Foundry ServerIron® Switch Command Line Interface Reference
2100 Gold Street
P.O. Box 649100
San Jose, CA 95164-9100
Tel 408.586.1700
Fax 408.586.1900
www.foundrynetworks.com
February 2002
Copyright 2002 by Foundry Networks, Inc.
Contents
CHAPTER 1 GETTING STARTED 1-1
  INTRODUCTION 1-1
  AUDIENCE 1-1
  NOMENCLATURE 1-1
  RELATED PUBLICATIONS 1-2
  HOW TO GET HELP 1-2
  WARRANTY COVERAGE 1-2
CHAPTER 2 USING THE COMMAND LINE INTERFACE 2-1
  EXEC COMMANDS 2-2
    USER LEVEL 2-2
    PRIVILEGED LEVEL 2-2
  CONFIG COMMANDS 2-2
    GLOBAL LEVEL 2-2
    REDUNDANCY LEVEL 2-3
    INTERFACE LEVEL 2-3
    VLAN LEVEL 2-3
    REAL SERVER, CACHE SERVER, AND FIREWALL LEVEL 2-3
    VIRTUAL SERVER LEVEL 2-3
    CACHE GROUP AND FIREWALL GROUP LEVEL 2-3
    GLOBAL AFFINITY LEVEL 2-3
    GLOBAL SLB DNS ZONE LEVEL 2-3
    GLOBAL SLB SITE LEVEL 2-3
    GLOBAL SLB POLICY LEVEL 2-3
    URL SWITCHING POLICY LEVEL 2-3
    HTTP MATCHING LIST LEVEL 2-4
    SERVER MONITOR LEVEL 2-4
    ROUTING INFORMATION PROTOCOL (RIP) LEVEL 2-4
February 2002 iii
Foundry ServerIron Command Line Interface Reference
  ACCESSING THE CLI 2-4
    NAVIGATING AMONG COMMAND LEVELS 2-5
    CLI COMMAND STRUCTURE 2-5
    SYNTAX SHORTCUTS 2-6
    SAVING CONFIGURATION CHANGES 2-6
CHAPTER 3 COMMAND LIST 3-1
  COMPLETE COMMAND LIST 3-1
  COMMANDS LISTED BY CLI LEVEL 3-16
    USER EXEC LEVEL 3-17
    PRIVILEGED EXEC LEVEL 3-17
    CONFIG COMMANDS 3-20
CHAPTER 4 USER EXEC COMMANDS 4-1
CHAPTER 5 PRIVILEGED EXEC COMMANDS 5-1
CHAPTER 6 GLOBAL CONFIG COMMANDS 6-1
CHAPTER 7 REDUNDANT MANAGEMENT MODULE CONFIG COMMANDS 7-1
CHAPTER 8 INTERFACE COMMANDS 8-1
CHAPTER 9 VLAN COMMANDS 9-1
CHAPTER 10 REAL SERVER COMMANDS 10-1
CHAPTER 11 VIRTUAL SERVER COMMANDS 11-1
CHAPTER 12 CACHE GROUP COMMANDS 12-1
CHAPTER 13 GSLB AFFINITY COMMANDS 13-1
CHAPTER 14 GSLB DNS ZONE COMMANDS 14-1
CHAPTER 15 GSLB SITE COMMANDS 15-1
CHAPTER 16 GSLB POLICY COMMANDS 16-1
CHAPTER 17 URL SWITCHING COMMANDS 17-1
CHAPTER 18 HTTP MATCH LIST COMMANDS 18-1
CHAPTER 19 SERVER MONITOR COMMANDS 19-1
CHAPTER 20 ROUTING INFORMATION PROTOCOL (RIP) COMMANDS 20-1
CHAPTER 21 SHOW COMMANDS 21-1
Chapter 1 Getting Started
Introduction
This reference describes the Command Line Interface (CLI) for Foundry ServerIron® switch products.
For step-by-step instructions on how to install key features of the system, see the Foundry ServerIron Installation and Configuration Guide.
NOTE: Some commands are supported only on specific products. Where this is the case, the description for the command states the products to which the command applies.
NOTE: This reference lists all the commands that appear at each command level for users with super-user access. If you are logged on with port-configuration access or read-only access, some of these commands will not be displayed and will not be available.
Audience
This manual is designed for system administrators with a working knowledge of Layer 2 and Layer 4 – 7 networking.
Nomenclature
This guide uses the following typographical conventions to show information:
Italic highlights the title of another publication and occasionally emphasizes a word or phrase.
Bold highlights a CLI command.
Bold Italic highlights a term that is being defined.
Underline highlights a link on the Web management interface.
Capitals highlights field names and buttons that appear in the Web management interface.
NOTE: A note emphasizes an important fact or calls your attention to a dependency.
WARNING: A warning calls your attention to a possible hazard that can cause injury or death.
CAUTION: A caution calls your attention to a possible hazard that can damage equipment.
Related Publications
The following Foundry Networks documents supplement the information in this guide.
• Foundry ServerIron Application Guide – provides setup procedures for the ServerIron’s basic SLB and TCS features.
• Foundry ServerIron Installation and Configuration Guide – provides installation instructions as well as detailed feature descriptions, procedures, and application examples for Server Load Balancing (SLB), Global SLB (GSLB), Transparent Cache Switching (TCS), and URL Switching.
• Foundry ServerIron Firewall Load Balancing Guide – provides detailed feature descriptions, procedures, and application examples for Firewall Load Balancing (FWLB).
To order additional copies of these manuals, do one of the following:
• Call 1-877-TURBOCALL (887-2622) in the United States or 408.586.1881 outside the United States.
• Send email to [email protected].
How to Get Help
Foundry Networks technical support will ensure that the fast and easy access that you have come to expect from your Foundry Networks products will be maintained.
Web Access
The latest product information and technical tips are always available to our customers from the Foundry Networks web site. You can access the web site at the following URL:
• http://www.foundrynetworks.com
Email Access
Technical requests can also be sent to the following email address:
Telephone Access
• 1-877-TURBOCALL (887-2622) United States
• 408.586.1881 Outside the United States
Warranty Coverage
Contact Foundry Networks using any of the methods listed above for information about the standard and extended warranties.
Chapter 2 Using the Command Line Interface
The CLI is a text-based interface for configuring and monitoring Foundry ServerIron products. You can access the CLI through either a direct serial connection to the device or through a Telnet session.
The commands in the CLI are organized into the following levels:
• User EXEC – Lets you display information and perform basic tasks such as pings and trace routes.
• Privileged EXEC – Lets you use the same commands as those at the User EXEC level plus configuration commands that do not require saving the changes to the system-config file.
• CONFIG – Lets you make configuration changes to the device. To save the changes across reboots, you need to save them to the system-config file. The CONFIG level contains sub-levels for individual ports, for VLANs, and other configuration areas.
NOTE: By default, any user who can open a serial or Telnet connection to the Foundry device can access all these CLI levels. To secure access, you can configure Enable passwords or local user accounts, or you can configure the device to use Access Control Lists (ACLs), a RADIUS server, or a TACACS/TACACS+ server for authentication. See the Foundry Security Guide.
To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed. If you enter part of a command, then enter “?” or press Tab, the CLI lists the options you can enter at the point in the command string.
The CLI supports command completion, so you do not need to enter the entire name of a command or option. As long as you enter enough characters of the command or option name to avoid ambiguity with other commands or options, the CLI understands what you are typing.
The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command.
Table 2.1: CLI Line-Editing Commands
Ctrl-Key Combination Description
Ctrl-A Moves to the first character on the command line.
Ctrl-B Moves the cursor back one character.
Ctrl-C Escapes and terminates command prompts and ongoing tasks (such as lengthy displays), and displays a fresh command prompt.
Ctrl-D Deletes the character at the cursor.
Ctrl-E Moves to the end of the current command line.
Ctrl-F Moves the cursor forward one character.
Ctrl-K Deletes all characters from the cursor to the end of the command line.
Ctrl-L; Ctrl-R Repeats the current command line on a new line.
Ctrl-N Enters the next command line in the history buffer.
Ctrl-P Enters the previous command line in the history buffer.
Ctrl-U; Ctrl-X Deletes all characters from the cursor to the beginning of the command line.
Ctrl-W Deletes the last word you typed.
Ctrl-Z Moves from any CONFIG level of the CLI to the Privileged EXEC level; at the Privileged EXEC level, moves to the User EXEC level.
EXEC Commands
There are two different levels of EXEC commands, the User Level and the Privileged Level. The User level commands are at the top of the CLI hierarchy. These are the first commands that you have access to when connected to the ServerIron through the CLI.
User Level
At the User EXEC level, you can view basic system information and verify connectivity but cannot make any changes to the ServerIron configuration. To make changes to the configuration base, you must move to other levels of the CLI hierarchy. This is accomplished by entering the enable command at initial log-on. Once entered correctly, you have access to the Privileged Level.
Privileged Level
The Privileged Level EXEC commands primarily enable you to transfer and store ServerIron software images and configuration files between the network and the system, and to review its configuration. You reach this level by entering enable <password> or enable <username> <password> at the user EXEC level.
CONFIG Commands
Global Level
The global level is the first level of the CONFIG command structure. The global CONFIG level allows you to globally apply or modify parameters for ports on the ServerIron. You reach this level by entering configure terminal at the privileged EXEC level.
Redundancy Level
The redundancy level allows you to configure redundancy parameters for redundant management modules. You reach this level by entering the redundancy command at the global CONFIG level.
NOTE: The redundancy commands apply only to a BigServerIron with redundant management modules.
Interface Level
The interface level allows you to assign or modify specific port parameters on a port-by-port basis. You reach this level by entering interface ethernet <portnum> at the global level.
VLAN Level
Policy-based VLANs allow you to assign VLANs on a protocol (IP, IPX, Decnet, AppleTalk, NetBIOS, Others), sub-net (IP sub-net and IPX network), port, or 802.1q tagged basis. You reach this level by entering the vlan <vlan-id> by port command at the Global CONFIG Level for switches and vlan 1 for routers.
Real Server, Cache Server, and Firewall Level
This level allows you to assign and configure servers for the SLB, TCS, FWLB, and web switching features. For SLB and web switching, you reach this level by entering the server real-name <text> <ip-addr> command at the global CONFIG level. For TCS, you reach this level by entering the server cache-name <text> command. For FWLB, you reach this level by entering the server fw-name <text> <ip-addr> command.
Virtual Server Level
The virtual server level allows you to assign and configure virtual servers. You reach this level by entering the server virtual-name <text> <ip-addr> command at the global CONFIG level.
Cache Group and Firewall Group Level
This level allows you to configure TCS cache groups and the FWLB firewall group. For TCS, you reach this level by entering the server cache-group <num> command at the global CONFIG level. For FWLB, you reach this level by entering the server fw-group 2 command at the global CONFIG level.
Global Affinity Level
This level allows you to configure Global SLB (GSLB) affinity parameters. You reach this level by entering the gslb dns affinity command at the global CONFIG level.
Global SLB DNS Zone Level
This level allows you to configure GSLB DNS zone parameters. You reach this level by entering the gslb dns zone-name <name> command at the global CONFIG level.
Global SLB Site Level
This level allows you to configure GSLB site parameters. You reach this level by entering the gslb site <name> command at the global CONFIG level.
Global SLB Policy Level
This level allows you to configure GSLB policy parameters. You reach this level by entering the gslb policy command at the global CONFIG level.
URL Switching Policy Level
This level allows you to configure URL switching policies. You reach this level by entering the url-map <policy-name> command at the global CONFIG level.
HTTP Matching List Level
This level allows you to configure matching lists of selection criteria for HTTP content verification health checks. You reach this level by entering the http match-list <name> command at the global CONFIG level.
Server Monitor Level
This level allows you to configure history lists for monitoring Layer 4 statistics. You reach this level by entering the server monitor command at the global CONFIG level.
Routing Information Protocol (RIP) Level
This level allows you to configure global RIP parameters for use with IP forwarding. You reach this level by entering the router rip command at the global CONFIG level.
Accessing the CLI
The CLI can be accessed through both serial and Telnet connections. For initial log on, you must use a serial connection. Once an IP address is assigned, you can access the CLI through Telnet.
NOTE: When accessing the CLI through Telnet, you are prompted for a password. By default, the password required is the password you enter for general access at initial setup. You also have the option of assigning a separate password for Telnet access with the enable telnet password <password> command, available at the global CONFIG level.
NOTE: At initial log on, all you need to do is type enable at the prompt. You only need to enter a password after a permanent password is entered at global CONFIG level of the CLI.
Once connectivity to the ServerIron is established, you will see one of the following prompts:
FastIron>
ServerIron>
SW-TurboIron>
At this prompt, you are at the user level of the CLI EXEC command structure.
To reach the Global CONFIG Level, the uppermost level of the CONFIG commands, enter the following commands:
ServerIron> enable User Level EXEC commands
ServerIron# configure terminal Privileged Level EXEC commands
ServerIron(config)# Global Level CONFIG commands
You can then reach all other levels of the CONFIG command structure from this point.
The CLI prompt will change at each level of the CONFIG command structure, to easily identify the current level. A summary of the look of each prompt is noted below:
ServerIron> User EXEC level
ServerIron# Privileged EXEC level
ServerIron(config)# Global CONFIG level
BigServerIron(config-redundancy)# Redundant Management Module CONFIG level
ServerIron(config-gslb-dns-affinity)# Global SLB Affinity level
ServerIron(config-gslb-dns-zonename)# Global SLB DNS Zone level
ServerIron(config-gslb-policy)# Global SLB Policy level
ServerIron(config-gslb-site-sitename)# Global SLB Site level
ServerIron(config-if-portnum)# Interface CONFIG level
ServerIron(config-vif-number)# Virtual Interface CONFIG level
ServerIron(config-vlan-number)# Port-based VLAN level
ServerIron(config-vlan-protocoltype)# Protocol VLAN level
ServerIron(config-tc-cachename)# Cache Group level
ServerIron(config-tc-firewallname)# Firewall Group level
ServerIron(config-rs-servername)# Real Server level
ServerIron(config-url-policy)# URL Switching Policy level
ServerIron(config-vs-servername)# Virtual Server level
ServerIron(config-http-ml-listname)# HTTP Matching List level
ServerIron(config-slb-mon)# Server Monitor Level
NOTE: The CLI prompt at the interface level includes the port speed. The speed is one of the following:
• e100 – The interface is a 10/100 port.
• e1000 – The interface is a Gigabit port.
For simplicity, the port speeds sometimes are not shown in example Interface level prompts in this manual.
Navigating Among Command Levels
To reach other CLI command levels, you need to enter certain commands. At each level there is a launch command that allows you to move either up or down to the next level.
CLI Command Structure
Many CLI commands may require textual or numeric input as part of the command. These fields are either required or optional depending on how the information is bracketed. For clarity, a few CLI command examples are explained below.
EXAMPLE:
server virtual-name <value>
vlan <num> [name <value>] by port
Whenever an item is bracketed with “< >” symbols, the information requested is required.
Whenever an item is bracketed with “[ ]” symbols, the information requested is optional.
Whenever two or more options are separated by a vertical bar, “|”, you must enter one of the options as part of the command. For example:
predictor least-conn | response-time | round-robin | weighted
This means enter one of the values: the command above requires that "least-conn", "response-time", "round-robin", or "weighted" be entered as part of the command.
To get a quick display of available options at a CLI level, enter a question mark (?) at the prompt, and a summary list of possible commands will be listed, as shown below:
To view all available commands at the user level, enter the following:
ServerIron> ? <return>
enable
fastboot
You also can use the question mark (?) with an individual command to see all available options for that command or to check context.
To view possible copy command options, enter the following:
ServerIron# copy ?
flash
running-config
startup-config
tftp
ServerIron# copy flash ?
tftp
Syntax Shortcuts
Commands and parameters can be abbreviated as long as enough text is entered to distinguish them from other commands at that level. For example, given the possible commands copy tftp… and config tftp…, possible shortcuts are cop tftp and con tftp respectively. In this case, co does not properly distinguish the two commands.
Saving Configuration Changes
You can make configuration changes while the ServerIron is running. The type of configuration change determines whether it becomes effective immediately or requires a save to flash (write memory) and a reset of the system (reload) before it becomes active.
This approach to adopting configuration changes:
• allows you to make configuration changes to the operating or running configuration of the ServerIron to address a short-term requirement or validate a configuration without overwriting the permanent configuration file, the startup configuration, that is saved in the system flash; and
• ensures that dependent or related configuration changes are all cut in at the same time.
In all cases, if you want to make the changes permanent, you need to save the changes to flash using the write memory command. When you save the configuration changes to flash, this becomes the configuration that is loaded and run at system boot.
NOTE: The majority of configuration changes are dynamic in nature. Those changes that require a reset of the system are highlighted in the specific configuration chapter and in the CLI commands of this appendix.
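The following session ties together the steps described in this chapter: entering Privileged EXEC, moving into the global CONFIG level and one sub-level, returning with exit and end (or Ctrl-Z), and committing the running configuration with write memory. It is an added, constructed example and not a transcript from the manual. The Telnet password value is a placeholder, and the real-server name web1, its address 10.0.0.10, and the exact form of the Real Server level prompt are assumptions (the manual shows the prompt only as ServerIron(config-rs-servername)#). The annotation to the right of each command is explanatory text, not part of what you type.

```text
ServerIron> enable                                        User EXEC level; no password is required until one has been set
ServerIron# configure terminal                            Privileged EXEC level; move to global CONFIG
ServerIron(config)# enable telnet password <telnet-password>   global CONFIG level; sets a separate password for Telnet access (placeholder value)
ServerIron(config)# server real-name web1 10.0.0.10       enters the Real Server level (constructed name and address)
ServerIron(config-rs-web1)# exit                          back to the global CONFIG level
ServerIron(config)# end                                   back to Privileged EXEC (Ctrl-Z does the same)
ServerIron# write memory                                  save the running configuration to the startup configuration in flash
```

Until write memory is entered, everything above lives only in the running configuration and is lost at the next reload, which matters both for validating a change before committing it and for making sure an access-control change such as the Telnet password actually survives a reboot. Commands that this reference flags as requiring a reset take effect only after the subsequent reload.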
Chapter 3 Command List
This chapter lists all the commands in the CLI. The commands are listed in two ways:
• All commands are listed together in a single alphabetic list. See “Complete Command List” on page 3-1.
• Commands are listed separately for each CLI level (for example, global CONFIG level, BGP4 level, and so on). See “Commands Listed by CLI Level” on page 3-16.
In each list, the page numbers in this reference that describe the commands are listed.
Complete Command List
The following table lists all the CLI commands on Foundry ServerIron products.
Table 3.1: Complete ServerIron Command List
aaa authentication 6-1
aaa authorization 6-2
aaa accounting 6-3
access-list (standard) 6-3
access-list (extended) 6-5
acl-id 11-1, 12-1
active-management 7-1
all-client 6-7
always-active 9-1
append 5-1
arp 6-8
asymmetric 10-1
atalk-proto 6-8, 9-1
attrib 5-1
auto-gig 8-1
backup 10-1
banner exec 6-9
banner incoming 6-9
banner motd 6-9
bind 11-1
boot system bootp 5-2, 6-10
boot system flash primary 5-2, 6-10
boot system flash secondary 5-3, 6-10
boot system slot1 | slot2 5-3
boot system tftp 5-3, 6-11
broadcast filter 6-11
broadcast limit 6-12, 8-1
cache-enable 11-2
cache-group 8-1
cache-name 12-1
capacity 16-1
capacity threshold 16-1
cd 5-4
chassis name 6-12
chassis poll-time 6-13
chassis trap-log 6-13
chdir 5-4
clear arp 5-4
clear healthck statistics 5-5
clear ip cache 5-5
clear ip nat 5-5
clear ip traffic 5-6
clear logging 5-6
clear mac-address 5-6
clear public-key 5-6
clear rmon 5-6
clear server 5-7
clear server session 5-7
clear snmp-server 5-8
clear statistics 5-8
clear statistics dos-attack 5-8
clear web-connection 5-8
clock 5-8
clock summer-time 6-13
clock timezone 6-13
clone-server 10-2
configure terminal 5-9
confirm-port-up 6-14
console 6-14
copy <from-card> <to-card> 5-9
copy flash flash… 5-9
copy flash slot1 | slot2 5-10
copy flash tftp 5-10
copy running slot1 | slot2 5-10
copy running-config tftp 5-11
copy slot1 | slot2 flash 5-11
copy slot1 | slot2 running 5-11
copy slot1 | slot2 start 5-12
copy slot1 | slot2 tftp 5-12
copy start slot1 | slot2 5-13
copy startup-config tftp 5-13
copy tftp flash 5-13
copy tftp running-config 5-14
copy tftp slot1 | slot2 5-14
copy tftp startup-config 5-14
crypto key 6-15
crypto random-number-seed 6-15
debug access-list 5-18
debug ip nat 5-16
decnet-proto 6-15, 9-2
default 17-1, 18-1
default-vlan-id 6-16
delete 5-16
deny redistribute 20-1
dest-nat 12-2
dhcp-gateway-list 6-16, 8-2
dir 5-17
disable 12-2, 8-2
dns active-only 16-2
dns check-interval 16-2
dns ttl 16-2
down compound 18-1
down simple 18-2
enable 4-1, 6-17, 8-2
enable <password> 4-1
enable <username> <password> 4-1
enable password-display 6-17
enable skip-page-display 6-17
enable snmp config-radius 6-18
enable snmp config-tacacs 6-18
enable telnet authentication 6-18
enable telnet password… 6-18
end 6-18
erase flash primary 5-18
erase flash secondary 5-18
erase startup-config 5-19
exceed-max-drop 10-2
exit 6-19
failover-acl 12-3
fastboot… 4-2, 5-19
fast port-span 6-19
fast uplink-span 6-19
filter-match 10-3
flashback 16-3
flashback application | tcp tolerance <num> 16-3
flow-control 6-19, 8-3
format 5-19
fwall-info 12-3
fwall-zone 12-4
fw-exceed-max-drop 12-4
fw-group 8-3
fw-health-check icmp 12-4
fw-health-check tcp | udp 12-5
fw-name 12-6
fw-predictor 12-6
geographic 16-4
geo-location 15-1
gig-default 6-20, 8-3
gslb affinity 6-20
gslb communication 6-21
gslb dns zone-name 6-21
gslb policy 6-22
gslb protocol 6-22
gslb site 6-23
hash-mask 12-6
hash-port-range 12-7
hash-ports 12-7
hd 5-20
healthck (ServerIronXL only) 6-23
healthck (ServerIron 400 and ServerIron 800 only) 6-26
health-check 16-4
history 19-1
history-group 10-3
host-info 14-1
hostname 6-32
host-range 10-3, 11-3
http-cache-control 12-8
http match-list 6-32
httpredirect 11-3
interface ethernet 6-33
ip access-group 8-4
ip access-list 6-33
ip address (Layer 2) 6-34
ip address (Layer 3) 8-5
ip-address 10-4
ip default-gateway 6-34
ip dns domain-name 6-35
ip dns server-address 6-35
ip filter 6-35
ip forward 6-35
ipg10 8-9
ipg100 8-9
ipg1000 8-10
ip icmp burst 6-36, 8-6
ip multicast 6-36
ip-multicast-disable 8-6
ip nat inside 6-36
ip nat pool 6-38
ip nat translation 6-38
ip policy 6-39
ip-policy 8-6
ip-proto 6-46, 9-2
ip rip 8-7
ip rip learn-default 8-7
ip rip poison-reverse 8-8
ip route 6-40
ip show-subnet-length 6-40
ip ssh authentication-retries 6-41
ip ssh key-size 6-41
ip ssh password-authentication 6-41
ip ssh permit-empty-passwd 6-41
ip ssh port 6-42
ip ssh pub-key-file 6-42
ip ssh rsa-authentication 6-43
ip ssh scp 6-43
ip ssh timeout 6-43
ip strict-acl-mode 6-43
ip-subnet 6-46, 9-3
ip tcp burst 6-44, 8-8
ip ttl 6-45
ipx-network 6-47, 9-4
ipx-proto 6-47, 9-4
kill 5-20
l2-fwall 12-8
locate 5-20
lock-address ethernet 6-48
logging 6-48
mac-age-time 6-49
mac filter 6-50
mac filter-group 8-10
mac filter log-enable 6-52
match 17-2
max-conn 10-4
max-tcp-conn-rate 10-5
max-udp-conn-rate 10-5
md 5-21
method 17-2
metric-order 16-4
mirror-port 6-52
mkdir 5-21
module 6-52
monitor 8-11
more 5-22
multicast filter 6-53
multicast limit 6-53, 8-11
ncopy flash primary | secondary slot1 | slot2 <to-name> 5-22
ncopy flash primary | secondary tftp <ip-addr> <from-name> 5-23
ncopy running slot1 | slot2 <to-name> 5-23
ncopy running-config tftp <ip-addr> <from-name> 5-24
ncopy slot1 | slot2 <from-name> flash primary | secondary 5-24
ncopy slot1 | slot2 <from-name> running 5-24
ncopy slot1 | slot2 <from-name> slot1 | slot2 [<to-name>] 5-25
ncopy slot1 | slot2 <from-name> start 5-25
ncopy start slot1 | slot2 <to-name> 5-26
ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>] 5-26
ncopy startup-config tftp <ip-addr> <from-name> 5-26
ncopy tftp <ip-addr> <from-name> flash primary | secondary 5-26
ncopy tftp <ip-addr> <from-name> running-config 5-27
ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>] 5-27
ncopy tftp <ip-addr> <from-name> startup-config 5-28
neg-off 8-11
netbios-proto 6-54
no 6-54
no-group-failover 12-8
no-http-downgrade 12-9
num-session 16-6
num-session tolerance 16-6
other-ip 10-5
other-proto 6-54, 9-5
page-display 5-28
password-change 6-54
perf-mode 6-56
permit redistribute 20-2
phy-mode 8-12
ping 4-2, 5-28
port 10-5, 11-3
port disable-all 10-8
port unbind-all 10-8
port-name 8-12
predictor 11-7
prefer 13-1
prefer-cnt 12-9
preference 16-7
prefer-router-cnt 12-9
priority 9-6
privilege 6-55
protocol 16-7
pvst-mode 8-12
pwd 5-29
qos-priority 8-13
quit 6-55
radius-server 6-56
rconsole 5-30
rconsole-exit 5-30
rd 5-30
redistribution 20-3
reload 5-31
rename 5-31
relative-utilization 6-56
response-time 10-9
rmdir 5-31
rmon alarm 6-57
rmon event 6-57
rmon history 6-58
round-trip-time 16-7
round-trip-time cache-interval 16-8
round-trip-time cache-prefix 16-8
round-trip-time explore-percentage 16-8
round-trip-time tolerance 16-9
router-interface 9-6
rshow 6-58
server active-active-port 6-59
server allow-sticky 6-59
server backup 6-60
server backup-group 6-60
server backup-port 6-60
server backup-preference 6-61
server backup-timer 6-61
server cache-group 6-61
server cache-name 6-62
server cache-router-offload 6-62
server cache-stateful 6-62
server clock-scale 6-62
server connection-log 6-63
server delay-symmetric 6-63
server force-delete 6-64
server fw-group 6-66
server fw-name 6-66
server fw-port 6-66
server fw-recv-stateful 6-66
server fw-slb 6-67
server fw-stateful 6-67
server fw-strict-sec 6-67
server fw-superzone 6-67
server icmp-message 6-68
server l4-check 6-68
server max-ssl-session-id 6-68
server max-url-switch 6-69
server monitor 6-69
server msl 6-69
server no-fast-bringup 6-69
server no-real-l3-check 6-70
server no-remote-l3-check 6-70
server no-slow-start 6-70
server partner-ports 6-71
server path-group 6-71
server peer-group 6-71
server ping-interval 6-72
server ping-retries 6-72
server policy-hash-acl 6-73
server port 6-73
server predictor 6-78
server real-name 6-78
server reassign-threshold 6-78
server remote-name 6-79
server reverse-nat 6-80
server response-time 6-79
server router-ports 6-81
server session-id-age 6-81
server session-limit 6-81
server slb-fw 6-81
server source-ip 6-82
server source-nat 6-82
server source-nat-ip 6-82
server source-standby-ip 6-83
server sticky-age 6-83
server sym-pdu-rate 6-83
server syn-def 6-84
server syn-limit 6-84
server tcp-age 6-85
server transparent-vip 6-85
server udp-age 6-85
server use-simple-ssl-health-check 6-86
server virtual-name 6-86
server vpn-lb 6-86
server vpn-lb-inside 6-87
service password-encryption 6-87
show aaa 21-1
show arp 21-1
show cache-group 21-2
show chassis 21-2
show clock 21-3
show configuration 21-3
show default 21-3
show flash 21-4
show fw-group 21-4
show fw-hash 21-4
show gslb cache 21-5
show gslb default 21-6
show gslb dns detail 21-6
show gslb dns zone 21-7
show gslb global-stat 21-8
show gslb policy 21-8
show gslb resources 21-9
show gslb site 21-10
show healthck 21-11
show healthck statistics 21-12
show http match-list 21-12
show interfaces 21-12
show ip 21-13
show ip cache 21-13
show ip client-public-key 21-14
show ip filter-cache 21-14
show ip interface 21-14
show ip multicast 21-15
show ip nat statistics 21-15
show ip nat translation 21-15
show ip policy 21-16
show ip route 21-16
show ip ssh 21-16
show ip static-arp 21-17
show ip traffic 21-17
show logging 21-18
show mac-address 21-20
show mac-address statistics 21-21
show media 21-21
show module 21-22
show monitor 21-22
show policy-map 21-22
show relative-utilization 21-23
show reload 21-23
show rmon alarm 21-23
show rmon event 21-24
show rmon history 21-24
show rmon statistics 21-24
show running-config 21-25
show server backup 21-25
show server bind 21-25
show server dynamic 21-26
show server fw-path 21-26
show server global 21-26
show server hash 21-27
show server proxy 21-27
show server real 21-27
show server sessions 21-28
show server symmetric 21-29
show server traffic 21-29
show server virtual 21-29
show snmp server 21-30
show sntp associations 21-30
show sntp status 21-31
show span 21-32
show span vlan 21-32
show statistics 21-33
show statistics dos-attack 21-34
show tech-support 21-34
show telnet 21-34
show trunk 21-35
show users 21-35
show version 21-35
show vlans 21-36
show web-connection 21-36
show who 21-36
show wsm-map 21-36
show wsm-state 21-37
si-name 15-2
skip-page-display 5-32
snmp-client 6-88
snmp-server community 6-88
snmp-server contact 6-88
snmp-server enable traps 6-89
snmp-server enable vlan 6-89
snmp-server host 6-89
snmp-server location 6-89
snmp-server pw-check 6-90
snmp-server trap-source 6-90
snmp-server view 6-90
sntp 5-32
sntp poll-interval 6-91
sntp server 6-91
source-nat 10-9, 12-10
source-sticky 11-7
spanning-tree 6-91, 8-13, 9-7
spanning-tree <parameter> 6-91
speed-duplex 8-14
spoof-support 12-10
static-mac-address 6-92, 9-8
static-prefix 16-9
stop-traceroute 4-3, 5-32
sym-active 11-8
sym-priority 11-8, 12-11
sync-standby 5-33, 7-2
system-max 6-94
tacacs-server 6-94
tagged 9-9
tag-type 6-95
tcp-port 17-3
telnet <ip-addr> | <name> 5-33
telnet access-group 6-95
telnet client 6-95
telnet login-timeout 6-96
telnet server 6-96
telnet server enable vlan 6-96
telnet timeout 6-97
temperature shutdown 5-33
temperature warning 5-34
tftp client enable vlan 6-97
traceroute 4-3, 5-34
track 11-9
track-group 11-9
transparent-vip 11-9
trunk 6-97
undebug access-list 5-34
undebug ip nat 5-35
undelete 5-35
unknown-unicast limit 6-98, 8-14
untagged 9-9
up compound 18-3
uplink-switch 9-10
up simple 18-3
url-host-id 12-11
url-map 6-98, 12-11
url-switch 12-11
username 6-98
virtual-ip 12-12
vlan 6-99
vlan-dynamic-discovery 6-99
vlan max-vlans 6-100
web access-group 6-100
web client 6-100
web-management 6-100
web-management enable vlan 6-101
weight 10-10
whois 5-35
write memory 5-36
write terminal 5-36
wsm boot 6-101
wsm copy flash flash 5-36
wsm copy tftp flash 5-36
wsm wsm-map 6-102
Commands Listed by CLI Level
The following sections contain tables that list the CLI commands within each level of the CLI.
User EXEC Level
There are two different levels of EXEC commands, the User EXEC level and the Privileged EXEC level. The User level commands are at the top of the CLI hierarchy. These are the first commands that you have access to when connected to the ServerIron through the CLI. At this level, you can view basic system information and verify connectivity but cannot make any changes to the ServerIron configuration.
To make changes to the configuration, you must move to other levels of the CLI hierarchy. This is accomplished by the User EXEC level command enable at initial log-on. This command takes you to the Privileged EXEC level, from which you can reach the configuration command levels.
The User EXEC commands are listed in the following table.
Table 3.2: User EXEC Commands
enable 4-1
enable <password> 4-1
enable <username> <password> 4-1
fastboot… 4-2
ping 4-2
rshow 4-3
show 4-3
stop-traceroute 4-3
traceroute 4-3
Privileged EXEC Level
The Privileged EXEC level commands primarily enable you to transfer and store ServerIron software images and configuration files between the network and the ServerIron, and review the configuration.
You reach this level by entering enable [<password>] or enable <username> <password> at the User EXEC level.
Table 3.3: Privileged EXEC Commands
append 5-1
attrib 5-1
boot system bootp 5-2
boot system flash primary 5-2
boot system flash secondary 5-3
boot system slot1 | slot2 5-3
boot system tftp 5-3
cd 5-4
chdir 5-4
clear arp 5-4
clear healthck statistics 5-5
clear ip cache 5-5
clear ip nat 5-5
clear ip traffic 5-6
clear logging 5-6
clear mac-address 5-6
clear public-key 5-6
clear rmon 5-6
clear server 5-7
clear server session 5-7
clear snmp-server 5-8
clear statistics 5-8
clear statistics dos-attack 5-8
clear web-connection 5-8
clock 5-8
configure terminal 5-9
copy <from-card> <to-card> 5-9
copy flash flash… 5-9
copy flash slot1 | slot2 5-10
copy flash tftp 5-10
copy running slot1 | slot2 5-10
copy running-config tftp 5-11
copy slot1 | slot2 flash 5-11
copy slot1 | slot2 running 5-11
copy slot1 | slot2 start 5-12
copy slot1 | slot2 tftp 5-12
copy start slot1 | slot2 5-13
copy startup-config tftp 5-13
copy tftp flash 5-13
copy tftp running-config 5-14
copy tftp slot1 | slot2 5-14
copy tftp startup-config 5-14
debug access-list 5-18
debug ip nat 5-16
delete 5-16
dir 5-17
erase flash primary 5-18
erase flash secondary 5-18
erase startup-config 5-19
exit 5-19
fastboot… 5-19
format 5-19
hd 5-20
kill 5-20
locate 5-20
md 5-21
mkdir 5-21
more 5-22
ncopy flash primary | secondary slot1 | slot2 <to-name> 5-22
ncopy flash primary | secondary tftp <ip-addr> <from-name> 5-23
ncopy running slot1 | slot2 <to-name> 5-23
ncopy running-config tftp <ip-addr> <from-name> 5-24
ncopy slot1 | slot2 <from-name> flash primary | secondary 5-24
ncopy slot1 | slot2 <from-name> running 5-24
ncopy slot1 | slot2 <from-name> slot1 | slot2 [<to-name>] 5-25
ncopy slot1 | slot2 <from-name> start 5-25
ncopy start slot1 | slot2 <to-name> 5-26
ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>] 5-26
ncopy startup-config tftp <ip-addr> <from-name> 5-26
ncopy tftp <ip-addr> <from-name> flash primary | secondary 5-26
ncopy tftp <ip-addr> <from-name> running-config 5-27
ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>] 5-27
ncopy tftp <ip-addr> <from-name> startup-config 5-28
page-display 5-28
ping 5-28
pwd 5-29
quit 5-30
rconsole 5-30
rconsole-exit 5-30
rd 5-30
reload 5-31
rename 5-31
rmdir 5-31
rshow 5-32
show… 5-32
skip-page-display 5-32
sntp 5-32
stop-traceroute 5-32
sync-standby 5-33
telnet <ip-addr> | <name> 5-33
temperature shutdown 5-33
temperature warning 5-34
traceroute 5-34
undebug access-list 5-34
undebug ip nat 5-35
undelete 5-35
whois 5-35
write memory 5-36
write terminal 5-36
wsm copy flash flash 5-36
wsm copy tftp flash 5-36
CONFIG Commands
CONFIG commands modify the configuration of a Foundry ServerIron product. This reference describes the following CONFIG CLI levels.
Global Level
The global CONFIG level allows you to globally apply or modify parameters for ports on the switch or router. You reach this level by entering configure terminal at the privileged EXEC level.
Table 3.4: Global CONFIG Commands
aaa authentication 6-1
aaa authorization 6-2
aaa accounting 6-3
access-list (standard) 6-3
access-list (extended) 6-5
all-client 6-7
arp 6-8
atalk-proto 6-8
banner exec 6-9
banner incoming 6-9
banner motd 6-9
boot system bootp 6-10
boot system flash primary 6-10
boot system flash secondary 6-10
boot system tftp 6-11
broadcast filter 6-11
broadcast limit 6-12
chassis name 6-12
chassis poll-time 6-13
chassis trap-log 6-13
clear 6-13
clock summer-time 6-13
clock timezone 6-13
confirm-port-up 6-14
console 6-14
crypto key 6-15
crypto random-number-seed 6-15
decnet-proto 6-15
default-vlan-id 6-16
dhcp-gateway-list 6-16
enable 6-17
enable password-display 6-17
enable skip-page-display 6-17
enable snmp config-radius 6-18
enable snmp config-tacacs 6-18
enable telnet authentication 6-18
enable telnet password… 6-18
end 6-18
exit 6-19
fast port-span 6-19
fast uplink-span 6-19
flow-control 6-19
gig-default 6-20
gslb affinity 6-20
gslb communication 6-21
gslb dns zone-name 6-21
gslb policy 6-22
gslb protocol 6-22
gslb site 6-23
healthck (ServerIronXL only) 6-23
healthck (ServerIron 400 and ServerIron 800 only) 6-26
hostname 6-32
http match-list 6-32
interface ethernet 6-33
ip access-list 6-33
ip address (Layer 2) 6-34
ip default-gateway 6-34
ip dns domain-name 6-35
ip dns server-address 6-35
ip filter 6-35
ip forward 6-35
ip icmp burst 6-36
ip multicast 6-36
ip nat inside 6-36
ip nat pool 6-38
ip nat translation 6-38
ip policy 6-39
ip route 6-40
ip show-subnet-length 6-40
ip ssh authentication-retries 6-41
ip ssh key-size 6-41
ip ssh password-authentication 6-41
ip ssh permit-empty-passwd 6-41
ip ssh port 6-42
ip ssh pub-key-file 6-42
ip ssh rsa-authentication 6-43
ip ssh scp 6-43
ip ssh timeout 6-43
ip strict-acl-mode 6-43
ip tcp burst 6-44
ip tcp conn-rate 6-44
ip tcp conn-rate-change 6-45
ip tcp syn-proxy 6-45
ip ttl 6-45
ip-proto 6-46
ip-subnet 6-46
ipx-network 6-47
ipx-proto 6-47
lock-address ethernet 6-48
logging 6-48
mac-age-time 6-49
mac filter 6-50
mac filter log-enable 6-52
mirror-port 6-52
module 6-52
multicast filter 6-53
multicast limit 6-53
netbios-proto 6-54, 9-5
no 6-54
other-proto 6-54
password-change 6-54
perf-mode 6-56
privilege 6-55
quit 6-55
radius-server 6-56
relative-utilization 6-56
rmon alarm 6-57
rmon event 6-57
rmon history 6-58
router-interface 9-6
rshow 6-58
server active-active-port 6-59
server allow-sticky 6-59
server backup 6-60
server backup-group 6-60
server backup-port 6-60
server backup-preference 6-61
server backup-timer 6-61
server cache-group 6-61
server cache-name 6-62
server cache-router-offload 6-62
server cache-stateful 6-62
server clock-scale 6-62
server connection-log 6-63
server delay-symmetric 6-63
server force-delete 6-64
server fw-group 6-66
server fw-name 6-66
server fw-port 6-66
server fw-recv-stateful 6-66
server fw-slb 6-67
server fw-stateful 6-67
server fw-strict-sec 6-67
server fw-superzone 6-67
server icmp-message 6-68
server l4-check 6-68
server max-conn-trap 6-68
server max-ssl-session-id 6-68
server max-url-switch 6-69
server monitor 6-69
server no-fast-bringup 6-69
server no-real-l3-check 6-70
server no-remote-l3-check 6-70
server no-slow-start 6-70
server partner-ports 6-71
server path-group 6-71
server peer-group 6-71
server ping-interval 6-72
server ping-retries 6-72
server policy-hash-acl 6-73
server port 6-73
server predictor 6-78
server real-name 6-78
server reassign-threshold 6-78
server remote-name 6-79
server response-time 6-79
server reverse-nat 6-80
server router-ports 6-81
server session-id-age 6-81
server session-limit 6-81
server slb-fw 6-81
server source-ip 6-82
server source-nat 6-82
server source-nat-ip 6-82
server source-standby-ip 6-83
server sticky-age 6-83
server sym-pdu-rate 6-83
server syn-def 6-84
server syn-limit 6-84
server tcp-age 6-85
server transparent-vip 6-85
server udp-age 6-85
server use-simple-ssl-health-check 6-86
server virtual-name 6-86
server vpn-lb 6-86
server vpn-lb-inside 6-87
service password-encryption 6-87
show 6-88
snmp-client 6-88
snmp-server community 6-88
snmp-server contact 6-88
snmp-server enable traps 6-89
snmp-server enable vlan 6-89
snmp-server host 6-89
snmp-server location 6-89
snmp-server pw-check 6-90
snmp-server trap-source 6-90
snmp-server view 6-90
sntp poll-interval 6-91
sntp server 6-91
spanning-tree 6-91
spanning-tree <parameter> 6-91
static-mac-address 6-92
system-max 6-94
tacacs-server 6-94
tag-type 6-95
telnet access-group 6-95
telnet client 6-95
telnet login-timeout 6-96
telnet server 6-96
telnet server enable vlan 6-96
telnet timeout 6-97
tftp client enable vlan 6-97
trunk 6-97
unknown-unicast limit 6-98
url-map 6-98
username 6-98
vlan 6-99
vlan-dynamic-discovery 6-99
vlan max-vlans 6-100
web access-group 6-100
web client 6-100
web-management 6-100
web-management enable vlan 6-101
write memory 6-101
write terminal 6-101
wsm boot 6-101
wsm wsm-map 6-102
Redundancy Level
The redundancy CONFIG level allows you to configure parameters on redundant management modules. You reach this level by entering redundancy at the global CONFIG level.
Table 3.5: Redundancy CONFIG Commands
active-management 7-1
end 7-2
exit 7-2
no 7-2
quit 7-2
show 7-2
sync-standby 7-2
write memory 7-3
write terminal 7-3
Interface Level
The interface level allows you to assign or modify specific port parameters on a port-by-port basis. You reach this level by entering interface ethernet <portnum> or interface ve <num> at the global CONFIG level.
Table 3.6: Interface Commands
auto-gig 8-1
broadcast limit 8-1
cache-group 8-1
clear 8-2
dhcp-gateway-list 8-2
disable 8-2
enable 8-2
end 8-2
exit 8-3
flow-control 8-3
fw-group 8-3
gig-default 8-3
ip access-group 8-4
ip address (Layer 3) 8-5
ip icmp burst 8-6
ip-multicast-disable 8-6
ip-policy 8-6
ip rip 8-7
ip rip learn-default 8-7
ip rip poison-reverse 8-8
ip tcp burst 8-8
ip tcp syn-proxy 8-9
ipg10 8-9
ipg100 8-9
ipg1000 8-10
mac filter-group 8-10
monitor 8-11
multicast limit 8-11
neg-off 8-11
no 8-12
phy-mode 8-12
port-name 8-12
pvst-mode 8-12
qos-priority 8-13
quit 8-13
rshow 8-13
show 8-13
spanning-tree 8-13
speed-duplex 8-14
unknown-unicast limit 8-14
write memory 8-14
write terminal 8-14
VLAN Level
The VLAN level allows you to configure VLAN parameters. You reach this level by entering the vlan <vlan-id> by port command at the Global CONFIG Level.
Table 3.7: VLAN Commands
always-active 9-1
atalk-proto 9-1
decnet-proto 9-2
end 9-2
exit 9-2
ip-proto 9-2
ip-subnet 9-3
ipx-network 9-4
ipx-proto 9-4
netbios-proto 9-5
no 9-5
other-proto 9-5
priority 9-6
quit 9-6
rshow 9-7
show 9-7
spanning-tree 9-7
static-mac-address 9-8
tagged 9-9
untagged 9-9
uplink-switch 9-10
write memory 9-10
write terminal 9-10
Real Server, Cache Server, and Firewall Level
This level allows you to assign and configure servers for the SLB, TCS, FWLB, and web switching features. For SLB and web switching, you reach this level by entering the server real-name <text> <ip-addr> command at the global CONFIG level. For TCS, you reach this level by entering the server cache-name <text> command. For FWLB, you reach this level by entering the server fw-name <text> <ip-addr> command.
Table 3.8: Real Server, Cache Server, and Firewall CONFIG Commands
asymmetric 10-1
backup 10-1
clear 10-1
clone-server 10-2
description 10-2
end 10-2
exceed-max-drop 10-2
exit 10-3
filter-match 10-3
history-group 10-3
host-range 10-3
ip-address 10-4
max-conn 10-4
max-tcp-conn-rate 10-5
max-udp-conn-rate 10-5
no 10-5
other-ip 10-5
port 10-5
port disable-all 10-8
port unbind-all 10-8
quit 10-8
response-time 10-9
rshow 10-9
show 10-9
source-nat 10-9
weight 10-10
write memory 10-10
write terminal 10-11
Virtual Server Level
The virtual server level allows you to assign and configure virtual servers. You reach this level by entering the server virtual-name <text> <ip-addr> command at the global CONFIG level.
Table 3.9: Virtual Server CONFIG Commands
acl-id 11-1
bind 11-1
cache-enable 11-2
clear 11-2
end 11-2
exit 11-2
host-range 11-3
httpredirect 11-3
no 11-3
port 11-3
predictor 11-7
quit 11-7
rshow 11-7
show 11-7
source-sticky 11-7
sym-active 11-8
sym-priority 11-8
track 11-9
track-group 11-9
transparent-vip 11-9
write memory 11-9
write terminal 11-10
Cache Group and Firewall Group Level
This level allows you to configure TCS cache groups and the FWLB firewall group. For TCS, you reach this level by entering the server cache-group <num> command at the global CONFIG level. For FWLB, you reach this level by entering the server fw-group 2 command at the global CONFIG level.
Table 3.10: Cache Group and Firewall Group CONFIG Commands
acl-id 12-1
cache-name 12-1
clear 12-2
dest-nat 12-2
disable 12-2
end 12-2
exit 12-3
failover-acl 12-3
fwall-info 12-3
fwall-zone 12-4
fw-exceed-max-drop 12-4
fw-health-check icmp 12-4
fw-health-check tcp | udp 12-5
fw-name 12-6
fw-predictor 12-6
hash-mask 12-6
hash-port-range 12-7
hash-ports 12-7
http-cache-control 12-8
l2-fwall 12-8
no 12-8
no-group-failover 12-8
no-http-downgrade 12-9
prefer-cnt 12-9
prefer-router-cnt 12-9
quit 12-10
rshow 12-10
show 12-10
source-nat 12-10
spoof-support 12-10
sym-priority 12-11
url-host-id 12-11
url-map 12-11
url-switch 12-11
virtual-ip 12-12
write memory 12-12
write terminal 12-12
GSLB Affinity Level
This level allows you to configure Global SLB (GSLB) affinity parameters. You reach this level by entering the gslb dns affinity command at the global CONFIG level.
Table 3.11: GSLB Affinity CONFIG Commands
end 13-1
exit 13-1
no 13-1
prefer 13-1
quit 13-2
rshow 13-2
show 13-2
write memory 13-2
write terminal 13-3
GSLB DNS Zone Level
This level allows you to configure GSLB DNS zone parameters. You reach this level by entering the gslb dns zone-name <name> command at the global CONFIG level.
Table 3.12: GSLB DNS Zone CONFIG Commands
end 14-1
exit 14-1
host-info 14-1
no 14-2
quit 14-2
rshow 14-3
show 14-3
write memory 14-3
write terminal 14-3
GSLB Site Level
This level allows you to configure GSLB site parameters. You reach this level by entering the gslb site <name> command at the global CONFIG level.
Table 3.13: GSLB Site CONFIG Commands
end 15-1
exit 15-1
geo-location 15-1
no 15-2
quit 15-2
rshow 15-2
show 15-2
si-name 15-2
write memory 15-3
write terminal 15-3
GSLB Policy Level
This level allows you to configure GSLB policy parameters. You reach this level by entering the gslb policy command at the global CONFIG level.
Table 3.14: GSLB Policy CONFIG Commands
capacity 16-1
capacity threshold 16-1
dns active-only 16-2
dns check-interval 16-2
dns ttl 16-2
end 16-2
exit 16-3
flashback 16-3
flashback application | tcp tolerance <num> 16-3
geographic 16-4
health-check 16-4
metric-order 16-4
no 16-6
num-session 16-6
num-session tolerance 16-6
preference 16-7
protocol 16-7
quit 16-7
round-trip-time 16-7
round-trip-time cache-interval 16-8
round-trip-time cache-prefix 16-8
round-trip-time explore-percentage 16-8
round-trip-time tolerance 16-9
rshow 16-9
show 16-9
static-prefix 16-9
write memory 16-10
write terminal 16-10
URL Switching Level
This level allows you to configure URL switching policies. You reach this level by entering the url-map <policy-name> command at the global CONFIG level.
Table 3.15: URL Switching CONFIG Commands
default 17-1
end 17-1
exit 17-1
match 17-2
method 17-2
no 17-2
quit 17-2
rshow 17-2
show 17-3
tcp-port 17-3
write memory 17-3
write terminal 17-3
HTTP Match List Level
This level allows you to configure matching lists of selection criteria for HTTP content verification health checks. You reach this level by entering the http match-list <name> command at the global CONFIG level.
Table 3.16: HTTP Match List CONFIG Commands
default 18-1
down compound 18-1
down simple 18-2
end 18-2
exit 18-2
no 18-2
quit 18-2
rshow 18-3
show 18-3
up compound 18-3
up simple 18-3
write memory 18-3
write terminal 18-3
Server Monitor Level
This level allows you to configure history lists for monitoring Layer 4 statistics. You reach this level by entering the server monitor command at the global CONFIG level.
Table 3.17: Server Monitor CONFIG Commands
end 19-1
exit 19-1
history 19-1
no 19-2
quit 19-2
rshow 19-2
show 19-2
write memory 19-2
write terminal 19-2
Routing Information Protocol (RIP) Level
This level allows you to configure global RIP parameters for use with IP forwarding. You reach this level by entering the router rip command at the global CONFIG level.
Table 3.18: RIP CONFIG Commands
deny redistribute 20-1
end 20-2
exit 20-2
no 20-2
permit redistribute 20-2
quit 20-3
redistribution 20-3
rshow 20-3
show 20-4
write memory 20-4
write terminal 20-4
Show Commands
The show commands display configuration information and statistics. You can enter these commands from any level of the CLI.
Table 3.19: Show Commands
show aaa 21-1
show arp 21-1
show cache-group 21-2
show chassis 21-2
show clock 21-3
show configuration 21-3
show default 21-3
show flash 21-4
show fw-group 21-4
show fw-hash 21-4
show gslb cache 21-5
show gslb default 21-6
show gslb dns detail 21-6
show gslb dns zone 21-7
show gslb global-stat 21-8
show gslb policy 21-8
show gslb resources 21-9
show gslb site 21-10
show healthck 21-11
show healthck statistics 21-12
show http match-list 21-12
show interfaces 21-12
show ip 21-13
show ip cache 21-13
show ip client-public-key 21-14
show ip filter-cache 21-14
show ip interface 21-14
show ip multicast 21-15
show ip nat statistics 21-15
show ip nat translation 21-15
show ip policy 21-16
show ip route 21-16
show ip ssh 21-16
show ip static-arp 21-17
show ip traffic 21-17
show logging 21-18
show mac-address 21-20
show mac-address statistics 21-21
show media 21-21
show module 21-22
show monitor 21-22
show policy-map 21-22
show relative-utilization 21-23
show reload 21-23
show rmon alarm 21-23
show rmon event 21-24
show rmon history 21-24
show rmon statistics 21-24
show running-config 21-25
show server backup 21-25
show server bind 21-25
show server conn-rate 21-25
show server dynamic 21-26
show server fw-path 21-26
show server global 21-26
show server hash 21-27
show server proxy 21-27
show server real 21-27
show server sessions 21-28
show server symmetric 21-29
show server traffic 21-29
show server virtual 21-29
show snmp server 21-30
show sntp associations 21-30
show sntp status 21-31
show span 21-32
show span vlan 21-32
show statistics 21-33
show statistics dos-attack 21-34
show tech-support 21-34
show telnet 21-34
show trunk 21-35
show users 21-35
show version 21-35
show vlans 21-36
show web-connection 21-36
show who 21-36
show wsm-map 21-36
show wsm-state 21-37
Chapter 4 User EXEC Commands
enable
At initial startup, you enter this command to access the privileged EXEC level of the CLI. You access subsequent levels of the CLI using the proper launch commands.
You can assign a permanent password with the enable password… command at the global level of the CONFIG command structure. To reach the global level, enter configure terminal. Until a password is assigned, you have access only to the user level.
NOTE: You also can configure the ServerIron to authenticate access using a RADIUS or TACACS/TACACS+ server or local user accounts. See the Foundry Security Guide.
EXAMPLE:
ServerIron> enable
Syntax: enable
Possible values: N/A
Default value: No system default
enable <password>
Once a password is defined for the ServerIron, you must enter this command along with the defined password to access the privileged EXEC level of the CLI.
Three levels of password access can be assigned at the global CONFIG level.
EXAMPLE:
ServerIron> enable whatever
ServerIron#
Syntax: enable <password>
Possible values: Up to 32 alphanumeric characters can be assigned as the password.
Default value: N/A
enable <username> <password>
If local access control is configured on the ServerIron, you are prompted for a user name and a password. The user name and password must be configured in a user account on the ServerIron.
EXAMPLE:
ServerIron> enable waldo whereis
ServerIron#
Syntax: enable <username> <password>
Possible values: N/A
Default value: N/A
fastboot…
By default, this option is turned off, to provide a three-second pause to allow you to break into the boot prompt, if necessary. Use fastboot on to turn this option on and eliminate the three-second pause. To turn this feature off later, enter the command fastboot off. Fastboot changes are saved automatically but do not become active until after a system reset.
To execute an immediate reload of the boot code from the console without a three-second delay, enter the fast reload command. The fast reload command is found at the privileged level.
EXAMPLE:
ServerIron> fastboot on
Syntax: fastboot [on | off]
Possible values: on, off
Default value: off
ping
Verifies connectivity to a Foundry device or another device. The command performs an ICMP echo test to confirm connectivity to the specified device.
NOTE: If you address the ping to the IP broadcast address, the device lists the first four responses to the ping.
EXAMPLE:
ServerIron> ping 192.22.2.33
Syntax: ping <ip addr> | <hostname> [source <ip addr>] [count <num>] [timeout <msec>] [ttl <num>] [size <byte>] [quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief]
The only required parameter is the IP address or host name of the device.
NOTE: If the device is a Foundry Layer 2 or Layer 3 Switch, you can use the host name only if you have already enabled the Domain Name Server (DNS) resolver feature on the device from which you are sending the ping. See the “Configuring Basic Features” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.
The source <ip addr> specifies an IP address to be used as the origin of the ping packets.
The count <num> parameter specifies how many ping packets the device sends. You can specify from 1 – 4294967296. The default is 1.
The timeout <msec> parameter specifies how many milliseconds the Foundry device waits for a reply from the pinged device. You can specify a timeout from 1 – 4294967296 milliseconds. The default is 5000 (5 seconds).
The ttl <num> parameter specifies the maximum number of hops. You can specify a TTL from 1 – 255. The default is 64.
The size <byte> parameter specifies the size of the ICMP data portion of the packet. This is the payload and does not include the header. You can specify from 0 – 4000. The default is 16.
The no-fragment parameter turns on the “don’t fragment” bit in the IP header of the ping packet. This option is disabled by default.
The quiet parameter hides informational messages such as a summary of the ping parameters sent to the device and instead only displays messages indicating the success or failure of the ping. This option is disabled by default.
The verify parameter verifies that the data in the echo packet (the reply packet) is the same as the data in the echo request (the ping). By default the device does not verify the data.
The data <1 – 4 byte hex> parameter lets you specify a specific data pattern for the payload instead of the default data pattern, “abcd”, in the packet’s data payload. The pattern repeats itself throughout the ICMP message (payload) portion of the packet.
NOTE: For numeric parameter values, the CLI does not check that the value you enter is within the allowed range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid value.
The brief parameter causes ping test characters to be displayed. The following ping test characters are supported:
! Indicates that a reply was received.
. Indicates that the network server timed out while waiting for a reply.
U Indicates that a destination unreachable error PDU was received.
I Indicates that the user interrupted ping.
Possible values: see above
Default value: see above
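The size, data and verify parameters above describe the ICMP echo payload the device builds and the comparison it performs on the reply. The following Python is an added example, not code from the original reference or from Foundry: it builds an echo request with a repeating data pattern, computes the ICMP checksum, and implements the same byte-for-byte comparison the verify option performs. It assumes the default pattern “abcd” is the two hex bytes 0xab 0xcd (the page says the data argument is 1–4 hex bytes but does not show the default's encoding), and make_reply is a constructed stand-in for the pinged host.

```python
import struct

# Defaults taken from the ping entry above: 16 data bytes, pattern "abcd".
# ASSUMPTION: the default pattern is the hex bytes 0xab 0xcd, since the data
# argument is documented as 1-4 hex bytes.
DEFAULT_SIZE = 16
DEFAULT_PATTERN = bytes.fromhex("abcd")
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def build_payload(size=DEFAULT_SIZE, pattern=DEFAULT_PATTERN):
    """Return `size` bytes of `pattern` repeated end to end (the page: the
    pattern repeats itself throughout the ICMP data portion)."""
    if not 0 <= size <= 4000:
        raise ValueError("size must be 0-4000 bytes")
    if not 1 <= len(pattern) <= 4:
        raise ValueError("data pattern must be 1-4 bytes")
    return (pattern * (size // len(pattern) + 1))[:size]


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over the ICMP header and data.
    Over a packet whose checksum field is already filled in, this returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    """Assemble type/code/checksum/ident/seq header plus payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def build_echo_request(ident, seq, size=DEFAULT_SIZE, pattern=DEFAULT_PATTERN):
    """The ICMP part of the packet `ping ... size <size> data <pattern>` sends."""
    return build_echo(ICMP_ECHO_REQUEST, ident, seq, build_payload(size, pattern))


def parse_echo(packet):
    """Return (type, code, ident, seq, data); rejects short or corrupted packets."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:]


def make_reply(request):
    """Constructed stand-in for the pinged host: echo the data back as a reply."""
    _, _, ident, seq, data = parse_echo(request)
    return build_echo(ICMP_ECHO_REPLY, ident, seq, data)


def verify_reply(request, reply):
    """What the `verify` option adds: beyond matching ident/seq, the reply's
    data must be byte-identical to the data that was sent."""
    _, _, req_id, req_seq, req_data = parse_echo(request)
    icmp_type, code, ident, seq, data = parse_echo(reply)
    return (icmp_type == ICMP_ECHO_REPLY and code == 0
            and ident == req_id and seq == req_seq and data == req_data)
```

A reply whose data differs from what was sent but whose checksum is valid is the case verify exists for: without it the ping counts as answered. A reply that was corrupted in transit without its checksum being recomputed is rejected by parse_echo before verify_reply ever compares data.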
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the device. See “Show Commands” on page 21-1.
stop-traceroute
Stops an initiated trace on a Foundry device.
EXAMPLE:
ServerIron> stop-traceroute
Syntax: stop-traceroute
Possible values: N/A
Default value: N/A
traceroute
Allows you to trace the path from the current Foundry device to a host address.
The CLI displays trace route information for each hop as soon as the information is received. Traceroute requests display all responses to a given TTL. In addition, if there are multiple equal-cost routes to the destination, the Foundry device displays up to three responses by default.
EXAMPLE:
ServerIron> traceroute 192.33.4.7 minttl 5 maxttl 5 timeout 5
Syntax: traceroute <host-ip-addr> [maxttl <value>] [minttl <value>] [numeric] [timeout <value>] [source-ip <ip addr>]
Possible and default values:
minttl – minimum TTL (hops) value: Possible values are 1 – 255. Default value is 1.
maxttl – maximum TTL (hops) value: Possible values are 1 – 255. Default value is 30.
timeout – Possible values are 1 – 120. Default value is 2 seconds.
numeric – Lets you change the display to list the devices by their IP addresses instead of their names.
source-ip <ip addr> – Specifies an IP address to be used as the origin for the traceroute.
Chapter 5
Privileged EXEC Commands
append
Appends a file on a PCMCIA flash card to the end of another file.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
BigServerIron# append newacls.cfg startup-config.cfg
This command appends a file called “newacls.cfg” to the end of a file called “startup-config.cfg”. This example assumes that both files are present on the flash card and in the subdirectory that currently have the management focus.
The following command appends a file in the current subdirectory to the end of a file in another subdirectory:
BigServerIron# append newacls.cfg \TEST\startup-config.cfg
Syntax: append [<from-card> <to-card>] [\<from-dir-path>\]<from-name> [\<to-dir-path>\]<to-name>
The <from-card> and <to-card> parameters specify the source and destination flash cards when you are appending a file on one flash card to a file located on another flash card.
The [\<from-dir-path>\]<from-name> parameter specifies the file you are adding to the end of another file. If the file is not located in the current subdirectory (the subdirectory that currently has the management focus), specify the subdirectory path in front of the file name.
The [\<to-dir-path>\]<to-name> parameter specifies the file to which you are appending the other file. If the file is not located in the current subdirectory, specify the subdirectory path in front of the file name.
Possible values: See above
Default value: N/A
attrib
Changes the read-write attribute of a file on a flash card in a Management IV module’s PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
The read-write attribute specifies whether a file on a flash card can be changed or deleted.
• Read-only – You can display or copy the file but you cannot replace (copy over) or delete the file.
• Read-write – You can replace (copy over) or delete the file. This is the default.
Use the following method to change the read-write attribute of a file.
EXAMPLE:
To protect a file from accidental changes by changing the read-write attribute from read-write to read-only, enter a command such as the following:
BigServerIron# attrib ro goodcfg.cfg
Syntax: attrib [slot1 | slot2] ro | rw <file-name>
To determine the read-write attribute of a file, use the dir command to list the directory information for the file. Files set to read-only are listed with “R” in front of the file name. See “dir” on page 5-17.
To change all files on a flash card to read-only, enter a command such as the following:
BigServerIron# attrib ro *.*
This command changes the read-write attribute for all files on the flash card that currently has the management focus to read-only.
Possible values: See above.
Default value: rw (read-write)
boot system bootp
Initiates a system boot from a BootP server. You can specify the preferred initial boot source and boot sequence in the startup-config file. If the user-specified boot source and sequence fail at boot time, by default the ServerIron attempts to load the software image from a different source. The following sources are tried one at a time, in the order noted, until a software load succeeds.
• flash primary
• flash secondary
• TFTP
• BootP
If the image does not load successfully from the above sources, you are prompted to enter alternative locations from which to load an image:
• boot system bootp
• boot system flash primary
• boot system flash secondary
• boot system tftp
EXAMPLE:
ServerIron# boot system bootp
Syntax: boot system bootp
Possible values: N/A
Default value: N/A
boot system flash primary
Initiates a system boot from the primary software image stored in flash.
EXAMPLE:
ServerIron(config)# boot system flash primary
Syntax: boot system flash primary
Possible values: N/A
Default value: N/A
boot system flash secondary
Initiates a system boot from the secondary software image stored in flash.
EXAMPLE:
ServerIron(config)# boot system flash secondary
Syntax: boot system flash secondary
Possible values: N/A
Default value: N/A
boot system slot1 | slot2
Initiates a system boot from an image file on a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron with the Management IV module.
EXAMPLE:
To reboot the device using a software image file on the flash card, enter a command such as the following at the Privileged Exec level of the CLI:
BigServerIron# boot system slot1 BSI07101.bin
The command in this example reboots the device using the image file BSI07101.bin located on the PCMCIA flash card in slot 1. This example assumes the image file is in the root directory on the flash card. If the image file is in a subdirectory, specify the subdirectory path. For example, to boot using an image in a subdirectory called “BSI”, enter a command such as the following:
BigServerIron# boot system slot1 \BSI\BSI07101.bin
Syntax: boot system slot1 | slot2 [\<dir-path>\]<file-name>
The slot1 | slot2 parameter indicates the flash card slot.
The <file-name> parameter specifies the file name. If the file is in a subdirectory, specify the subdirectory path in front of the file name. If the file name you specify is not a full path name, the CLI assumes that the name (and path, if applicable) you enter are relative to the subdirectory that currently has the management focus.
Possible values: See above
Default value: N/A
boot system tftp
Initiates a system boot of the software image from a TFTP server.
EXAMPLE:
ServerIron(config)# boot system tftp 192.22.33.44 current.img
Syntax: boot system tftp <ip-addr> <filename>
Possible values: N/A
Default value: N/A
Before entering the TFTP boot command, you must first assign an IP address, IP mask and default gateway (if applicable) at the boot prompt as shown.
EXAMPLE:
boot> ip address 192.22.33.44 255.255.255.0
boot> ip default-gateway 192.22.33.1
You now can proceed with the boot system tftp… command.
cd
Another form of the chdir command. See “chdir” on page 5-4.
chdir
Switches the management focus from one flash card in a Management IV module’s PCMCIA slot to the other slot, or to a subdirectory on the card that currently has the focus.
NOTE: This command applies only to a BigServerIron using a Management IV module.
The effect of file management commands depends on the flash card that has the management focus. For example, if you enter a command to delete a file, the software deletes the specified file from the flash card that currently has the management focus.
EXAMPLE:
To switch the focus of the CLI from one flash card to the other, enter a command such as the following:
BigServerIron# cd slot2
BigServerIron#
Syntax: cd | chdir slot1 | slot2
Syntax: cd | chdir <dir-name>
When you enter the cd command, the software changes the management focus to the slot or subdirectory path you specify, then displays a new command prompt.
If a slot you specify does not contain a flash card, the software displays the message shown in the following example.
BigServerIron# cd slot2
The system can not find the drive specified
To switch the management focus to a different subdirectory, enter a command such as the following:
BigServerIron# cd PLOOK
Current directory of slot1 is: \PLOOK
This command changes the focus from the root directory level ( \) to the subdirectory named “PLOOK”.
If you specify an invalid subdirectory path, the CLI displays a message such as the following:
BigServerIron# cd PLOOK
Path not found
If you are certain the path you specified exists, make sure you are at the correct level for reaching the path. For example, if you are already at the PLOOK level, the CLI cannot find the subdirectory “\PLOOK” because it is not a subdirectory from the level that currently has the management focus.
Possible values: N/A
Default value: N/A
clear arp
Removes all data from the ARP cache.
EXAMPLE:
ServerIron# clear arp
The following command clears all ARP entries for port 2 on the module in slot 3.
ServerIron# clear arp ethernet 3/2
Syntax: clear arp [ethernet <num> | mac-address <xxxx.xxxx.xxxx> [<mask>] | <ip-addr> [<ip-mask>]]
Specify the MAC address mask as “f”s and “0”s, where “f”s are significant bits. Specify IP address masks in standard decimal mask format (for example, 255.255.0.0).
Possible values: N/A
Default value: N/A
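The clear arp selectors above match ARP entries by port, by MAC address with an f/0 nibble mask, or by IP address with a dotted-decimal mask. The following Python is an added example, not code from the original reference or from Foundry: it implements that matching over a constructed ARP cache so you can see which entries each form of the command would remove before you run it on a production device. The cache entries and port names are made up for the demonstration.

```python
import ipaddress


def parse_mac(text):
    """Parse the CLI's xxxx.xxxx.xxxx notation into a 48-bit integer."""
    digits = text.replace(".", "")
    if len(digits) != 12:
        raise ValueError("MAC must be written as xxxx.xxxx.xxxx: %r" % text)
    return int(digits, 16)


def parse_mac_mask(text):
    """MAC masks are written with 'f' for significant nibbles and '0' for
    don't-care nibbles, as the clear arp entry specifies."""
    digits = text.replace(".", "").lower()
    if len(digits) != 12 or set(digits) - {"f", "0"}:
        raise ValueError("MAC mask must be 12 nibbles of f or 0: %r" % text)
    return int(digits, 16)


def mac_matches(entry_mac, mac, mask="ffff.ffff.ffff"):
    """True when entry_mac equals mac in every nibble the mask marks significant."""
    m = parse_mac_mask(mask)
    return (parse_mac(entry_mac) & m) == (parse_mac(mac) & m)


def ip_matches(entry_ip, ip, mask="255.255.255.255"):
    """IP masks use the dotted-decimal form (for example 255.255.0.0)."""
    m = int(ipaddress.IPv4Address(mask))
    return (int(ipaddress.IPv4Address(entry_ip)) & m) == (int(ipaddress.IPv4Address(ip)) & m)


def clear_arp(cache, port=None, mac=None, mac_mask="ffff.ffff.ffff",
              ip=None, ip_mask="255.255.255.255"):
    """Apply one form of `clear arp` to a list of ARP entries.

    One selector (port, mac, ip) is used, in that order of precedence;
    with none given every entry is removed, as bare `clear arp` does.
    Returns (remaining_entries, removed_count)."""
    def selected(entry):
        if port is not None:
            return entry["port"] == port
        if mac is not None:
            return mac_matches(entry["mac"], mac, mac_mask)
        if ip is not None:
            return ip_matches(entry["ip"], ip, ip_mask)
        return True

    remaining = [e for e in cache if not selected(e)]
    return remaining, len(cache) - len(remaining)


# Constructed ARP cache for the demonstration; not output from a real device.
SAMPLE_CACHE = [
    {"ip": "10.1.0.5",    "mac": "0000.0a01.0005", "port": "3/2"},
    {"ip": "10.1.0.9",    "mac": "0000.0a01.0009", "port": "3/2"},
    {"ip": "10.2.0.7",    "mac": "0000.0b02.0007", "port": "3/4"},
    {"ip": "192.168.9.1", "mac": "00c0.ffee.0001", "port": "1/1"},
]
```

A mask of ffff.ff00.0000 selects on the first three bytes only, so clear_arp(SAMPLE_CACHE, mac="0000.0a00.0000", mac_mask="ffff.ff00.0000") removes every entry sharing that prefix, which is the form you would use to flush all entries learned from one hardware vendor after a spoofing incident. parse_mac_mask rejects masks with nibbles other than f and 0, matching the page's rule rather than silently treating them as bit masks.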
clear healthck statistics
Clears health-check policy statistics.
EXAMPLE:
ServerIron(config)# clear healthck statistics
Syntax: clear healthck statistics
Possible values: N/A
Default value: N/A
clear ip cache
Removes all entries from the IP cache.
EXAMPLE:
ServerIron# clear ip cache
Syntax: clear ip cache
Possible values: N/A
Default value: N/A
clear ip nat
Clears entries from the NAT table. The software provides the following clear options:
• Clear all entries (static and dynamic)
• Clear an entry for a specific NAT entry based on the private and global IP addresses
• Clear an entry for a specific NAT entry based on the IP addresses and the TCP or UDP port number. Use this option when you are trying to clear specific entries created using the Port Address Translation feature.
NOTE: These commands are not supported on the ServerIron 400 or ServerIron 800.
EXAMPLE:
To clear all entries (static and dynamic) from the NAT translation table, enter the following command at the Privileged EXEC level of the CLI:
ServerIron# clear ip nat all
Syntax: clear ip nat all
To clear only the entries for a specific address entry, enter a command such as the following:
ServerIron# clear ip nat inside 209.157.1.43 10.10.10.5
This command clears the inside NAT entry that maps private address 10.10.10.5 to Internet address 209.157.1.43. Here is the syntax for this form of the command.
Syntax: clear ip nat inside <global-ip> <private-ip>
If you use Port Address Translation, you can selectively clear entries based on the TCP or UDP port number assigned to an entry by the feature. For example, the following command clears one of the entries associated with Internet address 209.157.1.43 but does not clear other entries associated with the same address.
ServerIron# clear ip nat inside 209.157.1.43 1081 10.10.10.5 80
The command above clears only the inside NAT entry that matches the specified global IP address, private IP address, and TCP or UDP ports.
Syntax: clear ip nat <protocol> inside <global-ip> <internet-tcp/udp-port> <private-ip> <private-tcp/udp-port>
The <protocol> parameter specifies the protocol type and can be tcp or udp.
Possible values: N/A
Default value: N/A
clear ip traffic
Clears the IP traffic statistics.
EXAMPLE:
ServerIron# clear ip traffic
Syntax: clear ip traffic
Possible values: N/A
Default value: N/A
clear logging
Removes all entries from the SNMP event log.
EXAMPLE:
ServerIron# clear logging
Syntax: clear logging
Possible values: N/A
Default value: N/A
clear mac-address
Removes all static MAC address entries from the address table.
EXAMPLE:
ServerIron# clear mac-address
Syntax: clear mac-address
Possible values: N/A
Default value: N/A
clear public-key
Clears the public keys from the active configuration.
EXAMPLE:
ServerIron# clear public-key
Syntax: clear public-key
Possible values: N/A
Default value: N/A
clear rmon
Clears packet statistics displayed by the show rmon statistics command. See “show rmon statistics” on page 21-24.
EXAMPLE:
ServerIron# clear rmon
Syntax: clear rmon
Possible values: N/A
Default value: N/A
clear server traffic
Clears traffic statistics for real and virtual servers.
EXAMPLE:
ServerIron# clear server traffic
Syntax: clear server traffic
Possible values: N/A
Default value: N/A
clear server session
Clears all session table entries for a deleted real server.
When you delete a real server, the ServerIron attempts to clear all the session entries for that real server from the session table. All of those sessions must be cleared from the table before the ServerIron can finish deleting the server. If you use the force shutdown option (server force-delete command), the ServerIron ends the sessions within one minute. Otherwise, the ServerIron allows active sessions to end normally before removing them.
When you enter the command to delete a real server (no server real <name>), the ServerIron changes the server’s state to "await_delete". The real server remains in this state until all its sessions are cleared from the session table. Occasionally, the ServerIron cannot clear all of a deleted real server’s sessions from the table. When this occurs, the real server cannot be fully deleted. To complete deletion of the server in this case, enter the clear server session <name> command after entering the no server real <name> command.
EXAMPLE:
ServerIron(config)# no server real rs1
ServerIron(config)# show server real rs1
Real Servers Info
Name : rs1 Mac-addr: Unknown
IP:1.2.3.4 Range:1 State:await_delete Max-conn:1000000
Least-con Wt:0 Resp-time Wt:0
Port State Ms CurConn TotConn Rx-pkts Tx-pkts Rx-octet Tx-octet Reas
---- ----- -- ------- ------- ------- ------- -------- -------- ----
8080 unbnd 0 0 0 0 0 0 0 0
default unbnd 0 0 0 0 0 0 0 0
Server Total 0 0 0 0 0 0 0
ServerIron(config)# clear server session rs1
The no server real command deletes real server "rs1". The show server real command displays the states of the real servers. Notice that rs1 is still listed as a valid real server, and has the state "await_delete". If the show server real command no longer lists the deleted server, the server has been completely deleted.
If the server continues to be listed with the "await_delete" state after several minutes, enter the clear server session command to finish deleting the server. The clear server session command deletes the remaining sessions for rs1, after which the ServerIron can finish deleting the server. You can enter this command immediately after entering the no server real command. You do not need to wait for any sessions to end normally.
Syntax: clear server session <name> [<name> [<name> [<name>]]]
The <name> parameter specifies the name of the real server. You can enter up to four real server names. It can take up to three minutes for the command to take effect. This command is supported only on the MP (the main processor management session). The command is not valid if entered in a WSM CPU management session.
NOTE: You cannot undo the clear server session command. If you re-enter the command for the same real server, the new command is ignored and the original command continues to be processed.
Possible values: up to four real server names
Default value: N/A
clear snmp-server traffic
Clears statistics for SNMP server traffic.
EXAMPLE:
ServerIron# clear snmp-server traffic
Syntax: clear snmp-server traffic
Possible values: N/A
Default value: N/A
clear statistics
Clears packet statistics displayed by the show statistics command. See “show statistics” on page 21-33.
EXAMPLE:
ServerIron# clear statistics
Syntax: clear statistics
Possible values: N/A
Default value: N/A
clear statistics dos-attack
Resets counters for ICMP and TCP SYN packet burst thresholds.
EXAMPLE:
ServerIron# clear statistics dos-attack
Syntax: clear statistics dos-attack
Possible values: N/A
Default value: N/A
clear web-connection
Clears all Web management interface sessions with the ServerIron. The sessions are immediately ended when you enter the command.
EXAMPLE:
ServerIron# clear web-connection
Syntax: clear web-connection
Possible values: N/A
Default value: N/A
clock
Sets the system clock (time and date) on a ServerIron. The time zone must be set separately using the clock timezone... command at the global CONFIG level.
NOTE: Clock settings are not saved over power cycles; however, you can configure the system to reference an SNTP server at power up. That server then supplies the correct time reference for the network. For more details on this capability, see the sntp command at the privileged EXEC level and the sntp poll-interval and sntp server commands at the global CONFIG level.
EXAMPLE:
ServerIron# clock set 10:15:05 10-15-98
Syntax: [no] clock set <hh:mm:ss> <mm-dd-yy> | <mm-dd-yyyy>
Possible values: N/A
Default value: N/A
configure terminal
Launches you into the global CONFIG level.
EXAMPLE:
ServerIron# configure terminal
ServerIron(config)#
Syntax: configure terminal
Possible values: N/A
Default value: N/A
copy <from-card> <to-card>
Copies files from one PCMCIA flash card on a management module to the other card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> slot1 | slot2 <to-name> command. See “ncopy slot1 | slot2 <from-name> slot1 | slot2 [<to-name>]” on page 5-25.
EXAMPLE:
To copy a file from one flash card to the other, enter the following command:
BigServerIron# copy slot1 slot2 sales.cfg
Syntax: copy <from-card> <to-card> [\<from-dir-path>\]<from-name> [[\<to-dir-path>\]<to-name>]
The command shown in the example above copies a file from the flash card in slot 1 to the flash card in slot 2. In this case, the software uses the same name for the original file and for the copy. Optionally, you can specify a different file name for the copy.
Possible values: See above.
Default value: N/A
copy flash flash
Copies a software image between the primary and secondary flash storage locations.
EXAMPLE:
Suppose you want to copy the software image stored in the primary flash into the secondary storage location. To do so, enter the following command.
BigServerIron# copy flash flash secondary
If you want to copy the image from the secondary flash to the primary flash, enter the following command.
BigServerIron# copy flash flash primary
In the copy flash flash…command, the first ‘flash’ refers to the origin of the image and the second ’flash’ in the command points to the destination flash. Note that in the command above, when ‘primary’ is entered, the system automatically knows that the origin flash is the secondary flash location.
Syntax: copy flash flash [primary | secondary]
Possible values: N/A
Default value: N/A
copy flash slot1 | slot2
Copies a file from flash memory to a PCMCIA flash card on the management module.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy flash primary | secondary slot1 | slot2 <to-name> command. See “ncopy flash primary | secondary slot1 | slot2 <to-name>” on page 5-22.
EXAMPLE:
To copy a file from flash memory to a flash card, enter a command such as the following:
BigServerIron# copy flash slot2 BIS07000.bin primary
Flash Card Write (128 KBytes per dot) .......
Write to slot2 BIS07000.bin succeeded
The command in this example copies a software image file from the primary area in flash memory onto the flash card in slot 2.
If the copy does not succeed, the software lists messages to indicate the reason the copy did not work. For example, the following messages indicate that the copy did not work because the slot specified for the copy does not contain a flash card.
BigServerIron# copy flash slot2 m4s.car secondary
The system can not find the drive specified
Write to slot2 m4s.car failed
Syntax: copy flash slot1 | slot2 [\<to-dir-path>\]<to-name> primary | secondary
Possible values: See above.
Default value: N/A
copy flash tftp
Uploads a copy of the primary or secondary software image to a TFTP server.
NOTE: This command does the same thing as the ncopy flash primary | secondary tftp <ip-addr> <from-name> command. See “ncopy flash primary | secondary tftp <ip-addr> <from-name>” on page 5-23.
EXAMPLE:
BigServerIron# copy flash tftp 192.22.33.4 test.img secondary
Syntax: copy flash tftp <ip-addr> <filename> primary | secondary
Possible values: See above.
Default value: N/A
copy running slot1 | slot2
Copies the device’s running-config to a PCMCIA flash card. The running-config contains the device’s currently active configuration information. When you copy the running-config to a flash card, you are making a copy of the device’s current configuration, including any configuration changes you have not saved to the startup-config file.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy running slot1 | slot2 <to-name> command. See “ncopy running slot1 | slot2 <to-name>” on page 5-23.
EXAMPLE:
To copy the device’s running configuration into a file on a flash card, enter a command such as the following:
BigServerIron# copy running slot1 runip.1
Write to slot1 runip.1 succeeded
Syntax: copy running slot1 | slot2 [\<to-dir-path>\]<to-name>
Possible values: See above.
Default value: N/A
copy running-config tftp
Uploads a copy of the running configuration file from the switch or router to a designated TFTP server. TFTP provides no authentication or encryption, so send configuration files only to a TFTP server on a trusted management network.
NOTE: This command does the same thing as the ncopy running-config tftp <ip-addr> <from-name> command. See “ncopy running-config tftp <ip-addr> <from-name>” on page 5-24.
EXAMPLE:
BigServerIron# copy running-config tftp 192.22.3.44 newrun.cfg
Syntax: copy running-config tftp <ip-addr> <filename>
Possible values: See above.
Default value: N/A
copy slot1 | slot2 flash
Copies a file from a PCMCIA flash card to the primary or secondary area in flash memory.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> flash primary | secondary command. See “ncopy slot1 | slot2 <from-name> flash primary | secondary” on page 5-24.
EXAMPLE:
To copy a file from a flash card to the primary area in flash memory, enter a command such as the following:
BigServerIron# copy slot1 flash B2P07000.bin primary
Flash Erase ------------------------------------------
Flash Memory Write (8192 bytes per dot) ............................................................................................
code flash copy done
Syntax: copy slot1 | slot2 flash [\<from-dir-path>\]<from-name> primary | secondary
Possible values: See above.
Default value: N/A
copy slot1 | slot2 running
Loads ACLs from a running-config file into the device’s active configuration.
NOTE: This command applies only to a BigServerIron using a Management IV module.
For example, if the device’s configuration includes a large set of Access Control Lists (ACLs), you can configure the ACLs offline in a text file on a PC, then save the file to the flash card. To load the ACLs, you can insert the flash card in the Foundry device, then copy the file to the device’s running configuration.
NOTE: This feature allows you to preconfigure and load large sets of ACLs. If you accidentally try to load a running-config file that contains other types of configuration information using this method, the software might display error messages. This occurs when the device’s parser encounters lines in the file that do not correspond to valid configuration commands.
NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> running command. See “ncopy slot1 | slot2 <from-name> running” on page 5-24.
EXAMPLE:
To copy a running-config file from a flash card, enter a command such as the following:
BigServerIron# copy slot2 running runip.2
Syntax: copy slot1 | slot2 running [\<from-dir-path>\]<from-name>
The command in this example changes the device’s active configuration based on the information in the file.
Possible values: See above.
Default value: N/A
copy slot1 | slot2 start
Copies a startup-config file from a PCMCIA flash card to flash memory. By default, the device uses the startup-config in the primary area of flash memory to configure itself when you boot or reload the device.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: The device cannot use a startup-config file on a flash card to configure itself. You cannot boot or reload from a flash card.
NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> start command. See “ncopy slot1 | slot2 <from-name> start” on page 5-25.
EXAMPLE:
To copy a startup-config file from a flash card to flash memory, enter a command such as the following:
BigServerIron# copy slot1 start test2.cfg
..
Write startup-config done.
Syntax: copy slot1 | slot2 start [\<from-dir-path>\]<from-name>
This command copies a configuration file named test2.cfg from the flash card in slot 1 into the device’s flash memory. The next time you reboot or reload the device, it uses the configuration information in test2.cfg.
Possible values: See above.
Default value: N/A
copy slot1 | slot2 tftp
Copies a file from a PCMCIA flash card to a TFTP server.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>] command. See “ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>]” on page 5-26.
EXAMPLE:
To copy a file from a flash card to a TFTP server, enter a command such as the following:
BigServerIron# copy slot1 tftp 192.168.1.17 notes.txt
Uploading 254 bytes to tftp server ...
Upload to TFTP server done.
Syntax: copy slot1 | slot2 tftp <ip-addr> [\<from-dir-path>\]<from-name> [<to-name>]
Possible values: See above.
Default value: N/A
copy start slot1 | slot2
Copies the device’s startup-config file from flash memory onto a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy start slot1 | slot2 <to-name> command. See “ncopy start slot1 | slot2 <to-name>” on page 5-26.
EXAMPLE:
To copy the device’s startup-config file from flash memory onto a flash card, enter a command such as the following:
BigServerIron# copy start slot1 mfgtest.cfg
Write to slot1 mfgtest.cfg succeeded
Syntax: copy start slot1 | slot2 [\<to-dir-path>\]<to-name>
Possible values: See above.
Default value: N/A
copy startup-config tftp
Uploads a copy of the startup configuration file from the switch or router to a designated TFTP server.
NOTE: This command does the same thing as the ncopy startup-config tftp <ip-addr> <from-name> command. See “ncopy startup-config tftp <ip-addr> <from-name>” on page 5-26.
EXAMPLE:
BigServerIron# copy startup-config tftp 192.22.3.44 new.cfg
Syntax: copy startup-config tftp <ip-addr> <filename>
Possible values: See above.
Default value: N/A
copy tftp flash
Downloads a copy of a Foundry switch or router software image from a TFTP server into the system flash in the primary or secondary storage location. Because TFTP provides no authentication or integrity protection, confirm that the image file on the server is the one you intend to install before downloading it, and keep a known-good image in the other flash area so that you can boot from it if the new image fails.
NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> flash primary | secondary command. See “ncopy tftp <ip-addr> <from-name> flash primary | secondary” on page 5-26.
EXAMPLE:
BigServerIron# copy tftp flash 192.22.33.4 test.img primary
To download into the secondary storage location, enter the command listed below instead:
BigServerIron# copy tftp flash 192.22.33.4 test.img secondary
Syntax: copy tftp flash <ip-addr> <filename> primary | secondary
Possible values: See above.
Default value: N/A
copy tftp running-config
Downloads a copy of a running-config file from a TFTP server into the running-config of the switch or router.
NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> running-config command. See “ncopy tftp <ip-addr> <from-name> running-config” on page 5-27.
EXAMPLE:
BigServerIron# copy tftp running-config 192.22.33.4 newrun.cfg
Syntax: copy tftp running-config <ip-addr> <filename>
Possible values: See above.
Default value: N/A
copy tftp slot1 | slot2
Copies a file from a TFTP server to a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>] command. See “ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>]” on page 5-27.
EXAMPLE:
To copy a file from a TFTP server to a flash card, enter a command such as the following:
BigServerIron# copy tftp slot1 192.168.1.17 notes.txt
Downloading from tftp server ...
Tftp 254 bytes done, copy to slot1 ...
Write to slot1 notes.txt succeeded
Syntax: copy tftp slot1 | slot2 <ip-addr> <from-name> [[\<to-dir-path>\]<to-name>]
If the file name you specify is not on the TFTP server, the CLI displays messages such as those shown in the following example:
BigServerIron# copy tftp slot1 192.168.1.17 nots.txt
Downloading from tftp server ...
TFTP: received error request -- code 1 message File not found: C:/TFTP/nots.txt.
Error - can't download data from TFTP server, error code 17. Abort!
To simplify troubleshooting, especially when the file is present on your server but the command doesn’t find it, the messages list the complete TFTP path name on your TFTP server.
Possible values: See above.
Default value: N/A
copy tftp startup-configDownloads a copy of a configuration file from a TFTP server into the startup configuration file of the switch or router. To activate this configuration file, reload (reset) the system.
NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> startup-config command. See “ncopy tftp <ip-addr> <from-name> startup-config” on page 5-28.
EXAMPLE:
BigServerIron# copy tftp startup-config 192.22.33.4 new.cfg
5 - 14 February 2002
Privileged EXEC Commands
Syntax: copy tftp startup-config <ip-addr> <filename>
Possible values: See above.
Default value: N/A
debug ip nat
Places the device in diagnostic mode for Network Address Translation (NAT).
NOTE: This command is not supported on the ServerIron 400 or ServerIron 800.
EXAMPLE:
ServerIron# debug ip nat icmp 0.0.0.0
NAT: icmp src 10.10.100.18 => trans 192.168.2.79 dst 204.71.202.127
NAT: 192.168.2.79 204.71.202.127 ID 35768 len 60 txfid 13 icmp (8/0/512/519)
NAT: 204.71.202.127 10.10.100.18 ID 11554 len 60 txfid 15 icmp (0/0/512/519)
ServerIron# debug ip nat tcp 0.0.0.0
NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53
NAT: 192.168.2.78:8016 192.168.2.158:53 flags S ID 57970 len 44 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags S A ID 22762 len 44 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58226 len 40 txfid 13
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58482 len 77 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23018 len 42 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58738 len 40 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23274 len 131 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags FA ID 58994 len 40 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23530 len 40 txfid 15
NAT: 192.168.2.158:53 10.10.100.18:1473 flags FA ID 23786 len 40 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 59250 len 40 txfid 13
ServerIron# debug ip nat udp 0.0.0.0
NAT: udp src 10.10.100.18:1561 => trans 192.168.2.79:65286 dst 192.168.3.11:53
NAT: 192.168.2.79:65286 192.168.3.11:53 ID 35512 len 58 txfid 13
NAT: 192.168.3.11:53 10.10.100.18:1560 ID 8453 len 346 txfid 15
ServerIron# debug ip nat transdata
NAT: icmp src 10.10.100.18:2048 => trans 192.168.2.79 dst 204.71.202.127
NAT: udp src 10.10.100.18:1561 => trans 192.168.2.79:65286 dst 192.168.3.11:53
NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53
Syntax: debug ip nat icmp | tcp | udp <ip-addr>
Syntax: debug ip nat transdata
The <ip-addr> parameter specifies an IP address. The address applies to packets with the address as the source or the destination. Specify 0.0.0.0 to enable the diagnostic mode for all addresses.
The examples above show sample output from debug ip nat commands. The first three show the output of the diagnostic mode for ICMP NAT, TCP NAT, and UDP NAT. The fourth shows the output of the diagnostic mode for NAT translation requests.
To disable the NAT diagnostic mode, enter a command such as the following:
ServerIron# undebug ip nat tcp
Syntax: undebug ip nat icmp | tcp | udp | transdata
This command disables the diagnostic mode for NAT performed on TCP packets. NAT diagnostics for other types of packets remain enabled.
Possible values: N/A
Default value: Disabled
delete
Deletes a file from a flash card. This command applies only to management modules with PCMCIA slots.
NOTE: This command applies only to a BigServerIron using a Management IV module.
CAUTION: By default, the delete option deletes all files on the flash card. Make sure you specify the files you want to delete.
CAUTION: The software does not have an undelete option. Make sure you really want to delete the file.
EXAMPLE:
To delete a file on the flash card that has the management focus, enter a command such as the following:
BigServerIron# delete cfg.cfg
If the command is successful, the CLI displays a new command prompt.
Syntax: delete [slot1 | slot2] [<file-name>]
The command in this example deletes the specified file. To delete all files that contain a specific string of characters, enter a command such as the following:
BigServerIron# delete test*.*
This command deletes all files whose names start with “test”. To delete all the files on a flash card, enter a command such as the following:
BigServerIron# delete slot2
The command in this example deletes all files on the flash card in slot 2. In this example, slot 1 has the management focus, but the files to be deleted are on the flash card in slot 2.
Possible values: See above.
Default value: Deletes all files on the flash card!
dir
Lists the files on a flash card in a Management IV module’s PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: By default, the software displays the contents of the flash card in the slot that has the management focus. However, you do not need to change the focus to list the files on another flash card. You can specify the other flash card when you display the files.
EXAMPLE:
To display a directory of all the files on the flash card that has the management focus, enter the following command:
BigServerIron# dir
 Volume in slot1 has no label
 Volume Serial Number is 19ED-1725

 Directory of slot1

01/01/2000 00:00a 685935 POS.BIN
01/01/2000 00:00a 2157693 M4R.BIN
01/01/2000 00:00a 184 A22.CFG
01/01/2000 00:00a 254 R CFG.CFG
01/01/2000 00:00a 256 STR.CFG
01/01/2000 00:00a 1027230 M5.BIN
01/01/2000 00:00a 184 A8.CFG
01/01/2000 00:00a 1029838 M4S.BIN
01/01/2000 00:00a 687026 P3R.BIN
01/01/2000 00:00a 1029838 MM.BIN
 10 File(s) 6618438 bytes 74180608 bytes free
Syntax: dir [slot1 | slot2] [<file-name>]
To list only files that contain a specific pattern of characters in the name, enter a command such as the following:
BigServerIron# dir *.bin
 Volume in slot1 has no label
 Volume Serial Number is 19ED-1725

 Directory of slot1

01/01/2000 00:00a 685935 POS.BIN
01/01/2000 00:00a 2157693 M4R.BIN
01/01/2000 00:00a 1027230 M5.BIN
01/01/2000 00:00a 1029838 M4S.BIN
01/01/2000 00:00a 687026 P3R.BIN
01/01/2000 00:00a 1029838 MM.BIN
 6 File(s) 6617560 bytes 74180608 bytes free
The command in this example lists all the image files on the flash card in the slot that has the management focus. (More specifically, the command lists all the files that end with “.bin”.)
For information about the command’s display, see the “Displaying a Directory of the Files on a Flash Card” section in the “Using Redundant Management Modules” chapter of the Foundry Switching Router Installation and Configuration Guide.
Possible values: See above.
Default value: Displays all files on the flash card that has the management focus.
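A dir listing captured from the console is a convenient inventory of what is on a card, and the summary line lets you check that the capture is complete. The following Python script is an added example, not part of this reference or the ServerIron software: it parses the listing shown above into entries, recomputes the file count and total bytes and compares them with the "File(s)" summary line (both totals in the listing above check out), and reproduces the dir *.bin selection with a case-insensitive glob, since the reference states that names are not case sensitive. The sample text is the full listing from the example above, one entry per line. The single-letter column before CFG.CFG is treated as a file attribute flag; that is an assumption, as the reference does not explain it.

```python
import re
from fnmatch import fnmatch

# Sample text: the full directory listing from the dir example above.
SAMPLE_LISTING = """\
 Volume in slot1 has no label
 Volume Serial Number is 19ED-1725

 Directory of slot1

01/01/2000 00:00a 685935 POS.BIN
01/01/2000 00:00a 2157693 M4R.BIN
01/01/2000 00:00a 184 A22.CFG
01/01/2000 00:00a 254 R CFG.CFG
01/01/2000 00:00a 256 STR.CFG
01/01/2000 00:00a 1027230 M5.BIN
01/01/2000 00:00a 184 A8.CFG
01/01/2000 00:00a 1029838 M4S.BIN
01/01/2000 00:00a 687026 P3R.BIN
01/01/2000 00:00a 1029838 MM.BIN
 10 File(s) 6618438 bytes 74180608 bytes free
"""

# One entry: date, time, size in bytes, optional one-letter attribute (assumed), name.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}[ap])\s+(?P<size>\d+)\s+"
    r"(?:(?P<attr>[A-Z])\s+)?(?P<name>\S+)$")
# Trailer: file count, total bytes in the listed files, bytes free on the card.
SUMMARY_RE = re.compile(
    r"^(?P<count>\d+) File\(s\)\s+(?P<total>\d+) bytes\s+(?P<free>\d+) bytes free$")


def parse_dir_listing(text):
    """Return (entries, summary); summary is None if no trailer line was found."""
    entries, summary = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = {k: int(v) for k, v in m.groupdict().items()}
    return entries, summary


def total_bytes(entries):
    return sum(e["size"] for e in entries)


def summary_is_consistent(entries, summary):
    """True when the trailer agrees with the entries actually captured."""
    return (summary is not None
            and summary["count"] == len(entries)
            and summary["total"] == total_bytes(entries))


def select(entries, pattern):
    """Case-insensitive glob over names, like dir *.bin on the device."""
    return [e for e in entries if fnmatch(e["name"].lower(), pattern.lower())]


if __name__ == "__main__":
    entries, summary = parse_dir_listing(SAMPLE_LISTING)
    print("capture complete:", summary_is_consistent(entries, summary))
    images = select(entries, "*.bin")
    print(len(images), "image files,", total_bytes(images), "bytes")
```

Keep the listing for a known-good card and diff it against a later capture: a changed size on an image file, or a name that no longer matches, is worth explaining before that card is used to reload the device.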
debug access-list
Places the device in diagnostic mode for IP access lists. Use this diagnostic mode only if advised to do so by Foundry Technical Support.
Possible values: N/A
Default value: Disabled
erase flash primary
Erases the image stored in primary flash.
EXAMPLE:
ServerIron# erase flash primary
Syntax: erase flash primary
Possible values: N/A
Default value: N/A
erase flash secondary
Erases the image stored in secondary flash.
EXAMPLE:
ServerIron# erase flash secondary
Syntax: erase flash secondary
Possible values: N/A
Default value: N/A
erase startup-config
Erases the configuration stored in the startup-config file.
EXAMPLE:
ServerIron# erase startup-config
Syntax: erase startup-config
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the user level.
EXAMPLE:
To move from the privileged level, back to the user level, enter the following:
ServerIron# exit
ServerIron>
Syntax: exit
Possible values: N/A
Default value: N/A
fastboot
Provides a configurable option to speed up the system startup time. By default, this option is turned off, providing a three-second pause to allow a user to break into the boot prompt, if necessary. Use fastboot on to turn this option on and eliminate the three-second pause. To turn this feature off later, enter the command fastboot off. Fastboot changes will be saved automatically but will not become active until after a system reset.
To execute an immediate reload from the console of the boot code without a three-second delay, you can enter the fast reload command.
EXAMPLE:
ServerIron# fastboot on
Syntax: fastboot [on | off]
Possible values: on or off
Default value: off
format
Reformats a flash card in a Management IV module’s PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To reformat a flash card, enter the following command:
BigServerIron# format slot2
Formatting Flash Card(256 clusters per dot) ..........................................................................................................................................................
Verifying Flash Card(256 clusters per dot) ..........................................................................................................................................................
80809984 bytes total card space.
80809984 bytes available on card.
2048 bytes in each allocation unit.
39458 allocation units available on card.
Flash card format done
As shown in this example, the software formats the sectors on the flash card, then verifies the formatting. In this example, the software found no bad sectors, so all the bytes on the card are available.
Syntax: format slot1 | slot2 [<label>]
The slot1 | slot2 parameter specifies the PCMCIA slot that contains the flash card you are formatting.
The <label> parameter specifies the label. You can specify up to 11 alphanumeric characters. You cannot use special characters or spaces.
Possible values: See above
Default value: N/A
hd
Displays the data in a file on a flash card in hexadecimal format. This command applies only to management modules with PCMCIA flash slots.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To display the data in a file in hexadecimal format, enter a command such as the following:
BigServerIron# hd cfg.cfg
Syntax: hd [slot1 | slot2] <file-name>
Each row of hexadecimal output contains the following parts:
• The byte offset of the data displayed to the right of the offset
• A row of hexadecimal data
• The ASCII equivalent of the hexadecimal data shown in the row
Possible values: see above
Default value: N/A
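The three-column row described above (offset, hex bytes, ASCII equivalent) is the classic hex dump layout, and being able to produce and reverse it is what lets you compare an hd listing captured from the console with a file you hold elsewhere. The following Python script is an added example, not code from this reference or the ServerIron software. It renders bytes in that layout, rebuilds the bytes from the rows while checking that every row's offset equals the number of bytes already recovered (so a missing, duplicated or reordered row is reported instead of silently corrupting the result), and compares a dump against a known-good copy. The exact column widths, 16 bytes per row and an 8-digit offset, are this example's assumption; the reference names the columns but not their widths.

```python
import string

# Bytes rendered literally in the ASCII column; everything else is shown as ".".
PRINTABLE = {ord(c) for c in string.printable if c not in "\t\n\r\x0b\x0c"}


def hexdump(data: bytes, width: int = 16) -> list:
    """Render data as rows of: byte offset, hex bytes, ASCII equivalent.

    Assumed layout: 8-digit hex offset, two spaces, the hex bytes padded to a
    fixed width, two spaces, then the ASCII column between vertical bars.
    """
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        rows.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  |{ascii_part}|")
    return rows


def unhexdump(rows, width: int = 16) -> bytes:
    """Rebuild the bytes from rows produced by hexdump().

    Each row's offset must equal the byte count recovered so far; a gap or
    a repeated row raises ValueError rather than producing wrong bytes.
    """
    out = bytearray()
    for row in rows:
        offset = int(row[:8], 16)
        if offset != len(out):
            raise ValueError(
                f"row offset {offset:#x} does not match {len(out):#x} bytes recovered")
        # bytes.fromhex skips the separating and padding whitespace.
        out += bytes.fromhex(row[10:10 + width * 3 - 1])
    return bytes(out)


def dump_matches(data: bytes, rows) -> bool:
    """True when the captured dump rows reproduce data exactly."""
    try:
        return unhexdump(rows) == data
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a short configuration fragment.
    sample = b"hostname BigServerIron\n"
    for row in hexdump(sample):
        print(row)
    print("round trip ok:", dump_matches(sample, hexdump(sample)))
```

To compare a file on a card with your own copy, paste the captured hd rows into unhexdump() and compare the bytes, or run hexdump() over your copy and diff the two listings line by line; the offset check makes a truncated capture fail loudly.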
kill
Terminates the specified active CLI session and resets the CONFIG token. Once you know the session ID of a Telnet connection (using the show who command), you can terminate it with the kill command. If the terminated session was a console, the console is sent back into User EXEC mode. If the terminated CLI session was a Telnet session, the Telnet connection is closed.
EXAMPLE:
ServerIron# kill telnet 1
Syntax: kill console | telnet <session-id>
Possible values: Session ID number from show who command
Default value: N/A
locate
Displays or changes the save location for the startup-config file.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
BigServerIron# locate startup-config
Syntax: locate startup-config
EXAMPLE:
By default, when you save configuration changes, the changes are saved to the startup-config file on the device’s flash memory module. If you want to change the save location to a PCMCIA slot, enter a command such as the following:
BigServerIron# locate startup-config slot1 router1.cfg
BigServerIron# write memory
The first command in this example sets the device to save configuration changes to the file named “router1.cfg” in the flash card in PCMCIA slot 1. The second command saves the running-config to the router1.cfg file on the flash card in slot 1.
NOTE: In this example, after you save the configuration changes using the write memory command, the router1.cfg file will include the command that designates PCMCIA slot1 as the save location for configuration changes.
Syntax: locate startup-config [[slot1 | slot2] <file-name>]
You can specify a relative path name or full path name as part of the file name.
Possible values: See above
Default value: N/A
md
Another form of the mkdir command. See “mkdir” on page 5-21.
mkdir
Creates a subdirectory on a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
BigServerIron# mkdir slot1 \TEST
To verify successful creation of the subdirectory, enter a command to change to the new subdirectory level:
BigServerIron# chdir \TEST
Current directory of slot1 is: \TEST
Syntax: md | mkdir [slot1 | slot2] <dir-name>
You can enter either md or mkdir for the command name.
The slot1 | slot2 parameter specifies a PCMCIA slot. If you do not specify a slot, the command applies to the slot that currently has the management focus.
The <dir-name> parameter specifies the subdirectory name. You can enter a name that contains any combination of the following characters. Do not enter a backslash “ / ” in front of the name.
• All upper and lowercase letters
• All digits
• Spaces
• Any of the following special characters: $ % ' - _ @ ~ ` ! ( ) { } ^ # &
You can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: “a long subdirectory name”.
A subdirectory or file name can be a maximum of 256 characters long. A complete subdirectory path name cannot contain more than 263 characters.
The name is not case sensitive. You can enter upper- or lowercase letters. The CLI displays the name using uppercase letters.
Possible values: See above
Default value: N/A
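The naming rules above (permitted characters, spaces only inside double quotes, 256 characters per name, 263 per complete path, names displayed in uppercase) are easy to violate when file names are generated by a script rather than typed. The following Python script is an added example, not part of this reference or the ServerIron software; it checks a name or a backslash-separated path against those rules before it is placed on a command line and returns the name as the CLI will display it. Two details are this example's assumptions: the 263-character path limit is applied to the path string as typed, leading backslash included, and the limits are counted in characters.

```python
# Rules from the mkdir description above.
ALLOWED_SPECIALS = set("$%'-_@~`!(){}^#&")
MAX_NAME_LEN = 256   # one file or subdirectory name
MAX_PATH_LEN = 263   # a complete subdirectory path name (assumed: as typed)


def validate_name(name: str) -> str:
    """Return the name as the CLI displays it (uppercase) or raise ValueError."""
    if not name:
        raise ValueError("name is empty")
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"name is {len(name)} characters; the maximum is {MAX_NAME_LEN}")
    for ch in name:
        permitted = ch.isascii() and (ch.isalnum() or ch == " " or ch in ALLOWED_SPECIALS)
        if not permitted:
            raise ValueError(f"character {ch!r} is not permitted in a name")
    return name.upper()


def is_valid_name(name: str) -> bool:
    try:
        validate_name(name)
        return True
    except ValueError:
        return False


def cli_argument(name: str) -> str:
    """The name as it must be typed: a name containing spaces goes in double quotes."""
    validate_name(name)
    return f'"{name}"' if " " in name else name


def validate_path(path: str) -> str:
    """Validate a path such as \\TEST\\SUB and return it normalized to uppercase."""
    if len(path) > MAX_PATH_LEN:
        raise ValueError(f"path is {len(path)} characters; the maximum is {MAX_PATH_LEN}")
    parts = path.split("\\")
    if parts and parts[0] == "":
        parts = parts[1:]          # tolerate a leading backslash
    if not parts or parts == [""]:
        raise ValueError("path is empty")
    return "\\" + "\\".join(validate_name(p) for p in parts)


def is_valid_path(path: str) -> bool:
    try:
        validate_path(path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("TEST", "a long subdirectory name", "bad*name", "x" * 257):
        print(repr(candidate[:30]), "->", "ok" if is_valid_name(candidate) else "rejected")
    print(validate_path("\\test\\sub dir"))
```

Run the check on every generated name before it reaches an mkdir or copy command; a rejected name is cheaper to fix in the script than to discover as a parser error on the console.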
more
Displays the data in a file on a flash card in a Management IV module’s PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To display the contents of a file, enter a command such as the following:
BigServerIron# more cfg.cfg
Syntax: more [slot1 | slot2] <file-name>
Possible values: See above.
Default value: N/A
ncopy flash primary | secondary slot1 | slot2 <to-name>
Copies a file from flash memory to a PCMCIA flash card on the management module.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy flash slot1 | slot2 command. See “copy flash slot1 | slot2” on page 5-10.
EXAMPLE:
To copy a file from flash memory to a flash card, enter a command such as the following:
BigServerIron# ncopy flash primary slot2 BIS07000.bin
Flash Card Write (128 KBytes per dot) .......
Write to slot2 BIS07000.bin succeeded
The command in this example copies a software image file from the primary area in flash memory onto the flash card in slot 2.
If the copy does not succeed, the software lists messages to indicate the reason the copy did not work. For example, the following messages indicate that the copy did not work because the slot specified for the copy does not contain a flash card.
BigServerIron# ncopy flash secondary slot2 m4s.car
The system can not find the drive specified
Write to slot2 m4s.car failed
Syntax: ncopy flash primary | secondary slot1 | slot2 [\<to-dir-path>\]<to-name>
Possible values: See above.
Default value: N/A
ncopy flash primary | secondary tftp <ip-addr> <from-name>
Uploads a copy of the primary or secondary software image to a TFTP server.
NOTE: This command does the same thing as the copy flash tftp <ip-addr> <filename> primary | secondary command. See “copy flash tftp” on page 5-10.
EXAMPLE:
BigServerIron# ncopy flash secondary tftp 192.22.33.4 test.img
Syntax: ncopy flash primary | secondary tftp <ip-addr> <from-name>
Possible values: See above.
Default value: N/A
ncopy running slot1 | slot2 <to-name>
Copies the device’s running-config to a PCMCIA flash card. The running-config contains the device’s currently active configuration information. When you copy the running-config to a flash card, you are making a copy of the device’s current configuration, including any configuration changes you have not saved to the startup-config file.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy running slot1 | slot2 <to-name> command. See “copy running slot1 | slot2” on page 5-10.
EXAMPLE:
To copy the device’s running configuration into a file on a flash card, enter a command such as the following:
BigServerIron# ncopy running slot1 runip.1
Write to slot1 run.sw succeeded
Syntax: ncopy running slot1 | slot2 [\<to-dir-path>\]<to-name>
Possible values: See above.
Default value: N/A
ncopy running-config tftp <ip-addr> <from-name>
Uploads a copy of the running configuration file from the switch or router to a designated TFTP server.
NOTE: This command does the same thing as the copy running-config tftp <ip-addr> <filename> command. See “copy running-config tftp” on page 5-11.
EXAMPLE:
BigServerIron# ncopy running-config tftp 192.22.3.44 newrun.cfg
Syntax: ncopy running-config tftp <ip-addr> <from-name>
Possible values: See above.
Default value: N/A
ncopy slot1 | slot2 <from-name> flash primary | secondary
Copies a file from a PCMCIA flash card to the primary or secondary area in flash memory.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy slot1 | slot2 flash <from-name> primary | secondary command. See “copy flash slot1 | slot2” on page 5-10.
EXAMPLE:
To copy a file from a flash card to the primary area in flash memory, enter a command such as the following:
BigServerIron# ncopy slot1 B2P07000.bin flash primary
BigServerIron# Flash Erase ------------------------------------------
Flash Memory Write (8192 bytes per dot) ..............................................................................................................................
code flash copy done
Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> flash primary | secondary
Possible values: See above.
Default value: N/A
ncopy slot1 | slot2 <from-name> running
Loads ACLs from a running-config file into the device’s active configuration.
NOTE: This command applies only to a BigServerIron using a Management IV module.
For example, if the device’s configuration includes a large set of Access Control Lists (ACLs), you can configure the ACLs offline in a text file on a PC, then save the file to the flash card. To load the ACLs, you can insert the flash card in the Foundry device, then copy the file to the device’s running configuration.
NOTE: This feature allows you to preconfigure and load large sets of ACLs. If you accidentally try to load a running-config file that contains other types of configuration information using this method, the software might display error messages. This occurs when the device’s parser encounters lines in the file that do not correspond to valid configuration commands.
NOTE: This command does the same thing as the copy slot1 | slot2 running <from-name> command. See “copy slot1 | slot2 running” on page 5-11.
EXAMPLE:
To copy a running-config file from a flash card, enter a command such as the following:
BigServerIron# ncopy slot2 runip.2 running
Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> running
The command in this example changes the device’s active configuration based on the information in the file.
Possible values: See above.
Default value: N/A
ncopy slot1 | slot2 <from-name> slot1 | slot2 [<to-name>]
Copies files from one PCMCIA flash card on a management module to the other card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy <from-card> <to-card> <from-name> [<to-name>] command. See “copy <from-card> <to-card>” on page 5-9.
EXAMPLE:
To copy a file from one flash card to the other, enter the following command:
BigServerIron# ncopy slot1 sales.cfg slot2
Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> slot1 | slot2 [[\<to-dir-path>\]<to-name>]
The command shown in the example above copies a file from the flash card in slot 1 to the flash card in slot 2. In this case, the software uses the same name for the original file and for the copy. Optionally, you can specify a different file name for the copy.
Possible values: See above.
Default value: N/A
ncopy slot1 | slot2 <from-name> start
Copies a startup-config file from a PCMCIA flash card to flash memory. By default, the device uses the startup-config in the primary area of flash memory to configure itself when you boot or reload the device.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: The device cannot use a startup-config file on a flash card to configure itself. You cannot boot or reload from a flash card.
NOTE: This command does the same thing as the copy slot1 | slot2 start <from-name> command. See “copy slot1 | slot2 start” on page 5-12.
EXAMPLE:
To copy a startup-config file from a flash card to flash memory, enter a command such as the following:
BigServerIron# ncopy slot1 test2.cfg start
..
Write startup-config done.
Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> start
This command copies a configuration file named test2.cfg from the flash card in slot 2 into the device’s flash memory. The next time you reboot or reload the device, it uses the configuration information in test2.cfg.
Possible values: See above.
Default value: N/A
ncopy start slot1 | slot2 <to-name>
Copies the device’s startup-config file from flash memory onto a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy start slot1 | slot2 <to-name> command. See “copy start slot1 | slot2” on page 5-13.
EXAMPLE:
To copy the device’s startup-config file from flash memory onto a flash card, enter a command such as the following:
BigServerIron# ncopy start slot1 mfgtest.cfg
Write to slot1 cfgtest.cfg succeeded
Syntax: ncopy start slot1 | slot2 [\<to-dir-path>\]<to-name>
Possible values: See above.
Default value: N/A
ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>]
Copies a file from a PCMCIA flash card to a TFTP server.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy slot1 | slot2 tftp <ip-addr> <from-name> [<to-name>] command. See “copy slot1 | slot2 tftp” on page 5-12.
EXAMPLE:
To copy a file from a flash card to a TFTP server, enter a command such as the following:
BigServerIron# ncopy slot1 notes.txt tftp 192.168.1.17
Uploading 254 bytes to tftp server ...
Upload to TFTP server done.
Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> tftp <ip-addr> [<to-name>]
Possible values: See above.
Default value: N/A
ncopy startup-config tftp <ip-addr> <from-name>
Uploads a copy of the startup configuration file from the switch or router to a designated TFTP server.
NOTE: This command does the same thing as the copy startup-config tftp <ip-addr> <filename> command. See “copy startup-config tftp” on page 5-13.
EXAMPLE:
BigServerIron# ncopy startup-config tftp 192.22.3.44 new.cfg
Syntax: ncopy startup-config tftp <ip-addr> <from-name>
Possible values: See above.
Default value: N/A
ncopy tftp <ip-addr> <from-name> flash primary | secondary
Downloads a copy of a Foundry switch or router software image from a TFTP server into the system flash in the primary or secondary storage location.
NOTE: This command does the same thing as the copy tftp flash <ip-addr> <filename> primary | secondary command. See “copy tftp flash” on page 5-13.
EXAMPLE:
BigServerIron# ncopy tftp 192.22.33.4 test.img flash primary
To download into the secondary storage location, enter the command listed below instead:
ServerIron# ncopy tftp 192.22.33.4 test.img flash secondary
Syntax: ncopy tftp <ip-addr> <from-name> flash primary | secondary
Possible values: See above.
Default value: N/A
ncopy tftp <ip-addr> <from-name> running-config
Downloads a copy of a running-config file from a TFTP server into the running-config of the switch or router.
NOTE: This command does the same thing as the copy tftp running-config <ip-addr> <filename> command. See “copy tftp running-config” on page 5-14.
EXAMPLE:
BigServerIron# ncopy tftp 192.22.33.4 newrun.cfg running-config
Syntax: ncopy tftp <ip-addr> <from-name> running-config
Possible values: See above.
Default value: N/A
ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>]
Copies a file from a TFTP server to a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: This command does the same thing as the copy tftp slot1 | slot2 <ip-addr> <from-name> [<to-name>] command. See “copy tftp slot1 | slot2” on page 5-14.
EXAMPLE:
To copy a file from a TFTP server to a flash card, enter a command such as the following:
BigServerIron# ncopy tftp 192.168.1.17 notes.txt slot1
Downloading from tftp server ...
Tftp 254 bytes done, copy to slot1 ...
Write to slot1 cfg.cfg succeeded
Syntax: ncopy tftp <ip-addr> <from-name> slot1 | slot2 [[\<to-dir-path>\]<to-name>]
If the file name you specify is not on the TFTP server, the CLI displays messages such as those shown in the following example:
BigServerIron# ncopy tftp 192.168.1.17 nots.txt slot1
Downloading from tftp server ...
TFTP: received error request -- code 1 message File not found: C:/TFTP/nots.txt.
Error - can't download data from TFTP server, error code 17. Abort!
To simplify troubleshooting, especially when the file is present on your server but the command doesn’t find it, the messages list the complete TFTP path name on your TFTP server.
Possible values: See above.
Default value: N/A
ncopy tftp <ip-addr> <from-name> startup-config
Downloads a copy of a configuration file from a TFTP server into the startup configuration file of the switch or router. To activate this configuration file, reload (reset) the system.
NOTE: This command does the same thing as the copy tftp startup-config <ip-addr> <filename> command. See “copy tftp startup-config” on page 5-14.
EXAMPLE:
BigServerIron# ncopy tftp 192.22.33.4 new.cfg startup-config
Syntax: ncopy tftp <ip-addr> <from-name> startup-config
Possible values: See above.
Default value: N/A
page-display
Enables page-by-page display of the configuration file. When you display or save the file, one "page" (window-full) of the file is displayed. The following line provides you with options to continue the display or to cancel:
--More--, next page: Space/Return key, quit: Control-c
If you disable the page-display mode, the CLI displays the entire file without interruption.
Page-display mode is enabled by default. To disable it, enter the skip-page-display command.
NOTE: This command is equivalent to the enable skip-page-display command at the global CONFIG level.
EXAMPLE:
ServerIron# page-display
Syntax: page-display
Possible values: N/A
Default value: N/A
ping
Verifies connectivity to a Foundry switch or Layer 3 Switch or other device. The command performs an ICMP echo test to confirm connectivity to the specified device.
EXAMPLE:
ServerIron# ping 192.22.2.33
Syntax: ping <ip-addr> | <hostname> [count <num>] [timeout <msec>] [ttl <num>] [size <byte>] [no-fragment] [quiet] [verify] [data <1 – 4 byte hex>] [brief]
The only required parameter is the IP address or host name of the device.
NOTE: If the device is a Foundry switch or Layer 3 Switch, you can use the host name only if you have already enabled the Domain Name Server (DNS) resolver feature on the device from which you are sending the ping. See “ip dns domain-name” on page 6-35 and “ip dns server-address” on page 6-35.
The count <num> parameter specifies how many ping packets the device sends. You can specify from 1 – 4294967296. The default is 1.
The timeout <msec> parameter specifies how many milliseconds the Foundry device waits for a reply from the pinged device. You can specify a timeout from 1 – 4294967296 milliseconds. The default is 5000 (5 seconds).
The ttl <num> parameter specifies the maximum number of hops. You can specify a TTL from 1 – 255. The default is 64.
The size <byte> parameter specifies the size of the ICMP data portion of the packet. This is the payload and does not include the header. You can specify from 0 – 4000. The default is 16.
The no-fragment parameter turns on the "don’t fragment" bit in the IP header of the ping packet. This option is disabled by default.
The quiet parameter hides informational messages such as a summary of the ping parameters sent to the device and instead only displays messages indicating the success or failure of the ping. This option is disabled by default.
The verify parameter verifies that the data in the echo packet (the reply packet) is the same as the data in the echo request (the ping). By default the device does not verify the data.
The data <1 – 4 byte hex> parameter lets you specify a specific data pattern for the payload instead of the default data pattern, "abcd", in the packet’s data payload. The pattern repeats itself throughout the ICMP message (payload) portion of the packet.
NOTE: For numeric parameter values, the CLI does not check that the value you enter is within the allowed range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid value.
The brief parameter causes ping test characters to be displayed. The following ping test characters are supported:
! Indicates that a reply was received.
. Indicates that the network server timed out while waiting for a reply.
U Indicates that a destination unreachable error PDU was received.
I Indicates that the user interrupted ping.
Possible values: see above
Default value: see above
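Two points above are worth encoding in a script: the CLI does not range-check numeric ping parameters but silently rounds them to the nearest valid value, and the brief form reports each probe as one of four characters. The following Python script is an added example, not part of this reference or the ServerIron software. It assembles a ping command line from the documented ranges and keyword order, refusing an out-of-range value rather than letting the device quietly change it, and it summarises brief output into reply, timeout, unreachable and interrupted counts with a loss percentage. The option names and the summary dictionary are this example's own; the ranges, defaults and characters are those documented above.

```python
import re

# Numeric parameters: (minimum, maximum, default) as documented above.
PING_RANGES = {
    "count": (1, 4294967296, 1),
    "timeout": (1, 4294967296, 5000),
    "ttl": (1, 255, 64),
    "size": (0, 4000, 16),
}
# Keyword order follows the Syntax line above.
PING_ORDER = ("count", "timeout", "ttl", "size", "no-fragment", "quiet",
              "verify", "data", "brief")
# Meaning of the ping test characters printed with the brief parameter.
BRIEF_CHARS = {"!": "reply", ".": "timeout", "U": "unreachable", "I": "interrupted"}


def in_range(name, value):
    """True when value is an integer inside the documented range for name."""
    low, high, _default = PING_RANGES[name]
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def build_ping_command(target, **options):
    """Assemble a ping command line; keyword options use '_' for '-'.

    The device rounds an out-of-range number to the nearest valid value
    without saying so, so this refuses such values instead.
    """
    given = {key.replace("_", "-"): value for key, value in options.items()}
    unknown = set(given) - set(PING_ORDER)
    if unknown:
        raise ValueError(f"unknown ping option(s): {sorted(unknown)}")
    parts = ["ping", target]
    for name in PING_ORDER:
        if name not in given:
            continue
        value = given[name]
        if name in PING_RANGES:
            if not in_range(name, value):
                low, high, _default = PING_RANGES[name]
                raise ValueError(f"{name} must be {low} - {high}, got {value!r}")
            parts += [name, str(value)]
        elif name == "data":
            # 1 - 4 bytes of hex, i.e. 2 to 8 hex digits
            if not re.fullmatch(r"(?:[0-9a-fA-F]{2}){1,4}", str(value)):
                raise ValueError("data must be 1 - 4 bytes of hex")
            parts += ["data", str(value)]
        elif value:
            parts.append(name)           # no-fragment, quiet, verify, brief
    return " ".join(parts)


def summarize_brief(output):
    """Count the ping test characters in brief output and compute loss."""
    counts = {label: 0 for label in BRIEF_CHARS.values()}
    for ch in output:
        if ch in BRIEF_CHARS:
            counts[BRIEF_CHARS[ch]] += 1
    sent = counts["reply"] + counts["timeout"] + counts["unreachable"]
    counts["sent"] = sent
    counts["loss_percent"] = 0 if sent == 0 else 100 * (sent - counts["reply"]) // sent
    return counts


if __name__ == "__main__":
    print(build_ping_command("192.22.2.33", count=5, size=100, brief=True))
    # Constructed sample of brief output: four replies, one timeout, one unreachable.
    print(summarize_brief("!!!.!U"))
```

Because the device rounds rather than rejects, a script that passes ttl 300 would silently send with ttl 255; raising in build_ping_command() keeps the intended parameters and the ones actually used identical.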
pwd
Indicates which flash card in a Management IV module’s PCMCIA slot has the management focus.
NOTE: This command applies only to a BigServerIron using a Management IV module.
The management focus determines the default flash card for a file management operation. For example, when you list a directory of the files on a flash card, the PCMCIA slot parameter is optional. If you do not specify the slot, the software displays the contents of the flash card in the slot that currently has the management focus. As another example, the command for deleting a file from a flash card does not require that you specify the PCMCIA slot. If you do not specify the slot, the command deletes the file from the flash card that has the management focus.
When you power on or reload a device, if the management module contains only one flash card, the slot that contains the flash card receives the management focus by default. If both slots contain flash cards, slot 1 receives the management focus by default.
EXAMPLE:
To display which flash card currently has the management focus, enter the following command:
BigServerIron# pwd
slot1
Syntax: pwd
In this example, the flash card in slot 1 has the management focus.
Possible values: N/A
Default value: N/A
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rconsole
Logs in to a WSM CPU on the Web Switching Management Module.
EXAMPLE:
ServerIron# rconsole 2 1
ServerIron2/1 #
This command changes the management session from the MP to WSM CPU 1 on the Web Switching Management Module in slot 2. Notice that the end of the command prompt changes to indicate the slot number and WSM CPU number.
Syntax: rconsole <slotnum> <cpunum>
The <slotnum> parameter specifies the chassis slot that contains the module.
• Slots on a four-slot chassis are numbered 1 – 4, from top to bottom.
• Slots on an eight-slot chassis are numbered 1 – 8, from left to right.
The <cpunum> parameter specifies the WSM CPU. The WSM CPUs are numbered from 1 – 3.
For more information, see the "Using the Web Switching Management Module" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: See above.
Default value: Disabled
rconsole-exit
Logs out of a WSM CPU on the Web Switching Management Module.
EXAMPLE:
To log out from a management session with a WSM CPU, enter the following command at the WSM command prompt:
ServerIron2/1 # rconsole-exit
ServerIron#
Syntax: rconsole-exit
NOTE: You must enter the entire command name (rconsole-exit). The CLI will not accept abbreviated forms of the command.
Possible values: See above.
Default value: N/A
rd
Another form of the rmdir command. See “rmdir” on page 5-31.
Privileged EXEC Commands
reload
Initiates a system reset. All configuration changes made since the last reset or start of the ServerIron will be saved to the startup configuration file.
EXAMPLE:
ServerIron# reload
Syntax: reload [after <dd:hh:mm>] | [at <hh:mm:ss> <mm-dd-yy>] | [cancel] [primary | secondary]
Possible values:
after <dd:hh:mm> causes the system to reload after the specified amount of time has passed.
at <hh:mm:ss> <mm-dd-yy> causes the system to reload at exactly the specified time.
cancel cancels the scheduled reload
primary | secondary specifies whether the reload is to occur from the primary code flash module or the secondary code flash module. The default is primary.
NOTE: The reload command must be typed in its entirety.
Default value: N/A
rename
Renames a file on a flash card in a Management IV module’s PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To rename a file, enter a command such as the following:
ServerIron# rename oldname newname
Syntax: rename [slot1 | slot2] <old-name> <new-name>
If the command is successful, the CLI displays a new command prompt.
Possible values: See above.
Default value: N/A
rmdir
Removes a subdirectory from a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
BigServerIron# rmdir \TEST
Syntax: rd | rmdir [slot1 | slot2] <dir-name>
You can enter either rd or rmdir for the command name.
The slot1 | slot2 parameter specifies a PCMCIA slot.
The <dir-name> parameter specifies the subdirectory you want to delete. You can enter a path name if the subdirectory is not in the current directory.
NOTE: You can remove a subdirectory only if the subdirectory does not contain files or other subdirectories.
If you receive a message such as the following, enter the pwd command to verify that the management focus is at the appropriate level of the directory tree.
BigServerIron# rmdir \TEST
File not found
Possible values: See above.
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
skip-page-display
Disables page-display mode. Page-display mode displays the file one page at a time and prompts you to continue or cancel the display. When page-display mode is disabled, if you display or save the configuration file, the CLI displays the entire file without interruption.
Page display mode is enabled by default.
NOTE: This command is equivalent to the no enable skip-page-display command at the global CONFIG level.
EXAMPLE:
ServerIron> skip-page-display
Syntax: skip-page-display
Possible values: N/A
Default value: Enabled
sntp sync
Synchronizes the device’s system clock with the time supplied by the device’s SNTP server.
You define the SNTP server using the sntp server... command at the global CONFIG level. You also can define how often the clock references are validated between the ServerIron and the SNTP server by entering the sntp poll-interval command at the global CONFIG level.
NOTE: Configure the clock timezone parameter before configuring an SNTP server.
EXAMPLE:
ServerIron# sntp sync
Syntax: sntp sync
Possible values: N/A
Default value: N/A
stop-trace-route
Stops an initiated trace on a ServerIron.
EXAMPLE:
ServerIron# stop-trace-route
Syntax: stop-trace-route
Possible values: N/A
Default value: N/A
sync-standby
Immediately synchronizes software between the active and standby management modules. When you synchronize software, the active module copies the software you specify to the standby module, replacing the software on the standby module.
NOTE: This command applies only to a BigServerIron with redundant management modules.
EXAMPLE:
To immediately synchronize the boot code on the standby module with the boot code on the active module, enter the following command at the Privileged EXEC level of the CLI:
BigServerIron# sync-standby boot
Syntax: sync-standby boot
To immediately synchronize the flash code (system software) on the standby module with the flash code on the active module, enter the following command at the Privileged EXEC level of the CLI:
BigServerIron# sync-standby code
Syntax: sync-standby code
To immediately synchronize the running-config on the standby module with the running-config on the active module, enter the following command at the Privileged EXEC level of the CLI:
BigServerIron# sync-standby running-config
Syntax: sync-standby running-config
To immediately synchronize the startup-config file on the standby module with the startup-config file on the active module, enter the following command at the Privileged EXEC level of the CLI:
BigServerIron# sync-standby startup-config
Syntax: sync-standby startup-config
Possible values: See above
Default value: N/A
telnet
Allows a Telnet connection to a remote ServerIron using the console. Up to five Telnet access sessions can be supported on a ServerIron at one time. Write access through Telnet is limited to one session, and only one outgoing Telnet session is supported on a ServerIron at one time.
To see the number of open Telnet sessions at any time, enter the command show telnet.
EXAMPLE:
ServerIron# telnet 208.96.6.101
Syntax: telnet <ip-addr> | <hostname>
Possible values: N/A
Default value: N/A
temperature shutdown
Changes the shutdown temperature of a module containing a temperature sensor. If the temperature matches or exceeds the shutdown temperature, the software sends a Syslog message to the Syslog buffer and also to the SyslogD server if configured. The software also sends an SNMP trap to the SNMP trap receiver, if you have configured the device to use one.
If the temperature equals or exceeds the shutdown temperature for five consecutive polls of the temperature by the software, the software shuts down the module to prevent damage.
EXAMPLE:
To change the shutdown temperature from 55 to 57 degrees Celsius, enter the following command:
ServerIron# temperature shutdown 57
Syntax: temperature shutdown <value>
The <value> can be 0 – 125.
Possible values: 0 – 125 degrees Celsius
Default value: 55
temperature warning
Changes the warning temperature of a module containing a temperature sensor. If the temperature of the module reaches the warning value, the software sends a Syslog message to the Syslog buffer and also to the SyslogD server, if configured. In addition, the software sends an SNMP trap to the SNMP trap receiver, if you have configured the device to use one.
NOTE: You cannot set the warning temperature to a value higher than the shutdown temperature.
EXAMPLE:
To change the warning temperature from 45 to 47 degrees Celsius, enter the following command:
ServerIron# temperature warning 47
Syntax: temperature warning <value>
The <value> can be 0 – 125.
Possible values: 0 – 125 degrees Celsius
Default value: 45
traceroute
Allows you to trace the path from the current ServerIron to a host address. This command is not available on Foundry switches.
EXAMPLE:
ServerIron# traceroute 192.33.4.7 minttl 5 maxttl 5 timeout 5
Syntax: traceroute <host-ip-addr> [minttl <value>] [maxttl <value>] [timeout <value>] [numeric]
minttl – minimum TTL (hops) value: Possible values are 1 – 255. Default value is 1 hop.
maxttl – maximum TTL (hops) value: Possible values are 1 – 255. Default value is 30 hops.
timeout – Possible values are 1 – 120. Default value is 2 seconds.
numeric – Lets you change the display to list the devices by their IP addresses instead of their names.
Possible values: See above.
Default value: See above.
undebug access-list
Disables access-list diagnostic mode.
EXAMPLE:
ServerIron# undebug access-list 1
Syntax: undebug access-list <num>
Possible values: See above.
Default value: N/A
undebug ip nat
Disables diagnostic mode for NAT.
NOTE: This command is not supported on the ServerIron 400 or ServerIron 800.
EXAMPLE:
To disable the NAT diagnostic mode, enter a command such as the following:
ServerIron# undebug ip nat tcp
Syntax: undebug ip nat icmp | tcp | udp | transdata
This command disables the diagnostic mode for NAT performed on TCP packets. NAT diagnostics for other types of packets remain enabled.
Possible values: See above.
Default value: N/A
undelete
Recovers a file deleted from a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: When you delete a file from a flash card, the CLI leaves the file intact but removes the first letter in the file name from the file directory. However, if you save file changes or new files that use part of the space occupied by the deleted file, you cannot undelete the file. The undelete command lists only the files that can be undeleted.
EXAMPLE:
BigServerIron# undelete
Undelete file "?LD.CFG" ? (enter 'y' or 'n'): y
Input one character: O
File recovered successfully and named to OLD.CFG
The command in this example starts the undelete process for the flash card and subdirectory that currently have the management focus. For each file that can be undeleted, the CLI displays the remaining name entry in the file directory and prompts you for the first character of the file name. You can enter any valid file name character. You do not need to enter the character that was used before in the deleted file name.
Once you enter a character and the CLI undeletes the file, the CLI continues with the next file that can be undeleted. For each file, specify “y” or “n”, and specify a first character for the files that you select to undelete.
To end the undelete process, enter the CTRL + C key combination.
Syntax: undelete [slot1 | slot2] [\<to-dir-path>]
Possible values: See above
Default value: N/A
whois
Performs a whois lookup on a specified domain.
EXAMPLE:
ServerIron# whois boole.com
Syntax: whois <host-ip-addr> | <domain>
Possible values: <host-ip-addr> is a valid IP address; <domain> is a valid domain name.
NOTE: A DNS gateway must be defined in order to use this command.
Default value: N/A
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
ServerIron# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running configuration on the terminal screen.
EXAMPLE:
ServerIron# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
wsm copy flash flash
Copies the flash code from the primary flash to the secondary flash for each of the WSM CPUs on the Web Switching Management Module.
EXAMPLE:
ServerIron# wsm copy flash flash secondary
Syntax: wsm copy flash flash primary | secondary
The primary and secondary parameters identify either the primary or secondary flash on the WSM CPUs. For each command, the parameter specifies the destination of the copy operation.
Possible values: See above
Default value: N/A
wsm copy tftp flash
Upgrades the WSM CPUs on the Web Switching Management Module.
EXAMPLE:
ServerIron# wsm copy tftp flash 109.157.22.26 wsp07200.bin primary
This command upgrades the WSM CPUs by copying a flash code image from a TFTP server to the primary flash for each of the WSM CPUs on the module.
Syntax: wsm copy tftp flash <tftp-server-ip-addr> <image-file-name> primary | secondary
The primary and secondary parameters identify either the primary or secondary flash on the WSM CPUs. For each command, the parameter specifies the destination of the copy operation.
Possible values: See above
Default value: N/A
Chapter 6
Global CONFIG Commands
aaa authentication
Defines an authentication-method list for access authentication. See the Foundry Security Guide for more information.
EXAMPLE:
To configure an access method list, enter a command such as the following:
ServerIron(config)# aaa authentication web-server default local
This command configures the device to use the local user accounts to authenticate access to the device through the Web management interface. If the device does not have a user account that matches the user name and password entered by the user, the user is not granted access.
To configure the device to consult a RADIUS server first for Enable access, then consult the local user accounts if the RADIUS server is unavailable, enter the following command:
ServerIron(config)# aaa authentication enable default radius local
Syntax: aaa authentication snmp-server | web-server | enable [implicit-user] | login default <method1> [<method2>] [<method3>] [<method4>] [<method5>] [<method6>] [<method7>]
The snmp-server | web-server | enable [implicit-user] | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.
The implicit-user parameter configures the device to prompt for only a password when a user attempts to access the Privileged EXEC or CONFIG level of the CLI. By default, the device prompts for both a username and a password. This parameter is valid only with the enable access type.
NOTE: TACACS/TACACS+ and RADIUS are supported only for enable and login.
The <method1> parameter specifies the primary authentication method. The remaining optional <method> parameters specify the secondary methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Value column of Table 0.1, Authentication Method Values.
Possible values: see above
Default value: N/A
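As an added illustration of the fall-through rule (example code, not Foundry's), the following Python model walks a method list such as "enable default radius local" the way the text describes: a later method is consulted only after the earlier one fails with an error, never after it rejects the credentials. The account tables, the server reachability flag and the fail-closed result when every method errors are assumptions of the model.

```python
"""Model of a Foundry-style authentication-method list.

Added example, not Foundry code: methods are tried in the configured order,
and the next method is consulted only when the current one reports an ERROR
(server unreachable), never after a definite REJECT, as the 'radius local'
example above describes.  Assumed, not stated in the manual: when every
method errors, the attempt is rejected (fail closed).
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    ERROR = "error"          # the method could not be consulted at all


# A method takes (username, password) and returns a Result.
Method = Callable[[str, str], Result]


def local_method(accounts: Dict[str, str]) -> Method:
    """'local': a constructed username -> password table on the device."""
    def check(user: str, password: str) -> Result:
        return Result.ACCEPT if accounts.get(user) == password else Result.REJECT
    return check


def radius_method(accounts: Dict[str, str], reachable: bool) -> Method:
    """Simulated 'radius' server; an unreachable server yields ERROR, not REJECT."""
    def check(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.ACCEPT if accounts.get(user) == password else Result.REJECT
    return check


def none_method() -> Method:
    """'none': no authentication is performed; access is always permitted."""
    return lambda user, password: Result.ACCEPT


def authenticate(method_list: List[Tuple[str, Method]], user: str,
                 password: str) -> Tuple[Result, List[str]]:
    """Walk the list in order, falling through only on ERROR.
    Returns the decision and the names of the methods actually consulted."""
    consulted: List[str] = []
    for name, method in method_list:
        consulted.append(name)
        outcome = method(user, password)
        if outcome is not Result.ERROR:      # ACCEPT and REJECT are both final
            return outcome, consulted
    return Result.REJECT, consulted          # assumption: all-ERROR fails closed


# Constructed sample accounts for the two method lists compared below.
LOCAL_ACCOUNTS = {"admin": "local-secret"}
RADIUS_ACCOUNTS = {"admin": "radius-secret", "ops": "ops-secret"}


def radius_local(reachable: bool) -> List[Tuple[str, Method]]:
    """'aaa authentication enable default radius local' with a given server state."""
    return [("radius", radius_method(RADIUS_ACCOUNTS, reachable)),
            ("local", local_method(LOCAL_ACCOUNTS))]


def radius_none(reachable: bool) -> List[Tuple[str, Method]]:
    """'... default radius none': a server outage turns into open access."""
    return [("radius", radius_method(RADIUS_ACCOUNTS, reachable)),
            ("none", none_method())]
```

The radius_none list shows why the order and the last method matter: with the RADIUS server down, every login succeeds without a password check.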
aaa authorization
Configures authorization for controlling access to management functions in the CLI. Foundry devices support RADIUS and TACACS+ authorization.
• When RADIUS authorization is enabled, the Foundry device consults the list of commands supplied by the RADIUS server during authentication to determine whether a user can execute a command he or she has entered.
• Two kinds of TACACS+ authorization are supported: Exec authorization determines a user’s privilege level when they are authenticated; Command authorization consults a TACACS+ server to get authorization for commands entered by the user.
EXAMPLE:
You enable command authorization by specifying a privilege level whose commands require authorization. For example, to configure the Foundry device to perform RADIUS authorization for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command:
ServerIron(config)# aaa authorization commands 0 default radius
Syntax: [no] aaa authorization commands <privilege-level> default tacacs+ | radius | none
The <privilege-level> parameter can be one of the following:
• 0 – Authorization is performed for commands available at the Super User level (all commands)
• 4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)
• 5 – Authorization is performed for commands available at the Read Only level (read-only commands)
Table 0.1: Authentication Method Values
Method Value        Description
tacacs or tacacs+   A TACACS/TACACS+ server. You can use either parameter. Each parameter supports both TACACS and TACACS+. You also must identify the server to the device using the tacacs-server command. See “tacacs-server” on page 6-94.
radius              A RADIUS server. You also must identify the server to the device using the radius-server command. See “radius-server” on page 6-56.
local               A local user name and password you configured on the device. Local user names and passwords are configured using the username… command. See “username” on page 6-98.
line                The password you configured for Telnet access. The Telnet password is configured using the enable telnet password… command. See “enable telnet password” on page 6-18.
enable              The super-user “enable” password you configured on the device. The enable password is configured using the enable super-user-password… command. See “enable” on page 6-17.
none                No authentication is used. The device automatically permits access.
NOTE: TACACS+ and RADIUS command authorization is performed only for commands entered from Telnet or SSH sessions. No authorization is performed for commands entered at the console, the Web management interface, or IronView.
NOTE: Since RADIUS authorization relies on the command list supplied by the RADIUS server during authentication, you cannot perform RADIUS authorization without RADIUS authentication.
When TACACS+ exec authorization is configured, the Foundry device consults a TACACS+ server to determine the privilege level for an authenticated user. To configure TACACS+ exec authorization, on the Foundry device, enter the following command:
ServerIron(config)# aaa authorization exec default tacacs+
Syntax: [no] aaa authorization exec default tacacs+ | none
Possible values: see above
Default value: N/A
aaa accounting
Configures RADIUS or TACACS+ accounting for recording information about user activity and system events. When you configure accounting on a Foundry device, information is sent to an accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.
EXAMPLE:
To send an Accounting Start packet to a TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out:
ServerIron(config)# aaa accounting exec default start-stop tacacs+
Syntax: [no] aaa accounting exec default start-stop radius | tacacs+ | none
You can configure accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the Foundry device to perform RADIUS accounting for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command:
ServerIron(config)# aaa accounting commands 0 default start-stop radius
Syntax: [no] aaa accounting commands <privilege-level> default start-stop radius | tacacs+ | none
The <privilege-level> parameter can be one of the following:
• 0 – Records commands available at the Super User level (all commands)
• 4 – Records commands available at the Port Configuration level (port-config and read-only commands)
• 5 – Records commands available at the Read Only level (read-only commands)
You can configure accounting to record when system events occur on the Foundry device. System events include rebooting and when changes to the active configuration are made.
The following command causes an Accounting Start packet to be sent to a TACACS+ accounting server when a system event occurs, and an Accounting Stop packet to be sent when the system event is completed:
ServerIron(config)# aaa accounting system default start-stop tacacs+
Syntax: [no] aaa accounting system default start-stop radius | tacacs+ | none
Possible values: see above
Default value: N/A
access-list (standard)
Configures standard Access Control Lists (ACLs), which permit or deny packets based on source IP address (in contrast to extended ACLs, which permit or deny packets based on source and destination IP address and also based on IP protocol information). You can configure up to 99 standard ACLs. You can configure up to 1024 individual ACL entries. There is no limit to the number of ACL entries an ACL can contain except for the system-wide limitation of 1024 total ACL entries.
EXAMPLE:
To configure a standard ACL and apply it to outgoing traffic on port 1, enter the following commands.
ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 1 out
ServerIron(config-if-1)# write mem
The commands in this example configure an ACL to deny packets from three source IP addresses from being forwarded on port 1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries.
Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]
Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit any [log]
Syntax: [no] ip access-group <num> in | out
The <num> parameter is the access list number and can be from 1 – 99.
The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded).
The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name.
NOTE: To specify the host name instead of the IP address, the host name must be configured using the Foundry device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI.
The <wildcard> parameter specifies the mask value to compare against the host address specified by the <source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”.
NOTE: When you save ACL policies to the startup-config file, the software changes your <source-ip> values if appropriate to contain zeros where the packet value must match. For example, if you specify 209.157.22.26/24 or 209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.
If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with sub-net mask in the display produced by the show access-list and show ip access-list commands.
The host <source-ip> | <hostname> parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.
The any parameter configures the policy to match on all host addresses.
The log argument configures the device to generate Syslog entries and SNMP traps for packets that are permitted or denied by the access policy.
The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the port to which you apply the ACL.
Possible values: see above
Default value: N/A
access-list (extended)
Configures extended ACLs, which permit or deny packets based on the following information:
• IP protocol
• Source IP address or host name
• Destination IP address or host name
• Source TCP or UDP port (if the IP protocol is TCP or UDP)
• Destination TCP or UDP port (if the IP protocol is TCP or UDP)
EXAMPLE:
To configure an extended ACL that blocks all Telnet traffic received on port 1 from IP host 209.157.22.26, enter the following commands.
ServerIron(config)# access-list 101 deny tcp host 209.157.22.26 any eq telnet log
ServerIron(config)# access-list 101 permit ip any any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 101 in
ServerIron(config)# write mem
Syntax: [no] access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard> [<operator> <destination-tcp/udp-port>] [log]
Syntax: [no] access-list <num> deny | permit host <ip-protocol> any any [log]
Syntax: [no] ip access-group <num> in | out
The <num> parameter indicates the ACL number and can be from 100 – 199 for an extended ACL.
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.
The <ip-protocol> parameter indicates the type of IP packet you are filtering. You can specify one of the following:
• icmp
• igmp
• igrp
• ip
• ospf
• tcp
• udp
The <source-ip> | <hostname> parameter specifies the source IP host for the policy. If you want the policy to match on all source addresses, enter any.
The <wildcard> parameter specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”.
NOTE: When you save ACL policies to the startup-config file, the software changes your IP address values if appropriate to contain zeros where the packet value must match. For example, if you specify 209.157.22.26/24 or 209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.
If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with sub-net mask in the display produced by the show access-list and show ip access-list commands.
The <destination-ip> | <hostname> parameter specifies the destination IP host for the policy. If you want the policy to match on all destination addresses, enter any.
The <operator> parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for HTTP, specify tcp eq http. You can enter one of the following operators:
• eq – The policy applies to the TCP or UDP port name or number you enter after eq.
• gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt.
• lt – The policy applies to TCP or UDP port numbers that are less than the port number or the numeric equivalent of the port name you enter after lt.
• neq – The policy applies to all TCP or UDP port numbers except the port number or port name you enter after neq.
• range – The policy applies to all TCP or UDP port numbers that are between the first TCP or UDP port name or number and the second one you enter following the range parameter. The range includes the port names or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53 (DNS), enter the following: range 23 53. The first port number in the range must be lower than the last number in the range.
• established – This operator applies only to TCP packets. If you use this operator, the policy applies to TCP packets that have the ACK (Acknowledgment) or RST (Reset) bits set on (set to "1") in the Control Bits field of the TCP packet header. Thus, the policy applies only to established TCP sessions, not to new sessions. See Section 3.1, "Header Format", in RFC 793 for information about this field.
NOTE: This operator applies only to destination TCP ports, not source TCP ports.
The <tcp/udp-port> parameter specifies the TCP or UDP port number or well-known name. The device recognizes the following well-known names. For other ports, you must specify the port number.
NOTE: The following lists are organized alphabetically. In the CLI, these port names are listed according to ascending port number.
• TCP port names recognized by the software:
    • bgp
    • dns
    • ftp
    • http
    • imap4
    • ldap
    • mms
    • nntp
    • pop2
    • pop3
    • pnm
    • rtsp
    • smtp
    • ssl
    • telnet
• UDP port names recognized by the software:
    • bootps
    • bootpc
    • dns
    • ntp
    • radius
    • radius-old
    • rip
    • snmp
    • snmp-trap
    • tftp
The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the port to which you apply the ACL.
Possible values: see above
Default value: N/A
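To make the standard and extended ACL rules above concrete, this added Python example (not Foundry code) parses entries written in the manual's syntax, covering wildcard and CIDR masks, the saved-form normalisation the notes describe, the port operators and established, and evaluates constructed sample packets first-match. Treating a bare IP with no wildcard as a single host, denying a packet that matches no entry, and having no host-name resolution are assumptions of the model.

```python
"""Evaluator for the standard and extended ACL syntax described above.

Added example, not Foundry code: parses 'access-list' lines as the manual writes
them, normalises address specs to their saved startup-config form (host bits
zeroed) and evaluates constructed packets first-match.  Assumed, not stated in
the manual: a bare IP with no wildcard is one host, and no match means deny."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known names the manual lists; the numbers are the IANA assignments.
PORT_NAMES = {"ftp": 21, "telnet": 23, "smtp": 25, "dns": 53, "tftp": 69,
              "http": 80, "pop3": 110, "nntp": 119, "ntp": 123, "snmp": 161,
              "bgp": 179, "ssl": 443}
ANY = (0, 0xFFFFFFFF)        # address 0 with an all-ones wildcard matches everything

def _ip(tok: str) -> int:
    return int(ipaddress.IPv4Address(tok))

def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def parse_addr(tokens: List[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A', 'A W' or 'A/bits'; return (address, wildcard)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return _ip(tokens.pop(0)), 0
    if "/" in tok:                                   # CIDR: mask bits -> wildcard ones
        addr, bits = tok.split("/")
        return _ip(addr), (1 << (32 - int(bits))) - 1
    if tokens and tokens[0][:1].isdigit():           # a dotted wildcard follows
        return _ip(tok), _ip(tokens.pop(0))
    return _ip(tok), 0                               # assumption: bare IP = one host

def normalise(spec: str) -> str:
    """Saved form: host bits zeroed; CIDR when the wildcard is contiguous
    (the 'ip show-subnet-length' display), otherwise a dotted subnet mask."""
    addr, wild = parse_addr(spec.split())
    network = ipaddress.IPv4Address(addr & ~wild & 0xFFFFFFFF)
    if wild == (1 << wild.bit_length()) - 1:         # contiguous low-order ones
        return f"{network}/{32 - wild.bit_length()}"
    return f"{network} {ipaddress.IPv4Address(~wild & 0xFFFFFFFF)}"

def parse_port(tokens: List[str]) -> Optional[Tuple]:
    """Consume an optional '<operator> <port>' clause; None when absent."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "neq", "range", "established"):
        return None
    op = tokens.pop(0)
    if op == "established":
        return (op,)
    if op == "range":
        return (op, _port(tokens.pop(0)), _port(tokens.pop(0)))
    return (op, _port(tokens.pop(0)))

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False
    rst: bool = False

def parse_entry(line: str) -> tuple:
    """One 'access-list <num> deny|permit ...' line -> (action, proto, src, sport, dst, dport, log)."""
    tokens = line.split()
    num, action, tokens = int(tokens[1]), tokens[2], tokens[3:]
    if num <= 99:                                    # standard ACL (1-99): source only
        proto, src, sport, dst, dport = "ip", parse_addr(tokens), None, ANY, None
    else:                                            # extended ACL (100-199)
        proto = tokens.pop(0)
        src, sport = parse_addr(tokens), parse_port(tokens)
        dst, dport = parse_addr(tokens), parse_port(tokens)
    return action, proto, src, sport, dst, dport, tokens == ["log"]

def _addr_matches(spec: Tuple[int, int], ip: str) -> bool:
    return ((_ip(ip) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0   # zero wildcard bits must match

def _port_matches(spec: Optional[Tuple], port: int, pkt: Packet) -> bool:
    if spec is None:
        return True
    if spec[0] == "established":                     # ACK or RST set: not a new session
        return pkt.ack or pkt.rst
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    return {"eq": port == spec[1], "gt": port > spec[1],
            "lt": port < spec[1], "neq": port != spec[1]}[spec[0]]

def evaluate(entries: List[tuple], pkt: Packet) -> str:
    """First matching entry decides; 'deny' when none matches (assumption)."""
    for action, proto, src, sport, dst, dport, _log in entries:
        if (proto in ("ip", pkt.proto) and _addr_matches(src, pkt.src)
                and _port_matches(sport, pkt.sport, pkt)
                and _addr_matches(dst, pkt.dst) and _port_matches(dport, pkt.dport, pkt)):
            return action
    return "deny"

# Constructed sample: the manual's Telnet-blocking extended ACL.
TELNET_ACL = [parse_entry(line) for line in (
    "access-list 101 deny tcp host 209.157.22.26 any eq telnet log",
    "access-list 101 permit ip any any")]
```

normalise("209.157.22.26/24") and normalise("209.157.22.26 0.0.0.255") both give the saved form 209.157.22.0/24 that the notes describe, and evaluate(TELNET_ACL, ...) denies only TCP to port 23 from 209.157.22.26.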
all-client
Restricts management access to the Foundry device to the host whose IP address you specify. No other device except the one with the specified IP address can access the Foundry device through Telnet (CLI), the Web (Web management interface), or SNMP (IronView).
If you want to restrict access for some of the management platforms but not all of them, use one or two of the following commands:
• snmp-client – restricts IronView access and all other SNMP access. See “snmp-client” on page 6-88.
• telnet client – restricts Telnet access. See “telnet client” on page 6-95.
• web client – restricts web access. See “web client” on page 6-100.
EXAMPLE:
To restrict all management access to the Foundry device to the host with IP address 209.157.22.26, enter the following command:
ServerIron(config)# all-client 209.157.22.26
Syntax: [no] all-client <ip-addr>
Possible values: a valid IP address. You can enter one IP address with the command. You can use the command up to ten times for up to ten IP addresses.
Default value: N/A
arp
Adds a static ARP entry.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# arp 1 209.157.22.3 aaaa.bbbb.cccc ethernet 3
This command adds a static ARP entry that maps IP address 209.157.22.3 to MAC address aaaa.bbbb.cccc. The entry is for a MAC address connected to ServerIron port 3.
Syntax: [no] arp <num> <ip-addr> <mac-addr> ethernet <portnum> [vlan <vlan-id>]
The <num> parameter specifies the entry number. You can specify a number from 1 up to the maximum number of static entries allowed on the device. To determine the maximum number of entries, enter the show default values command. To increase the maximum, use the system-max static-arp command.
The <ip-addr> parameter specifies the IP address of the device that has the MAC address of the entry.
The <mac-addr> parameter specifies the MAC address of the entry.
The ethernet <portnum> parameter specifies the port number attached to the device that has the MAC address of the entry.
The vlan <vlan-id> parameter specifies the port-based VLAN the entry belongs to. Use this parameter when the port is a member of more than one port-based VLAN and you want the ARP entry to apply only to a specific VLAN.
NOTE: The clear arp command clears learned ARP entries but does not remove any static ARP entries.
Possible values: See above
Default value: None configured
atalk-proto
Creates an AppleTalk protocol VLAN on a Foundry switch or router. When first assigned, all ports are assumed by default to be members of the VLAN. VLAN membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create an AppleTalk Protocol VLAN with permanent port membership of 9 and 13 and no dynamic ports, enter the following commands.
ServerIron(config)# atalk-proto
ServerIron(config-atalk-proto)# static e9 e13
ServerIron(config-atalk-proto)# no dynamic
ServerIron(config-atalk-proto)# exit
Syntax: atalk-proto [name <string>]
The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
Possible values: N/A
Default value: N/A
banner exec
Configures the Foundry device to display a message when a user enters the Privileged EXEC CLI level.
EXAMPLE:
ServerIron(config)# banner exec $ (Press Return)
Enter TEXT message, End with the character '$'.
You are entering Privileged EXEC level
Don't foul anything up! $
Syntax: [no] banner exec <delimiting-character>
A delimiting character is established on the first line of the banner exec command. You begin and end the message with this delimiting character. The delimiting character can be any character except “ (double-quotation mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can consist of multiple lines. To remove the banner, enter the no banner exec command.
Possible values: N/A
Default value: N/A
banner incoming
Configures the Foundry device to display a message on the Console when a user establishes a Telnet session. This message indicates where the user is connecting from and displays a configurable text message.
EXAMPLE:
ServerIron(config)# banner incoming $ (Press Return)
Enter TEXT message, End with the character '$'.
Incoming Telnet Session!! $
When a user connects to the CLI using Telnet, the following message appears on the Console:
Telnet from 209.157.22.63
Incoming Telnet Session!!
Syntax: [no] banner incoming <delimiting-character>
A delimiting character is established on the first line of the banner incoming command. You begin and end the message with this delimiting character. The delimiting character can be any character except “ (double-quotation mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can consist of multiple lines. To remove the banner, enter the no banner incoming command.
Possible values: N/A
Default value: N/A
banner motd
Configures the Foundry device to display a message on a user's terminal when he or she establishes a Telnet CLI session.
EXAMPLE:
To display the message “Welcome to ServerIron!” when a Telnet CLI session is established:
ServerIron(config)# banner motd $ (Press Return)
Enter TEXT message, End with the character '$'.
Welcome to ServerIron! $
Syntax: [no] banner <delimiting-character> | [motd <delimiting-character>]
A delimiting character is established on the first line of the banner motd command. You begin and end the message with this delimiting character. The delimiting character can be any character except “ (double-quotation mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can consist of multiple lines. To remove the banner, enter the no banner motd command.
When you access the Web management interface, the banner is displayed on the login panel.
NOTE: The banner <delimiting-character> command is equivalent to the banner motd <delimiting-character> command.
Possible values: N/A
Default value: N/A
boot system bootp
Configures the device to use BootP as the primary boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.
EXAMPLE:
ServerIron(config)# boot system bootp
Syntax: boot system bootp
Possible values: N/A
Default value: primary flash
boot system flash primary
Configures the device to use the primary flash location as the primary boot source. This is the default primary boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.
EXAMPLE:
ServerIron(config)# boot system flash primary
Syntax: boot system flash primary
Possible values: N/A
Default value: primary flash
boot system flash secondary
Configures the device to use the secondary flash location as the primary boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.
EXAMPLE:
ServerIron(config)# boot system flash secondary
Syntax: boot system flash secondary
Possible values: N/A
Default value: primary flash
boot system tftp
Configures the device to use a TFTP server as the primary boot source.
NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.
EXAMPLE:
ServerIron(config)# boot sys tftp 192.22.33.44 current.img
NOTE: Before entering the TFTP boot command, you must first assign an IP address, IP mask and default gateway (if applicable) at the boot prompt as shown.
EXAMPLE:
boot> ip address 192.22.33.44 255.255.255.0
boot> ip default-gateway 192.22.33.1
You now can proceed with the boot system tftp… command.
Syntax: boot system tftp <ip-addr> <filename>
Possible values: N/A
Default value: primary flash
broadcast filter
Configures a Layer 2 broadcast packet filter. You can filter on all broadcast traffic or on IP UDP broadcast traffic.
EXAMPLE:
To configure a Layer 2 broadcast filter to filter all types of broadcasts, then apply the filter to ports 1, 2, and 3, enter the following commands:
ServerIron(config)# broadcast filter 1 any
ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 3
ServerIron(config-bcast-filter-id-1)# write mem
EXAMPLE:
To configure two filters, one to filter IP UDP traffic on ports 1 – 4, and the other to filter all broadcast traffic on port 6, enter the following commands:
ServerIron(config)# broadcast filter 1 ip udp
ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 4
ServerIron(config-bcast-filter-id-1)# exit
ServerIron(config)# broadcast filter 2 any
ServerIron(config-bcast-filter-id-2)# exclude-ports ethernet 6
ServerIron(config-bcast-filter-id-2)# write mem
EXAMPLE:
To configure an IP UDP broadcast filter that applies only to port-based VLAN 10, then apply the filter to two ports within the VLAN, enter the following commands:
ServerIron(config)# broadcast filter 4 ip udp vlan 10
ServerIron(config-bcast-filter-id-4)# exclude-ports eth 1 eth 3
ServerIron(config-bcast-filter-id-4)# write mem
Syntax: [no] broadcast filter <filter-id> any | ip udp [vlan <vlan-id>]
The <filter-id> specifies the filter number and can be a number from 1 – 8. The software applies the filters in ascending numerical order. As soon as a match is found, the software takes the action specified by the filter (block the broadcast) and does not compare the packet against additional broadcast filters.
You can specify any or ip udp as the type of broadcast traffic to filter. The any parameter prevents all broadcast traffic from being sent on the specified ports. The ip udp parameter prevents all IP UDP broadcasts from being sent on the specified ports but allows other types of broadcast traffic.
If you specify a port-based VLAN ID, the filter applies only to the broadcast domain of the specified VLAN, not to all broadcast domains (VLANs) on the device.
As soon as you press Enter after entering the command, the CLI changes to the configuration level for the filter you are configuring. You specify the ports to which the filter applies at the filter's configuration level.
Syntax: [no] exclude-ports ethernet <portnum> to <portnum>
Or
Syntax: [no] exclude-ports ethernet <portnum> ethernet <portnum>
These commands specify the ports to which the filter applies.
NOTE: This is the same command syntax as that used for configuring port-based VLANs. Use the first command for adding a range of ports. Use the second command for adding separate ports (not in a range). You also can combine the syntax. For example, you can enter exclude-ports ethernet 1/4 ethernet 2/6 to 2/9.
Possible values: see above
Default value: N/A
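The first-match evaluation described above, as an added Python model that is not Foundry code: it expands the exclude-ports syntax (single ports, ranges, and slot/port notation), applies filters in ascending filter-id order, stops at the first match, and treats an ip udp filter as transparent to other broadcast types. The page's second example is used as the sample configuration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


def _port_range(start, end):
    """Expand 'start to end' within one slot, e.g. '2/6 to 2/9' or '1 to 3'."""
    s_slot, _, s_num = start.rpartition("/")
    e_slot, _, e_num = end.rpartition("/")
    if s_slot != e_slot:
        raise ValueError(f"range {start} to {end} crosses slots")
    lo, hi = int(s_num), int(e_num)
    if lo > hi:
        raise ValueError(f"range {start} to {end} runs backwards")
    prefix = f"{s_slot}/" if s_slot else ""
    return {f"{prefix}{n}" for n in range(lo, hi + 1)}


def expand_port_spec(spec):
    """Expand the exclude-ports argument syntax from the page: 'ethernet 1 to 3',
    'eth 1 eth 3', or a mix such as 'ethernet 1/4 ethernet 2/6 to 2/9'."""
    tokens = spec.split()
    ports = set()
    i = 0
    while i < len(tokens):
        if tokens[i] not in ("ethernet", "eth", "e") or i + 1 >= len(tokens):
            raise ValueError(f"expected 'ethernet <portnum>' at token {i}")
        start = tokens[i + 1]
        i += 2
        if i < len(tokens) and tokens[i] == "to":
            if i + 1 >= len(tokens):
                raise ValueError("'to' needs a closing port")
            ports |= _port_range(start, tokens[i + 1])
            i += 2
        else:
            ports.add(start)
    return frozenset(ports)


@dataclass(frozen=True)
class BroadcastFilter:
    filter_id: int                 # 1 - 8, evaluated in ascending order
    kind: str                      # "any" or "ip udp"
    ports: FrozenSet[str]          # from exclude-ports
    vlan_id: Optional[int] = None  # restrict to one port-based VLAN's broadcast domain

    def __post_init__(self):
        if not 1 <= self.filter_id <= 8:
            raise ValueError("filter-id must be 1 - 8")
        if self.kind not in ("any", "ip udp"):
            raise ValueError("type must be 'any' or 'ip udp'")

    def matches(self, port, is_ip_udp, vlan_id):
        if self.vlan_id is not None and self.vlan_id != vlan_id:
            return False
        if port not in self.ports:
            return False
        # an ip udp filter does not match other broadcast types, so they fall
        # through to the next filter in numerical order
        return self.kind == "any" or is_ip_udp


def broadcast_action(filters, port, is_ip_udp, vlan_id=None):
    """First-match evaluation: returns ('block', filter_id) or ('forward', None)."""
    for flt in sorted(filters, key=lambda f: f.filter_id):
        if flt.matches(port, is_ip_udp, vlan_id):
            return ("block", flt.filter_id)
    return ("forward", None)


# The page's second example: filter 1 drops IP UDP broadcasts on ports 1 - 4,
# filter 2 drops every broadcast on port 6.
PAGE_FILTERS = (
    BroadcastFilter(1, "ip udp", expand_port_spec("ethernet 1 to 4")),
    BroadcastFilter(2, "any", expand_port_spec("ethernet 6")),
)

if __name__ == "__main__":
    for port, udp in (("2", True), ("2", False), ("6", False), ("5", True)):
        print(port, udp, broadcast_action(PAGE_FILTERS, port, udp))
```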
broadcast limit
Specifies the maximum number of broadcast packets the device can forward each second. By default the device sends broadcasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited broadcast traffic, this command allows you to relieve those devices by throttling the broadcasts at the Foundry device.
NOTE: The broadcast limit does not affect multicast or unicast traffic. However, you can use the multicast limit and unknown-unicast limit commands to control these types of traffic. See “multicast limit” on page 6-53 and “unknown-unicast limit” on page 6-98.
EXAMPLE:
ServerIron(config)# broadcast limit 30000
Syntax: broadcast limit <num>
Possible values: 0 – 4294967295
Default value: N/A
chassis name
Assigns an administrative ID to the device.
NOTE: This command does not change the CLI prompt. To change the CLI prompt, use the hostname command. See “hostname” on page 6-32.
EXAMPLE:
ServerIron(config)# chassis name routernyc
Syntax: chassis name <text>
Possible values: Up to 32 alphanumeric characters
Default value: Null string
chassis poll-time
Changes the number of seconds between polls of the power supply and fan status.
Use the show chassis command to display the hardware status.
EXAMPLE:
To change the hardware poll time from 60 seconds (the default) to 30 seconds:
ServerIron(config)# chassis poll-time 30
Syntax: chassis poll-time <num>
Possible values: 0 – 65535
Default value: 60
chassis trap-log
Disables or re-enables status polling for individual power supplies and fans. When you disable status polling, a fault in the power supply does not generate a trap in the system log.
EXAMPLE:
To disable polling of power supply 2, enter the following command:
ServerIron(config)# no chassis trap-log ps2
Syntax: [no] chassis trap-log ps1 | ps2 | fan1 | fan2
Possible values: see above
Default value: all traps enabled
clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in "Privileged EXEC Commands" on page 5-1.
clock summer-time
Automatically activates and deactivates daylight saving time for the relevant time zones.
EXAMPLE:
ServerIron(config)# clock summer-time
Syntax: clock summer-time
Possible values: N/A
Default value: N/A
clock timezone
Allows you to define the time zone of the clock. This parameter is used in conjunction with the clock set command or for timestamps obtained from a SNTP server. The clock set... command is configured at the privileged EXEC level of the CLI.
NOTE: Use this clock command before all others to ensure accuracy of the clock settings.
NOTE: For those time zones that recognize daylight savings time, the clock summer-time command will also need to be defined.
NOTE: Clock settings are not saved over power cycles; however, you can configure the system to reference a SNTP server at power up. This server will then automatically download the correct time reference for the network. The local ServerIron will then adjust the time according to its time zone setting. For more details on setting up a SNTP reference clock, refer to the sntp command at the privileged EXEC level and the sntp poll-interval and sntp server commands at the global CONFIG level.
EXAMPLE:
ServerIron(config)# clock timezone us eastern
Syntax: clock timezone gmt | us <time-zone>
Possible values: The following time zones can be entered for US or GMT:
US time zones: alaska, aleutian, arizona, central, east-indiana, eastern, hawaii, michigan, mountain, pacific, samoa
GMT time zones: gmt+12, gmt+11, gmt+10...gmt+01, gmt+00, gmt-01...gmt-10, gmt-11, gmt-12
Default value: gmt+00
confirm-port-up
Reduces the number of up-status confirmations the software requires before bringing a port up for use. This command is useful for network interface cards (NICs) that are designed to come up very quickly in certain applications and are sensitive to the slight delay caused by the Foundry ports as they wait for the multiple status indications before coming up. You can configure a Foundry device to reduce the number of status indications the software requires before bringing up a 10/100Base-Tx port.
NOTE: Do not use this command unless advised to do so by Foundry technical support.
By default, Foundry devices wait for multiple indications that a port is good before bringing the port up. Specific types of networking devices are sensitive to the very slight delay caused by the multiple status indications. In this case, you can use one of the following methods to reduce the number of status indications the software requires before bringing up a 10/100Base-Tx port. You can set the parameter globally for all 10/100 ports.
EXAMPLE:
By default, Stackable devices bring a 10/100 Base-Tx port up after receiving ten consecutive up-status indications for the port. You can reduce this number to as few as one indication.
To reduce the up-status indications required to bring up 10/100 ports on a Stackable device, enter the following commands:
ServerIron(config)# confirm-port-up 1
ServerIron(config)# write mem
Syntax: [no] confirm-port-up <num>
The <num> parameter specifies the number of indications required by the software and can be from 1 – 10. The default for Stackable devices is 10.
Possible values: 1 – 10
Default value: 10
console
Times out idle serial management sessions.
By default, a Foundry device does not time out serial CLI sessions. A serial session remains open indefinitely until you close it. You can configure the device to time out serial CLI sessions if they remain idle for a specified number of minutes. You can configure an idle timeout value from 0 – 240 minutes. The default is 0.
NOTE: If a session times out, the device does not close the connection. Instead, the CLI changes to the User EXEC mode (for example: ServerIron>).
EXAMPLE:
To configure the idle timeout for serial CLI sessions, enter a command such as the following:
ServerIron(config)# console timeout 20
This command configures the idle timeout value to 20 minutes.
Syntax: [no] console timeout <num>
The <num> parameter specifies the number of minutes the serial CLI session can remain idle before it times out. You can specify from 0 – 240 minutes. The default is 0 (sessions never time out).
Possible values: 0 – 240 minutes
Default value: 0 (sessions never time out)
crypto key
Configures a host RSA public and private key pair for SSH. The host RSA key pair is stored in the Foundry device's system-config file. Only the public key is readable. The host RSA key pair is used to negotiate a session key and encryption method with the SSH clients trying to connect to it.
EXAMPLE 1:
To generate a public and private host RSA key pair for the Foundry device:
ServerIron(config)# crypto key generate rsa
ServerIron(config)# wri mem
A host RSA key pair is stored in the system-config file, and SSH is enabled on the device.
EXAMPLE 2:
To delete the host RSA key pair from the system-config file:
ServerIron(config)# crypto key zeroize rsa
ServerIron(config)# wri mem
The host RSA key pair is deleted from the system-config file, and SSH is disabled on the device.
Syntax: crypto key generate | zeroize rsa
Possible values: N/A
Default value: N/A
crypto random-number-seed
Creates a new seed for generating a random number that is used for generating the dynamically created server RSA key pair for SSH.
EXAMPLE:
ServerIron(config)# crypto random-number-seed generate
Syntax: crypto random-number-seed generate
Possible values: N/A
Default value: N/A
decnet-proto
Creates a Decnet protocol VLAN on a Foundry switch or router. All ports will by default be assigned to the VLAN when initially created. VLAN membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create a Decnet protocol VLAN with permanent port membership of 15 and 16 with port 17 as a dynamic member port (on module 1), enter the following commands.
ServerIron(config)# decnet-proto
ServerIron(config-decnet-proto)# static e 1/15 to 1/16
ServerIron(config-decnet-proto)# exclude e 1/1 to 1/14 e 1/18
Syntax: decnet-proto
Possible values: N/A
Default value: N/A
default-vlan-id
When you enable port-based VLAN operation, all ports are assigned to VLAN 1 by default. As you create additional VLANs and assign ports to them, the ports are removed from the default VLAN. All ports that you do not assign to other VLANs remain members of default VLAN 1. This behavior ensures that all ports are always members of at least one VLAN.
You can change the VLAN ID for the default VLAN by entering the following command at the global CONFIG level of the CLI:
ServerIron(config)# default-vlan-id 1001
You must specify a valid VLAN ID that is not already in use. For example, if you have already defined VLAN 10, do not try to use "10" as the new VLAN ID for the default VLAN. Valid VLAN IDs are numbers from 1 – 4095.
NOTE: Changing the default VLAN ID does not change the properties of the default VLAN. Changing the ID allows you to use the VLAN ID "1" as a configurable VLAN.
dhcp-gateway-list
This parameter must be defined when the DHCP Assist feature is enabled on a Foundry switch. A gateway address must be defined for each sub-net that will be requesting addresses from a DHCP server. This allows the stamping process to occur. Each gateway address defined on the switch corresponds to an IP address of the ServerIron interface or other device involved.
Up to eight addresses can be defined for each gateway list in support of ports that are multi-homed. When multiple IP addresses are configured for a gateway list, the switch inserts the addresses into the discovery packet in a round robin fashion.
Up to 32 gateway lists can be defined for each switch.
NOTE: For more details on this command and the DHCP Assist feature, see the Foundry Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
ServerIron(config)# dhcp-gateway-list 1 192.95.5.1
ServerIron(config)# int e 2
ServerIron(config-if-2)# dhcp-gateway-list 1
Syntax: dhcp-gateway-list <num> <ip-addr>
Possible values: N/A
Default value: N/A
enable
You can use the enable command to assign three levels of passwords to provide a range of access points for various users within the network.
The three levels are:
• Super user: This user has unlimited access to all levels of the CLI. This level is generally reserved for system administration. The super user is also the only user that can assign a password access level to another user.
• Configure Port: This user has the ability to configure interface parameters only. The user can also view any show commands.
• Read only: A user with this password level is only able to view show commands. No configuration is allowed with this password access type.
NOTE: You also can secure access using a RADIUS or TACACS/TACACS+ server or local user accounts. See the Foundry Security Guide.
EXAMPLE:
ServerIron(config)# enable super-user-password Alexis
ServerIron(config)# enable read-only-password Jim
ServerIron(config)# enable port-config-password Bill
Syntax: enable super-user-password | read-only-password | port-config-password <text>
Possible values: Up to 32 alphanumeric characters can be assigned in the text field.
Default value: No system default
enable password-display
By default, passwords are never visible, even in the configuration file. If you want passwords to be visible in the configuration file, use the enable password-display command. The next time you display the configuration file, the passwords will be visible along with the commands used to set them. This command takes effect immediately.
EXAMPLE:
ServerIron(config)# enable password-display
Syntax: [no] enable password-display
Possible values: N/A
Default value: Disabled
enable skip-page-display
Removes the stop-page display behavior of the write terminal command. By default, when a user enters write terminal, the full configuration usually spans more than a single page, and you are prompted to press Return to view the next page of information. When this command is enabled, the page-by-page prompting is removed and the entire display scrolls on the screen until the end is reached.
To re-enable the stop-page display behavior, enter the no enable skip-page-display command.
EXAMPLE:
To remove the page-by-page display of configuration information, enter the following:
ServerIron(config)# enable skip-page-display
Syntax: enable skip-page-display
Possible values: N/A
Default value: Disabled
enable snmp config-radius
Enables users of IronView or other SNMP management applications to configure RADIUS authentication parameters on the ServerIron.
EXAMPLE:
To enable IronView users to configure RADIUS authentication parameters on the ServerIron, enter the following:
ServerIron(config)# enable snmp config-radius
Syntax: enable snmp config-radius
Possible values: N/A
Default value: Disabled
enable snmp config-tacacs
Enables users of IronView or other SNMP management applications to configure TACACS/TACACS+ authentication parameters on the ServerIron.
EXAMPLE:
To enable IronView users to configure TACACS/TACACS+ authentication parameters on the Foundry device, enter the following:
ServerIron(config)# enable snmp config-tacacs
Syntax: enable snmp config-tacacs
Possible values: N/A
Default value: Disabled
enable telnet authentication
Allows you to use local access control or a RADIUS server to authenticate Telnet access to the ServerIron.
EXAMPLE:
ServerIron(config)# enable telnet authentication
Syntax: [no] enable telnet authentication
Possible values: N/A
Default value: Disabled
enable telnet password
Allows you to assign a password for Telnet session access. To close a Telnet session, enter logout.
EXAMPLE:
ServerIron(config)# enable telnet password secretsalso
Syntax: enable telnet password <text>
Possible values: Up to 32 alphanumeric characters can be assigned as the password.
Default value: No system default.
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
ServerIron(config)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the privileged level.
EXAMPLE:
To move from the global level, back to the privileged level, enter the following:
ServerIron(config)# exit
ServerIron#
Syntax: exit
Possible values: N/A
Default value: N/A
fast port-span
Configures the Fast Port Span feature, which allows faster STP convergence on ports that are attached to end stations.
EXAMPLE:
To enable Fast Port Span:
ServerIron(config)# fast port-span
EXAMPLE:
To exclude a port from Fast Port Span, while leaving Fast Port Span enabled globally:
ServerIron(config)# fast port-span exclude ethernet 1
Syntax: [no] fast port-span [exclude ethernet <portnum> [ethernet <portnum>… | to <portnum>]]
Possible values: Valid port numbers
Default value: Enabled
fast uplink-span
Configures the Fast Uplink Span feature, which reduces the convergence time for uplink ports to another device to just four seconds (two seconds for listening and two seconds for learning).
EXAMPLE:
To configure a group of ports for Fast Uplink Span, enter the following commands:
ServerIron(config)# fast uplink-span ethernet 1 to 4
Syntax: [no] fast uplink-span [ethernet <portnum> [ethernet <portnum>… | to <portnum>]]
Possible values: Ports that have redundant uplinks on a wiring closet switch.
Default value: Disabled
flow-control
Allows you to turn flow control (802.3x) for full-duplex ports on or off (no). By default, flow control is on. To turn the feature off, enter the command no flow-control.
EXAMPLE:
ServerIron(config)# no flow-control
To turn the feature back on later, enter the following command:
ServerIron(config)# flow-control
Syntax: [no] flow-control
Possible values: N/A
Default value: on
gig-default
Changes the default negotiation mode for Gigabit ports on Chassis devices. You can configure the default Gigabit negotiation mode to be one of the following:
• Negotiate-full-auto – The port first tries to perform a handshake with the other port to exchange capability information. If the other port does not respond to the handshake attempt, the port uses the manually configured configuration information (or the defaults if an administrator has not set the information). This is the default for Chassis devices (including the TurboIron/8).
• Auto-Gigabit – The port tries to perform a handshake with the other port to exchange capability information. This is still the default for Stackable devices.
• Negotiation-off – The port does not try to perform a handshake. Instead, the port uses configuration information manually configured by an administrator.
See the “Configuring Basic Features” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide for more information.
NOTE: This command does not apply to Stackable devices. To change the negotiation mode for a Stackable Gigabit Ethernet port, use the [no] auto-gig command at the Interface level. See “auto-gig” on page 8-1.
EXAMPLE:
To change the mode globally to negotiation-off, enter the following command:
ServerIron(config)# gig-default neg-off
To override the global default on an individual Gigabit port, see “gig-default” on page 8-3.
Syntax: gig-default neg-full-auto | auto-gig | neg-off
Possible values: see above
Default value: neg-full-auto
gslb affinity
Changes the CLI to the GSLB affinity configuration level. See "GSLB Affinity Commands" on page 13-1 for information about the commands at this level.
EXAMPLE:
To configure an affinity definition, enter commands such as the following:
ServerIron(config)# gslb affinity
ServerIron(config-gslb-affinity)# prefer sunnyvale slb-1 for 0.0.0.0/0
ServerIron(config-gslb-affinity)# prefer atlanta slb-1 for 192.108.22.0/22
These commands configure a default affinity definition (using the 0.0.0.0/0 prefix) and an affinity definition that uses prefix 192.108.22.0/22. For clients that are not within the prefix in the second affinity definition, the ServerIron uses the default affinity definition. The ServerIron sends clients whose IP addresses are within the 192.108.22.0/22 prefix to a VIP on slb-1 at the "atlanta" site, when available. The ServerIron sends all other clients to a VIP on slb-1 at the "sunnyvale" site when available.
Syntax: gslb affinity
This command places the CLI at the affinity configuration level.
Syntax: [no] prefer <site-name> <si-name> | <si-ip-addr> for <ip-addr> <ip-mask> | <ip-addr>/<prefix-length>
You can refer to the ServerIron by its GSLB site name and ServerIron name or by its management IP address. Use one of the following parameters:
• The <site-name> and <si-name> parameters specify the remote site and a ServerIron at that site. If you use this method, you must specify both parameters.
• The <si-ip-addr> parameter specifies the site ServerIron’s management IP address.
NOTE: In either case, the running-config and the startup-config file refer to the ServerIron by its IP address.
The <ip-addr> <ip-mask> or <ip-addr>/<prefix-length> parameter specifies the prefix. You can specify a mask from 0.0.0.0 – 255.255.255.254. If you instead specify a prefix length, you can specify from 0 – 31 bits.
If you specify 0.0.0.0 0.0.0.0 or 0.0.0.0/0, the ServerIron applies the affinity definition to all client addresses. As a result, an address that does not match another affinity definition uses the zero affinity definition by default. If you do not configure a default affinity definition, the ServerIron uses the standard GSLB policy for clients whose addresses are not within a prefix in an affinity definition.
Possible values: see above
Default value: N/A
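An added Python model of the affinity lookup described above, not Foundry's implementation: it accepts both prefix forms of the prefer command, enforces the mask and prefix-length limits stated here, and resolves a client address to a (site, ServerIron) pair. It assumes longest-prefix match, which the page states only for the 0.0.0.0/0 default; the page's own example is used as sample data.

```python
import ipaddress
from typing import List, Optional, Tuple


def parse_prefix(text):
    """Accept the two prefix forms of the prefer command, '<ip-addr>/<prefix-length>'
    or '<ip-addr> <ip-mask>'. Masks may go up to 255.255.255.254 (prefix length
    0 - 31); a host mask of 255.255.255.255 (/32) is rejected."""
    parts = text.split()
    if len(parts) == 2:
        text = f"{parts[0]}/{parts[1]}"
    elif len(parts) != 1 or "/" not in text:
        raise ValueError(f"bad prefix {text!r}")
    net = ipaddress.IPv4Network(text, strict=False)  # 192.108.22.0/22 -> 192.108.20.0/22
    if net.prefixlen > 31:
        raise ValueError("prefix length must be 0 - 31 (mask at most 255.255.255.254)")
    return net


class AffinityTable:
    """Affinity definitions: prefix -> (site, ServerIron), as configured with prefer."""

    def __init__(self):
        self._entries: List[Tuple[ipaddress.IPv4Network, str, str]] = []

    def prefer(self, site, serveriron, prefix):
        net = parse_prefix(prefix)
        # re-entering prefer for the same prefix replaces the earlier definition
        self._entries = [e for e in self._entries if e[0] != net]
        self._entries.append((net, site, serveriron))

    def no_prefer(self, prefix):
        """The [no] form: remove the definition for this prefix."""
        net = parse_prefix(prefix)
        self._entries = [e for e in self._entries if e[0] != net]

    def lookup(self, client_ip) -> Optional[Tuple[str, str]]:
        """Most specific matching definition wins, so 0.0.0.0/0 acts as the default.
        None means no definition applies and the standard GSLB policy is used."""
        ip = ipaddress.IPv4Address(client_ip)
        best = None
        for net, site, serveriron in self._entries:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, site, serveriron)
        return None if best is None else (best[1], best[2])


def page_example_table():
    """The affinity definitions from the page's gslb affinity example."""
    table = AffinityTable()
    table.prefer("sunnyvale", "slb-1", "0.0.0.0/0")
    table.prefer("atlanta", "slb-1", "192.108.22.0/22")
    return table


if __name__ == "__main__":
    table = page_example_table()
    for client in ("192.108.23.5", "10.1.1.1"):
        print(client, "->", table.lookup(client))
```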
gslb communication
Changes the TCP port number used by the GSLB protocol. By default, a GSLB ServerIron uses TCP port 182 to exchange GSLB information with other ServerIrons, including the site ServerIrons. You can change the GSLB protocol port if needed. For example, if other devices in the network also use port 182 for other applications, you need to change the port on those devices or on the ServerIrons.
NOTE: If you change the GSLB protocol port number, you must save the change to the startup-config file and reload the software to place the change into effect. Also, you must change the port to the same number on all ServerIrons in the GSLB configuration. If the port number in two GSLB ServerIrons is not the same, those ServerIrons are not able to properly perform GSLB.
EXAMPLE:
To change the GSLB protocol port number on a ServerIron, enter commands such as the following:
ServerIron(config)# gslb communication 1882
ServerIron(config)# write memory
ServerIron(config)# end
ServerIron# reload
The first command changes the TCP protocol port from 182 to the specified port number, in this example 1882. The subsequent commands save the configuration change to the startup-config file and reload the software to place the change into effect.
Syntax: [no] gslb communication <tcp-portnum>
The <tcp-portnum> parameter specifies the TCP port number you want the ServerIron to use for exchanging GSLB information with other ServerIrons.
Possible values: a valid TCP port number
Default value: 182
gslb dns zone-name
Changes the CLI to the GSLB zone configuration level. See “GSLB DNS Zone Commands” on page 14-1 for information about the commands at this level.
EXAMPLE:
To specify the foundrynet.com zone and two host names, each of which is associated with an application, enter the following commands:
ServerIron(config)# gslb dns zone-name foundrynet.com
ServerIron(config-gslb-dns-foundrynet.com)# host-info www http
ServerIron(config-gslb-dns-foundrynet.com)# host-info ftp ftp
The commands in this example add the zone foundrynet.com and add two hosts within that zone: www and ftp. The GSLB ServerIron will provide global SLB for these two hosts within the zone.
Syntax: [no] gslb dns zone-name <name>
The <name> parameter specifies the DNS zone name.
NOTE: If you delete a DNS zone (by entering the no gslb dns zone-name <name> command), the zone and all the host names you associated with the zone are deleted.
Syntax: [no] host-info <host-name> <host-application> | <tcp/udp-portnum>
The <host-name> parameter specifies the host name. You do not need to enter the entire (fully-qualified) host name. Enter only the host portion of the name. For example, if the fully qualified host name is www.foundrynet.com, do not enter the entire name. Enter only “www”. The rest of the name is already specified by the gslb dns zone-name command. You can enter a name up to 32 characters long.
The <host-application> specifies the host application for which you want the GSLB ServerIron to provide global SLB. You can specify one of the following:
• FTP – the well-known name for port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name “FTP” corresponds to port 21.)
• TFTP – the well-known name for port 69
• HTTP – the well-known name for port 80
• IMAP4 – the well-known name for port 143
• LDAP – the well-known name for port 389
• NNTP – the well-known name for port 119
• POP3 – the well-known name for port 110
• SMTP – the well-known name for port 25
• TELNET – the well-known name for port 23
The <tcp/udp-portnum> parameter specifies a TCP/UDP port number instead of a well-known port. If the application is not one of those listed above, you still can configure the GSLB ServerIron to perform the Layer 4 health check on the specified port.
NOTE: If the application number does not correspond to one of the well-known ports recognized by the ServerIron, the GSLB ServerIron performs Layer 4 TCP or UDP health checks for the ports but does not perform application-specific health checks.
Possible values: see above
Default value: N/A
gslb policy
Changes the CLI to the GSLB policy configuration level. See “GSLB Policy Commands” on page 16-1 for information about the commands at this level.
EXAMPLE:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)#
Syntax: gslb policy
Possible values: N/A
Default value: N/A
gslb protocol
Enables the GSLB protocol on a site ServerIron in a GSLB configuration. The GSLB protocol is enabled by default on the GSLB ServerIron but is disabled by default on the site ServerIrons.
NOTE: The ServerIron uses TCP port 182 for the GSLB protocol by default. You can change the port number if needed. See “gslb communication” on page 6-21.
EXAMPLE:
ServerIron(config)# gslb protocol
Syntax: [no] gslb protocol
Possible values: N/A
Default value: N/A
gslb site
Changes the CLI to the GSLB site configuration level. See “GSLB Site Commands” on page 15-1 for information about the commands at this level.
EXAMPLE:
To identify two server sites, each of which has two ServerIrons, enter the following commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.209
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210
ServerIron(config)# gslb site atlanta
ServerIron(config-gslb-site-atlanta)# si-name slb-1 192.108.22.111
ServerIron(config-gslb-site-atlanta)# si-name slb-2 192.108.22.112
These commands configure two GSLB sites. One of the sites is in Sunnyvale and the other is in Atlanta. Each site contains two ServerIrons that load balance traffic across server farms. The GSLB ServerIron you are configuring will use information provided by the other ServerIrons when it evaluates the servers listed in DNS replies.
Syntax: [no] gslb site <name>
The <name> parameter is a text string that uniquely identifies the site on the GSLB ServerIron. You can enter a string up to 16 characters long. The string can contain blanks. To use blanks, enclose the string in quotation marks.
NOTE: If you delete a GSLB site (by entering the no gslb site <name> command), the site and all the ServerIrons you associated with the site are deleted.
Syntax: [no] si-name [<name>] <ip-addr>
The <name> parameter specifies a unique name for the ServerIron at the site. You can enter a string up to 16 characters long. The string can contain blanks. To use blanks, enclose the string in quotation marks. You can enter up to four pairs of ServerIron name and IP address on the same command line. The name is optional.
NOTE: Enter the ServerIron’s management IP address, not a virtual IP address (VIP) configured on the ServerIron or a source IP address added for source NAT.
healthck (ServerIronXL)
Configures a health-check policy on the ServerIronXL. Health-check policies consist of element-action expressions and logical operators.
• Element-action expression – In the case of Layer 3 health checks, an element-action expression consists of the IP protocol to be used (ICMP) and the IP address to be checked.
• Logical operator – A logical operator is the Boolean operator OR or AND. To configure a health-check policy that requires a reply from all IP addresses in the policy, use the operator AND. To create a policy that is successful if at least one of the addresses replies, use OR.
You can use the same element-action expressions in multiple logical expressions if desired. You can configure up to 254 health-check policies. The default maximum number you can configure is 128. You can change the maximum to a number from 64 – 254.
To use a health-check policy:
• Configure the element-action expressions.
• Configure the health-check policy using element-action expressions and the logical operator AND or OR.
• Bind logical expressions to application ports on specific VIPs. A health check policy does not take effect until you bind it to an application port on a VIP.
EXAMPLE:
Here is an example of how to configure and apply a Layer 3 health-check policy.
ServerIron(config)# healthck Rtr2-ck1 icmp
ServerIron(config-hc-Rtr2-ck1)# dest-ip 10.168.2.56
ServerIron(config-hc-Rtr2-ck1)# healthck Rtr2-ck2 icmp
ServerIron(config-hc-Rtr2-ck2)# dest-ip 10.168.2.57
ServerIron(config)# healthck Router2 boolean
ServerIron(config-hc-Router2)# and Rtr2-ck1 Rtr2-ck2
ServerIron(config)# server virtual-name VIP1 1.1.1.1
ServerIron(config-vs-VIP1)# port http healthck Router2
These commands configure two element-action expressions, "Rtr2-ck1" and "Rtr2-ck2", and use them in a health-check policy called "Router2". The last two commands apply the health-check policy to the HTTP port on VIP1. For more information, see the following sections.
For Layer 3 health-check policies, an element-action expression contains an IP address. To configure an element-action expression, enter commands such as the following:
ServerIron(config)# healthck Rtr2-ck1 icmp
ServerIron(config-hc-Rtr2-ck1)# dest-ip 10.168.2.56
ServerIron(config-hc-Rtr2-ck1)# healthck Rtr2-ck2 icmp
ServerIron(config-hc-Rtr2-ck2)# dest-ip 10.168.2.57
The commands in this example configure two element-action expressions.
Syntax: [no] healthck <element-name> <protocol>
Syntax: [no] dest-ip <ip-addr>
The <element-name> parameter specifies a name for the element-action expression. The name can be up to 20 characters long. The name cannot contain blanks.
The <protocol> parameter specifies the IP protocol to use for the health check. Layer 3 health checks use ICMP echo packets, so you must specify icmp.
The <ip-addr> parameter specifies the IP address to check.
A health-check policy consists of one or more element-action expressions. When a logical expression contains multiple element-action expressions, the policy also contains the logical operator AND or OR.
You can use a health-check policy as an element-action expression in another policy.
To configure a health-check policy, enter commands such as the following:
ServerIron(config)# healthck Router2 boolean
ServerIron(config-hc-Router2)# and Rtr2-ck1 Rtr2-ck2
These commands configure a health-check policy that uses the element-action expressions "Rtr2-ck1" and "Rtr2-ck2". Since the AND operator is used, the IP addresses in both "Rtr2-ck1" and "Rtr2-ck2" must reply successfully for the health check to be successful. If only one of the addresses replies, the health check is unsuccessful and the ServerIron brings the VIP down.
Syntax: [no] healthck <policy-name> boolean
Syntax: <element-name>
Or
Syntax: and | or <element-name> <element-name>
The <policy-name> parameter specifies the name of the health-check policy. The name can be up to 20 characters long. The name cannot contain blanks.
The and | or parameter specifies a logical operator in the health-check policy.
• You can specify an element-action without also specifying a logical operator (AND or OR). In this case, the policy checks the health of the specified element (IP address) and has a true result (the health check is successful) if the element replies to the health check.
• You can enter two element-action expressions along with the logical operator and or or.
• If you specify and, the policy evaluates to true only if all elements (IP addresses) respond to the health check.
• If you specify or, the policy is true if at least one of the elements responds to the health check.
If you want to use a single health-check policy to test more than two IP addresses, configure health-check policies for all the IP addresses, and use them in another health-check policy. For example, to create a health-check policy that tests four IP addresses, enter commands such as the following:
ServerIron(config)# healthck nest1 icmp
ServerIron(config-hc-nest1)# dest-ip 1.1.1.10
ServerIron(config-hc-nest1)# healthck nest2 icmp
ServerIron(config-hc-nest2)# dest-ip 1.1.1.20
ServerIron(config-hc-nest2)# healthck nest3 icmp
ServerIron(config-hc-nest3)# dest-ip 1.1.1.30
ServerIron(config-hc-nest3)# healthck nest4 icmp
ServerIron(config-hc-nest4)# dest-ip 1.1.1.40
The commands above configure four element-action expressions, one for each IP address. The following commands configure two health-check policies, each of which contains two of the IP addresses.
ServerIron(config-hc-nest4)# healthck nested1 boolean
ServerIron(config-hc-nested1)# or nest1 nest2
ServerIron(config-hc-nested1)# healthck nested2 boolean
ServerIron(config-hc-nested2)# or nest3 nest4
The following command creates a health-check policy that contains the two policies configured above. The result is a single health-check policy for all four IP addresses.
ServerIron(config-hc-nested2)# healthck check1 boolean
ServerIron(config-hc-check1)# or nested1 nested2
In this example, the OR logical operator is used in all the policies. Thus, the "check1" health check is successful if at least one of the four IP addresses responds. To create more restrictive policies, you can use the AND logical operator. For example, if the AND operator is used in this configuration instead of OR, the health check is successful only if all four IP addresses respond.
You also can combine policies that use AND with policies that use OR in nested health-check policies.
After you configure logical expressions, you can bind them to application ports on VIPs. A health-check policy does not take effect until you bind the policy to an application port on a VIP.
To bind a health-check policy to an application port on a VIP, enter commands such as the following:
ServerIron(config)# server virtual-name VIP1 1.1.1.1
ServerIron(config-vs-VIP1)# port http healthck Router2
These commands configure virtual IP address VIP1 to use the health-check policy named "Router2" to check the health of HTTP (port 80) for the VIP.
Syntax: [no] port <tcp/udp-portnum> healthck <policy-name>
The <tcp/udp-portnum> parameter specifies a TCP or UDP application port. The <policy-name> parameter specifies the health-check policy you want to use to check the Layer 3 health of a device associated with the application port.
Possible values: See above
Default value: None configured
healthck (ServerIron 400 and ServerIron 800)
Configures a health-check policy on the ServerIron 400 and ServerIron 800.
Health-check policies enable you to assess the health of any application port using the health-check mechanisms for ports well-known to the ServerIron. In addition, health-check policies enable you to use multiple checks with different parameters, and base a port’s health on successful completion of all or any one of the individual checks in the policy.
Depending on the conditions you specify when you configure a health-check policy, the ServerIron will bring the application port on a server down in one of the following cases:
• Any one of the servers fails its health check (individual health checks combined using AND condition) – In this case, all servers in the policy must pass their health checks. Otherwise, the ServerIron considers all of the servers to have failed the health checks and brings down the application on all servers that are checked by the policy.
• All of the servers fail their health checks (individual health checks combined using OR condition) – In this case, an application port remains up as long as at least one of the servers checked by the policy passes its health check.
For finer control, you can combine OR and AND conditions.
When you attach a health-check policy to a real server’s application port, the ServerIron uses the health-check policy for periodic health checks and also for the next initial bringup of the server. When a health-check policy is attached, the ServerIron no longer uses the default health check methods for initial bringup and periodic health checks described in "Health Check Summary" in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.
Health-check policies consist of element-action expressions and logical expressions.
• Element-action expression – An element-action expression consists of the IP address of the server, the Layer 4 protocol (TCP or UDP), and the application port on the server. For some applications, the element-action expression can also include Layer 7 application-specific health check information.
• Logical expression – A logical expression is a set of element-action expressions joined by the Boolean operators OR and AND.
• To create a health-check policy that is successful if at least one of the applications passes its health check, use OR.
• To configure a health-check policy that is successful only if the ServerIron receives a successful reply from all servers and application ports in the policy, use the operator AND.
You can use the same element-action expressions in multiple logical expressions if desired. You can configure up to 254 health-check policies.
To use a health-check policy:
• Configure the element-action expressions.
• Configure the health-check policy using element-action expressions and logical expressions joined by the operators AND or OR.
• Attach logical expressions to application ports on specific real servers. A health check policy does not take effect until you attach it to an application port on a server.
NOTE: A health-check policy does not take effect (begin sending health check packets) until you attach the policy to an application port on a real server.
EXAMPLE:
Configuring an Element-Action Expression
To configure an element-action expression, enter commands such as the following. The commands in this example specify the IP address of the real server and the application port on the server.
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port http
These commands change the CLI to the configuration level for an element-action expression, then specify the IP address of the real server and the application port on the server. Since the specified application is well-known to the ServerIron, the ServerIron automatically associates the default health check parameters for the port with the element-action expression. In this example, the port is HTTP (80), so the ServerIron associates the default HTTP health check parameters with the element-action expression. By default, the ServerIron sends a HEAD request for the default page, “1.0”.
NOTE: If you do not specify the server IP address and the application port, the ServerIron will list the status of the health check as FALSE (failed).
To configure an element-action expression for a port number that is not well-known to the ServerIron, enter commands such as the following:
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port 8080
ServerIron(config-hc-check1)# protocol http
These commands configure an element-action expression for unknown port 8080 and associate the default health check parameters for port 80 with the unknown port. To customize the Layer 7 health check parameters for a port, add the information with the protocol command, as in the following example:
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port 8080
ServerIron(config-hc-check1)# protocol http url "GET /sales.html"
The protocol command in this example changes the Layer 7 health check parameters for this HTTP port to a GET request for a page named "sales.html".
Syntax: [no] healthck <string> tcp | udp
This command begins configuration of the element-action expression. The <string> parameter specifies the name for the expression and can be up to 20 characters long. The tcp | udp parameter specifies whether you are configuring an expression for a TCP application port or a UDP application port. There is no default.
Syntax: [no] dest-ip <ip-addr>
This command specifies the IP address of the real server.
Syntax: [no] port <tcp/udp-port>
This command specifies the application port number.
NOTE: If you do not specify the server IP address and the application port, the ServerIron will list the status of the health check as FALSE (failed).
You can specify any valid number, or one of the following port names well-known to the ServerIron:
• dns – port 53
• ftp – port 21. (Ports 20 and 21 both are FTP ports but in the ServerIron, the name “ftp” corresponds to port 21.)
• http – port 80
• imap4 – port 143
• ldap – port 389
• nntp – port 119
• ntp – port 123
• pop2 – port 109
• pop3 – port 110
• radius – port 1812
• radius-old – the ServerIron name for UDP port 1645, which is used in some older RADIUS implementations instead of port 1812
• smtp – port 25
• snmp – port 161
• ssl – port 443
• telnet – port 23
• tftp – port 69
NOTE: If you enter the no port <tcp/udp-port> command to remove the port, the ServerIron also removes the protocol <tcp/udp-port> command (see below) if the port is well-known to the ServerIron. This is because the ServerIron automatically uses the protocol that matches the well-known port. Otherwise, the ServerIron does not remove the protocol. You must remove it separately.
Syntax: [no] protocol <tcp/udp-port>
This command specifies a port whose health-check mechanism you want to use for the port specified by the port command. You need to use this command only if the port specified by the port command is not one of the ports listed above but the port is the same type as one of the ports listed above. For example, use this command if you want to use the DNS health-check mechanism for a port other than 53.
NOTE: You must specify the port using the port command before you enter the protocol command. If the port command specified a port that is well-known to the ServerIron, the ServerIron automatically uses the protocol that matches the port; you do not need to specify it and cannot change it.
NOTE: If you remove the Layer 7 health check information (using a no protocol command), the application will fail the health check. If you want the ServerIron to use a Layer 4 health check instead, enter the l4-check command to change the health-check type to Layer 4.
If the port is not well-known to the ServerIron and you do not specify a protocol for the Layer 7 health check, but Layer 7 health checking is enabled for the port, the port will fail the health check.
See "Changing the Health-Check Type" below.
For some ports, you also can customize the Layer 7 information sent with the health check. Here is the syntax.
Syntax: [no] protocol http | 80 [url “[GET | HEAD] [/]<URL-page-name>” | port http status_code <range> [<range>[<range>[<range>]]] | content-match <matching-list-name>]
This command changes one of the following HTTP health-check parameters. To change more than one of these parameters, enter a separate protocol http or protocol 80 command for each parameter.
• url “[GET | HEAD] [/]<URL-page-name>” – This parameter specifies whether the HTTP health check performs a GET request or a HEAD request. For GET requests, you can specify the page that is requested. By default, a GET request asks for page “1.0”.
• port http status_code <range> [<range>[<range>[<range>]]] – This parameter changes the HTTP status codes that the ServerIron will accept as valid responses. Each <range> specifies the low number and high number in a range of status codes. You can specify up to four ranges (total of eight values). To specify a single message code for a range, enter the code twice. For example to specify 200 only, enter the following command: port http status_code 200 200. For SLB, the default status code range is 200 – 299. If the server’s reply to the health check contains a status code within this range, the ServerIron considers the HTTP application to be healthy.
• content-match <matching-list-name> – This parameter attaches a match list for an HTTP content verification health check to the real server. An HTTP content verification health check is a type of Layer 7 health check in which the ServerIron examines text in an HTML file sent by a real server in response to an HTTP keepalive request. The ServerIron searches the text in the HTML file for user-specified selection criteria and determines whether the HTTP port on the real server is alive based on what it finds. The selection criteria used in HTTP content verification is contained in a matching list that is attached to one or more real servers. For an example of the commands used to set up a matching list and information on how to configure match lists, see the "Configuring HTTP Content Matching Lists" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.
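The HTTP health check the url, status_code and content-match parameters describe, as an added example that is not part of the manual and not ServerIron code: it sends HEAD (the default) or GET for a page, accepts the reply only when the status code falls inside one of up to four configured ranges (the 200 – 299 default, a single code written twice, and so on), and optionally requires a text match in the body. The real server is a constructed local stand-in with two pages and one URL that returns 503; the page names and the "sales: OK" match text are assumptions made for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def parse_status_ranges(values):
    """'status_code <low> <high> [<low> <high> ...]': one to four ranges, i.e.
    two to eight numbers; a single acceptable code is written twice (200 200)."""
    if not 2 <= len(values) <= 8 or len(values) % 2:
        raise ValueError("status_code takes one to four low/high pairs")
    ranges = list(zip(values[0::2], values[1::2]))
    for lo, hi in ranges:
        if not 100 <= lo <= hi <= 599:
            raise ValueError(f"bad status range {lo}-{hi}")
    return ranges


def http_l7_check(host, port, method="HEAD", page="/", ranges=((200, 299),),
                  content_match=None, timeout=2.0):
    """Layer 7 HTTP health check.  The port is healthy only if a reply arrives,
    its status is within one of the ranges and, when content_match is set, the
    body contains that text (a HEAD reply carries no body, so use GET with it)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, page)
        resp = conn.getresponse()
        body = resp.read() if method == "GET" else b""
    except (OSError, http.client.HTTPException):
        return False                      # no usable reply at all
    finally:
        conn.close()
    if not any(lo <= resp.status <= hi for lo, hi in ranges):
        return False
    if content_match is not None and content_match.encode() not in body:
        return False
    return True


class _RealServer(BaseHTTPRequestHandler):
    """Constructed stand-in for a real server: two pages and a failing URL."""
    PAGES = {"/": b"<html>home</html>", "/sales.html": b"<html>sales: OK</html>"}

    def _reply(self, include_body):
        body = self.PAGES.get(self.path, b"")
        status = 200 if self.path in self.PAGES else (503 if self.path == "/down" else 404)
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if include_body and body:
            self.wfile.write(body)

    def do_GET(self):
        self._reply(True)

    def do_HEAD(self):
        self._reply(False)

    def log_message(self, *args):         # keep the demo quiet
        pass


def start_real_server():
    """Start the stand-in server on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), _RealServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_real_server()
    print("HEAD /            ", http_l7_check("127.0.0.1", port))
    print("GET /sales.html   ", http_l7_check("127.0.0.1", port, "GET", "/sales.html",
                                              content_match="sales: OK"))
    print("GET /down         ", http_l7_check("127.0.0.1", port, "GET", "/down"))
    print("GET /down, 503 ok ", http_l7_check("127.0.0.1", port, "GET", "/down",
                                              ranges=parse_status_ranges([200, 299, 503, 503])))
    srv.shutdown()
```

The last call shows why widening status_code deserves care: accepting 503 keeps a server that is announcing its own unavailability in rotation. Likewise, a content match against a string that also appears on the server's error page proves nothing; match on text only the working page produces.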
Syntax: [no] protocol dns | 53 [addr_query "<name>" | zone <zone-name>]
This command changes one of the following DNS health-check parameters. To change more than one of these parameters, enter a separate protocol dns or protocol 53 command for each parameter.
• addr_query "<name>" – This parameter specifies a domain name to be requested from the real server by the ServerIron. If the server successfully responds with the IP address for the domain name, the server passes the health check. There is no default.
• zone <zone-name> – This parameter specifies a DNS zone name. The ServerIron sends a Start of Authority (SOA) request for the zone name. If the server is authoritative for the zone and successfully responds to the SOA request, the server passes the health check. There is no default.
NOTE: If you do not configure one of these parameters, the DNS port will fail the health check.
Syntax: [no] protocol radius | 1812 [username <string>] | [password <string>] | [key <string>]
This command changes one of the following RADIUS health-check parameters. The health check requests values that are configured on the RADIUS server. To change more than one of these parameters, enter a separate protocol radius or protocol 1812 command for each parameter.
• username <string> – This parameter specifies an authentication username on the server.
• password <string> – This parameter specifies an authentication password on the server.
• key <string> – This parameter specifies an authentication key on the server.
Syntax: [no] protocol ldap | 389 [<num>]
This command changes the LDAP version. The health check sent by the ServerIron differs depending on the version. You can specify 2 or 3. The default is 3.
Changing the Health-Check Interval and Retries
By default, the ServerIron performs a health check every 5 seconds. If a reply is not received, the ServerIron will attempt the health check two more times before concluding that the application has failed the health check. You can change the number of seconds the ServerIron will wait for a reply to a health check and the number of retries.
NOTE: The number of retries is the total number of attempts the ServerIron will make. Thus, if you use the default interval and retries values, the ServerIron will send up to three health-check packets, at 5-second intervals. If a server does not respond within 15 seconds of the time the ServerIron sent the first health-check packet, the server fails the health check and the ServerIron concludes that the server is not available.
To change the interval for a health check, enter a command such as the following at the configuration level for the element-action expression that contains the health check:
ServerIron(config-hc-check1)# interval 30
Syntax: [no] interval <secs>
You can specify from 2 – 120 seconds. The default is 5 seconds.
To change the number of retries for a health check, enter a command such as the following at the configuration level for the element-action expression that contains the health check:
ServerIron(config-hc-check1)# retries 4
Syntax: [no] retries <num>
You can specify from 1 – 5 retries. The default is 3 retries.
NOTE: You also can globally change the interval and retries for an application port by editing its port profile. See the "Adding a TCP or UDP Port, Specifying the Port Type, and Configuring the Keepalive Health Check" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.
Changing the Health-Check Type
For TCP application ports, you can change the health-check type between Layer 4 and Layer 7. By default, the ServerIron performs a Layer 7 health check in the following cases:
• The port is one of the following ports well-known to the ServerIron:
• FTP – port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name “FTP” corresponds to port 21.)
• HTTP – port 80
• IMAP4 – port 143
• LDAP – port 389
• MMS – port 1755
• NNTP – port 119
• PNM – port 7070
• POP3 – port 110
• RTSP – port 554
• SMTP – port 25
• SSL – port 443
• TELNET – port 23
• The port is not well-known to the ServerIron but you used the protocol command to specify the protocol of one of the well-known ports. By specifying the protocol, you configure the ServerIron to use the protocol’s Layer 7 health-check method for the port.
If the TCP port is not one of the ports above or you did not specify a Layer 7 health-check method (using the protocol command), the ServerIron uses the Layer 4 health check for TCP.
NOTE: Changing the health-check type for UDP application ports has no effect. If the application port is RADIUS (1812) or DNS (53) or uses the health-check method of one of these ports, the ServerIron uses a Layer 7 health check. Otherwise, the ServerIron uses the Layer 4 health check for UDP.
The Layer 7 health-check methods differ depending on the application, and are described in the "Health Check Summary" section of the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide. The Layer 4 health checks are as follows:
• TCP – The ServerIron attempts to engage in a normal three-way TCP handshake with the port on the real server:
• The ServerIron sends a TCP SYN packet to the port on the real server.
• The ServerIron expects the real server to respond with a SYN ACK.
• If the ServerIron receives the SYN ACK, the ServerIron sends a TCP RESET, satisfied that the TCP port is alive.
• UDP – The ServerIron sends a UDP packet with garbage (meaningless) data to the UDP port.
• If the server responds with an ICMP “Port Unreachable” message, the ServerIron concludes that the port is not alive.
• If the server does not respond at all, the ServerIron assumes that the port is alive and received the garbage data. Since UDP is a connectionless protocol, the ServerIron and other clients do not expect replies to data sent to a UDP port. Thus, lack of a response is a good outcome. Because silence counts as success, a filter that drops the probe or the ICMP error on the way back makes a dead UDP port look healthy; where the application is DNS or RADIUS, rely on the Layer 7 check instead.
To change the health-check type, enter a command such as the following at the configuration level for the element-action expression:
ServerIron(config-hc-check1)# l4-check
The command in this example configures the ServerIron to use the Layer 4 health check for the application port in the element-action expression. Since the application port in this element-action expression is HTTP, the ServerIron will use the Layer 4 health check for TCP.
Syntax: [no] l4-check | l7-check
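The two Layer 4 checks described above, as an added example that is not part of the manual and not ServerIron code: the TCP check completes the three-way handshake and then tears the connection down with a RST (SO_LINGER with a zero timeout makes close() send RST instead of FIN), and the UDP check sends meaningless data and treats only an ICMP Port Unreachable, which a connected UDP socket reports as ECONNREFUSED, as failure. The listeners are constructed on loopback for the demonstration; the garbage payload is an arbitrary choice.

```python
import socket
import struct


def tcp_l4_check(host, port, timeout=1.0):
    """Layer 4 TCP check: SYN, expect SYN/ACK, then RST.  connect() completes
    the handshake; a refused or unanswered SYN means the port is not alive."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:                        # ECONNREFUSED (RST to our SYN) or timeout
        s.close()
        return False
    # l_onoff=1, l_linger=0: close() aborts with RST rather than a FIN handshake
    s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    s.close()
    return True


def udp_l4_check(host, port, timeout=0.5):
    """Layer 4 UDP check: send garbage and wait.  ICMP Port Unreachable means
    dead; a reply or silence means alive.  Silence-as-success is fail-open."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))            # connected UDP so ICMP errors surface on recv()
        s.send(b"\x00\x00garbage\x00\x00")  # constructed payload, meaningless to any service
        s.recv(1)
        return True                        # the service actually answered
    except ConnectionRefusedError:
        return False                       # ICMP Port Unreachable came back
    except socket.timeout:
        return True                        # no response at all: assumed alive
    finally:
        s.close()


def open_tcp_port():
    """A TCP listener; the kernel completes handshakes from the backlog."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def open_silent_udp_port():
    """A bound UDP socket that never answers: looks healthy to the L4 check."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    return srv, srv.getsockname()[1]


def closed_port(kind=socket.SOCK_STREAM):
    """Bind and release to obtain a port with no listener."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Run all four cases against loopback and return the verdicts."""
    tcp_srv, tcp_port = open_tcp_port()
    udp_srv, udp_port = open_silent_udp_port()
    try:
        return {
            "tcp_listening": tcp_l4_check("127.0.0.1", tcp_port),
            "tcp_closed": tcp_l4_check("127.0.0.1", closed_port()),
            "udp_silent": udp_l4_check("127.0.0.1", udp_port),
            "udp_closed": udp_l4_check("127.0.0.1", closed_port(socket.SOCK_DGRAM)),
        }
    finally:
        tcp_srv.close()
        udp_srv.close()


if __name__ == "__main__":
    print(run_demo())
```

On Linux the udp_closed case returns False because the kernel delivers the ICMP error to the connected socket; on a host or network that suppresses the error it returns True, which is exactly the fail-open behaviour the NOTE and list above describe.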
Changing the Health-Check State
Once you configure an element-action expression, the health check in the expression is enabled by default. To disable the health check, enter the following command at the configuration level for the element-action expression:
ServerIron(config-hc-check1)# disable
Syntax: [no] disable | enable
NOTE: Health checking (keepalive) also must be enabled on the port profile level or the real server level. Otherwise, the health-check policy is used during initial bringup of the server but is not used for periodic health checks after the server is brought up.
NOTE: If the health check for an application on a server is disabled, the ServerIron assumes that the server and application are healthy and continues to send client requests to the server.
NOTE: If you change the health-check state from within the element-action expression, this state overrides the health-check state configured in the port profile for the application port or in the real server configuration.
Configuring a Health-Check Policy
A health-check policy consists of one or more element-action expressions. When a policy combines multiple element-action expressions, it also contains the logical operator AND or OR that combines them.
You can use a health-check policy as an element-action expression in another policy.
To configure a health-check policy, enter commands such as the following:
ServerIron(config)# healthck "httpsrvr" boolean
ServerIron(config-hc-httpsrvr)# and "check1" "check2"
These commands configure a health-check policy that uses the element-action expressions "check1" and "check2". Since the AND operator is used, the real servers in both "check1" and "check2" must reply successfully for the health check to be successful. If only one of the servers replies, the health check is unsuccessful and the ServerIron stops using all the server application ports in the health-check policy "httpsrvr".
Syntax: [no] healthck "<policy-name>" boolean
Syntax: and | or "<element-name>" "<element-name>"
The <policy-name> parameter specifies the name of the health-check policy. The name can be up to 20 characters long. The name cannot contain blanks.
The and | or parameter specifies a logical operator in the health-check policy. You can enter two element-action expressions along with the logical operator and or or.
• If you specify and, the policy evaluates to true only if all elements (IP addresses) respond to the health check.
• If you specify or, the policy is true if at least one of the elements responds to the health check.
Attaching a Health-Check Policy to an Application Port on a Server
After you configure logical expressions, you can attach them to application ports on real servers. The ServerIron does not begin sending health-check packets until you attach the policy to a real server port.
To attach a health-check policy to an application port on a server, enter commands such as the following:
ServerIron(config)# server real-name R1 10.10.10.50
ServerIron(config-rs-R1)# port 80 healthck "check1"
This command configures the ServerIron to base the health of application port 80 on real server R1 on the results of the check1 health-check policy.
Possible values: See above
Default value: None configured
hostname
Changes the hostname field to more easily identify the ServerIron within the network. By default, a ServerIron is identified as “ServerIron” in the CLI command prompt.
EXAMPLE:
To change the hostname to TCSserver1 from the ServerIron default, enter the following:
ServerIron(config)# hostname TCSserver1
TCSserver1(config)#
Syntax: hostname <text>
Possible values: Up to 32 alphanumeric characters can be assigned to the hostname text string.
Default value: ServerIron
http match-list
Used in conjunction with the HTTP content verification health check feature on the ServerIron. This command assigns a name to an HTTP matching list and enters the HTTP matching list CONFIG level.
EXAMPLE:
To create an HTTP matching list name named m1:
ServerIron(config)# http match-list m1
Syntax: http match-list <matching-list-name>
Possible values: HTTP matching list name
Default value: N/A
Global CONFIG Commands
interface ethernet
Accesses the interface CONFIG level of the CLI. You can define a physical or virtual interface (ve) at this level.
EXAMPLE:
To change the configuration for port 1 on a Stackable device, enter the following:
ServerIron(config)# inter e 1
ServerIron(config-if-1)#
NOTE: To change the port for a Chassis device, you also need to enter the slot number of the module on which the port resides.
EXAMPLE:
To change the configuration for port 1 on slot 4 of a Chassis device, enter the following:
ServerIron(config)# inter e 4/1
ServerIron(config-if-4/1)#
Syntax: interface ethernet <portnum> | ve <num>
Possible values: N/A
Default value: N/A
ip access-list
Configures a named IP ACL. The commands for configuring named ACL entries are different from the commands for configuring numbered ACL entries. The command to configure a numbered ACL is access-list. The command for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL entry, you specify all the command parameters on the same command. When you configure a named ACL, you specify the ACL type (standard or extended) and the ACL name (or number) with one command, which places you in the configuration level for that ACL. Once you enter the configuration level for the ACL, the command syntax is the same as the syntax for numbered ACLs.
EXAMPLE:
To configure a named standard ACL entry:
ServerIron(config)# ip access-list standard Net1
ServerIron(config-std-nacl)# deny host 209.157.22.26 log
ServerIron(config-std-nacl)# deny 209.157.29.12 log
ServerIron(config-std-nacl)# deny host IPHost1 log
ServerIron(config-std-nacl)# permit any
ServerIron(config-std-nacl)# exit
ServerIron(config)# int eth 1/1
ServerIron(config-if-1/1)# ip access-group Net1 out
The commands in this example configure a standard ACL named “Net1”. The entries in this ACL deny packets from three source IP addresses from being forwarded out of port 1/1. Since the implicit action at the end of an ACL is “deny”, the last ACL entry in this ACL is required to permit all packets that are not explicitly denied by the first three ACL entries. For an example of how to configure the same entries in a numbered ACL, see the “Configuring Standard ACLs“ section of the “Using Access Control Lists (ACLs)” chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.
Notice that the command prompt changes after you enter the ACL type and name. The “std” in the command prompt indicates that you are configuring entries for a standard ACL. For an extended ACL, this part of the command prompt is “ext“. The “nacl” indicates that you are configuring a named ACL.
EXAMPLE:
To configure a named extended ACL entry:
ServerIron(config)# ip access-list extended "block Telnet"
ServerIron(config-ext-nacl)# deny tcp host 209.157.22.26 any eq telnet log
ServerIron(config-ext-nacl)# permit ip any any
ServerIron(config-ext-nacl)# exit
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group "block Telnet" in
Syntax: ip access-list extended | standard <string> | <num>
Syntax: [no] ip access-group <string> in | out
Possible values: The extended | standard parameter indicates the ACL type.
The <string> parameter is the ACL name. You can specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, “ACL for Net1”). The <num> parameter allows you to specify an ACL number if you prefer. If you specify a number, you can specify from 1 – 99 for standard ACLs or 100 – 199 for extended ACLs.
The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in the “Configuring Standard ACLs“ section of the “Using Access Control Lists (ACLs)” chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.
Default value: N/A
ip address
Assigns an IP address and mask to a switch to support Telnet and SNMP management. Foundry devices support both classical IP network masks (Class A, B, and C sub-net masks, and so on) and prefix masks.
• To enter a classical network mask, enter the mask in IP address format. For example, enter "209.157.22.99 255.255.255.0" for an IP address with a Class-C sub-net mask.
• To enter a network mask using prefix addressing, enter a forward slash ( / ) and the number of bits in the mask immediately after the IP address. For example, enter "209.157.22.99/24" for an IP address that has a network mask with 24 significant ("mask") bits.
NOTE: If you need to add an additional IP address for network address translation (NAT), use the server source-ip command. See “server source-ip” on page 6-82.
EXAMPLE:
ServerIron(config)# ip address 192.22.3.44 255.255.255.0
Syntax: ip address <ip-addr> <ip-mask>
or
Syntax: ip address <ip-addr>/<mask-bits>
Possible values: N/A
Default value: N/A
ip default-gateway
Assigns the default gateway address that the switch uses to reach Telnet and SNMP management stations on other sub-nets. Use this command when IP forwarding is not enabled; with IP forwarding, configure a default route with ip route instead (see “ip route” on page 6-40).
NOTE: This command is not available on Foundry routers.
EXAMPLE:
ServerIron(config)# ip default-gateway 192.22.33.100
Syntax: ip default-gateway <ip-addr>
Possible values: N/A
Default value: N/A
ip dns domain-name
Defines the default domain name for the ServerIron. The ServerIron appends this domain to host names that are entered without one, so the user does not need to type the fully qualified name.
EXAMPLE:
ServerIron(config)# ip dns domain-name newyork.com
Syntax: ip dns domain-name <domain-name>
Possible values: N/A
Default value: N/A
ip dns server-address
Defines up to four DNS server addresses. The first address entered is the primary server (207.95.6.199 in the example). If a query to the primary server is not resolved after three attempts, the next server is queried, also up to three times. This continues through each defined server until the query is resolved. The servers are polled in the order in which they were entered, as shown in the example.
EXAMPLE:
ServerIron(config)# ip dns server-address 207.95.6.199 205.96.7.1 208.95.7.25 201.98.7.15
Syntax: ip dns server-address <ip-addr> [<ip-addr> [<ip-addr> [<ip-addr>]]]
Possible values: N/A
Default value: N/A
ip filter
Defines Layer 4 TCP/UDP filters for switches. Up to 1024 TCP/UDP filters can be defined on a switch.
NOTE: Foundry plans to remove this command in a later software release and therefore recommends that you do not use the command. Instead, always use Access Control Lists (ACLs). For ACL configuration information, see the "Using Access Control Lists (ACLs)" chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.
Syntax: ip filter <index> permit | deny <src-ip-addr> | any <src-mask> | any <dst-ip-addr> | any <dst-mask> | any <protocol> [established <operator> <port range>] [log]
Possible values: The <protocol> parameter can be ICMP, TCP, UDP, or a protocol number.
Default value: N/A
ip forward
Enables IP forwarding (Layer 3).
For complete configuration information, see the "Configuring IP Forwarding" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
ServerIron(config)# ip forward
Syntax: [no] ip forward
Possible values: N/A
Default value: Disabled
ip icmp burst
Causes the Foundry device to drop ICMP packets when excessive numbers are encountered, as is the case when the device is the victim of a Smurf attack. This command allows you to set threshold values for ICMP packets targeted at the device and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of ICMP packets received per second exceeds 5,000, the excess packets are dropped. If the number of ICMP packets received per second exceeds 10,000, the device drops all ICMP packets for the next 300 seconds (five minutes).
ServerIron(config)# ip icmp burst-normal 5000 burst-max 10000 lockup 300
Syntax: ip icmp burst-normal <value> burst-max <value> lockup <seconds>
The burst-normal value can be from 1 – 100000.
The burst-max value can be from 1 – 100000.
The lockup value can be from 1 – 10000.
The number of incoming ICMP packets per second is measured and compared to the threshold values as follows:
• If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.
• If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.
Possible values: The burst-normal and burst-max values can be between 1 – 100000 packets. The burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 – 10000 seconds.
Default value: N/A
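The burst-normal, burst-max and lockup behaviour described above (shared by ip icmp burst and, later in this chapter, ip tcp burst for SYN packets) as an added example that is not Foundry code: a Python model of the per-second counter. Timestamps are supplied by the caller in seconds; the ServerIron's actual measurement window and counter implementation are not documented here, so the one-second bucket is an assumption.

```python
class BurstLimiter:
    """Models `ip icmp burst` / `ip tcp burst` thresholds (added example, not
    Foundry code). accept(now) returns True if the packet would be forwarded
    and False if it would be dropped. `now` is a time in seconds.
    """

    def __init__(self, burst_normal: int, burst_max: int, lockup: int):
        # Ranges as documented: 1-100000 for both bursts, 1-10000 s for lockup,
        # and burst-normal must be smaller than burst-max.
        if not (1 <= burst_normal < burst_max <= 100000):
            raise ValueError("need 1 <= burst-normal < burst-max <= 100000")
        if not (1 <= lockup <= 10000):
            raise ValueError("lockup must be 1-10000 seconds")
        self.burst_normal = burst_normal
        self.burst_max = burst_max
        self.lockup = lockup
        self._window = None        # integer second of the current window (assumed 1 s)
        self._count = 0            # packets seen in the current window
        self._locked_until = None  # end of the lockup period, if any

    def locked(self, now: float) -> bool:
        """True while the device is in its lockup period."""
        return self._locked_until is not None and now < self._locked_until

    def accept(self, now: float) -> bool:
        if self._locked_until is not None:
            if now < self._locked_until:
                return False  # lockup: every packet of this type is dropped
            # lockup expired: counter reset, measurement restarts
            self._locked_until = None
            self._window, self._count = None, 0
        window = int(now)
        if window != self._window:
            self._window, self._count = window, 0
        self._count += 1
        if self._count > self.burst_max:
            # exceeded burst-max: drop everything for `lockup` seconds
            self._locked_until = now + self.lockup
            return False
        # above burst-normal the excess is dropped, the rest forwarded
        return self._count <= self.burst_normal


def flood_summary(limiter: BurstLimiter, packets_per_second: int, seconds: int) -> dict:
    """Drive a constant-rate flood (constructed input) through the limiter and
    report how many packets were forwarded, dropped, and whether it locked up."""
    forwarded = dropped = 0
    for sec in range(seconds):
        for i in range(packets_per_second):
            if limiter.accept(sec + i / packets_per_second):
                forwarded += 1
            else:
                dropped += 1
    return {"forwarded": forwarded, "dropped": dropped, "locked": limiter.locked(seconds)}
```

With the TCP example values (burst-normal 10, burst-max 100, lockup 300), a flood of 200 SYNs per second forwards the first 10 of the first second, locks up on the 101st, and then drops everything for the next five minutes.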
ip multicast
Enables IP Multicast Traffic Reduction on a Foundry switch. A switch can operate in either an active or passive IP multicast mode. You must save changes to flash and reset (reload) the switch for the configuration changes to become active. For more details on this feature, see the Foundry Switch and Router Installation and Basic Configuration Guide.
If configured to be active, the switch actively sends out host queries to identify IP Multicast groups on the network and inserts this information in the IGMP packet. Routers in the network generally handle this operation.
If configured to be passive, the switch only identifies the packet as an IGMP packet and forwards it accordingly.
EXAMPLE:
ServerIron(config)# ip multicast passive
ServerIron(config)# write memory
ServerIron(config)# end
ServerIron# reload
Syntax: ip multicast active | passive
Possible values: Active or passive
Default value: Disabled
ip nat inside
Configures and enables Network Address Translation (NAT).
You can use this command to configure static NAT entries and dynamic NAT entries (by referring to an ACL and a pool), and enable NAT.
EXAMPLE:
To configure static NAT for an IP address, enter commands such as the following:
ServerIron(config)# ip nat inside source static 10.10.10.69 209.157.1.69
The command in this example statically maps the private address 10.10.10.69 to the Internet address 209.157.1.69.
Syntax: [no] ip nat inside source static <private-ip> <global-ip>
This command associates a specific private address with a specific Internet address. Use this command when you want to ensure that the specified addresses are always mapped together.
The inside source parameter specifies that the mapping applies to the private address sending traffic to the Internet.
The <private-ip> parameter specifies the private IP address.
The <global-ip> parameter specifies the Internet address. The ServerIron supports up to 255 global IP addresses.
Neither of the IP address parameters needs a network mask.
EXAMPLE:
To configure dynamic NAT, enter commands such as the following at the global CONFIG level of the CLI:
ServerIron(config)# access-list 1 permit 10.10.10.0/24
ServerIron(config)# ip nat pool OutAdds 209.157.1.2 209.157.2.254 prefix-length 24
ServerIron(config)# ip nat inside source list 1 pool OutAdds
These commands configure a standard ACL for the private sub-net 10.10.10.x/24, then enable inside NAT for the sub-net. Make sure you specify permit in the ACL, rather than deny. If you specify deny, the Foundry device will not provide NAT for the addresses.
Syntax: [no] ip nat pool <pool-name> <start-ip> <end-ip> netmask <ip-mask> | prefix-length <length>
This command configures the address pool.
The <pool-name> parameter specifies the pool name. The name can be up to 255 characters long and can contain special characters and internal blanks. If you use internal blanks, you must use quotation marks around the entire name.
The <start-ip> parameter specifies the IP address at the beginning of the pool range. Specify the lowest-numbered IP address in the range.
The <end-ip> parameter specifies the IP address at the end of the pool range. Specify the highest-numbered IP address in the range.
NOTE: The address range cannot contain any gaps. Make sure you own all the IP addresses in the range. If the range contains gaps, you must create separate pools containing only the addresses you own.
The netmask <ip-mask> | prefix-length <length> parameter specifies a classical sub-net mask (example: netmask 255.255.255.0) or the length of a Classless Interdomain Routing prefix (example: prefix-length 24). The ServerIron supports up to 255 global IP addresses.
Syntax: [no] ip nat inside source list <acl-name-or-num> pool <pool-name> [overload]
This command associates a private address range with a pool of Internet addresses and optionally enables the Port Address Translation feature.
The inside source parameter specifies that the translation applies to private addresses sending traffic to the Internet (inside source).
The list <acl-name-or-num> parameter specifies a standard or extended ACL. You can specify a numbered or named ACL.
NOTE: For complete standard and extended ACL syntax, see the “Using Access Control Lists (ACLs)” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.
The pool <pool-name> parameter specifies the pool. You must create the pool before you can use it with this command.
The overload parameter enables the Port Address Translation feature. Use this parameter if the IP address pool does not contain enough addresses to ensure NAT for each private address. The Port Address Translation feature conserves Internet addresses by mapping the same Internet address to more than one private address and using a TCP or UDP port number to distinguish among the private hosts. The ServerIron supports up to 50 IP addresses with this feature enabled.
EXAMPLE:
To enable NAT on the ServerIron, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# ip policy 1 cache tcp 0 global
ServerIron(config)# ip policy 2 cache udp 0 global
ServerIron(config)# ip nat inside
Syntax: [no] ip policy <policy-num> cache tcp | udp 0 global
The <policy-num> value identifies the policy and can be a number from 1 – 64.
Each policy affects TCP or UDP traffic, so you must specify tcp or udp.
The value 0 following the tcp | udp parameter specifies that the policy applies to all ports of the specified type (TCP or UDP). In this command, “0” is equivalent to “any port number”. For NAT, you must specify “0”.
Syntax: [no] ip nat inside
This command enables inside NAT.
Possible values: See above.
Default value: See above.
ip nat pool
Configures an address pool for dynamic NAT. See “ip nat inside” on page 6-36 for syntax information and a configuration example.
ip nat translation
Changes the age timer for the specified type of NAT translation entry.
The NAT translation table contains all the currently active NAT translation entries on the device. An active entry is one that the ServerIron created for a private address when a client at that address sent traffic to the Internet. NAT performs the following steps to provide an address translation for a source IP address:
• The feature looks in the NAT translation table for an active NAT entry for the translation. If the table contains an active entry for the session, the ServerIron uses that entry.
• If NAT does not find an active entry in the NAT translation table, NAT creates an entry and places the entry in the table. The entry remains in the table until the entry times out.
Each NAT entry remains in the NAT translation table until the entry ages out. NAT translation table entries have different default timeouts depending on the entry type.
• Dynamic timeout – This age timer applies to all entries (static and dynamic) that do not use Port Address Translation. The default is 120 seconds.
• UDP timeout – This age timer applies to entries that use Port Address Translation based on UDP port numbers. The default is 120 seconds.
• TCP timeout – This age timer applies to entries that use Port Address Translation based on TCP port numbers. The default is 120 seconds.
NOTE: This timer applies only to TCP sessions that do not end “gracefully”, with a TCP FIN or TCP RST.
• TCP FIN/RST timeout – This age timer applies to TCP FIN (finish) and RST (reset) packets, which normally terminate TCP connections. The default is 120 seconds.
NOTE: This timer is not related to the TCP timeout. The TCP timeout applies to packets to or from a host address that is mapped to a global IP address and a TCP port number (Port Address Translation feature). The TCP FIN/RST timeout applies to packets that terminate a TCP session, regardless of the host address or whether Port Address Translation is used.
• DNS timeout – This age timer applies to connections to a Domain Name Server (DNS). The default is 120 seconds.
EXAMPLE:
To change the age timeout for all entries that do not use Port Address Translation to 1800 seconds (one half hour), enter a command such as the following at the global CONFIG level of the CLI:
ServerIron(config)# ip nat translation timeout 1800
Syntax: [no] ip nat translation timeout | udp-timeout | tcp-timeout | finrst-timeout | dns-timeout <secs>
Use one of the following parameters to specify the dynamic entry type:
• timeout – All entries that do not use Port Address Translation. The default is 120 seconds.
• udp-timeout – Dynamic entries that use Port Address Translation based on UDP port numbers. The default is 120 seconds.
• tcp-timeout – Dynamic entries that use Port Address Translation based on TCP port numbers. The default is 120 seconds.
• finrst-timeout – TCP FIN (finish) and RST (reset) packets, which normally terminate TCP connections. The default is 120 seconds.
• dns-timeout – Connections to a Domain Name Server (DNS). The default is 120 seconds.
The <secs> parameter specifies the number of seconds. For each entry type, you can enter a value from 1 – 3600.
Possible values: 1 – 3600 seconds
Default value: 120 seconds
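The lookup, create and age-out steps described above, together with the static, dynamic-pool and overload (Port Address Translation) mappings from the ip nat inside entry, as an added example that is not Foundry code. It is a Python model of an inside-source translation table: a packet is looked up by its private source; a missing entry is created from the static map, from the pool, or (with overload) by allocating a port on the first pool address; entries then age out by type using the timeout, udp-timeout and tcp-timeout timers (the FIN/RST and DNS timers are not modelled). Pool ranges, hosts, ports and the port-allocation order are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Added example, not Foundry code: a model of inside-source NAT with per-type
# ageing as described under `ip nat translation`. All addresses are constructed.


@dataclass
class Entry:
    global_ip: str
    global_port: Optional[int]   # None for entries that do not use PAT
    kind: str                    # "timeout", "udp-timeout" or "tcp-timeout"
    last_seen: float


class NatTable:
    def __init__(self, pool_start: str, pool_end: str, overload: bool = False,
                 timeouts: Optional[Dict[str, int]] = None):
        start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        if start > end:
            raise ValueError("pool start must be the lowest address in the range")
        # the pool is a contiguous range; gaps need separate pools
        self.pool = [str(start + i) for i in range(int(end) - int(start) + 1)]
        self.overload = overload
        self.timeouts = {"timeout": 120, "udp-timeout": 120, "tcp-timeout": 120}  # documented defaults
        for name, secs in (timeouts or {}).items():
            if name not in self.timeouts or not 1 <= secs <= 3600:
                raise ValueError(f"bad timer {name}={secs}")
            self.timeouts[name] = secs
        self.static: Dict[str, str] = {}               # private ip -> global ip
        self.table: Dict[Tuple[str, str, int], Entry] = {}
        self._next_port = 1024                          # assumed PAT port allocation

    def add_static(self, private_ip: str, global_ip: str) -> None:
        """`ip nat inside source static <private-ip> <global-ip>`."""
        self.static[private_ip] = global_ip

    def _in_use(self) -> set:
        return {e.global_ip for e in self.table.values()} | set(self.static.values())

    def translate(self, private_ip: str, proto: str, port: int,
                  now: float) -> Optional[Tuple[str, Optional[int]]]:
        """Return (global_ip, global_port) for an outbound packet; None if the
        pool is exhausted. Creates the entry if no active one exists."""
        self.expire(now)
        use_pat = self.overload and private_ip not in self.static
        # without PAT a host keeps one global address for all of its flows
        key = (private_ip, proto, port) if use_pat else (private_ip, "*", 0)
        entry = self.table.get(key)
        if entry is None:
            if private_ip in self.static:
                entry = Entry(self.static[private_ip], None, "timeout", now)
            elif use_pat:
                gport, self._next_port = self._next_port, self._next_port + 1
                entry = Entry(self.pool[0], gport, f"{proto}-timeout", now)
            else:
                free = [ip for ip in self.pool if ip not in self._in_use()]
                if not free:
                    return None  # no address left and overload not enabled
                entry = Entry(free[0], None, "timeout", now)
            self.table[key] = entry
        entry.last_seen = now  # an active entry is reused, and its timer restarts
        return entry.global_ip, entry.global_port

    def expire(self, now: float) -> int:
        """Age out entries idle for at least their type's timer; return the count removed."""
        stale = [k for k, e in self.table.items() if now - e.last_seen >= self.timeouts[e.kind]]
        for k in stale:
            del self.table[k]
        return len(stale)
```

The non-overload case shows why the pool must be sized for the private sub-net: once every pool address is held by an active entry, a new host gets no translation until an entry ages out. With overload, the same global address serves many hosts and the port number distinguishes them, which is what the documented 50-address limit refers to.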
ip policy
Enables TCS (Transparent Cache Switching) or firewall load balancing. You can enable these features globally or on individual ports. If you want to enable them on individual ports, you must also use the ip-policy command at the interface level. See “ip-policy” on page 8-6.
EXAMPLE:
To globally enable TCS, enter the following command:
ServerIron(config)# ip policy 1 cache tcp 80 global
EXAMPLE:
To locally enable firewall load balancing on port 9, enter the following commands:
ServerIron(config)# ip policy 1 fw tcp 0 local
ServerIron(config)# ip policy 2 fw udp 0 local
ServerIron(config)# int e 9
ServerIron(config-if-9)# ip-policy 1
ServerIron(config-if-9)# ip-policy 2
ServerIron(config-if-9)# write mem
Syntax: ip policy <index> cache | fw | high | normal tcp | udp <tcp/udp-portnum> global | local
NOTE: When enabling firewall load balancing, you must specify "0" for the <tcp/udp-portnum> parameter. This value allows all ports of the specified type (TCP or UDP).
Possible values: N/A
Default value: Disabled
ip route
Configures a static IP route for IP forwarding.
NOTE: This command applies only to IP forwarding (Layer 3 IP). To add a default gateway address if you are not using IP forwarding, see “ip default-gateway” on page 6-34.
NOTE: The software places the static route in the IP route table only if the virtual routing interface is up.
EXAMPLE:
ServerIron(config)# ip route 209.157.2.0 255.255.255.0 192.168.2.1
This command adds a static IP route to the 209.157.2.x/24 sub-net.
Syntax: [no] ip route <dest-ip-addr> <dest-mask> <next-hop-ip-addr> | null0 [<metric>]
or
Syntax: [no] ip route <dest-ip-addr>/<mask-bits> <next-hop-ip-addr> | null0 [<metric>]
The <dest-ip-addr> is the route’s destination. The <dest-mask> is the network mask for the route’s destination IP address. Alternatively, you can specify the network mask information by entering a forward slash followed by the number of bits in the network mask. For example, you can enter 192.0.0.0 255.255.255.0 as 192.0.0.0/24. To configure a default route, enter 0.0.0.0 for <dest-ip-addr> and 0.0.0.0 for <dest-mask> (or 0 for the <mask-bits> if you specify the address in CIDR format). Specify the IP address of the default gateway using the <next-hop-ip-addr> parameter.
The <next-hop-ip-addr> is the IP address of the next-hop router (gateway) for the route. If you specify null0 instead of a next hop IP address, the ServerIron discards packets addressed to the route’s destination IP address instead of forwarding them to another device.
NOTE: If you add a default route, the gateway address of the route replaces the default gateway address configured by the ip default-gateway command. Likewise, if you use the ip default-gateway command to change the default gateway address, the gateway address in the default route is automatically changed also.
The <metric> parameter specifies the cost of the route and can be a number from 1 – 16. The default is 1. The metric is used by RIP. If you do not enable RIP, the metric is not used.
Possible values: See above
Default value: N/A
ip show-subnet-length
Changes the display of network mask information from class-based notation (xxx.xxx.xxx.xxx) to Classless Interdomain Routing (CIDR) notation. By default the ServerIron displays network mask information in class-based notation.
EXAMPLE:
ServerIron(config)# ip show-subnet-length
Syntax: [no] ip show-subnet-length
Possible values: N/A
Default value: Disabled
ip ssh authentication-retries
Sets the number of SSH authentication retries.
EXAMPLE:
The following command changes the number of authentication retries to 5:
ServerIron(config)# ip ssh authentication-retries 5
Syntax: ip ssh authentication-retries <number>
Possible values: 1 – 5
Default value: 3
ip ssh key-size
Sets the SSH server key size.
EXAMPLE:
The following command changes the server RSA key size to 896 bits:
ServerIron(config)# ip ssh key-size 896
Syntax: ip ssh key-size <number>
NOTE: The size of the host RSA key that resides in the system-config file is always 1024 bits and cannot be changed.
Possible values: 512 – 896 bits
Default value: 768 bits
These limits reflect the SSH implementation of this software release. RSA moduli of 512 and 768 bits have both since been factored publicly, so the server key sizes available here give little protection against a well-resourced adversary; treat the management network itself as the security boundary.
ip ssh password-authentication
Disables SSH password authentication.
After the SSH server on the Foundry device negotiates a session key and encryption method with the connecting client, user authentication takes place. Of the methods of user authentication available in SSH, Foundry’s implementation of SSH supports password authentication only.
With password authentication, users are prompted for a password when they attempt to log into the device (unless empty password logins are enabled; see “ip ssh permit-empty-passwd”). If there is no user account that matches the user name and password supplied by the user, the user is not granted access.
You can deactivate password authentication for SSH. However, since password authentication is the only user authentication method supported for SSH, this means that no user authentication is performed at all. Deactivating password authentication essentially disables the SSH server entirely.
EXAMPLE:
To deactivate password authentication:
ServerIron(config)# ip ssh password-authentication no
Syntax: ip ssh password-authentication no | yes
Possible values: N/A
Default value: Enabled
ip ssh permit-empty-passwd
Enables empty password SSH logins. By default, empty password logins are not allowed. This means that users with an SSH client are always prompted for a password when they log into the device. To gain access to the device, each user must have a user name and password. Without a user name and password, a user is not granted access. See the Foundry Switch and Router Installation and Basic Configuration Guide for information on setting up user names and passwords on Foundry devices.
If you enable empty password logins, users are not prompted for a password when they log in. Any user with an SSH client can log in without being prompted for a password; that is, the SSH session is encrypted but the user is not authenticated, so this setting should not be used on a device reachable from an untrusted network.
EXAMPLE:
To enable empty password logins:
ServerIron(config)# ip ssh permit-empty-passwd yes
Syntax: ip ssh permit-empty-passwd no | yes
Possible values: N/A
Default value: Disabled
ip ssh port
Changes the TCP port used for SSH. By default, SSH traffic occurs on TCP port 22. You can change this port number.
EXAMPLE:
The following command changes the SSH port number to 2200:
ServerIron(config)# ip ssh port 2200
Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port. Also, you should be careful not to assign SSH to a port that is used by another service. If you change the SSH port number, Foundry recommends that you change it to a port number greater than 1024.
Syntax: ip ssh port <number>
Possible values: a valid TCP port number
Default value: 22
ip ssh pub-key-file
Causes a public key file to be loaded onto the Foundry device.
EXAMPLE:
To cause a public key file called pkeys.txt to be loaded from the Management IV module’s PCMCIA flash card each time the Foundry device is booted, enter the following command:
ServerIron(config)# ip ssh pub-key-file slot1 pkeys.txt
Syntax: [no] ip ssh pub-key-file slot1 | slot2 <filename>
To cause a public key file called pkeys.txt to be loaded from a TFTP server each time the Foundry device is booted, enter a command such as the following:
ServerIron(config)# ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt
Syntax: [no] ip ssh pub-key-file tftp <tftp-server-ip-addr> <filename>
Note that TFTP provides no authentication or integrity protection. A key file that is fetched at every boot can be substituted by anyone able to answer for the TFTP server’s address on the management network, and the substituted keys would then be accepted by the device. Keep the TFTP server on a trusted network, and use the flash-memory option (below) so the keys are stored in the startup-config rather than re-fetched on each boot.
To reload the public keys from the file on the TFTP server or PCMCIA flash card, enter the following command:
ServerIron(config)# ip ssh pub-key-file reload
Syntax: [no] ip ssh pub-key-file reload
To make the public keys in the active configuration part of the startup-config file, enter the following commands:
ServerIron(config)# ip ssh pub-key-file flash-memory
ServerIron(config)# write memory
Syntax: [no] ip ssh pub-key-file flash-memory
Possible values: N/A
Default value: N/A
ip ssh rsa-authentication
Disables or re-enables RSA challenge-response authentication.
EXAMPLE:
To disable RSA challenge-response authentication:
ServerIron(config)# ip ssh rsa-authentication no
Syntax: [no] ip ssh rsa-authentication yes | no
Possible values: yes or no
Default value: RSA challenge-response authentication is enabled by default.
ip ssh scp
Disables or re-enables Secure Copy (SCP).
EXAMPLE:
To disable SCP:
ServerIron(config)# ip ssh scp disable
Syntax: [no] ip ssh scp disable | enable
Possible values: disable or enable
Default value: SCP is enabled by default.
NOTE: If you disable SSH, SCP is also disabled.
ip ssh timeout
Changes the SSH timeout value. When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects.
EXAMPLE:
ServerIron(config)# ip ssh timeout 60
Syntax: ip ssh timeout <seconds>
Possible values: 1 – 120 seconds
Default value: 120 seconds
ip strict-acl-mode
Enables the strict ACL TCP mode.
By default, when you use ACLs to filter TCP traffic, the Foundry device does not compare all TCP packets against the ACLs. Instead, the device compares TCP control packets against the ACLs, but not data packets. Control packets include packet types such as SYN (Synchronization) packets, FIN (Finish) packets, and RST (Reset) packets.
In normal TCP operation, TCP data packets are present only if a TCP control session for the packets also is established. For example, data packets for a session never occur if the TCP SYN for that session is dropped. Therefore, by filtering the control packets, the Foundry device also implicitly filters the data packets associated with the control packets. This mode of filtering optimizes forwarding performance for TCP traffic by forwarding data packets without examining them. Since the data packets are present in normal TCP traffic only if a corresponding TCP control session is established, comparing the packets for the control session to the ACLs is sufficient for filtering the entire session including the data.
However, it is possible to generate TCP data packets without corresponding control packets, in test or research situations for example, or deliberately, by a sender that crafts TCP segments with the SYN, FIN and RST bits clear. In this case, the default ACL mode does not filter the data packets, since there is no corresponding control session to filter. To filter this type of TCP traffic, use the strict ACL TCP mode. This mode compares all TCP packets to the configured ACLs, regardless of whether the packets are control packets or data packets.
Regardless of whether the strict mode is enabled or disabled, the device always compares TCP control packets against the configured ACLs.
NOTE: If the device's configuration currently has ACLs associated with interfaces, remove the ACLs from the interfaces before changing the ACL mode.
EXAMPLE:
To enable the strict ACL TCP mode, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# ip strict-acl-mode
Syntax: [no] ip strict-acl-mode
This command configures the device to compare all TCP packets against the configured ACLs before forwarding them.
To disable the strict ACL mode and return to the default ACL behavior, enter the following command:
ServerIron(config)# no ip strict-acl-mode
Possible values: N/A
Default value: Disabled
ip tcp burst
Causes the Foundry device to drop TCP SYN packets when excessive numbers are encountered, as is the case when the device is the target of a TCP SYN flood. This command allows you to set threshold values for TCP SYN packets targeted at the device and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of TCP SYN packets received per second exceeds 10, the excess packets are dropped. If the number of TCP SYN packets received per second exceeds 100, the device drops all TCP SYN packets for the next 300 seconds (five minutes).
ServerIron(config)# ip tcp burst-normal 10 burst-max 100 lockup 300
Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds>
The burst-normal value can be from 1 – 100000.
The burst-max value can be from 1 – 100000.
The lockup value can be from 1 – 10000.
The number of incoming TCP SYN packets per second is measured and compared to the threshold values as follows:
• If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are dropped.
• If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.
Possible values: The burst-normal and burst-max values can be between 1 – 100000 packets. The burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 – 10000 seconds.
Default value: N/A
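The threshold behaviour described above, modelled as an added example (Python, not Foundry code). The ServerIron's internal counters are not documented here, so the model follows only the stated rules: up to burst-normal SYNs per second are forwarded, SYNs above it are dropped, exceeding burst-max locks out every SYN for the lockup period, and the count restarts each second. Whether the lockup clock starts in the second that crossed the threshold or in the next one is not stated; the model assumes the next `lockup` whole seconds. The traffic schedule is constructed.

```python
"""Model of the per-second TCP SYN thresholds described for `ip tcp burst`.

Added illustration, not Foundry code: only the documented rules are modelled.
"""
from dataclasses import dataclass, field


@dataclass
class SynBurstLimiter:
    """Per-second SYN thresholds in the shape of `ip tcp burst-normal ... burst-max ... lockup ...`."""
    burst_normal: int   # SYNs per second forwarded before the excess is dropped
    burst_max: int      # SYNs per second that triggers a lockup
    lockup: int         # seconds during which every SYN is dropped
    _second: int = field(default=-1, init=False, repr=False)
    _count: int = field(default=0, init=False, repr=False)
    _locked_until: int = field(default=0, init=False, repr=False)

    def __post_init__(self) -> None:
        # The reference requires burst-normal < burst-max, both 1-100000, and lockup 1-10000.
        if not 1 <= self.burst_normal < self.burst_max <= 100000:
            raise ValueError("need 1 <= burst-normal < burst-max <= 100000")
        if not 1 <= self.lockup <= 10000:
            raise ValueError("lockup must be 1-10000 seconds")

    def syn(self, t: int) -> bool:
        """Account for one SYN arriving during second `t`; True means it is forwarded."""
        if t != self._second:             # a new second: measurement restarts
            self._second, self._count = t, 0
        if t < self._locked_until:        # lockup in force: drop everything
            return False
        self._count += 1
        if self._count > self.burst_max:
            # Assumption: the lockup covers the next `lockup` whole seconds after this one.
            self._locked_until = t + 1 + self.lockup
            return False
        return self._count <= self.burst_normal


def run(limiter: SynBurstLimiter, per_second: list) -> list:
    """Feed `per_second[t]` SYNs in second t; return (forwarded, dropped) for each second."""
    result = []
    for t, n in enumerate(per_second):
        forwarded = sum(limiter.syn(t) for _ in range(n))
        result.append((forwarded, n - forwarded))
    return result


if __name__ == "__main__":
    # Constructed traffic: quiet, slightly over burst-normal, a flood, then normal again.
    lim = SynBurstLimiter(burst_normal=10, burst_max=100, lockup=3)
    for t, (fwd, drop) in enumerate(run(lim, [5, 15, 150, 8, 8, 8, 8])):
        print(f"second {t}: forwarded {fwd:3d} dropped {drop:3d}")
```

With the page's own values (burst-normal 10, burst-max 100, lockup 300) the flood second forwards ten SYNs, drops the rest, and every SYN for the following five minutes is dropped, which is also why a lockup this long lets an attacker deny service to legitimate clients with a single one-second burst; choose burst-max with that trade-off in mind.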
ip tcp conn-rate
Configures the ServerIron 400 or ServerIron 800 to log information about the TCP connection rate and attack rate on the device.
EXAMPLE:
ServerIron(config)# ip tcp conn-rate conn-rate 10000 attack-rate 10000
Syntax: ip tcp conn-rate conn-rate <rate> attack-rate <rate>
Possible values: The conn-rate <rate> parameter specifies a threshold for the number of global TCP connections per second that are expected on the ServerIron. A global TCP connection is defined as any packet that requires session processing. For example, 1 SLB, 1 TCS, and 1 SYN-Guard connection would equal 3 global TCP connections, since there are three different connections that require session processing.
The attack-rate <rate> parameter specifies a threshold for the number of TCP SYN attack packets per second that are expected on the ServerIron.
Syslog entries are generated under the following circumstances:
• If the connection rate or attack rate on the ServerIron reaches 80% of the configured threshold.
• If the connection rate or attack rate is still between 80% and 100% of the configured threshold 6 minutes after the last message.
• If the connection rate or attack rate exceeds 100% of the configured threshold.
• If the connection rate or attack rate exceeds 100% of the configured threshold, and has gone up by the configured rate change percentage.
• One minute after the last message indicating that the connection rate or attack rate still exceeds 100% of the configured threshold, and has gone up by the configured rate change percentage.
• Three minutes after the last message, if the connection rate or attack rate is still between 80% and 100% of the configured threshold, and has gone up by the configured rate change percentage.
ip tcp conn-rate-change
Configures thresholds for the TCP connection rate and attack rate change, used in conjunction with the ip tcp conn-rate command on the ServerIron 400 or ServerIron 800.
EXAMPLE:
ServerIron(config)# ip tcp conn-rate-change conn-rate 50 attack-rate 100
Syntax: ip tcp conn-rate-change conn-rate <percentage> attack-rate <percentage>
Possible values: The conn-rate <percentage> parameter specifies a percentage-change threshold for the global TCP connection rate; it is the "rate change percentage" referred to in the Syslog conditions listed under ip tcp conn-rate.
The attack-rate <percentage> parameter specifies the corresponding percentage-change threshold for the TCP SYN attack packet rate.
ip tcp syn-proxy
Activates the SYN-Guard feature, which completes the TCP three-way handshake on behalf of a connecting client, and sets the number of seconds the ServerIron 400 or ServerIron 800 waits for the client to send the ACK that completes the handshake.
EXAMPLE:
ServerIron(config)# ip tcp syn-proxy 12
Syntax: ip tcp syn-proxy <threshold>
Possible values: 1 – 40 seconds
Default value: 8 seconds
ip ttl
Sets the time-to-live (TTL) value, in hops, carried in IP packets the device originates.
EXAMPLE:
ServerIron(config)# ip ttl 25
Syntax: ip ttl <hops>
Possible values: 1 – 255 hops
Default value: 64 hops
ip-proto
This command creates an IP protocol VLAN on a switch or router.
When creating an IP protocol VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IP protocol VLAN. VLAN port membership must be assigned using the static command, as shown in the example below. Because no dynamic port assignment is made for IP Protocol VLANs on a router, there is no need to exclude any ports, only specify membership with the static command.
An IP protocol and IP sub-net VLAN cannot operate simultaneously on a Foundry switch or router. This restriction is also true for IPX and IPX network VLANs. If you have previously defined an IP sub-net VLAN on the system, you need to delete it before an IP protocol VLAN can be created.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IP protocol VLAN, enter the following:
ServerIron(config)# ip-proto
ServerIron(config-ip-proto)# static e1 to 2 e6 e8
Syntax: ip-proto
Possible values: N/A
Default value: N/A
ip-subnet
Creates an IP sub-net protocol VLAN on a switch or router. This allows you to provide additional granularity than that of an IP protocol VLAN, by allowing broadcast domains to be partitioned by sub-net. As with the IP protocol VLAN, port membership can be modified using the static commands. In creating an IP sub-net VLAN, an IP address is used as an identifier.
When creating an IP sub-net VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IP sub-net VLAN. VLAN port membership must be assigned using the static command, as shown in the example below. Because no dynamic port assignment is made for IP sub-net VLANs on a router, there is no need to exclude any ports, only specify membership with the static command.
NOTE: An IP Protocol and IP sub-net VLAN cannot operate simultaneously on a Foundry switch or router. This restriction is also true for IPX and IPX network VLANs. If you have previously defined an IP protocol VLAN on the system, you need to delete it before an IP sub-net VLAN can be created.
EXAMPLE:
To create an IP sub-net of IP address 192.75.3.0 with permanent port membership of 1 and 2, enter the following commands.
ServerIron(config)# ip-subnet 192.75.3.0 255.255.255.0
ServerIron(config-ip-subnet)# static e1 to 2
ServerIron(config-ip-subnet)# exit
Syntax: ip-subnet <ip-addr> <ip-mask>
Possible values: N/A
Default value: N/A
ipx-network
Creates an IPX network protocol VLAN on a switch or router. This allows you to provide additional granularity than that of the IPX protocol VLAN, by partitioning the broadcast domains by IPX network number. The frame type must also be specified when creating the IPX network VLAN.
When creating an IPX network VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IPX network VLAN. VLAN port membership must be assigned using the static command, as shown in the example below. Because no dynamic port assignment is made for IPX network VLANs on a router, there is no need to exclude any ports, only specify membership with the static command.
NOTE: An IPX protocol and IPX network VLAN cannot operate simultaneously on a Foundry switch or router. This restriction is also true for IP and IP sub-net VLANs. If you have previously defined an IPX protocol VLAN on the system, you need to delete it before an IPX network VLAN can be created.
EXAMPLE:
To create an IPX network VLAN with a network number of 500 and frame type of 802.2 with permanent port membership of 10 and 14, enter the following commands.
ServerIron(config)# ipx-network 500 ethernet_802.2
ServerIron(config-ipx-proto)# static e10 e14
ServerIron(config-ipx-proto)# exit
Syntax: ipx-network <ipx-network-number> <frame-encapsulation-type> netbios-allow | netbios-disallow
Possible values: Frame encapsulation type values: ethernet_ii, ethernet_802.2, ethernet_802.3, or ethernet_snap
Default value: N/A
ipx-proto
This command creates an IPX protocol VLAN on a switch or router.
When creating an IPX protocol VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IPX protocol VLAN. VLAN port membership must be assigned using the static command, as shown in the example below. Because no dynamic port assignment is made for IPX protocol VLANs on a router, there is no need to exclude any ports, only specify membership with the static command.
NOTE: An IPX protocol and IPX network VLAN cannot operate simultaneously on a Foundry switch or router. This restriction is also true for IP and IP sub-net VLANs. If you have previously defined an IPX network VLAN on the system, you need to delete it before an IPX protocol VLAN can be created.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IPX protocol VLAN, enter the following:
ServerIron(config)# ipx-proto
ServerIron(config-ipx-proto)# static e1 to 2 e6 e8
ServerIron(config-ipx-proto)# exit
Syntax: ipx-proto
Possible values: N/A
Default value: N/A
lock-address ethernet
Allows you to limit the number of MAC addresses that can be learned on, and therefore the number of devices that can use, a specific port. Access violations are reported by SNMP traps.
EXAMPLE:
ServerIron(config)# lock-address ethernet 2 addr-count 15
ServerIron(config)# end
ServerIron# write memory
Syntax: lock-address ethernet <portnum> [addr-count <num>]
Possible values: Address count: 1 – 2048
Default value: Address count: 8
logging
The logging commands enable or disable logging, configure the size of the local log buffer, and specify a SyslogD server.
EXAMPLE:
To disable Syslog logging (the device's local event buffer and messages to any configured Syslog servers), enter the following command:
ServerIron(config)# no logging on
To re-enable logging, enter the following command:
ServerIron(config)# logging on
Syntax: [no] logging on [<udp-port>]
Possible values: See above
Default value: Enabled; UDP port 514
EXAMPLE:
To specify two third-party SyslogD servers to receive Syslog messages in addition to the device’s local Syslog buffer, enter commands such as the following:
ServerIron(config)# logging 10.0.0.99
ServerIron(config)# logging 209.157.23.69
Syntax: logging <ip-addr> | <server-name>
EXAMPLE:
To change the logging facility from the default facility user to local7, enter the following command:
ServerIron(config)# logging facility local7
Syntax: logging facility <facility-name>
Possible values:
• kern – kernel messages
• user – random user-level messages
• mail – mail system
• daemon – system daemons
• auth – security/authorization messages
• syslog – messages generated internally by syslogd
• lpr – line printer subsystem
• news – netnews subsystem
• uucp – uucp subsystem
• sys9 – cron/at subsystem
• sys10 – reserved for system use
• sys11 – reserved for system use
• sys12 – reserved for system use
• sys13 – reserved for system use
• sys14 – reserved for system use
• cron – cron/at subsystem
• local0 – reserved for local use
• local1 – reserved for local use
• local2 – reserved for local use
• local3 – reserved for local use
• local4 – reserved for local use
• local5 – reserved for local use
• local6 – reserved for local use
• local7 – reserved for local use
Default value: user
EXAMPLE:
To disable logging of debugging and informational messages, enter the following commands:
ServerIron(config)# no logging buffered debugging
ServerIron(config)# no logging buffered informational
Syntax: [no] logging buffered <level> | <num-entries>
Possible values: <level> can be alerts, critical, debugging, emergencies, errors, informational, notifications, or warnings. All message levels are enabled by default. You can disable message levels individually.
<num-entries> can be 1 – 100.
Default value: all message levels are logged; default local buffer capacity is 50 entries.
EXAMPLE:
By default, a message is logged whenever a user logs into or out of the CLI’s User EXEC or Privileged EXEC mode. If you want to disable logging of users’ CLI access, enter the following command:
ServerIron(config)# no logging enable user-login
Syntax: [no] logging enable user-login
Possible values: N/A
Default value: User logins are logged by default.
mac-age-time
Sets the aging period for all address entries in the switch or router address table.
EXAMPLE:
ServerIron(config)# mac-age-time 600
Syntax: mac-age-time <value>
Possible values: 0 – 65535 seconds. If you specify 0, the entries do not age.
Default value: 300 seconds
mac filter
Allows you to define filters for Layer 2 filtering on MAC addresses. After you define the filters, you can apply them to individual interfaces using the mac filter-group command. See “mac filter-group” on page 8-10.
NOTE: You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use ACLs. See the "Using Access Control Lists (ACLs)" chapter in the Foundry Switch and Router Installation and Basic Configuration Guide. The standard and extended ACLs described in that chapter are supported on the ServerIron.
EXAMPLE:
To configure and apply a MAC filter, enter commands such as the following:
ServerIron(config)# mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any etype eq 806
ServerIron(config)# mac filter 1024 permit any any
ServerIron(config)# int e 1/1
ServerIron(config-if-1/1)# mac filter-group 1 1024
These commands configure a filter to deny ARP traffic with a source MAC address that begins with “3565” to any destination. The second filter permits all traffic that is not denied by another filter.
NOTE: Once you define a MAC filter, the device drops Layer 2 traffic that does not match a MAC permit filter.
Syntax: mac filter <filter-num> permit | deny <src-mac> <mask> | any <dest-mac> <mask> | any etype | llc | snap eq | gt | lt | neq <frame-type>
Possible values:
The <filter-num> is 1 – 64 (64 is the default system-max setting). If you use the system-max mac-filter-sys command, you can increase the maximum number of MAC filters supported to 128 for global filter definitions.
The permit | deny argument determines the action the software takes when a match occurs.
The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f’s (ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes. The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a mask. In this case, the filter matches on all MAC addresses.
The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same as those for the <src-mac> <mask> | any parameter.
Use the etype | llc | snap argument if you want to filter on information beyond the source and destination address. The MAC filter allows for you to filter on the following encapsulation types:
• etype (Ethertype) – a two byte field indicating the protocol type of the frame. This can range from 0x0600 to 0xFFFF.
• llc (IEEE 802.3 LLC1 SSAP and DSAP) – a two byte sequence providing similar function as the EtherType but for an IEEE 802.3 frame.
• snap (IEEE 802.3 LLC1 SNAP) – a specific LLC1 type packet.
To determine which type of frame is used on your network, use a protocol analyzer. If the two-byte field at bytes 12 and 13 of an Ethernet frame (immediately after the source address) is 0600 (hex) or greater, it is an Ethernet II (EtherType) frame. Any smaller value indicates an IEEE 802.3 frame, in which this field is the length of the data field. Some well-known EtherTypes are 0800 (IP), 0806 (ARP), 0600 (XNS), and 8137 (Novell NetWare). The complete list is the IANA EtherType registry (formerly published in the Assigned Numbers RFC, RFC 1700); RFC 1042 describes SNAP encapsulation of IP on IEEE 802 networks.
For an IEEE 802.3 frame, you can further distinguish the SSAP and DSAP of the LLC header. Some well-known SAPs include FE (OSI), F0 (NetBIOS), 42 (Spanning Tree BPDU), and AA (SNAP). Usually the DSAP and SSAP are the same.
NOTE: You must type in both bytes (DSAP followed by SSAP, for example f0f0). If you enter only one byte, the software fills the field on the left with 00, so llc eq f0 becomes llc eq 00f0, which is not the value carried by a frame whose DSAP and SSAP are both F0. The SAP values are listed in the IANA IEEE 802 numbers registry (formerly the Assigned Numbers RFC, RFC 1700).
SNAP is defined as an IEEE 802.3 frame with the SSAP, DSAP, and control field set to AA, AA, and 03. Immediately following these is a five-byte SNAP header. The first three bytes in this header are not used by the MAC filters. However, the next two bytes usually are set to the EtherType, so you can define the EtherType inside the SNAP header that you want to filter on.
The eq | gt | lt | neq argument specifies the possible operator: eq (equal), gt (greater than), lt (less than) and neq (not equal).
The <frame-type> argument is a hexadecimal number for the frame type. For example, the hex number for ARP is 0806; the example above abbreviates it as 806.
Default value: N/A
Additional Examples of Layer 2 MAC Filter Definitions
ServerIron(config)# mac filter 1 permit any any etype eq 0800
This filter configures the device to permit (forward) any inbound packet with the Ethertype field set to 0800 (IP).
ServerIron(config)# mac filter 2 deny 0800.0020.0000 ffff.ffff.0000 any etype eq 0800
This filter configures the device to deny an inbound packet whose source address has its first four bytes set to 0800.0020 (0800.0020.xxxx) and whose EtherType field is set to 0800 (IP). The destination address does not matter.
ServerIron(config)# mac filter 3 deny any 00e0.5200.1234 ffff.ffff.ffff snap eq 0800
This filter configures the device to deny any inbound IEEE 802.3 packet with a destination set to 00e0.5200.1234 and a SNAP EtherType set to 0800. The source address does not matter.
ServerIron(config)# mac filter 32 permit any any
This filter permits all packets. This filter is used as the last filter assigned in a filter-group that has previous deny filters in the group.
Abbreviating the Address or Mask
Address and Mask abbreviations are allowed. However, be careful when configuring them. The default fill character is a 0 and it will fill a byte range as left justified. This applies only to the MAC address and mask. A range of frame types cannot be filtered. Each frame type must be entered. Here are some examples.
ServerIron(config)# mac filter 1 deny 0800.0700 ffff.ff00 any
This command expands to the following: mac filter 1 deny 0800.0700.0000 ffff.ff00.0000 any
The filter shown above denies forwarding of an inbound frame whose source address has 080007 as its first three bytes. All other information is not significant.
Here is another example of the fill feature.
ServerIron(config)# mac filter 2 deny 0260.8C00.0102 0.0.ffff any
This command expands to the following: mac filter 2 deny 0260.8C00.0102 0000.0000.ffff any
Since the fill character is 0's and the fill is left justified, certain filters will not allow for abbreviations. For example, suppose you want to deny an inbound packet that contained a broadcast destination address. Enter the following command:
ServerIron(config)# mac filter 5 deny any ff ff
This command was meant to specify a destination address of all F's and a mask of all F's, but because of the fill rule it expands to the following, which matches only frames whose second destination byte is ff:
ServerIron(config)# mac filter 5 deny any 00ff.0000.0000 00ff.0000.0000
To match the broadcast address you must type all twelve hexadecimal digits of both the address (ffff.ffff.ffff) and the mask (ffff.ffff.ffff).
Here is another example for DSAP and SSAP.
ServerIron(config)# mac filter 10 deny any any llc eq F0
This command expands to the following: mac filter 10 deny any any llc eq 00f0
If you want to filter on both the SSAP and DSAP, then the following example shows this:
ServerIron(config)# mac filter 4 deny any 0020.0010.1000 ffff.ffff.0000 llc eq e0e0
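The matching rules above and the abbreviation examples can be checked against constructed frames with this added example (Python; it is a model of the documented behaviour, not Foundry code). expand_mac applies the fill rule, classify reads bytes 12 and 13 to tell Ethernet II from IEEE 802.3 and picks out the EtherType, the LLC SAPs or the SNAP type as described, and filter_group applies a filter list first-match with the implicit deny noted above. The same address-and-mask test is what the multicast filter mask described later relies on. The filter numbers, the frame contents, and the DSAP-high/SSAP-low byte order of the llc value are assumptions of this model.

```python
"""Added model of the Layer 2 MAC filter semantics described in the reference (not Foundry code)."""
import struct
from dataclasses import dataclass
from typing import Optional

HEX = set("0123456789abcdef")


def expand_mac(text: str) -> str:
    """Fill rule from the reference: each dot-separated group is left-filled with 0 to four
    hex digits and missing trailing groups become 0000, so 'ff' -> '00ff.0000.0000'."""
    groups = text.lower().split(".")
    if len(groups) > 3 or any(len(g) > 4 or not set(g) <= HEX for g in groups):
        raise ValueError(f"bad MAC address or mask: {text!r}")
    return ".".join([g.zfill(4) for g in groups] + ["0000"] * (3 - len(groups)))


def mac_int(text: str) -> int:
    return int(expand_mac(text).replace(".", ""), 16)


def mac_bytes(text: str) -> bytes:
    return mac_int(text).to_bytes(6, "big")


def classify(frame: bytes) -> dict:
    """Decode the fields a MAC filter can test: bytes 12-13 >= 0x0600 carry an EtherType,
    otherwise they are an 802.3 length followed by LLC (DSAP, SSAP, control); DSAP=SSAP=AA
    with control 03 is SNAP, whose last two header bytes carry an EtherType."""
    if len(frame) < 17:
        raise ValueError("runt frame")
    info = {"dst": int.from_bytes(frame[0:6], "big"), "src": int.from_bytes(frame[6:12], "big")}
    type_len = struct.unpack("!H", frame[12:14])[0]
    if type_len >= 0x0600:
        info.update(kind="etype", value=type_len)
    else:
        dsap, ssap, ctrl = frame[14], frame[15], frame[16]
        if dsap == 0xAA and ssap == 0xAA and ctrl == 0x03 and len(frame) >= 22:
            info.update(kind="snap", value=struct.unpack("!H", frame[20:22])[0])
        else:  # assumption: DSAP in the high byte, SSAP in the low byte, so 'llc eq f0f0' tests both
            info.update(kind="llc", value=(dsap << 8) | ssap)
    return info


@dataclass
class MacFilter:
    num: int
    permit: bool
    src: Optional[tuple]          # (address, mask) as ints, or None for 'any'
    dst: Optional[tuple]
    kind: Optional[str] = None    # 'etype', 'llc' or 'snap'
    op: Optional[str] = None      # eq, neq, gt, lt
    value: Optional[int] = None


OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
       "gt": lambda a, b: a > b, "lt": lambda a, b: a < b}


def parse_filter(line: str) -> MacFilter:
    """Parse 'mac filter <num> permit|deny <src> <mask>|any <dst> <mask>|any [etype|llc|snap <op> <hex>]'."""
    tok = line.split()
    if tok[:2] != ["mac", "filter"] or tok[3] not in ("permit", "deny"):
        raise ValueError(f"not a mac filter line: {line!r}")
    rest = tok[4:]

    def take_addr():
        nonlocal rest
        if rest[0] == "any":
            rest = rest[1:]
            return None
        addr, mask, rest = mac_int(rest[0]), mac_int(rest[1]), rest[2:]
        return (addr, mask)

    f = MacFilter(int(tok[2]), tok[3] == "permit", take_addr(), take_addr())
    if rest:
        kind, op, value = rest
        if kind not in ("etype", "llc", "snap") or op not in OPS:
            raise ValueError(f"bad frame-type clause: {rest}")
        f.kind, f.op, f.value = kind, op, int(value, 16)   # 'f0' becomes 0x00f0, as the NOTE warns
    return f


def matches(f: MacFilter, info: dict) -> bool:
    for pair, key in ((f.src, "src"), (f.dst, "dst")):
        if pair is not None and (info[key] & pair[1]) != (pair[0] & pair[1]):
            return False
    return f.kind is None or (info["kind"] == f.kind and OPS[f.op](info["value"], f.value))


def filter_group(filters, frame: bytes) -> str:
    """First matching filter decides; with no match the frame is dropped, which is why a
    trailing 'permit any any' is needed to forward the traffic the deny filters do not name."""
    info = classify(frame)
    for f in filters:
        if matches(f, info):
            return "permit" if f.permit else "deny"
    return "deny"


def eth2(dst, src, etype, payload=b"\x00" * 46):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", etype) + payload


def dot3(dst, src, dsap, ssap, ctrl=0x03, payload=b"\x00" * 43):
    llc = bytes([dsap, ssap, ctrl])
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", len(llc) + len(payload)) + llc + payload


def snap(dst, src, etype, payload=b"\x00" * 38):
    return dot3(dst, src, 0xAA, 0xAA, 0x03, b"\x00\x00\x00" + struct.pack("!H", etype) + payload)


# Constructed filter group: the page's ARP deny filter followed by the catch-all permit.
GROUP = [parse_filter("mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any etype eq 806"),
         parse_filter("mac filter 1024 permit any any")]
```

Running filter_group(GROUP, frame) on an Ethernet II ARP frame from a 3565.xxxx.xxxx source returns "deny"; an IP frame from the same source falls through to filter 1024 and returns "permit"; with GROUP[:1] alone the IP frame is also denied, which is the implicit-deny behaviour the NOTE describes.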
mac filter log-enable
Enables logging of packets that are denied by Layer 2 MAC filters. When you enable this feature, the device generates Syslog entries and SNMP traps for denied packets.
EXAMPLE:
ServerIron(config)# mac filter log-enable
Syntax: mac filter log-enable
Possible values: N/A
Default value: Disabled
mirror-port
Enables and assigns a specific port to operate as a mirror port for other ports on a ServerIron. Once enabled, you can connect an external traffic analyzer to the port for traffic analysis.
You also need to enable the monitor command on a port for it to be mirrored by this port.
EXAMPLE:
To assign port 1 as the mirror port and port 5 as the port to be monitored, enter the following:
ServerIron(config)# mirror-port e 1
ServerIron(config)# interface e 5
ServerIron(config-if)# monitor on
To define a mirror port on a Chassis device, define a slot number in addition to the port number as seen in the syntax below.
Syntax: mirror-port ethernet <portnum>
Possible values: N/A
Default value: Undefined
module
Adds a hardware module to a Foundry Chassis device.
EXAMPLE:
To add an 8-port Gigabit Ethernet management module to slot 3 in a ServerIron 800, enter the following command:
ServerIron(config)# module 3 bi-8-port-gig-management-module
Syntax: module <slot-num> <module-type>
The <slot-num> parameter indicates the chassis slot number.
• Slots on the ServerIron 400 are numbered 1 – 4, from top to bottom.
• Slots on the ServerIron 800 are numbered 1 – 8, from left to right.
The <module-type> parameter specifies the module. For a list of the valid module types, enter module <slot-num> ? at the CLI prompt.
Possible values: see above
Default value: N/A
multicast filter
Configures a Layer 2 filter for multicast packets. You can filter on all multicast packets or on specific multicast groups.
EXAMPLE:
To configure a Layer 2 multicast filter to filter all multicast groups, then apply the filter to ports 2/4, 2/5, and 2/8, enter the following commands:
ServerIron(config)# multicast filter 1 any
ServerIron(config-mcast-filter-id-1)# exclude-ports ethernet 2/4 to 2/5 ethernet 2/8
ServerIron(config-mcast-filter-id-1)# write mem
EXAMPLE:
To configure a multicast filter to block all multicast traffic destined for multicast addresses 0100.5e00.5200 – 0100.5e00.52ff on port 4/8, enter the following commands:
ServerIron(config)# multicast filter 2 any 0100.5e00.5200 ffff.ffff.ff00
ServerIron(config-mcast-filter-id-2)# exclude-ports ethernet 4/8
ServerIron(config-mcast-filter-id-2)# write mem
The software calculates the range by combining the mask with the multicast address. In this example, all but the last byte of the mask (the final two hexadecimal digits) are “significant bits” (ones). The last byte is zero and thus matches any value, which gives the 256-address range.
Syntax: [no] multicast filter <filter-id> any | ip udp mac <multicast-address> | any [mask <mask>] [vlan <vlan-id>]
The parameter values are the same as those for the broadcast filter command. In addition, the multicast filter command requires the mac <multicast-address> | any parameter, which specifies the multicast MAC address. Enter mac any to filter on all multicast addresses. Enter mac followed by a specific multicast address to filter only on that multicast address.
To filter on a range of multicast addresses, use the mask <ip-mask> parameter. For example, to filter on multicast groups 0100.5e00.5200 – 0100.5e00.52ff, use mask ffff.ffff.ff00. The default mask matches all bits (is all Fs). You can leave the mask off if you want the filter to match on all bits in the multicast address.
Possible values: see above
Default value: N/A
multicast limit
Specifies the maximum number of multicast packets the device can forward each second. By default the device sends multicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited multicast traffic, this command allows you to relieve those devices by throttling the multicasts at the Foundry device.
NOTE: The multicast limit does not affect broadcast or unicast traffic. However, you can use the broadcast limit and unknown-unicast limit commands to control these types of traffic. See “broadcast limit” on page 6-12 and “unknown-unicast limit” on page 6-98.
EXAMPLE:
ServerIron(config)# multicast limit 30000
Syntax: multicast limit <num>
Possible values: 0 – 4294967295
Default value: N/A
netbios-proto
This command creates a NetBIOS protocol VLAN on a Foundry switch or router. All ports of the system are assumed, by default, to be members of the VLAN when initially created. VLAN membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create a NetBIOS Protocol VLAN on an 18 port device with permanent port membership of 4 and 5 and ports 8 through 12 as dynamic member ports, enter the following commands.
ServerIron(config)# netbios-proto
ServerIron(config-netbios-proto)# static e4 e5
ServerIron(config-netbios-proto)# exclude e1 to 3 e6 e7 e13 to 18
ServerIron(config-netbios-proto)# exit
Syntax: netbios-proto [<name>]
The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
Possible values: N/A
Default value: N/A
no
This command is used to disable many commands. To do so, place the word no before the command.
other-proto
Creates an Other protocol VLAN on the system. All ports of the switch are by default dynamically assigned to the newly created VLAN. VLAN membership can be modified using the dynamic, static, or exclude commands.
You can use this option to define a protocol-based VLAN for protocols that are not specified as supported protocol VLANs on a switch or router, or do not require dedicated, separate broadcast domains.
EXAMPLE:
On a 16 port ServerIron, ports 13 through 16 represent protocols Decnet and AppleTalk. You do not need to separate traffic by protocol into separate broadcast domains. Instead, create an Other Protocol VLAN with just those ports as members.
ServerIron(config)# other-proto
ServerIron(config-other-proto)# static e13 to 16
ServerIron(config-other-proto)# exclude e1 to 12
ServerIron(config-other-proto)# exit
Syntax: other-proto [<name>]
The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
Possible values: N/A
Default value: N/A
password-change
This command allows you to define the access points from which the system passwords can be changed. Options are any (serial console, Telnet session or IronView), cli (serial console or Telnet CLI only), console-cli (serial console only), and telnet-cli (Telnet only).
EXAMPLE:
To allow password changes from a serial port connection only, enter the following command:
ServerIron(config)# password-change console-cli
Syntax: password-change any | cli | console-cli | telnet-cli
Possible values: any, cli, console-cli, telnet-cli
Default value: None
privilege
This command augments the default access privileges for an access level. When you configure a user account, you can give the account one of three privilege levels: full access, port-configuration access, and read-only access. Each privilege level provides access to specific areas of the CLI by default:
• Full access provides access to all commands and displays.
• Port-configuration access gives access to:
• The User EXEC and Privileged EXEC levels, and the port-specific parts of the CONFIG level
• All interface configuration levels
• Read-only access gives access to:
• The User EXEC and Privileged EXEC levels
EXAMPLE:
To enhance the port-configuration privilege level so users also can enter ip commands at the global CONFIG level (useful for adding IP addresses for multinetting), enter the following command:
ServerIron(config)# privilege configure level 4 ip
In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for privilege level 4 (port-configuration). All users with port-configuration privileges will have the enhanced access. The ip parameter indicates that the enhanced access is for the IP commands. Users who log in with valid port-configuration level user names and passwords can enter commands that begin with "ip" at the global CONFIG level.
Syntax: [no] privilege <cli-level> level <privilege-level> <command-string>
The <cli-level> parameter specifies the CLI level and can be one of the following values:
• exec – EXEC level; for example, ServerIron> or ServerIron#
• configure – CONFIG level; for example, ServerIron(config)#
• interface – interface level; for example, ServerIron(config-if-6)#
• port-vlan – Port-based VLAN level; for example, ServerIron(config-vlan)#
• protocol-vlan – Protocol-based VLAN level; for example, ServerIron(config-vlan)#
The <privilege-level> indicates the privilege level you are augmenting.
The level parameter specifies the privilege-level. You can specify one of the following:
• 0 – Full access (super-user)
• 4 – Port-configuration access
• 5 – Read-only access
The <command-string> parameter specifies the command you are allowing users with the specified privilege level to enter. To display a list of the commands at a CLI level, enter "?" at that level's command prompt and press Return.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
perf-mode
Allows you to set the performance mode to hi so that flow control activates at an earlier stage when heavy congestion exists on the network. This setting must be saved to memory and the system reset before it becomes active.
EXAMPLE:
ServerIron(config)# perf-mode hi
Syntax: perf-mode normal | hi
Possible values: normal, hi
Default value: normal
radius-server
Identifies a RADIUS server and sets other RADIUS parameters.
EXAMPLE:
ServerIron(config)# radius-server host 209.157.22.99
Syntax: radius-server host <ip-addr> | <server-name> [auth-port <number>] [acct-port <number>]
<ip-addr> | <server-name> is either an IP address or an ASCII text string.
<auth-port> is the Authentication port number; it is an optional parameter. The default is 1645.
<acct-port> is the Accounting port number; it is an optional parameter. The default is 1646.
Syntax: radius-server [key <key-string>] [timeout <number>] [retransmit <number>] [dead-time <number>]
The key <key-string> parameter is the encryption key; valid key string length is from 1 – 16.
The timeout <number> is how many seconds to wait before declaring a RADIUS server timeout for the authentication request. The default timeout is 3 seconds. The range of possible timeout values is from 1 – 15.
The retransmit <number> is the maximum number of retransmission attempts. When an authentication request times out, the Foundry software retransmits the request up to the maximum number of retransmissions configured. The default retransmit value is 3 seconds. The possible retransmit values are from 1 – 5.
The dead-time parameter is not used in this software release. When the software allows multiple authentication servers, this parameter will specify how long the Foundry device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3.
Possible values: see above
Default value: see above
relative-utilization
Allows you to configure uplink utilization lists that display the percentage of a given uplink port’s bandwidth that is used by a specific list of downlink ports. The percentages are based on 30-second intervals of RMON packet statistics for the ports. Both transmit and receive traffic is counted in each percentage.
NOTE: This feature is intended for ISP or collocation environments in which downlink ports are dedicated to various customers’ traffic and are isolated from one another. If traffic regularly passes between the downlink ports, the information displayed by the utilization lists does not provide a clear depiction of traffic exchanged by the downlink ports and the uplink port.
Each uplink utilization list consists of the following:
• Utilization list number (1, 2, 3, or 4)
• One or more uplink ports
• One or more downlink ports
Each list displays the uplink port and the percentage of that port’s bandwidth that was utilized by the downlink ports over the most recent 30-second interval. You can configure up to four bandwidth utilization lists.
EXAMPLE:
To configure a link utilization list with port 1 as the uplink port and ports 2 and 3 as the downlink ports:
ServerIron(config)# relative-utilization 1 uplink eth 1 downlink eth 2 to 3
Syntax: [no] relative-utilization <num> uplink ethernet <portnum> [to <portnum> | <portnum>…] downlink ethernet <portnum> [to <portnum> | <portnum>…]
Possible values: The <num> parameter specifies the list number. You can configure up to four lists. Specify a number from 1 – 4.
The uplink ethernet parameters and the port number(s) you specify after the parameters indicate the uplink port(s).
The downlink ethernet parameters and the port number(s) you specify after the parameters indicate the downlink port(s).
Default value: N/A
rmon alarm
The RMON alarm command defines which MIB objects are monitored, the type of thresholds that will be monitored (falling, rising, or both), the values of those thresholds, and the sample type (absolute or delta).
An alarm event will be reported each time that a threshold is exceeded. The alarm entry also defines the action (event) to take should the threshold be exceeded.
A sample CLI alarm entry and its syntax is shown below:
EXAMPLE:
ServerIron(config)# rmon alarm 1 ifInOctets.6 10 delta rising-threshold 100 1 falling threshold 50 1 owner nyc02
Syntax: rmon alarm <entry-number> <MIB-object.interface-number> <sampling-time> <sample-type> <threshold-type> <threshold-value> <event-number> <threshold-type> <threshold-value> <event-number> owner <text>
Possible values:
• Threshold type: rising-threshold or falling threshold
• Sample type: delta or absolute
Default value: N/A
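The following Python model, added here as an illustration and not Foundry code, replays the alarm entry from the example above (delta sampling of ifInOctets.6 every 10 seconds, rising threshold 100 and falling threshold 50, both firing event 1) against a constructed series of counter readings. It applies the RMON alarm-group hysteresis rule from RFC 2819 (after a rising event, no further rising event until the falling threshold is reached, and vice versa); letting either threshold fire first at startup is an assumption.

```python
"""Model of an 'rmon alarm' entry: delta or absolute sampling of a MIB object,
rising/falling thresholds, and the event number each threshold triggers.
Added illustration, not Foundry code; the counter readings are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    """One alarm entry, in the order of the page's syntax:
    rmon alarm <entry> <MIB-object.interface> <sampling-time> <sample-type>
               rising-threshold <value> <event> falling-threshold <value> <event> owner <text>
    """
    entry: int
    variable: str              # e.g. "ifInOctets.6" (MIB object . interface number)
    interval: int              # sampling-time in seconds (informational here)
    sample_type: str           # "delta" or "absolute"
    rising_threshold: int
    rising_event: int
    falling_threshold: int
    falling_event: int
    owner: str
    _last_raw: Optional[int] = field(default=None, repr=False)
    # Which threshold may fire next (RFC 2819 hysteresis). Assumption: at startup
    # either threshold may fire, i.e. a "rising or falling" startup alarm.
    _armed: str = field(default="both", repr=False)

    def sample(self, raw_value: int) -> Optional[Tuple[str, int]]:
        """Feed one raw reading taken one sampling interval after the previous one.
        Returns (threshold-type, event-number) when an event fires, else None."""
        if self.sample_type == "delta":
            if self._last_raw is None:
                self._last_raw = raw_value
                return None                 # a delta needs two readings
            value = raw_value - self._last_raw
            self._last_raw = raw_value
        elif self.sample_type == "absolute":
            value = raw_value
        else:
            raise ValueError(f"unknown sample type {self.sample_type!r}")

        # Hysteresis: once a rising event has fired, another rising event is not
        # generated until the value has come back down to the falling threshold,
        # so a counter hovering around the rising threshold cannot flood the log.
        if value >= self.rising_threshold and self._armed in ("both", "rising"):
            self._armed = "falling"
            return ("rising-threshold", self.rising_event)
        if value <= self.falling_threshold and self._armed in ("both", "falling"):
            self._armed = "rising"
            return ("falling-threshold", self.falling_event)
        return None


def run_alarm(alarm: RmonAlarm, readings: List[int]) -> List[Tuple[int, str, int]]:
    """Replay raw readings; return (sample-index, threshold-type, event-number) for each event."""
    fired = []
    for i, raw in enumerate(readings):
        hit = alarm.sample(raw)
        if hit:
            fired.append((i, hit[0], hit[1]))
    return fired


# The page's example entry and a constructed cumulative ifInOctets series.
PAGE_ALARM = RmonAlarm(1, "ifInOctets.6", 10, "delta", 100, 1, 50, 1, "nyc02")
IF_IN_OCTETS = [1000, 1070, 1200, 1350, 1390, 1400, 1550]   # deltas: 70,130,150,40,10,150

if __name__ == "__main__":
    # Expected: rising at sample 2, falling at 4, rising at 6; the 150-octet delta
    # at sample 3 fires nothing because the alarm is waiting for the falling threshold.
    for idx, kind, event in run_alarm(PAGE_ALARM, IF_IN_OCTETS):
        print(f"sample {idx}: {kind} crossed -> rmon event {event}")
```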
rmon event
There are two elements to the RMON event group 9, the event control table and the event log table.
The event control table defines the action to be taken when an alarm is reported. Defined events can be found by entering the CLI command, show event.
The event log table collects and stores reported events for retrieval by an RMON application.
EXAMPLE:
ServerIron(config)# rmon event 1 description 'testing a longer string' log-and-trap public owner nyc02
Syntax: rmon event <event-entry> description <text-string> log | trap | log-and-trap owner <rmon-station>
Possible values: N/A
Default value: N/A
rmon history
All active ServerIron ports by default will generate two RMON history (group 2) control data entries. If a port becomes inactive, then the two entries will automatically be deleted.
Two history entries are generated for each switch by default:
• a sampling of statistics every 30 seconds
• a sampling of statistics every 30 minutes
You can modify how many of these historical entries are saved in an event log (buckets) as well as how often these intervals are taken. The station (owner) that collects these entries can also be defined.
To review the control data entry for each port or interface, enter the show rmon history command.
EXAMPLE:
ServerIron(config)# rmon history 1 interface 1 buckets 10 interval 10 owner nyc02
Syntax: rmon history <entry-number> interface <portnum> buckets <number> interval <sampling-interval> owner <text-string>
Possible values: Buckets: 1 – 50 entries.
Default value: N/A
router rip
Enables the Routing Information Protocol (RIP).
NOTE: This command applies only to IP forwarding (Layer 3 IP).
NOTE: You also must enable RIP locally on the virtual routing interface. See “ip rip” on page 8-7.
EXAMPLE:
To enable RIP globally, enter the following command:
ServerIron(config)# router rip
ServerIron(config-rip-router)#
Notice that the command also changes the CLI to RIP configuration level. See “Routing Information Protocol (RIP) Commands” on page 20-1.
Syntax: [no] router rip
Possible values: N/A
Default value: Disabled
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
server active-active-port
Provides redundancy for NAT or the SYN-Guard feature when not used with FWLB or SLB. This command specifies the ServerIron port connected to the other ServerIron in the configuration.
EXAMPLE:
ServerIron(config)# server active-active-port ethernet 4/5
This command configures the active-active link on port 4/5.
ServerIron(config)# server active-active-port ethernet 4/5 300
This command configures the active-active link on port 4/5 on VLAN 300 only. The active-active traffic is not forwarded to the other VLANs that port 3/5 is in.
Syntax: [no] server active-active-port ethernet <portnum> [<vlan-id>]
The <portnum> parameter is the first port MAC address where the peer ServerIron resides. This is the MAC address displayed as the "Boot Prom MAC" in the output of the show chassis command on the peer ServerIron. You must add a static MAC entry for this MAC address.
The <vlan-id> parameter specifies the VLAN you want to use for active-active synchronization traffic. Use this parameter if the port is a tagged member of multiple VLANs.
NOTE: The VLAN you specify must be used only for synchronization traffic. Do not specify a VLAN that also will carry data traffic.
Possible values: See above
Default value: N/A
server allow-sticky
Accepts new connections on a real server whose sticky port has been unbound.
When you unbind an application port from a server, the ServerIron temporarily places the port in the aw_unbnd (awaiting unbind) state. If you delete an application port, the ServerIron temporarily places the port in the aw_del (awaiting delete) state. These temporary states allow open sessions on the port to be completed before the port is unbound or removed.
By default, when the ServerIron receives a new request associated with a sticky port in the aw_unbnd state, the ServerIron establishes the session on another real server, not the real server from which you are unbinding the port.
This command configures the ServerIron to accept new sessions for the same real server for a sticky port, even under the following conditions:
• The real server port is in the aw_unbnd state.
• The real server port is in the aw_del state.
• The real server port is disabled.
EXAMPLE:
ServerIron(config)# server allow-sticky
Syntax: [no] server allow-sticky [refresh-age]
The refresh-age parameter configures the ServerIron to reset the age of a sticky session on the port whenever a new connection associated with the sticky port is established. This parameter ensures that the session stays up indefinitely until it is no longer needed.
By default, the ServerIron does not reset the age of the session when new connections are established. Instead, the session times out after the sticky age expires.
If you use the refresh-age parameter, the ServerIron resets the age of the session to the value of the sticky age. For example, if the sticky age is five minutes (the default), when the ServerIron establishes a new session on the
sticky port, the ServerIron resets the age time for the session to five minutes. Each time the ServerIron receives another connection request associated with the sticky session, the ServerIron resets the session age again.
Possible values: See above
Default value: Disabled
server backup
The server backup command sets up the server load balancing redundancy on ServerIron switches. The two switches used in the configuration must be configured with the same MAC address. The MAC address used for the two switches can be any MAC address supported on either of the switches.
EXAMPLE:
ServerIron(config)# server backup ethernet 13 00e0.5201.0c72
Syntax: server backup ethernet <portnum> <HHHH.HHHH.HHHH>
Possible values: N/A
Default value: N/A
server backup-group
Configures a hot-standby group ID. Use the group ID when you are configuring more than one pair of ServerIrons for SLB hot standby within the same Layer 2 broadcast domain.
Configure a backup group ID on each of the ServerIrons, so that both ServerIrons in a given pair have the same ID. The backup group ID uniquely identifies the pair.
When you configure a backup group ID, both ServerIrons in a hot-standby pair use the ID when exchanging backup information. If a ServerIron receives a backup information packet but the packet’s backup group ID does not match the ServerIron’s backup group ID, the ServerIron discards the packet.
If the broadcast domain contains multiple hot-standby pairs, you must configure backup group IDs on all pairs. If the broadcast domain contains only one hot-standby pair, you do not need to configure a backup group ID.
EXAMPLE:
ServerIron(config)# server backup-group 1
Syntax: [no] server backup-group <num>
The <num> parameter specifies the backup group ID and can be a number from 0 – 7. Enter the same ID on both ServerIrons in a hot-standby pair. Do not enter the same ID on a ServerIron that is not one of the ServerIrons in the hot-standby pair.
Possible values: 0 – 7
Default value: N/A
server backup-port
Configures the active-active (synchronization) port for SSLB. The active-active port connects the ServerIron to its SSLB partner.
EXAMPLE:
ServerIron(config)# server backup-port ethernet 3/5
This command configures the active-active link on port 3/5.
ServerIron(config)# server backup-port ethernet 3/5 200
This command configures the active-active link on port 3/5 on VLAN 200 only. The active-active traffic is not forwarded to the other VLANs that port 3/5 is in.
Syntax: [no] server backup-port ethernet <portnum> [<vlan-id>]
The <vlan-id> parameter specifies the VLAN you want to use for active-active synchronization traffic. Use the <vlan-id> parameter if the port is a tagged member of more than one VLAN.
NOTE: The VLAN you specify must be used only for synchronization traffic. Do not specify a VLAN that also will carry data traffic.
Possible values: See above
Default value: N/A
server backup-preference
Configures a ServerIron in an active-standby pair to always be the active ServerIron. Without the backup preference, ServerIrons in a hot-standby pair elect the active ServerIron based on a random timer on each ServerIron.
NOTE: This command does not apply to FWLB.
EXAMPLE:
To configure a ServerIron in an active-standby pair to always be the active ServerIron, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# server backup-preference 5
Syntax: server backup-preference <wait-time>
The <wait-time> parameter specifies how long the ServerIron waits before assuming the active role. The ServerIron does not immediately become the active ServerIron but instead waits the number of minutes you specify.
Possible values: 5 – 30 minutes
Default value: None
server backup-timer
Changes the backup timer on a ServerIron in an active-standby pair. The timer specifies how long a backup ServerIron will wait for a Hello message or synchronization data from the active ServerIron before assuming the active ServerIron is no longer available, and then taking over the active role.
NOTE: This command does not apply to FWLB.
EXAMPLE:
ServerIron(config)# server backup-timer 50
This command sets the backup timer to 5 seconds (50 * 100 milliseconds).
Syntax: server backup-timer <time>
The <time> parameter specifies how long this ServerIron, when it is the backup ServerIron, will wait for a Hello message or synchronization data from the active ServerIron before assuming the active ServerIron is no longer available.
Possible values: 5 (one half second) – 100 (10 seconds), in units of 100 milliseconds each
Default value: 10 (one second)
server cache-group
TCS requires that all cache servers be assigned to a cache-group. By default, all cache servers are assigned to cache group 1. To assign cache servers to a different cache group, use this command.
EXAMPLE:
To assign cache servers server1 and server2 to cache group 2, enter the following:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# cache-name server1
ServerIron(config-tc-1)# cache-name server2
Syntax: server cache-group 1
Possible values: N/A
Default value: N/A
server cache-name
This command is used to assign a name and IP address to a cache server.
EXAMPLE:
To identify a cache-server with an IP address of 207.95.5.19 as web2, enter the following:
ServerIron(config)# server cache-name web2 207.95.5.19
Syntax: server cache-name <text> <ip-addr>
Possible values: N/A
Default value: N/A
server cache-router-offload
This command enables the ServerIron Cache Route Optimization feature, which redirects HTTP traffic from a cache server directly toward the clients. Use this command when the ServerIron sits between a remote access server (RAS) and a border access router (BAR) and the cache server’s default gateway is the BAR.
For more information, see the "Configuring Transparent Cache Switching" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
To enable Cache Route Optimization on a switch operating with TCS, enter the following:
ServerIron(config)# server cache-router-offload
Syntax: [no] server cache-router-offload
Possible values: N/A
Default value: N/A
server cache-stateful
Disables stateful TCS. In stateful TCS, the ServerIron creates session table entries for the client connections redirected to cache servers. If you disable stateful TCS, the ServerIron does not create session table entries for the load-balanced traffic, but instead uses hash-based redirection on a packet by packet basis. In addition, the ServerIron uses the return traffic as one means to assess the health of a cache server. If you disable stateful TCS, the ServerIron does not monitor the return traffic.
NOTE: Stateful TCS provides more benefit than stateless TCS in almost all TCS configurations. Do not disable stateful TCS unless advised to do so by Foundry Networks Technical Support.
EXAMPLE:
To disable stateful TCS, enter the following command:
ServerIron(config)# no server cache-stateful
Syntax: [no] server cache-stateful
Possible values: N/A
Default value: Enabled
server clock-scale
Provides a clock multiplier for the TCP age and UDP age timers, which are used to age out the entries in the session table. This command is useful for configurations that require TCP or UDP timeouts longer than the
maximum configurable value (60 minutes). For example, if you set the clock scale to 2, the TCP and UDP age timer values are multiplied by 2. Thus, a TCP age of 60 would then be equivalent to 120 minutes instead of 60 minutes.
EXAMPLE:
ServerIron(config)# server clock-scale 2
Syntax: server clock-scale <multiplier>
Possible values: 1 – 20
Default value: 1
server connection-log
Enables TCP/UDP session logging. When TCP/UDP session logging is enabled, the ServerIron sends a message to the external Syslog servers when the software creates a session table entry.
EXAMPLE:
To enable session logging for all TCP and UDP ports, enter a command such as the following:
ServerIron(config)# server connection-log all
The command in this example enables logging for all new session table entries. To enable logging only for new sessions that are used for Source NAT, enter the following command:
ServerIron(config)# server connection-log src-nat
Syntax: server connection-log all | src-nat [url] [cookie]
The all parameter enables logging for all sessions.
The src-nat parameter enables logging only for sessions that are used for Source NAT.
The url parameter enables logging of URL information for sessions that contain a URL.
The cookie parameter enables logging of Cookie information for sessions that contain a Cookie.
NOTE: The URL logging option applies only when URL switching is enabled. The Cookie logging option applies only when Cookie switching is enabled.
To enable session logging for a specific TCP or UDP port, enter commands such as the following:
ServerIron(config)# server port 80
ServerIron(config-port-80)# connection-log all url cookie
Syntax: connection-log all | src-nat [url] [cookie]
The parameter values are the same as the values for globally enabling logging.
Possible values: see above
Default value: Disabled
server delay-symmetric
Delays reactivation of a failed ServerIron in an SSLB configuration following the ServerIron’s recovery. By delaying reactivation of a recovered ServerIron, you provide time for sessions created by the standby ServerIron to terminate normally.
NOTE: This command applies only to active-standby SSLB in software release 07.1.x. Software 07.2.x uses active-active SSLB instead. See the "Active-Standby SSLB" section in the "Configuring Symmetric SLB and SwitchBack" chapter of the Foundry ServerIron Installation and Configuration Guide.
When you enable session synchronization in a ServerIronXL SSLB configuration, the active ServerIron for a VIP sends session synchronization information to the standby ServerIron. If the VIP’s active ServerIron becomes
unavailable, the open sessions for the VIP fail over to the other ServerIron, which provides uninterrupted service for the sessions.
The active ServerIron sends session synchronization information to a VIP’s standby ServerIron when the session is created. Following a failover, when the standby ServerIron for a VIP has taken over, the standby ServerIron can create new sessions for the VIP. However, because the ServerIron with the higher priority for the VIP is unavailable, the standby ServerIron cannot send synchronization information for the newly created sessions. As a result, when the other ServerIron becomes available again, it resumes service for the VIP but cannot continue the sessions that were created by the standby ServerIron.
EXAMPLE:
To enable reactivation delay following recovery of a ServerIron, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# server delay-symmetric
Syntax: [no] server delay-symmetric [<mins>]
The <mins> parameter specifies the number of minutes you want the recovered ServerIron to wait before becoming active again. You can specify from 2 – 120 minutes. The default is 60 minutes.
NOTE: You must enter the same command using the same number of minutes on both ServerIrons in the configuration.
Possible values: See above
Default value: See above
server force-delete
This command allows you to force termination of existing server load balancing connections when the supporting server or service is disabled or deleted.
By default, when a service is disabled or deleted, the ServerIron does not send new connections to the real servers for that service. However, the ServerIron does allow existing connections to complete normally, however long that may take.
You can use the server force-delete command to force the existing connections to be terminated within two minutes.
NOTE: If you disable or delete a service, do not enter an additional command to reverse the command you used to disable or delete the service, while the server is in graceful shutdown.
NOTE: For important information about shutting down services or servers, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
To force the shutdown of all deleted servers on a ServerIron, enter the following:
ServerIron(config)# server force-delete
NOTE: Once enabled, this feature controls all future deletions. To see whether force delete is active, enter the show configuration command. If active, this option will appear in the summary of global parameters. Because the server force-delete command is a global command, there is no need to specify real server 15. It will automatically end the connections of all servers or services awaiting deletion.
NOTE: To display active sessions for a specific server, enter the show sessions real server <number> command and a display as seen below will appear. Notice that the display below shows the Telnet connection on server 15 as awaiting unbinding. Without the server force-delete command, this feature will stay in this state until the session ends naturally.
ServerIron(config-vs-building)# show server real s15
Real Servers Info
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Name: s15 IP: 207.95.18.15 State: 6 Wt: 1 Max-conn: 1000000
Port State CurConn TotConns Rx-pkts Tx-pkts Rx-octet Tx-octet Reas
http active 0 1711509 0 1206 0 82402 0
ftp active 0 0 0 0 0 0 0
telnet aw_unbnd 1 2 388 374 23618 22452 0
default unbnd 0 0 0 0 0 0 0
Server Total 1 1711511 388 1580 23618 104854 0
Because the binding is awaiting deletion, it will also still be seen as an active binding, if you enter the show session bind command, as seen below:
ServerIron(config-vs-building)# show server bind
Virtual Server Name: building, IP: 207.95.5.130
http -------> s21: 207.95.18.21, http
              s15: 207.95.18.15, http
              s50: 207.95.18.50, http
ftp -------> s50: 207.95.18.50, ftp
             s21: 207.95.18.21, ftp
             s15: 207.95.18.15, ftp
telnet -------> s15: 207.95.18.15, telnet
                s21: 207.95.18.21, telnet
                s50: 207.95.18.50, telnet
Once force delete is enabled, the unbinding will occur within two minutes and the show session real server s15 will show that connection as unbound, as seen below:
ServerIron(config)# show session real s15
Real Servers Info
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Name: s15 IP: 207.95.18.15 State: 6 Wt: 1 Max-conn: 1000000
Port State CurConn TotConns Rx-pkts Tx-pkts Rx-octet Tx-octet Reas
http active 0 1711509 0 1206 0 82402 0
ftp active 0 0 0 0 0 0 0
telnet unbnd 0 2 406 385 24700 23112 0
default unbnd 0 0 0 0 0 0 0
Server Total 0 1711511 406 1591 24700 105514 0
NOTE: The binding for the real server will also be eliminated from the show server bind display.
Syntax: server force-delete
Possible values: enabled or disabled
Default value: disabled
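As an added illustration (not Foundry code), the Python below parses the show server real output shown above and reports the ports that are still in the aw_unbnd or aw_del state with open sessions, which is what an operator would check before deciding whether server force-delete is needed. The two sample outputs are copied from the page; the field names PortStats and RealServer are this example's own.

```python
"""Parser for 'show server real <name>' output that flags real-server ports held in
the temporary aw_unbnd (awaiting unbind) / aw_del (awaiting delete) states while
they still carry sessions. Added illustration, not Foundry code."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PortStats:
    port: str
    state: str
    cur_conn: int
    tot_conns: int


@dataclass
class RealServer:
    name: str = ""
    ip: str = ""
    state: int = 0                 # code from the "Server State" legend (6 = active)
    ports: List[PortStats] = field(default_factory=list)


PENDING_STATES = {"aw_unbnd", "aw_del"}   # graceful-shutdown states from the page


def parse_show_server_real(output: str) -> RealServer:
    """Extract the server header line and the per-port table from the CLI output."""
    server = RealServer()
    in_table = False
    for line in output.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "Name:":
            # "Name: s15 IP: 207.95.18.15 State: 6 Wt: 1 Max-conn: 1000000" -> key/value pairs
            kv = dict(zip(tokens[0::2], tokens[1::2]))
            server.name, server.ip, server.state = kv["Name:"], kv["IP:"], int(kv["State:"])
        elif tokens[0] == "Port" and "State" in tokens:
            in_table = True                       # column header: port rows follow
        elif in_table:
            if tokens[:2] == ["Server", "Total"]:
                break                             # summary row closes the table
            if len(tokens) >= 4:
                server.ports.append(PortStats(tokens[0], tokens[1], int(tokens[2]), int(tokens[3])))
    return server


def pending_ports_with_sessions(output: str) -> List[PortStats]:
    """Ports in graceful shutdown that still hold sessions: these stay put until the
    sessions end naturally or 'server force-delete' closes them within two minutes."""
    return [p for p in parse_show_server_real(output).ports
            if p.state in PENDING_STATES and p.cur_conn > 0]


# Sample output copied from the page: before and after 'server force-delete'.
BEFORE_FORCE_DELETE = """\
ServerIron(config-vs-building)# show server real s15
Real Servers Info
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Name: s15 IP: 207.95.18.15 State: 6 Wt: 1 Max-conn: 1000000
Port State CurConn TotConns Rx-pkts Tx-pkts Rx-octet Tx-octet Reas
http active 0 1711509 0 1206 0 82402 0
ftp active 0 0 0 0 0 0 0
telnet aw_unbnd 1 2 388 374 23618 22452 0
default unbnd 0 0 0 0 0 0 0
Server Total 1 1711511 388 1580 23618 104854 0
"""

AFTER_FORCE_DELETE = """\
ServerIron(config)# show session real s15
Real Servers Info
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Name: s15 IP: 207.95.18.15 State: 6 Wt: 1 Max-conn: 1000000
Port State CurConn TotConns Rx-pkts Tx-pkts Rx-octet Tx-octet Reas
http active 0 1711509 0 1206 0 82402 0
ftp active 0 0 0 0 0 0 0
telnet unbnd 0 2 406 385 24700 23112 0
default unbnd 0 0 0 0 0 0 0
Server Total 0 1711511 406 1591 24700 105514 0
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE_FORCE_DELETE), ("after", AFTER_FORCE_DELETE)):
        stuck = pending_ports_with_sessions(text)
        print(label, [(p.port, p.state, p.cur_conn) for p in stuck])
```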
server fw-group
Changes the CLI to the Firewall Group level. At this level, you can configure parameters for firewall load balancing. For information about this feature, see the Foundry ServerIron Firewall Load Balancing Guide.
The default firewall group is 2. This is the only firewall group supported. All ServerIron ports are in this firewall group by default.
EXAMPLE:
To change the CLI to the Firewall Group level for firewall group 2, enter the following command:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)#
Syntax: server fw-group 2
Possible values: 2
Default value: N/A
server fw-name
Adds a firewall for firewall load balancing.
EXAMPLE:
To define a firewall called FW1, enter the following command:
ServerIron(config)# server fw-name FW1 209.157.22.3
Syntax: fw-name <string> <ip-addr>
NOTE: When you add a firewall name, the CLI level changes to the Firewall level.
Possible values: a string up to 32 characters long; a valid IP address
Default value: N/A
server fw-port
If you are configuring the ServerIron for IronClad Firewall Load Balancing, this command identifies the port that connects this ServerIron to its partner. If you configure a trunk group for the link between the two partners, specify the first port (the primary port for the group) in the trunk group. On the 8-port, 16-port, and 24-port ServerIrons, you can configure a trunk group with two or four members and the lead ports are the odd-numbered ports.
EXAMPLE:
ServerIron(config)# server fw-port 5
Syntax: fw-port <portnum>
Possible values: N/A
Default value: N/A
server fw-recv-stateful
Enables receive stateful FWLB for application traffic coming from the firewalls to the ServerIron. For information, see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIron(config)# server fw-recv-stateful
Syntax: [no] server fw-recv-stateful
Possible values: N/A
Default value: Disabled
server fw-slb
Enables FWLB-to-SLB. For information, see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIronB(config)# server fw-slb
Syntax: [no] server fw-slb
Possible values: N/A
Default value: Disabled
server fw-stateful
Enables stateful FWLB for application traffic coming from the ServerIron to the firewalls. For information, see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIron(config)# server fw-stateful
Syntax: [no] server fw-stateful
Possible values: N/A
Default value: Disabled
server fw-strict-sec
Configures the ServerIron to forward a TCP data packet only if the ServerIron has already received a TCP SYN for the packet's traffic flow (source and destination addresses). This command provides tighter security. For example, with the tighter security enabled, the ServerIron does not forward a TCP data packet to 1.1.1.1 unless the ServerIron has already received a TCP SYN for the session between the packet's source and 1.1.1.1.
By default, the ServerIron sends a properly addressed TCP data packet to a firewall regardless of whether the ServerIron has received a TCP SYN for the traffic flow. For example, if the ServerIron receives a TCP packet addressed to TCP port 8080 on IP address 1.1.1.1, the ServerIron forwards the packet to the firewall connected to 1.1.1.1 regardless of whether the ServerIron has received a TCP SYN for the session between the packet's source and 1.1.1.1.
EXAMPLE:
ServerIron(config)# server fw-strict-sec
Syntax: [no] server fw-strict-sec
The feature applies globally to all TCP traffic received for FWLB.
Possible values: N/A
Default value: Disabled
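The difference between the default behaviour and server fw-strict-sec, as an added Python model (not Foundry code): a forwarder records the flows for which a SYN has passed and, in strict mode, drops TCP data for any flow with no recorded SYN. The packet trace is constructed around the page's example destination (TCP 8080 on 1.1.1.1); the class and function names are this example's own.

```python
"""Model of the FWLB TCP forwarding decision with and without 'server fw-strict-sec'.
A flow is keyed by (source address, destination address), as the page defines it.
Added illustration, not Foundry code; the packets below are constructed."""
from dataclasses import dataclass
from typing import List, Set, Tuple

Flow = Tuple[str, str]   # (source address, destination address)


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    dport: int
    syn: bool = False    # True only for the connection-opening SYN segment


class FwlbForwarder:
    """Keeps the set of flows whose SYN has been seen and applies the default or strict rule."""

    def __init__(self, strict_sec: bool = False) -> None:
        self.strict_sec = strict_sec          # state of 'server fw-strict-sec'
        self.syn_seen: Set[Flow] = set()      # flows for which a TCP SYN has been received
        self.dropped: List[TcpPacket] = []

    def handle(self, pkt: TcpPacket) -> bool:
        """Return True if pkt is forwarded to the firewall, False if it is dropped."""
        flow: Flow = (pkt.src, pkt.dst)
        if pkt.syn:
            self.syn_seen.add(flow)           # the SYN itself is always forwarded and remembered
            return True
        if self.strict_sec and flow not in self.syn_seen:
            self.dropped.append(pkt)          # strict mode: data with no prior SYN is not forwarded
            return False
        return True                           # default: any properly addressed data packet goes through


def forward_all(packets: List[TcpPacket], strict_sec: bool) -> Tuple[int, int]:
    """Run a trace through one forwarder; return (forwarded, dropped) counts."""
    fw = FwlbForwarder(strict_sec)
    forwarded = sum(1 for p in packets if fw.handle(p))
    return forwarded, len(fw.dropped)


# Constructed trace toward the page's example destination, TCP 8080 on 1.1.1.1:
# one client opens its connection with a SYN before sending data; data for a
# second flow arrives with no SYN ever having been seen for it.
TRACE = [
    TcpPacket("10.0.0.5", "1.1.1.1", 8080, syn=True),
    TcpPacket("10.0.0.5", "1.1.1.1", 8080),
    TcpPacket("10.0.0.9", "1.1.1.1", 8080),           # no SYN seen for (10.0.0.9, 1.1.1.1)
]

if __name__ == "__main__":
    print("default   (forwarded, dropped):", forward_all(TRACE, strict_sec=False))   # (3, 0)
    print("strict-sec (forwarded, dropped):", forward_all(TRACE, strict_sec=True))   # (2, 1)
```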
server fw-superzone
Enables the superzone FWLB feature.
NOTE: This command does not enable FWLB. The command only enables superzone support.
EXAMPLE:
ServerIron(config)# server fw-superzone
Syntax: [no] server fw-superzone
Possible values: N/A
Default value: Disabled
server icmp-message
Enables the ICMP message feature. This feature configures the ServerIron to send ICMP “Destination Unreachable” messages to clients who request HTTP ports that are unavailable. Generally, a port is unavailable if all the real servers that contain the port are busy or are down, or the port is not configured on the servers.
EXAMPLE:
To enable the ICMP message feature, enter the following command:
ServerIron(config)# server icmp-message
Syntax: [no] server icmp-message
Possible values: N/A
Default value: disabled
server l4-check
Globally disables or re-enables Layer 4 TCP or UDP health checks for servers. The Layer 4 health checks are enabled by default.
If you are configuring the ServerIron to load balance traffic to multiple servers on the other side of routers and you want to load-balance the traffic according to TCP or UDP application, use the no server l4-check command to disable the Layer 4 health checks. If you do not disable the health checks in this type of configuration, the routers will fail the health checks (because the target applications for the health checks are not on the routers themselves) and the ServerIron will stop forwarding traffic to those servers.
NOTE: If you are using the ServerIron to load-balance TCP and UDP traffic through routers, you also must add each router as a real server and disable the HTTP port on each of the real servers. HTTP is enabled by default on all real servers.
NOTE: This command also disables all Boolean health-check policies when entered on a ServerIron 400 or ServerIron 800.
EXAMPLE:
To disable the Layer 4 TCP and UDP health checks, enter the following command:
ServerIron(config)# no server l4-check
Syntax: [no] server l4-check
Possible values: N/A
Default value: enabled
server max-conn-trap
Specifies the number of seconds that elapse between traps for logging information about the TCP connection rate and attack rate on the device.
EXAMPLE:
ServerIron(config)# server max-conn-trap 30
Syntax: server max-conn-trap <seconds>
Possible values: 1 – 300 seconds
Default value: 30 seconds
server max-ssl-session-id
Changes the number of entries associating a session_id with a real server that the ServerIron can store in its database.
EXAMPLE:
To change the maximum number of database entries from 8,192 to 64,000:
ServerIron(config)# server max-ssl-session-id 64000
Syntax: server max-ssl-session-id <number>
Possible values: On the ServerIronXL and ServerIronXL/G, the number of database entries can range from 8,192 to 64,000. On the ServerIron 400 and ServerIron 800, the number of database entries can range from 8,192 to 256,000.
Default value: 8,192
server max-url-switch
Changes the maximum number of concurrent web switching connections.
EXAMPLE:
To change the maximum number of concurrent web switching connections from 100,000 to 160,000:
ServerIron(config)# server max-url-switch 160000
Syntax: server max-url-switch <number>
Possible values: On the ServerIronXL and ServerIronXL/G, the number of concurrent web switching connections can range from 100,000 to 160,000. On the ServerIron 400 and ServerIron 800, the number of concurrent web switching connections can range from 100,000 to 512,000.
Default value: 100,000
server monitor
Enters the Layer 4 monitor CLI level.
EXAMPLE:
ServerIron(config)# server monitor
Syntax: server monitor
Possible values: N/A
Default value: N/A
server msl
Sets the amount of time sessions for ports configured with the udp-fast-age command stay in the delete queue before being deleted.
EXAMPLE:
ServerIron(config)# server msl 2
Syntax: server msl <seconds>
Possible values: 1 – 40 seconds
Default value: 8 seconds
server no-fast-bringup
Enables the health-checking procedure for application ports that was used in releases prior to 7.1.05.
• In releases prior to 7.1.05, the ServerIron performed a Layer 4 health check on a port on a real server, followed by a Layer 7 health check, if one was enabled on the port. If the port passed both health checks, it was then marked ACTIVE.
• Starting with release 7.1.05, by default when a port passes a Layer 4 health check, it is then marked ACTIVE. The ServerIron then performs a Layer 7 health check, if one is enabled on the port. Based on the result of the Layer 7 health check (if enabled), the port is then marked ACTIVE or FAILED.
This change was made so that ports could be brought up more quickly. You can optionally change the default behavior so that a port is not marked ACTIVE until it passes both the Layer 4 and (if one is enabled) Layer 7 health checks.
EXAMPLE:
To enable the health-checking procedure that existed in releases prior to 7.1.05:
ServerIron(config)# server no-fast-bringup
Syntax: [no] server no-fast-bringup
Possible values: N/A
Default value: N/A
server no-real-l3-check
Globally disables the initial Layer 3 health check for local real servers. When you disable the health check, the ServerIron sends an ARP request for the default gateway and makes the server’s state ACTIVE as long as the ARP entry is present in the ServerIron’s ARP cache.
By default, when you add a real server configuration to the ServerIron, the ServerIron uses a Layer 3 health check (IP ping) to determine the server’s reachability. If the real server responds to the ping, the ServerIron changes the server’s state to ACTIVE and begins using the server for client requests.
NOTE: This command applies only to local real servers (servers added using the server real-name command).
EXAMPLE:
ServerIron(config)# server no-real-l3-check
Syntax: [no] server no-real-l3-check
Possible values: N/A
Default value: Health check is enabled
server no-remote-l3-check
Globally disables the initial Layer 3 health check for remote real servers. When you disable the health check, the ServerIron sends an ARP request for the default gateway and makes the remote server’s state ACTIVE as long as the ARP entry is present in the ServerIron’s ARP cache.
By default, when you add a real server configuration to the ServerIron, the ServerIron uses a Layer 3 health check (IP ping) to determine the server’s reachability. If the real server responds to the ping, the ServerIron changes the server’s state to ACTIVE and begins using the server for client requests.
NOTE: This command applies only to remote servers (servers added using the server remote-name command).
EXAMPLE:
ServerIron(config)# server no-remote-l3-check
Syntax: [no] server no-remote-l3-check
Possible values: N/A
Default value: Health check is enabled
server no-slow-start
Globally disables the slow-start mechanism. When you disable the slow-start mechanism, the ServerIron can immediately send up to the maximum number of connections specified for the real server when the server comes up. Disabling slow-start does not remove the slow-start configuration information from the real servers. To reactivate slow-start, globally re-enable the feature.
EXAMPLE:
ServerIron(config)# server no-slow-start
Syntax: [no] server no-slow-start
To globally re-enable slow-start, enter the following command:
ServerIron(config)# no server no-slow-start
Possible values: N/A
Default value: Enabled
server partner-ports
Enables the standby ServerIron in an IronClad FWLB configuration that uses the always-active feature to learn the MAC addresses of hosts whose packets pass through the active ServerIron to reach the standby ServerIron.
For more information about the use of this command, see the "Preventing Unnecessary Broadcasts in an Always-Active IronClad Configuration" section in the "Using the Always-Active Feature for Simplified Topologies" appendix of the Foundry ServerIron Firewall Load Balancing Guide.
NOTE: This command applies only to IronClad FWLB configurations that use the always-active option.
EXAMPLE:
ServerIron(config)# server partner-ports 5
Syntax: [no] server partner-ports <portnum>...
The <portnum> parameter specifies the port(s) that are in the always-active VLAN. This is the VLAN that contains the data link between the two ServerIrons.
• On the ServerIronXL, ServerIron 400, and ServerIron 800 you can specify up to eight ports on the same command line. Use a space after each port number to separate them.
• On the ServerIronXL/G, you can specify one port on the same command line. However, you can enter the command multiple times for multiple ports.
Possible values: See above
Default value: None configured
server path-group
This command is for a specific configuration. Do not use this command unless advised to do so by Foundry Networks’ technical staff.
server peer-group
Configures stateless health checking. Use stateless health checking when you configure multiple ServerIrons to load balance for a common set of TCP or UDP application ports. For example, a transparent VIP configuration that uses stateless application ports can benefit from stateless health checking. A stateless application port is one for which the ServerIron does not create session table entries.
EXAMPLE:
To configure a stateless health check group, enter a command such as the following on each ServerIron in the group.
ServerIronA(config)# server peer-group 1 192.168.3.9 192.168.4.9
This command configures group 1 to contain two ServerIrons.
Syntax: [no] server peer-group <num> <ip-addr>...
The <num> parameter specifies the stateless health check group ID. You can specify a number from 1 – 16. There is no default.
The <ip-addr>... parameter specifies a list of ServerIron management IP addresses. You can specify up to four addresses with the command. Separate each address with a space. You can configure up to 16 ServerIron management IP addresses. To do so, enter the command four times and specify different addresses each time.
NOTE: Make sure you add the management IP address for each of the other ServerIrons in the group. Do not include the ServerIron’s own management address in the list.
To configure a ServerIron’s stateless health check priority, enter a command such as the following on each ServerIron in the stateless health check group.
NOTE: If you do not set the stateless health check priority on a ServerIron, that ServerIron does not participate in stateless health checking. If you set the same priority on all the ServerIrons, their priorities are based on their management IP addresses instead. In this case, a higher management IP address has more priority than a lower management IP address.
ServerIronA(config)# server peer-group 1 self-priority 16
This command sets the stateless health check priority on ServerIron A to 16, the highest priority.
Syntax: [no] server peer-group <num> <priority>
The <priority> parameter specifies the ServerIron’s priority for stateless health checks. You can specify a number from 1 (lowest) – 16 (highest). The ServerIron with the highest stateless health check priority in the group becomes the master for stateless health checks.
To set the priority on ServerIron B, enter a command such as the following:
ServerIronB(config)# server peer-group 1 self-priority 1
This command sets the stateless health check priority on ServerIron B to 1, the lowest priority.
Possible values: See above
Default value: See above
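The master election and the peer-list limits described above, as an added model in Python (not Foundry code): a member without a self-priority does not participate, the highest priority wins, ties fall back to the higher management IP address, and the peer addresses are split into commands of at most four addresses that omit the ServerIron's own address. All addresses beyond the two from the page's example are constructed.

```python
from __future__ import annotations

from ipaddress import IPv4Address
from typing import Optional

# Constructed model of a stateless health-check group: management IP ->
# self-priority (1..16), or None when no priority was set on that member.
PRIORITY_MIN, PRIORITY_MAX = 1, 16
ADDRS_PER_COMMAND = 4      # addresses accepted on one peer-group command
MAX_PEERS = 16             # management addresses one ServerIron can list


def elect_master(members: dict[str, Optional[int]]) -> Optional[str]:
    """Return the management IP of the stateless health-check master.

    A ServerIron without a priority does not take part; the highest
    priority wins; equal priorities fall back to the higher management
    IP address. None means no member participates.
    """
    participants = [(ip, prio) for ip, prio in members.items() if prio is not None]
    for ip, prio in participants:
        if not PRIORITY_MIN <= prio <= PRIORITY_MAX:
            raise ValueError(f"{ip}: priority {prio} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
    if not participants:
        return None
    # Compare (priority, numeric IP): for both, higher wins.
    ip, _ = max(participants, key=lambda m: (m[1], int(IPv4Address(m[0]))))
    return ip


def peer_group_commands(group_id: int, own_ip: str, group_ips: list[str]) -> list[str]:
    """Render the 'server peer-group <num> <ip-addr>...' lines for one member.

    The member's own address is left out, at most four addresses go on one
    command, and no more than 16 peer addresses may be listed in total.
    """
    if not 1 <= group_id <= 16:
        raise ValueError("group ID must be 1-16")
    peers = [ip for ip in group_ips if ip != own_ip]
    if len(peers) > MAX_PEERS:
        raise ValueError("more than 16 peer addresses")
    return [
        f"server peer-group {group_id} " + " ".join(peers[i:i + ADDRS_PER_COMMAND])
        for i in range(0, len(peers), ADDRS_PER_COMMAND)
    ]


if __name__ == "__main__":
    # Constructed group: the page's two addresses plus a member without a priority.
    group = {"192.168.3.9": 16, "192.168.4.9": 1, "192.168.5.9": None}
    print("master:", elect_master(group))
    for line in peer_group_commands(1, "192.168.3.9", list(group)):
        print(line)
```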
server ping-interval
In a client/server environment, if a server does not respond within five seconds to active traffic, the server is marked suspect and the switch sends a ping to the server. The number of times the switch pings the server is defined by the server ping-retries command. The interval between the pings is defined by this command, server ping-interval.
This command is used in conjunction with the feature server load balancing on the ServerIron switch.
EXAMPLE:
To modify the interval between ping retries to 8 seconds from the default value of 2 seconds, enter the following command:
ServerIron(config)# server ping-interval 8
Syntax: server ping-interval <value>
Possible values: 1 – 10 seconds
Default value: 2 seconds
server ping-retries
This command configures how many times the server is pinged before it is placed in a failed state. Possible values are between 2 and 10, with a default value of 4.
This command is used in conjunction with the feature server load balancing on the ServerIron switch.
EXAMPLE:
To change the number of times the switch pings a server before declaring the server down from the default value of 4 to 7, enter the following command:
ServerIron(config)# server ping-retries 7
Syntax: server ping-retries <value>
Possible values: 2 – 10 retries
Default value: 4 retries
server policy-hash-acl
Overrides the global hash mask for all traffic that matches the source and destination information in the specified ACL.
EXAMPLE:
ServerIron(config)# access-list 100 permit ip any 192.168.1.16 0.0.0.15
ServerIron(config)# access-list 100 permit ip any 192.168.2.0 0.0.0.255
ServerIron(config)# access-list 100 permit ip any 192.168.3.192 0.0.0.63
ServerIron(config)# access-list 100 permit ip any 192.168.4.0 0.0.0.255
ServerIron(config)# access-list 100 permit ip any 192.168.3.160 0.0.0.31
ServerIron(config)# access-list 100 permit ip any 192.168.3.0 0.0.0.127
ServerIron(config)# access-list 100 permit ip any 64.129.1.0 0.0.0.255
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# hash-mask 255.255.255.255 0.0.0.0
ServerIron(config-tc-2)# policy-hash-acl 100 255.255.255.255 255.255.255.255
In this example, FWLB will use the hash mask 255.255.255.255 0.0.0.0 for all traffic except the traffic that matches ACL 100.
Syntax: [no] server policy-hash-acl <acl-id> <src-mask> <dst-mask>
The <acl-id> parameter specifies a standard or extended ACL. Configure each entry in the ACL to permit the addresses for which you want to override the global hash mask.
The <src-mask> parameter specifies the source mask.
The <dst-mask> parameter specifies the destination mask.
Possible values: See above
Default value: N/A; the global hash values are used
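The mask selection described above, as an added model in Python (not Foundry code): a flow permitted by the ACL is hashed with the policy-hash-acl masks, all other traffic with the group's global hash-mask, so the masked (source, destination) pair is what ties flows to one firewall path. The ACL entries and masks are the ones from the example above; the ACL match uses standard wildcard-mask semantics (a 1 bit means "don't care"), and the test flows are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address


def ip_int(addr: str) -> int:
    return int(IPv4Address(addr))


def ip_str(value: int) -> str:
    return str(IPv4Address(value))


@dataclass(frozen=True)
class AclEntry:
    """One 'permit ip <src> <src-wild> <dst> <dst-wild>' entry.

    Wildcard (inverse) mask: a 1 bit means "don't care". The keyword
    'any' is expressed as 0.0.0.0 with wildcard 255.255.255.255.
    """
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    def matches(self, src: str, dst: str) -> bool:
        def covers(base: str, wild: str, addr: str) -> bool:
            # Bits where the wildcard is 0 must be identical.
            return ((ip_int(addr) ^ ip_int(base)) & ~ip_int(wild)) == 0
        return covers(self.src, self.src_wild, src) and covers(self.dst, self.dst_wild, dst)


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 100 from the page: source 'any', seven destination ranges.
ACL_100 = tuple(
    AclEntry(*ANY, dst, wild)
    for dst, wild in [
        ("192.168.1.16", "0.0.0.15"),
        ("192.168.2.0", "0.0.0.255"),
        ("192.168.3.192", "0.0.0.63"),
        ("192.168.4.0", "0.0.0.255"),
        ("192.168.3.160", "0.0.0.31"),
        ("192.168.3.0", "0.0.0.127"),
        ("64.129.1.0", "0.0.0.255"),
    ]
)


@dataclass(frozen=True)
class HashPolicy:
    global_masks: tuple[str, str]   # hash-mask <src-mask> <dst-mask>
    acl: tuple[AclEntry, ...]       # ACL named by policy-hash-acl <acl-id>
    acl_masks: tuple[str, str]      # policy-hash-acl ... <src-mask> <dst-mask>

    def masks_for(self, src: str, dst: str) -> tuple[str, str]:
        """Return the (src-mask, dst-mask) pair that applies to this flow."""
        if any(entry.matches(src, dst) for entry in self.acl):
            return self.acl_masks
        return self.global_masks

    def hash_key(self, src: str, dst: str) -> tuple[str, str]:
        """Masked (src, dst) pair: flows with equal keys take the same path."""
        src_mask, dst_mask = self.masks_for(src, dst)
        return ip_str(ip_int(src) & ip_int(src_mask)), ip_str(ip_int(dst) & ip_int(dst_mask))


# fw-group 2 from the page: hash on source only, except for ACL 100 traffic,
# which is hashed on both source and destination.
FW_GROUP_2 = HashPolicy(
    global_masks=("255.255.255.255", "0.0.0.0"),
    acl=ACL_100,
    acl_masks=("255.255.255.255", "255.255.255.255"),
)

if __name__ == "__main__":
    # Constructed flows from one client; 192.168.3.130 falls in the gap
    # between the 192.168.3.x ranges that ACL 100 permits.
    for dst in ("192.168.1.20", "192.168.1.40", "192.168.3.130", "64.129.1.7"):
        print(dst, "->", FW_GROUP_2.hash_key("10.1.1.1", dst))
```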
server port
Configures a port profile for a TCP/UDP port. The port profile globally defines the following attributes for the port.
NOTE: For additional information, see the "Configuring a Port Profile" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.
Table 6.1: Port Profile Attributes
Port type (TCP or UDP): This attribute applies only to ports for which the ServerIron does not already know the type. For example, if a real server uses port 8080 for HTTP (a TCP port), you can globally identify 8080 as a TCP port. The ServerIron assumes that ports for which it does not know the type are UDP ports.
Note: To display a list of the ports for which the ServerIron already knows the type, enter the server port ? command at the global CONFIG level of the CLI.
Keepalive interval and retries: The number of seconds between health checks and the number of times the ServerIron re-attempts a health check to which the server does not respond. You can specify from 2 – 120 seconds for the interval. You can specify from 1 – 5 retries.
Keepalive state: Whether the ServerIron’s health check for the port is enabled or disabled. Recurring Layer 4 and Layer 7 health checks are disabled by default. When you configure a port profile, the software automatically globally enables the health check for the application. You also can explicitly disable or re-enable the keepalive health check at this level.
Note: If you are configuring a port profile for a port that is known to the ServerIron, the keepalive parameters affect Layer 7 health checks. For other ports, the keepalive parameters affect Layer 4 health checks.
Keepalive port: By default, the ServerIron bases the health of an application port on the port itself. You can specify a different application port for the health check. In this case, the ServerIron bases the health of an application port on the health of the other port you specify.
Note: You cannot base the health of a port well-known to the ServerIron on the health of another port, whether the port is well-known or not well-known.
Source of health for alias port: By default, the ServerIron performs independent health checks on an alias port and its master port. You can configure the ServerIron to base the health of an alias port on the state of its master port.
TCP or UDP age: The number of minutes a TCP or UDP session table entry can remain inactive before the ServerIron times out the entry. This parameter is set globally for all TCP or UDP ports, but you can override the global setting for an individual port by changing that port’s profile. You can set the TCP or UDP age from 2 – 60 minutes. The default TCP age is 30 minutes. The default UDP age is five minutes.
Note: Since UDP is a connectionless protocol, the ServerIron does not remove a UDP session from its session table until the session times out. TCP is a connection-based protocol. Thus, for TCP sessions, the ServerIron removes the session as soon as the client or server closes the session.
Session synchronization: In Symmetric SLB configurations, this attribute provides failover for individual sessions on the application port. Normally, existing sessions are not carried over from one ServerIron to another during failover.
Connection logging: You can enable logging for session table entries created for this port.
Slow start: Configures the ServerIron to control the rate of new connections to the application port to allow the server to ramp up.
Smooth factor: If you plan to use server response time as a load-balancing method, you can adjust the amount of preference the ServerIron gives the most recent response time compared to the previous response time.
Server cluster support: Configures the ServerIron to stop sending requests to a server when the requested application is down on the server. This feature is useful for server cluster applications such as NFS.
EXAMPLE:
To add port 8080 and specify that it is a TCP port, enter the following commands:
ServerIron(config)# server port 8080
ServerIron(config-port-8080)# tcp
Syntax: server port <tcp/udp-portnum>
Syntax: tcp | udp [keepalive [<interval> <retries>]]
Syntax: tcp | udp [keepalive [disable | enable]]
Possible values: see above
Default values: interval 5, retries 2
If you do not specify the port type (TCP or UDP), the ServerIron assumes that the port type is UDP.
EXAMPLE:
To override the default TCP age and set the age for TCP port 80 to 15 minutes, enter the following commands:
ServerIron(config)# server port 80
ServerIron(config-port-80)# tcp 15
Syntax: server port <tcp/udp-portnum>
Syntax: tcp | udp <2-60>
Possible values: 2 – 60 minutes
Default values: 30 minutes for TCP; 5 minutes for UDP
EXAMPLE:
To change the HTTP (TCP port 80) keepalive interval to 15 seconds and the retries to 5, enter the following commands:
ServerIron(config)# server port 80
ServerIron(config-port-80)# tcp keepalive 15 5
Syntax: server port <tcp/udp-portnum>
Syntax: tcp | udp keepalive <interval> <retries>
Possible values: You can specify from 2 – 120 seconds for the interval. You can specify from 1 – 5 retries.
Default values: interval 5; retries 2
EXAMPLE:
To enable session synchronization for port 80, enter the following commands:
ServerIron(config)# server port 80
ServerIron(config-port-80)# session-sync
Syntax: [no] server port <tcp/udp-portnum>
Syntax: [no] session-sync
In Symmetric SLB configurations, if the active ServerIron becomes unavailable, service for the VIPs that ServerIron was load balancing is assumed by the backup ServerIron. By default, open sessions on the ServerIron that becomes unavailable are not carried over to the standby ServerIron. Instead, the sessions end and must be re-established by the clients or servers.
You can configure session failover on an individual TCP or UDP port basis by enabling session synchronization in the port’s profile.
EXAMPLE:
You can configure the ServerIron to base the health of a port that is not well-known to the ServerIron on the health of one of the following ports that are well-known to the ServerIron:
• DNS – the well-known name for port 53
• FTP – the well-known name for port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name “FTP” corresponds to port 21.)
• HTTP – the well-known name for port 80
• IMAP4 – the well-known name for port 143
• LDAP – the well-known name for port 389
• POP3 – the well-known name for port 110
• NNTP – the well-known name for port 119
• SMTP – the well-known name for port 25
• TELNET – the well-known name for port 23
To base a port’s health on the health of another port, enter a command such as the following:
ServerIron(config-port-1234)# tcp keepalive port 80
Syntax: tcp | udp keepalive port <TCP/UDP-portnum>
The command in this example configures the ServerIron to base the health of port 1234 on the health of port 80 (HTTP). If the health of port 80 changes, the ServerIron applies the change to port 1234.
NOTE: You cannot base the health of a port well-known to the ServerIron on the health of another port, whether the port is well-known or not well-known.
EXAMPLE:
To configure an unknown TCP port to use the Layer 7 health check for a well-known TCP application, enter commands such as the following:
ServerIron(config)# server port 999
ServerIron(config-port-999)# tcp keepalive protocol smtp
These commands configure port profile parameters for port 999. The second command in the example makes the port a TCP port and assigns the SMTP Layer 7 health check to the port.
Syntax: [no] server port <TCP-portnum>
Syntax: [no] tcp keepalive protocol <TCP-port>
The protocol <TCP-port> parameter specifies the type of Layer 7 health you want to use for the port. You can specify one of the following:
• ftp or 21
• imap4 or 143
• ldap or 389
• pop3 or 110
• smtp or 25
• telnet or 23
EXAMPLE:
To configure an unknown UDP port to use a DNS Layer 7 health check, enter commands such as the following:
ServerIron(config)# server port 999
ServerIron(config-port-999)# udp keepalive protocol dns
Syntax: server port <UDP-portnum>
Syntax: udp keepalive protocol <UDP-portnum>
The protocol <UDP-port> parameter specifies the type of Layer 7 health you want to use for the port. You can specify dns or 53.
EXAMPLE:
You can globally disable a Layer 4 port on the ServerIron. The port can be disabled for all real servers, all virtual servers or all real and virtual servers. After you disable a port globally, you can enable the port on individual real or virtual servers as necessary. By default, all real and virtual ports are enabled.
When the ServerIron is booted, if the command to globally disable a real or virtual port exists in the startup-config file, the specified port is disabled at startup. When a real or virtual port is created, and the port has been disabled globally, the real or virtual port is disabled as well. You must enable the port explicitly.
To disable all real HTTP ports:
ServerIron(config)# server port 80
ServerIron(config-port-http)# disable real
To disable all virtual HTTP ports:
ServerIron(config)# server port 80
ServerIron(config-port-http)# disable virtual
To disable all real and virtual HTTP ports:
ServerIron(config)# server port 80
ServerIron(config-port-http)# disable
Syntax: disable [real | virtual]
EXAMPLE:
To configure an alias port’s health to be based on its master port’s health, edit the alias port’s profile by entering commands such as the following:
ServerIron(config)# server port 8080
ServerIron(config-port-8080)# tcp keepalive use-master-state
Syntax: [no] tcp keepalive use-master-state
NOTE: You can base an alias port’s health on the health of a TCP port that is well-known to the ServerIron. You cannot base an alias port’s health on the health of a UDP port or a port that is not well-known to the ServerIron.
NOTE: The health checks for the alias ports must be enabled. Otherwise, the ServerIron will not check the master port’s state, and the alias port will not go down when the master port goes down.
EXAMPLE:
NOTE: This section applies only to the ServerIron 400 and ServerIron 800.
To configure the ServerIron to stop sending requests to a real server for an application that is down on the server, enter the following command at the configuration level for the port’s profile:
ServerIron(config-port-80)# reset-port-on-reset
Syntax: [no] reset-port-on-reset
By default, if an application on a real server becomes unavailable but the real server itself is still up, the ServerIron continues to include the real server in its load balancing decisions for the application. For example, if the HTTP application on a real server stops responding to Layer 4 health checks but the real server continues to respond to Layer 3 health checks (IP pings) from the ServerIron, the ServerIron continues to forward HTTP requests to the real server.
In some configurations, such as those that use a cluster of servers for an application, you might want to configure the ServerIron to stop sending requests to a server when the requested application is down on the server. For example, this feature is useful in an NFS configuration.
When you enable this feature, the ServerIron does one of the following in addition to redirecting future requests away from the real server:
• UDP – For an unavailable UDP application, the ServerIron terminates the connection.
• TCP – For an unavailable TCP application, the ServerIron resets the connection.
Possible values: See above
Default values: See above
server predictor
This command is used to select the load-balancing method. By default, the least connections method is enabled.
EXAMPLE:
To change the server load-balancing method from the default value of least connections to the round-robin method, enter the following:
ServerIron(config)# server predictor round-robin
Syntax: [no] server predictor least-conn | response-time | round-robin | weighted
Possible values: See above
Default value: least-conn
NOTE: When you assign the weighted percentage metric, you must configure both the virtual and real servers involved. Each real server is assigned a weight from 0 – 64000.
server real-name
This command assigns a name and IP address to the real server. The server name is used to bind the server IP address, so that the real server name can be used to represent the server. The server name can be any alphanumeric string of up to 32 characters.
This command is used in conjunction with the server load balancing feature on the ServerIron switch.
NOTE: Use this command only if the server is attached to the ServerIron at Layer 2. If the server is attached through one or more router hops, use the server remote-name command instead. See “server remote-name” on page 6-79.
EXAMPLE:
ServerIron(config)# server real-name Wolalak_Wuwanich 192.168.1.159
Syntax: server real-name <text> <ip-addr>
Possible values: a string up to 32 alphanumeric characters long
Default value: N/A
server reassign-threshold
This command modifies the number of contiguous unacknowledged TCP SYN ACKs the ServerIron allows to accumulate for a real server before determining that the server is down and marking it FAILED.
If the server responds to a TCP SYN, the counter returns to zero.
EXAMPLE:
ServerIron(config)# server reassign-threshold 215
Syntax: server reassign-threshold <6-254>
Possible values: 6 – 254
Default value: 20
server remote-name
This command assigns a name and IP address to a remote real server. When you add a real server using the server remote-name command instead of the server real-name command, the ServerIron does not include the server in the predictor (load-balancing method). Instead, the ServerIron sends traffic to the remote server only if all local real servers (added using the server real-name command) are unavailable.
The server name is used to bind the server IP address, so that the real server name can be used to represent the server. The server name can be any alphanumeric string of up to 32 characters.
This command is used in conjunction with the Server Load Balancing feature on the ServerIron switch.
NOTE: Use this command only if the server is attached through one or more router hops. If the server is attached to the ServerIron at Layer 2, use the server real-name command instead. See “server real-name” on page 6-78.
EXAMPLE:
ServerIron(config)# server remote-name webfailover 209.157.22.37
Syntax: server remote-name <text> <ip-addr>
Possible values: N/A
Default value: N/A
server response-time
Globally configures response-time warning and shutdown thresholds for all real servers.
You can specify a warning threshold and a shutdown threshold:
• Warning – If an application’s average response time is longer than the number of milliseconds of the warning threshold, the software generates a Syslog message and an SNMP trap.
• Shutdown – If an application’s average response time is longer than the number of milliseconds of the shutdown threshold, the software generates a Syslog message and an SNMP trap and also shuts down the application port on the real server. Other application ports on the real server are not affected.
By default, a real server does not have a warning threshold or a shutdown threshold. For each threshold, you can specify a threshold value from 0 (disabled) – 65535 milliseconds (65 seconds).
You can configure one or both thresholds globally or on an individual real server basis. The thresholds configured on an individual real server override the globally configured thresholds. After bringing down the application port, the ServerIron periodically attempts to reach the port and brings the port back up once the port responds. For information, see the "Application Port States" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.
NOTE: This feature requires the Layer 4 and Layer 7 health checks to be enabled. If the health checks are not enabled, the ServerIron does not apply the response-time thresholds you configure.
NOTE: This feature applies only to TCP ports.
EXAMPLE:
ServerIron(config)# server response-time 200 300
The command in this example configures the ServerIron to generate a warning message for an application port if its average response time is longer than 200 milliseconds. The command also configures the ServerIron to shut down a port if its average response time is longer than 300 milliseconds.
Syntax: [no] server response-time <warning-threshold> [<shutdown-threshold>]
The <warning-threshold> parameter specifies the average number of milliseconds within which an application port must respond to avoid a warning message. You can specify from 0 – 65535 milliseconds (65 seconds). There is no default. If you specify 0, the warning threshold is disabled.
The <shutdown-threshold> parameter specifies the average number of milliseconds within which an application port must respond to avoid being shut down. You can specify from 0 – 65535 milliseconds (65 seconds). There is no default. If you specify 0, the shutdown threshold is disabled.
If you want the ServerIron to generate a warning message but you do not want the ServerIron to shut down an application port, configure the warning threshold but not the shutdown threshold. Here is an example:
ServerIron(config)# server response-time 100
To set the shutdown threshold without also setting a warning threshold, enter 0 for the warning threshold, as shown in the following example:
ServerIron(config)# server response-time 0 300
Possible values: 0 – 65535 milliseconds (65 seconds)
Default value: not configured
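The threshold rules above, as an added model in Python (not Foundry code): the two command forms are parsed with 0 meaning disabled, per-real-server thresholds override the global ones, and a port's average response time yields a warning, a shutdown of that port only, or nothing when the port is UDP or the Layer 4/Layer 7 health checks are off. The Syslog message and SNMP trap are reduced to a returned action string; the sample values are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MAX_MS = 65535          # upper bound of both thresholds (65 seconds)
DISABLED = 0            # a threshold of 0 disables that threshold


@dataclass(frozen=True)
class ResponseThresholds:
    warning_ms: int = DISABLED
    shutdown_ms: int = DISABLED


def parse_response_time(command: str) -> ResponseThresholds:
    """Parse 'server response-time <warning-threshold> [<shutdown-threshold>]'.

    One value sets only the warning threshold; '0 <n>' sets only the
    shutdown threshold. Values outside 0-65535 are rejected.
    """
    parts = command.split()
    if parts[:2] != ["server", "response-time"] or len(parts) not in (3, 4):
        raise ValueError(f"unexpected form: {command!r}")
    values = [int(p) for p in parts[2:]]
    for v in values:
        if not 0 <= v <= MAX_MS:
            raise ValueError(f"threshold {v} outside 0-{MAX_MS}")
    warning = values[0]
    shutdown = values[1] if len(values) == 2 else DISABLED
    return ResponseThresholds(warning, shutdown)


def effective_thresholds(global_cfg: ResponseThresholds,
                         server_cfg: Optional[ResponseThresholds]) -> ResponseThresholds:
    """Thresholds set on an individual real server override the global ones."""
    return server_cfg if server_cfg is not None else global_cfg


def evaluate_port(avg_response_ms: int, thresholds: ResponseThresholds, *,
                  is_tcp: bool, l4_l7_checks_enabled: bool) -> str:
    """Return 'shutdown', 'warning' or 'ok' for one application port.

    The feature applies only to TCP ports and only while the Layer 4 and
    Layer 7 health checks are enabled. A 'shutdown' verdict concerns this
    port alone; other ports on the same real server are not affected.
    """
    if not is_tcp or not l4_l7_checks_enabled:
        return "ok"
    if thresholds.shutdown_ms != DISABLED and avg_response_ms > thresholds.shutdown_ms:
        return "shutdown"          # Syslog message + SNMP trap, port brought down
    if thresholds.warning_ms != DISABLED and avg_response_ms > thresholds.warning_ms:
        return "warning"           # Syslog message + SNMP trap only
    return "ok"


if __name__ == "__main__":
    cfg = parse_response_time("server response-time 200 300")
    for avg in (150, 250, 350):   # constructed average response times
        print(avg, "ms ->", evaluate_port(avg, cfg, is_tcp=True, l4_l7_checks_enabled=True))
```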
server reverse-nat
This command enables Reverse NAT. Reverse NAT allows the ServerIron to change the source IP address of some traffic initiated by a real server. Specifically, the feature causes the ServerIron to change the source IP address for traffic that the real server initiates on TCP or UDP ports that are bound to a VIP.
By default, the ServerIron does not perform address translation for any traffic initiated by the real server. However, if you enable Reverse NAT, the ServerIron does perform address translation for connections that the server initiates on ports that are bound to a VIP on the ServerIron.
Reverse NAT works with any port number you use for binding the real server to the VIP. However, TCP and UDP traffic initiated by a real server usually uses a port that is chosen by the server when the traffic is sent. As a result, it is not easy to predict the port numbers the real server will use. You can ensure that the ServerIron translates the source address of the traffic by binding the real server to a VIP using the “default” port. For example, if you configure VIP1 and bind it to real server RS1 using the default port, the ServerIron translates the source IP address in all TCP and UDP traffic initiated by RS1 from the real server’s IP address into the VIP address.
Even when Reverse NAT is enabled, the ServerIron does not translate the source address for traffic that the real server initiates over ports that are not bound to a VIP.
If you bind a real server to more than one VIP, the ServerIron will use the address of the VIP that is bound to the server using the default port. For example, if you bind a real server to VIP1 using TCP port 80 and bind the same server to VIP2 using the default port, the ServerIron always uses VIP2 for Reverse NAT.
NOTE: Reverse NAT does not affect reply traffic from the server. The feature applies only to traffic initiated by the server. In addition, the feature applies only to traffic on the TCP and UDP ports that are used to bind the real server to a VIP configured on the ServerIron. If the real server and VIP are bound using the default port, Reverse NAT applies to all TCP and UDP traffic initiated by the server.
Reverse NAT is disabled by default. If you need to enable reverse NAT, use one of the following methods.
EXAMPLE:
ServerIron(config)# server real-name RS1 10.10.10.1
ServerIron(config-rs-RS1)# port http
ServerIron(config-rs-RS1)# exit
ServerIron(config)# server virtual-name VIP1 192.168.1.10
ServerIron(config-vs-VIP1)# bind http RS1 http
ServerIron(config-vs-VIP1)# exit
ServerIron(config)# server virtual-name VIP2 192.168.1.69
ServerIron(config-vs-VIP2)# bind default RS1 default
ServerIron(config-vs-VIP2)# exit
ServerIron(config)# server reverse-nat
The commands in this example create real server RS1 and VIPs VIP1 and VIP2. VIP1 is bound to RS1 using TCP port 80 (HTTP). VIP2 is bound to RS1 using the default port. When RS1 initiates TCP or UDP traffic, the ServerIron translates the source IP address from 10.10.10.1 to 192.168.1.69. The ServerIron uses VIP2’s IP address instead of VIP1’s IP address for Reverse NAT because VIP2 is bound using the default port.
6 - 80 February 2002
Global CONFIG Commands
Syntax: [no] server reverse-nat
Possible values: N/A
Default value: disabled
server router-ports
This command is used to identify ports on a ServerIron switch that are connected to a router. Use this command when multiple ports on the switch are attached to routers.
This command is used in conjunction with the SLB feature on the ServerIron switch.
NOTE: The command is not supported on Foundry Layer 3 Switches.
EXAMPLE:
ServerIron(config)# server router-ports 8
Syntax: server router-ports <1-26>
Possible values: N/A
Default value: N/A
server session-id-age
This command is used in conjunction with the SSL session ID switching feature on the ServerIron. By default, the ServerIron keeps the entry associating an SSL session ID with a real server in its database for 30 minutes. After 30 minutes, the entry ages out of the database. Use this command to change the length of time the ServerIron keeps the entry in the database.
EXAMPLE:
To change the aging period to 10 minutes:
ServerIron(config)# server session-id-age 10
Syntax: server session-id-age <minutes>
Possible values: 2 – 60 minutes
Default value: 30 minutes
server session-limit
This command is used to limit the maximum number of active sessions allowed on a ServerIron. An active session is a session entry in the ServerIron’s session table. Thus, a UDP or TCP session that has become idle but has not yet timed out (according to the UDP or TCP age timer) is an “active” session in this table.
NOTE: This command applies only to SLB and is not supported on Foundry Layer 3 Switches.
EXAMPLE:
ServerIron(config)# server session-limit 550000
Syntax: server session-limit <value>
Possible values: The <value> for ServerIron 400 and ServerIron 800 systems can be from 32,768 – 2,000,000. On 32M ServerIron systems, the <value> can be from 32,768 – 1,000,000. On 8M ServerIron systems, the <value> can be from 32,768 – 160,000.
Default value: for 32MB systems: 524,288; for 8MB systems: 131,072.
server slb-fw
Enables SLB-to-FWLB. For information, see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIronB(config)# server slb-fw
February 2002 6 - 81
Foundry ServerIron Command Line Interface Reference
Syntax: [no] server slb-fw
Possible values: N/A
Default value: Disabled
server source-ip
Adds an IP address to the ServerIron for use by the real servers as their default gateway address. Source IP addresses, when used with the source NAT feature, enable you to place the ServerIron in a multinetted environment.
You can configure up to 64 source IP addresses on a ServerIronXL running software release 07.3.00 or later. You can configure up to 40 source IP addresses on other models running 07.1.x or 07.2.x software.
NOTE: If you are configuring a pair of ServerIrons for hot-standby (active-standby) and you want to use the same source IP address as the real servers’ default gateway on each ServerIron, use the server source-standby-ip command instead. See “server source-standby-ip”.
EXAMPLE:
ServerIron(config)# server source-ip 209.157.22.28 255.255.255.0 209.157.22.1
Syntax: [no] server source-ip <ip-addr> <ip-mask> <default-gateway>
NOTE: The gateway parameter is required. If you do not want to specify a gateway, enter "0.0.0.0".
Possible values: See above
Default value: N/A
server source-nat
Enables the ServerIron to change the source IP address for traffic the ServerIron forwards to a real server. When source NAT is enabled, the ServerIron translates the source IP address from the client’s into a source IP address you have configured.
Source NAT is disabled by default.
NOTE: If you are configuring a pair of ServerIrons for hot-standby (active-standby) and you want to use the same source IP address on each ServerIron, use the server source-nat-ip command instead. See “server source-nat-ip”.
EXAMPLE:
ServerIron(config)# server source-nat
Syntax: [no] server source-nat
Possible values: N/A
Default value: Disabled
server source-nat-ip
In a hot-standby (active-standby) SLB configuration, configures a shared source IP address for NAT. Enter the same command with the same source IP address on each of the ServerIrons. The address is active only on one ServerIron (the ServerIron that is currently active) at a time.
NOTE: This command applies only to hot-standby (active-standby) configurations.
NOTE: If you are configuring a shared source IP address for use by the real servers as their default gateway, use the server source-standby-ip command instead. See “server source-standby-ip”.
EXAMPLE:
Enter the following command on each ServerIron in the active-standby pair.
ServerIron(config)# server source-nat-ip 10.10.10.5 255.255.255.0 0.0.0.0
Syntax: [no] server source-nat-ip <ip-addr> <ip-mask> <default-gateway>
NOTE: The gateway parameter is required. If you do not want to specify a gateway, enter "0.0.0.0".
Possible values: See above
Default value: Disabled
server source-standby-ip
In a hot-standby (active-standby) SLB configuration, configures a shared source IP address for use by the real servers as their default gateway. Enter the same command with the same source IP address on each of the ServerIrons. The address is active only on one ServerIron (the ServerIron that is currently active) at a time.
NOTE: This command applies only to hot-standby (active-standby) configurations.
NOTE: If you are configuring a shared source IP address for NAT, use the server source-nat-ip command instead. See “server source-nat-ip”.
EXAMPLE:
Enter the following command on each ServerIron in the active-standby pair.
ServerIron(config)# server source-standby-ip 10.10.10.5 255.255.255.0 0.0.0.0
Syntax: [no] server source-standby-ip <ip-addr> <ip-mask> <default-gateway>
NOTE: The gateway parameter is required. If you do not want to specify a gateway, enter "0.0.0.0".
Possible values: See above
Default value: Disabled
server sticky-age
This command is used in conjunction with SLB on the ServerIron switch. It allows you to modify the aging-out parameter for inactive sticky server connections.
Sticky connections are defined on the virtual server port of a ServerIron for those instances when sequential TCP/UDP port connections must be serviced by the same server.
EXAMPLE:
To set a sticky age of 25 minutes, enter the following:
ServerIron(config)# server sticky-age 25
Syntax: server sticky-age <minutes>
Possible values: 2 – 60 minutes
Default value: 5 minutes
server sym-pdu-rate
Changes the interval and wait time for SSLB discovery packets.
A ServerIron in an SSLB configuration uses SSLB discovery packets to request SSLB information from the other ServerIrons. SSLB discovery packets are proprietary Layer 2 broadcast packets and are sent on all ports in all port-based VLANs.
By default, a ServerIron in an SSLB configuration sends SSLB discovery packets at 200-millisecond intervals. The ServerIron will wait up to 20 equivalent intervals to receive an SSLB discovery packet from another ServerIron. If the ServerIron does not receive an SSLB discovery packet from the other ServerIron within the 20 intervals, the ServerIron concludes that its partner ServerIron is unavailable and assumes control of the VIPs being managed by that ServerIron. For example, if the interval for sending SSLB discovery packets is 200 milliseconds (the default), the ServerIron will wait 20 x 200 milliseconds (four seconds) to receive an SSLB discovery packet from another ServerIron.
You can change the discovery interval multiplier and the wait time multiplier.
• The discovery interval is equal to 200 milliseconds multiplied by the discovery interval multiplier. The default discovery interval multiplier is 1, so the default discovery interval is 200 milliseconds. You can specify a multiplier from 1 – 60.
• The wait time interval is equal to the discovery interval multiplied by the wait time multiplier. The default wait time multiplier is 20. Assuming the discovery interval is 200 milliseconds (the default), the default wait time is four seconds (20 x 200 milliseconds).
NOTE: The SSLB timer affects the rate at which the ServerIron sends SSLB protocol packets to its SSLB partners. The timer does not affect client or server traffic to or from a VIP.
NOTE: All the ServerIrons in your configuration must use the same SSLB discovery interval and wait time. If you change the interval and wait time on one ServerIron, make the same change on all the other ServerIrons in the SSLB configuration.
EXAMPLE:
To change the SSLB discovery interval multiplier and wait time multiplier, enter a command such as the following:
ServerIron(config)# server sym-pdu-rate 2 30
This command changes the interval at which the ServerIron sends SSLB discovery packets to once every 400 milliseconds, and changes the maximum amount of time the ServerIron will wait for an SSLB discovery packet from another ServerIron to 12 seconds (30 x 400 milliseconds).
Syntax: [no] server sym-pdu-rate <disc-mult> <wait-time-mult>
Possible values: <disc-mult> 1 – 60; <wait-time-mult> 1 – 60
Default value: <disc-mult> 1; <wait-time-mult> 20
server syn-def
Protects against TCP SYN attacks by setting a threshold for the amount of time it takes for a connecting host to send back an ACK packet. If this threshold is exceeded, the ServerIron removes the entry for the connection from its session table, and a TCP RESET packet is sent to the destination real server, causing it to remove the entry from its session table as well.
EXAMPLE:
To configure the ServerIron to remove an entry from its session table if the connection remains incomplete for 6 or more seconds:
ServerIron(config)# server syn-def 6
Syntax: server syn-def <threshold>
Possible values: The threshold parameter can be between 0 – 16 seconds. A threshold of 0 disables this feature. Foundry recommends a threshold above 5 seconds.
Default value: 8 seconds
server syn-limit
This command is used to limit the maximum number of TCP SYN requests on a per-second basis per server.
NOTE: This command applies only to SLB and is not supported on Foundry Layer 3 Switches.
EXAMPLE:
ServerIron(config)# server syn-limit 2000
Syntax: server syn-limit <value>
Possible values: 1 – 65535
Default value: 65535
server tcp-age
This command allows you to modify the aging-out parameter for inactive TCP server connections.
If you change the TCP age, the change affects only new TCP sessions that start after you make the change. The maximum age for sessions that are already in the session table does not change.
EXAMPLE:
To modify the server TCP age to 20 minutes from the default value of 30 minutes, enter the following command:
ServerIron(config)# server tcp-age 20
Syntax: server tcp-age <value>
Possible values: 2 – 60 minutes
Default value: 30 minutes
server transparent-vip
Enables the transparent VIP feature.
NOTE: After you enable the ServerIron for transparent VIP, you still must enable individual VIPs for the feature. See “transparent-vip” on page 11-9.
EXAMPLE:
ServerIron(config)# server transparent-vip
ServerIron(config)# ip policy 1 cache tcp 80 local
ServerIron(config)# interface ethernet 1
ServerIron(config-if-1)# ip-policy 1
These commands enable transparent VIP globally for TCP port 80 (HTTP), then configure a cache redirection policy and apply it locally to the ServerIron port(s) connected to the clients. The cache redirection policy identifies the application port(s) on the VIP that you want to load balance.
Syntax: [no] server transparent-vip
Possible values: N/A
Default value: Disabled
server udp-age
This command allows you to modify the aging-out parameter for inactive UDP server connections. Possible values are between 2 and 60 minutes with a default value of 5 minutes.
EXAMPLE:
To modify the server UDP age to 20 minutes from the default value of 5 minutes, enter the following command:
ServerIron(config)# server udp-age 20
Syntax: server udp-age <value>
Possible values: 2 – 60 minutes
Default value: 5 minutes
server use-simple-ssl-health-check
Configures the ServerIronXL to use the SSL health check method from software releases earlier than 07.1.18.
By default, the ServerIronXL uses the following method for SSL health checks.
The ServerIron initiates an SSL connection with the server on TCP port 443, a secure link is negotiated, and encrypted data is transferred across it. After the SSL connection is established, the ServerIron sends the SSL server an HTTP GET or HEAD request for the URL of a page on the server. By default, the ServerIron sends a HEAD request for the default page, “1.0”, although this can be changed with the port ssl url command.
• If the server responds with an acceptable status code, the ServerIron resets the connection and marks the port ACTIVE.
• If the server does not respond, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for SSL service.
All other ServerIron models use the following health check method.
The ServerIron sends an SSL client hello with the SSL SID set to 0:
• If the server responds, then the ServerIron resets the connection and marks the port ACTIVE.
• If the server does not respond, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for SSL service.
The server use-simple-ssl-health-check command configures the ServerIronXL to also use this method.
EXAMPLE:
ServerIron(config)# server use-simple-ssl-health-check
Syntax: [no] server use-simple-ssl-health-check
Possible values: N/A
Default value: Disabled
server virtual-name
This command is used to define the virtual server name and IP address. The virtual server name can be any alphanumeric text string of up to 32 characters.
This command is used in conjunction with the server load balancing (SLB) feature on the ServerIron switch.
EXAMPLE:
ServerIron(config)# server virtual-name noi 192.168.1.10
Syntax: server virtual-name <text> [<ip-addr>]
Possible values: a string up to 32 alphanumeric characters long
Default value: N/A
server vpn-lb
Configures the ServerIron to provide FWLB for a VPN firewall such as the Check Point VPN-1 Gateway/FireWall-1. Use this command to enable VPN load balancing on the ServerIron that is on the Internet side of the firewalls.
NOTE: This command’s optional parameters apply only to site-to-site VPN, not to SecureRemote-to-site VPN. From the ServerIron’s perspective, the difference between these two types of VPN is as follows:
• Site-to-site VPN – All Internet Security Association and Key Management Protocol (ISAKMP) packets are addressed to the Cluster IP address. ISAKMP is used by Check Point firewalls and is described in RFC 2408.
• SecureRemote-to-site VPN – Only the first ISAKMP packet is addressed to the Cluster IP address. Subsequent ISAKMP packets are addressed to an individual firewall.
EXAMPLE:
ServerIron(config)# server vpn-lb
Syntax: [no] server vpn-lb [tunnel-mode [load-balance round-robin | source-ip | spi]]
The tunnel-mode parameter enables site-to-site VPN load balancing.
The load-balance round-robin | source-ip | spi parameter specifies the load balancing method.
• round-robin – Encrypted VPN traffic is load balanced in round robin fashion, regardless of source or destination IP address. You can use this method if the firewalls are synchronized.
NOTE: When this load balancing method is used, the ServerIron does not maintain sessions for the traffic. A session would associate a given pair of source and destination IP addresses with a specific firewall, but the round robin method does not associate the traffic’s addresses with a specific firewall.
• source-ip – Encrypted VPN traffic to the firewalls is load balanced based on the source IP address of the traffic. Once the software selects a firewall for the first packet from a given IP address, all subsequent packets from the same address go to the same firewall. This is the default.
NOTE: In a site-to-site VPN load balancing configuration, this load balancing method can result in all the VPN traffic going to the same firewall, since all the traffic from a given site has the same source IP address.
• spi – Encrypted VPN traffic to the firewalls is load balanced based on the Security Parameter Index (SPI) of the traffic. The SPI is a unique value associated with the tunnel between each pair of source and destination sites or hosts. You can configure the Check Point firewalls to establish multiple tunnels to exchange traffic. If you configure the firewalls this way, the spi option enables the ServerIron to load balance the tunnels across multiple firewalls even though the tunnels appear to be originated by the same source IP address.
Possible values: See above
Default value: Disabled
server vpn-lb-inside
Configures the ServerIron to provide FWLB for a VPN firewall such as the Check Point VPN-1 Gateway/FireWall-1. Use this command to enable VPN load balancing on the ServerIron that is on the private side of the firewalls.
EXAMPLE:
ServerIron(config)# server vpn-lb-inside
Syntax: [no] server vpn-lb-inside
Possible values: N/A
Default value: Disabled
service password-encryption
This command enables password encryption. When encryption is enabled, users cannot learn the device’s passwords by viewing the configuration file. Password encryption is enabled by default.
NOTE: Password encryption does not encrypt the password in Telnet packets sent to the device. This feature applies only to the configuration file.
EXAMPLE:
ServerIron(config)# no service password-encryption
Syntax: [no] service password-encryption
Possible values: N/A
Default value: Enabled
show …
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
snmp-client
Restricts SNMP management access to the Foundry device to the host whose IP address you specify. No other device except the one with the specified IP address can access the Foundry device through IronView or any other SNMP application.
If you want to restrict access from Telnet or the Web, use one or two of the following commands:
• telnet client – restricts Telnet access. See “telnet client” on page 6-95.
• web client – restricts Web access. See “web client” on page 6-100.
If you want to restrict all management access, you can use the commands above and the snmp-client command or you can use the following command: all-client. See “all-client” on page 6-7.
EXAMPLE:
To restrict SNMP access (which includes IronView) to the Foundry device to the host with IP address 209.157.22.26, enter the following command:
ServerIron(config)# snmp-client 209.157.22.26
Syntax: [no] snmp-client <ip-addr>
Possible values: a valid IP address. You can enter one IP address with the command. You can use the command up to ten times for up to ten IP addresses.
Default value: N/A
snmp-server community
Assigns an SNMP community string to the system. The command records in the configuration file a user-specified community string and an access type of either:
• read-only (public)
• read-write (private)
EXAMPLE:
ServerIron(config)# snmp-server community planet1 ro
Syntax: snmp-server community <string> ro | rw
Possible values: Up to 32 alphanumeric characters for the community string.
Default value: The default read-only community string is “public”. There is no default read-write community string.
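An added example, not Foundry code, that audits ServerIron-style configuration text for the weak settings documented under service password-encryption, snmp-client, snmp-server community and snmp-server pw-check. The sample configurations, the finding codes and the line parsing are assumptions made here; the defaults it relies on (read-only community “public”, password encryption and pw-check enabled) are the ones this reference states.

```python
# Added example (not Foundry code): audit configuration text for the SNMP and
# management-access settings documented on this page. Finding codes are my own
# labels; the defaults assumed (community "public", password encryption on,
# SNMP pw-check on) are the ones the reference states.

DEFAULT_RO_COMMUNITY = "public"


def audit_management_config(config_text):
    """Return a list of (code, detail) findings for the given configuration text.

    Checks performed:
      NO_COMMUNITY             no community configured, so the default "public" applies
      RW_COMMUNITY             a read-write community is configured (SNMP set access)
      DEFAULT_COMMUNITY        a community string equals the factory default "public"
      SNMP_UNRESTRICTED        no snmp-client, all-client or snmp-server enable vlan limit
      PASSWORD_ENCRYPTION_OFF  "no service password-encryption" present
      PW_CHECK_OFF             "no snmp-server pw-check" present
    """
    communities = []            # (string, access) pairs from snmp-server community
    restricted = False          # True once a management-access restriction is seen
    password_encryption = True  # enabled by default (per the page)
    pw_check = True             # enabled by default (per the page)

    for raw in config_text.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[:2] == ["snmp-server", "community"] and len(tok) >= 4:
            communities.append((tok[2], tok[3].lower()))
        elif tok[0] in ("snmp-client", "all-client") and len(tok) == 2:
            restricted = True
        elif tok[:3] == ["snmp-server", "enable", "vlan"] and len(tok) == 4:
            restricted = True
        elif tok == ["no", "service", "password-encryption"]:
            password_encryption = False
        elif tok == ["no", "snmp-server", "pw-check"]:
            pw_check = False

    findings = []
    if not communities:
        findings.append(("NO_COMMUNITY",
                         f'no community configured; the default read-only string '
                         f'"{DEFAULT_RO_COMMUNITY}" is in effect'))
    for string, access in communities:
        if access == "rw":
            findings.append(("RW_COMMUNITY",
                             f'read-write community "{string}" allows SNMP set requests'))
        if string == DEFAULT_RO_COMMUNITY:
            findings.append(("DEFAULT_COMMUNITY",
                             f'community "{string}" is the factory default string'))
    if not restricted:
        findings.append(("SNMP_UNRESTRICTED",
                         "SNMP reachable from any host: no snmp-client, all-client "
                         "or snmp-server enable vlan configured"))
    if not password_encryption:
        findings.append(("PASSWORD_ENCRYPTION_OFF",
                         "passwords are stored in cleartext in the configuration file"))
    if not pw_check:
        findings.append(("PW_CHECK_OFF",
                         "SNMP set requests are accepted without a password"))
    return findings


# Constructed sample configurations (not taken from the page)
WEAK_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server contact Noi Lampa
no service password-encryption
no snmp-server pw-check
"""

HARDENED_CONFIG = """\
snmp-server community planet1 ro
snmp-client 209.157.22.26
snmp-server enable vlan 40
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_management_config(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for code, detail in findings:
            print(f"  {code}: {detail}")
```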
snmp-server contact
Identifies a system contact. You can designate a contact name for the ServerIron and save it in the configuration file for later reference. You can later access contact information using the show snmp server command.
EXAMPLE:
ServerIron(config)# snmp-server contact Noi Lampa
Syntax: snmp-server contact <text>
Possible values: up to 32 alphanumeric characters for the system contact text string.
Default value: N/A
snmp-server enable traps
When preceded with the word ‘no’, this command stops the specified trap from being generated by the system. The following SNMP traps are generated by default: authentication key, cold-start, link-up, link-down, new-root, topology-change, power-supply-failure and locked-address-violation.
EXAMPLE:
To stop reporting incidences of links that are down, enter the following commands:
ServerIron(config)# no snmp-server enable traps link-down
Syntax: [no] snmp-server enable traps <trap>
Possible values: trap type (for example, cold-start, new-root, etc.)
Default value: All of the following SNMP traps are enabled and will be generated by default for a system: authentication key, cold-start, link-up, link-down, new-root, topology-change, power-supply-failure and locked-address-violation
To disable a fan failure trap or power supply trap, use one of the following values: ps1 | ps2 | ps3 | ps4 | fan1 | fan2 | fan3 | fan4.
snmp-server enable vlan
Allows SNMP access only to clients in a specific VLAN.
EXAMPLE:
The following example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
ServerIron(config)# snmp-server enable vlan 40
Syntax: [no] snmp-server enable vlan <vlan-id>
Possible values: N/A
Default value: N/A
snmp-server host
Assigns or removes a station as an SNMP trap receiver. To assign the trap receiver, use the command snmp-server host. To later remove the trap receiver, enter no snmp-server host.
EXAMPLE:
To disable a station as an SNMP trap receiver, enter the following:
ServerIron(config)# no snmp-server host 192.22.3.33 public
Syntax: [no] snmp-server host <ip-addr> <community-string>
Possible values: IP address of trap receiver station, community string
Default value: no system default
snmp-server location
Identifies a system location for the ServerIron. This information is saved in the configuration file for later reference. You can later access system location information using the show snmp server command.
EXAMPLE:
ServerIron(config)# snmp-server location pulchritude_lane
Syntax: snmp-server location <text>
Possible values: up to 32 alphanumeric characters for the location text string
Default value: N/A
snmp-server pw-check
Disables password checking for SNMP set requests. If a third-party SNMP management application does not add a password to the password field when it sends SNMP set requests to a Foundry device, by default the Foundry device rejects the request. You can disable this password checking with the no snmp-server pw-check command.
EXAMPLE:
ServerIron(config)# no snmp-server pw-check
Syntax: [no] snmp-server pw-check
Possible values: N/A
Default value: N/A
snmp-server trap-source
Specifies a port or virtual interface whose first configured IP address the Foundry device must use as the source for all SNMP traps sent by the device.
EXAMPLE:
ServerIron(config)# snmp-server trap-source ethernet 4
Syntax: snmp-server trap-source ethernet <portnum> | ve <num>
Possible values: The ethernet <portnum> parameter specifies a physical port on the device. Alternatively, you can specify a virtual interface using the ve <num> parameter, where <num> is the number of a virtual interface configured on the device.
Default value: N/A
snmp-server view
Configures an SNMP view. You can use an SNMP view as an argument with other commands.
SNMP views are named groups of MIB objects that can be associated with user accounts to allow limited access for viewing and modification of SNMP statistics and system configuration. SNMP views can also be used with other commands that take SNMP views as an argument. SNMP views reference MIB objects using object names, numbers, wildcards, or a combination of the three. The numbers represent the hierarchical location of the object in the MIB tree. You can reference individual objects in the MIB tree or a subset of objects from the MIB tree.
NOTE: The snmp-server view command supports the MIB objects as defined in RFC 1445.
EXAMPLE:
To add an SNMP view, use the following CLI method:
ServerIron(config)# snmp-server view Maynes system included
ServerIron(config)# snmp-server view Maynes system.2 excluded
ServerIron(config)# snmp-server view Maynes 2.3.*.6
ServerIron(config)# write mem
Syntax: [no] snmp-server view <name> <mib_tree> included | excluded
The <name> parameter can be any alphanumeric name you choose to identify the view. The names cannot contain spaces.
The <mib_tree> parameter is the name of the MIB object or family. MIB objects and MIB sub-trees can be identified by name or by the numbers representing the position of the object or sub-tree in the MIB hierarchy. You can use a wildcard (*) in the numbers to specify a sub-tree family.
The included | excluded parameter specifies whether the MIB objects identified by the <mib_tree> parameter are included in the view or excluded from the view.
To delete a view, use the no parameter before the command.
Possible values: See above
Default value: N/A
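The view resolution described above, as an added example that is not the page’s or Foundry’s code: it parses snmp-server view lines and decides whether a given OID is visible through a named view. Assumptions made here: the MIB-2 group name system maps to 1.3.6.1.2.1.1 (the page names no OIDs), overlapping entries are resolved by the longest matching subtree as in SNMP VACM (RFC 3415), and an entry with no included/excluded keyword counts as included.

```python
# Added example (not Foundry code): a model of how an snmp-server view decides
# whether an OID is visible. Assumptions: the MIB-2 "system" name maps to
# 1.3.6.1.2.1.1; when several entries match, the longest (most specific) subtree
# wins, as in SNMP VACM (RFC 3415); a missing included/excluded keyword means
# included. None of these rules are stated on the page.

MIB_NAMES = {
    "system": "1.3.6.1.2.1.1",      # MIB-2 system group (standard OID)
    "interfaces": "1.3.6.1.2.1.2",  # MIB-2 interfaces group (standard OID)
}


def parse_subtree(spec):
    """Turn 'system.2' or '2.3.*.6' into a tuple of ints and '*' wildcards."""
    parts = spec.split(".")
    if parts[0] in MIB_NAMES:
        parts = MIB_NAMES[parts[0]].split(".") + parts[1:]
    out = []
    for part in parts:
        if part == "*":
            out.append("*")
        elif part.isdigit():
            out.append(int(part))
        else:
            raise ValueError(f"unknown sub-identifier {part!r} in {spec!r}")
    return tuple(out)


def parse_view_commands(config_text):
    """Collect 'snmp-server view <name> <mib_tree> [included|excluded]' lines.

    Returns {view_name: [(subtree, included_flag), ...]}; other lines are ignored.
    """
    views = {}
    for raw in config_text.splitlines():
        tok = raw.strip().split()
        if len(tok) < 4 or tok[:2] != ["snmp-server", "view"]:
            continue
        name, subtree = tok[2], parse_subtree(tok[3])
        access = tok[4] if len(tok) > 4 else "included"  # assumption: default included
        if access not in ("included", "excluded"):
            raise ValueError(f"bad access keyword {access!r}")
        views.setdefault(name, []).append((subtree, access == "included"))
    return views


def _subtree_matches(subtree, oid):
    """True if oid lies under subtree; '*' matches any single sub-identifier."""
    if len(oid) < len(subtree):
        return False
    return all(s == "*" or s == o for s, o in zip(subtree, oid))


def oid_in_view(views, view_name, oid_spec):
    """Return True if the OID (name or dotted string) is accessible via view_name."""
    oid = parse_subtree(oid_spec)
    best = None  # (subtree, included) of the most specific matching entry so far
    for subtree, included in views.get(view_name, []):
        if _subtree_matches(subtree, oid) and (best is None or len(subtree) > len(best[0])):
            best = (subtree, included)
    return best is not None and best[1]


# The view from the page's example, as constructed configuration text
VIEW_CONFIG = """\
snmp-server view Maynes system included
snmp-server view Maynes system.2 excluded
snmp-server view Maynes 2.3.*.6
"""

if __name__ == "__main__":
    views = parse_view_commands(VIEW_CONFIG)
    for oid in ("system.1.0", "system.2.0", "2.3.7.6.1", "interfaces.1.0"):
        print(oid, "visible" if oid_in_view(views, "Maynes", oid) else "hidden")
```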
sntp poll-interval
This parameter sets how often clock updates are requested from an SNTP server.
EXAMPLE:
To configure the ServerIron to poll for clock updates from an SNTP server every 15 minutes, enter the following:
ServerIron(config)# sntp poll-interval 900
Syntax: sntp poll-interval <1-65535>
Possible values: 1 – 65535 seconds
Default value: 1800 seconds
sntp server
This command allows you to define the SNTP server that will be used for clock synchronization for the ServerIron. You can either enter the SNTP server’s IP address or its hostname.
Up to three SNTP server entries can be defined.
EXAMPLE:
To define the SNTP server (IP address 192.1.4.69) that will be polled by the ServerIron for time updates, enter:
ServerIron(config)# sntp server 192.1.4.69
Syntax: sntp server <ip-addr> | <hostname> [<version>]
The <version> parameter specifies the SNTP version the server is running and can be from 1 – 4. The default is 1. You can configure up to three SNTP servers by entering three separate sntp server commands.
Possible values: See above.
Default value: N/A
spanning-tree
Enables or disables (no) Spanning Tree on the switch. This change can be viewed by the show spanning tree command.
For switches, this feature is enabled by default.
For routers, this feature is disabled by default.
To disable this feature, enter no spanning-tree. To later re-enable spanning tree on the router, enter spanning-tree.
EXAMPLE:
To disable spanning tree, enter the following:
ServerIron(config)# no spanning-tree
EXAMPLE:
To enable spanning tree, enter the following:
ServerIron(config)# spanning-tree
Syntax: [no] spanning-tree
Possible values: N/A
Default value: Enabled on switches. Disabled on routers.
spanning-tree <parameter>
Spanning Tree bridge and port parameters are configurable using one CLI command. When no port-based VLANs are active on the system, spanning tree parameters are set at the Global CONFIG Level.
When port-based VLANs are active on the system, spanning tree protocol bridge and port parameters can be configured globally at the VLAN Level. Additionally, you can disable or enable STP on an interface basis.
NOTE: If VLANs are active on a switch or router, spanning-tree will not be seen as an option at the Global CONFIG Level of the CLI but will be an option of the VLAN Level.
All bridge and port parameters have default values and do not need to be modified unless required to match network needs. Additionally, all values will be globally applied to the switch or router. By default this feature is enabled on switches and disabled on routers.
You can modify the following STP Parameters:
1. Modify bridge parameters—forward delay, maximum age, hello time and priority
2. Modify port parameters—priority and path cost
EXAMPLE:
Suppose you want to enable spanning tree on a system in which no port-based VLANs are active and change the hello-time from the default value of 2 to 8 seconds. Additionally, suppose you want to change the path and priority costs for port 5 only. To do so, enter the following commands.
ServerIron(config)# span hello-time 8
ServerIron(config)# span ethernet 5 path-cost 15 priority 64
Syntax: span [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value> hello-time <value> maximum-age <time> priority <value>
Possible values: see below
Bridge Parameters:
• Forward-delay: Possible values: 4 – 30 seconds. Default is 15 seconds.
• Max-age: Possible values: 6 – 40 seconds. Default is 20 seconds.
• Hello-time: Possible values: 1 – 10 seconds. Default is 2 seconds.
• Priority: Possible values: 1 – 65,535. Default is 32,768. A higher numerical value means a lower priority; thus, the highest priority is 0.
Port Parameters:
• Path: Possible values: 1-65,535. Default: Auto
NOTE: The default value ‘Auto’ means that the port will adjust the default value automatically based on the port speed. The default value is based on the following formula:
• Half-duplex ports: 1000/port speed
• Full-duplex ports: (1000/port speed)/2
• Priority: possible values are 0-255. Default is 128. A higher numerical value means a lower priority; thus, the highest priority is 0.
static-mac-address
Defines a static MAC address on an individual switch or switching port to ensure it is not aged out. The parameter option, router-type or host-type, is not available for the FastIron Workgroup switch or Stackable Layer 3 Switches.
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the entry applies to that VLAN and not to the default VLAN.
NOTE: If you want to include a trunk group when you configure a static MAC entry that has multiple ports, include only the primary port of the trunk group. If you include all the trunk group’s ports, the ServerIron uses all the ports to forward traffic for the MAC address instead of using only the active trunk port.
EXAMPLE:
ServerIron(config)# static-mac-address 1145.5563.67FF ethernet 12 priority 7 router-type
The syntax for adding static MAC entries differs depending on whether you are using a stackable or chassis ServerIron.
Syntax for chassis devices:
Syntax: static-mac-address <mac-addr> ethernet <portnum> [priority <0-7>] [host-type | router-type]
Syntax for stackable devices:
Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]
The priority can be 0 – 7 (0 is lowest and 7 is highest) for chassis devices and either normal-priority or high-priority for stackable devices.
NOTE: The fixed-host parameter is supported only on stackable ServerIrons. Use the fixed-host parameter for Layer 2 firewall configurations. The parameter "fixes" the address to the ServerIron port you specify and prevents other ports on the ServerIron from learning it. Use the router-type parameter for all other types of FWLB configurations. For more information, see the Foundry ServerIron Firewall Load Balancing Guide.
To create a static MAC entry that is associated with multiple ports, enter a command such as the following:
ServerIron(config)# static-mac-address aaaa.bbbb.cccc ethernet 1 ethernet 3 to 5
This command creates a static MAC entry that is associated with port 1 and ports 3 – 5. The ServerIron forwards traffic addressed to aaaa.bbbb.cccc out all the ports you specify, in this case 1, 3, 4, and 5.
Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the entry applies to that VLAN and not to the default VLAN.
Foundry recommends that you configure a static ARP entry to match the static MAC entry. In fact, the software automatically creates a static MAC entry when you create a static ARP entry.
NOTE: When a static MAC entry has a corresponding static ARP entry, you cannot delete the static MAC entry unless you first delete the static ARP entry.
To create a static ARP entry for a static MAC entry, enter a command such as the following:
ServerIron(config)# arp 1 192.53.4.2 aaaa.bbbb.cccc ethernet 1
NOTE: The arp command allows you to specify only one port number. To create a static ARP entry for a static MAC entry that is associated with multiple ports, specify the first (lowest-numbered) port associated with the static MAC entry.
Possible values: See above.
Default value: host-type and 0 or normal priority
system-max
Allows you to modify the default settings for parameters that use system memory. The configurable parameters and their defaults and maximums differ depending on the device. To display the configurable parameters, their defaults, and the maximum configurable values for each, enter the following command at any level of the CLI: show default values. See “show default” on page 21-3.
EXAMPLE:
To increase the number of real servers available on the ServerIron:
ServerIron(config)# system-max l4-real 2048
Syntax: system-max l4-real-server <real-servers>
The <real-servers> value can be from 64 – 2048.
To increase the number of virtual servers available on the ServerIron:
ServerIron(config)# system-max l4-virtual-server 512
Syntax: system-max l4-virtual-server <virtual-servers>
The <virtual-servers> value can be from 64 – 512.
To increase the number of TCP/UDP ports available on the ServerIron:
ServerIron(config)# system-max l4-server-port 4096
Syntax: system-max l4-server-port <number-of-ports>
The <number-of-ports> value can be from 256 – 4096.
To increase the number of TCP buffers available on the ServerIron:
ServerIron(config)# system-max tcp-buffer 2048
Syntax: system-max tcp-buffer <number-of-buffers>
The ServerIron uses TCP buffers for TCP sessions. Applications such as GSLB use many TCP buffers, since buffers are required for TCP health checks as well as client connections with real servers. If you receive a message that the ServerIron cannot perform a health check or other TCP tasks, you might need to allocate more memory for TCP buffers.
The <number-of-buffers> value can be from 128 – 2048.
Possible values: These depend on the device you are configuring. See the System Parameters section in the show default values display. The CLI will display the acceptable range if you enter a value that is outside the range.
Default value: See above
tacacs-server
Identifies a TACACS or TACACS+ server and sets other TACACS/TACACS+ parameters for authenticating access to the Foundry device.
EXAMPLE:
ServerIron(config)# tacacs-server host 209.157.22.99
Syntax: tacacs-server host <ip-addr> | <server-name> [auth-port <number>]
The only required parameter is the IP address or host name of the server.
NOTE: To specify the server's host name instead of its IP address, you must first identify a DNS server using the ip dns server-address <ip-addr> command at the global CONFIG level. See the “Configuring Basic Features” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.
The auth-port parameter specifies the UDP port number of the authentication port on the server. The default port number is 49.
Syntax: tacacs-server [key <key-string>] [timeout <number>] [retransmit <number>] [dead-time <number>]
The key parameter specifies the value that the Foundry device sends to the server when trying to authenticate user access. The TACACS/TACACS+ server uses the key to determine whether the Foundry device has authority to request authentication from the server. The key can be from 1 – 16 characters in length.
The timeout parameter specifies how many seconds the Foundry device waits for a response from the TACACS/TACACS+ server before either retrying the authentication request or determining that the TACACS/TACACS+ server is unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.
The retransmit parameter specifies how many times the Foundry device will re-send an authentication request when the TACACS/TACACS+ server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.
The dead-time parameter is not used in this software release. When the software allows multiple authentication servers, this parameter will specify how long the Foundry device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3.
Possible values: see above
Default value: see above
tag-type
This parameter defines the value sent in a packet to identify it as a tagged VLAN packet. The 802.1q standard recognizes the value 8100 for this purpose. Other values can be assigned to this parameter but are not recommended.
EXAMPLE:
ServerIron(config)# tag-type 8100
Syntax: tag-type <value>
Possible values: 1-65535
Default value: 8100
telnet access-group
Applies an ACL to control Telnet access to the device.
EXAMPLE:
The following commands configure ACL 10, then apply the ACL as the access list for Telnet access. The device will allow Telnet access to all IP addresses except those listed in ACL 10.
ServerIron(config)# access-list 10 deny host 209.157.22.32 log
ServerIron(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log
ServerIron(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log
ServerIron(config)# access-list 10 deny 209.157.25.0/24 log
ServerIron(config)# access-list 10 permit any
ServerIron(config)# telnet access-group 10
ServerIron(config)# write mem
Syntax: telnet access-group <num>
Possible values: The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.
Default value: N/A
telnet client
Restricts Telnet management access to the Foundry device to the host whose IP address you specify. No other device except the one with the specified IP address can access the Foundry device’s CLI through Telnet.
If you want to restrict access from SNMP or the Web, use one or two of the following commands:
• snmp-client – restricts SNMP access (including IronView). See “snmp-client” on page 6-88.
• web client – restricts web access. See “web client” on page 6-100.
If you want to restrict all management access, you can use the commands above and the telnet client command or you can use the following command: all-client. See “all-client” on page 6-7.
EXAMPLE:
To restrict Telnet access (which includes IronView) to the Foundry device to the host with IP address 209.157.22.26, enter the following command:
ServerIron(config)# telnet client 209.157.22.26
Syntax: [no] telnet client <ip-addr>
Possible values: a valid IP address. You can enter one IP address with the command. You can use the command up to ten times for up to ten IP addresses.
Default value: N/A
telnet login-timeout
Changes the login timeout period for Telnet sessions.
EXAMPLE:
To change the login timeout period for Telnet sessions to 5 minutes:
ServerIron(config)# telnet login-timeout 5
Syntax: [no] telnet login-timeout <minutes>
Possible values: 1 – 10 minutes
Default value: 1 minute
telnet server
This command enables or disables Telnet access to a ServerIron. By default, Telnet access is allowed on a system.
EXAMPLE:
To disable Telnet access to a switch, enter the following:
ServerIron(config)# no telnet server
Syntax: [no] telnet server
Possible values: Enabled or disabled
Default value: Enabled
telnet server enable vlan
Allows Telnet access only to clients in a specific VLAN.
EXAMPLE:
The following command configures the device to allow Telnet management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.
ServerIron(config)# telnet server enable vlan 10
Syntax: [no] telnet server enable vlan <vlan-id>
Possible values: N/A
Default value: N/A
telnet timeout
This parameter defines how long a Telnet session can remain idle before it is timed out. By default, Telnet sessions do not time out.
EXAMPLE:
ServerIron(config)# telnet timeout 120
Syntax: telnet timeout <0-240>
Possible values: 0 – 240 seconds
Default value: 0 seconds (no timeout)
tftp client enable vlan
Allows TFTP access only to clients in a specific VLAN.
EXAMPLE:
The following example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.
ServerIron(config)# tftp client enable vlan 40
Syntax: [no] tftp client enable vlan <vlan-id>
Possible values: N/A
Default value: N/A
trunk switch | server ethernet
This command allows you to add a trunk group to a switch, router or server for high-speed connections.
NOTE: On the ServerIron 400 or ServerIron 800, you must use the default trunk type, which is "switch". The "server" parameter is not supported.
EXAMPLE:
To assign ports 1, 2 and 3 to a trunk group on the system, enter the following command:
ServerIron(config)# trunk switch e 1 to 3
A trunk group must then also be configured on the connecting Foundry Networks switch or router at the other end of the trunk group. The term switch in the above command can refer to either a Foundry Networks switch, ServerIron, or router.
If you are going to connect to a server, then enter the following command:
ServerIron(config)# trunk server e1 to 3
This will connect a trunk group of ports 1, 2 and 3 to a server.
Summary of Trunk Group Rules
• The trunk type must be "switch" on the ServerIron 400 and ServerIron 800, and "server" on all other models.
• Up to four trunk groups may be assigned (up to three for a TurboIron).
• Trunk group port assignment should always start with the lead port, i.e. 1, 5, 9, 13 or 17. (1, 3 or 5 for a TurboIron).
• Port assignment must be contiguous.
• Ports cannot be assigned across multiple trunk group boundaries; for example, ports 4 and 5 cannot be in the same trunk group.
• All of the trunk group member properties must match the lead port of the trunk group with respect to the following parameters:
  • port tag type (untagged or tagged port)
  • port speed and duplex
  • QoS priority
Syntax: trunk server | switch ethernet <portnum> to <portnum>
Possible values: Port or port ranges
Default value: Disabled
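A checker for the trunk group rules summarized above, written as an added example for this page (it is not Foundry code). It encodes the lead ports, group limits and boundary blocks exactly as the rule summary lists them; ports are single-module numbers (1, 2, ...), chassis slot/port notation such as 4/1 is not modelled, and the port property table is constructed sample data.

```python
"""Checker for the trunk group rules summarized above (added example, not Foundry code)."""
from __future__ import annotations

from dataclasses import dataclass

# Lead ports and group limits exactly as the rule summary lists them.  The
# boundary blocks follow from the lead ports: 1-4, 5-8, 9-12, 13-16, 17-20 on
# the default profile and 1-2, 3-4, 5-6 on a TurboIron.
PROFILES = {
    "default": {"lead_ports": (1, 5, 9, 13, 17), "max_groups": 4},
    "turboiron": {"lead_ports": (1, 3, 5), "max_groups": 3},
}


@dataclass(frozen=True)
class PortProps:
    """The per-port properties that must match the lead port."""
    tagged: bool       # port tag type (tagged or untagged)
    speed: str         # port speed, e.g. "100" or "1000"
    duplex: str        # "full" or "half"
    qos_priority: int  # QoS priority


def boundary_block(port: int, lead_ports: tuple[int, ...]) -> range:
    """The boundary-aligned block of ports that contains `port`."""
    size = lead_ports[1] - lead_ports[0]
    lead = max(lp for lp in lead_ports if lp <= port)
    return range(lead, lead + size)


def check_trunk(ports: list[int], props: dict[int, PortProps],
                existing_groups: int = 0, model: str = "default") -> list[str]:
    """Return every rule the requested trunk violates; an empty list means OK."""
    profile = PROFILES[model]
    lead_ports = profile["lead_ports"]
    if not ports or min(ports) < lead_ports[0]:
        return ["a trunk needs at least one port numbered 1 or higher"]
    problems: list[str] = []
    # Rule: up to four trunk groups (three on a TurboIron).
    if existing_groups + 1 > profile["max_groups"]:
        problems.append(f"at most {profile['max_groups']} trunk groups on this model")
    ordered = sorted(ports)
    lead = ordered[0]
    # Rule: assignment starts at a lead port.
    if lead not in lead_ports:
        problems.append(f"port {lead} is not a lead port; lead ports are {lead_ports}")
    # Rule: port assignment must be contiguous.
    if ordered != list(range(lead, ordered[-1] + 1)):
        problems.append(f"ports {ordered} are not contiguous")
    # Rule: no crossing of a trunk group boundary (e.g. ports 4 and 5).
    block = boundary_block(lead, lead_ports)
    crossing = [p for p in ordered if p not in block]
    if crossing:
        problems.append(f"ports {crossing} cross the trunk boundary of "
                        f"block {block.start}-{block.stop - 1}")
    # Rule: tag type, speed/duplex and QoS priority must match the lead port.
    lead_props = props.get(lead)
    for p in ordered[1:]:
        if props.get(p) != lead_props:
            problems.append(f"port {p} properties do not match lead port {lead}")
    return problems


# Constructed port tables: all ports identical, and one where port 2 is tagged.
SAMPLE_PROPS = {p: PortProps(False, "1000", "full", 0) for p in range(1, 25)}
MISMATCH_PROPS = dict(SAMPLE_PROPS)
MISMATCH_PROPS[2] = PortProps(True, "1000", "full", 0)


if __name__ == "__main__":
    for request in ([1, 2, 3], [4, 5], [1, 2, 4]):
        print(request, check_trunk(request, SAMPLE_PROPS) or "ok")
```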
unknown-unicast limit
Specifies the maximum number of unknown-unicast packets the device can forward each second. By default the device sends unknown unicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited unknown-unicast traffic, this command allows you to relieve those devices by throttling the unknown unicasts at the Foundry device.
NOTE: The unknown-unicast limit does not affect broadcast or multicast traffic. However, you can use the broadcast limit and multicast limit commands to control these types of traffic. See “broadcast limit” on page 6-12 and “multicast limit” on page 6-53.
EXAMPLE:
ServerIron(config)# unknown-unicast limit 30000
Syntax: unknown-unicast limit <num>
Possible values: 0 – 4294967295
Default value: N/A
url-map
This command is used in conjunction with the URL switching feature on the ServerIron. This command assigns a name to a URL switching policy and enters the URL switching policy CONFIG level.
EXAMPLE:
To create a URL switching policy named p1:
ServerIron(config)# url-map p1
Syntax: url-map <policy-name>
Possible values: URL switching policy name
Default value: N/A
username
This command configures a local user account. For each user account, you specify the user name. You also can specify the following parameters:
• A password
• The privilege level, which can be one of the following:
• Full access (super-user). This is the default.
• Port-configuration access
• Read-only access
EXAMPLE:
To configure a user account, enter a command such as the following at the global CONFIG level of the CLI.
ServerIron(config)# username wonka password willy
This command adds a user account with the user name "wonka" and the password "willy", with privilege level super-user. This user has full access to all configuration and display features.
NOTE: If you configure user accounts, you must add a user account for super-user access before you can add accounts for other access levels. You will need the super-user account to make further administrative changes.
ServerIron(config)# username waldo privilege 5 password whereis
This command adds a user account for user name "waldo", password "whereis", with privilege level read-only. Waldo can look for information but cannot make configuration changes.
Syntax: [no] username <user-string> privilege <privilege-level> password | nopassword <password-string>
The privilege parameter specifies the privilege-level. You can specify one of the following:
• 0 – Full access (super-user)
• 4 – Port-configuration access
• 5 – Read-only access
The default privilege level is 0. If you want to assign full access to the user account, you can enter the command without "privilege 0", as shown in the command example above.
The password | nopassword parameter indicates whether the user must enter a password. If you specify password, enter the string for the user's password.
NOTE: You must be logged on with super-user access (privilege level 0, or with a valid Enable password for super-user access) to add user accounts or configure other access parameters.
vlan
Creates or changes the CLI focus to a port-based VLAN.
EXAMPLE:
ServerIron(config)# vlan 200 by port
ServerIron(config)# vlan 200 name WebMgr
Syntax: vlan <num> by port
Syntax: vlan <num> name <string>
NOTE: The second command is optional and also creates the VLAN if the VLAN does not already exist. You can enter the first command after you enter the second command if you first exit to the global CONFIG level of the CLI.
Possible values: VLAN ID 1 – 1024; VLAN name can be a string up to 16 characters. You can use blank spaces in the name if you enclose the name in double quotes (for example, “Tanya Inman”).
Default value: N/A
vlan-dynamic-discovery
Disables or re-enables dynamic discovery of protocol VLANs on switch-to-switch links. This feature enables switch-to-switch links to be automatically included in protocol VLANs that have dynamic port membership.
EXAMPLE:
To disable the feature, enter the following command:
ServerIron(config)# no vlan-dynamic-discovery
Syntax: [no] vlan-dynamic-discovery
Possible values: Enabled or disabled
Default value: Enabled
vlan max-vlans
Allows you to assign a set number of VLANs to be supported on a ServerIron. This allows you to set a smaller value than the default to preserve memory on the system.
EXAMPLE:
ServerIron(config)# vlan max-vlans 200
Syntax: vlan max-vlans <value>
Possible values: 1 – 1024
Default value: 32
web access-group
Applies an ACL to control Web access to the device.
EXAMPLE:
The following commands configure ACL 10, then apply the ACL as the access list for Web access. The device will allow Web access to all IP addresses except those listed in ACL 10.
ServerIron(config)# access-list 10 deny host 209.157.22.32 log
ServerIron(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log
ServerIron(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log
ServerIron(config)# access-list 10 deny 209.157.25.0/24 log
ServerIron(config)# access-list 10 permit any
ServerIron(config)# web access-group 10
ServerIron(config)# write mem
Syntax: web access-group <num>
Possible values: The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.
Default value: N/A
web client
Restricts Web management access to the Foundry device to the host whose IP address you specify. No other device except the one with the specified IP address can access the Foundry device’s Web management interface.
If you want to restrict access from SNMP or Telnet, use one or two of the following commands:
• snmp-client – restricts SNMP access (including IronView). See “snmp-client” on page 6-88.
• telnet client – restricts Telnet access to the CLI. See “telnet client” on page 6-95.
If you want to restrict all management access, you can use the commands above and the web client command or you can use the following command: all-client. See “all-client” on page 6-7.
EXAMPLE:
To restrict Web access to the Foundry device to the host with IP address 209.157.22.26, enter the following command:
ServerIron(config)# web client 209.157.22.26
Syntax: [no] web client <ip-addr>
Possible values: a valid IP address. You can enter one IP address with the command. You can use the command up to ten times for up to ten IP addresses.
Default value: N/A
web-management
This command enables or disables the Web management interface on a ServerIron. By default this feature is enabled on a system.
EXAMPLE:
ServerIron(config)# no web-management
Syntax: [no] web-management
Possible values: Enabled, Disabled
Default value: Enabled
web-management enable vlan
Allows Web management access only to clients in a specific VLAN.
EXAMPLE:
The following example configures the device to allow Web management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.
ServerIron(config)# web-management enable vlan 10
Syntax: [no] web-management enable vlan <vlan-id>
Possible values: N/A
Default value: N/A
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
ServerIron(config)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
wsm boot
Changes the default boot source for the Web Switching Management Module.
By default, the Web Switching Management Module’s processors boot from the primary flash areas on the module. Each processor boots from its own primary flash. The MP boots first, then the WSM CPUs boot.
You can change the default boot source to one of the following:
• Primary flash (the default)
• Secondary flash
• Interactive
The interactive option pauses during bootup of the WSM CPUs to allow you to select the boot source for the WSM CPUs. You must use this method if you want to boot the WSM CPUs from a TFTP server. Otherwise, this method is used for troubleshooting.
EXAMPLE:
To change the default boot source, enter commands such as the following at the global CONFIG level of the CLI:
ServerIron(config)# wsm boot secondary
ServerIron(config)# write memory
This command configures the module to boot from the secondary flash by default.
NOTE: The write memory command saves the change to the startup-config file. You must save the configuration change for the change to remain in effect after you reboot.
Syntax: wsm boot primary | secondary | interactive
The primary and secondary parameters specify a flash memory location. The interactive parameter causes the device to pause during bootup to allow you to specify the boot source for the WSM CPUs. You must use this method if you want to boot the WSM CPUs from a TFTP server. Otherwise, the interactive parameter is used for troubleshooting.
To configure the module to pause during booting to allow you to specify the boot source, enter the following command:
ServerIron(config)# wsm boot interactive
After you set the boot source to interactive and reboot, enter a command such as the following at the Privileged EXEC level of the CLI to boot the WSM CPUs:
ServerIron# wsm boot tftp 192.168.1.170 wsp07200.bin
This command copies the WSM CPU flash code image from the specified TFTP server to a WSM CPU address space from which the WSM CPU can boot.
Syntax: wsm boot primary | secondary | tftp <ip-addr> <image-file-name>
Possible values: See above
Default value: primary
wsm wsm-map
Remaps processing for a forwarding module to a specific WSM CPU.
NOTE: Foundry recommends that you change slot allocations only if Foundry technical support advises the change or the documentation for a feature states that the change is required.
EXAMPLE:
ServerIron(config)# wsm wsm-map slot 3 wsm-slot 2 wsm-cpu 1
This command remaps processing for the forwarding module in slot 3 to WSM CPU 1 on the Web Switching Management Module in slot 2.
Syntax: wsm wsm-map <from-slotnum> wsm-slot <to-slotnum> wsm-cpu <cpunum>
The <from-slotnum> parameter specifies the slot that contains the forwarding module.
The <to-slotnum> parameter specifies the slot that contains the Web Switching Management Module.
The <cpunum> parameter specifies the WSM CPU on <to-slotnum> that will perform the processing. The WSM CPUs are numbered from 1 – 3.
Chapter 8 Redundant Management Module CONFIG Commands
active-management
In chassis containing redundant management modules, changes the default assignment of the active management module. By default, the redundant management module in the lower slot number becomes the active redundant management module. You must use this command to override the default and make the redundant management module in the higher slot number the default active module.
NOTE: This command applies only to devices containing redundant management modules.
NOTE: The change does not take effect until you reload the system. If you save the change to the active module's system-config file before reloading, the change persists across system reloads. Otherwise, the change affects only the next system reload.
EXAMPLE:
To override the default and specify the active redundant management module, enter the following commands:
BigServerIron(config)# redundancy
BigServerIron(config-redundancy)# active-management 5
This command overrides the default and makes the redundant management module in slot 5 the active module following the next reload. The change affects only the next reload and does not remain in effect for future reloads.
Syntax: active-management <slot-num>
NOTE:
• Slots in a four-slot chassis are numbered 1 – 4, from top to bottom.
• Slots in an eight-slot chassis are numbered 1 – 8, from left to right.
To make the change permanent across future reloads, enter the write memory command to save the change to the startup-config file, as shown in the following example:
BigServerIron(config)# redundancy
BigServerIron(config-redundancy)# active-management 5
BigServerIron(config-redundancy)# write memory
NOTE: If you do not save the change to the startup-config file, the change affects only the next reload.
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
BigServerIron(config-redundancy)# end
BigServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the privileged level.
EXAMPLE:
To move from the global level, back to the privileged level, enter the following:
BigServerIron(config-redundancy)# exit
BigServerIron#
Syntax: exit
Possible values: N/A
Default value: N/A
no
Disables other commands. To disable a command, place the word no before the command.
quit
Returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
BigServerIron(config-redundancy)# quit
BigServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
show
Displays a variety of configuration and statistical information about the switch or router. See “Show Commands” on page 21-1.
sync-standby
Automates synchronization of software between active and standby redundant management modules.
EXAMPLE:
To change the automatic synchronization setting, use one of the following commands:
Syntax: [no] sync-standby boot
Syntax: [no] sync-standby code
Syntax: [no] sync-standby startup-config
Syntax: [no] sync-standby running-config [<num>]
To disable automatic synchronization of the boot code, flash code, or startup-config file, enter “no” in front of the command.
The <num> parameter with the sync-standby running-config command specifies the synchronization interval. You can specify from 4 – 20 seconds. The default is 10 seconds. To disable automatic synchronization of the running-config, set the synchronization interval (the <num> parameter) to 0.
Possible values: See above
Default value: Automatic synchronization of the flash code, running-config, and system-config file is enabled by default. Automatic synchronization of the boot code is disabled by default. The default synchronization interval for the running-config is 10 seconds.
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
BigServerIron(config-redundancy)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running configuration of the Foundry switch or router on the terminal screen.
NOTE: This command is equivalent to the show running-config command.
EXAMPLE:
BigServerIron(config-redundancy)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 8 Interface Commands
auto-gig
Enables auto-negotiation on a gigabit interface in accordance with the flow control specification 802.3x. Both sides of the circuit need to be configured with this feature.
EXAMPLE:
ServerIron(config)# int e 1
ServerIron(config-if-1)# auto-gig
Syntax: [no] auto-gig
Possible values: on or off
Default value: disabled
broadcast limit
Specifies the maximum number of broadcast packets the device can forward each second. By default the device sends broadcasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited broadcast traffic, this command allows you to relieve those devices by throttling the broadcasts at the Foundry device.
NOTE: The broadcast limit does not affect multicast or unicast traffic. However, you can use the multicast limit and unknown-unicast limit commands to control these types of traffic. See “multicast limit” on page 8-11 and “unknown-unicast limit” on page 8-14.
EXAMPLE:
ServerIron(config)# int e 6
ServerIron(config-if-6)# broadcast limit 30000
Syntax: broadcast limit <num>
Possible values: 0 – 4294967295
Default value: N/A
cache-group
Assigns the port to a TCS cache group. The port’s membership in a cache group allows client traffic received on the port to be redirected to the cache servers in the cache group.
EXAMPLE:
ServerIron(config)# int e 6
ServerIron(config-if-6)# cache-group 1
Syntax: cache-group 1
Possible values: 1
Default value: 1
clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in “Privileged EXEC Commands” on page 5-1.
dhcp-gateway-list
Assigns a defined DHCP gateway list to a specific interface on a Foundry switch. The DHCP gateway list must be defined at the global level, and the DHCP Assist feature must be enabled, before the list can be assigned to an interface on a switch.
NOTE: This feature is not supported on Foundry routers.
NOTE: For more details on this command and the DHCP Assist feature, see the Foundry Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
To assign a defined DHCP gateway list (1) to interface 2/5, enter the following:
ServerIron(config)# int e 2
ServerIron(config-if-2)# dhcp-gateway-list 1
Syntax: dhcp-gateway-list <number>
Possible values: N/A
Default value: N/A
disable
Disables a specific port.
EXAMPLE:
ServerIron(config)# interface e 1
ServerIron(config-if-1)# disable
Syntax: disable
Possible values: N/A
Default value: N/A
enable
Enables a specific port. All ports are enabled by default at system startup, so this command is needed only after a port has been disabled.
EXAMPLE:
ServerIron(config)# interface e 1
ServerIron(config-if-1)# enable
Syntax: enable
Possible values: N/A
Default value: All ports are enabled at system startup.
end
Moves activity to the privileged level from any level of the CLI with the exception of the User level.
EXAMPLE:
To move to the privileged level, enter the following:
ServerIron(config-if-5)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level of the CLI. This command is available at all levels.
EXAMPLE:
To move from the interface level, back to the global level, enter the following:
ServerIron(config-if-4)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
flow-control
Allows you to turn flow control (802.3x) on or off for full-duplex ports (use the no form to turn it off). Flow control is on by default.
EXAMPLE:
To turn the feature off, enter the following:
ServerIron(config)# int e5
ServerIron(config-if-5)# no flow-control
To turn the feature on after being turned off, enter the following:
ServerIron(config-if-5)# flow-control
Syntax: [no] flow-control
Possible values: N/A
Default value: on
fw-group
Assigns a port to a firewall group.
EXAMPLE:
To assign port 5 to firewall group 2:
ServerIron(config)# int e 5
ServerIron(config-if-5)# fw-group 2
Syntax: fw-group 2
Possible values: 2
Default value: All ports are assigned to firewall group 2 by default.
gig-default
Overrides the global default setting for Gigabit negotiation mode. You can configure the Gigabit negotiation mode for a port to be one of the following:
• Default – The port uses the negotiation mode that was set at the global level.
• Negotiate-full-auto – The port first tries to perform a handshake with the other port to exchange capability information. If the other port does not respond to the handshake attempt, the port uses the manually configured information (or the defaults if an administrator has not set the information). This is the default for Chassis devices (including the TurboIron/8).
• Auto-Gigabit – The port tries to perform a handshake with the other port to exchange capability information. This is still the default for Stackable devices.
• Negotiation-off – The port does not try to perform a handshake. Instead, the port uses configuration information manually configured by an administrator.
See the “Configuring Basic features” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide for more information.
NOTE: This command does not apply to Stackable devices. To change the negotiation mode for a Stackable Gigabit Ethernet port, use the [no] auto-gig command at the Interface level. See “auto-gig” on page 8-1.
EXAMPLE:
To override the global setting and set the negotiation mode to auto-Gigabit for ports 4/1 – 4/4, enter the following commands:
ServerIron(config)# int ethernet 4/1 to 4/4
ServerIron(config-mif-4/1-4/4)# gig-default auto-gig
Syntax: gig-default neg-full-auto | auto-gig | neg-off
Possible values: see above
Default value: neg-full-auto
ip access-group
Applies an ACL to an interface.
EXAMPLE:
To configure a standard ACL and apply it to outgoing traffic on port 1, enter the following commands.
ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 1 out
ServerIron(config)# write memory
The commands in this example configure an ACL to deny packets from three source IP addresses from being forwarded on port 1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries.
Syntax: [no] ip access-group <num> in | out
The <num> parameter is the access list number and can be from 1 – 99.
EXAMPLE:
To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following:
ServerIron(config)# vlan 10 name IP-subnet-vlan
ServerIron(config-vlan-10)# untag ethernet 1/1 to 2/12
ServerIron(config-vlan-10)# router-interface ve 1
ServerIron(config-vlan-10)# exit
ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip access-group 1 in ethernet 1/1 ethernet 1/3 ethernet 2/1 to 2/4
The commands in this example configure port-based VLAN 10, add ports 1/1 – 2/12 to the VLAN, and add virtual routing interface 1 to the VLAN. The commands following the VLAN configuration commands configure ACL 1. Finally, the last two commands apply ACL 1 to a subset of the ports associated with virtual interface 1.
Syntax: [no] ip access-group <num> in ethernet <portnum> [<portnum>...] to <portnum>
Possible values: see above
Default value: N/A
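As an added example (not ServerIron code), the Python below evaluates the ACL from the examples above in configuration order against sample source addresses, which is the property that makes the final permit any entry safe to add only at the end. The four access-list lines are the page's own; the address behind the name IPHost1 and the sample packets are constructed, the bare-address form is treated as a single host, and a packet that matches no entry is reported as unmatched rather than assumed permitted or denied, since the page does not state the device's behaviour for that case.

```python
"""Added example, not ServerIron code: first-match evaluation of the
standard ACL configured in the ip access-group examples."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the device's resolution of "host IPHost1";
# the page does not give the address (192.0.2.10 is documentation space).
HOST_TABLE: Dict[str, str] = {"IPHost1": "192.0.2.10"}

# The access-list lines from the example above.
ACL_LINES: List[str] = [
    "access-list 1 deny host 209.157.22.26 log",
    "access-list 1 deny 209.157.29.12 log",
    "access-list 1 deny host IPHost1 log",
    "access-list 1 permit any",
]


@dataclass(frozen=True)
class AclEntry:
    number: int
    action: str   # "permit" or "deny"
    source: str   # "any", or a host address / host name
    log: bool     # True when the entry ends in "log"


def parse_acl_line(line: str) -> AclEntry:
    """Parse 'access-list <num> permit|deny any|host <x>|<x> [log]'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard access-list line: {line!r}")
    number = int(tokens[1])
    if not 1 <= number <= 99:          # standard ACL range given on the page
        raise ValueError(f"standard ACL number out of range: {number}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    rest = tokens[3:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest == ["any"]:
        source = "any"
    elif len(rest) == 2 and rest[0] == "host":
        source = rest[1]
    elif len(rest) == 1:
        # Assumption: a bare address ("deny 209.157.29.12") means that one host.
        source = rest[0]
    else:
        raise ValueError(f"cannot parse source in: {line!r}")
    return AclEntry(number, action, source, log)


def resolve(source: str) -> Optional[ipaddress.IPv4Address]:
    """Map an entry's source to an address; None means 'any'.

    An unknown host name falls through to IPv4Address and raises, which is
    the right outcome for a filter whose target cannot be determined."""
    if source == "any":
        return None
    return ipaddress.IPv4Address(HOST_TABLE.get(source, source))


def build_acl(lines: List[str], number: int) -> List[AclEntry]:
    """Collect the entries of one ACL number, preserving configuration order."""
    return [e for e in (parse_acl_line(l) for l in lines) if e.number == number]


def evaluate(entries: List[AclEntry], src: str) -> Tuple[Optional[str], bool]:
    """Return (action, log) of the first entry that matches the source address.

    Entries are tested in order and the first match wins, so an entry placed
    after 'permit any' can never take effect. (None, False) means no entry
    matched; the page's example cannot reach that case because its last
    entry permits everything."""
    packet_src = ipaddress.IPv4Address(src)
    for entry in entries:
        target = resolve(entry.source)
        if target is None or target == packet_src:
            return entry.action, entry.log
    return None, False


if __name__ == "__main__":
    acl1 = build_acl(ACL_LINES, 1)
    for sample in ("209.157.22.26", "209.157.29.12", "192.0.2.10", "10.1.1.1"):
        print(sample, evaluate(acl1, sample))
```

Feeding the three denied sources and one unrelated address through `evaluate` shows the logged denies taking effect before the catch-all permit; truncating the list to its first three entries shows the unmatched case that the real configuration avoids by ending with permit any.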
ip address
Configures an IP interface for use with IP forwarding. You must configure the IP interface on a virtual routing interface. You cannot configure the interface on a physical port. See “router-interface” on page 9-6.
NOTE: This command applies only to Layer 3 IP interfaces for use with IP forwarding. To configure the ServerIron’s management IP address, see “ip address” on page 6-34.
EXAMPLE:
To add an IP interface, enter commands such as the following:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip address 10.10.10.1 255.255.255.0
The interface ve 1 command changes the CLI to the configuration level for virtual routing interface 1. The ip address command adds an IP interface.
Syntax: [no] ip address | nat-address | standby-address <ip-addr> <ip-mask>
or
Syntax: [no] ip address | nat-address | standby-address <ip-addr>/<mask-bits>
The address | nat-address | standby-address parameter identifies the type of IP interface you are adding.
• The address parameter adds a standard IP interface. This option is applicable in most cases.
• The nat-address parameter applies to active-standby configurations. This parameter configures a shared IP interface for use with SLB source NAT. Enter the same command with the same IP address on each of the ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the ServerIron that is currently active) at a time.
NOTE: SLB source NAT is different from standard Network Address Translation (NAT).
• The standby-address parameter applies to active-standby configurations and allows both ServerIrons to share the same router interface. One of the ServerIrons actively supports the interface while the other ServerIron provides failover for the interface if the first ServerIron becomes unavailable. Real servers can use the shared interface as their default gateway. Enter the same command with the same IP address on each of the ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the ServerIron that is currently active) at a time.
The <ip-addr> parameter specifies the IP address.
The <ip-mask> parameter specifies a class-based (or “Classical”) IP sub-net mask.
The <mask-bits> parameter specifies the number of significant bits in a Classless Interdomain Routing (CIDR) sub-net mask.
You can use either format to configure the interface. For example, both the following commands are valid and produce the same result:
• ip address 10.10.10.1 255.255.255.0
• ip address 10.10.10.1/24
Possible values: See above
Default value: N/A
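As an added example (not ServerIron code), the Python below parses both argument forms of this command and confirms that the two lines quoted above describe the same interface. The three keywords come from the Syntax lines; the requirement that a dotted mask round-trip unchanged (which rejects a host-mask value such as 0.0.0.255) and the `rejects` helper are the example's own.

```python
"""Added example, not ServerIron code: parse the two argument forms of the
ip address command and confirm they describe the same interface."""
import ipaddress
from typing import NamedTuple

# The three keywords listed in the Syntax lines for this command.
KEYWORDS = ("address", "nat-address", "standby-address")


class IpInterfaceConfig(NamedTuple):
    kind: str        # which keyword was used: address, nat-address or standby-address
    address: str     # the interface address
    netmask: str     # class-based (dotted) form of the mask
    prefixlen: int   # CIDR form of the same mask
    network: str     # the sub-net the interface belongs to


def parse_ip_address_command(line: str) -> IpInterfaceConfig:
    """Accept 'ip address <ip> <mask>' or 'ip address <ip>/<bits>'
    (and the same two forms for nat-address and standby-address)."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "ip" or tokens[1] not in KEYWORDS:
        raise ValueError(f"not an ip address command: {line!r}")
    kind, args = tokens[1], tokens[2:]
    if len(args) == 1 and "/" in args[0]:
        iface = ipaddress.IPv4Interface(args[0])             # <ip-addr>/<mask-bits>
    elif len(args) == 2:
        # <ip-addr> <ip-mask>: ipaddress rejects a non-contiguous mask such as
        # 255.255.0.255 (NetmaskValueError, a ValueError subclass) ...
        iface = ipaddress.IPv4Interface(f"{args[0]}/{args[1]}")
        # ... but silently reads 0.0.0.255 as a host mask, so insist that the
        # mask round-trips unchanged (this check is the example's own).
        if str(iface.netmask) != args[1]:
            raise ValueError(f"{args[1]} is not a sub-net mask")
    else:
        raise ValueError(f"expected '<ip> <mask>' or '<ip>/<bits>': {line!r}")
    return IpInterfaceConfig(kind, str(iface.ip), str(iface.netmask),
                             iface.network.prefixlen, str(iface.network))


def same_interface(a: str, b: str) -> bool:
    """True when two command lines configure the identical interface."""
    return parse_ip_address_command(a) == parse_ip_address_command(b)


def rejects(line: str) -> bool:
    """True when the parser refuses the line."""
    try:
        parse_ip_address_command(line)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_ip_address_command("ip address 10.10.10.1 255.255.255.0"))
    print(same_interface("ip address 10.10.10.1 255.255.255.0",
                         "ip address 10.10.10.1/24"))
```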
ip icmp burst
Causes the Foundry device to drop ICMP packets when excessive numbers are encountered, as is the case when the device is the victim of a Smurf attack. This command allows you to set threshold values for ICMP packets targeted at the router and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of ICMP packets received per second exceeds 5,000, the excess packets are dropped. If the number of ICMP packets received per second exceeds 10,000, the device drops all ICMP packets for the next 300 seconds (five minutes).
ServerIron(config-if-e100-1)# ip icmp burst-normal 5000 burst-max 10000 lockup 300
Syntax: ip icmp burst-normal <value> burst-max <value> lockup <seconds>
The burst-normal value can be from 1 – 100000.
The burst-max value can be from 1 – 100000.
The lockup value can be from 1 – 10000.
The number of incoming ICMP packets per second is measured and compared to the threshold values as follows:
• If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.
• If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.
Possible values: The burst-normal and burst-max values can be between 1 – 100000 packets. The burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 – 10000 seconds.
Default value: N/A
ip-multicast-disable
Disables Internet Group Management Protocol (IGMP) queries from being sent or received on the port.
EXAMPLE:
To disable IGMP queries on an interface, enter commands such as the following:
ServerIron(config)# int e5
ServerIron(config-if-5)# ip-multicast-disable
To re-enable the IGMP queries on the interface, enter the following command:
ServerIron(config-if-5)# no ip-multicast-disable
Syntax: [no] ip-multicast-disable
Possible values: N/A
Default value: IGMP queries are enabled.
ip-policy
Locally enables TCS or firewall load balancing on the interface. Use this command if you did not enable TCS or firewall load balancing globally. See “ip policy” on page 6-39.
NOTE: You must use the ip policy command to configure the policy before using the ip-policy command. See “ip policy” on page 6-39.
NOTE: This command does not configure permit and deny filters. To configure this type of filter, see “ip filter…” on page 6-35.
See the following for more information:
• The "Configuring Transparent Cache Switching" chapter of the Foundry ServerIron Installation and Configuration Guide
• The Foundry ServerIron Firewall Load Balancing Guide
EXAMPLE:
To enable transparent cache switching of HTTP traffic for port 18 only, as opposed to globally on all of the ports, enter the following commands:
ServerIron(config)# ip policy 2 cache tcp 80 local
ServerIron(config)# int e 18
ServerIron(config-if-18)# ip-policy 2
EXAMPLE:
To enable firewall load balancing on port 9, enter the following commands:
ServerIron(config)# ip policy 3 fw tcp 0 local
ServerIron(config)# ip policy 4 fw udp 0 local
ServerIron(config)# int e 9
ServerIron(config-if-9)# ip-policy 3
ServerIron(config-if-9)# ip-policy 4
Syntax: ip policy <index> cache | fw | high | normal tcp | udp <tcp/udp-portnum> global | local
Syntax: ip-policy <index>
NOTE: When enabling firewall load balancing, you must specify "0" for the <tcp/udp-portnum> parameter of the ip policy command. This value allows all ports of the specified type (TCP or UDP).
Possible values: See above
Default value: N/A
ip rip
Enables the Routing Information Protocol (RIP) version on a virtual routing interface.
NOTE: This command applies only to IP forwarding (Layer 3 IP).
EXAMPLE:
ServerIron(config-rip-router)# interface ve 1
ServerIron(config-vif-1)# ip rip v1-only
This command changes the CLI to the configuration level for virtual routing interface 1 and enables RIP version 1 on the interface. You must specify the version.
Syntax: [no] ip rip v1-only | v1-compatible-v2 | v2-only
Possible values: See above
Default value: Disabled; no version specified
ip rip learn-default
Enables the ServerIron to learn RIP default routes.
NOTE: This command applies only to IP forwarding (Layer 3 IP).
EXAMPLE:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip rip learn-default
Syntax: [no] ip rip learn-default
Possible values: N/A
Default value: Disabled
ip rip poison-reverse
Changes the method of loop prevention that RIP uses.
NOTE: This command applies only to IP forwarding (Layer 3 IP).
RIP can use one of the following loop-prevention methods:
• Split horizon – The ServerIron does not advertise a route on the same interface as the one on which the ServerIron learned the route.
• Poison reverse – The ServerIron assigns a cost of 16 (“infinite” or “unreachable”) to a route before advertising it on the same interface as the one on which the ServerIron learned the route. This is the default.
NOTE: These methods are in addition to RIP’s maximum valid route cost of 15.
EXAMPLE:
To enable split horizon, enter commands such as the following:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# no ip rip poison-reverse
Syntax: [no] ip rip poison-reverse
Possible values: See above
Default value: Poison reverse
ip tcp burst
Causes the Foundry device to drop TCP SYN packets when excessive numbers are encountered, as is the case when the device is the victim of a TCP SYN attack. This command allows you to set threshold values for TCP SYN packets targeted at the router and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of TCP SYN packets received per second exceeds 10, the excess packets are dropped. If the number of TCP SYN packets received per second exceeds 100, the device drops all TCP SYN packets for the next 300 seconds (five minutes).
ServerIron(config)# int e 1
ServerIron(config-if-e100-1)# ip tcp burst-normal 10 burst-max 100 lockup 300
Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds>
The burst-normal value can be from 1 – 100000.
The burst-max value can be from 1 – 100000.
The lockup value can be from 1 – 10000.
The number of incoming TCP SYN packets per second is measured and compared to the threshold values as follows:
• If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are dropped.
• If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.
Possible values: The burst-normal and burst-max values can be between 1 – 100000 packets. The burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 – 10000 seconds.
Default value: N/A
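The ip icmp burst command earlier in this chapter and ip tcp burst share one three-value threshold scheme. As an added example (not ServerIron code), the Python below models that scheme with a per-second packet counter and runs constructed packet timestamps through the TCP SYN values used above (burst-normal 10, burst-max 100, lockup 300). The validation mirrors the ranges and ordering rule in the Possible values text; the exact instant at which the lockup window begins is an assumption of the model, since the page says only that it starts once burst-max is exceeded.

```python
"""Added example, not ServerIron code: a model of the burst-normal /
burst-max / lockup thresholds shared by ip icmp burst and ip tcp burst."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class BurstLimiter:
    burst_normal: int   # per-second count above which the excess packets are dropped
    burst_max: int      # per-second count above which a lockup begins
    lockup: int         # seconds during which every packet is dropped
    _second: Optional[int] = None       # measurement second currently being counted
    _count: int = 0                     # packets seen so far in that second
    _locked_until: Optional[float] = None

    def __post_init__(self) -> None:
        # Ranges and ordering rule taken from the Possible values text.
        if not (1 <= self.burst_normal <= 100000 and 1 <= self.burst_max <= 100000):
            raise ValueError("burst-normal and burst-max must be 1 - 100000")
        if self.burst_normal >= self.burst_max:
            raise ValueError("burst-normal must be smaller than burst-max")
        if not 1 <= self.lockup <= 10000:
            raise ValueError("lockup must be 1 - 10000 seconds")

    def accept(self, t: float) -> bool:
        """Return True if a packet arriving at time t (seconds) is forwarded."""
        if self._locked_until is not None:
            if t < self._locked_until:
                return False              # lockup in effect: drop everything
            self._locked_until = None     # lockup expired: reset counter, restart measurement
            self._second = None
        sec = int(t)
        if sec != self._second:
            self._second, self._count = sec, 0
        self._count += 1
        if self._count > self.burst_max:
            # Assumption of this model: the lockup window starts at the packet
            # that crossed burst-max and lasts exactly `lockup` seconds.
            self._locked_until = t + self.lockup
            return False
        return self._count <= self.burst_normal


def run(limiter: BurstLimiter, times: Iterable[float]) -> Dict[str, int]:
    """Feed timestamps through the limiter and count the outcomes."""
    result = {"forwarded": 0, "dropped": 0}
    for t in times:
        result["forwarded" if limiter.accept(t) else "dropped"] += 1
    return result


def constructed_scenario() -> Dict[str, Dict[str, int]]:
    """Run constructed SYN arrival times through the page's 10 / 100 / 300 values."""
    lim = BurstLimiter(burst_normal=10, burst_max=100, lockup=300)
    out: Dict[str, Dict[str, int]] = {}
    # 50 SYNs within second 0: the first 10 are forwarded, the other 40 dropped, no lockup.
    out["mild_burst"] = run(lim, (i * 0.02 for i in range(50)))
    # 150 SYNs within second 1: 10 forwarded, 90 dropped as excess, then the 101st
    # crosses burst-max and starts the 300 s lockup; the remaining 49 are dropped too.
    out["flood"] = run(lim, (1.0 + i * 0.005 for i in range(150)))
    # One SYN during the lockup is dropped; one after it has expired is forwarded again.
    out["during_lockup"] = run(lim, [200.0])
    out["after_lockup"] = run(lim, [302.0])
    return out


if __name__ == "__main__":
    for phase, counts in constructed_scenario().items():
        print(f"{phase:14s} {counts}")
```

Two consequences of the scheme become visible in the run: burst-normal trims only the excess of a mild burst and still forwards the first packets of every second, whereas once burst-max is crossed nothing at all is forwarded, legitimate traffic included, until the lockup expires. That is the trade-off to weigh when choosing values for a port that carries real ICMP or SYN traffic.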
ip tcp syn-proxy
Enables the SYN-Guard feature on individual ports on the ServerIron 400 or ServerIron 800. This feature can be applied to inbound SYN requests (for Web site traffic) and/or outbound SYN requests (for ISP and institution outgoing traffic).
EXAMPLE:
To use the SYN-Guard feature for inbound SYN requests on interface 3/1:
ServerIron(config)# interface e 3/1
ServerIron(config-if-3/1)# ip tcp syn-proxy in
Syntax: ip tcp syn-proxy in | out
When applied to inbound SYN requests, the SYN-Guard feature can be used with all ServerIron features, including TCS, FWLB, and SLB. However, when applied to outbound SYN requests, the SYN-Guard feature is the only process that can act on the packet.
Possible values: N/A
Default value: N/A
ipg10
This command allows you to modify the inter-packet gap (delay) between packets on a 10Mbps Ethernet segment. By default, the delay between packets is 12 bytes or 9.6 microseconds.
Use this command only to adjust the inter-packet gap to match older adapters that do not meet the default IPG requirements for Ethernet.
In determining the value to enter in the CLI command, note that one byte equals .8 microseconds for packets on a 10Mbps segment, so the following equation can be used:
IPG10 = 9.6 microseconds + (value * .8), where value is the number of bytes by which you want to increase the inter-packet gap.
EXAMPLE:
To increase the delay between packets by 3.2 microseconds, enter the port to be modified and then enter the value of 4 (4 * .8 = 3.2 microseconds).
ServerIron(config)# int e 4
ServerIron(config-if-4)# ipg10 4
Syntax: ipg10 <value>
Possible values: 0 – 100 bytes
Default value: 12 bytes or ipg10 0
NOTE: Entering the value of 0 within the ipg10, ipg100, and ipg1000 commands restore the inter-packet gap (IPG) to the default of 12 bytes.
ipg100
This command allows you to modify the inter-packet gap (delay) between packets on a 100Mbps Ethernet segment on a port-by-port basis. By default, the delay between packets is 12 bytes or 0.96 microseconds.
Use this command only to adjust the inter-packet gap to match that of older adapters that do not meet the default IPG requirements for Fast Ethernet.
In determining the value to enter in the CLI command, note that one byte equals .08 microseconds for packets on a 100Mbps segment, so the following equation can be used:
IPG100 = 0.96 microseconds + (value * .08), where value is the number of bytes by which you want to increase the inter-packet gap.
EXAMPLE:
To increase the delay between packets by 3.2 microseconds, enter the port to be modified and then enter the value of 40 (40 * .08 = 3.2 microseconds).
ServerIron(config)# int e 3
ServerIron(config-if-3)# ipg100 40
Syntax: ipg100 <value>
Possible values: 0 – 100
Default value: 12 bytes or ipg100 0
ipg1000
This command allows you to modify the inter-packet gap (delay) between packets on a 1000Mbps Gigabit Ethernet segment on a port-by-port basis. By default, the delay between packets is 12 bytes or .096 microseconds.
Use this command only to adjust the inter-packet gap to match that of older adapters that do not meet the default IPG requirements for Gigabit Ethernet.
In determining the value to enter in the CLI command, note that one byte equals .008 microseconds for packets on a 1000Mbps segment, so the following equation can be used:
IPG1000 = .096 microseconds + (value * .008), where value is the number of bytes by which you want to increase the inter-packet gap.
EXAMPLE:
To increase the delay between packets by .32 microseconds, first enter the port to be modified and then enter the value of 40 (40 * .008 = .32 microseconds).
ServerIron(config)# int e 3
ServerIron(config-if-3)# ipg1000 40
Syntax: ipg1000 <value>
Possible values: 1 – 100
Default value: 12 bytes or ipg1000 0
mac filter-group
Applies a group of MAC filters to an interface. You can configure one filter group on each interface.
NOTE: You must define the filters at the global CONFIG level using the mac filter command (see “mac filter” on page 6-50) before you can apply them in a filter group.
NOTE: The filters must be applied as a group. For example, if you want to apply four filters to an interface, they must all appear on the same command line.
NOTE: You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply the filter group again containing all the filters you want to apply to the port.
NOTE: If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced by the new filter group.
EXAMPLE:
To apply MAC filters 1, 2, 3, and 1024 to interface 6, enter the following command:
ServerIron(config)# int e 6
ServerIron(config-if-6)# mac filter-group 1 2 3 1024
Syntax: mac filter-group <filter-list>
Possible values: 1 – 1024
Default value: N/A
monitor
This allows you to select a port to be diagnosed by a designated mirror port. You can configure incoming, outgoing or both incoming and outgoing traffic to be monitored on the port.
EXAMPLE:
To monitor both incoming and outgoing traffic on interface 5:
ServerIron(config)# interface e5
ServerIron(config-if-5)# monitor both
Syntax: monitor input | output | both
Possible values: N/A
Default value: Disabled
multicast limit
Specifies the maximum number of multicast packets the device can forward each second. By default the device sends multicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited multicast traffic, this command allows you to relieve those devices by throttling the multicasts at the Foundry device.
NOTE: The multicast limit does not affect broadcast or unicast traffic. However, you can use the broadcast limit and unknown-unicast limit commands to control these types of traffic. See “broadcast limit” on page 8-1 and “unknown-unicast limit” on page 8-14.
EXAMPLE:
ServerIron(config)# interface e5
ServerIron(config-if-5)# multicast limit 30000
Syntax: multicast limit <num>
Possible values: 0 – 4294967295
Default value: N/A
neg-off
Overrides the default negotiation mode for a Gigabit port on Chassis devices. When you invoke this command, the port does not try to perform a handshake. Instead, the port uses configuration information manually configured by an administrator.
EXAMPLE:
To change the negotiation mode for the port to negotiation-off:
ServerIron(config)# int e3
ServerIron(config-if-3)# neg-off
Syntax: neg-off
Possible values: N/A
Default value: N/A
no
This command disables other commands. To disable a command, place the word no before the command.
phy-mode
If a port on a ServerIron is to be attached to a Bay Networks™ 28000 switch, enter this command at the Interface Level as shown below.
This command helps the ServerIron to adjust to interoperability requirements of the 28000.
EXAMPLE:
ServerIron(config)# int e3
ServerIron(config-if-3)# phy-mode 28k
Syntax: phy-mode 28k
Possible values: 28k
Default value: Option is turned off.
port-name
Assignment of a name to an interface provides additional identification for a segment on the network.
EXAMPLE:
ServerIron(config)# interface e 1
ServerIron(config-if-1)# port-name marketing-funk
Syntax: port-name <text>
Possible values: N/A
Default value: N/A
pvst-mode
Statically enables support for Cisco Systems’ Per VLAN Spanning Tree (PVST).
PVST/PVST+ support is automatically enabled on a port if the port receives a BPDU in PVST/PVST+ format. However, you can statically enable PVST/PVST+ support on a port if desired. In this case, the support is enabled immediately and support for Foundry tagged BPDUs is disabled at the same time.
NOTE: When PVST/PVST+ support is enabled on a port, support for Foundry BPDUs is disabled.
For more information, see the "Configuring Spanning Tree Protocol (STP) and IronSpan" chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
To enable PVST/PVST+ support on a port, enter commands such as the following:
ServerIron(config)# interface ethernet 1/1
ServerIron(config-if-1/1)# pvst-mode
Syntax: [no] pvst-mode
NOTE: If you disable PVST/PVST+ support, the software still automatically enables PVST/PVST+ support if the port receives an STP BPDU with PVST/PVST+ format.
Possible values: N/A
Default value: Enabled automatically when a PVST/PVST+ BPDU is received on the port
qos-priority
Sets the Quality-of-Service (QoS) priority level for a port, VLAN, static MAC address, or Layer 4 session. You can select the normal queue or the high-priority queue. All traffic is in the normal queue by default. When you allocate a port, VLAN, static MAC address, or Layer 4 session to the high-priority queue, all traffic queued up for that item is processed before any traffic in the normal queue for the same item is processed.
QoS applies to outbound traffic only.
EXAMPLE:
To allocate port 6 traffic to the high-priority queue, enter the following command:
ServerIron(config)# interface e 6
ServerIron(config-if-6)# qos-priority high
Syntax: qos-priority normal | high
Possible values: normal or high
Default value: normal
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-if-6)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
spanning-tree
Spanning tree can be disabled or enabled on an interface basis.
EXAMPLE:
To disable spanning tree on physical port 4 of a system with no VLANs operating, enter the following:
ServerIron(config)# interface ethernet 4
ServerIron(config-if-4)# no spanning-tree
EXAMPLE:
To disable spanning tree on physical port 4 of a system within VLAN 2, enter the following:
ServerIron(config)# vlan 2
ServerIron(config-vlan-2)# no spanning-tree
Syntax: [no] spanning-tree
Possible values: N/A
Default value: Disabled
speed-duplex
Modifies port speed and duplex. It defines the speed and duplex mode for 10BaseT and 100BaseTx ports.
Gigabit (1000BaseSx and 1000BaseLx) and 100BaseFx ports operate at a fixed speed and mode (full-duplex) and cannot be modified.
EXAMPLE:
ServerIron(config)# interface e8
ServerIron(config-if-8)# speed-duplex 10-full
Syntax: speed-duplex <value>
Possible values: 10-full, 10-half, 100-full, 100-half, auto
Default value: 10/100 autosense
unknown-unicast limit
Specifies the maximum number of unknown-unicast packets the device can forward each second. By default the device sends unknown unicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited unknown-unicast traffic, this command allows you to relieve those devices by throttling the unknown unicasts at the Foundry device.
NOTE: The unknown-unicast limit does not affect broadcast or multicast traffic. However, you can use the broadcast limit and multicast limit commands to control these types of traffic. See “broadcast limit” on page 8-1 and “multicast limit” on page 8-11.
EXAMPLE:
ServerIron(config)# interface e8
ServerIron(config-if-8)# unknown-unicast limit 30000
Syntax: unknown-unicast limit <num>
Possible values: 0 – 4294967295
Default value: N/A
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
ServerIron(config-if-8)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-if-8)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 9
VLAN Commands
always-active
Configures a link between active and standby ServerIrons in some FWLB configurations to forward Layer 2 traffic without causing loops. See the Foundry ServerIron Firewall Load Balancing Guide.
atalk-proto
This command creates an AppleTalk protocol VLAN within a ServerIron port-based VLAN when entered at the VLAN Level. All ports are assumed by default to be members of the VLAN when initially created. Protocol VLAN membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create an AppleTalk Protocol VLAN with permanent port membership of 9 and 13 and no dynamic ports within an already defined port-based VLAN 2, enter the following commands.
ServerIron(config)# vlan 2
ServerIron(config-vlan-2)# atalk-proto
ServerIron(config-vlan-atalk-proto)# static e 9 e 13
ServerIron(config-vlan-atalk-proto)# no dynamic
NOTE: If configuring this on a switch, enter vlan 2 by port at the CONFIG Level versus vlan 2, as shown in the example above.
Syntax: atalk-proto [<name>]
The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. For example, to name an AppleTalk VLAN, enter the following command:
ServerIron(config)# atalk-proto name AppleVLAN1
To name an IP VLAN, enter the following commands:
ServerIron(config)# ip-proto 192.75.5.0/24 name "Ship and Recv"
This example shows how to specify a name that contains a blank. Use double quotation marks before and after the name.
Possible values: N/A
Default value: N/A
decnet-proto
This command creates a Decnet protocol VLAN within a ServerIron port-based VLAN, when entered at the VLAN Level. All ports are assumed by default to be members of the VLAN when initially created. Protocol VLAN membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create a Decnet protocol VLAN with permanent port membership of 15 and 16 with port 17 as dynamic member port, within VLAN 5, enter the following commands.
ServerIron(config)# vlan 5
ServerIron(config-vlan-5)# decnet-proto
ServerIron(config-vlan-decnet-proto)# exclude e 1 to 14 e18
NOTE: If configuring this on a switch, enter vlan 5 by port at the CONFIG Level versus vlan 5, as shown in the example above.
Syntax: decnet-proto [<name>]
The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. The name can contain blank spaces if you use double quotation marks before and after the name.
Possible values: N/A
Default value: N/A
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-vlan-decnet-proto)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity moves to the port-based VLAN level if you are configuring a protocol VLAN. If you are configuring a port-based VLAN, activity moves to the global level.
EXAMPLE:
ServerIron(config-vlan-decnet-proto)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
ip-proto
This command creates an IP protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership by using the static or exclude commands.
NOTE: If configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are not dynamically allocated to IP protocol VLANs.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IP protocol VLAN within VLAN 7, enter the following:
ServerIron(config)# vlan 7
ServerIron(config-vlan-7)# ip-proto
ServerIron(config-vlan-ip-proto)# static e 1 to 2 e 6 e 8
NOTE: If configuring this on a switch, enter vlan 7 by port at the CONFIG Level versus vlan 7, as shown in the example above.
NOTE: An IP protocol and IP sub-net VLAN cannot both be configured to operate on a ServerIron at the same time. This restriction is also true for IPX and IPX network VLANs.
Syntax: ip-proto [<name>]
The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
Possible values: N/A
Default value: N/A
ip-subnet
This command creates an IP sub-net protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level. This provides finer granularity than an IP protocol VLAN by partitioning the broadcast domains by sub-net. In creating an IP sub-net VLAN, an IP address is used as the identifier.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership by using the static or exclude commands.
NOTE: When configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are not dynamically allocated to IP sub-net VLANs.
EXAMPLE:
To create an IP sub-net of IP address 192.75.3.0 with permanent port membership of 1 and 2 (module 2), within VLAN 10, enter the following commands.
ServerIron(config)# vlan 10
ServerIron(config-vlan-10)# ip-subnet 192.75.3.0 255.255.255.0
ServerIron(config-vlan-ip-subnet)# static e 1 to 2
NOTE: If configuring this on a switch, enter vlan 10 by port at the CONFIG Level versus vlan 10, as shown in the example above.
NOTE: An IP protocol and IP sub-net VLAN cannot both be configured to operate simultaneously on a Foundry switch or router. This restriction is also true for IPX and IPX Network VLANs.
Syntax: ip-subnet <ip-addr> <ip-mask> [<name>]
The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. The name can contain blank spaces if you use double quotation marks before and after the name.
Possible values: N/A
Default value: N/A
ipx-network
This command creates an IPX network VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level. This provides finer granularity than the IPX protocol VLAN by partitioning the broadcast domains by IPX network number. In creating an IPX network VLAN, an IPX network number is used as the identifier. The frame type must also be specified.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership by using the static or exclude commands.
NOTE: When configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are not dynamically allocated to IPX network VLANs.
EXAMPLE:
To create an IPX network VLAN with a network number of 500 and frame type of 802.2 with permanent port membership of 10 and 14 within port-based VLAN 15, enter the following commands.
ServerIron(config)# vlan 15
ServerIron(config-vlan-15)# ipx-network 500 ethernet_802.2
ServerIron(config-vlan-ipx-proto)# static e 10 e 14
Syntax: ipx-network <ipx-network-number> <frame-type> [<name>]
NOTE: If configuring this on a switch, enter vlan 15 by port at the CONFIG Level versus vlan 15, as shown in the example above.
NOTE: An IPX network and IPX protocol VLAN cannot both be configured to operate simultaneously on a Foundry switch or router. This restriction is also true for IP protocol and IP sub-net VLANs.
Possible values: Frame type: ethernet_ii, ethernet_802.2, ethernet_802.3, ethernet_snap
The <name> parameter can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
Default value: N/A
ipx-proto
This command creates an IPX protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership by using the static or exclude commands.
NOTE: If configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are not dynamically allocated to IPX protocol VLANs.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IPX protocol VLAN within port-based VLAN 22, enter the following:
ServerIron(config)# vlan 22
ServerIron(config-vlan-22)# ipx-proto
ServerIron(config-vlan-ipx-proto)# static e 1 to 2 e 6 e 8
NOTE: If configuring this on a switch, enter vlan 22 by port at the CONFIG Level versus vlan 22, as shown in the example above.
NOTE: An IPX protocol and IPX network VLAN cannot both be configured to operate simultaneously on a Foundry switch or router. This restriction is also true for IP and IP sub-net VLANs.
Syntax: ipx-proto [<name>]
The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. The name can contain blank spaces if you use double quotation marks before and after the name.
Possible values: N/A
Default value: N/A
netbios-proto
This command creates a NetBIOS protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level.
All ports are dynamically allocated to a NetBIOS VLAN when it is created. VLAN membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create a NetBIOS Protocol VLAN with permanent port membership of 4 and 5 and ports 8 through 12 as dynamic member ports, within port-based VLAN 25, enter the following commands.
ServerIron(config)# vlan 25
ServerIron(config-vlan-25)# netbios-proto
ServerIron(config-vlan-netbios-proto)# static e 4 e 5
ServerIron(config-vlan-netbios-proto)# exclude e 1 to 3 e 6 e 7 e 13 to 16
NOTE: If configuring this on a switch, enter vlan 25 by port at the CONFIG Level versus vlan 25, as shown in the example above.
Syntax: netbios-proto [<name>]
The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. The name can contain blank spaces if you use double quotation marks before and after the name.
Possible values: N/A
Default value: N/A
no
This command is used to disable other commands. To do so, place the word no before the command.
other-proto
This command creates an other-protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level.
All ports of the ServerIron are by default dynamically assigned to a newly created other-protocol VLAN. VLAN membership can be modified using the dynamic, static, or exclude commands.
You can use this option to define a protocol-based VLAN for protocols that do not require a singular protocol broadcast domain or are not currently supported on the ServerIron.
EXAMPLE:
On a 16-port switch, ports 13 through 16 carry DECnet and AppleTalk traffic. You do not need to separate this traffic by protocol into separate broadcast domains. Instead, create an other-protocol VLAN with just those ports as members, within port-based VLAN 50.
ServerIron(config)# vlan 50
ServerIron(config-vlan-50)# other-proto
ServerIron(config-vlan-other-proto)# static e13 to 16
ServerIron(config-vlan-other-proto)# exclude e1 to 12
NOTE: If configuring this on a switch, enter vlan 50 by port at the CONFIG Level versus vlan 50, as shown in the example above.
Syntax: other-proto [<name>]
The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. The name can contain blank spaces if you use double quotation marks before and after the name.
Possible values: N/A
Default value: N/A
priority
This assigns a higher priority to a VLAN so that in times of congestion, it will receive precedence over other transmissions. Up to eight levels of priority can be assigned to a VLAN.
EXAMPLE:
ServerIron(config)# vlan 25
ServerIron(config-vlan-25)# priority high
Syntax: priority normal | high
Possible values: N/A
Default value: N/A
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-vlan-6)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
router-interface
Configures a virtual routing interface for use with IP forwarding. After you add the virtual routing interface, you can configure IP addresses on the routing interface.
EXAMPLE:
ServerIron(config)# vlan 1
ServerIron(config-vlan-1)# router-interface ve 1
The vlan 1 command changes the CLI to the configuration level for VLAN 1. The router-interface ve 1 command adds virtual routing interface 1.
Syntax: [no] router-interface ve <num>
The <num> parameter specifies the interface ID and can be from 1 – 24.
Possible values: 1 – 24
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
spanning-tree
Spanning Tree bridge and port parameters are configurable using one command set at the global level for VLANs.
NOTE: When port-based VLANs are not operating on the system, spanning tree is set on a system level at the Global CONFIG Level.
EXAMPLE:
Suppose you want to change the hello-time value of VLAN 3 from the default value. Additionally, you want to change the path and priority costs for port 5, a member of VLAN 3. Enter the following commands:
ServerIron(config)# vlan 3
ServerIron(config-vlan-3)# span hello-time 8
ServerIron(config-vlan-3)# span ethernet 5 path-cost 15 priority 64
NOTE: You do not need to configure values for the spanning tree parameters. All parameters have default values as noted below. Additionally, all values will be globally applied to all ports on the system or port-based VLAN for which they are defined.
To configure a specific path-cost or priority value for a given Ethernet port, enter those values using the key words found in the brackets [ ] shown in the syntax summary below. If you do not want to specify any specific values for any given Ethernet port, this portion of the command is not required.
Syntax: spanning-tree [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value> hello-time <value> maximum-age <time> priority <value>
Bridge STP Parameters (applied to all ports within a VLAN)
• Forward Delay: the period of time a bridge will wait (the listen and learn period) before forwarding data packets. Possible values: 4 – 30 seconds. Default is 15.
• Maximum Age: the interval a bridge will wait for receipt of a hello packet before initiating a topology change. Possible values: 6 – 40 seconds. Default is 20.
• Hello Time: the interval of time between each configuration BPDU sent by the root bridge. Possible values: 1 – 10 seconds. Default is 2.
• Priority: a parameter used to identify the root bridge in a network. The bridge with the lowest value has the highest priority and is the root. Possible values: 0 – 255. Default is 128.
Port Parameters (applied to a specified port within a VLAN)
• Path Cost: a parameter used to assign a higher or lower path cost to a port. Possible values: 1 – 65535. Default is (1000/Port Speed) for Half-Duplex ports and is (1000/Port Speed)/2 for Full-Duplex ports.
• Priority: value determines when a port will be rerouted in relation to other ports. Possible values: 0 – 255. Default is 128.
static-mac-address
This command allows you to define a static MAC address for a port on a ServerIron so that the entry is not aged out. When defining the MAC address entry, you can also define the port’s priority and whether it is a router-type or host-type.
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the entry applies to that VLAN and not to the default VLAN.
NOTE: If you want to include a trunk group when you configure a static MAC entry that has multiple ports, include only the primary port of the trunk group. If you include all the trunk group’s ports, the ServerIron uses all the ports to forward traffic for the MAC address instead of using only the active trunk port.
EXAMPLE:
To enter a static MAC address entry for port 5, that is also resident in port-based VLAN 4, enter the following:
ServerIron(config)# vlan 4
ServerIron(config-vlan-4)# static-mac-address 023.876.735 ethernet 5 high-priority router-type
The syntax for adding static MAC entries differs depending on whether you are using a stackable or chassis ServerIron.
Syntax for chassis devices:
Syntax: static-mac-address <mac-addr> ethernet <portnum> [priority <0-7>] [host-type | router-type]
Syntax for stackable devices:
Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]
The priority can be 0 – 7 (0 is lowest and 7 is highest) for chassis devices and either normal-priority or high-priority for stackable devices.
NOTE: The fixed-host parameter is supported only on stackable ServerIrons. Use the fixed-host parameter for Layer 2 firewall configurations. The parameter "fixes" the address to the ServerIron port you specify and prevents other ports on the ServerIron from learning it. Use the router-type parameter for all other types of FWLB configurations. For more information, see the Foundry ServerIron Firewall Load Balancing Guide.
To create a static MAC entry that is associated with multiple ports, enter a command such as the following:
ServerIron(config-vlan-4)# static-mac-address aaaa.bbbb.cccc ethernet 1 ethernet 3 to 5
This command creates a static MAC entry that is associated with port 1 and ports 3 – 5. The ServerIron forwards traffic addressed to aaaa.bbbb.cccc out all the ports you specified, in this case 1, 3, 4, and 5.
Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]
Foundry recommends that you configure a static ARP entry to match the static MAC entry. In fact, the software automatically creates a static MAC entry when you create a static ARP entry.
NOTE: When a static MAC entry has a corresponding static ARP entry, you cannot delete the static MAC entry unless you first delete the static ARP entry.
To create a static ARP entry for a static MAC entry, enter a command such as the following:
ServerIron(config-vlan-4)# arp 1 192.53.4.2 aaaa.bbbb.cccc ethernet 1
NOTE: The arp command allows you to specify only one port number. To create a static ARP entry for a static MAC entry that is associated with multiple ports, specify the first (lowest-numbered) port associated with the static MAC entry.
Possible values: See above.
Default value: See above.
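The two rules stated above for static MAC entries (Foundry recommends a matching static ARP entry, and an ARP entry for a multi-port static MAC entry must name the lowest-numbered port) can be checked mechanically. The following Python checker is an added example, not Foundry code; it assumes a saved configuration with one command per line, and the sample config is constructed.

```python
# Added example (not Foundry code): check static-mac-address / arp consistency
# in a ServerIron-style configuration.  Assumes one command per line.
import re

PORT_RE = re.compile(r"(?:(\d+)/)?(\d+)")          # "5" (stackable) or "3/5" (chassis)
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")
PORT_KEYWORDS = ("e", "ethernet")


def port_id(token):
    """Turn '5' or '3/5' into a sortable (slot, port) tuple; stackable ports get slot 0."""
    m = PORT_RE.fullmatch(token)
    if not m:
        raise ValueError(f"bad port number {token!r}")
    return (int(m.group(1) or 0), int(m.group(2)))


def port_name(pid):
    slot, port = pid
    return f"{slot}/{port}" if slot else str(port)


def parse_port_list(tokens):
    """Expand 'ethernet <p> [to <p>] [ethernet <p> ...]' into a sorted list of port ids."""
    ports, i = set(), 0
    while i < len(tokens):
        if tokens[i] not in PORT_KEYWORDS or i + 1 >= len(tokens):
            raise ValueError(f"expected 'ethernet <port>' at {tokens[i:]!r}")
        start = port_id(tokens[i + 1])
        i += 2
        if i < len(tokens) and tokens[i] == "to":
            if i + 1 >= len(tokens):
                raise ValueError("'to' without an end port")
            end = port_id(tokens[i + 1])
            if end[0] != start[0] or end[1] < start[1]:
                raise ValueError(f"bad range {port_name(start)} to {port_name(end)}")
            ports.update((start[0], p) for p in range(start[1], end[1] + 1))
            i += 2
        else:
            ports.add(start)
    return sorted(ports)


def _port_tokens(tokens):
    """Take the leading port-list tokens, stopping at the first option keyword
    (priority, high-priority, router-type, fixed-host, ...)."""
    out = []
    for t in tokens:
        if t in PORT_KEYWORDS or t == "to" or PORT_RE.fullmatch(t):
            out.append(t)
        else:
            break
    return out


def check_static_mac_arp(config_text):
    """Return findings for static MAC entries that lack a static ARP entry and for
    static ARP entries that do not use the lowest-numbered port of the MAC entry."""
    mac_ports, arp_ports = {}, {}
    for line in config_text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "static-mac-address" and len(t) > 2 and MAC_RE.fullmatch(t[1].lower()):
            mac_ports[t[1].lower()] = parse_port_list(_port_tokens(t[2:]))
        elif t[0] == "arp" and len(t) == 6 and t[4] in PORT_KEYWORDS:
            # arp <num> <ip> <mac> ethernet <port>
            arp_ports[t[3].lower()] = port_id(t[5])
    findings = []
    for mac, ports in sorted(mac_ports.items()):
        if mac not in arp_ports:
            findings.append(f"{mac}: static MAC entry has no matching static ARP entry")
        elif arp_ports[mac] != ports[0]:
            findings.append(f"{mac}: arp uses port {port_name(arp_ports[mac])}, "
                            f"expected lowest port {port_name(ports[0])}")
    return findings


# Constructed sample config (not from the manual) exercising both rules.
SAMPLE_CONFIG = """\
vlan 4
 static-mac-address aaaa.bbbb.cccc ethernet 1 ethernet 3 to 5
 arp 1 192.53.4.2 aaaa.bbbb.cccc ethernet 1
 static-mac-address 0000.1111.2222 ethernet 2 to 4 high-priority router-type
 arp 2 192.53.4.3 0000.1111.2222 ethernet 3
 static-mac-address 0000.3333.4444 ethernet 8 fixed-host
"""

if __name__ == "__main__":
    for finding in check_static_mac_arp(SAMPLE_CONFIG):
        print(finding)
```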
tagged
Once a port-based VLAN is created, port membership for that VLAN must be defined. To assign a port to a port-based VLAN, either the tagged or untagged command is used. When a port is tagged, it can be a member of multiple port-based VLANs.
When a port is tagged, it allows communication among the different VLANs to which it is assigned. A common use is to place an email server that several groups need to reach on a tagged port that is a member of every VLAN those groups belong to.
EXAMPLE:
To make port 5 (module 5) a tagged member of port-based VLAN 4, enter the following:
ServerIron(config)# vlan 4
ServerIron(config-vlan-4)# tagged ethernet 3/5
Syntax: tagged ethernet <portnum> [to <portnum> [ethernet <portnum>]]
Possible values: see above.
Default value: N/A
untagged
Once a port-based VLAN is created, port membership for that VLAN must be defined. To assign a port to a port-based VLAN, either the tagged or untagged command is used. When a port is ‘untagged’ it can only be a member of one VLAN.
EXAMPLE:
Suppose you want to assign all ports on a 16-port ServerIron except port 5 (module 3) as untagged to a VLAN. To assign ports 1-4 and 6-16 to VLAN 4, enter the following:
ServerIron(config)# vlan 4
ServerIron(config-vlan-4)# untagged ethernet 3/1 to 3/4 e 3/6 to 3/16
Syntax: untagged ethernet <portnum> [to <portnum> ethernet <portnum>]
Possible values: see above.
Default value: N/A
uplink-switch
Configures a set of ports within a port-based VLAN as uplink ports for the VLAN. All broadcast and unknown-unicast traffic goes only to the uplink ports, not to the other ports in the VLAN.
For more information, see the "Configuring Virtual LANs (VLANs)" chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
To configure a port-based VLAN containing uplink ports, enter commands such as the following:
ServerIron(config)# vlan 10 by port
ServerIron(config-vlan-10)# untag ethernet 1/1 to 1/24
ServerIron(config-vlan-10)# untag ethernet 2/1 to 2/2
ServerIron(config-vlan-10)# uplink-switch ethernet 2/1 to 2/2
Syntax: [no] uplink-switch ethernet <portnum> [to <portnum> | ethernet <portnum>]
In this example, 24 ports on a 10/100 module and two Gigabit ports on a Gigabit module are added to port-based VLAN 10. The two Gigabit ports are then configured as uplink ports.
Possible values: see above.
Default value: N/A
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
ServerIron(config-vlan-4)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-vlan-4)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 10 Real Server Commands
asymmetric
Overrides the ServerIron’s default mechanism for checking the health of cache servers. Normally, the ServerIron uses cache responses forwarded back through the ServerIron as indications of a cache server’s health. However, in some topologies the cache responses do not pass through the ServerIron.
EXAMPLE:
ServerIron(config-rs-realserver1)# asymmetric
Syntax: asymmetric
Possible values: N/A
Default value: Disabled
backup
Designates a real server to be a backup server.
By default, the virtual server uses the locally attached real servers (added using the server real-name command) as the primary load-balancing servers and uses the remotely attached servers (added using the server remote-name command) as backups.
NOTE: This command applies only to the ServerIron 400 or ServerIron 800 running software release 07.2.23 or later.
EXAMPLE:
ServerIron(config-rs-R3)# backup
Syntax: [no] backup
You also need to configure virtual servers to use the primary and backup servers you designate. See “port” on page 11-3.
Possible values: N/A
Default value: Primary if locally attached; backup if remotely attached
clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in “Privileged EXEC Commands” on page 5-1.
clone-server
Makes a copy ("clone") of a real server’s configuration. When you clone a real server, you make a copy of the real server’s configuration information under a new name. The copy includes the port bindings to the virtual server.
EXAMPLE:
ServerIron(config)# server real rs1 1.2.3.4
ServerIron(config-rs-rs1)# clone-server rs2 5.6.7.8
The first command changes the CLI to the configuration level for the real server you want to copy. The second command creates a clone of real server rs1. The clone is named "rs2" and has IP address 5.6.7.8.
Syntax: clone-server <name> <ip-addr>
The <name> parameter specifies the name of the clone.
The <ip-addr> parameter specifies the IP address of the clone.
NOTE: To delete a server clone, you must manually edit the startup-config file to remove the command. The "no" option is not supported for this command.
Possible values: See above
Default value: N/A
description
Adds a description to a real server, virtual server, firewall, or cache. The description appears in the output of show commands and in the running-config and startup-config files.
EXAMPLE:
ServerIron(config)# server real RS20 1.2.3.4
ServerIron(config-rs-RS20)# description "Real Server # 20"
Syntax: description <"text">
Possible values: N/A
Default value: N/A
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-rs-webland)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exceed-max-drop
Drops HTTP requests when all the real servers in a server group have reached their maximum number of connections.
EXAMPLE:
ServerIron(config)# server real-name server1 207.95.7.1
ServerIron(config-rs-server1)# exceed-max-drop
ServerIron(config-rs-server1)# exit
Syntax: exceed-max-drop
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-rs-webland)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
filter-match
This command enables policy-based caching, which selectively caches web sites on specific cache servers. For example, an ISP can use a ServerIron configured for policy-based caching to redirect HTTP traffic to a series of web cache servers made by different vendors with different caching criteria.
To take advantage of policy-based caching, you also need to define IP access policy filters.
EXAMPLE:
ServerIron(config-rs-fixedcontent)# filter-match
Syntax: filter-match
Possible values: N/A
Default value: N/A
history-group
This command is used with the Layer 4 statistics monitoring function on the ServerIron. This command binds a history list to a real server. You can bind up to 8 history lists to a real server or port on a real server.
EXAMPLE:
To bind history list 1 to port 80 (HTTP) on real server aaa:
ServerIron(config)# server real aaa
ServerIron(config-rs-aaa)# port http history-group 1
Syntax: history-group <entry-numbers>
Possible values: You can bind up to 8 history lists to a real server or port on a real server
Default value: N/A
host-range
Creates a range of contiguous virtual IP addresses (VIPs) based on the VIP address of the virtual server. The ServerIron creates the range by creating the number of VIPs that you specify with this command. You do not specify a range; you specify the number of hosts in the range. The beginning address in the range is always the VIP.
NOTE: The IP addresses must be contiguous on the real server.
EXAMPLE:
To define a range of 500 contiguous VIPs, enter the following commands:
ServerIron(config)# server real-name r1 10.4.4.4
ServerIron(config-rs-r1)# host-range 500
ServerIron(config-rs-r1)# exit
ServerIron(config)# server real-name r2 10.4.4.5
ServerIron(config-rs-r2)# host-range 500
ServerIron(config-rs-r2)# exit
ServerIron(config)# server virtual-name lotsofhosts 209.157.22.99
ServerIron(config-vs-lotsofhosts)# host-range 500
ServerIron(config-vs-lotsofhosts)# exit
Syntax: host-range <range>
Possible values: 0 – 4294967295
Default value: N/A
ip-address
Changes a real server’s IP address.
You can change the IP address even when the real server is active. This capability is useful when you want to perform some maintenance on the real server (either the server itself or the server’s configuration on the ServerIron) or when the network topology has changed.
By default, when you change a server’s IP address, the ServerIron performs the change gracefully, as follows:
• Existing connections are allowed to continue on the old IP address until they terminate normally.
• New client requests are sent to the new IP address.
Optionally, you can force all existing connections to be reset instead of waiting for them to terminate normally. When you force the connections to be reset, the ServerIron immediately resets a connection when it receives client data for the connection.
EXAMPLE:
ServerIron(config)# server real rs1
ServerIron(config-rs-rs1)# ip-address 5.6.7.8
Syntax: [no] ip-address <ip-addr> [force-shutdown]
The <ip-addr> parameter specifies the real server’s new IP address.
The force-shutdown parameter immediately resets a client’s connection to the IP address when the ServerIron receives TCP data from the client. By default, the ServerIron allows existing connections to terminate normally following the address change.
Possible values: valid IP address
Default value: the address you specified when you configured the server
max-conn
Allows you to specify the maximum number of sessions the ServerIron will maintain in its session table for a specific real server.
NOTE: The configured value cannot exceed the maximum value configured for active sessions using the server session-limit command at the global level.
EXAMPLE:
ServerIron(config)# server real-name web2
ServerIron(config-rs-web2)# max-conn 1000
Syntax: max-conn <value>
Possible values: 1 – 1,000,000
Default value: 1,000,000
max-tcp-conn-rate
Configures Connection Rate Limiting (CRL) for a TCP application port on a real server, cache server, or firewall.
EXAMPLE:
ServerIron(config-rs-FW1)# max-tcp-conn-rate 1000
The command in this example specifies a maximum TCP connection rate of 1000 connections per second on firewall FW1.
Syntax: [no] max-tcp-conn-rate <num>
The <num> parameter specifies the maximum number of connections per second and can be a number from 1 – 65535. The default is 65535.
Possible values: 1 – 65535
Default value: 65535
max-udp-conn-rate
Configures Connection Rate Limiting (CRL) for a UDP application port on a real server, cache server, or firewall.
EXAMPLE:
ServerIron(config-rs-FW1)# max-udp-conn-rate 800
The command in this example specifies a maximum UDP connection rate of 800 connections per second on firewall FW1.
Syntax: [no] max-udp-conn-rate <num>
The <num> parameter specifies the maximum number of connections per second and can be a number from 1 – 65535. The default is 65535.
Possible values: 1 – 65535
Default value: 65535
no
This command is used to disable other commands. To do so, place the word no before the command.
other-ip
Configures a second IP address for certain multihomed devices. This command can be used in some FWLB configurations where a pair of ServerIrons is configured as an active-standby pair and the firewalls are multihomed. In this type of configuration, the other-ip command identifies the IP address of the firewall interface connected to the other ServerIron in the pair.
port
Allows you to override global port attributes set in the port’s profile. In addition, this command allows you to configure application-specific health check parameters for HTTP, DNS, and RADIUS ports.
EXAMPLE:
To disable a port, enter commands such as the following:
ServerIron(config)# server real-name web2
ServerIron(config-rs-web2)# port http disable
Syntax: [no] port <port> [disable | enable]
EXAMPLE:
To locally enable a TCP/UDP health check, enter a command such as the following at the Real Server level of the CLI:
ServerIron(config-rs-jet)# port dns keepalive
Syntax: [no] port <port> [keepalive]
If you use the "no" parameter in front of the command, you are locally disabling the health check. The health checks are locally disabled by default.
The <port> parameter can have one of the following values:
• dns – the well-known name for port 53
NOTE: If you are configuring Global SLB, you must use the proxy parameter following dns; for example, port dns proxy. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
• ftp – the well-known name for port 21. (Ports 20 and 21 both are FTP ports but in the ServerIron, the name “ftp” corresponds to port 21.)
• http – the well-known name for port 80
• imap4 – the well-known name for port 143
• ldap – the well-known name for port 389
• mms – the well-known name for port 1755
• nntp – the well-known name for port 119
• ntp – the well-known name for port 123
• pnm – the well-known name for port 7070
• pop2 – the well-known name for port 109
• pop3 – the well-known name for port 110
• radius – the well-known name for udp port 1812
• smtp – the well-known name for port 25
• snmp – the well-known name for port 161
• ssl – the well-known name for port 443
• rtsp – the well-known name for port 554
• telnet – the well-known name for port 23
• tftp – the well-known name for port 69
• <number>
NOTE: Specify the port number if the port is not one of the well-known names listed above.
EXAMPLE:
To configure the HTTP keepalive request to send a HEAD request for “sales.html”, enter the following commands:
ServerIron(config)# server real Jet 207.96.3.251
ServerIron(config-rs-jet)# port http url "/sales.html"
ServerIron(config-rs-jet)# exit
ServerIron(config)# server virtual NiceServer 207.96.4.250
ServerIron(config-vs-NiceServer)# port http
ServerIron(config-vs-NiceServer)# bind http Jet http
Syntax: port http url “[GET | HEAD] [/]<URL-page-name>”
GET or HEAD is an optional parameter that specifies the request type. By default, HTTP keepalive uses HEAD to retrieve the URL page. You can override the default and configure the ServerIron to use GET to retrieve the URL page.
The slash ( / ) is an optional parameter. If you do not set the GET or HEAD parameter, and the slash is not in the configured URL page, then ServerIron automatically inserts a slash before retrieving the URL page.
EXAMPLE:
To configure the domain name for address-based DNS health checking, enter the following command:
ServerIron(config-rs-jet)# port dns addr_query "abc.zone1.com"
Syntax: [no] port dns addr_query "<name>"
To configure the zone name for zone-based DNS health checking, enter the following command:
ServerIron(config-rs-jet)# port dns zone foundrynet.com
Syntax: [no] port dns zone <zone-name>
EXAMPLE:
To configure the parameters for a RADIUS health check, enter commands such as the following at the Real Server level of the CLI:
ServerIron(config-rs-jet)# port radius username willy
ServerIron(config-rs-jet)# port radius password wonka
ServerIron(config-rs-jet)# port radius key chklt
Syntax: [no] port radius username <string>
Syntax: [no] port radius password <string>
Syntax: [no] port radius key <string>
Possible values: See above
Default value: See above
EXAMPLE:
In a web switching configuration, to specify the server group(s) to which the real server belongs:
ServerIron(config-rs-jet)# port http group-id 1 5
Syntax: [no] port http group-id <server-group-id-pairs>
Possible values: The server group is expressed as a pair of numbers, indicating a range of real server group IDs. The first number is the lowest-numbered server group ID, and the second is the highest-numbered server group ID. For example, if a real server belongs only to the server group with ID = 1, the last two numbers in the port http group-id command would be 1 1. (Note the space between the two numbers.) If a real server belongs to server groups 1 – 10, the last two numbers in the command would be 1 10. To include a real server in groups that are not consecutively numbered, you can enter up to four server group ID pairs. Valid numbers for server group IDs are 0 – 1023.
Default value: N/A
EXAMPLE:
To disable the Layer 4 health check for an individual application on an individual firewall, enter a command such as the following at the firewall configuration level of the CLI:
ServerIron(config-rs-FW1)# port http no-health-check
The command in this example disables Layer 4 health checks for port HTTP on firewall FW1.
Syntax: [no] no-health-check
EXAMPLE:
To limit the rate of new connections for a specific application port, enter commands such as the following:
ServerIron(config-rs-RS1)# port http
ServerIron(config-rs-RS1)# port http max-tcp-conn-rate 600
These commands add port HTTP (80) to the real server and limit the rate of new connections to the port to 600.
Syntax: port <TCP/UDP-portnum> max-tcp-conn-rate <num>
Syntax: port <TCP/UDP-portnum> max-udp-conn-rate <num>
The port <TCP/UDP-portnum> parameter specifies the application port.
The <num> parameter specifies the maximum number of connections per second.
Possible values: See above
Default value: Follows the global state of the Layer 4 path health check. See “fw-health-check tcp | udp” on page 12-5.
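The group-id pair notation and the per-port connection rate limits described above are easy to get wrong when configurations are generated rather than typed. The following Python validator is an added example, not Foundry code: it resolves the well-known port names listed in this chapter, expands group-id pairs under the documented limits (pairs of IDs, at most four pairs, IDs 0 – 1023), and range-checks max-tcp-conn-rate / max-udp-conn-rate (1 – 65535). The input lines are constructed.

```python
# Added example (not Foundry code): validate "port ..." sub-commands entered at the
# Real Server level against the ranges documented in this chapter.

# Well-known application port names as listed in the "port" command description.
WELL_KNOWN_PORTS = {
    "dns": 53, "ftp": 21, "http": 80, "imap4": 143, "ldap": 389, "mms": 1755,
    "nntp": 119, "ntp": 123, "pnm": 7070, "pop2": 109, "pop3": 110,
    "radius": 1812, "smtp": 25, "snmp": 161, "ssl": 443, "rtsp": 554,
    "telnet": 23, "tftp": 69,
}

MAX_GROUP_ID = 1023        # valid server group IDs are 0 - 1023
MAX_GROUP_PAIRS = 4        # up to four server group ID pairs per command
CONN_RATE_RANGE = (1, 65535)
FLAG_SETTINGS = ("disable", "enable", "keepalive", "no-health-check")


def resolve_port(token):
    """Map a well-known name or a numeric string to a TCP/UDP port number."""
    if token in WELL_KNOWN_PORTS:
        return WELL_KNOWN_PORTS[token]
    if token.isdigit() and 1 <= int(token) <= 65535:
        return int(token)
    raise ValueError(f"unknown application port {token!r}")


def parse_group_ids(args):
    """Expand 'lo hi [lo hi ...]' server group ID pairs into the set of group IDs.

    A server that belongs only to group 1 is written '1 1'; groups 1 - 10 are '1 10'.
    """
    if not args or len(args) % 2:
        raise ValueError("group-id requires pairs of numbers (lowest highest)")
    if len(args) > 2 * MAX_GROUP_PAIRS:
        raise ValueError(f"at most {MAX_GROUP_PAIRS} server group ID pairs are allowed")
    groups = set()
    for lo, hi in zip(args[0::2], args[1::2]):
        lo, hi = int(lo), int(hi)
        if not 0 <= lo <= hi <= MAX_GROUP_ID:
            raise ValueError(f"bad server group range {lo} {hi}")
        groups.update(range(lo, hi + 1))
    return groups


def parse_port_command(line):
    """Parse one 'port <port> [setting [args]]' line into (port, setting, value).

    A bare 'port <port>' adds the application port and is reported as ('add', None).
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "port":
        raise ValueError(f"not a port command: {line!r}")
    port = resolve_port(tokens[1])
    if len(tokens) == 2:
        return port, "add", None
    setting, args = tokens[2], tokens[3:]
    if setting == "group-id":
        return port, setting, parse_group_ids(args)
    if setting in ("max-tcp-conn-rate", "max-udp-conn-rate"):
        if len(args) != 1 or not args[0].isdigit():
            raise ValueError(f"{setting} needs one numeric argument")
        rate = int(args[0])
        lo, hi = CONN_RATE_RANGE
        if not lo <= rate <= hi:
            raise ValueError(f"{setting} {rate} is outside {lo} - {hi}")
        return port, setting, rate
    if setting in FLAG_SETTINGS and not args:
        return port, setting, None
    raise ValueError(f"unsupported port setting {setting!r} in {line!r}")


if __name__ == "__main__":
    # Constructed input lines, including two that the checks reject.
    for cmd in ("port http group-id 1 5", "port http max-tcp-conn-rate 600",
                "port dns keepalive", "port http group-id 1", "port http group-id 0 1024"):
        try:
            print(cmd, "->", parse_port_command(cmd))
        except ValueError as err:
            print(cmd, "-> rejected:", err)
```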
port disable-all
Disables all the application ports on a real server.
NOTE: This command applies only to the ServerIron 400 and ServerIron 800.
EXAMPLE:
ServerIron(config-rs-R1)# port disable-all
To re-enable all the application ports, enter the following command:
ServerIron(config-rs-R1)# no port disable-all
Syntax: [no] port disable-all
Possible values: N/A
Default value: Enabled
port unbind-all
Unbinds all of a real server’s application ports from all virtual servers.
NOTE: This command applies only to the ServerIron 400 and ServerIron 800.
EXAMPLE:
To unbind a real server’s application ports, enter the following command at the configuration level for the server:
ServerIron(config-rs-R1)# port unbind-all
Syntax: port unbind-all
NOTE: Once you unbind the ports, you can rebind them only on an individual virtual server and port basis.
To re-bind an application port, you must use the bind command at the configuration level for the virtual server. For example, if server R1 has two application ports, 80 and 8080, enter the following commands to rebind the ports to virtual server VIP1. This example assumes that the VIP uses two real servers (R1 and R2) for the application ports.
ServerIron(config-vs-VIP1)# bind http R1 http R2 http
ServerIron(config-vs-VIP1)# bind 8080 R1 8080 R2 8080
Possible values: N/A
Default value: Bound to the virtual servers to which you bound them
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-rs-test)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
response-time
Configures server response-time warning and shutdown thresholds for an individual server.
For information about response-time thresholds, see “server response-time” on page 6-79.
EXAMPLE:
ServerIron(config-rs-R1)# response-time 50 75
This command sets the warning threshold to 50 milliseconds and the shutdown threshold to 75 milliseconds, for this real server only.
NOTE: The threshold values you configure on an individual real server override the globally configured thresholds.
Syntax: [no] response-time <warning-threshold> [<shutdown-threshold>]
The <warning-threshold> parameter specifies the average number of milliseconds within which an application port must respond to avoid a warning message. You can specify from 0 – 65535 milliseconds (65 seconds). There is no default. If you specify 0, the warning threshold is disabled.
The <shutdown-threshold> parameter specifies the average number of milliseconds within which an application port must respond to avoid being shut down. You can specify from 0 – 65535 milliseconds (65 seconds). There is no default. If you specify 0, the shutdown threshold is disabled.
If you want the ServerIron to generate a warning message but you do not want the ServerIron to shut down an application port, configure the warning threshold but not the shutdown threshold. Here is an example:
ServerIron(config-rs-R1)# response-time 100
To set the shutdown threshold without also setting a warning threshold, enter 0 for the warning threshold, as shown in the following example:
ServerIron(config-rs-R1)# response-time 0 300
Possible values: 0 – 65535 milliseconds (65 seconds)
Default value: not configured
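As an added illustration (not code from the manual), the following Python model shows how the response-time arguments above are interpreted and applied: a single value sets only the warning threshold, 0 disables a threshold, and a server-level setting overrides the global one. The comparison used (mean of recent samples exceeding the threshold) and the sample list itself are assumptions.

```python
"""Model of ServerIron per-server response-time thresholds (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence

MAX_THRESHOLD_MS = 65535  # documented upper bound (65 seconds)


@dataclass(frozen=True)
class ResponseTimeThresholds:
    warning_ms: int = 0    # 0 = warning threshold disabled
    shutdown_ms: int = 0   # 0 = shutdown threshold disabled

    @classmethod
    def parse(cls, args: Sequence[str]) -> "ResponseTimeThresholds":
        """Interpret the arguments of 'response-time <warning> [<shutdown>]'."""
        if not 1 <= len(args) <= 2:
            raise ValueError("response-time takes one or two arguments")
        values: List[int] = []
        for arg in args:
            value = int(arg)
            if not 0 <= value <= MAX_THRESHOLD_MS:
                raise ValueError("threshold must be 0 - %d milliseconds" % MAX_THRESHOLD_MS)
            values.append(value)
        warning = values[0]
        # Omitting the second argument leaves the shutdown threshold disabled,
        # which is the "warn but never shut the port down" configuration.
        shutdown = values[1] if len(values) == 2 else 0
        return cls(warning, shutdown)


def effective_thresholds(global_thresholds: ResponseTimeThresholds,
                         server_thresholds: Optional[ResponseTimeThresholds]
                         ) -> ResponseTimeThresholds:
    """Thresholds set on an individual real server override the global ones."""
    return server_thresholds if server_thresholds is not None else global_thresholds


def average_response_ms(samples: Sequence[float]) -> float:
    """Plain mean of observed response times; an assumption standing in for
    however the device computes its running average."""
    return sum(samples) / len(samples) if samples else 0.0


def evaluate(samples: Sequence[float], thresholds: ResponseTimeThresholds) -> str:
    """Return 'shutdown', 'warning' or 'ok' for a port's recent response times.

    A threshold of 0 is disabled and never fires; the shutdown threshold is
    checked first because it is the more severe action.
    """
    avg = average_response_ms(samples)
    if thresholds.shutdown_ms and avg > thresholds.shutdown_ms:
        return "shutdown"
    if thresholds.warning_ms and avg > thresholds.warning_ms:
        return "warning"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: global 200/400 ms, real server R1 overrides with 50/75 ms.
    global_t = ResponseTimeThresholds.parse(["200", "400"])
    r1_t = ResponseTimeThresholds.parse(["50", "75"])
    for samples in ([30, 40, 50], [50, 60, 70], [70, 80, 90]):
        print(samples, evaluate(samples, effective_thresholds(global_t, r1_t)))
```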
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
source-nat
In an SLB configuration, configures the ServerIron to translate the source address of client requests the ServerIron forwards to real servers. The ServerIron changes the address to a source IP address you have configured on the ServerIron.
Add source IP addresses and enable source NAT if the ServerIron and real server are in different sub-nets. See the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
ServerIron(config-rs-june)# source-nat
Syntax: [no] source-nat
Possible values: N/A
Default value: Disabled
weight
Allows you to assign a performance weight to each server. Servers assigned a larger or higher weight receive a larger percentage of connections.
EXAMPLE:
To set the weight for a server to 5 from the default value of 1, enter the following command:
ServerIron(config)# server real web5
ServerIron(config-rs-web5)# weight 5
Syntax: weight <least-connections-weight> [<response-time-weight>]
The <least-connections-weight> parameter specifies the real server’s weight relative to other real servers in terms of the number of connections on the server. More precisely, this weight is based on the number of session table entries the ServerIron has for TCP or UDP sessions with the real server. You can specify a value from 0 – 65000. The default is 1. This parameter is required. However, if you want to use a weight value only for the Server Response Time but not for the number of connections, specify 0 for this parameter.
The <response-time-weight> parameter specifies the real server’s weight relative to other real servers in terms of the server’s response time to client requests sent to the server. You can specify a value from 0 – 65000. The default is 0 (disabled). This weight is applicable only when the server response time load-balancing method is enabled.
If you enter a value for <response-time-weight>, the ServerIron adds the two weight values together when selecting a real server. If you specify equal values for each parameter, the ServerIron treats the weights equally. The number of connections on the server is just as relevant as the server’s response time. However, if you set one parameter to a higher value than the other, the ServerIron places more emphasis (weight) on the parameter with the higher value. For example, if you specify a higher server response time weight than the weight for the number of connections, the ServerIron pays more attention to the server’s response time than to the number of connections it currently has when considering the real server for a new connection.
NOTE: If you use the server response time method, you also can modify the smooth factor on individual application ports. See the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: See above
Default value: 0
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
ServerIron(config-rs-web5)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-rs-web5)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 11
Virtual Server Commands
acl-id
Contact Foundry engineering for information about using this command as part of a virtual server configuration.
bind
Allows you to bind virtual server service to real server services. A virtual server service can bind one or more real-server services.
EXAMPLE:
To bind a virtual server to HTTP services on real servers web1 and web2, enter the following:
ServerIron(config)# server virtual www.foundrynet.com 207.95.5.1
ServerIron(config-vs-www.foundrynet.com)# bind http web1 http web2 http
Syntax: bind <tcp/udp-port-number> <real-server-name> <tcp/udp-port-number>
Possible values:
• TCP/UDP port numbers:
• default – all the well-known names listed below
• dns – the well-known name for port 53
• ftp – the well-known name for port 21. (Ports 20 and 21 both are ftp ports but on the ServerIron, the name “ftp” corresponds to port 21.)
• http – the well-known name for port 80
• imap4 – the well-known name for port 143
• ldap – the well-known name for port 389
• mms – the well-known name for port 1755
• nntp – the well-known name for port 119
• ntp – the well-known name for port 123
• pnm – the well-known name for port 7070
• pop2 – the well-known name for port 109
• pop3 – the well-known name for port 110
• radius – the well-known name for udp port 1812
• smtp – the well-known name for port 25
• snmp – the well-known name for port 161
• ssl – the well-known name for port 443
• rtsp – the well-known name for port 554
• telnet – the well-known name for port 23
• tftp – the well-known name for port 69
• Virtual server name: any previously defined virtual server
Default value: N/A
cache-enable
Enables the Active Cache feature, which configures the ServerIron to try resolving a client request using a cache server first, then using a load balanced server if the cache does not contain the requested content. For an example of how to use this feature, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
NOTE: By default, this command enables combined TCS and SLB service only for the HTTP port (port 80). To enable combined TCS and SLB service for other ports, you must specify the port name or number.
EXAMPLE:
To enable Active Cache for VIP “Foundry“, enter the following command:
ServerIron(config-vs-Foundry)# cache-enable
To enable Active Cache for the SSL port (port 443) on VIP “Foundry“, enter the following command:
ServerIron(config-vs-Foundry)# port ssl cache-enable
Syntax: [no] cache-enable
Syntax: [no] port <tcp/udp-port> cache-enable
Possible values: N/A
clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in “Privileged EXEC Commands” on page 5-1.
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-vs-www.rumors.com)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-vs-www.rumors.com)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
host-range
Enables you to define a range of virtual IP addresses (VIPs) simply by defining a base VIP and the number of hosts in the range.
NOTE: The VIPs must be contiguous and must map to a contiguous range of real IP addresses on the real server.
EXAMPLE:
To define a range of 500 contiguous VIPs, enter the following commands:
ServerIron(config)# server virtual-name lotsofhosts 209.157.22.99
ServerIron(config-vs-lotsofhosts)# host-range 500
ServerIron(config-vs-lotsofhosts)# exit
ServerIron(config)# server virtual-name cache1 10.4.4.4
ServerIron(config-rs-cache1)# host-range 500
ServerIron(config-rs-cache1)# exit
Syntax: host-range <range>
Possible values: 0 – 4294967295
Default value: N/A
httpredirect
In configurations that use remote failover servers, the remote server sends replies back to the ServerIron or directly to the client:
• If you configure a source IP address and enable source NAT, the remote server sends the response back to the ServerIron.
• If you do not use source NAT (whether you have configured a source IP address or not), the remote real server sends the response directly to the client. In this case, the client refuses the connection request because the client believes it is talking to the virtual IP address, not the real server IP address. In this case, you can configure the ServerIron to send an HTTP redirect message to the client so that the client redirects its HTTP connection to the real server’s IP address instead of the VIP.
EXAMPLE:
To enable HTTP redirect, enter the following command:
ServerIron(config-vs-lotsofhosts)# httpredirect
Syntax: httpredirect
Possible values: N/A
Default value: Disabled
no
This command is used to disable other commands. To do so, place the word no before the command.
port
Allows you to add a TCP/UDP port to a VIP. If you are using the SwitchBack feature, you can use the dsr parameter to enable SwitchBack for the port.
NOTE: SwitchBack also requires that you configure a loopback interface on each real server. The loopback interface must have the same address as the VIP. See the "Configuring Symmetric SLB and SwitchBack" chapter of the Foundry ServerIron Installation and Configuration Guide for more information about this feature.
NOTE: For servers that use passive FTP, configure the FTP ports to be both sticky and concurrent.
EXAMPLE:
To add port 80 (HTTP) to a VIP called Web1, enter the following command:
ServerIron(config-vs-Web1)# port http
EXAMPLE:
To add port 80 (HTTP) to a VIP called Web69 and enable SwitchBack for the port, enter the following command:
ServerIron(config-vs-Web69)# port http dsr
Syntax: port <tcp/udp-port> [dsr]
EXAMPLE:
To disable port 8080 on VIP Web69, enter the following command:
ServerIron(config-vs-Web69)# port 8080 disable
Syntax: port <tcp/udp-port> [disable]
EXAMPLE:
To configure port 80 on VIP Web69 to support concurrent connections from a client, enter the following command:
ServerIron(config-vs-Web69)# port 8080 concurrent
Syntax: port <tcp/udp-port> [concurrent]
EXAMPLE:
To make port 80 on VIP Web69 "sticky" so that subsequent requests for the port from the same client go to the same real server, enter the following command:
ServerIron(config-vs-Web69)# port 8080 sticky
Syntax: port <tcp/udp-port> [sticky]
EXAMPLE:
To disable port translation for port 180 on VIP2, thus allowing many-to-one port binding for the port, enter the following commands.
NOTE: Port translation is enabled by default. Do not disable it unless you are configuring the "many-to-one" feature. See the "Many-To-One TCP/UDP Port Binding" application example in the "Configuring Server Load Balancing" chapter of the Foundry ServerIron Installation and Configuration Guide. Also make sure you follow the configuration rules in that section. Improper configuration can result in unexpected and difficult-to-diagnose results.
ServerIron(config)# server virtual-name VIP1 209.157.22.88
ServerIron(config-vs-VIP1)# port http
ServerIron(config-vs-VIP1)# bind http r1 http r2 http
ServerIron(config-vs-VIP1)# exit
ServerIron(config)# server virtual-name VIP2 209.157.22.99
ServerIron(config-vs-VIP2)# port http
ServerIron(config-vs-VIP2)# no port http translate
ServerIron(config-vs-VIP2)# bind http r1 180 r2 180
Syntax: port <tcp/udp-port> [translate]
EXAMPLE:
To enable URL switching on a virtual server, enter the following commands.
ServerIron(config)# server virtual-name mysite 209.157.22.63
ServerIron(config-vs-mysite)# port http
ServerIron(config-vs-mysite)# port http url-map p1
ServerIron(config-vs-mysite)# port http url-switch
ServerIron(config-vs-mysite)# bind http rs1 http
ServerIron(config-vs-mysite)# bind http rs2 http
ServerIron(config-vs-mysite)# bind http rs3 http
ServerIron(config-vs-mysite)# exit
Syntax: port http
Syntax: port http url-map <policy-name>
Syntax: port http url-switch
Syntax: bind http <real-server-name> http
EXAMPLE:
To configure session persistence in a proxy environment, configure a standard IP ACL containing the addresses, then use the sticky-acl option with the application ports on the virtual server. The sticky-acl option configures the Virtual Source feature.
In a Virtual Source configuration, the ServerIron sends all client traffic from a specified range of IP addresses to the same real server for the application ports you specify. To specify the IP addresses, configure a standard IP ACL. Use this command in configurations where a proxy device allocates IP addresses to client traffic before sending the traffic to the VIP. In some configurations, the proxy device assigns different IP addresses to traffic from the same client. Unless you configure the addresses to go to the same real server, the ServerIron might load balance the client traffic to different servers. This makes applications that require continued access to the same real server unusable.
ServerIron(config)# access-list 1 permit 209.157.22.0
ServerIron(config)# server virtual fromproxy 1.1.1.1
ServerIron(config-vs-fromproxy)# port 80 sticky-acl 1
Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]
or
Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]
Syntax: [no] port <tcp/udp-port> sticky-acl <num>
NOTE: This feature is different from the sticky feature, which you can associate with ports on the virtual server level. The sticky attribute ensures that subsequent packets from the same client during the same TCP session go to the same real server. In this case, the ServerIron knows the packets are from the same client based on the source IP address. When a proxy is used, subsequent packets from the same client can have different IP addresses.
For standard IP ACL configuration information, see the “Configuring Standard ACLs” section in the “Using Access Control Lists (ACLs)” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
To configure an application port to be stateless, enable the stateless parameter on the port in the virtual server. Here is an example:
ServerIron(config)# server real R1 10.10.10.1
ServerIron(config-rs-R1)# port http
ServerIron(config-rs-R1)# exit
ServerIron(config)# server real R2 10.10.11.1
ServerIron(config-rs-R2)# port http
ServerIron(config-rs-R2)# exit
ServerIron(config)# server virtual StatelessHTTP 192.168.4.69
ServerIron(config-vs-StatelessHTTP)# port http stateless
ServerIron(config-vs-StatelessHTTP)# bind http R1 http
ServerIron(config-vs-StatelessHTTP)# bind http R2 http
Syntax: [no] port <tcp/udp-port> stateless
The <tcp/udp-port> parameter specifies the application port you want to make stateless.
EXAMPLE:
By default, stateless SLB uses a hashing algorithm to select a real server. The ServerIron calculates a hash value for a given client request based on the request’s source IP address and source TCP/UDP port. The request is sent to a real server corresponding to this hash value.
For UDP connections consisting of one client packet and one server response packet, you can disable the stateless SLB hashing algorithm. When the stateless SLB hashing algorithm is disabled for UDP ports, the ServerIron uses the round-robin load balancing method to select a real server for the request. In this case, the ServerIron load balances UDP packets destined for the VIP without creating a session and without calculating hash values based on UDP port number and source IP address.
DNS is an example of a UDP port where this feature can be used. The advantage of disabling the stateless SLB hashing algorithm is that a new real server can be selected immediately after it is brought up.
For example, to disable the stateless SLB hashing algorithm for the DNS port (UDP port 53):
ServerIron(config)# server virtual Stateless 192.168.4.69
ServerIron(config-vs-Stateless)# port dns stateless no-hash
Syntax: [no] port <udp-portnum> stateless no-hash
The <udp-portnum> parameter specifies the UDP application port you want to make stateless.
EXAMPLE:
This example applies to health-check policies (see “healthck (ServerIronXL)” on page 6-23). After you configure logical expressions, you can bind them to application ports on VIPs. A health-check policy does not take effect until you bind the policy to an application port on a VIP.
To bind a health-check policy to an application port on a VIP, enter commands such as the following:
ServerIron(config)# server virtual-name VIP1 1.1.1.1
ServerIron(config-vs-VIP1)# port http healthck Router2
This command configures virtual IP address VIP1 to use the health-check policy named "Router2" to check the health of HTTP (port 80) for the VIP.
Syntax: [no] port <tcp/udp-portnum> healthck <policy-name>
The <tcp/udp-portnum> parameter specifies a TCP or UDP application port. The <policy-name> parameter specifies the health-check policy you want to use to check the Layer 3 health of a device associated with the application port.
EXAMPLE:
When fast aging for UDP sessions is configured, a client request causes the ServerIron to add an entry to its session table; when a response is detected, the ServerIron immediately deletes the session table entry.
When this feature is configured, if the ServerIron detects a server response to a client request, and the response is not fragmented, the session table entry is deleted immediately. If the response is fragmented, the ServerIron waits for the last fragment to arrive, forwards it to the client, and then sends the session to the delete queue. The session stays in the delete queue for 8 seconds by default before being deleted. You can change the amount of time the session stays in the delete queue to between 1 – 40 seconds.
To activate this feature for port 1234:
ServerIron(config)# server virtual vs1 192.168.1.2
ServerIron(config-vs-vs1)# port 1234 udp-fast-age
Syntax: port <udp-portnum> udp-fast-age
EXAMPLE:
NOTE: This example applies only to the ServerIron 400 or ServerIron 800 running software release 07.2.23 or later.
To enable a VIP to use the servers designated as backups only as backups, and use the other servers as the primary load-balancing servers, enter the following command at the configuration level for the VIP:
ServerIron(config-vs-VIP1)# port http lb-pri-servers
This command enables VIP1 to use the backup and primary servers for application port HTTP.
To configure the VIP and application port to continue using the backup servers even after the primary servers become available again, use the backup-stay-active parameter, as in the following example:
ServerIron(config-vs-VIP1)# port http lb-pri-servers backup-stay-active
Syntax: [no] port <tcp/udp-port> lb-pri-servers [backup-stay-active]
You also must explicitly designate the backup real servers as backups. See “backup” on page 10-1.
Possible values: See above
Default value: N/A
predictor
This command is used to select the session's distribution algorithm that will be used on the specified virtual server. This command will override any globally configured value for a virtual server. By default, the least connections method is enabled.
EXAMPLE:
To change the virtual server predictor method from the default value of least connections to the round-robin method, enter the following:
ServerIron(config)# server virtual www.foundrynet.com 207.95.5.1
ServerIron(config-vs-www.foundrynet.com)# predictor round-robin
Syntax: [no] predictor least-conn | response-time | round-robin | weighted
Possible values: See above
Default value: least-conn
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-vs-Foundry)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
source-sticky
Allows you to disable or re-enable this feature. Use this command only if advised to do so by Foundry technical support.
sym-active
Enables active-active Symmetric SLB on a VIP.
EXAMPLE:
ServerIronA(config)# server virtual-name VIP1 1.1.1.1
ServerIronA(config-vs-VIP1)# port 80
ServerIronA(config-vs-VIP1)# sym-priority 69
ServerIronA(config-vs-VIP1)# sym-active
This example configures VIP1 by adding port 80, enabling SSLB, then enabling active-active SSLB. The sym-priority command enables SSLB. The command requires a number from 1 – 255 to enable SSLB. Once you enter the sym-active command to enable active-active SSLB, the software ignores the priority value you specified.
Syntax: [no] sym-active
Possible values: N/A
Default value: Disabled
sym-priority
Assigns a Symmetric SLB priority to a virtual IP address (VIP). The priority determines which ServerIron in a Symmetric SLB configuration is the default active ServerIron for the VIP. The priority can be from 0 (disabled) – 255 (highest priority).
NOTE: Foundry recommends that you specify 2 (instead of 1) as a low priority or 254 (instead of 255) as a high priority. This way, you can easily force failover of the high priority ServerIron to the low priority ServerIron by changing the priority on just one of the ServerIrons. For example, you can force a failover by changing the priority on the high priority ServerIron from 254 to 1. Since the priority on the low priority ServerIron is 2, the low priority ServerIron takes over for the VIP. Likewise, you can force the low priority ServerIron to take over by changing its priority to 255, since the priority on the high priority ServerIron is only 254.
See the "Configuring Symmetric SLB and SwitchBack" chapter of the Foundry ServerIron Installation and Configuration Guide for more information about this feature.
EXAMPLE:
To configure VIPs V1 and V2 on two ServerIrons for Symmetric SLB, enter the following commands. After you enter these commands, the first ServerIron is the active ServerIron for VIP V1 (1.1.1.1) and is the backup ServerIron for VIP2 (2.2.2.2). The second ServerIron is the active ServerIron for VIP V2 (2.2.2.2) and the backup ServerIron for VIP1 (1.1.1.1).
Commands for the first ServerIron:
ServerIron(config)# server virtual-name V1 1.1.1.1
ServerIron(config-vs-V1)# sym-priority 2
ServerIron(config-vs-V1)# exit
ServerIron(config)# server virtual-name V2 2.2.2.2
ServerIron(config-vs-V2)# sym-priority 254
ServerIron(config-vs-V2)# write mem
Commands for the second ServerIron:
ServerIron(config)# server virtual-name V1 1.1.1.1
ServerIron(config-vs-V1)# sym-priority 254
ServerIron(config-vs-V1)# exit
ServerIron(config)# server virtual-name V2 2.2.2.2
ServerIron(config-vs-V2)# sym-priority 2
ServerIron(config-vs-V2)# write mem
Syntax: sym-priority <num>
Possible values: 0 – 255; setting the priority to 0 removes the priority setting
Default value: N/A
track
Configures up to four TCP/UDP ports to “track” another, “primary” TCP/UDP port. This feature enables the ServerIron to group applications. After the ServerIron sends a request for the master TCP/UDP port to a real server, requests from the same client for the ports that track the master port also go to the same real server.
For more information about the feature, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
To configure TCP/UDP ports 8080 and 9090 to track port 80, enter the following command:
ServerIron(config-vs-Foundry)# track 80 8080 9090
Syntax: track <primary-port> <tcp/udp-port> [<tcp/udp-port>[<tcp/udp-port>[<tcp/udp-port>]]]
Possible values: a TCP or UDP port number.
Default value: N/A
track-group
Causes the ServerIron to use the same server for applications associated with a set of grouped ports, as long as all the ports in the group are active. After the ServerIron sends a client to a real server for any of the grouped ports, subsequent requests from that client for any of the grouped ports go to the same real server.
EXAMPLE:
To group the HTTP port (80), Telnet port (23), and TFTP port (69) together:
ServerIron(config-vs-v1)# track-group 80 69 23
Whenever a client attempts to connect to a port within the group, the ServerIron ensures all ports in the group are active before granting the connection.
NOTE: The sticky parameter makes the TCP/UDP ports sticky. The sticky parameter must be set for all ports in the group.
Possible values: a TCP or UDP port number. Up to eight ports can be grouped together using the track group function. A port can be part of only one group. The track-group and track commands for a port are mutually exclusive.
Default value: N/A
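As an added illustration of the track and track-group entries above (constructed example, not code from the manual), this Python model keeps per-client affinity keyed on the primary port or on the whole group, applies the group's all-ports-active check, and enforces the stated limits (four tracking ports, eight grouped ports, one group per port, track and track-group mutually exclusive). Round-robin selection among eligible servers, reading "all ports active" as active on the chosen real server, and letting a tracking-port request establish affinity when no master-port request preceded it are assumptions.

```python
"""Model of ServerIron 'track' and 'track-group' port affinity (constructed example)."""
from typing import Dict, FrozenSet, Hashable, List, Optional, Set, Tuple

MAX_TRACKED_PORTS = 4   # 'track <primary>' accepts up to four tracking ports
MAX_GROUP_PORTS = 8     # 'track-group' accepts up to eight ports


class VirtualServer:
    def __init__(self, name: str, real_servers: List[str]) -> None:
        self.name = name
        self.real_servers = list(real_servers)
        # real server -> set of application ports currently passing health checks
        self.active_ports: Dict[str, Set[int]] = {rs: set() for rs in real_servers}
        self.primary_of: Dict[int, int] = {}              # tracking port -> primary port
        self.group_of: Dict[int, FrozenSet[int]] = {}     # port -> its track-group
        self.affinity: Dict[Tuple[str, Hashable], str] = {}  # (client, key) -> real server
        self._rr = 0  # round-robin cursor (assumed selection method among candidates)

    def track(self, primary: int, *ports: int) -> None:
        """track <primary-port> <port> [<port> [<port> [<port>]]]"""
        if not 1 <= len(ports) <= MAX_TRACKED_PORTS:
            raise ValueError("track takes one to four tracking ports")
        for p in (primary,) + ports:
            if p in self.group_of:
                raise ValueError("port %d is in a track-group; track is mutually exclusive" % p)
        for p in ports:
            self.primary_of[p] = primary

    def track_group(self, *ports: int) -> None:
        """track-group <port> <port> [... up to eight ports]"""
        if not 2 <= len(ports) <= MAX_GROUP_PORTS:
            raise ValueError("track-group takes two to eight ports")
        for p in ports:
            if p in self.group_of:
                raise ValueError("port %d already belongs to a track-group" % p)
            if p in self.primary_of or p in self.primary_of.values():
                raise ValueError("port %d uses track; track-group is mutually exclusive" % p)
        group = frozenset(ports)
        for p in ports:
            self.group_of[p] = group

    def _affinity_key(self, port: int) -> Hashable:
        """Grouped ports share one key; tracking ports share the primary's key."""
        if port in self.group_of:
            return self.group_of[port]
        return self.primary_of.get(port, port)

    def _candidates(self, port: int) -> List[str]:
        """Real servers eligible for this port; a grouped port needs every
        port in its group active on the same server (assumed reading)."""
        needed = self.group_of.get(port, frozenset([port]))
        return [rs for rs in self.real_servers if needed <= self.active_ports[rs]]

    def select(self, client_ip: str, port: int) -> Optional[str]:
        """Pick the real server for a client request, honouring existing affinity.
        Returns None when no server can currently serve the port (or its group)."""
        candidates = self._candidates(port)
        if not candidates:
            return None
        key = (client_ip, self._affinity_key(port))
        chosen = self.affinity.get(key)
        if chosen in candidates:
            return chosen
        chosen = candidates[self._rr % len(candidates)]
        self._rr += 1
        self.affinity[key] = chosen
        return chosen


if __name__ == "__main__":
    vs = VirtualServer("v1", ["r1", "r2"])
    vs.active_ports["r1"].update({80, 8080, 9090, 443})
    vs.active_ports["r2"].update({80, 8080, 9090, 443, 8443})
    vs.track(80, 8080, 9090)      # 8080 and 9090 follow port 80
    vs.track_group(443, 8443)     # 443 and 8443 are served together
    for port in (80, 8080, 9090, 443, 8443):
        print("client 10.0.0.5 port", port, "->", vs.select("10.0.0.5", port))
```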
transparent-vip
Enables an individual VIP for transparent VIP. Transparent VIP applies only to the VIPs on which you enable it.
NOTE: You must globally enable transparent VIP support in addition to enabling the feature on individual VIPs. See “server transparent-vip” on page 6-85.
EXAMPLE:
ServerIron(config-vs-TransVIP)# transparent-vip
Syntax: [no] transparent-vip
Possible values: N/A
Default value: Disabled
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
ServerIron(config-vs-Foundry)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-vs-Foundry)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 12
Cache Group Commands
acl-id
Identifies an IP ACL for use with your configuration. For example, you can use the command to identify an ACL for denying FWLB for a specific TCP or UDP application port.
EXAMPLE:
To deny FWLB for TCP port 80 (HTTP) but allow FWLB for all other TCP and UDP application ports, enter commands such as the following:
ServerIronA(config)# access-list 101 deny tcp any any eq http
ServerIronA(config)# access-list 101 permit tcp any any
ServerIronA(config)# access-list 101 permit udp any any
ServerIronA(config)# server fw-group 2
ServerIronA(config-tc-2)# acl-id 101
The first three commands configure three ACL entries. The first entry denies FWLB for packets addressed to TCP port 80 (HTTP). The second ACL permits FWLB for all TCP applications. Packets that do not match the first ACL entry match the second ACL entry and are provided with FWLB. The third ACL permits FWLB for all UDP applications. The last two commands change the CLI level to the firewall group configuration level and apply ACL 101 to the firewall group.
Syntax: [no] access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard> [<operator> <destination-tcp/udp-port>] [precedence <name> | <num>] [tos <name> | <num>] [log]
Syntax: [no] acl-id <num>
For detailed information about the ACL syntax, see the “Using Access Control Lists (ACLs)” chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.
Possible values: The ID of a configured IP ACL.
Default value: N/A
cache-name
This command assigns a cache server to the cache group. The cache server must already be configured. (See “server cache-name” on page 6-62.)
NOTE: A cache server can be in only one cache group. If you add a cache server to a cache group, the ServerIron automatically removes the cache server from the cache group the cache server was already in.
EXAMPLE:
To assign a cache server named “web2” to cache group 2, enter the following:
ServerIron(config)# server cache-group 2
ServerIron(config-tc-2)# cache-name web2
Syntax: server cache-name <text>
Possible values: N/A
Default value: N/A
clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in “Privileged EXEC Commands” on page 5-1.
dest-nat
This command enables destination NAT for TCS.
By default, the ServerIron translates the destination MAC address of a client request into the MAC address of the cache server. However, the ServerIron does not translate the IP address of the request to the cache server’s IP address. Instead, the ServerIron leaves the destination IP address untranslated.
This behavior assumes that the cache server is operating in promiscuous mode, which allows the cache server to receive requests for any IP address so long as the MAC address in the request is the cache server’s. This behavior works well in most caching environments. However, if your cache server requires that the client traffic arrive in directed IP unicast packets, you can enable destination NAT.
Destination NAT is disabled by default.
NOTE: This option is rarely used. If your cache server operates in promiscuous mode, you probably do not need to enable destination NAT. Otherwise, enable destination NAT. Consult your cache server documentation if you are unsure whether you need to enable destination NAT.
EXAMPLE:
To enable destination NAT for cache group 1, enter the following command:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# dest-nat
Syntax: dest-nat
disable
This command disables the cache group.
EXAMPLE:
To disable cache group 2, enter the following command.
ServerIron(config-tc-2)# disable
Syntax: [no] disable
Possible values: Disabled or Enabled
Default value: Enabled
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-tc-1)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-tc-1)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
failover-acl
Contact Foundry engineering for information about this command.
fwall-info
Configures a path for firewall load balancing.
EXAMPLE:
To configure paths for two firewalls, enter the following commands. See the Foundry ServerIron Firewall Load Balancing Guide for complete configuration examples.
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fwall-info 1 3 209.157.23.3 209.157.22.3
ServerIron(config-tc-2)# fwall-info 2 5 209.157.23.3 209.157.22.4
Syntax: [no] fwall-info <path-num> <portnum> <other-ServerIron-ip> <next-hop-ip> [path-group-id <num>] [remote-id <num>]
The <path-num> parameter specifies the path ID.
The path ID – A number that identifies the path. In basic FWLB configurations, the paths go from one ServerIron to the other through the firewalls. In IronClad FWLB, additional paths go to routers. On each ServerIron, the path IDs must be contiguous (with no gaps), starting with path ID 1.
The <portnum> parameter specifies the number of the port that connects the ServerIron to the firewall or router.
The <other-ServerIron-ip> parameter specifies the IP address of the device at the other end of the path. For firewall paths, specify the management address or source IP address of the ServerIron on the other side of the firewall. For router paths, specify the router’s IP interface with the ServerIron.
• On the external ServerIrons, specify the internal ServerIrons’ management addresses for the trusted zone but specify the source IP addresses for the other zones.
• On the internal ServerIrons, specify the external ServerIrons’ management addresses for the non-trusted zone, which is the only zone on the external ServerIrons.
The <next-hop-ip> parameter specifies the IP address of the next hop in the path. For firewall paths, specify the IP address of the firewall interface connected to this ServerIron. For router paths, specify the router’s IP interface with the ServerIron.
The path-group-id <num> parameter specifies the number that indicates the firewall through which the paths go.
NOTE: Router paths do not go through a firewall, so they do not use path group IDs.
The remote-id <num> parameter is a number (1 or 2) representing the ServerIron at the remote end of the path in a superzone FWLB configuration. Specify 1 for a basic configuration. Specify 1 and 2 for the two ServerIrons in a high-availability configuration.
NOTE: The remote-id <num> parameter applies only to superzone FWLB. See the "Configuring Superzone FWLB" chapter in the Foundry ServerIron Firewall Load Balancing Guide.
Possible values: See above
Default value: N/A
fwall-zone
Configures a firewall zone. Use this command when configuring multi-zone FWLB. For a complete configuration example, see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
To configure an ACL and a firewall zone that uses the ACL, enter commands such as the following:
Zone1-SI(config)# access-list 2 permit 209.157.25.0 0.0.0.255
Zone1-SI(config)# server fw-group 2
Zone1-SI(config-tc-2)# fwall-zone Zone2 2 2
Syntax: [no] fwall-zone <string> <zonenum> <acl-id>
The <string> parameter specifies the zone name.
The <zonenum> parameter specifies the zone number. You can specify a value from 1 – 10.
The <acl-id> field specifies the ACL that defines the range of IP addresses in the zone.
Possible values: See above
Default value: N/A
fw-exceed-max-drop
Configures the ServerIron to drop the traffic instead of load balancing it using the hashing mechanism.
By default, if the ServerIron receives traffic that it needs to forward to a firewall, but the firewall already has the maximum number of sessions open or has exceeded its maximum connection rate, the ServerIron uses a hashing mechanism to select another firewall. The hashing mechanism selects another firewall based on the source and destination IP addresses and application port numbers in the packet.
The ServerIron drops traffic only until the firewall again has available sessions.
EXAMPLE:
ServerIron(config-tc-2)# fw-exceed-max-drop
Syntax: [no] fw-exceed-max-drop
Possible values: N/A
Default value: Disabled
fw-health-check icmp
Changes the number of times the ServerIron attempts a Layer 3 health check of an FWLB path before concluding that the path is unhealthy.
By default, the ServerIron checks the health of each firewall and router path by sending an ICMP ping on the path every 400 milliseconds.
• If the ServerIron receives one or more responses within 1.2 seconds, the ServerIron concludes that the path is healthy.
• Otherwise, the ServerIron reattempts the health check by sending another ping. By default, the ServerIron reattempts an unanswered path health check up to three times before concluding that the path is unhealthy.
You can change the maximum number of retries to a value from 3 – 31 (ServerIron 400 and ServerIron 800) or 8 – 31 (all other ServerIron models).
EXAMPLE:
ServerIron(config-tc-2)# fw-health-check icmp 20
Syntax: [no] fw-health-check icmp <num>
The <num> parameter specifies the maximum number of retries and can be a number from 3 – 31 (ServerIron 400 and ServerIron 800) or 8 – 31 (all other ServerIron models). The default is 3.
Possible values: 3 – 31 (ServerIron 400 and ServerIron 800) or 8 – 31 (all other ServerIron models)
Default value: 3
fw-health-check tcp | udp
You can configure the ServerIrons in an FWLB configuration to use Layer 4 health checks instead of Layer 3 health checks for firewall paths.
By default, the ServerIron performs Layer 3 health checks of firewall paths, but does not perform Layer 4 health checks of the paths. When you configure a Layer 4 health check, the Layer 3 (ICMP) health check, which is used by default, is disabled.
NOTE: The Layer 4 health check applies only to firewall paths. The ServerIron always uses a Layer 3 (ICMP) health check to test the path to the router.
When you configure a Layer 4 health check for firewall paths, the ServerIron sends Layer 4 health checks and also responds at Layer 4 to health checks from the ServerIron at the other end of the firewall path.
To configure a Layer 4 health check, specify the protocol (TCP or UDP). Optionally, you also can specify the port.
• UDP – The ServerIron sends and listens for path health check packets on the port you specify. If you do not specify a port, the ServerIron uses port 7777 by default. The port number is used as both the source and destination UDP port number in the health check packets.
• TCP – The ServerIron listens for path health check packets on the port you specify, but sends them using a randomly generated port number. If you do not specify a port, the ServerIron uses port 999 as the destination port by default.
NOTE: You must configure the same Layer 4 health check parameters on all the ServerIrons in the FWLB configuration. Otherwise, the paths will fail the health checks.
EXAMPLE:
ServerIron(config-tc-2)# fw-health-check udp
The command in this example enables Layer 4 health checks on UDP port 7777. This ServerIron sends firewall path health checks to UDP port 7777 and listens for health checks on UDP port 7777.
Syntax: [no] fw-health-check udp | tcp [<tcp/udp-portnum> <num>]
The <tcp/udp-portnum> parameter specifies the TCP or UDP port and can be a number from 1 – 65535.
The <num> parameter specifies the maximum number of retries and can be a number from 3 – 31 (ServerIron 400 and ServerIron 800) or 8 – 31 (all other ServerIron models), the same ranges as for the ICMP health check. The default is 3.
You can disable the Layer 4 health checks on individual firewalls if needed. To disable the Layer 4 health check for an individual application on an individual firewall, enter a command such as the following at the firewall configuration level of the CLI:
ServerIron(config-rs-FW1)# port http no-health-check
The command in this example disables Layer 4 health checks for port HTTP on firewall FW1.
Syntax: [no] port <tcp/udp-port> no-health-check
Possible values: See above
Default value: Disabled
fw-name
Adds a firewall to the firewall group for firewall load balancing.
EXAMPLE:
To add a firewall named FW99 to firewall group 2, enter the following commands:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fw-name FW99
NOTE: The command prompt looks the same for cache groups and the firewall group. Make sure you enter the fw-group 2 command instead of the cache-group <num> command to reach the CLI prompt shown in this example.
Syntax: fw-name <string> <ip-addr>
Possible values: See above
Default value: N/A
fw-predictor
Configures the ServerIron to load balance based on the lowest number of connections for the traffic flow’s application. By default, the ServerIron load balances firewall traffic flows by selecting the firewall with the lowest number of total connections.
For example, suppose a configuration has two firewalls (FW1 and FW2), and each firewall has two application ports defined (HTTP and SMTP). Also assume the following:
• FW1 has 10 HTTP connections and 80 SMTP connections.
• FW2 has 60 HTTP connections and 10 SMTP connections.
Using the default load balancing method, traffic for a new flow is load balanced to FW2, since this firewall has fewer total connections. This is true regardless of the application in the traffic. However, using the load balancing by application method, a new traffic flow carrying HTTP traffic is load balanced to FW1 instead of FW2, because FW1 has fewer HTTP connections. A new traffic flow for SMTP is load balanced to FW2, since FW2 has fewer SMTP connections.
EXAMPLE:
ServerIron(config-tc-2)# fw-predictor per-service-least-conn
Syntax: [no] fw-predictor total-least-conn | per-service-least-conn
The total-least-conn parameter load balances traffic based on the total number of connections only. This is the default.
The per-service-least-conn parameter load balances traffic based on the total number of connections for the traffic’s application. This is valid for TCP or UDP applications.
Possible values: See above
Default value: total-least-conn
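The FW1/FW2 example above, carried through in code. This is an added example and not Foundry code: it applies both fw-predictor methods to the connection counts from the text; the dictionary layout and the first-listed-wins tie-break are this example's own assumptions.

```python
from typing import Dict, Optional

# Added example, not Foundry code: the two fw-predictor methods applied to the
# FW1/FW2 connection counts from the text. The dictionary layout and the
# first-listed-wins tie-break are assumptions.

Counts = Dict[str, Dict[str, int]]   # firewall -> application -> open connections

CONNECTIONS: Counts = {
    "FW1": {"http": 10, "smtp": 80},
    "FW2": {"http": 60, "smtp": 10},
}

def total_connections(counts: Counts, fw: str) -> int:
    return sum(counts[fw].values())

def select_firewall(counts: Counts, app: Optional[str],
                    predictor: str = "total-least-conn") -> str:
    """Pick the firewall for a new flow carrying `app`.

    total-least-conn (default): fewest connections in total, whatever the application.
    per-service-least-conn: fewest connections for this application only.
    min() keeps the first firewall on a tie, so the order in `counts` is the tie-break.
    """
    if predictor == "total-least-conn":
        return min(counts, key=lambda fw: total_connections(counts, fw))
    if predictor == "per-service-least-conn":
        if app is None:
            raise ValueError("per-service-least-conn needs the flow's application")
        return min(counts, key=lambda fw: counts[fw].get(app, 0))
    raise ValueError(f"unknown predictor {predictor!r}")

if __name__ == "__main__":
    for app in ("http", "smtp"):
        print(app, "default ->", select_firewall(CONNECTIONS, app),
              "| per-service ->", select_firewall(CONNECTIONS, app, "per-service-least-conn"))
```

With the default predictor every new flow goes to FW2 (70 total connections against 90), so FW2 keeps absorbing HTTP even though it already holds six times more HTTP sessions than FW1; the per-service predictor splits HTTP to FW1 and SMTP to FW2.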
hash-mask
This command defines how requests are distributed among multiple web cache servers or firewalls within a cache group or firewall group.
EXAMPLE:
To direct all web queries destined for the same web site (such as “www.rumors.com”) to the same cache server for processing, enter the following hash-mask command:
ServerIron(config-tc-1)# hash-mask 255.255.255.255 0.0.0.0
NOTE: This is useful for networks that have many users accessing the same web site locations. It may be more useful to use only the first three octets of the Destination IP address (255.255.255.0) for web sites that may return multiple web server addresses (for example “www.rumors1.com” and "www.rumors2.com") in response to www.rumors.com queries.
EXAMPLE:
To direct all users from the same Class B sub-net (255.255.0.0) to either server1 or server2 and to direct all redundant requests destined to the same web site (255.255.255.0) to the same web cache server, enter the following hash-mask command:
ServerIron(config-tc-1)# hash-mask 255.255.255.0 255.255.0.0
EXAMPLE:
To configure a hash mask for firewall load balancing, enter the following command:
ServerIron(config-tc-1)# hash-mask 255.255.255.255 255.255.255.255
NOTE: The command prompt looks the same for cache groups and the firewall group. Make sure you enter the server fw-group <num> command instead of the server cache-group <num> command to reach the firewall group level shown in this example.
Syntax: hash-mask <destination-mask> <source-mask>
Possible values: valid IP addresses
Default value: destination mask 255.255.255.0, source mask 0.0.0.0.
hash-port-range
Specifies a range of TCP or UDP application port numbers for use in FWLB hashing calculations. This is useful in environments where the same source-and-destination pairs generate a lot of traffic and you want to load balance the traffic across more than one firewall.
By default, the FWLB hashing algorithm uses the source and destination IP addresses of a packet for hashing but disregards the source and destination TCP or UDP application port numbers.
NOTE: You also can specify a list of ports, in which case the software hashes based on the combined set of ports from the list and the range. If you specify both a list and a range of ports, the software uses the source and destination application ports of a packet to hash, if the packet’s source or destination application port is one of the ports in the specified list or the specified range.
EXAMPLE:
To specify a range of application ports, enter a command such as the following at the firewall group configuration level of the CLI:
ServerIron(config-tc-2)# hash-port-range 69 80
Syntax: [no] hash-port-range <start-num> <end-num>
The <start-num> parameter specifies the starting port number in the range. Specify the port number at the lower end of the range.
The <end-num> parameter specifies the ending port number in the range. Specify the port number at the higher end of the range.
Possible values: See above
Default value: N/A
hash-ports
Specifies a list of TCP or UDP application port numbers for use in FWLB hashing calculations. This is useful in environments where the same source-and-destination pairs generate a lot of traffic and you want to load balance the traffic across more than one firewall.
By default, the FWLB hashing algorithm uses the source and destination IP addresses of a packet for hashing but disregards the source and destination TCP or UDP application port numbers.
NOTE: You also can specify a range of ports, in which case the software hashes based on the combined set of ports from the list and the range. If you specify both a list and a range of ports, the software uses the source and destination application ports of a packet to hash, if the packet’s source or destination application port is one of the ports in the specified list or the specified range.
EXAMPLE:
To specify a list of TCP/UDP ports to include in the hash calculations for firewall load balancing:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# hash-ports 69 80
Syntax: [no] hash-ports <num> [<num...>]
Possible values: The <num> parameters specify TCP or UDP port numbers. You can specify up to eight port numbers on the same command line.
Default value: N/A
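The hash-mask, hash-ports and hash-port-range descriptions above all shape one thing: the key that is hashed to pick a member. The following Python model is an added example and not Foundry code; it serves the hash-mask passage and the hash-ports / hash-port-range passages together. The ServerIron's actual hash function is not documented here, so zlib.crc32 over the key stands in for it: only "same key, same member" is meaningful, not which member a given key lands on.

```python
import ipaddress
import zlib
from typing import Iterable, Optional, Sequence, Tuple

# Added example, not Foundry code. Models how hash-mask, hash-ports and hash-port-range
# shape the key that selects a cache server or firewall. zlib.crc32 is a stand-in for
# the undocumented ServerIron hash; class and method names are this example's own.

def masked(ip: str, mask: str) -> int:
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))

class HashGroup:
    def __init__(self, members: Sequence[str],
                 dst_mask: str = "255.255.255.0", src_mask: str = "0.0.0.0",
                 hash_ports: Iterable[int] = (),
                 hash_port_range: Optional[Tuple[int, int]] = None):
        if not members:
            raise ValueError("a group needs at least one member")
        self.members = list(members)
        self.dst_mask, self.src_mask = dst_mask, src_mask   # hash-mask (defaults shown)
        self.ports = set(hash_ports)                        # hash-ports list
        self.port_range = hash_port_range                   # hash-port-range (start, end)

    def port_selected(self, port: int) -> bool:
        if port in self.ports:
            return True
        return bool(self.port_range) and self.port_range[0] <= port <= self.port_range[1]

    def hash_key(self, src_ip: str, dst_ip: str, src_port: int = 0, dst_port: int = 0) -> tuple:
        key = (masked(dst_ip, self.dst_mask), masked(src_ip, self.src_mask))
        # Ports join the key only when the packet's source OR destination port is in the
        # configured list or range; otherwise ports are disregarded (the default).
        if self.port_selected(src_port) or self.port_selected(dst_port):
            key += (src_port, dst_port)
        return key

    def select(self, src_ip: str, dst_ip: str, src_port: int = 0, dst_port: int = 0) -> str:
        digest = zlib.crc32(repr(self.hash_key(src_ip, dst_ip, src_port, dst_port)).encode())
        return self.members[digest % len(self.members)]

if __name__ == "__main__":
    cache = HashGroup(["web1", "web2"])                      # default masks
    print(cache.hash_key("10.1.1.1", "209.157.22.10"), cache.hash_key("10.2.2.2", "209.157.22.99"))
    fw = HashGroup(["FW1", "FW2"], "255.255.255.255", "255.255.255.255", hash_ports=(69, 80))
    print(fw.hash_key("10.1.1.1", "209.157.22.10", 40000, 80))
```

With the default masks every client requesting any address in the same /24 hashes to the same cache server; with full masks and `hash-ports 69 80`, flows to port 80 from one client are spread across firewalls by their source port, while flows to port 443 from that client all stay on one firewall.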
http-cache-control
This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This command ensures that HTTP 1.0 requests that have a pragma:no-cache header and HTTP 1.1 requests that have a Cache-Control header containing a no-cache directive are sent to the Internet. This is the default behavior. You can use the no form of this command to configure the ServerIron to ignore the pragma:no-cache or Cache-Control header in an HTTP request.
EXAMPLE:
To configure the ServerIron to ignore the pragma:no-cache or Cache-Control header in an HTTP request:
ServerIron(config-tc-1)# no http-cache-control
Syntax: [no] http-cache-control
Possible values: N/A
Default value: HTTP 1.0 requests that have a pragma:no-cache header and HTTP 1.1 requests that have a Cache-Control header containing a no-cache directive are sent to the Internet.
l2-fwall
Enables Layer 2 FWLB for Layer 2 firewalls and for static route configurations.
EXAMPLE:
To enable the L2-fwall option on a ServerIron, enter the following commands:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# l2-fwall
Syntax: l2-fwall
Possible values: N/A
Default value: Disabled
no
This command is used to disable other commands. To do so, place the word no before the command.
no-group-failover
Causes requests to be dropped if a URL switching policy directs the requests to a server group, but none of the cache servers in the server group are available. Without this command, if none of the cache servers in a server group are available, the requests are directed to one of the other server groups configured on the device.
EXAMPLE:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# no-group-failover
ServerIron(config-tc-1)# exit
Syntax: no-group-failover
Possible values: N/A
Default value: N/A
no-http-downgrade
Prevents the ServerIron from downgrading the HTTP version in a request to 1.0.
In a content aware cache switching configuration, when the ServerIron receives an HTTP request from a client, it determines to which cache server it should send the request. The ServerIron then establishes a TCP connection with the selected cache server and sends it the request.
If the request sent from the client to the ServerIron uses HTTP version 1.1, the ServerIron downgrades the HTTP version to 1.0 when it sends the request to the cache server. If you want to use HTTP 1.1 for the connection between the ServerIron and the cache servers, you can prevent the ServerIron from downgrading the HTTP version to 1.0.
EXAMPLE:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# no-http-downgrade
ServerIron(config-tc-1)# exit
Syntax: no-http-downgrade
Possible values: N/A
Default value: N/A
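The http-cache-control and no-http-downgrade entries both hinge on inspecting the client's request line and headers. The following Python is an added example, not Foundry code, serving both entries: it parses a request head, decides whether the request bypasses the cache under the default and the `no http-cache-control` settings, and shows the request line the cache server receives with and without `no-http-downgrade`. The sample requests are constructed for this example.

```python
from typing import List, Tuple

# Added example, not Foundry code. Parses an HTTP request head and applies the two
# decisions described for http-cache-control and no-http-downgrade. The sample
# requests below are constructed, not captured traffic.

Headers = List[Tuple[str, str]]

def parse_request(raw: bytes) -> Tuple[str, str, str, Headers]:
    """Split a request head into (method, target, version, [(name, value), ...]).
    Header names are lower-cased for matching; values are stripped but keep their case."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return method, target, version, headers

def _directives(value: str) -> List[str]:
    return [d.strip().lower() for d in value.split(",")]

def bypasses_cache(version: str, headers: Headers, honour_cache_control: bool = True) -> bool:
    """Default (http-cache-control): an HTTP/1.0 request carrying 'Pragma: no-cache' or an
    HTTP/1.1 request whose Cache-Control contains the no-cache directive goes to the Internet.
    honour_cache_control=False models `no http-cache-control`: both headers are ignored."""
    if not honour_cache_control:
        return False
    for name, value in headers:
        if version == "HTTP/1.0" and name == "pragma" and "no-cache" in _directives(value):
            return True
        if version == "HTTP/1.1" and name == "cache-control" and "no-cache" in _directives(value):
            return True
    return False

def request_line_to_cache(method: str, target: str, version: str, downgrade: bool = True) -> str:
    """Default: an HTTP/1.1 request reaches the cache server as HTTP/1.0.
    downgrade=False models `no-http-downgrade`, which keeps the client's version."""
    if downgrade and version == "HTTP/1.1":
        version = "HTTP/1.0"
    return f"{method} {target} {version}"

# Constructed sample requests
REQ_10_NOCACHE = (b"GET http://www.example.com/ HTTP/1.0\r\n"
                  b"Host: www.example.com\r\nPragma: no-cache\r\n\r\n")
REQ_11_NOCACHE = (b"GET http://www.example.com/ HTTP/1.1\r\n"
                  b"Host: www.example.com\r\nCache-Control: max-age=0, no-cache\r\n\r\n")
REQ_11_PLAIN = (b"GET http://www.example.com/ HTTP/1.1\r\n"
                b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for raw in (REQ_10_NOCACHE, REQ_11_NOCACHE, REQ_11_PLAIN):
        method, target, version, headers = parse_request(raw)
        print(version, "bypass:", bypasses_cache(version, headers),
              "| to cache:", request_line_to_cache(method, target, version))
```

Note that the rule is version-specific as the text states it: an HTTP/1.1 request carrying only `Pragma: no-cache` is not treated as a cache bypass, and a client can therefore only force a fetch from the origin when its header matches its protocol version.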
prefer-cnt
Specifies a path link tolerance for firewall paths. The default failover tolerance for firewall paths is one half the configured firewall paths.
NOTE: The minimum number of required paths must match on each ServerIron in an active-standby pair. For example, if you specify one router path and three firewall paths as the minimum on the active ServerIron, you must configure the same minimums on the standby ServerIron.
EXAMPLE:
To specify the minimum number of paths required on a ServerIron:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# prefer-cnt 3
This example specifies that a minimum of three firewall paths must be available for the ServerIron to remain active. Thus, if the ServerIron has four firewall paths, one path can be unavailable and the ServerIron will remain the active ServerIron; if it has only three firewall paths, all three must stay available.
Syntax: prefer-cnt <num>
Possible values: The <num> parameter specifies the minimum number of paths required.
Default value: half the configured paths
prefer-router-cnt
Specifies a path link tolerance for router paths. The default tolerance for router ports is one half the configured router ports.
NOTE: The minimum number of required paths must match on each ServerIron in an active-standby pair. For example, if you specify one router path and three firewall paths as the minimum on the active ServerIron, you must configure the same minimums on the standby ServerIron.
EXAMPLE:
To specify the minimum number of paths required on a ServerIron:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# prefer-router-cnt 3
This example specifies that a minimum of three router paths must be available for the ServerIron to remain active. Thus, if the ServerIron has four router paths, one path can be unavailable and the ServerIron will remain the active ServerIron; if it has only three router paths, all three must stay available.
Syntax: prefer-router-cnt <num>
Possible values: The <num> parameter specifies the minimum number of paths required.
Default value: half the configured router ports
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-tc-1)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
spoof-support
Configures the ServerIron to support TCS using cache servers that send requests to the Internet using the requesting client's IP address as the source (known as cache server spoofing).
EXAMPLE:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# spoof-support
Syntax: [no] spoof-support
Possible values: N/A
Default value: Cache server spoofing support is disabled by default.
source-nat
Configures the ServerIron to translate the source address of client requests the ServerIron forwards to cache servers. The ServerIron changes the address to a source IP address you have configured on the ServerIron.
Add source IP addresses and enable source NAT if the ServerIron and cache server are in different sub-nets. For information, see the "Configuring Network Address Translation" chapter of the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
ServerIron(config-tc-1)# source-nat
Syntax: [no] source-nat
Possible values: N/A
Default value: Disabled
sym-priority
Specifies the priority of this ServerIron with respect to the other ServerIron for the firewalls in the firewall group. The ServerIron with the higher priority is the default active ServerIron for the firewalls within the group.
EXAMPLE:
SI-ActiveA(config)# server fw-group 2
SI-ActiveA(config-tc-2)# sym-priority 254
Syntax: sym-priority <priority>
Possible values: 0 – 255; setting the priority to 0 removes the priority setting from the configuration
Default value: N/A
url-host-id
This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This command causes HTTP requests for a specified host to be evaluated by a specified URL switching policy.
EXAMPLE:
To cause HTTP requests for www.mysite.com to be evaluated by policyA.
ServerIron(config-tc-1)# url-host-id www.mysite.com policyA
Syntax: url-host-id <host> <policy-name>
Possible values: Host name, URL switching policy name
Default value: N/A
url-map
This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This command specifies a URL switching policy to be active for this cache group. If you configure more than one URL switching policy, the policies must be linked together.
EXAMPLE:
To specify a URL switching policy to be active for a cache group:
ServerIron(config-tc-1)# url-map p1
Syntax: url-map <policy-name>
Possible values: URL switching policy name
Default value: N/A
url-switch
Activates Content Aware Cache Switching for this cache group. You must have already defined the URL switching policies before entering this command.
EXAMPLE:
To activate Content Aware Cache Switching for a cache group:
ServerIron(config-tc-1)# url-switch
Syntax: url-switch
Possible values: N/A
Default value: N/A
virtual-ip
This command configures the ServerIron for either of the following features:
• Policy-based Cache Failover. See the "Configuring Transparent Cache Switching" chapter in the Foundry ServerIron Installation and Configuration Guide.
• FWLB for VPN firewalls. See the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
To add virtual IP address 209.157.22.26 to cache group 1, enter the following command:
ServerIron(config-tc-1)# virtual-ip 209.157.22.26
EXAMPLE:
To enable the VPN Load Balancing feature and specify the FireWall-1 Cluster IP address, enter the following commands. These commands apply to the ServerIron that is connected to the Internet side of the firewalls.
ServerIron(config)# server vpn-lb
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# virtual-ip 10.10.1.10
Syntax: virtual-ip <ip-addr>
You do not need to enter a network mask.
Possible values: N/A
Default value: N/A
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
ServerIron(config-tc-1)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-tc-1)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 13
GSLB Affinity Commands
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-gslb-affinity)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-affinity)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
no
This command is used to disable other commands. To do so, place the word no before the command.
prefer
Configures a GSLB affinity definition. The GSLB Affinity feature configures the GSLB ServerIron to always prefer a specific site ServerIron for queries from clients whose addresses are within a given IP prefix. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
To configure an affinity definition, enter commands such as the following:
ServerIron(config)# gslb affinity
ServerIron(config-gslb-affinity)# prefer sunnyvale slb-1 for 0.0.0.0/0
ServerIron(config-gslb-affinity)# prefer atlanta slb-1 for 192.108.22.0/22
These commands configure a default affinity definition (using the 0.0.0.0/0 prefix) and an affinity definition that uses prefix 192.108.22.0/22. For clients that are not within the prefix in the second affinity definition, the ServerIron uses the default affinity definition. The ServerIron sends clients whose IP addresses are within the 192.108.22.0/22 prefix to a VIP on slb-1 at the “atlanta” site, when available. The ServerIron sends all other clients to a VIP on slb-1 at the “sunnyvale” site when available.
Syntax: gslb affinity
This command places the CLI at the affinity configuration level.
Syntax: [no] prefer <site-name> <si-name> | <si-ip-addr> for <ip-addr> <ip-mask> | <ip-addr>/<prefix-length>
You can refer to the ServerIron by its GSLB site name and ServerIron name or by its management IP address. Use one of the following parameters:
• The <site-name> and <si-name> parameters specify the remote site and a ServerIron at that site. If you use this method, you must specify both parameters.
• The <si-ip-addr> parameter specifies the site ServerIron’s management IP address.
NOTE: In either case, the running-config and the startup-config file refer to the ServerIron by its IP address.
The <ip-addr> <ip-mask> or <ip-addr>/<prefix-length> parameter specifies the prefix. You can specify a mask from 0.0.0.0 – 255.255.255.254. If you instead specify a prefix length, you can specify from 0 – 31 bits.
If you specify 0.0.0.0 0.0.0.0 or 0.0.0.0/0, the ServerIron applies the affinity definition to all client addresses. As a result, an address that does not match another affinity definition uses the zero affinity definition by default. If you do not configure a default affinity definition, the ServerIron uses the standard GSLB policy for clients whose addresses are not within a prefix in an affinity definition.
Possible values: See above.
Default value: N/A
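The affinity lookup described above (the most specific matching prefix wins, the 0.0.0.0/0 definition catches everything else, and a client that matches no definition falls back to the standard GSLB policy) modelled in Python. This is an added example and not Foundry code; the class and method names are its own, and it returns None where the text says the standard GSLB policy applies. The two `prefer` definitions from the example are loaded by `example_table()`.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example, not Foundry code: a longest-prefix affinity table modelling the two
# `prefer` definitions from the text. Names are this example's own; None stands for
# "no affinity matched, use the standard GSLB policy".

class AffinityTable:
    def __init__(self) -> None:
        self.entries: List[Tuple[ipaddress.IPv4Network, str, str]] = []

    def prefer(self, site: str, si: str, prefix: str) -> None:
        """prefix is 'addr/len' or 'addr/mask'. Host bits are masked off, so
        192.108.22.0/22 is stored as 192.108.20.0/22 (covering 192.108.20.0 - 192.108.23.255).
        Only lengths 0 - 31 are accepted, matching the CLI's documented range."""
        net = ipaddress.IPv4Network(prefix, strict=False)
        if net.prefixlen > 31:
            raise ValueError("prefix length must be 0 - 31")
        self.entries.append((net, site, si))

    def lookup(self, client_ip: str) -> Optional[Tuple[str, str]]:
        """Return (site, serveriron) of the most specific definition containing client_ip."""
        addr = ipaddress.IPv4Address(client_ip)
        best = None
        for net, site, si in self.entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, site, si)
        return None if best is None else (best[1], best[2])

def example_table() -> AffinityTable:
    """The two definitions from the text: a default and a /22 for one client range."""
    table = AffinityTable()
    table.prefer("sunnyvale", "slb-1", "0.0.0.0/0")
    table.prefer("atlanta", "slb-1", "192.108.22.0/22")
    return table

if __name__ == "__main__":
    table = example_table()
    for client in ("192.108.23.5", "10.0.0.1"):
        print(client, "->", table.lookup(client))
```

A useful check before relying on an affinity definition is to confirm what its prefix actually covers once host bits are masked: 192.108.22.0/22 also captures 192.108.20.x and 192.108.21.x clients.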
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-affinity)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
ServerIron(config-gslb-affinity)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-affinity)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 14
GSLB DNS Zone Commands
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-gslb-dns-foundrynet.com)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
host-info
Configures DNS zone and host information for GSLB.
EXAMPLE:
To specify the foundrynet.com zone and two host names, each of which is associated with an application, enter the following commands:
ServerIron(config)# gslb dns zone-name foundrynet.com
ServerIron(config-gslb-dns-foundrynet.com)# host-info www http
ServerIron(config-gslb-dns-foundrynet.com)# host-info ftp ftp
The commands in this example add the zone foundrynet.com and add two hosts within that zone: www and ftp. The GSLB ServerIron will provide global SLB for these two hosts within the zone.
Syntax: [no] gslb dns zone-name <name>
The <name> parameter specifies the DNS zone name.
NOTE: If you delete a DNS zone (by entering the no gslb dns zone-name <name> command), the zone and all the host names you associated with the zone are deleted.
Syntax: [no] host-info <host-name> <host-application> | <tcp/udp-portnum>
The <host-name> parameter specifies the host name. You do not need to enter the entire (fully-qualified) host name. Enter only the host portion of the name. For example, if the fully qualified host name is www.foundrynet.com, do not enter the entire name. Enter only “www”. The rest of the name is already specified by the gslb dns zone-name command. You can enter a name up to 32 characters long.
The <host-application> specifies the host application for which you want the GSLB ServerIron to provide global SLB. You can specify one of the following:
• FTP – the well-known name for port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name “FTP” corresponds to port 21.)
• TFTP – the well-known name for port 69
• HTTP – the well-known name for port 80
• IMAP4 – the well-known name for port 143
• LDAP – the well-known name for port 389
• NNTP – the well-known name for port 119
• POP3 – the well-known name for port 110
• SMTP – the well-known name for port 25
• TELNET – the well-known name for port 23
The <tcp/udp-portnum> parameter specifies a TCP/UDP port number instead of a well-known port. If the application is not one of those listed above, you still can configure the GSLB ServerIron to perform the Layer 4 health check on the specified port.
NOTE: If the application number does not correspond to one of the well-known ports recognized by the ServerIron, the GSLB ServerIron performs Layer 4 TCP or UDP health checks for the ports but does not perform application-specific health checks.
Possible values: see above
Default value: N/A
no
This command is used to disable other commands. To do so, place the word no before the command.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
Foundry ServerIron Command Line Interface Reference
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 15
GSLB Site Commands
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-gslb-site-sunnyvale)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
geo-location
Explicitly identifies the geographic location of a GSLB site. By default, the GSLB ServerIron uses a site’s IP address to determine its geographic location.
EXAMPLE:
To explicitly identify Sunnyvale’s geographic location as North America, enter the following commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# geo-location n-america
Syntax: [no] geo-location asia | europe | n-america | s-america
Possible values: see above
Default value: the region associated with the site’s IP address
no
This command is used to disable other commands. To do so, place the word no before the command.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
si-name
Specifies the remote ServerIrons in a GSLB site.
EXAMPLE:
To identify two server sites, each containing two ServerIrons, enter the following commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.209
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210
ServerIron(config)# gslb site atlanta
ServerIron(config-gslb-site-atlanta)# si-name slb-1 192.108.22.111
ServerIron(config-gslb-site-atlanta)# si-name slb-2 192.108.22.112
These commands configure two GSLB sites. One of the sites is in Sunnyvale and the other is in Atlanta. Each site contains two ServerIrons that load balance traffic across server farms. The GSLB ServerIron you are configuring will use information provided by the other ServerIrons when it evaluates the servers listed in DNS replies.
Syntax: [no] si-name [<name>] <ip-addr> [<preference>]
The <name> parameter specifies a unique name for the ServerIron at the site. You can enter a string up to 16 characters long. The string can contain blanks. To use blanks, enclose the string in quotation marks. You can enter up to four pairs of ServerIron names and IP addresses on the same command line. The name is optional.
NOTE: Enter the ServerIron’s management IP address, not a virtual IP address (VIP) configured on the ServerIron or a source IP address added for source NAT.
The <preference> parameter sets the administrative preference for the site. When you enable the administrative preference as a GSLB metric, the administrative preference can be used by the GSLB policy when comparing this site with other sites. You can specify a preference from 0 – 255. The default preference is 128. The GSLB policy prefers high preference values over low preference values. If you specify 0, the site is administratively removed from selection by the GSLB policy but remains connected to the network.
For example, to set the administrative preference for a site ServerIron to 255, enter a command such as the following:
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.20 255
To change the preference for a site ServerIron you have already configured, use the same command syntax. You do not need to reconfigure other site parameters when you change the preference. For example, to change the preference for a site ServerIron from the default (128) to 200, enter a command such as the following:
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210 200
NOTE: The administrative preference metric is disabled by default, which means it is not used by the GSLB policy. The GSLB policy uses the preference values only if you enable this metric.
By default, the GSLB ServerIron uses a site’s IP address to determine its geographic location. Alternatively, you can explicitly identify the location. To do so, use the following command.
Syntax: [no] geo-location asia | europe | n-america | s-america
For example, to explicitly identify Sunnyvale’s geographic location as North America, enter the following commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# geo-location n-america
Possible values: see above
Default value: N/A
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 16
GSLB Policy Commands
capacity
Disables or re-enables the capacity threshold GSLB metric. This metric represents a site ServerIron’s available TCP/UDP session capacity. This metric is enabled by default, which means the GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no capacity
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# capacity
Syntax: [no] capacity
Possible values: enabled or disabled
Default value: enabled
capacity threshold
Specifies how close to the maximum session capacity the site ServerIron (remote ServerIron) can be and still be eligible as the best site for the client. This mechanism provides a way to shift load away from a site before the site becomes congested. The default value for the threshold is 90%. Thus a site ServerIron is eligible to be the best site only if its session utilization is below 90%.
EXAMPLE:
To change the session-table capacity metric, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# capacity threshold 99
Syntax: [no] capacity threshold <num>
The <num> parameter specifies the maximum percentage of a site ServerIron’s session table that can be in use. If the ServerIron’s session table utilization is greater than the specified percentage, the GSLB ServerIron prefers other sites over this site. You can specify a percentage from 0 – 100. The default is 90.
Possible values: 0 – 100
Default value: 90
dns active-only
Configures the ServerIron to remove IP addresses from DNS replies when those addresses fail a health check. The ServerIron removes the addresses that fail the check so long as the DNS query still contains at least one address that passes the health check.
NOTE: A site must pass all applicable health checks (Layer 4 and Layer 7) to avoid being removed.
EXAMPLE:
To configure the ServerIron to remove IP addresses from DNS replies when those addresses fail a health check, enter the following commands.
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns active-only
Syntax: [no] dns active-only
Possible values: enabled or disabled
Default value: disabled
dns check-interval
Changes the refresh interval for the DNS queries the GSLB ServerIron sends to verify zone and host information. The GSLB ServerIron sends the queries to the DNS for which it is configured to be a proxy.
EXAMPLE:
To change the refresh interval, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns check-interval 50
Syntax: [no] dns check-interval <num>
The <num> parameter specifies the interval and can be from 0 – 1000000000 seconds. The default is 30 seconds.
Possible values: 0 – 1000000000 seconds
Default value: 30 seconds
dns ttl
Specifies the value to which the GSLB ServerIron changes the TTL of each DNS record contained in DNS replies received from the DNS for which the ServerIron is a proxy.
EXAMPLE:
To change the TTL, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns ttl 45
Syntax: [no] dns ttl <num>
The <num> parameter specifies the TTL and can be from 0 – 1000000000 seconds. The default is 10 seconds.
For all GSLB features except DNS cache proxy, the command no dns ttl configures the ServerIron to use the TTL from the DNS. If you are using DNS cache proxy, this command resets the TTL to 10.
Possible values: 0 – 1000000000 seconds
Default value: 10 seconds
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-gslb-policy)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-policy)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
flashback
Disables or re-enables the FlashBack GSLB metric. This metric indicates how quickly the GSLB ServerIron receives Layer 4-7 health check results. This metric is enabled by default, which means the GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no flashback
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# flashback
Syntax: [no] flashback
Possible values: enabled or disabled
Default value: enabled
flashback application | tcp tolerance <num>
Modifies the following FlashBack parameters:
• Application tolerance
• TCP tolerance
The GSLB ServerIron uses a tolerance value when comparing the FlashBack speeds of different sites. The tolerance value specifies the percentage by which the FlashBack speeds of the two sites must differ in order for the ServerIron to choose one over the other. The default FlashBack tolerance is 10%. Thus, if the FlashBack speeds of two sites are within 10% of one another, the ServerIron considers the sites to be equal. However, if the speeds differ by more than 10%, the ServerIron prefers the site with the lower FlashBack speed.
FlashBack speeds are measured at Layer 4 for all TCP/UDP ports. For the application ports known to the ServerIron, the FlashBack speed of the application is also measured.
When the ServerIron compares the FlashBack speeds, it compares the Layer 7 (application-level) FlashBack speeds first, if applicable. If the application has a Layer 7 health check and if the FlashBack speeds are not equal, the ServerIron is through comparing the FlashBack speeds. However, if only the Layer 4 health check applies to the application, or if further tie-breaking is needed, the ServerIron then compares the Layer 4 FlashBack speeds.
EXAMPLE:
To change the tolerances for the response times of TCP and application health checks, when used as a metric for selecting a site, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# flashback application tolerance 30
ServerIron(config-gslb-policy)# flashback tcp tolerance 50
Syntax: [no] flashback application | tcp tolerance <num>
The application | tcp parameter specifies whether you are modifying the tolerance for the Layer 4 TCP health check or the Layer 7 application health checks. You can change one or both and the values do not need to be the same. For each, you can specify from 0 – 100. The default for each is 10.
Possible values: 0 – 100
Default value: 10
geographic
Disables or re-enables the geographic GSLB metric. This metric indicates the geographic location of a site. This metric is enabled by default, which means the GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no geographic
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# geographic
Syntax: [no] geographic
Possible values: enabled or disabled
Default value: enabled
health-check
Disables or re-enables the health-check GSLB metric. This metric indicates whether the site has passed the Layer 4 and (if applicable) Layer 7 health checks. The GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no health-check
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# health-check
Syntax: [no] health-check
Possible values: enabled or disabled
Default value: enabled
metric-order
Changes the order in which the GSLB ServerIron applies the policy metrics. To change the order, specify the metrics in the desired order.
NOTE: Foundry Networks recommends that you always use the health check as the first metric. Otherwise, it is possible that the GSLB policy will not select a "best” choice, and thus send the DNS reply unchanged. For example, if the first metric is geographic location, and the DNS reply contains two sites, one in North America and the other in South America, for clients in South America the GSLB policy favors the South American site after the first comparison. However, if that site is down, the GSLB policy will find that none of the sites in the reply is the “best” one, and thus send the reply unchanged.
You cannot disable or change the position of the Least Response Selection metric. The GSLB ServerIron uses this metric as a tie-breaker if the other comparisons do not result in selection of a “best” site.
EXAMPLE:
To specify a new GSLB policy order, enter a command such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# metric-order set round-trip-time capacity num-session flashback
This command changes the GSLB policy to the following:
• The round-trip time between the remote ServerIron and the DNS client
• The site ServerIron’s session capacity threshold
• The site ServerIron’s available session capacity
• The site ServerIron’s FlashBack speed (how quickly the GSLB receives the health check results)
• The Least Response selection (the site ServerIron that has been selected less often than others)
Two of the metrics, server health and geographic location, are not specified. As a result, these metrics are not used when evaluating site IP addresses in the DNS responses.
To display the GSLB policy after you change it, enter the show gslb policy command. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Syntax: [no] metric-order set <list>
The <list> parameter is a list of the metrics you want to use, in the order you want the GSLB ServerIron to use them. The GSLB uses the metrics in the order you specify them. You can specify one or more of the following:
• capacity – The site ServerIron’s available session capacity
• flashback – The site ServerIron’s FlashBack speed (how quickly the GSLB receives the health check results)
• geographic – The geographic location of the server
• health-check – The Layer 4 and application health checks
• num-session – The site ServerIron’s session capacity threshold
• preference – The administratively configured preference for the site ServerIron
• round-trip-time – The round-trip time between the remote ServerIron and the DNS client
There is no parameter for the Least Response Selection. This metric is always enabled and is always the last one in the policy.
To reset the order of the GSLB policy metrics to the default (and also re-enable all disabled metrics), enter the following command:
ServerIron(config-gslb-policy)# metric-order default
Syntax: metric-order default
The no metric-order set command also resets the order and re-enables all disabled metrics. This command is equivalent to metric-order default.
Possible values: any combination or order
Default value: The GSLB ServerIron applies the metrics in the following order:
• health-check
• num-session
• round-trip-time
• geographic
• capacity
• flashback
• administrative preference (when enabled; this metric is disabled by default)
• least-response (this metric is a tie-breaker and is always enabled and always last; you cannot disable or re-order this metric)
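The metric walk this chapter describes, as an added Python model (not Foundry code): the sites in a DNS reply are narrowed metric by metric in the configured metric-order, the tolerance commands decide when two measurements count as equal, a metric that rules out every remaining site leaves no "best" site (reply sent unchanged, as the NOTE above warns for a geographic-first order), and Least Response Selection is the final tie-breaker. The Site fields, the "percent of the larger value" tolerance rule, and the rule that a region with no matching site imposes no preference are assumptions.

```python
"""Model of how the GSLB policy narrows the sites in a DNS reply, metric by
metric, in the configured metric-order. Added illustration; not Foundry code."""
from dataclasses import dataclass, field
from typing import List, Optional

# Default order from this chapter (preference is disabled by default; least-response is implicit).
DEFAULT_ORDER = ["health-check", "num-session", "round-trip-time",
                 "geographic", "capacity", "flashback"]


@dataclass
class Site:
    name: str
    healthy: bool          # passed Layer 4 and, if applicable, Layer 7 health checks
    session_util: float    # percent of the site ServerIron's session table in use
    avail_sessions: int    # free session-table entries
    rtt_ms: float          # RTT to the client network, learned via the GSLB protocol
    flashback_ms: float    # how quickly the GSLB ServerIron got the health-check result
    geo: str               # asia | europe | n-america | s-america
    preference: int = 128  # si-name <preference>, 0-255
    selected: int = 0      # times chosen so far; drives the Least Response tie-break


@dataclass
class Policy:
    order: List[str] = field(default_factory=lambda: list(DEFAULT_ORDER))
    capacity_threshold: int = 90      # capacity threshold <num>
    num_session_tolerance: int = 10   # num-session tolerance <num>
    rtt_tolerance: int = 10           # round-trip-time tolerance <num>
    flashback_tolerance: int = 10     # flashback tcp|application tolerance <num>
    preference_enabled: bool = False  # the preference metric is disabled by default


def within_tolerance(a: float, b: float, pct: float) -> bool:
    """Two measurements count as equal when they differ by no more than pct
    percent (assumption: percent of the larger value)."""
    big = max(abs(a), abs(b))
    return big == 0 or abs(a - b) * 100.0 <= pct * big


def apply_metric(metric: str, cands: List[Site], client_geo: str, pol: Policy) -> List[Site]:
    """Return the candidates this metric still considers 'best'. May be empty."""
    if metric == "health-check":
        return [s for s in cands if s.healthy]
    if metric == "num-session":          # eligible only below the capacity threshold
        return [s for s in cands if s.session_util < pol.capacity_threshold]
    if metric == "round-trip-time":      # lower RTT wins unless within tolerance
        best = min(s.rtt_ms for s in cands)
        return [s for s in cands if within_tolerance(s.rtt_ms, best, pol.rtt_tolerance)]
    if metric == "geographic":           # assumption: no regional match means no preference
        same = [s for s in cands if s.geo == client_geo]
        return same or cands
    if metric == "capacity":             # more free sessions wins unless within tolerance
        best = max(s.avail_sessions for s in cands)
        return [s for s in cands
                if within_tolerance(s.avail_sessions, best, pol.num_session_tolerance)]
    if metric == "flashback":            # faster health-check response wins unless within tolerance
        best = min(s.flashback_ms for s in cands)
        return [s for s in cands
                if within_tolerance(s.flashback_ms, best, pol.flashback_tolerance)]
    if metric == "preference":           # higher administrative preference wins, when enabled
        if not pol.preference_enabled:
            return cands
        best = max(s.preference for s in cands)
        return [s for s in cands if s.preference == best]
    raise ValueError(f"unknown metric {metric!r}")


def select_site(sites: List[Site], client_geo: str, pol: Policy) -> Optional[Site]:
    """Apply the metrics in order. If any metric rules out every remaining site,
    there is no 'best' site and the DNS reply goes out unchanged (None).
    Least Response Selection (fewest prior selections) always breaks ties."""
    cands = list(sites)
    if not cands:
        return None
    for metric in pol.order:
        cands = apply_metric(metric, cands, client_geo, pol)
        if not cands:
            return None
    best = min(cands, key=lambda s: s.selected)
    best.selected += 1
    return best


if __name__ == "__main__":
    # Constructed sample: the NOTE's scenario, a healthy North American site
    # and a down South American site, queried by a South American client.
    sjc = Site("sunnyvale", True, 50, 5000, 80, 20, "n-america")
    sao = Site("sao-paulo", False, 40, 6000, 30, 25, "s-america")
    print("default order ->", select_site([sjc, sao], "s-america", Policy()))
    geo_first = Policy(order=["geographic"] + DEFAULT_ORDER[:-1])
    print("geographic first ->", select_site([sjc, sao], "s-america", geo_first))
```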
no
This command is used to disable other commands. To do so, place the word no before the command.
num-session
Disables or re-enables the GSLB metric for the site ServerIron’s session capacity threshold. The capacity threshold specifies how close to the maximum session capacity the site ServerIron (remote ServerIron) can be and still be eligible as the best site for the client. This mechanism provides a way to shift load away from a site before the site becomes congested. The GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no num-session
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# num-session
Syntax: [no] num-session
Possible values: enabled or disabled
Default value: enabled
num-session tolerance
Specifies the percentage by which the number of available sessions on the site ServerIron can differ from the number of available sessions on another site ServerIron and still be considered an equally good site.
EXAMPLE:
To change the session-table tolerance metric, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# num-session tolerance 20
Syntax: [no] num-session tolerance <num>
The <num> parameter specifies the maximum percentage by which the session table utilization on ServerIrons at different sites can differ without the GSLB ServerIron selecting one over the other based on this metric. You can specify a tolerance from 0 – 100. The default is 10.
Possible values: 0 – 100
Default value: 90
preference
Enables the administrative preference GSLB metric.
To assign preference values for individual site ServerIrons, see “si-name” on page 15-2.
EXAMPLE:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# preference
Possible values: N/A
Default value: Disabled
protocol
Enables the GSLB protocol on a site ServerIron.
For security, remote ServerIrons do not listen to TCP port 182 (the GSLB protocol port) by default. This means the GSLB protocol is disabled on remote site ServerIrons by default. For a remote ServerIron to use the protocol, you must enable the protocol on the remote ServerIron.
NOTE: Enter this command on the site ServerIron, not on the GSLB ServerIron.
NOTE: You also can secure access to a ServerIron by configuring Access Control Lists (ACLs). For example, you can configure ACLs to control access to the device on TCP port 182. See the “Using Access Control Lists (ACLs)“ chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
To enable a remote ServerIron to use the GSLB protocol, enter the following command:
ServerIron(config)# gslb protocol
Syntax: [no] gslb protocol
Possible values: N/A
Default value: Disabled
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-policy)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
round-trip-time
Disables or re-enables the GSLB metric for the round-trip time between the remote ServerIron and the DNS client. The round-trip time (RTT) is the amount of time that passes between when the remote site initiates a TCP connection (sends a TCP SYN) to the client and when the remote site receives the client’s acknowledgment of the connection request (the client’s TCP ACK). The GSLB ServerIron learns the RTT information from the site ServerIrons through the Foundry GSLB protocol and uses the information as a metric when comparing site IP addresses. The GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no round-trip-time
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# round-trip-time
Syntax: [no] round-trip-time
Possible values: enabled or disabled
Default value: enabled
round-trip-time cache-interval
Changes the RTT cache interval, which specifies how often the site ServerIrons use the Foundry GSLB protocol to send RTT information to the GSLB ServerIron. The GSLB ServerIron stores this information in a cache. The GSLB ServerIron uses the entries in the cache when using the RTT metric to evaluate IP addresses in a DNS reply.
EXAMPLE:
To change the RTT cache interval, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time cache-interval 30
The command in this example changes the RTT cache interval from 10 seconds to 30 seconds.
Syntax: [no] round-trip-time cache-interval <num>
The <num> parameter specifies the aging interval and can be from 10 – 300 seconds. The default is 10 seconds.
Possible values: 10 – 300 seconds
Default value: 10 seconds
round-trip-time cache-prefix
Changes the RTT cache prefix, which specifies the level of aggregation that occurs in the GSLB ServerIron’s RTT cache. The entries in the RTT cache include IP address information for the clients. To avoid overflowing the cache, cache entries are aggregated based on the IP information. For example, if the GSLB ServerIron receives RTT information for clients at 192.21.4.69 and 192.21.4.18, and the cache prefix is 31 bits, both addresses go in as separate entries. However, if the prefix is 16 bits, the GSLB ServerIron aggregates the addresses. In this case, only one entry, 192.21.x.x, goes in the cache.
EXAMPLE:
To change the RTT cache prefix, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time cache-prefix 16
The command in this example changes the RTT cache prefix from 20 bits to 16 bits.
Syntax: [no] round-trip-time cache-prefix <num>
The <num> parameter specifies the number of significant bits in the prefix and can be from 1 – 31. The default is 20.
Possible values: 1 – 31
Default value: 20
round-trip-time explore-percentage
Changes the RTT explore percentage, which prevents the GSLB ServerIron from unfairly biasing selection of the best site based on previous RTT responses.
Site ServerIrons send RTT information only for the sessions that clients open with them. These are clients referred to the site ServerIron by the GSLB ServerIron. If the metrics that come before this one (based on the GSLB policy order) do not select a “best” site, the ServerIron selects a site based on RTT.
Since the only RTT information received by the GSLB ServerIron comes from the site ServerIrons to which the GSLB ServerIron has referred clients, it is possible for the GSLB ServerIron to continually bias its selection toward the first site ServerIron that sent RTT information. To prevent this from occurring, the GSLB ServerIron intentionally ignores the RTT metric for a specified percentage of the requests from a given client network. You can specify an RTT explore percentage from 0 – 100. The default is 5. By default, the GSLB ServerIron ignores the RTT for 5% of the client requests from a given network.
EXAMPLE:
To change the RTT explore percentage, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time explore-percentage 10
The command in this example changes the RTT explore percentage from 5% to 10%.
Syntax: [no] round-trip-time explore-percentage <num>
The <num> parameter specifies the explore percentage and can be from 0 – 100. The default is 5.
Possible values: 0 – 100
Default value: 5
round-trip-time tolerance
Changes the RTT tolerance. When the GSLB ServerIron compares two site IP addresses based on RTT, the GSLB ServerIron favors one site over the other only if the difference between the RTT values is greater than the specified percentage. This percentage is the RTT tolerance. You can set the RTT tolerance to a value from 0 – 100. The default is 10%.
EXAMPLE:
To change the RTT tolerance, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time tolerance 70
The command in this example changes the RTT tolerance from 10% to 70%.
Syntax: [no] round-trip-time tolerance <num>
The <num> parameter specifies the percentage above which the RTTs of two sites must differ for the GSLB ServerIron to favor one site over the other based on the RTT. You can specify a value from 0 – 100. The default is 10%.
Possible values: 0 – 100%
Default value: 10%
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
static-prefix
Adds static prefix information to the cache. For example, you can add static cache entries with longer prefix information than the dynamic cache entries to ensure that RTT information is stored under the static entries instead of dynamic cache entries with shorter prefixes. This is useful when you want to ensure that certain prefixes are always present in the cache regardless of how often the GSLB ServerIron receives RTT data for them. Static prefixes do not age out.
NOTE: The GSLB ServerIron uses the most exact match when more than one prefix entry can apply to the same site address. To ensure that the GSLB ServerIron uses a static entry instead of certain dynamic entries for a given address, make sure the prefix of the static entry is longer than the prefix for dynamic entries.
NOTE: Since RTT information is stored under individual domain names that are queried, the RTT information reported from remote ServerIrons is not recorded under the static records until the GSLB ServerIron receives the first DNS query or response.
EXAMPLE:
To add a static prefix cache entry, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# static-prefix 61.1.1.1/20
Syntax: static-prefix <ip-addr>/<prefix-length>
The <ip-addr> specifies the address of the cache entry. This is not necessarily the address of a remote site. The address you specify here is combined with the prefix length to result in a network prefix (network portion of an IP address). The prefix length can be from 1 – 31.
NOTE: The prefix length 0 is not applicable to this feature and is ignored by the software.
You can enter more than one prefix on the same command line. Separate each prefix with a space. You can configure up to 250 static prefixes on a ServerIron.
The command in this example configures an entry for address 61.1.1.1 with a prefix of 20 bits. (Due to the prefix length, the value actually stored in the cache is 61.1.0.0/20.) When the GSLB ServerIron receives RTT information for an address within the specified prefix, the GSLB ServerIron stores the information in the static prefix entry configured above, instead of creating a dynamic entry.
Possible values: See above.
Default value: N/A
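The RTT cache behaviour described under round-trip-time cache-prefix, round-trip-time cache-interval and static-prefix, as an added Python model (not Foundry code): dynamic entries are aggregated to the configured cache-prefix, static prefixes are normalized the way the page shows (61.1.1.1/20 becomes 61.1.0.0/20) and never age out, and lookups use the most exact (longest) matching prefix. Storing the latest RTT per site, and letting a dynamic entry win when its prefix is as long as the static one, are assumptions.

```python
"""Model of the GSLB ServerIron's RTT cache with prefix aggregation, static
prefixes and longest-prefix lookup. Added illustration; not Foundry code."""
import ipaddress
from typing import Dict, List, Optional

IPv4Net = ipaddress.IPv4Network


class RttCache:
    MAX_STATIC = 250                  # static-prefix limit stated on the page

    def __init__(self, cache_prefix: int = 20, cache_interval: int = 10):
        if not 1 <= cache_prefix <= 31:
            raise ValueError("cache-prefix must be 1 - 31")
        self.cache_prefix = cache_prefix      # round-trip-time cache-prefix (default 20)
        self.cache_interval = cache_interval  # round-trip-time cache-interval, seconds (default 10)
        # network -> {"rtt": {site: ms}, "static": bool, "seen": last update time}
        self.entries: Dict[IPv4Net, dict] = {}

    def add_static_prefix(self, cidr: str) -> IPv4Net:
        """static-prefix <ip-addr>/<len>: host bits are dropped, so 61.1.1.1/20
        is stored as 61.1.0.0/20. Prefix length must be 1 - 31 (/0 is ignored)."""
        net = ipaddress.ip_network(cidr, strict=False)
        if not 1 <= net.prefixlen <= 31:
            raise ValueError("static prefix length must be 1 - 31")
        if net not in self.entries and self.static_count() >= self.MAX_STATIC:
            raise ValueError("at most 250 static prefixes")
        entry = self.entries.setdefault(net, {"rtt": {}, "static": False, "seen": None})
        entry["static"] = True   # an existing dynamic entry for the same prefix is promoted
        return net

    def static_count(self) -> int:
        return sum(1 for e in self.entries.values() if e["static"])

    def lookup(self, client_ip: str) -> Optional[IPv4Net]:
        """Most exact (longest-prefix) entry covering the client address, or None."""
        ip = ipaddress.ip_address(client_ip)
        matches: List[IPv4Net] = [n for n in self.entries if ip in n]
        return max(matches, key=lambda n: n.prefixlen) if matches else None

    def record_rtt(self, client_ip: str, site: str, rtt_ms: float, now: float = 0.0) -> IPv4Net:
        """Store an RTT report from a site ServerIron for one client address.
        The report goes under the matching static entry only when that entry's
        prefix is longer than the dynamic aggregation prefix (assumption: on a
        tie the dynamic <client>/<cache-prefix> entry is used); otherwise it is
        aggregated into the dynamic entry, creating it if needed."""
        ip = ipaddress.ip_address(client_ip)
        dynamic_net = ipaddress.ip_network(f"{ip}/{self.cache_prefix}", strict=False)
        static_hits = [n for n, e in self.entries.items() if e["static"] and ip in n]
        best_static = max(static_hits, key=lambda n: n.prefixlen) if static_hits else None
        if best_static is not None and best_static.prefixlen > self.cache_prefix:
            target = best_static
        else:
            target = dynamic_net
        entry = self.entries.setdefault(target, {"rtt": {}, "static": False, "seen": None})
        entry["rtt"][site] = rtt_ms     # assumption: keep the latest report per site
        entry["seen"] = now
        return target

    def rtt_for(self, client_ip: str, site: str) -> Optional[float]:
        """RTT the policy would use for this client and site, via longest match."""
        net = self.lookup(client_ip)
        return None if net is None else self.entries[net]["rtt"].get(site)

    def expire(self, now: float) -> int:
        """Drop dynamic entries not refreshed within cache-interval.
        Static prefixes never age out. Returns the number removed."""
        stale = [n for n, e in self.entries.items()
                 if not e["static"] and e["seen"] is not None
                 and now - e["seen"] > self.cache_interval]
        for n in stale:
            del self.entries[n]
        return len(stale)


if __name__ == "__main__":
    # Constructed sample: the page's two client addresses under a 31-bit and a 16-bit prefix.
    for bits in (31, 16):
        c = RttCache(cache_prefix=bits)
        c.record_rtt("192.21.4.69", "sunnyvale", 80)
        c.record_rtt("192.21.4.18", "sunnyvale", 90)
        print(f"cache-prefix {bits}: {[str(n) for n in c.entries]}")
    s = RttCache()                                   # default cache-prefix 20
    print("static", s.add_static_prefix("61.1.1.1/20"))   # stored as 61.1.0.0/20
```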
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-gslb-policy)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-policy)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 17 URL Switching Commands
default
Specifies what happens when the URL string does not meet any of the selection criteria in a URL switching policy’s match command(s).
EXAMPLE:
The following commands define a URL switching policy called p1.
ServerIron(config)# url-map p1
ServerIron(config-url-p1)# method prefix
ServerIron(config-url-p1)# match "/home" 1
ServerIron(config-url-p1)# default p2
ServerIron(config-url-p1)# exit
Syntax: default <server-group-id> | <policy-name>
Possible values: Either a real server group ID number or another URL switching policy
Default value: N/A
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-url-p1)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-url-p1)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
match
Specifies the selection criteria in a URL switching policy and indicates what to do when the URL string matches the selection criteria.
EXAMPLE:
ServerIron(config-url-p1)# match "/home" 1
Syntax: match "<selection-criteria>" <server-group-id> | <policy-name>
Possible values:
The selection criteria can be up to 80 characters in length. A URL switching policy can contain multiple match statements, each with different selection criteria. You can also use an asterisk (*) as a wildcard character to specify one or more characters at the end of a URL string.
The second part of the match statement must refer to a server group configured on the ServerIron or to another URL switching policy. In a Content Aware Cache Switching configuration, specifying 0 as the second part of the match statement causes requests meeting the selection criteria to be directed to the Internet, rather than to a cache server.
Default value: N/A
method
Specifies what kind of matching the URL switching policy does on the selection criteria.
EXAMPLE:
ServerIron(config-url-p1)# method prefix
Syntax: method prefix | suffix | pattern
Possible values:
Three kinds of matching methods are supported:
prefix compares the selection criteria to the beginning of the URL string.
suffix compares the selection criteria to the end of the URL string.
pattern looks for the selection criteria anywhere within the URL string.
Default value: N/A
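The default, match and method commands above together define how a policy chooses a target. As an added example that is not ServerIron code, the following Python evaluates such a policy: the three matching methods, the trailing “*” wildcard, the 80-character limit on selection criteria, chaining to another policy, and the default action. Two points are assumptions rather than statements of this reference: that match statements are tested in configured order with the first match winning, and that a trailing “*” behaves the same under every method. The class and function names are illustrative.

```python
# Added example, not ServerIron code: an evaluator for URL switching policies
# built from method, match and default, including policy chaining.
INTERNET = 0  # in Content Aware Cache Switching, target 0 sends the request to the Internet


class UrlPolicy:
    MAX_CRITERIA_LEN = 80  # selection criteria may be up to 80 characters

    def __init__(self, name, method):
        if method not in ("prefix", "suffix", "pattern"):
            raise ValueError("method must be prefix, suffix or pattern")
        self.name, self.method = name, method
        self.rules = []        # (selection criteria, server group id or policy name), in order
        self.default = None    # target used when no rule matches

    def match(self, criteria, target):
        if len(criteria) > self.MAX_CRITERIA_LEN:
            raise ValueError("selection criteria longer than 80 characters")
        self.rules.append((criteria, target))

    def matches(self, criteria, url):
        # Assumption: a trailing "*" is the only wildcard and stands for one or more
        # characters at the end of the URL, whatever the policy's method.
        if criteria.endswith("*"):
            stem = criteria[:-1]
            return url.startswith(stem) and len(url) > len(stem)
        if self.method == "prefix":
            return url.startswith(criteria)
        if self.method == "suffix":
            return url.endswith(criteria)
        return criteria in url  # pattern: anywhere in the URL string


def select_target(policies, policy_name, url, max_hops=16):
    """Return the server group id chosen for url, or None if no policy decides.
    Assumptions: rules are tested in configured order and the first match wins;
    a policy name as target continues evaluation in that policy; max_hops is a
    guard against a default/match cycle between policies."""
    for _ in range(max_hops):
        policy = policies[policy_name]
        target = policy.default
        for criteria, candidate in policy.rules:
            if policy.matches(criteria, url):
                target = candidate
                break
        if target is None:
            return None
        if isinstance(target, int):
            return target
        policy_name = target
    raise RuntimeError("URL switching policy chain exceeds max_hops")
```

Because the first matching statement wins in this model, ordering matters: under method prefix a match for "/home" placed before one for "/home/admin" means the second is never reached. The comparison is made on the URL string exactly as received, so the criteria must be written for the form the client actually sends.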
no
This command is used to disable other commands. To do so, place the word no before the command.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-url-p1)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
tcp-port
Specifies a TCP port where HTTP requests evaluated by the URL switching policy are sent.
EXAMPLE:
ServerIron(config-url-urlmap3)# tcp-port 8081
Syntax: tcp-port <port-number>
Possible values: TCP port number
Default value: 80
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-url-p1)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-url-p1)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 18 HTTP Match List Commands
default
Specifies what happens if none of the HTML text in the HTTP response message meets the selection criteria in the matching list: either mark port 80 on the real server FAILED or ACTIVE.
EXAMPLE:
To cause port 80 on the real server to be marked FAILED if none of the selection criteria are found in the HTTP response message:
ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# up compound "monkey see" "monkey do" log
ServerIron(config-http-ml-m4)# down compound "500" "Internal Server Error" log
ServerIron(config-http-ml-m4)# default down
ServerIron(config-http-ml-m4)# exit
Syntax: default down | up
Possible values: The down parameter causes port 80 on the real server to be marked FAILED if none of the selection criteria are found in the HTTP response message; the up parameter causes port 80 on the real server to be marked ACTIVE if none of the selection criteria are found in the HTTP response message.
Default value: up
down compound
Specifies the beginning and ending parts of a set of selection criteria. Text that begins with the first part and ends with the second part meets the selection criteria. If the selection criteria is met, port 80 on the real server is marked FAILED.
EXAMPLE:
To specify that if the HTML file contains a text string that begins with “500” and ends with “Internal Server Error”, the port is marked FAILED:
ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# down compound "500" "Internal Server Error" log
ServerIron(config-http-ml-m4)# exit
Syntax: down compound <start> <end> [log]
Possible values: The <start> and <end> parameters specify the beginning and end of a string of text. The log parameter causes a Warning message to be logged when the selection criteria is met.
Default value: N/A
down simple
Specifies the selection criteria in a matching list. If the selection criteria is met, port 80 on the real server is marked FAILED.
EXAMPLE:
To specify that if the HTML file contains the text “File Not Found”, the port is marked FAILED:
ServerIron(config)# http match-list m1
ServerIron(config-http-ml-m1)# down simple "File Not Found"
ServerIron(config-http-ml-m1)# exit
Syntax: down simple <text> [log]
Possible values: The <text> parameter specifies the selection criteria. The log parameter causes a Warning message to be logged when the selection criteria is met.
Default value: N/A
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-http-ml-listname)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-http-ml-listname)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
no
This command is used to disable other commands. To do so, place the word no before the command.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-http-ml-listname)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
up compound
Specifies the beginning and ending parts of a set of selection criteria. Text that begins with the first part and ends with the second part meets the selection criteria. If the selection criteria is met, port 80 on the real server is marked ACTIVE.
EXAMPLE:
To specify that if the HTML file contains a text string that begins with “monkey see” and ends with “monkey do”, the port is marked ACTIVE:
ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# up compound "monkey see" "monkey do" log
ServerIron(config-http-ml-m4)# exit
Syntax: up compound <start> <end> [log]
Possible values: The <start> and <end> parameters specify the beginning and end of a string of text. The log parameter causes a Warning message to be logged when the selection criteria is met.
Default value: N/A
up simple
Specifies the selection criteria in a matching list. If the selection criteria is met, port 80 on the real server is marked ACTIVE.
EXAMPLE:
To specify that if the HTML file contains the text “elephant”, the port is marked ACTIVE:
ServerIron(config)# http match-list m1
ServerIron(config-http-ml-m1)# up simple "elephant"
ServerIron(config-http-ml-m1)# exit
Syntax: up simple <text> [log]
Possible values: The <text> parameter specifies the selection criteria. The log parameter causes a Warning message to be logged when the selection criteria is met.
Default value: N/A
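The default, down compound, down simple, up compound and up simple commands above describe one decision: is port 80 on the real server ACTIVE or FAILED after the response body is checked. As an added example that is not ServerIron code, the following Python evaluates a match list against a response body. The compound semantics follow the text above (the <start> string must occur and the <end> string must occur after it); the reference does not state what happens when several rules match, so this model assumes rules are tested in configured order and the first match wins. The class and method names are illustrative.

```python
# Added example, not ServerIron code: evaluation of an HTTP match list against
# a response body to decide whether port 80 on a real server is ACTIVE or FAILED.
import logging

log = logging.getLogger("http-match-list")


class HttpMatchList:
    def __init__(self, name, default="up"):
        if default not in ("up", "down"):
            raise ValueError("default must be up or down")
        self.name, self.default = name, default
        self.rules = []  # (state, kind, args, log_flag) in configured order

    def simple(self, state, text, log_flag=False):
        """<state> simple <text> [log]"""
        self.rules.append((state, "simple", (text,), log_flag))

    def compound(self, state, start, end, log_flag=False):
        """<state> compound <start> <end> [log]"""
        self.rules.append((state, "compound", (start, end), log_flag))

    @staticmethod
    def _matches(kind, args, body):
        if kind == "simple":
            return args[0] in body
        start, end = args  # text that begins with start and ends with end
        i = body.find(start)
        return i >= 0 and body.find(end, i + len(start)) >= 0

    def evaluate(self, body):
        """Return "ACTIVE" or "FAILED" for the real server's port 80.
        Assumption: rules are tested in configured order and the first match wins."""
        for state, kind, args, log_flag in self.rules:
            if self._matches(kind, args, body):
                if log_flag:  # the log keyword produces a Warning message
                    log.warning("match-list %s: %s %s %r matched", self.name, state, kind, args)
                return "ACTIVE" if state == "up" else "FAILED"
        return "ACTIVE" if self.default == "up" else "FAILED"
```

With the default left at up, a response that matches none of the rules keeps the port ACTIVE, so a list that only has up rules never fails a server on an unexpected page; a practitioner usually pairs up rules with explicit down rules for error pages or sets default down, as the m4 example does. Note also that compound order is significant: "Internal Server Error, code 500" does not match down compound "500" "Internal Server Error".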
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-http-ml-listname)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-http-ml-listname)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 19 Server Monitor Commands
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-slb-mon)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-slb-mon)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
history
Configures a history list for the Layer 4 statistics monitoring function.
EXAMPLE:
ServerIron(config)# server monitor
ServerIron(config-slb-mon)# history 1 buckets 5 interval 30 owner rkwong
Syntax: history <entry-number> buckets <number> interval <sampling-interval> owner <text-string>
Possible values:
<entry-number> Is the index number for the history list. This can be a number from 1 – 100.
buckets <number> Is the number of rows allocated to a data table for this history list. This can be a number from 1 – 65535. This many samples are stored in the data table. For example, if you specify 10 buckets, the most recent 10 samples are stored in the data table.
interval <sampling-interval> Is the sampling interval in seconds. The sampling interval can be from 1 – 3600 seconds.
owner <text-string> Specifies the owner of the history list.
Default value: N/A
no
This command is used to disable other commands. To do so, place the word no before the command.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-slb-mon)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the “Configuring Global Server Load Balancing” chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-slb-mon)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-slb-mon)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 20 Routing Information Protocol (RIP) Commands
NOTE: The RIP configuration level applies only to IP forwarding (Layer 3 IP).
deny redistribute
Configures a redistribution filter to deny redistribution for specific routes.
When you enable redistribution, all IP static routes are redistributed by default. If you want to deny certain routes from being redistributed into RIP, configure deny filters for those routes before you enable redistribution. You can configure up to 64 RIP redistribution filters. They are applied in ascending numerical order.
NOTE: The default redistribution action is still permit, even after you configure and apply redistribution filters to the virtual routing interface. If you want to tightly control redistribution, apply a filter to deny all routes as the last filter (filter ID 64), then apply filters with lower filter IDs to allow specific routes.
EXAMPLE:
To configure a redistribution filter, enter a command such as the following:
ServerIron(config-rip-router)# deny redistribute 1 static address 207.92.0.0 255.255.0.0
This command denies redistribution of all 207.92.x.x IP static routes.
Syntax: [no] deny redistribute <filter-num> static address <ip-addr> <ip-mask> [match-metric <value> | set-metric <value>]
The <filter-num> specifies the redistribution filter ID. Specify a number from 1 – 64. The software uses the filters in ascending numerical order. Thus, if filter 1 denies a route from being redistributed, the software does not redistribute that route even if a filter with a higher ID permits redistribution of the route.
The address <ip-addr> <ip-mask> parameters apply redistribution to the specified network and sub-net address. Use 0 to specify “any”. For example, “207.92.0.0 255.255.0.0“ means “any 207.92.x.x sub-net”. However, to specify any sub-net (all sub-nets match the filter), enter “address 255.255.255.255 255.255.255.255”.
The match-metric <value> parameter applies redistribution to those routes with a specific metric value; possible values are from 1 – 15.
The set-metric <value> parameter sets the RIP metric value that will be applied to the routes imported into RIP.
NOTE: The set-metric parameter does not apply to static routes.
The following command denies redistribution of a 207.92.x.x IP static route only if the route’s metric is 5.
ServerIron(config-rip-router)# deny redistribute 2 static address 207.92.0.0 255.255.0.0 match-metric 5
The following commands deny redistribution of all routes except routes for 10.10.10.x and 20.20.20.x:
ServerIron(config-rip-router)# deny redistribute 64 static address 255.255.255.255 255.255.255.255
ServerIron(config-rip-router)# permit redistribute 1 static address 10.10.10.0 255.255.255.0
ServerIron(config-rip-router)# permit redistribute 2 static address 20.20.20.0 255.255.255.0
Possible values: See above
Default value: All routes are permitted to be redistributed
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-rip-router)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-rip-router)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
no
This command is used to disable other commands. To do so, place the word no before the command.
permit redistribute
Configures a redistribution filter to permit redistribution for specific routes.
When you enable redistribution, all IP static routes are redistributed by default. If you want to permit certain routes to be redistributed into RIP, configure permit filters for those routes before you enable redistribution. You can configure up to 64 RIP redistribution filters. They are applied in ascending numerical order.
NOTE: The default redistribution action is permit, even after you configure and apply redistribution filters to the virtual routing interface. If you want to tightly control redistribution, apply a filter to deny all routes as the last filter (filter ID 64), then apply filters with lower filter IDs to allow specific routes.
EXAMPLE:
To configure a redistribution filter, enter a command such as the following:
ServerIron(config-rip-router)# permit redistribute 1 static address 207.92.0.0 255.255.0.0
This command permits redistribution of all 207.92.x.x IP static routes.
Syntax: [no] permit redistribute <filter-num> static address <ip-addr> <ip-mask> [match-metric <value> | set-metric <value>]
The <filter-num> specifies the redistribution filter ID. Specify a number from 1 – 64. The software uses the filters in ascending numerical order. Thus, if filter 1 denies a route from being redistributed, the software does not redistribute that route even if a filter with a higher ID permits redistribution of the route.
The address <ip-addr> <ip-mask> parameters apply redistribution to the specified network and sub-net address. Use 0 to specify “any”. For example, “207.92.0.0 255.255.0.0“ means “any 207.92.x.x sub-net”. However, to specify any sub-net (all sub-nets match the filter), enter “address 255.255.255.255 255.255.255.255”.
The match-metric <value> parameter applies redistribution to those routes with a specific metric value; possible values are from 1 – 15.
The set-metric <value> parameter sets the RIP metric value that will be applied to the routes imported into RIP.
NOTE: The set-metric parameter does not apply to static routes.
Possible values: See above
Default value: All routes are permitted to be redistributed
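The deny redistribute and permit redistribute entries above describe one filter list: up to 64 filters, applied in ascending ID order, first match decides, default permit, with 255.255.255.255 255.255.255.255 meaning every route and match-metric restricting a filter to routes with one metric. As an added example that is not ServerIron code, the following Python models that evaluation for static routes and reproduces the deny-all-last pattern from the NOTE. The class and method names are illustrative; set-metric is omitted because the reference says it does not apply to static routes.

```python
# Added example, not ServerIron code: a model of RIP redistribution filters
# as described for deny redistribute and permit redistribute.
import ipaddress

ANY_ROUTE = 0xFFFFFFFF  # "address 255.255.255.255 255.255.255.255" matches every route


class RedistributionFilters:
    MAX_FILTERS = 64

    def __init__(self):
        self.filters = {}  # filter id -> (action, address, mask, match_metric)

    def add(self, action, filter_num, address, mask, match_metric=None):
        """<action> redistribute <filter-num> static address <ip-addr> <ip-mask> [match-metric <value>]"""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if not 1 <= filter_num <= self.MAX_FILTERS:
            raise ValueError("filter ID must be 1-64")
        if match_metric is not None and not 1 <= match_metric <= 15:
            raise ValueError("match-metric must be 1-15")
        self.filters[filter_num] = (action,
                                    int(ipaddress.IPv4Address(address)),
                                    int(ipaddress.IPv4Address(mask)),
                                    match_metric)

    @staticmethod
    def _address_matches(route_net, f_addr, f_mask):
        if f_addr == ANY_ROUTE and f_mask == ANY_ROUTE:
            return True
        # 0 bits in the filter mask mean "any"; the route must fall inside the filter's network.
        return (route_net & f_mask) == (f_addr & f_mask)

    def decide(self, route_cidr, metric):
        """Return "permit" or "deny" for a static route. Filters apply in ascending ID
        order and the first matching filter decides; the default action is permit."""
        route_net = int(ipaddress.ip_network(route_cidr, strict=False).network_address)
        for fid in sorted(self.filters):
            action, f_addr, f_mask, match_metric = self.filters[fid]
            if match_metric is not None and metric != match_metric:
                continue
            if self._address_matches(route_net, f_addr, f_mask):
                return action
        return "permit"
```

Without the deny-all filter at ID 64, a route that matches no filter is still redistributed, which is the behaviour the NOTE warns about; the decide() default branch shows why the reference recommends the deny-all filter as the last one.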
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-rip-router)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
redistribution
Enables redistribution of routes into RIP.
NOTE: When you enable redistribution, all routes are redistributed by default. To control redistribution, configure redistribution filters first, then enable redistribution. See “deny redistribute” on page 20-1 and “permit redistribute” on page 20-2.
EXAMPLE:
To enable RIP redistribution, enter the following command:
ServerIron(config-rip-router)# redistribution
Syntax: [no] redistribution
Possible values: N/A
Default value: Disabled
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
show…
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-rip-router)# write memory
Syntax: write memory
Possible values: N/A
Default value: N/A
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-rip-router)# write terminal
Syntax: write terminal
Possible values: N/A
Default value: N/A
Chapter 21 Show Commands
The following commands are found at all levels of the CLI for the ServerIron, except where noted. For simplicity, they are summarized in this section as well as in the individual sections.
show aaa
Displays information about all TACACS+ and RADIUS servers identified on the device. Note that the output includes the TACACS+ and RADIUS shared keys in clear text, so restrict who can run this command and treat captured console logs that contain it as sensitive.
EXAMPLE:
ServerIron# show aaa
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49:
  opens=6 closes=3 timeouts=3 errors=0
  packets in=4 packets out=4
  no connection

Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.90 Auth Port=1645 Acct Port=1646:
  opens=2 closes=1 timeouts=1 errors=0
  packets in=1 packets out=4
  no connection
Syntax: show aaa
Possible values: N/A
Default value: N/A
show arp
Displays the ARP cache of the ServerIron. For switches, the show arp command will not display the 'type' column, but will display a VLAN ID column.
EXAMPLE:
ServerIron(config)# show arp
IP               Mac             Type     Port  Age  VlanId
10.10.10.10      00d0.0958.9b07  Static   9     0    1
192.168.2.14     0050.04bb.81fa  Static   15    0    1
192.168.2.1      00e0.5205.9056  Static   15    0    1
192.168.2.157    00e0.2972.2ab5  Dynamic  15    0    1
192.168.2.15     0010.5ad1.3701  Dynamic  15    0    1
192.168.2.77     00e0.5202.de72  Dynamic  15    0    1
Total Arp Entries : 6
Syntax: show arp [<ip-addr> [<ip-mask>] | ethernet <portnum> mac-address <xxxx.xxxx.xxxx> [<mask>]]
The <ip-addr> and <ip-mask> parameters let you restrict the display to entries for a specific IP address or network. Specify the IP address mask in standard decimal mask format (for example, 255.255.0.0).
The ethernet <portnum> parameter lets you restrict the display to entries for a specific port.
The mac-address <xxxx.xxxx.xxxx> parameter lets you restrict the display to entries for a specific MAC address. The optional <mask> parameter turns this into a filter for multiple MAC addresses that have specific values in common. Specify the MAC address mask as “f”s and “0”s, where “f”s are significant bits.
NOTE: The <ip-mask> parameter and <mask> parameter perform different operations. The <ip-mask> parameter specifies the network mask for a specific IP address, whereas the <mask> parameter selects which parts of the MAC address must match.
Here are some examples.
The following command displays all ARP entries for MAC addresses that begin with “abcd”:
ServerIron# show arp mac-address abcd.0000.0000 ffff.0000.0000
The following command displays all IP address entries for IP addresses that begin with "209.157":
ServerIron# show arp 209.157.0.0 255.255.0.0
Possible values: See above
Default value: N/A
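As an added example that is not ServerIron code, the following Python applies the show arp filters described above to a constructed ARP table containing the six entries from the display. The IP filter uses a standard decimal network mask, while the MAC filter compares only the nibbles where the mask has an “f”, which is the distinction the NOTE draws between <ip-mask> and <mask>. The function names and the sample table are assumptions for illustration.

```python
# Added example, not ServerIron code: filtering ARP entries the way show arp does,
# with an IP network mask or a MAC nibble mask made of "f"s and "0"s.
import ipaddress
from typing import NamedTuple


class ArpEntry(NamedTuple):
    ip: str
    mac: str   # xxxx.xxxx.xxxx
    type: str
    port: int
    age: int
    vlan: int


# Constructed sample table copying the six rows of the show arp display above.
SAMPLE_ARP = [
    ArpEntry("10.10.10.10", "00d0.0958.9b07", "Static", 9, 0, 1),
    ArpEntry("192.168.2.14", "0050.04bb.81fa", "Static", 15, 0, 1),
    ArpEntry("192.168.2.1", "00e0.5205.9056", "Static", 15, 0, 1),
    ArpEntry("192.168.2.157", "00e0.2972.2ab5", "Dynamic", 15, 0, 1),
    ArpEntry("192.168.2.15", "0010.5ad1.3701", "Dynamic", 15, 0, 1),
    ArpEntry("192.168.2.77", "00e0.5202.de72", "Dynamic", 15, 0, 1),
]


def _mac_nibbles(mac):
    """Validate xxxx.xxxx.xxxx and return its 12 hex nibbles as a lowercase string."""
    digits = mac.replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC {mac!r}; expected xxxx.xxxx.xxxx")
    return digits


def mac_matches(mac, pattern, mask="ffff.ffff.ffff"):
    """Compare only the nibbles whose mask nibble is "f"; "0" nibbles are ignored."""
    m, p, k = _mac_nibbles(mac), _mac_nibbles(pattern), _mac_nibbles(mask)
    if any(c not in "f0" for c in k):
        raise ValueError("MAC mask must consist of f and 0 nibbles")
    return all(mn == pn for mn, pn, kn in zip(m, p, k) if kn == "f")


def show_arp(entries, ip=None, ip_mask="255.255.255.255", port=None,
             mac=None, mac_mask="ffff.ffff.ffff"):
    """Return the entries that pass the given show arp filters."""
    if ip is not None:
        wanted = ipaddress.ip_network(f"{ip}/{ip_mask}", strict=False)
    out = []
    for e in entries:
        if ip is not None and ipaddress.ip_address(e.ip) not in wanted:
            continue
        if port is not None and e.port != port:
            continue
        if mac is not None and not mac_matches(e.mac, mac, mac_mask):
            continue
        out.append(e)
    return out
```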
show cache-group
Displays configuration information for the TCS cache groups.
EXAMPLE:
ServerIron# show cache-group 1
Cache-group 1 has 1 members Admin-status = Enabled Active = 0
Hash_info: Dest_mask = 255.255.255.0 Src_mask = 0.0.0.0

Cache Server Name   Admin-status   Hash-distribution

HTTP Traffic From <-> to Web-Caches
Name: aa IP: 1.2.3.4 State: 1 Groups = 1
Syntax: show cache-group [<cache-group-number> | <cache-server-name>]
Possible values: Valid cache group number or cache server name.
Default value: N/A
show chassis
Displays the presence and status of power supplies and fans in the chassis.
EXAMPLE:
ServerIron# show chassis
power supply 1 ok
power supply 2 not present
fan 1 ok
fan 2 ok
Syntax: show chassis
Possible values: N/A
Default value: N/A
show clock
Displays the current settings for the on-board time counter and Simple Network Time Protocol (SNTP) clock, if configured.
EXAMPLE:
ServerIron# show clock
Syntax: show clock [detail]
Possible values: N/A
Default value: N/A
show configuration
Lists the operating configuration of a ServerIron. This command allows you to check configuration changes before saving them to flash.
EXAMPLE:
ServerIron# show configuration
Syntax: show configuration
Possible values: N/A
Default value: N/A
show default
Displays the defaults for system parameters.
If you specify "default" but not the optional "values", the default states for parameters that can either be enabled or disabled are displayed. If you also specify "values", the default values for parameters that take a numeric value are displayed.
EXAMPLE:
ServerIron# show default
snmp ro community public      spanning tree enabled      fast port span enabled
auto sense port speed         port untagged              port flow control on
no username assigned          no password assigned       boot sys flash primary
system traps enabled          sntp disabled              radius disabled
ip multicast disabled
EXAMPLE:
ServerIron# show default values
sys log buffers:50    mac age time:300 sec    mac entries:8K
telnet sessions:5

System Parameters    Default   Maximum   Current
l4-real-server       1024      2048      1024
l4-virtual-server    256       512       256
l4-server-port       2048      4096      2048
Note that the factory defaults shown here include an SNMP read-only community of public and no username or password; change these before the device is reachable from a production management network.
Syntax: show default [values]
Possible values: N/A
Default value: N/A
show flash
Displays the version of the software image saved in the primary and secondary flash of a ServerIron.
EXAMPLE:
ServerIron# show flash
Syntax: show flash
Possible values: N/A
Default value: N/A
show fw-group
Displays configuration information, state information, and traffic statistics for the firewall group. See the Foundry ServerIron Firewall Load Balancing Guide for information about the fields in this display.
EXAMPLE:
ServerIron(config)# show fw-group
Firewall-group 2 has 2 members Admin-status = Enabled
Hash_info: Dest_mask = 255.255.255.255 Src_mask = 255.255.255.255

Firewall Server Name   Admin-st   Hash-distribution
fw1                    1          0
fw2                    6          0

Traffic From<->to Firewall Servers
=====================================
Name: fw1 IP: 10.10.0.1 State: 1 Groups = 2
                                     Host->Firewall     Firewall->Host
          State    CurConn  TotConn  Packets  Octets    Packets  Octets
Firewall  active   0        0        0        0         0        0
Total              0        0        0        0         0        0

Name: fw2 IP: 10.10.0.2 State: 6 Groups = 2
                                     Host->Firewall     Firewall->Host
          State    CurConn  TotConn  Packets  Octets    Packets  Octets
Firewall  active   0        0        0        0         0        0
Total              0        0        0        0         0        0
Syntax: show fw-group
Possible values: N/A
Default value: N/A
show fw-hash
Displays the firewall that the hashing algorithm selected for a given pair of source and destination addresses.
EXAMPLE:
ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2
fw3
In this example, the command output indicates that the FWLB hashing algorithm selected firewall "fw3" for traffic to IP address 1.1.1.1 from IP address 2.2.2.2.
Syntax: show fw-hash <dst-ip-addr> <src-ip-addr> <fwall-group-id> [<protocol> <dst-tcp/udp-port> <src-tcp/udp-port>]
The <dst-ip-addr> parameter specifies the destination IP address.
The <src-ip-addr> parameter specifies the source IP address.
The <fwall-group-id> parameter specifies the FWLB group ID. Normally, the FWLB group ID is 2.
The <protocol> parameter specifies the protocol number for TCP or UDP. You can specify one of the following:
• 6 – TCP
• 17 – UDP
The <dst-tcp/udp-port> specifies the destination TCP or UDP application port number.
The <src-tcp/udp-port> specifies the source TCP or UDP application port number.
If you configured the ServerIron to hash based on source and destination TCP or UDP application ports as well as IP addresses, the ServerIron might select more than one firewall for the same pair of source and destination IP addresses, when the traffic uses different pairs of source and destination application ports. Use the optional parameters to ensure that the command’s output distinguishes among the selected firewalls based on the application ports. Here is an example:
ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2 6 80 8080
fw2
ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2 6 80 9000
fw3
Possible values: See above
Default value: N/A
show gslb cache
Displays RTT prefix cache entries.
The GSLB ServerIron maintains a cache of RTT information received from the site ServerIrons through the GSLB protocol. You can display the RTT information the GSLB ServerIron has related to a client IP address.
EXAMPLE:
ServerIron(config)# show gslb cache 209.156.100.100
prefix length = 20, prefix = 209.157.0.0, region = N-AM
prefix source = client query
foundrynet.com:
  site = sunnyvale, SI = slb-1(209.157.22.209), rtt = 5 (x100 usec)
  site = atlanta, SI = slb-1(192.108.22.112), rtt = 10 (x100 usec)
The command in this example shows the RTT prefix information the GSLB ServerIron has related to client IP address 209.156.100.100. In this case, the GSLB ServerIron has two RTT entries (one per site) for zone foundrynet.com.
Syntax: show gslb cache <ip-addr>
The <ip-addr> parameter specifies the client IP address whose prefix cache entry you want to display.
Here is another example. In this example, a statically generated entry that the GSLB ServerIron created is displayed. The statically generated entries have an 8-bit prefix, whereas the prefix for dynamic entries is 20 bits long by default.
ServerIron(config)# show gslb cache 61.1.1.1
prefix length = 8, prefix = 60.0.0.0, region = ASIA
prefix source = geographic
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show gslb default
Displays the default GSLB policy parameters.
EXAMPLE:
To display the default GSLB policy, enter the following command:
ServerIron(config)# show gslb default
Default metric order: ENABLE
Metric processing order:
  1-Server health check
  2-Remote SI's session capacity threshold
  3-Round trip time between remote SI and client
  4-Geographic location
  5-Remote SI's available session capacity
  6-Server flashback speed
  7-Least response selection
DNS active-only: DISABLE, Modify DNS response TTL: ENABLE
DNS TTL: 10 (sec), DNS check interval: 30 (sec)
Session capacity threshold: 90%, session capacity tolerance: 10%
Round trip time tolerance: 10%, round trip time explore percentage: 5%
Round trip time cache prefix: 20, round trip time cache interval: 120 (sec)
Flashback appl-level delay tolerance: 10%, TCP-level delay tolerance: 10%
Syntax: show gslb default
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show gslb dns detail
Displays all the information displayed by the show gslb dns zone command plus information about the site and the ServerIron on which a VIP is configured.
This command is especially useful for sites that are configured for Symmetric Server Load Balancing. For information about this load balancing feature, see the "Configuring Symmetric SLB and SwitchBack" chapter of the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
ServerIron(config)# show gslb dns detail
ZONE: foundrynet.com
HOST: www:
                                               Flashback   DNS resp.
                                               delay       selection
                                               (x100us)    percentage
                                               TCP   APP   (%)
* 209.157.22.227: dns v-ip     ACTIVE  N-AM.   6     60    40
  site: sunnyvale, SI: slb-1 (209.157.22.209)
  session util: 0%, avail. sessions: 524287
  preference: 128
21 - 6 February 2002
Show Commands
* 209.157.22.228: dns v-ip     ACTIVE  N-AM.   3     30    60
  site: atlanta, SI: slb-1 (192.108.22.111)
  session util: 10%, avail. sessions: 414269
  preference: 128
* 210.224.100.5:  dns real-ip  DOWN    ASIA    --    --    0
* 201.100.100.6:  dns real-ip  DOWN    S-AM.   --    --    0
* 213.34.100.4:   dns real-ip  DOWN    EUROPE  --    --    0
HOST: ftp:
                                               Flashback   DNS resp.
                                               delay       selection
                                               (x100us)    percentage
                                               TCP   APP   (%)
* 209.157.22.103: dns v-ip     ACTIVE  N-AM.   6     60    40
  site: sunnyvale, SI: slb-2 (209.157.22.210)
  session util: 7%, avail. sessions: 414287
  preference: 128
* 209.157.22.104: dns v-ip     ACTIVE  N-AM.   3     30    60
  site: atlanta, SI: slb-2 (192.108.22.112)
  session util: 14%, avail. sessions: 324269
  preference: 128
* 210.224.100.7:  dns real-ip  DOWN    ASIA    --    --    0
* 201.100.100.8:  dns real-ip  DOWN    S-AM.   --    --    0
* 213.34.100.9:   dns real-ip  DOWN    EUROPE  --    --    0
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Syntax: show gslb dns detail
Possible values: N/A
Default value: N/A
show gslb dns zone
Displays information about all the DNS zones and host applications configured on the GSLB ServerIron.
EXAMPLE:
ServerIron(config)# show gslb dns zone
ZONE: foundrynet.com
HOST: www:
                                               Flashback   DNS resp.
                                               delay       selection
                                               (x100us)    percentage
                                               TCP   APP   (%)
  209.157.22.100: dns v-ip     ACTIVE  N-AM.   6     60    40
  209.157.22.101: dns v-ip     ACTIVE  N-AM.   3     30    60
  210.224.100.5:  dns real-ip  DOWN    ASIA    --    --    0
  201.100.100.6:  dns real-ip  DOWN    S-AM.   --    --    0
  213.34.100.4:   dns real-ip  DOWN    EUROPE  --    --    0
HOST: ftp:
                                               Flashback   DNS resp.
                                               delay       selection
                                               (x100us)    percentage
                                               TCP   APP   (%)
  209.157.22.103: dns v-ip     ACTIVE  N-AM.   6     60    40
  209.157.22.104: dns v-ip     ACTIVE  N-AM.   3     30    60
  210.224.100.7:  dns real-ip  DOWN    ASIA    --    --    0
  201.100.100.8:  dns real-ip  DOWN    S-AM.   --    --    0
  213.34.100.9:   dns real-ip  DOWN    EUROPE  --    --    0
Syntax: show gslb dns zone [<name>]
The <name> parameter specifies the zone name.
To display GSLB information for a specific DNS zone, enter a command such as the following:
ServerIron(config)# show gslb dns zone foundrynet.com
The information is the same as the information displayed when you do not specify a zone name, except the ZONE field is unneeded and thus does not appear.
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show gslb global-stat
Displays statistics for transparent DNS query intercept and for DNS cache proxy.
EXAMPLE:
To display the statistics, enter the following command at any level of the CLI:
ServerIron(config)# show gslb global-stat
DNS cache proxy stat:
Direct response = 10
DNS query intercept stat:
Redirect = 10
Direct response = 0
Syntax: show gslb global-stat
The Direct response field, under “DNS cache proxy stat”, lists how many DNS queries the GSLB ServerIron has responded to using the DNS cache proxy feature instead of forwarding the queries to the DNS. In this example, the GSLB ServerIron has responded directly to client queries ten times with the best site address among those cached on the ServerIron itself, instead of forwarding the request to the DNS.
The Redirect field shows the number of queries the ServerIron has redirected to an alternative (proxy) DNS or another ServerIron.
The Direct response field shows the number of queries to which the ServerIron has directly responded using a transparent DNS query intercept IP address configured on the ServerIron itself.
Possible values: N/A
Default value: N/A
show gslb policy
Displays the current GSLB policy parameter settings.
NOTE: If you have changed any of the settings from their default values, you can use this command along with the show gslb default command to identify the settings you have changed. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
To display the user-configured GSLB policy, enter the following command:
ServerIron(config)# show gslb policy
Default metric order: DISABLE
Metric processing order:
1-Round trip time between remote SI and client
2-Remote SI's session capacity threshold
3-Remote SI's available session capacity
4-Server flashback speed
5-Remote SI's preference value
6-Least response selection
DNS active-only: DISABLE  DNS best-only: DISABLE  DNS override: DISABLE
Modify DNS response TTL: ENABLE
DNS TTL: 10 (sec), DNS check interval: 30 (sec)
Remote SI status update period: 30 (sec)
Session capacity threshold: 90%, session capacity tolerance: 10%
Round trip time tolerance: 10%, round trip time explore percentage: 5%
Round trip time cache prefix: 20, round trip time cache interval: 120 (sec)
Flashback appl-level delay tolerance: 10%, TCP-level delay tolerance: 10%
Syntax: show gslb policy
In this example, the default order of the policy metrics is in effect. In the following example, the order has been changed and two of the metrics have been disabled.
ServerIron(config)# show gslb policy
Default metric order: DISABLE
Metric processing order:
1-Round trip time between remote SI and client
2-Remote SI's session capacity threshold
3-Remote SI's available session capacity
4-Server flashback speed
5-Least response selection
DNS active-only: DISABLE, Modify DNS response TTL: ENABLE
DNS TTL: 10 (sec), DNS check interval: 30 (sec)
Session capacity threshold: 90%, session capacity tolerance: 10%
Round trip time tolerance: 10%, round trip time explore percentage: 5%
Round trip time cache prefix: 20, round trip time cache interval: 120 (sec)
Flashback appl-level delay tolerance: 10%, TCP-level delay tolerance: 10%
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show gslb resources
Displays the current GSLB resource utilization and the ServerIron capacity for each GSLB resource.
For GSLB parameters, you can display the number of currently configured items and the maximum number of items you can configure on the ServerIron.
EXAMPLE:
To display GSLB resource information, enter the following command at any level of the CLI:
ServerIron(config)# show gslb resources
GSLB resource usage:
                     Current   Maximum
sites                      1       100
SIs                        2       200
SIs' VIPs                  2      2000
dns zones                  2       200
dns hosts                  2       400
health-checks app.         2       600
dns IP addrs.              5      2000
affinities                 0        50
static prefixes            4       250
prefix cache             104      5050
RTT entries                1     10000
The values in the Current column indicate how many of each GSLB configuration or data item are currently on the GSLB ServerIron. The values in the Maximum column list the maximum number of each item the GSLB ServerIron can hold.
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show gslb site
Displays information for all the configured sites.
EXAMPLE:
ServerIron(config)# show gslb site
SITE: sunnyvale
SI: slb-1 209.157.22.209: state: CONNECTION ESTABLISHED
      Current num.  Session  CPU load  Preference  Location
      sessions      util(%)  (%)
      500000        50       35        128         N-AM
Virtual IPs: 209.157.22.227(A) 209.157.22.103(A)
SI: slb-2 209.157.22.210: state: CONNECTION ESTABLISHED
      Current num.  Session  CPU load  Preference  Location
      sessions      util(%)  (%)
      1             0        16        128         N-AM
Virtual IPs: 209.157.22.227(S)
SITE: atlanta
SI: slb-1 192.108.22.111: state: CONNECTION ESTABLISHED
      Current num.  Session  CPU load  Preference  Location
      sessions      util(%)  (%)
      750000        75       41        128         N-AM
Virtual IPs: 209.157.22.227(A) 209.157.22.104(A)
SI: slb-1 192.108.22.111: state: CONNECTION ESTABLISHED
      Current num.  Session  CPU load  Preference  Location
      sessions      util(%)  (%)
      1             0        16        128         N-AM
Virtual IPs: 209.157.22.227(S)
Syntax: show gslb site [<name>]
The <name> parameter specifies a site name.
To display information about the GSLB site called “sunnyvale” and the ServerIrons providing SLB within that site, enter the following command:
ServerIron(config)# show gslb site sunnyvale
SITE: sunnyvale
SI: slb-1 209.157.22.209: state: CONNECTION ESTABLISHED
      Current num.  Session  CPU load  Location
      sessions      util(%)  (%)
      500000        50       35        N-AM
Virtual IPs: 209.157.22.227(A)
SI: slb-2 209.157.22.210: state: CONNECTION ESTABLISHED
      Current num.  Session  CPU load  Location
      sessions      util(%)  (%)
      1             0        16        N-AM
Virtual IPs: 209.157.22.227(B)
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show healthck
Displays a list of the configured health-check policies and their current status. For information about the fields in this display, see one of the following:
• ServerIronXL – the "Configuring Boolean Health-Check Policies (ServerIronXL)" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.
• ServerIron 400 and ServerIron 800 – the "Configuring Boolean Health-Check Policies (ServerIron 400 and ServerIron 800)" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
Here is an example for the ServerIronXL.
ServerIron(config)# show healthck
Total nodes: 4; Max nodes: 128
Name       Value   Type
---------------------------------------------
Rtr1-ck1   N/B     icmp 10.168.2.46
Rtr1-ck2   N/B     icmp 10.168.2.47
Router1    N/B     or   Rtr1-ck1 Rtr1-ck2
Rtr2-ck1   TRUE    icmp 10.168.2.56
Rtr2-ck2   TRUE    icmp 10.168.2.57
Router2    TRUE    and  Rtr2-ck1 Rtr2-ck2
Rtr3-ck1   FALSE   icmp 10.168.2.66
Rtr3-ck2   TRUE    icmp 10.168.2.67
Router3    FALSE   and  Rtr3-ck1 Rtr3-ck2
EXAMPLE:
Here is an example for the ServerIron 400 or ServerIron 800.
ServerIron(config-hc-check1)# show healthck
Total nodes: 6; Max nodes: 128
Name      Value  Enable  Type  Dest-IP      Port  Proto  Layer
--------------------------------------------------------------------------------
check1    TRUE   YES     tcp   10.10.10.50  http  http   l4-chk
check2    TRUE   YES     tcp   10.10.10.40  http  http   l7-chk
check3    TRUE   NO      udp   10.10.10.30  http  http   l4-chk
check4    TRUE   NO      udp   10.10.10.40  http  http   l4-chk
check5    N/A    NO      udp   -            dns   dns    l4-chk
httpsrvr  TRUE   YES     and   check1 check2
nested1   N/A    na      and   check1 check2
nested2   N/A    na      or    check3 check4
Syntax: show healthck
Possible values: N/A
Default value: N/A
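The following Python script is an added example; it is not part of this manual or of the ServerIron software. It parses the ServerIronXL display shown above and recomputes each compound (and/or) policy from its member checks, so that the Value column reported by the device can be cross-checked, and it refuses to evaluate a policy that refers back to itself. The three-valued rules for combining TRUE, FALSE and N/B (no result yet) are an assumption chosen to reproduce the values in the display; the manual does not spell them out.

```python
# Constructed copy of the ServerIronXL "show healthck" display shown above.
# The Value column is what the device reported; evaluate() recomputes it.
HEALTHCK_XL = """\
ServerIron(config)# show healthck
Total nodes: 4; Max nodes: 128
Name       Value   Type
---------------------------------------------
Rtr1-ck1   N/B     icmp 10.168.2.46
Rtr1-ck2   N/B     icmp 10.168.2.47
Router1    N/B     or   Rtr1-ck1 Rtr1-ck2
Rtr2-ck1   TRUE    icmp 10.168.2.56
Rtr2-ck2   TRUE    icmp 10.168.2.57
Router2    TRUE    and  Rtr2-ck1 Rtr2-ck2
Rtr3-ck1   FALSE   icmp 10.168.2.66
Rtr3-ck2   TRUE    icmp 10.168.2.67
Router3    FALSE   and  Rtr3-ck1 Rtr3-ck2
"""

VALUES = ("TRUE", "FALSE", "N/B")


def parse_healthck(text):
    """Map each policy name to (reported value, type, arguments).

    The prompt, the 'Total nodes' line, the column header and the separator
    are skipped because their second field is not a health-check value.
    """
    nodes = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[1] in VALUES:
            nodes[parts[0]] = (parts[1], parts[2], parts[3:])
    return nodes


def evaluate(name, nodes, _path=()):
    """Three-valued evaluation of a policy: 'TRUE', 'FALSE' or 'N/B'.

    Assumed semantics (the manual shows results but not the rules): a leaf
    check keeps the value the device reported; 'and' is FALSE if any member
    is FALSE, otherwise N/B if any member has no result yet, otherwise TRUE;
    'or' is TRUE if any member is TRUE, otherwise N/B if any member has no
    result yet, otherwise FALSE. A policy not in the table counts as N/B.
    """
    if name in _path:
        raise ValueError("policy cycle: " + " -> ".join(_path + (name,)))
    if name not in nodes:
        return "N/B"
    value, ntype, args = nodes[name]
    if ntype not in ("and", "or"):
        return value
    members = [evaluate(a, nodes, _path + (name,)) for a in args]
    if ntype == "and":
        if "FALSE" in members:
            return "FALSE"
        return "N/B" if "N/B" in members else "TRUE"
    if "TRUE" in members:
        return "TRUE"
    return "N/B" if "N/B" in members else "FALSE"


def check_consistency(nodes):
    """Pair the recomputed value of every compound policy with the device's value."""
    return {name: (evaluate(name, nodes), reported)
            for name, (reported, ntype, _) in nodes.items()
            if ntype in ("and", "or")}


if __name__ == "__main__":
    table = parse_healthck(HEALTHCK_XL)
    for name, (computed, reported) in check_consistency(table).items():
        flag = "" if computed == reported else "   <-- mismatch"
        print(f"{name:10} computed={computed:6} reported={reported}{flag}")
```

A mismatch between the computed and reported columns is worth a closer look: either the display was captured while a member check was changing state, or a policy references a check that is not the one the operator intended.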
show healthck statistics
Displays health-check policy statistics. For information about the fields in this display, see the "Displaying Health-Check Policy Information" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
ServerIron(config)# show healthck statistics
Ping Statistics:
Sent: 1524            Received: 1524
Invalid Replies: 0    Dropped Replies: 0
Syntax: show healthck statistics
Possible values: N/A
Default value: N/A
show http match-list
Displays information about HTTP content verification matching lists. For information about this health-check feature, see the "Configuring Port and Health Check Parameters" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
ServerIron# show http match-list
http match-list m1
 down simple "404"
 down simple "File Not Found"
http match-list m4 default down
 up compound "monkey see" "monkey do" log
 down compound "500" "Internal Server Error" log
 down compound "503" "Service Unavailable" log
Syntax: show http match-list
Possible values: N/A
Default value: N/A
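The following Python script is an added example, not code from this manual or from the ServerIron; it parses the match-list display shown above and applies the lists to sample HTTP responses the way a content-verification health check would. The evaluation semantics are assumptions, since the manual only shows the display: rules are tried in display order, a simple rule matches when its string appears in the response, a compound rule only when both strings appear, the first match decides the server state, and when nothing matches the list's default applies (a list without a default is assumed to leave the server up).

```python
import re
from typing import List, Optional

# Constructed copy of the "show http match-list" display shown above.
MATCH_LIST_DISPLAY = """\
http match-list m1
 down simple "404"
 down simple "File Not Found"
http match-list m4 default down
 up compound "monkey see" "monkey do" log
 down compound "500" "Internal Server Error" log
 down compound "503" "Service Unavailable" log
"""


class Rule:
    def __init__(self, state: str, kind: str, patterns: List[str], log: bool):
        self.state = state          # "up" or "down": server state when the rule matches
        self.kind = kind            # "simple" (one string) or "compound" (two strings)
        self.patterns = patterns    # strings that must appear in the response
        self.log = log              # trailing "log" keyword present on the rule


class MatchList:
    def __init__(self, name: str, default: Optional[str]):
        self.name = name
        self.default = default      # state used when no rule matches, if configured
        self.rules: List[Rule] = []


def parse_match_lists(text):
    """Parse the display into {list name: MatchList}."""
    lists, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("http match-list "):
            parts = line.split()
            default = parts[4] if len(parts) >= 5 and parts[3] == "default" else None
            current = lists[parts[2]] = MatchList(parts[2], default)
        elif current is not None:
            parts = line.split()
            patterns = re.findall(r'"([^"]*)"', line)
            current.rules.append(Rule(parts[0], parts[1], patterns, parts[-1] == "log"))
    return lists


def evaluate_response(mlist, response):
    """Return (state, matching rule or None) for one HTTP response.

    Assumed semantics (see the lead-in): first matching rule in display order
    wins; otherwise the list default, and "up" if the list has no default.
    """
    for rule in mlist.rules:
        if all(p in response for p in rule.patterns):
            return rule.state, rule
    return (mlist.default or "up"), None


if __name__ == "__main__":
    lists = parse_match_lists(MATCH_LIST_DISPLAY)
    # Constructed sample responses; the bodies are made up for illustration.
    samples = [
        ("m1", "HTTP/1.1 404 Not Found\r\n\r\nFile Not Found"),
        ("m1", "HTTP/1.1 200 OK\r\n\r\n<html>hello</html>"),
        ("m4", "HTTP/1.1 200 OK\r\n\r\nmonkey see, monkey do"),
        ("m4", "HTTP/1.1 200 OK\r\n\r\nmonkey see only"),
        ("m4", "HTTP/1.1 500 Internal Server Error\r\n\r\n"),
    ]
    for name, body in samples:
        state, rule = evaluate_response(lists[name], body)
        why = " ".join(f'"{p}"' for p in rule.patterns) if rule else "default"
        print(f"{name}: {state:4}  ({why})  <- {body.splitlines()[0]}")
```

The m4 list illustrates the safer shape for a content check: with `default down`, a response that contains neither the expected text nor a recognised error string still takes the server out of rotation, instead of being treated as healthy by omission.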
show interfaces
Displays all port interfaces of the ServerIron and their state, duplex mode, STP state, priority and MAC address.
EXAMPLE:
ServerIron# show interfaces e 1
FastEthernet1 is down
  Hardware is FastEthernet, address is 00e0.5202.8bc6 (bia 00e0.5202.8bc6)
  Configured speed auto, actual unknown, configured duplex fdx, actual unknown
  Member of L2 VLAN ID 1, port is untagged, port state is BLOCKING
  STP configured to ON, priority is high, flow control enabled
  mirror disabled, monitor disabled
  Not member of any active trunks
  Member of configured trunk ports 1-3, primary port
  No port name
  5 minute input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
  5 minute output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 ignored
  0 multicast
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions
Syntax: show interfaces [ethernet <portnum>]
Possible values: Valid port number
Default value: N/A
show ip
Displays IP configuration information.
EXAMPLE:
ServerIron(config)# show ip
Disabled : IP_Forwarding
Disabled : RIP RIP-Redist
Switch IP address: 192.168.2.100
Subnet mask: 255.255.255.0
Default router address: 192.168.2.1 TFTP server address: None
Configuration filename: None Image filename: None
For information about the fields in this display, see the "Displaying the IP Forwarding State" section in the "Configuring IP Forwarding" chapter of the Foundry ServerIron Installation and Configuration Guide.
Syntax: show ip
Possible values: N/A
Default value: N/A
show ip cache
Displays the IP host table showing indexes to MAC addresses and the IP address of the next hop for ServerIrons configured to operate in a multinetted environment.
EXAMPLE:
ServerIron#[ 1] sh ip cache
   IP              Mac             Port  Age  VlanId  Cam  CamF  Hw  FCnt
   209.157.20.1    0000.0000.0000  6     0    3144    0    0     0   0
Syntax: show ip cache [<ip-addr> [<ip-addr>]]
Possible values: N/A
Default value: N/A
show ip client-public-key
Displays the currently loaded public keys.
EXAMPLE:
ServerIron# show ip client-public-key
1024 65537 162566050678380006149460550286514061230306797782065166110686648548574949573392322599631573796819248476346145327421786527672319957469414416047146826800064453679033330420291249056907718288654183965655676902543288147725297813592782167540629478392662275128774861815448523997023618173312328476660721888873946758201 user@csp_client
1024 35 152676199889856769693556155614587291553826312328095300428421494164360924762074755452346792684432337622953129794188335259756957757051018052125410080748772658611985742270289700411216885214507408796984064240845174271455859236169370590874837875599405503479603024287131312793895007927438074972787423695977635251943 root@unix_machine
There are 2 authorized client public keys configured
Syntax: show ip client-public-key
Possible values: N/A
Default value: N/A
show ip filter-cache
Displays all active IP filter definitions for a Foundry switch operating with Layer 3 switching.
EXAMPLE:
ServerIron# show ip filter-cache
Syntax: show ip filter-cache [<ip-addr>]
Possible values: N/A
Default value: N/A
show ip interface
Displays information about the IP interfaces configured on virtual routing interfaces.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# show ip interface
Interface  IP-Address      OK?  Method  Status  Protocol
Ve 1       192.168.2.1     YES  manual  up      up
Ve 1       10.10.10.1      YES  manual  up      up
Ve 1       20.20.20.1      YES  manual  up      up
Ve 10      120.120.120.1   YES  manual  down    up
Ve 10      130.130.130.1   YES  manual  down    up
Syntax: show ip interface
Possible values: N/A
Default value: N/A
show ip multicast
Indicates if IP multicast is active on a Foundry switch or not, and notes its operating mode—active or passive.
EXAMPLE:
ServerIron# show ip multicast
Syntax: show ip multicast
Possible values: N/A
Default value: N/A
show ip nat statistics
Displays Network Address Translation (NAT) statistics.
NOTE: On the ServerIron 400 and ServerIron 800, you can enter this command only when logged in to a WSM CPU. The command is not supported on the Main Processor CPU. To log in to a WSM CPU, see the "Logging In to a WSM CPU" section in the "Using the Web Switching Management Module" chapter of the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
To display the NAT statistics, enter the following command at any level of the CLI:
ServerIron(config)# show ip nat statistics
Total translations: 2 (1 static, 1 dynamic)
Hits: 2  Misses: 2
Expired translations: 4
Dynamic mappings:
pool OutAdds: netmask 255.255.255.0
    start 209.157.1.2 end 209.157.1.254
    total addresses 252
Syntax: show ip nat statistics
For information, see the "Configuring Network Address Translation" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show ip nat translation
Displays currently active NAT entries.
NOTE: On the ServerIron 400 and ServerIron 800, you can enter this command only when logged in to a WSM CPU. The command is not supported on the Main Processor CPU. To log in to a WSM CPU, see the "Logging In to a WSM CPU" section in the "Using the Web Switching Management Module" chapter of the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
To display the currently active NAT translations, enter the following command at any level of the CLI:
ServerIron(config)# show ip nat translation
Pro  Inside global   Inside local   Outside local   Outside global
---  209.157.1.69    10.10.10.69    207.195.2.12    207.195.2.12
---  209.157.1.72    10.10.10.2     207.195.4.69    207.195.4.69
Syntax: show ip nat translation
For information, see the "Configuring Network Address Translation" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show ip policy
Displays the configured global and local session policies defined via the ip policy command.
EXAMPLE:
Index  Priority  Protocol  Socket  Type
1      high      tcp       pop3    global
2      high      udp       dns     global
Syntax: show ip policy
Possible values: N/A
Default value: N/A
show ip route
Displays the IP route table.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# show ip route
Total number of IP routes: 9
Start index: 1  D:Connected  S:Static  *:Candidate default
   Destination     NetMask          Gateway          Port  Cost  Type
1  10.10.10.0      255.255.255.0    0.0.0.0          ve1   1     D
2  20.20.20.0      255.255.255.0    0.0.0.0          ve1   1     D
3  50.50.50.0      255.255.255.0    20.20.20.10      ve1   1     S
4  60.60.60.0      255.255.255.0    20.20.20.10      ve1   1     S
5  70.70.70.0      255.255.255.0    120.120.120.10   ve1   1     S
6  120.120.120.0   255.255.255.0    0.0.0.0          ve1   1     D
7  130.130.130.0   255.255.255.0    0.0.0.0          ve1   1     D
8  192.168.2.0     255.255.255.0    0.0.0.0          ve1   1     D
9  0.0.0.0         0.0.0.0          192.168.2.1      ve1   1     S
Possible values: N/A
Default value: N/A
show ip ssh
Displays information about the SSH management sessions in effect on the device. Up to five SSH connections can be active on the Foundry device. For information about this display and about using SSH, see the “Configuring Secure Shell” chapter.
EXAMPLE:
ServerIron#show ip ssh
Connection  Version  Encryption  State  Username
1           1.5      ARCFOUR     0x82   neville
2           1.5      IDEA        0x82   lynval
3           1.5      3DES        0x82   terry
4           1.5      none        0x00
5           1.5      none        0x00
Syntax: show ip ssh
Possible values: N/A
Default value: N/A
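The following Python script is an added example that serves both the show ip client-public-key display earlier in this chapter and the show ip ssh display above; it is not code from this manual or from the ServerIron. It parses the loaded client keys (the "bits exponent modulus comment" lines are the SSH-1 RSA public key format), verifies that each declared key length matches the modulus, computes the key fingerprint in the form OpenSSH uses for SSH-1 (RSA1) keys so that a loaded key can be compared with the administrator's copy, and then reviews the active sessions. The minimum key size, the list of ciphers treated as weak and the flag on SSH-1 protocol versions are audit choices made here, not device settings.

```python
import hashlib
import re

# Constructed copies of the two displays shown in this chapter: the loaded
# client public keys and the active SSH management sessions.
CLIENT_KEYS = """\
1024 65537 162566050678380006149460550286514061230306797782065166110686648548574949573392322599631573796819248476346145327421786527672319957469414416047146826800064453679033330420291249056907718288654183965655676902543288147725297813592782167540629478392662275128774861815448523997023618173312328476660721888873946758201 user@csp_client
1024 35 152676199889856769693556155614587291553826312328095300428421494164360924762074755452346792684432337622953129794188335259756957757051018052125410080748772658611985742270289700411216885214507408796984064240845174271455859236169370590874837875599405503479603024287131312793895007927438074972787423695977635251943 root@unix_machine
There are 2 authorized client public keys configured
"""

SSH_SESSIONS = """\
Connection  Version  Encryption  State  Username
1           1.5      ARCFOUR     0x82   neville
2           1.5      IDEA        0x82   lynval
3           1.5      3DES        0x82   terry
4           1.5      none        0x00
5           1.5      none        0x00
"""

KEY_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
MIN_RSA_BITS = 2048                 # audit policy chosen here (assumption)
WEAK_CIPHERS = {"ARCFOUR", "none"}  # ciphers this audit flags (assumption)


def parse_client_keys(text):
    """Return one dict per 'bits exponent modulus comment' line; other lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append({"bits": int(m[1]), "exponent": int(m[2]),
                         "modulus": int(m[3]), "comment": m[4]})
    return keys


def rsa1_fingerprint(key):
    """MD5 over the big-endian modulus bytes followed by the exponent bytes,
    the construction OpenSSH uses for SSH-1 (RSA1) key fingerprints."""
    n, e = key["modulus"], key["exponent"]
    blob = (n.to_bytes((n.bit_length() + 7) // 8, "big")
            + e.to_bytes((e.bit_length() + 7) // 8, "big"))
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_client_keys(keys):
    findings = []
    for k in keys:
        who, actual = k["comment"], k["modulus"].bit_length()
        if actual != k["bits"]:
            findings.append(f"{who}: declared {k['bits']} bits but modulus has {actual}")
        if k["bits"] < MIN_RSA_BITS:
            findings.append(f"{who}: {k['bits']}-bit RSA key is below {MIN_RSA_BITS} bits")
        if k["exponent"] < 65537:
            findings.append(f"{who}: public exponent {k['exponent']} is smaller than the customary 65537")
    return findings


def parse_ssh_sessions(text):
    """Parse the session table; slots with no username are idle connections."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # column header
        sessions.append({"conn": int(parts[0]), "version": parts[1], "cipher": parts[2],
                         "state": int(parts[3], 16),
                         "user": parts[4] if len(parts) > 4 else None})
    return sessions


def audit_ssh_sessions(sessions):
    findings = []
    for s in sessions:
        if s["user"] is None:
            continue
        tag = f"conn {s['conn']} ({s['user']})"
        if s["version"].startswith("1."):
            findings.append(f"{tag}: SSH protocol {s['version']} (SSH-1 family)")
        if s["cipher"] in WEAK_CIPHERS:
            findings.append(f"{tag}: cipher {s['cipher']}")
    return findings


if __name__ == "__main__":
    keys = parse_client_keys(CLIENT_KEYS)
    for k in keys:
        print(f"{k['bits']:5} {k['comment']:20} {rsa1_fingerprint(k)}")
    for f in audit_client_keys(keys) + audit_ssh_sessions(parse_ssh_sessions(SSH_SESSIONS)):
        print("finding:", f)
```

Comparing the printed fingerprints against the administrator's own record of which client keys were loaded is the quickest way to notice an authorized key that nobody remembers adding.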
show ip static-arp
Displays the static ARP entries.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# show ip static-arp
Static ARP table size: 64, configurable from 64 to 128
Index  IP Address      MAC Address      Port
1      10.10.10.10     00d0.0958.9b07   9
2      192.168.2.1     00e0.5205.9056   15
3      192.168.2.157   00e0.2972.2ab5   15
4      192.168.2.14    0050.04bb.81fa   15
5      192.168.2.15    0010.5ad1.3701   15
The <ip-addr> and <ip-mask> parameters let you restrict the display to entries for a specific IP address and network mask. Specify the IP address masks in standard decimal mask format (for example, 255.255.0.0).
NOTE: The <ip-mask> parameter and <mask> parameter perform different operations. The <ip-mask> parameter specifies the network mask for a specific IP address, whereas the <mask> parameter provides a filter for displaying multiple MAC addresses that have specific values in common.
Specify the MAC address mask as “f”s and “0”s, where “f”s are significant bits. Specify IP address masks in standard decimal mask format (for example, 255.255.0.0).
The ethernet <portnum> parameter lets you restrict the display to entries for a specific port.
The mac-address <xxxx.xxxx.xxxx> parameter lets you restrict the display to entries for a specific MAC address.
The <mask> parameter lets you specify a mask for the mac-address <xxxx.xxxx.xxxx> parameter, to display entries for multiple MAC addresses. Specify the MAC address mask as “f”s and “0”s, where “f”s are significant bits.
Possible values: See above
Default value: N/A
show ip traffic
Displays IP (ICMP, UDP, TCP, and RIP) traffic statistics for a ServerIron.
EXAMPLE:
ServerIron# show ip traffic
IP Statistics
  587 received, 593 sent, 14 forwarded
  0 fragmented, 0 reassembled, 0 bad header
  489 no route, 0 unknown proto, 0 no buffer, 9 other errors
ICMP Statistics
Received:
  0 total, 0 errors, 0 unreachable, 0 time exceed
  0 parameter, 0 source sequence, 0 redirect, 0 echo,
  0 echo reply, 0 timestamp, 0 timestamp rely, 0 addr mask
  0 addr mask reply, 0 irdp advertisement, 0 irdp solicitation
Sent:
  54 total, 0 errors, 0 unreachable, 0 time exceed
  0 parameter, 0 source sequence, 0 redirect, 0 echo,
  0 echo reply, 0 timestamp, 0 timestamp rely, 0 addr mask
  0 addr mask reply, 54 irdp advertisement, 0 irdp solicitation
NOTE: This example is an excerpt, not a complete display.
Syntax: show ip traffic
Possible values: N/A
Default value: N/A
show logging
Displays the SNMP event log.
EXAMPLE:
This example shows some common Syslog messages.
ServerIron# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 7 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Log Buffer (50 entries):
00d05h44m28s:info:Interface e3/11, state up
00d05h44m28s:info:Bridge topology change, vlan 1, interface 3/11, changed state to forwarding
00d04h45m49s:info:Interface e3/11, state down
00d04h45m20s:info:Interface e3/11, state up
00d04h45m20s:info:Bridge topology change, vlan 1, interface 3/11, changed state to forwarding
00d01h45m13s:info:Interface e3/11, state down
00d00h01m00s:info:Interface e3/11, state up
00d00h00m05s:info:Bridge topology change, vlan 1, interface 3/11, changed state to forwarding
00d00h00m00s:info:Warm start
Syntax: show logging
Possible values: N/A
Default value: N/A
EXAMPLE:
This example shows log entries for authentication failures. If someone enters an invalid community string when attempting to access the SNMP server on the Foundry device, the device generates a trap in the device's syslog buffer. (If you have configured the device to use a third-party SyslogD server, the device also sends a log entry to the server.)
Here is an example of a log that contains SNMP authentication traps. In this example, someone attempted to access the Foundry device three times using invalid SNMP community strings. The unsuccessful attempts indicate either an authorized user who is also a poor typist, or an unauthorized user who is attempting to access the device.
ServerIron(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 1 overruns)
    Buffer logging: level ACDMEINW, 50 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Log Buffer (50 entries):
00d01h45m13s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
00d00h01m00s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
00d00h00m05s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
EXAMPLE:
This example shows a log entry for an IP address conflict between the Foundry device and another device on the network.
In addition to placing an entry in the log, the software sends a log message to the SyslogD server, if you have configured one, and sends a message to each open CLI session.
ServerIron(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 1 overruns)
    Buffer logging: level ACDMEINW, 50 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Log Buffer (50 entries):
00d01h45m13s:warning:Duplicate IP address 209.157.23.188 detected, sent from MAC address 00e0.5201.3bc9 coming from port 7/7
EXAMPLE:
Here are some examples of log entries for packets denied by Access Control Lists (ACLs).
NOTE: On devices that also use Layer 2 MAC filters, both types of log entries can appear in the same log. Only ACL log entries are shown in this example.
ServerIron(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 38 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d06h58m30s:warning:list 101 denied tcp 209.157.22.198(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 packets
The first time an entry in an ACL denies a packet and logging is enabled for that entry, the software generates a Syslog message and an SNMP trap. Messages for packets denied by ACLs are at the warning level of the Syslog.
When the first Syslog entry for a packet denied by an ACL is generated, the software starts a five-minute ACL timer. After this, the software sends Syslog messages every five minutes. The messages list the number of packets denied by each ACL during the previous five-minute interval. If an ACL entry does not deny any packets during the five-minute interval, the software does not generate a Syslog entry for that ACL entry.
NOTE: For an ACL entry to be eligible to generate a Syslog entry for denied packets, logging must be enabled for the entry. The Syslog contains entries only for the ACL entries that deny packets and have logging enabled.
In this example, the two-line message at the bottom is the first entry, which the software immediately generates the first time an ACL entry permits or denies a packet. In this case, an entry in ACL 101 denied a packet. The packet was a TCP packet from host 209.157.22.198 and was destined for TCP port 80 (HTTP) on host 198.99.4.69.
When the software places the first entry in the log, the software also starts the five-minute timer for subsequent log entries. Thus, five minutes after the first log entry, the software generates another log entry and SNMP trap for denied packets.
In this example, the software generates the second log entry five minutes later. The second entry indicates that the same ACL denied two packets.
The time stamp for the third entry is much later than the time stamps for the first two entries. In this case, no ACLs denied packets for a very long time. In fact, since no ACLs denied packets during the five-minute interval following the second entry, the software stopped the ACL log timer. The software generated the third entry as soon as the ACL denied a packet. The software restarted the five-minute ACL log timer at the same time. As long as at least one ACL entry permits or denies a packet, the timer continues to generate new log entries and SNMP traps every five minutes.
EXAMPLE:
Here are some examples of log messages for CLI access.
ServerIron(config)# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Buffer logging: level ACDMEINW, 12 messages logged
    level code: A=alert C=critical D=debugging M=emergency E=error
                I=informational N=notification W=warning
Log Buffer (50 entries):
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEDGE EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEDGE EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode
The first message (the one on the bottom) indicates that user “dg” logged in to the CLI’s User EXEC level on October 15 at 5:38 PM and 3 seconds (Oct 15 17:38:03). The same user logged in to the Privileged EXEC level four seconds later.
The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.
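The following Python script is an added example that covers the show logging examples above (SNMP authentication failures, the duplicate-IP warning, ACL deny entries and CLI access messages); it is not code from this manual or from the ServerIron. It parses both time stamp forms that appear on this page (uptime "00d01h45m13s" and wall-clock "Oct 15 18:01:11"), classifies each entry, totals the packets reported by the five-minute ACL deny summaries per ACL and flow, and lists sources that repeatedly fail SNMP authentication. The sample log is assembled from the lines shown above, and the three-failure threshold is an assumption chosen for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample assembled from the log lines shown in the examples above.
SAMPLE_LOG = """\
00d01h45m13s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
00d00h01m00s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
00d00h00m05s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
00d01h45m13s:warning:Duplicate IP address 209.157.23.188 detected, sent from MAC address 00e0.5201.3bc9 coming from port 7/7
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d06h58m30s:warning:list 101 denied tcp 209.157.22.198(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 packets
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode
"""

UPTIME_RE = re.compile(r"^(\d+)d(\d+)h(\d+)m(\d+)s:(\w+):(.*)$")
CLOCK_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}):(\w+):(.*)$")
SNMP_RE = re.compile(r"SNMP Authentication failure, intruder IP: (\S+)")
ACL_RE = re.compile(r"list (\d+) denied (\w+) (\S+?)\(\d+\)\(([^)]*)\) -> (\S+?)\((\w+)\), (\d+) packets")


def parse_entry(line):
    """Split one log line into stamp, level and message; None for non-log lines."""
    m = UPTIME_RE.match(line)
    if m:
        d, h, mi, s = (int(x) for x in m.group(1, 2, 3, 4))
        return {"stamp": f"{m[1]}d{m[2]}h{m[3]}m{m[4]}s",
                "uptime_s": d * 86400 + h * 3600 + mi * 60 + s,
                "level": m[5], "msg": m[6]}
    m = CLOCK_RE.match(line)
    if m:
        return {"stamp": m[1], "uptime_s": None, "level": m[2], "msg": m[3]}
    return None


def classify(entry):
    """Return (kind, extracted fields) for the message kinds shown on this page."""
    msg = entry["msg"]
    m = SNMP_RE.search(msg)
    if m:
        return "snmp_auth_failure", {"src": m[1]}
    m = ACL_RE.search(msg)
    if m:
        return "acl_deny", {"acl": m[1], "proto": m[2], "src": m[3], "iface": m[4],
                            "dst": m[5], "dport": m[6], "packets": int(m[7])}
    if msg.startswith("Duplicate IP address"):
        return "duplicate_ip", {}
    if " login to " in msg or " logout from " in msg:
        return "cli_access", {}
    return "other", {}


def summarize(text):
    kinds, snmp_failures, acl_packets = Counter(), Counter(), defaultdict(int)
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        kind, info = classify(entry)
        kinds[kind] += 1
        if kind == "snmp_auth_failure":
            snmp_failures[info["src"]] += 1
        elif kind == "acl_deny":
            # Each ACL entry reports the packets denied in its five-minute interval,
            # so the per-flow totals are additive across entries.
            acl_packets[(info["acl"], info["src"], info["dst"], info["dport"])] += info["packets"]
    return {"kinds": kinds, "snmp_failures": snmp_failures, "acl_packets": dict(acl_packets)}


def repeated_snmp_failures(summary, threshold=3):
    """Sources that failed SNMP authentication at least `threshold` times (assumed threshold)."""
    return sorted(ip for ip, n in summary["snmp_failures"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("entries by kind:", dict(s["kinds"]))
    print("repeated SNMP failures from:", repeated_snmp_failures(s))
    for (acl, src, dst, dport), n in sorted(s["acl_packets"].items()):
        print(f"ACL {acl}: {src} -> {dst}({dport}) {n} packets denied")
```

Because the uptime stamps restart at 00d00h00m00s after a reload (the "Warm start" entry above), the uptime_s value is only comparable between entries written since the same start; the wall-clock form used in the CLI access example has no such limitation.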
show mac-address
Displays all MAC addresses on a ServerIron.
EXAMPLE:
To display all MAC addresses on a ServerIron, enter the following:
ServerIron(config)# show mac-address
Total entries from all ports = 75
MAC             Port  Age    CamF  CIDX0  CIDX1  CIDX2  CIDX3  CIDX4  CIDX5
0000.0300.0000  10    17293  00H   0      0      0      0      0      0
0060.089f.8086  1     12     0bH   23     15     0      6      0      0
0060.9709.914b  16    2130   00H   0      0      0      0      0      0
00a0.249a.0163  16    130    00H   0      0      0      0      0      0
0060.979d.41a5  11    475    00H   0      0      0      0      0      0
00a0.24c5.01d1  11    0      0cH   0      0      20     14     0      0
0060.979d.41df  11    570    00H   0      0      0      0      0      0
0060.9759.4226  16    240    00H   0      0      0      0      0      0
0060.9759.4235  16    130    00H   0      0      0      0      0      0
0800.208f.725b  2     135    00H   0      0      0      0      0      0
0060.9759.4264  16    0      0aH   0      14     0      21     0      0
00a0.24c5.02a1  16    15     09H   5      0      0      33     0      0
0000.c02c.a2bf  7     11     03H   27     5      0      0      0      0
00a0.24c5.02f8  4     135    00H   0      0      0      0      0      0
00a0.24c5.02fc  6     0      06H   0      8      31     0      0      0
0800.207e.c312  2     2      0dH   25     0      24     13     0      0
0800.208f.5331  2     135    00H   0      0      0      0      0      0
00e0.5200.0385  10    5160   00H   0      0      0      0      0      0
--More--, next page: Space/Return key, quit: Control-c
NOTE: The information displayed in columns with headings CamF, and CIDX0 through CIDX5, is not relevant for day-to-day management of the ServerIron. The information is used by engineering and technical support staff for debug purposes.
Syntax: show mac-address [ethernet <portnum> | <mac-addr> | session]
Possible values: The session keyword causes information about MAC session entries to be displayed.
Default value: N/A
show mac-address statistics
Displays the total number of MAC addresses currently active on a ServerIron. This command serves as a numerical summary of the detailed listing provided by the show mac-address command.
For each port, the number of learned MAC addresses is displayed.
EXAMPLE:
ServerIron(config)# show mac-address-statistics
Total entries = 41
Port 1 2 3 4 5 6 7 8 9
0 6 11 1 1 1 2 1 1
Port 10 11 12 13 14 15 16
0 3 1 3 1 1 8
Syntax: show mac-address-statistics
Possible values: N/A
Default value: N/A
show media
Shows the types of ports active on a Chassis device.
EXAMPLE:
ServerIron(config)# show media
1/1:SX 1/2:SX 1/3:SX 1/4:SX
2/1:SX 2/2:SX 2/3:SX 2/4:SX 2/5:SX 2/6:SX 2/7:SX 2/8:SX
3/1:SX 3/2:SX 3/3:SX 3/4:SX 3/5:SX 3/6:SX 3/7:SX 3/8:SX
4/1:SX 4/2:SX 4/3:SX 4/4:SX 4/5:SX 4/6:SX 4/7:SX 4/8:SX
5/1:SX 5/2:SX 5/3:SX 5/4:SX 5/5:SX 5/6:SX 5/7:SX 5/8:SX
6/1:SX 6/2:SX 6/3:SX 6/4:SX 6/5:SX 6/6:SX 6/7:SX 6/8:SX
7/1:SX 7/2:SX 7/3:SX 7/4:SX 7/5:SX 7/6:SX 7/7:SX 7/8:SX
8/1:SX 8/2:SX 8/3:SX 8/4:SX 8/5:SX 8/6:SX 8/7:SX 8/8:SX
Syntax: show media
Possible values: N/A
Default value: N/A
show module
Shows the types of modules installed on a Chassis device.
EXAMPLE:
Here is an example of the command’s display output on a ServerIron 800.
ServerIron# show module
Module Status Ports Starting MAC
S1: B8GM Fiber Management Module OK 8 00e0.52f0.5a00
S2: B24E Copper Switch Module OK 24 00e0.52f0.5a20
S3: B24E Copper Switch Module OK 24 00e0.52f0.5a40
S4: B24E Copper Switch Module OK 24 00e0.52f0.5a60
S5: B8G Fiber Switch Module OK 8 00e0.52f0.5a00
S6: B24E Copper Switch Module OK 24 00e0.52f0.5aa0
S7: B8G Fiber Switch Module OK 8 00e0.52f0.5a00
S8: B8G Fiber Switch Module OK 8 00e0.52f0.5a00
Possible values: N/A
Default value: N/A
show monitor
Displays the current port mirroring and monitoring configuration.
EXAMPLE:
ServerIron(config)# show monitor
Mirror Interface: ethernet 4/1
Monitored Interfaces:
Both                 Input                Output
---------------------------------------------------
ethernet 4/3
Syntax: show monitor
In this example, port 4/1 is the mirror interface, to which the software copies (“mirrors”) the traffic on port 4/3. In this case, both directions of traffic on the monitored port are mirrored to port 4/1.
If only the incoming traffic is mirrored, the monitored interface is listed under Input. If only the outbound traffic is mirrored, the monitored interface is listed under Output.
Possible values: N/A
Default value: N/A
show policy-map
Displays information about the URL switching policies configured on the ServerIron.
EXAMPLE:
ServerIron# show policy-map p1
Current Policy: 3  Created: 8  Deleted: 5
Table slot 210
-------------------------------------------------
Name      : p1         Valid  : Yes
Tree root : Yes        Method : prefix
Key        Type         Data
---        ----         ----
default    Map Policy   p2
/home      Group ID     1
Syntax: show policy-map [<policy-map-name>]
Possible values: <policy-map-name> is the name of a URL switching policy. If you omit this parameter, information about all URL switching policies is displayed.
Default value: N/A
show relative-utilization
Displays an uplink utilization list, which allows you to observe the percentage of the uplink’s bandwidth that each of the downlink ports used during the most recent 30-second port statistics interval. The number of packets sent and received between the two ports is listed, as well as the ratio of each individual downlink port’s packets relative to the total number of packets on the uplink.
EXAMPLE:
To display an uplink utilization list:
ServerIron(config)# show relative-utilization 1
uplink: ethe 1
30-sec total uplink packet count = 3011
packet count ratio (%)
  1/ 2:60    1/ 3:40
In this example, ports 2 and 3 are sending traffic to port 1. Port 2 and port 3 are isolated (not shared by multiple clients) and typically do not exchange traffic with other ports except for the uplink port, port 1.
Syntax: show relative-utilization <num>
Possible values: The <num> parameter specifies the list number.
Default value: N/A
show reload
Displays the time and date for scheduled system reloads.
EXAMPLE:
ServerIron# show reload
Syntax: show reload
Possible values: N/A
Default value: N/A
show rmon alarm
Displays any reported RMON alarms for the system.
EXAMPLE:
ServerIron# show rmon alarm
Alarm table is empty
Syntax: show rmon alarm [<alarm-table-entry>]
Possible values: N/A
Default value: N/A
show rmon event
Displays any reported RMON events for the system.
EXAMPLE:
ServerIron# show rmon event
Event table is empty
Syntax: show rmon event [<event-table-entry>]
Possible values: N/A
Default value: N/A
show rmon history
Displays the RMON history for the system.
EXAMPLE:
ServerIron# show rmon history
History 1 is active, owned by monitor
Monitors interface 1 (ifIndex 1) every 30 seconds
25 buckets were granted to store statistics
History 2 is active, owned by monitor
Monitors interface 1 (ifIndex 1) every 1800 seconds
25 buckets were granted to store statistics
History 3 is active, owned by monitor
Monitors interface 5 (ifIndex 5) every 30 seconds
25 buckets were granted to store statistics
History 4 is active, owned by monitor
Monitors interface 5 (ifIndex 5) every 1800 seconds
25 buckets were granted to store statistics
Syntax: show rmon history [<control-table-entry>]
Possible values: N/A
Default value: N/A
show rmon statistics
Displays detailed statistics for each port.
EXAMPLE:
ServerIron# show rmon statistics
Syntax: show rmon statistics [ethernet <portnum>] | [<num>]
The ethernet <portnum> parameter displays the RMON port statistics for the specified port.
The <num> parameter displays the specified entry. Entries are numbered beginning with 1.
Possible values: see above
Default value: N/A
show running-config
Displays the running configuration of the ServerIron on the terminal screen.
NOTE: This command is equivalent to the write terminal command.
EXAMPLE:
ServerIron# show running-config
Syntax: show running-config
Possible values: N/A
Default value: N/A
show server backup
Displays the backup configuration and the current backup status of the ServerIron.
NOTE: This command applies only to hot standby configurations. If you are using Symmetric SLB, see “show server symmetric” on page 21-29.
show server bind
Displays the services binding between virtual servers and real servers.
EXAMPLE:
ServerIron(config)# show server bind
Virtual Server Name: v100, IP: 209.157.23.100
   http    -------> s43: 209.157.23.43, http
                    s60: 209.157.23.60, 8080
   ftp     -------> s43: 209.157.23.43, ftp
                    s60: 209.157.23.60, ftp
   70      -------> s43: 209.157.23.43, 70
                    s60: 209.157.23.60, 70
Virtual Server Name: v105, IP: 209.157.23.105
   telnet  -------> s60: 209.157.23.60, 300
   ftp     -------> s60: 209.157.23.60, 200
   http    -------> s60: 209.157.23.60, 100
   dns     -------> s60: 209.157.23.60, 400
   tftp    -------> s60: 209.157.23.60, 500
Syntax: show server bind
For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show server conn-rate
Shows the global TCP connection rate (per second) and TCP SYN attack rate (per second). This command reports global connection rate information for the ServerIron as well as for each real server.
EXAMPLE:
ServerIron# show server conn-rate
Avail. Sessions = 524286         Total Sessions = 524288
Total C->S Conn = 0              Total S->C Conn = 0
Total Reassign = 0               Unsuccessful Conn = 0
last conn rate = 0               max conn rate = 0
last TCP attack rate = 0         max TCP attack rate = 0
SYN def RST = 0                  SYN flood = 0
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Real Server   State   CurrConn   TotConn   LastRate   CurrRate   MaxRate
rs1           3       0          0         0          0          0
Syntax: show server conn-rate
For descriptions of the information shown in this display, see the "Protecting Against Denial of Service Attacks" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
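As an added example (not Foundry code), the following Python script parses the show server conn-rate output layout shown above and flags the counters an operator reviews when the SYN-defense settings from the "Protecting Against Denial of Service Attacks" chapter are in play. The sample capture and the rate threshold are constructed values, not real device output.

```python
import re

# Every "name = value" pair on the global part of the display,
# e.g. "last TCP attack rate = 0". Keys start with a letter, so the
# number that closes one pair is never absorbed into the next key.
_KV_RE = re.compile(r"([A-Za-z][A-Za-z0-9 .>/\-]*?)\s*=\s*(\d+)")

# Column order of the per-real-server table in the manual's example.
_SERVER_HDR = ("Real Server", "State", "CurrConn", "TotConn",
               "LastRate", "CurrRate", "MaxRate")

# State codes from the legend line of the display.
STATE_NAMES = {1: "enabled", 2: "failed", 3: "test", 4: "suspect",
               5: "grace_dn", 6: "active"}

# Constructed sample capture in the manual's layout; the numbers are
# invented to exercise every check below (not real device output).
SAMPLE = """\
ServerIron# show server conn-rate
Avail. Sessions = 12000          Total Sessions = 524288
Total C->S Conn = 812331         Total S->C Conn = 0
Total Reassign = 0               Unsuccessful Conn = 55
last conn rate = 950             max conn rate = 1400
last TCP attack rate = 640       max TCP attack rate = 1310
SYN def RST = 12                 SYN flood = 3
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Real Server   State   CurrConn   TotConn   LastRate   CurrRate   MaxRate
rs1           6       210        400011    300        310        700
rs2           4       0          412320    0          0          610
"""


def parse_conn_rate(text):
    """Return (counters, servers) parsed from captured command output.

    counters: dict, counter name -> int, for every "name = value" pair.
    servers: list of dicts, one per data row of the real-server table.
    """
    counters, servers, in_table = {}, [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("ServerIron"):
            continue                      # blank line or echoed prompt
        if line.startswith("Real Server"):
            in_table = True               # table header reached
            continue
        if in_table:
            cols = line.split()
            if len(cols) != len(_SERVER_HDR):
                continue                  # not a data row
            row = {"name": cols[0]}
            for key, val in zip(_SERVER_HDR[1:], cols[1:]):
                row[key] = int(val)
            row["state_name"] = STATE_NAMES.get(row["State"], "unknown")
            servers.append(row)
        else:
            for key, val in _KV_RE.findall(line):
                counters[key.strip()] = int(val)
    return counters, servers


def assess(counters, servers, rate_threshold=100):
    """Return a list of findings worth an operator's attention.

    rate_threshold (SYNs per second) is a constructed example value; tune
    it to the site's normal connection rate before using it for alerting.
    """
    def get(key):
        return counters.get(key, 0)

    findings = []
    if get("SYN flood") > 0:
        findings.append("SYN flood counter is non-zero: %d" % get("SYN flood"))
    for key in ("last TCP attack rate", "max TCP attack rate"):
        if get(key) > rate_threshold:
            findings.append("%s %d/s exceeds %d/s" % (key, get(key), rate_threshold))
    # Fewer than 10% of session entries free means the session table is
    # close to exhaustion, whether from genuine load or from a flood.
    if get("Total Sessions") and get("Avail. Sessions") < 0.1 * get("Total Sessions"):
        findings.append("only %d of %d session entries free"
                        % (get("Avail. Sessions"), get("Total Sessions")))
    for s in servers:
        if s["State"] in (2, 4):          # failed or suspect
            findings.append("real server %s is %s" % (s["name"], s["state_name"]))
    return findings


if __name__ == "__main__":
    c, s = parse_conn_rate(SAMPLE)
    for finding in assess(c, s):
        print(finding)
```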
show server dynamic
Shows dynamic real server and virtual server port bindings. These are bindings that the ServerIron builds automatically. Use this command if you are working with Foundry technical support to resolve a Global SLB configuration issue.
show server fw-path
Shows information for paths configured for firewall load balancing. See the Foundry ServerIron Firewall Load Balancing Guide for information about the fields in this display.
EXAMPLE:
To display path information for firewall load balancing, enter the following command at any level of the CLI:
ServerIron(config)# show server fw-path
Firewall Server Path Info
Number of Fwall = 2
Target-ip          Next-hop-ip   Port   Path   Status   Tx   Rx
195.188.123.221    10.10.0.1     1      1      0        0    0
195.188.123.221    10.10.0.2     2      2      0        0    0
Syntax: show server fw-path
Possible values: N/A
Default value: N/A
show server global
Displays global server configuration parameters.
EXAMPLE:
ServerIron(config)# show server global
Server Load Balancing - global parameters
Predictor = least-conn
Force-deletion = 1
Reassign-threshold = 100
Reassign-limit = 3
Ping-interval = 8
Ping-retries = 7
Session ID age = 35
TCP-age = 30
UDP-age = 5
Sticky-age = 30
TCP-syn-limit = 65535
TCP-total conn = 4337
Unsuccessful conn = 0
ICMP-message = Disabled
Syntax: show server global
For descriptions of the fields in this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show server hash
Displays information about hashing bucket assignments and the number of hits each bucket has received.
EXAMPLE:
ServerIron# show server hash
Syntax: show server hash
Possible values: N/A
Default value: N/A
show server proxy
Displays web switching statistics.
EXAMPLE:
ServerIron# show server proxy
Slot alloc = 0               Curr free slot = 99999
Slot freed = 0               Slot alloc fail = 0
Pkt stored = 0               Max slot alloc = 0
Pkt freed = 0                Fwd Stored pkt = 0
Session T/O = 0              Sess T/O pkt free = 0
Session del = 0              Sess del pkt free = 0
DB cleanup cnt = 0           DB cleanup pkt free = 0
Serv RST to SYN = 0          Send RST to C = 0
URL not in 1st pkt = 0       Cookie not in 1st pk = 0
URL not complete = 0         Cookie not complete = 0
Sess T/O rev Sess 0 = 0      Sess T/O Sess diff = 0
Dup SYN Sess diff = 0        Curr slot used = 0
Curr pkt stored = 0
Syntax: show server proxy
Possible values: N/A
Default value: N/A
show server real
Displays real IP servers' state information and statistics.
EXAMPLE:
ServerIron(config)# show server real
Real Servers Info
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Name:rs1  IP: 209.157.23.60:4  State:1  Wt:1  Max-conn:1000000
Src-nat (cfg:op) = 0: 0  Dest-nat-(cfg:op) = 0: 0
Remote server: No  Dynamic: No
Port    State    Ms  CurConn  TotConns  Rx-pkts  Tx-pkts  Rx-octet  Tx-octet  Reas
pop2    enabled  0   0        0         0        0        0         0         0
        Keepalive: Disabled
radius  enabled  0   0        0         0        0        0         0         0
        Keepalive: Disabled, Username : "reza" Password : "QA", Key : "arvind"
imap4   enabled  0   0        0         0        0        0         0         0
        Keepalive: Disabled
ldap    enabled  0   0        0         0        0        0         0         0
        Keepalive: Disabled, LDAP Version : 3
70      enabled  0   0        0         0        0        0         0         0
        Keepalive: Enabled
dns     enabled  0   0        0         0        0        0         0         0
        Keepalive: Disabled, Zone : "foundrynet.com", Addr Query : ""
snmp    enabled  0   0        0         0        0        0         0         0
        Keepalive: Disabled
http    enabled  0   0        0         0        0        0         0         0
        Keepalive: Disabled, status code(s) default (200-299, 401) HTTP URL: "HEAD /"
600     unbnd    0   0        0         0        0        0         0         0
        Keepalive: Disabled
500     enabled  0   0        0         0        0        0         0         0
        Keepalive: Disabled
defaul  unbnd    0   0        0         0        0        0         0         0
Server Total         0        0         0        0        0         0         0
Syntax: show server real [<name> [detail]]
Syntax: show server real [dns | ftp | http | imap4 | ldap | nntp | pop3 | radius | smtp | telnet]
For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: The optional keywords display keepalive and bring up statistics for the specified function.
Default value: N/A
show server sessions
Displays the free and active sessions.
EXAMPLE:
ServerIron(config)# show server sessions
Avail. Sessions = 524287         Total Sessions = 524288
Total C->S Conn = 4233           Total S->C Conn = 0
Total Reassign = 0               Unsuccessful Conn = 0
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Real Server   State   CurrConn   TotConn   TotRevConn   CurrSess   PeakConn
s60           1       0          0         0            0          0
s43           1       0          4233      0            0          39
Syntax: show server sessions
For descriptions of the information shown by this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show server symmetric
Displays configuration information for Symmetric SLB.
EXAMPLE:
ServerIron# show server symmetric
Syntax: show server symmetric
For descriptions of the information this command shows, see the "Configuring Symmetric SLB and SwitchBack" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show server traffic
Displays global IP server statistics.
EXAMPLE:
ServerIron(config)# show server traffic
Client->Server = 26753       Server->Client = 24817
Drops = 4                    Aged = 38
Fw_drops = 0                 Rev_drops = 0
FIN_or_RST = 8429            old-conn = 0
Disable_drop = 0             Exceed_drop = 0
Stale_drop = 14              Unsuccessful = 0
Syntax: show server traffic
For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show server virtual
Displays virtual IP servers' state information and statistics.
EXAMPLE:
ServerIron(config)# show server virtual
Virtual Servers Info
Server Name: v100  IP : 209.157.23.100 : 4
Status: enabled  Predictor: least-conn  TotConn: 4233
Dynamic: No  HTTP redirect: disabled
Sym: group = 1  state = 5  priority = 2  keep = 0  Activates = 4, Inactive= 3
Port      State     Sticky   Concur   CurConn   TotConn   PeakConn
radius-o  enabled   NO       NO       0         0         0
http      enabled   NO       NO       0         4233      39
ftp       enabled   NO       NO       0         0         0
telnet    enabled   NO       NO       0         0         0
ssl       enabled   YES      NO       0         0         0
smtp      enabled   NO       NO       0         0         0
nntp      enabled   NO       NO       0         0         0
ntp       enabled   NO       NO       0         0         0
dns       enabled   NO       NO       0         0         0
pop2      enabled   NO       NO       0         0         0
pop3      enabled   NO       NO       0         0         0
tftp      enabled   NO       NO       0         0         0
imap4     enabled   NO       NO       0         0         0
snmp      enabled   NO       NO       0         0         0
ldap      enabled   NO       NO       0         0         0
70        enabled   NO       NO       0         0         0
default   enabled   NO       NO       0         0         0
information for remaining virtual servers omitted for brevity...
Syntax: show server virtual [<virtual-server-name>]
For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show snmp server
Lists system administrative information for a ServerIron: contact name, system location, community strings and the traps that are enabled.
EXAMPLE:
ServerIron# show snmp server
Contact: Jack Sphatt
Location: HMB x1031
Community(ro): public
Community(rw): private
Traps
    Cold start: Enable
    Link up: Enable
    Link down: Enable
    Authentication: Enable
    [ ..........]
    L4 switch standby: Enable
Total Trap-Receiver Entries: 4
Trap-Receiver IP Address    Community
    1   207.95.6.211
    2   207.95.5.21
Syntax: show snmp server
Possible values: N/A
Default value: N/A
show sntp associations
Displays information about SNTP associations.
EXAMPLE:
ServerIron# show sntp associations
   address         ref clock    st   when   poll   delay   disp
  ~207.95.6.102    0.0.0.0      16   202    4      0.0     5.45
  ~207.95.6.101    0.0.0.0      16   202    0      0.0     0.0
* synced, ~ configured
The following table describes the information displayed by the show sntp associations command.
This Field... Displays...
(leading character) One or both of the following:
* Synchronized to this peer
~ Peer is statically configured
address IP address of the peer
ref clock IP address of the peer’s reference clock
st NTP stratum level of the peer
when Amount of time since the last NTP packet was received from the peer
poll Poll interval in seconds
delay Round trip delay in milliseconds
disp Dispersion in seconds
Syntax: show sntp associations
Possible values: N/A
Default value: N/A
show sntp status
Displays information about SNTP status.
EXAMPLE:
ServerIron# show sntp status
Clock is unsynchronized, stratum = 0, no reference clock
precision is 2**0
reference time is 0 .0
clock offset is 0.0 msec, root delay is 0.0 msec
root dispersion is 0.0 msec, peer dispersion is 0.0 msec
The following table describes the information displayed by the show sntp status command.
This Field... Indicates...
unsynchronized System is not synchronized to an NTP peer.
synchronized System is synchronized to an NTP peer.
stratum NTP stratum level of this system
reference clock IP Address of the peer (if any) to which the unit is synchronized
precision Precision of this system's clock (in Hz)
reference time Reference time stamp
clock offset Offset of clock to synchronized peer
root delay Total delay along the path to the root clock
root dispersion Dispersion of the root path
peer dispersion Dispersion of the synchronized peer
Syntax: show sntp status
Possible values: N/A
Default value: N/A
show span
Displays spanning tree statistics for a ServerIron such as root cost, root port and priority.
EXAMPLE:
ServerIron# show span
Global STP Parameters:
VLAN Root             Root Root Prio Max He- Ho- Fwd Last  Chg Bridge
ID   ID               Cost Port rity Age llo ld  dly Chang cnt Address
     Hex                             sec sec sec sec sec
1    800000e052801400 0    Root 8000 20  2   2   15  0     1   00e052801400
Port STP Parameters:
VLAN Port Prio Path State      Fwd   Design Design           Design
ID   Num  rity Cost            Trans Cost   Root             Bridge
          Hex
1    1/1  80   1    FORWARDING 1     0      800000e052801400 800000e052801400
1    1/2  80   0    DISABLED   0     0      0000000000000000 0000000000000000
1    2/1  80   0    DISABLED   0     0      0000000000000000 0000000000000000
1    2/3  80   0    DISABLED   0     0      0000000000000000 0000000000000000
1    2/5  80   0    DISABLED   0     0      0000000000000000 0000000000000000
Syntax: show span
Possible values: N/A
Default value: N/A
show span vlan
Displays the global and port STP parameters of a given VLAN on a ServerIron.
EXAMPLE:
ServerIron# show span vlan 2
Global Bridge Parameters:
VLAN Root             Root Root Prio Max He- Ho- Fwd Last  Chg Bridge
ID   ID               Cost Port rity Age llo ld  dly Chang cnt Address
     Hex                             sec sec sec sec sec
2    800000e0520002f5 0    Root 8000 20  2   2   15  0     0   00e0520002f5
Port STP Parameters:
VLAN Port Prio Path State      Fwd   Design Design           Design
ID   Num  rity Cost            Trans Cost   Root             Bridge
          Hex
2    1    0080 0    DISABLED   0     0000000000000000 0000000000000000
2    2    0080 0    DISABLED   0     0000000000000000 0000000000000000
2    3    0080 0    DISABLED   0     0000000000000000 0000000000000000
2    4    0080 0    DISABLED   0     0000000000000000 0000000000000000
2    5    0080 0    DISABLED   0     0000000000000000 0000000000000000
Syntax: show span vlan <vlan-id> [ethernet <portnum>]
Possible values: N/A
Default value: N/A
show statistics
Displays port statistics for a ServerIron (transmit, receive, collisions, errors).
EXAMPLE:
ServerIron# show statistics
Buffer Manager Queue   [Pkt Receive   Pkt Transmit]
                        0             0
Port Counters:
        Packets               Collisions            Errors
Port    [Receive  Transmit]   [Receive  Transmit]   [Align  FCS  Giant  Short]
1/1     15935     5443        0         0           0       0    0      0
1/2     0         0           0         0           0       0    0      0
1/3     0         0           0         0           0       0    0      0
1/4     0         0           0         0           0       0    0      0
2/1     0         0           0         0           0       0    0      0
2/2     0         0           0         0           0       0    0      0
2/3     0         0           0         0           0       0    0      0
2/4     0         0           0         0           0       0    0      0
2/5     0         0           0         0           0       0    0      0
2/6     0         0           0         0           0       0    0      0
2/7     0         0           0         0           0       0    0      0
2/8     0         0           0         0           0       0    0      0
Syntax: show statistics [ethernet <portnum>] | [slot <slot-num>]
The pos <portnum> parameter displays statistics for a specific POS port.
The ethernet <portnum> parameter displays statistics for a specific Ethernet port.
The slot <slot-num> parameter displays statistics for a specific chassis slot.
NOTE: The slot <slot-num> parameter applies only to Chassis devices.
NOTE: The pos <portnum> parameter applies only to the POS modules.
This display shows the following information for each port.
Table 21.1: CLI Display of Port Statistics
This Field... Displays...
Packet counters
Receive The number of packets received on this interface.
Transmit The number of packets transmitted on this interface.
Collision counters
Receive The number of collisions that have occurred when receiving packets.
Transmit The number of collisions that have occurred when sending packets.
Packet Errors
These fields show statistics for various types of packet errors. The device drops packets that contain one of these errors.
Align The number of packets that contained frame alignment errors.
FCS The number of packets that contained Frame Check Sequence errors.
Giant The number of packets that were longer than the configured MTU.
Short The number of packets that were shorter than the minimum valid length.
Possible values: see above
Default value: statistics for all ports are displayed
show statistics dos-attack
Displays information about ICMP and TCP SYN packets dropped because burst thresholds were exceeded.
EXAMPLE:
ServerIron# show statistics dos-attack
---------------------------- Local Attack Statistics --------------------------
ICMP Drop Count   ICMP Block Count   SYN Drop Count   SYN Block Count
---------------   ----------------   --------------   ---------------
0                 0                  0                0
--------------------------- Transit Attack Statistics -------------------------
Port    ICMP Drop Count   ICMP Block Count   SYN Drop Count   SYN Block Count
-----   ---------------   ----------------   --------------   ---------------
Syntax: show statistics dos-attack
Possible values: N/A
Default value: N/A
show tech-support
Shows technical details for use in troubleshooting issues together with technical support. The information shown is a subset of all the available information.
Syntax: show tech-support
Possible values: N/A
Default value: N/A
show telnet
Shows the IP address of the station with the active Telnet session. Up to five read access Telnet sessions can be supported on the ServerIron at one time. Write access through Telnet is limited to one session.
EXAMPLE:
ServerIron# show telnet
Console connections:
        established, active 14 seconds in idle
Telnet connections:
 1      established, client ip address 192.168.1.234  7 seconds in idle
 2      established, client ip address 192.168.1.234  3 seconds in idle
 3      closed
 4      closed
 5      closed
SSH connections:
 1      closed
 2      closed
 3      closed
 4      closed
 5      closed
Syntax: show telnet
Possible values: N/A
Default value: N/A
show trunk
Displays trunk groups and their port membership for ServerIrons.
EXAMPLE:
ServerIron(config-if)# show trunk
Configured trunks:
Trunk Group Ports
1 1 2 3
Operational trunks:
Trunk Group Ports Duplex Speed Tag Priority
1 1 2 3 Full 100M No High
Syntax: show trunk
Possible values: N/A
Default value: N/A
show users
Lists the user accounts configured on the ServerIron. See the Foundry Security Guide.
EXAMPLE:
ServerIron# show users
Syntax: show users
Possible values: N/A
Default value: N/A
show version
Lists software, hardware and firmware details for a ServerIron.
EXAMPLE:
ServerIron# show version
Syntax: show version
Possible values: N/A
Default value: N/A
show vlans
Displays all VLANs configured on the system, their member ports, assigned priority and STP status. To view a specific VLAN, enter the VLAN ID after the show vlans command.
EXAMPLE:
ServerIron(config)# show vlans
Syntax: show vlans [<vlan-id>]
Possible values: N/A
Default value: N/A
show web-connection
Displays the access levels and IP addresses of the devices that currently have Web management interface sessions with the ServerIron.
To clear all sessions displayed by this command, see “clear web-connection” on page 5-8.
EXAMPLE:
ServerIron(config)# show web-connection
User    Privilege   IP address
set     0           192.168.1.234
Syntax: show web-connection
Possible values: N/A
Default value: N/A
show who
The show who command lists the active console and Telnet CLI sessions. This command can be used in conjunction with the kill command, which lets you terminate an active CLI session.
EXAMPLE:
To display the active console and Telnet CLI sessions:
ServerIron# show who
Console connections:
        established
Telnet connections:
 1      established, client ip address 209.157.22.63
 2      closed
 3      closed
 4      closed
 5      closed
Syntax: show who
Possible values: N/A
Default value: N/A
show wsm-map
Displays the WSM CPU allocations for the forwarding modules in the chassis.
EXAMPLE:
To display the slot allocations for the WSM CPUs, enter the following command at any CLI level:
ServerIron(config)# show wsm-map
slot 2 (weight 24 x 100M) is processed by WSM 1/2 (weight 24)
slot 3 (weight 8 x 1000M) is processed by WSM 1/1 (weight 80)
slot 4 (weight 24 x 100M) is processed by WSM 1/3 (weight 24)
Syntax: show wsm-map
This example shows the slot allocations for a four-slot chassis. Each row shows the following information:
• The chassis slot (“slot 2” in the first row of the example above)
• The weight of the module in the slot (“weight 24 x 100M” in the first row of the example above)
• The chassis slot that contains the Web Switching Management Module and the WSM CPU to which the forwarding module described by this row is allocated (“is processed by WSM 1/2”). The “1” in this example indicates the Web Switching Management Module is in chassis slot 1. The “2” in this example indicates that WSM CPU 2 is handling Layer 4 – 7 processing for the forwarding module in slot 2.
• The total weight assigned to the WSM CPU (“weight 24” in the first row of this example)
Possible values: N/A
Default value: N/A
show wsm-state
Displays general information for a Web Switching Management Module.
EXAMPLE:
ServerIron(config)# show wsm-state
==================================================
WSM MODULE (6) App CPU 0 MB SHM, 3 Application Processors
    CPU 0 in state of WSM_STATE_RUNNING
    CPU 1 in state of WSM_STATE_RUNNING
    CPU 2 in state of WSM_STATE_RUNNING
---------------
Module 6 App CPU 1, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 268M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71), Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent
---------------
Module 6 App CPU 2, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 134M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71), Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent
---------------
Module 6 App CPU 3, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 268M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71), Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent
Syntax: show wsm-state
This command displays the state of the modules in the chassis, the software version running on the modules, and detailed information for each processor on the modules.
Possible values: N/A
Default value: N/A