February 2002
Copyright 2002 by Foundry Networks, Inc.
Contents
CHAPTER 1
GETTING STARTED ...................................................................................... 1-1
INTRODUCTION ...........................................................................................................................................1-1
AUDIENCE ..................................................................................................................................................1-1
NOMENCLATURE .........................................................................................................................................1-1
RELATED PUBLICATIONS .............................................................................................................................1-2
HOW TO GET HELP .....................................................................................................................................1-2
WARRANTY COVERAGE ........................................................................................................................1-2
CHAPTER 2
USING THE COMMAND LINE INTERFACE ....................................................... 2-1
EXEC COMMANDS .....................................................................................................................................2-2
USER LEVEL ........................................................................................................................................2-2
PRIVILEGED LEVEL ...............................................................................................................................2-2
CONFIG COMMANDS .................................................................................................................................2-2
GLOBAL LEVEL .....................................................................................................................................2-2
REDUNDANCY LEVEL ............................................................................................................................2-3
INTERFACE LEVEL ................................................................................................................................2-3
VLAN LEVEL .......................................................................................................................................2-3
REAL SERVER, CACHE SERVER, AND FIREWALL LEVEL ..........................................................................2-3
VIRTUAL SERVER LEVEL .......................................................................................................................2-3
CACHE GROUP AND FIREWALL GROUP LEVEL .......................................................................................2-3
GLOBAL AFFINITY LEVEL ......................................................................................................................2-3
GLOBAL SLB DNS ZONE LEVEL ...........................................................................................................2-3
GLOBAL SLB SITE LEVEL .....................................................................................................................2-3
GLOBAL SLB POLICY LEVEL .................................................................................................................2-3
URL SWITCHING POLICY LEVEL ............................................................................................................2-3
HTTP MATCHING LIST LEVEL ...............................................................................................................2-4
SERVER MONITOR LEVEL .....................................................................................................................2-4
ROUTING INFORMATION PROTOCOL (RIP) LEVEL ...................................................................................2-4
CHAPTER 3
COMMAND LIST .......................................................................................... 3-1
COMPLETE COMMAND LIST .........................................................................................................................3-1
COMMANDS LISTED BY CLI LEVEL .............................................................................................................3-16
USER EXEC LEVEL ...........................................................................................................................3-17
PRIVILEGED EXEC LEVEL ..................................................................................................................3-17
CONFIG COMMANDS ........................................................................................................................3-20
CHAPTER 4
USER EXEC COMMANDS ............................................................................ 4-1
CHAPTER 5
PRIVILEGED EXEC COMMANDS................................................................... 5-1
CHAPTER 6
GLOBAL CONFIG COMMANDS.................................................................... 6-1
CHAPTER 7
REDUNDANT MANAGEMENT MODULE CONFIG COMMANDS ......................... 7-1
CHAPTER 8
INTERFACE COMMANDS............................................................................... 8-1
CHAPTER 9
VLAN COMMANDS ..................................................................................... 9-1
CHAPTER 10
REAL SERVER COMMANDS........................................................................ 10-1
CHAPTER 11
VIRTUAL SERVER COMMANDS ................................................................... 11-1
CHAPTER 12
CACHE GROUP COMMANDS ...................................................................... 12-1
CHAPTER 13
GSLB AFFINITY COMMANDS ..................................................................... 13-1
CHAPTER 14
GSLB DNS ZONE COMMANDS ................................................................. 14-1
CHAPTER 15
GSLB SITE COMMANDS ........................................................................... 15-1
CHAPTER 16
GSLB POLICY COMMANDS ....................................................................... 16-1
CHAPTER 17
URL SWITCHING COMMANDS .................................................................... 17-1
CHAPTER 18
HTTP MATCH LIST COMMANDS ................................................................ 18-1
CHAPTER 19
SERVER MONITOR COMMANDS .................................................................. 19-1
CHAPTER 20
ROUTING INFORMATION PROTOCOL (RIP) COMMANDS ............................... 20-1
CHAPTER 21
SHOW COMMANDS .................................................................................... 21-1
Chapter 1
Getting Started
Introduction
This reference describes the Command Line Interface (CLI) for Foundry ServerIron switch products.
For step-by-step instructions on how to install key features of the system, see the Foundry ServerIron Installation
and Configuration Guide.
NOTE: Some commands are supported only on specific products. Where this is the case, the description for the
command states the products to which the command applies.
NOTE: This reference lists all the commands that appear at each command level for users with super-user
access. If you are logged on with port-configuration access or read-only access, some of these commands will
not be displayed and will not be available.
Audience
This manual is designed for system administrators with a working knowledge of Layer 2 and Layer 4 through
Layer 7 networking.
Nomenclature
This guide uses the following typographical conventions to show information:
Italic
highlights the title of another publication and occasionally emphasizes a word or phrase.
Bold
Bold Italic
Underline
Capitals
highlights field names and buttons that appear in the Web management interface.
CAUTION:
A caution calls your attention to a possible hazard that can damage equipment.
Related Publications
The following Foundry Networks documents supplement the information in this guide.
Foundry ServerIron Application Guide provides setup procedures for the ServerIron's basic SLB and TCS
features.
Foundry ServerIron Installation and Configuration Guide provides installation instructions as well as
detailed feature descriptions, procedures, and application examples for Server Load Balancing (SLB), Global
SLB (GSLB), Transparent Cache Switching (TCS), and URL Switching.
Foundry ServerIron Firewall Load Balancing Guide provides detailed feature descriptions, procedures, and
application examples for Firewall Load Balancing (FWLB).
How to Get Help
Call 1-877-TURBOCALL (887-2622) in the United States or 408.586.1881 outside the United States.
Web Access
The latest product information and technical tips are always available to our customers from the Foundry
Networks web site. You can access the web site at the following URL:
http://www.foundrynetworks.com
Email Access
Technical requests can also be sent to the following email address:
support@foundrynet.com
Telephone Access
408.586.1881
Warranty Coverage
Contact Foundry Networks using any of the methods listed above for information about the standard and
extended warranties.
Chapter 2
Using the Command Line Interface
The CLI is a text-based interface for configuring and monitoring Foundry ServerIron products. You can access the
CLI through either a direct serial connection to the device or a Telnet session.
The commands in the CLI are organized into the following levels:
User EXEC Lets you display information and perform basic tasks such as pings and trace routes.
Privileged EXEC Lets you use the same commands as those at the User EXEC level plus configuration
commands that do not require saving the changes to the system-config file.
CONFIG Lets you make configuration changes to the device. To save the changes across reboots, you
need to save them to the system-config file. The CONFIG level contains sub-levels for individual ports, for
VLANs, and other configuration areas.
NOTE: By default, any user who can open a serial or Telnet connection to the Foundry device can access all
these CLI levels. To secure access, you can configure Enable passwords or local user accounts, or you can
configure the device to use Access Control Lists (ACLs), a RADIUS server, or a TACACS/TACACS+ server for
authentication. See the Foundry Security Guide.
To display a list of available commands or command options, enter ? or press Tab. If you have not entered part
of a command at the command prompt, all the commands supported at the current CLI level are listed. If you
enter part of a command, then enter ? or press Tab, the CLI lists the options you can enter at the point in the
command string.
The CLI supports command completion, so you do not need to enter the entire name of a command or option. As
long as you enter enough characters of the command or option name to avoid ambiguity with other commands or
options, the CLI understands what you are typing.
The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key
combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the
command.
Table 2.1: CLI Line-Editing Commands
Ctrl-Key Combination
Description
Ctrl-A
Ctrl-B
Ctrl-C
Ctrl-D
Ctrl-E
Ctrl-F
Ctrl-K
Ctrl-L; Ctrl-R
Ctrl-N
Ctrl-P
Ctrl-U; Ctrl-X
Ctrl-W
Ctrl-Z
EXEC Commands
There are two different levels of EXEC commands, the User Level and the Privileged Level. The User level
commands are at the top of the CLI hierarchy. These are the first commands that you have access to when
connected to the ServerIron through the CLI.
User Level
At the User EXEC level, you can view basic system information and verify connectivity but cannot make any
changes to the ServerIron configuration. To make changes to the configuration base, you must move to other
levels of the CLI hierarchy. This is accomplished by entering the enable command at initial log-on. Once entered
correctly, you have access to the Privileged Level.
Privileged Level
The Privileged Level EXEC commands primarily let you transfer and store ServerIron software images and
configuration files between the network and the system, and review the system's configuration. You reach this
level by entering enable <password> or enable <username> <password> at the User EXEC level.
CONFIG Commands
Global Level
The global level is the first level of the CONFIG command structure. The global CONFIG level allows you to
globally apply or modify parameters for ports on the ServerIron. You reach this level by entering configure
terminal at the privileged EXEC level.
Redundancy Level
The redundancy level allows you to configure redundancy parameters for redundant management modules. You
reach this level by entering the redundancy command at the global CONFIG level.
NOTE: The redundancy commands apply only to a BigServerIron with redundant management modules.
Interface Level
The interface level allows you to assign or modify specific port parameters on a port-by-port basis. You reach this
level by entering interface ethernet <portnum> at the global level.
VLAN Level
Policy-based VLANs allow you to assign VLANs on a protocol (IP, IPX, DECnet, AppleTalk, NetBIOS, Others),
subnet (IP subnet and IPX network), port, or 802.1q tagged basis. You reach this level by entering the
vlan <vlan-id> by port command at the Global CONFIG Level for switches and vlan 1 for routers.
ServerIron(config)#
You can then reach all other levels of the CONFIG command structure from this point.
The CLI prompt will change at each level of the CONFIG command structure, to easily identify the current level. A
summary of the look of each prompt is noted below:
ServerIron>
ServerIron#
ServerIron(config)#
BigServerIron(config-redundancy)#
ServerIron(config-gslb-dns-affinity)#
ServerIron(config-gslb-dns-zonename)#
ServerIron(config-gslb-policy)#
ServerIron(config-gslb-site-sitename)#
ServerIron(config-if-portnum)#
ServerIron(config-vif-number)#
ServerIron(config-vlan-number)#
ServerIron(config-vlan-protocoltype)#
ServerIron(config-tc-cachename)#
ServerIron(config-tc-firewallname)#
ServerIron(config-rs-servername)#
ServerIron(config-url-policy)#
ServerIron(config-vs-servername)#
ServerIron(config-http-ml-listname)#
ServerIron(config-slb-mon)#
NOTE: The CLI prompt at the interface level includes the port speed. The speed is one of the following:
For simplicity, the port speeds sometimes are not shown in example Interface level prompts in this manual.
ServerIron> ? <return>
enable
fastboot
You also can use the question mark (?) with an individual command to see all available options for that command
or to check context.
To view possible copy command options, enter the following:
ServerIron# copy ?
flash
running-config
startup-config
tftp
ServerIron# copy flash ?
tftp
Syntax Shortcuts
Commands and parameters can be abbreviated as long as enough text is entered to distinguish them from other
commands at that level. For example, given the possible commands copy tftp and config tftp, possible
shortcuts are cop tftp and con tftp respectively. In this case, co does not distinguish the two commands.
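As an added illustration of the abbreviation rule above (example code, not from the Foundry manual), the following Python resolves an abbreviated command line keyword by keyword against a small constructed command tree built from the ? and copy ? output shown earlier. The tftp continuation and the show options in the tree are assumptions; the tree also answers a trailing ? with the options available at that point, as the manual describes.

```python
"""Prefix resolution for a ServerIron-style CLI (added example, not manual code)."""
from typing import Dict, List, Tuple

# Constructed command tree: each key is a keyword, each value the keywords
# that may follow it. An empty dict means the command line is complete.
# The "copy tftp" continuation and the "show" options are assumptions.
PRIV_EXEC_TREE: Dict = {
    "configure": {"terminal": {}},
    "copy": {
        "flash": {"tftp": {}},
        "running-config": {"tftp": {}},
        "startup-config": {"tftp": {}},
        "tftp": {"flash": {}},
    },
    "enable": {},
    "fastboot": {},
    "ping": {},
    "show": {"running-config": {}, "version": {}},
}


def match_keyword(abbrev: str, choices: Dict) -> List[str]:
    """Return every keyword at this level that abbrev is a prefix of."""
    return sorted(k for k in choices if k.startswith(abbrev))


def resolve(line: str, tree: Dict = PRIV_EXEC_TREE) -> Tuple[str, List[str]]:
    """Expand an abbreviated command line one keyword at a time.

    Returns ("ok", [full keywords]) when every token is unambiguous,
    ("ambiguous", [candidates]) at the first token matching several keywords,
    ("unknown", [token]) at the first token matching none, or
    ("options", [keywords]) when the line ends in "?" (help at that point).
    """
    level = tree
    expanded: List[str] = []
    for token in line.split():
        if token == "?":
            # "?" lists what may be entered at this point, like "copy ?".
            return ("options", sorted(level))
        matches = match_keyword(token, level)
        if not matches:
            return ("unknown", [token])
        if len(matches) > 1:
            # e.g. "co" matches both "configure" and "copy".
            return ("ambiguous", matches)
        expanded.append(matches[0])
        level = level[matches[0]]
    return ("ok", expanded)


if __name__ == "__main__":
    for cmd in ("cop tftp", "con term", "co tftp", "copy ?", "copy fl ?"):
        print(f"{cmd!r:12} -> {resolve(cmd)}")
```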
allows you to make configuration changes to the operating or running configuration of the ServerIron to
address a short-term requirement or validate a configuration without overwriting the permanent configuration
file, the startup configuration, that is saved in the system flash, and;
ensures that dependent or related configuration changes are all cut in at the same time.
In all cases, if you want to make the changes permanent, you need to save the changes to flash using the write
memory command. When you save the configuration changes to flash, this will become the configuration that is
initiated and run at system boot.
NOTE: The majority of configuration changes are dynamic in nature. Those changes that require a reset of the
system are highlighted in the specific configuration chapter and in the CLI commands of this appendix.
Chapter 3
Command List
This chapter lists all the commands in the CLI. The commands are listed in two ways:
All commands are listed together in a single alphabetic list. See Complete Command List on page 3-1.
Commands are listed separately for each CLI level (for example, global CONFIG level, BGP4 level, and so
on). See Commands Listed by CLI Level on page 3-16.
In each list, the page numbers in this reference that describe the commands are listed.
6-1
aaa authorization
6-2
aaa accounting
6-3
access-list (standard)
6-3
access-list (extended)
6-5
acl-id
11-1, 12-1
active-management
7-1
all-client
6-7
always-active
9-1
append
5-1
arp
6-8
asymmetric
atalk-proto
10-1
6-8, 9-1
attrib
5-1
auto-gig
8-1
6-9
banner incoming
6-9
banner motd
6-9
bind
11-1
5-2, 6-10
5-2, 6-10
5-3, 6-10
5-3
5-3, 6-11
broadcast filter
6-11
broadcast limit
6-12, 8-1
cache-enable
11-2
cache-group
8-1
cache-name
12-1
capacity
16-1
capacity threshold
16-1
cd
10-1
5-4
chassis name
6-12
chassis poll-time
6-13
chassis trap-log
6-13
chdir
5-4
clear arp
5-4
5-5
clear ip cache
5-5
clear ip nat
5-5
clear ip traffic
5-6
clear logging
5-6
clear mac-address
5-6
clear public-key
5-6
clear rmon
5-6
clear server
5-7
5-7
5-8
clear statistics
5-8
5-8
clear web-connection
5-8
clock
5-8
clock summer-time
6-13
clock timezone
6-13
clone-server
10-2
configure terminal
5-9
confirm-port-up
6-14
console
6-14
5-9
5-9
5-10
5-10
5-10
5-11
5-11
5-11
5-12
5-12
5-13
5-13
5-13
5-14
5-14
5-14
crypto key
6-15
crypto random-number-seed
6-15
debug access-list
5-18
debug ip nat
5-16
decnet-proto
6-15, 9-2
default
17-1, 18-1
6-16
delete
5-16
deny redistribute
20-1
dest-nat
12-2
dhcp-gateway-list
dir
disable
5-17
12-2, 8-2
dns active-only
16-2
dns check-interval
16-2
dns ttl
16-2
down compound
18-1
down simple
18-2
enable
6-16, 8-2
enable <password>
4-1
4-1
enable password-display
6-17
enable skip-page-display
6-17
6-18
6-18
6-18
6-18
end
6-18
5-18
5-18
erase startup-config
5-19
exceed-max-drop
10-2
exit
6-19
failover-acl
12-3
fastboot
4-2, 5-19
fast port-span
6-19
fast uplink-span
6-19
filter-match
10-3
flashback
16-3
16-3
6-19, 8-3
format
5-19
fwall-info
12-3
fwall-zone
12-4
fw-exceed-max-drop
12-4
fw-group
8-3
fw-health-check icmp
12-4
12-5
fw-name
12-6
fw-predictor
12-6
geographic
16-4
geo-location
15-1
gig-default
6-20, 8-3
gslb affinity
6-20
gslb communication
6-21
6-21
gslb policy
6-22
gslb protocol
6-22
gslb site
6-23
hash-mask
12-6
hash-port-range
12-7
hash-ports
12-7
hd
5-20
healthck
6-23
6-26
16-4
history
19-1
history-group
10-3
host-info
14-1
hostname
6-32
12-8
http match-list
6-32
httpredirect
11-3
interface ethernet
6-33
ip access-group
8-4
ip access-list
6-33
ip address (Layer 2)
6-34
ip address (Layer 3)
8-5
ip-address
10-4
ip default-gateway
6-34
ip dns domain-name
6-35
ip dns server-address
6-35
ip filter
6-35
ip forward
6-35
ipg10
8-9
ipg100
8-9
ipg1000
8-10
ip icmp burst
ip multicast
ip-multicast-disable
10-3, 11-3
6-36, 8-6
6-36
8-6
ip nat inside
6-36
ip nat pool
6-38
ip nat translation
6-38
ip policy
6-39
ip-policy
8-6
ip-proto
6-46, 9-2
ip rip
8-7
ip rip learn-default
8-7
ip rip poison-reverse
8-8
ip route
6-40
ip show-subnet-length
6-40
ip ssh authentication-retries
6-41
6-41
ip ssh password-authentication
6-41
ip ssh permit-empty-passwd
6-41
ip ssh port
6-42
ip ssh pub-key-file
6-42
ip ssh rsa-authentication
6-43
ip ssh scp
6-43
ip ssh timeout
6-43
ip strict-acl-mode
6-43
ip-subnet
6-46, 9-3
ip tcp burst
6-44, 8-8
ip ttl
6-45
ipx-network
6-47, 9-4
ipx-proto
6-47, 9-4
kill
5-20
l2-fwall
12-8
locate
5-20
lock-address ethernet
6-48
logging
6-48
mac-age-time
6-49
mac filter
6-50
mac filter-group
8-10
6-52
match
17-2
max-conn
10-4
max-tcp-conn-rate
10-5
max-udp-conn-rate
10-5
md
5-21
method
17-2
metric-order
16-4
mirror-port
6-52
mkdir
5-21
module
6-52
8-11
more
5-22
multicast filter
6-53
multicast limit
6-53, 8-11
5-22
5-23
5-23
5-24
5-24
5-24
5-25
5-25
5-26
5-26
5-26
5-26
5-27
5-27
5-28
neg-off
8-11
netbios-proto
6-54
no
6-54
no-group-failover
12-8
no-http-downgrade
12-9
num-session
16-6
num-session tolerance
16-6
other-ip
10-5
other-proto
page-display
6-54, 9-5
5-28
6-54
perf-mode
6-56
permit redistribute
20-2
phy-mode
8-12
ping
4-2, 5-28
port
10-5, 11-3
port disable-all
10-8
port unbind-all
10-8
port-name
8-12
predictor
11-7
prefer
13-1
prefer-cnt
12-9
preference
16-7
prefer-router-cnt
12-9
priority
9-6
privilege
6-55
protocol
16-7
pvst-mode
8-12
pwd
5-29
qos-priority
8-13
quit
6-55
radius-server
6-56
rconsole
5-30
rconsole-exit
5-30
rd
5-30
redistribution
20-3
reload
5-31
rename
5-31
relative-utilization
6-56
response-time
10-9
rmdir
5-31
rmon alarm
6-57
rmon event
6-57
6-58
round-trip-time
16-7
round-trip-time cache-interval
16-8
round-trip-time cache-prefix
16-8
round-trip-time explore-percentage
16-8
round-trip-time tolerance
16-9
router-interface
9-6
rshow
6-58
server active-active-port
6-59
server allow-sticky
6-59
server backup
6-60
server backup-group
6-60
server backup-port
6-60
server backup-preference
6-61
server backup-timer
6-61
server cache-group
6-61
server cache-name
6-62
server cache-router-offload
6-62
server cache-stateful
6-62
server clock-scale
6-62
server connection-log
6-63
server delay-symmetric
6-63
server force-delete
6-64
server fw-group
6-66
server fw-name
6-66
server fw-port
6-66
server fw-recv-stateful
6-66
server fw-slb
6-67
server fw-stateful
6-67
server fw-strict-sec
6-67
server fw-superzone
6-67
server icmp-message
6-68
server l4-check
6-68
6-68
server max-url-switch
6-69
server monitor
6-69
server msl
6-69
server no-fast-bringup
6-69
server no-real-l3-check
6-70
server no-remote-l3-check
6-70
server no-slow-start
6-70
server partner-ports
6-71
server path-group
6-71
server peer-group
6-71
server ping-interval
6-72
server ping-retries
6-72
server policy-hash-acl
6-73
server port
6-73
server predictor
6-78
server real-name
6-78
server reassign-threshold
6-78
server remote-name
6-79
server reverse-nat
6-80
server response-time
6-79
server router-ports
6-81
server session-id-age
6-81
server session-limit
6-81
server slb-fw
6-81
server source-ip
6-82
server source-nat
6-82
server source-nat-ip
6-82
server source-standby-ip
6-83
server sticky-age
6-83
server sym-pdu-rate
6-83
server syn-def
6-84
server syn-limit
6-84
server tcp-age
6-85
server transparent-vip
6-85
server udp-age
6-85
server use-simple-ssl-health-check
6-86
server virtual-name
6-86
server vpn-lb
6-86
server vpn-lb-inside
6-87
service password-encryption
6-87
show aaa
21-1
show arp
21-1
show cache-group
21-2
show chassis
21-2
show clock
21-3
show configuration
21-3
show default
21-3
show flash
21-4
show fw-group
21-4
show fw-hash
21-4
21-5
21-6
21-6
21-7
21-8
21-8
21-9
21-10
show healthck
21-11
21-12
21-12
show interfaces
21-12
show ip
21-13
show ip cache
21-13
show ip client-public-key
21-14
21-14
show ip interface
21-14
show ip multicast
21-15
21-15
21-15
show ip policy
21-16
show ip route
21-16
show ip ssh
21-16
show ip static-arp
21-17
show ip traffic
21-17
show logging
21-18
show mac-address
21-20
21-21
show media
21-21
show module
21-22
show monitor
21-22
show policy-map
21-22
show relative-utilization
21-23
show reload
21-23
21-23
21-24
21-24
21-24
show running-config
21-25
21-25
21-25
21-26
21-26
21-26
21-27
21-27
21-27
21-28
21-29
21-29
21-29
21-30
21-30
21-31
show span
21-32
21-32
show statistics
21-33
21-34
show tech-support
21-34
show telnet
21-34
show trunk
21-35
show users
21-35
show version
21-35
show vlans
21-36
show web-connection
21-36
show who
21-36
show wsm-map
21-36
show wsm-state
21-37
si-name
15-2
skip-page-display
5-32
snmp-client
6-88
snmp-server community
6-88
snmp-server contact
6-88
6-89
6-89
snmp-server host
6-89
snmp-server location
6-89
snmp-server pw-check
6-90
snmp-server trap-source
6-90
snmp-server view
6-90
sntp
5-32
6-91
sntp server
6-91
source-nat
10-9, 12-10
source-sticky
11-7
spanning-tree
spanning-tree <parameter>
6-91
speed-duplex
8-14
spoof-support
12-10
static-mac-address
static-prefix
stop-traceroute
sym-active
sym-priority
sync-standby
6-92, 9-8
16-9
4-3, 5-32
11-8
11-8, 12-11
5-33, 7-2
system-max
6-94
tacacs-server
6-94
tagged
9-9
tag-type
6-95
tcp-port
17-3
5-33
telnet access-group
6-95
telnet client
6-95
telnet login-timeout
6-96
telnet server
6-96
6-96
telnet timeout
6-97
temperature shutdown
5-33
temperature warning
5-34
6-97
traceroute
4-3, 5-34
track
11-9
track-group
11-9
transparent-vip
11-9
6-97
undebug access-list
5-34
undebug ip nat
5-35
undelete
5-35
unknown-unicast limit
untagged
6-98, 8-14
9-9
up compound
18-3
uplink-switch
9-10
up simple
18-3
url-host-id
12-11
url-map
12-11, 6-98
url-switch
12-11
username
6-98
virtual-ip
12-12
vlan
6-99
vlan-dynamic-discovery
6-99
vlan max-vlans
6-100
web access-group
6-100
web client
6-100
web-management
6-100
6-101
weight
10-10
whois
5-35
write memory
5-36
write terminal
5-36
wsm boot
6-101
5-36
5-36
wsm wsm-map
6-102
4-1
enable <password>
4-1
4-1
fastboot
4-2
ping
4-2
rshow
4-3
show
4-3
stop-traceroute
4-3
traceroute
4-3
5-1
attrib
5-1
5-2
5-2
5-3
5-3
5-3
cd
5-4
chdir
5-4
clear arp
5-4
5-5
clear ip cache
5-5
clear ip nat
5-5
clear ip traffic
5-6
clear logging
5-6
clear mac-address
5-6
clear public-key
5-6
clear rmon
5-6
clear server
5-7
5-7
clear snmp-server
5-8
clear statistics
5-8
5-8
clear web-connection
5-8
clock
5-8
configure terminal
5-9
5-9
5-9
5-10
5-10
5-10
5-11
5-11
5-11
5-12
5-12
5-13
5-13
5-13
5-14
5-14
5-14
debug access-list
5-18
debug ip nat
5-16
delete
5-16
5-17
5-18
5-18
erase startup-config
5-19
exit
5-19
fastboot
5-19
format
5-19
hd
5-20
kill
5-20
locate
5-20
md
5-21
mkdir
5-21
more
5-22
5-22
5-23
5-23
5-24
5-24
5-24
5-25
5-25
5-26
5-26
5-26
5-26
5-27
5-27
5-28
page-display
5-28
5-28
pwd
5-29
quit
5-30
rconsole
5-30
rconsole-exit
5-30
rd
5-30
reload
5-31
rename
5-31
rmdir
5-31
rshow
5-32
show
5-32
skip-page-display
5-32
sntp
5-32
stop-traceroute
5-32
sync-standby
5-33
5-33
temperature shutdown
5-33
temperature warning
5-34
traceroute
5-34
undebug access-list
5-34
undebug ip nat
5-35
undelete
5-35
whois
5-35
write memory
5-36
write terminal
5-36
5-36
5-36
CONFIG Commands
CONFIG commands modify the configuration of a Foundry ServerIron product. This reference describes the
following CONFIG CLI levels.
Global Level
The global CONFIG level allows you to globally apply or modify parameters for ports on the switch or router. You
reach this level by entering configure terminal at the privileged EXEC level.
Table 3.4: Global CONFIG Commands
aaa authentication
6-1
aaa authorization
6-2
aaa accounting
6-3
access-list (standard)
6-3
access-list (extended)
6-5
all-client
6-7
arp
6-8
atalk-proto
6-8
banner exec
6-9
banner incoming
6-9
banner motd
6-9
6-10
6-10
6-10
6-11
broadcast filter
6-11
broadcast limit
6-12
chassis name
6-12
chassis poll-time
6-13
chassis trap-log
6-13
clear
6-13
clock summer-time
6-13
clock timezone
6-13
confirm-port-up
6-14
console
6-14
crypto key
6-15
crypto random-number-seed
6-15
decnet-proto
6-15
default-vlan-id
6-16
dhcp-gateway-list
6-16
6-17
enable password-display
6-17
enable skip-page-display
6-17
6-18
6-18
6-18
6-18
end
6-18
exit
6-19
fast port-span
6-19
fast uplink-span
6-19
flow-control
6-19
gig-default
6-20
gslb affinity
6-20
gslb communication
6-21
6-21
gslb policy
6-22
gslb protocol
6-22
gslb site
6-23
healthck
6-23
6-26
hostname
6-32
http match-list
6-32
interface ethernet
6-33
ip access-list
6-33
ip address (Layer 2)
6-34
ip default-gateway
6-34
ip dns domain-name
6-35
ip dns server-address
6-35
ip filter
6-35
ip forward
6-35
6-36
ip multicast
6-36
ip nat inside
6-36
ip nat pool
6-38
ip nat translation
6-38
ip policy
6-39
ip route
6-40
ip show-subnet-length
6-40
ip ssh authentication-retries
6-41
ip ssh key-size
6-41
ip ssh password-authentication
6-41
ip ssh permit-empty-passwd
6-41
ip ssh port
6-42
ip ssh pub-key-file
6-42
ip ssh rsa-authentication
6-43
ip ssh scp
6-43
ip ssh timeout
6-43
ip strict-acl-mode
6-43
ip tcp burst
6-44
ip tcp conn-rate
6-44
ip tcp conn-rate-change
6-45
ip tcp syn-proxy
6-45
ip ttl
6-45
ip-proto
6-46
ip-subnet
6-46
ipx-network
6-47
ipx-proto
6-47
lock-address ethernet
6-48
logging
6-48
mac-age-time
6-49
mac filter
6-50
6-52
mirror-port
6-52
6-52
multicast filter
6-53
multicast limit
6-53
netbios-proto
6-54, 9-5
no
6-54
other-proto
6-54
password-change
6-54
perf-mode
6-56
privilege
6-55
quit
6-55
radius-server
6-56
relative-utilization
6-56
rmon alarm
6-57
rmon event
6-57
rmon history
6-58
router-interface
9-6
rshow
6-58
server active-active-port
6-59
server allow-sticky
6-59
server backup
6-60
server backup-group
6-60
server backup-port
6-60
server backup-preference
6-61
server backup-timer
6-61
server cache-group
6-61
server cache-name
6-62
server cache-router-offload
6-62
server cache-stateful
6-62
server clock-scale
6-62
server connection-log
6-63
server delay-symmetric
6-63
server force-delete
6-64
server fw-group
6-66
6-66
server fw-port
6-66
server fw-recv-stateful
6-66
server fw-slb
6-67
server fw-stateful
6-67
server fw-strict-sec
6-67
server fw-superzone
6-67
server icmp-message
6-68
server l4-check
6-68
server max-conn-trap
6-68
server max-ssl-session-id
6-68
server max-url-switch
6-69
server monitor
6-69
server no-fast-bringup
6-69
server no-real-l3-check
6-70
server no-remote-l3-check
6-70
server no-slow-start
6-70
server partner-ports
6-71
server path-group
6-71
server peer-group
6-71
server ping-interval
6-72
server ping-retries
6-72
server policy-hash-acl
6-73
server port
6-73
server predictor
6-78
server real-name
6-78
server reassign-threshold
6-78
server remote-name
6-79
server response-time
6-79
server reverse-nat
6-80
server router-ports
6-81
server session-id-age
6-81
server session-limit
6-81
server slb-fw
6-81
server source-ip
6-82
server source-nat
6-82
server source-nat-ip
6-82
server source-standby-ip
6-83
server sticky-age
6-83
server sym-pdu-rate
6-83
server syn-def
6-84
server syn-limit
6-84
server tcp-age
6-85
server transparent-vip
6-85
server udp-age
6-85
server use-simple-ssl-health-check
6-86
server virtual-name
6-86
server vpn-lb
6-86
server vpn-lb-inside
6-87
service password-encryption
6-87
show
6-88
snmp-client
6-88
snmp-server community
6-88
snmp-server contact
6-88
6-89
6-89
snmp-server host
6-89
snmp-server location
6-89
snmp-server pw-check
6-90
snmp-server trap-source
6-90
snmp-server view
6-90
sntp poll-interval
6-91
sntp server
6-91
spanning-tree
6-91
spanning-tree <parameter>
6-91
static-mac-address
6-92
6-94
tacacs-server
6-94
tag-type
6-95
telnet access-group
6-95
telnet client
6-95
telnet login-timeout
6-96
telnet server
6-96
6-96
telnet timeout
6-97
6-97
trunk
6-97
unknown-unicast limit
6-98
url-map
6-98
username
6-98
vlan
6-99
vlan-dynamic-discovery
6-99
vlan max-vlans
6-100
web access-group
6-100
web client
6-100
web-management
6-100
6-101
write memory
6-101
write terminal
6-101
wsm boot
6-101
wsm wsm-map
6-102
Redundancy Level
The redundancy CONFIG level allows you to configure parameters on redundant management modules. You reach this level by entering redundancy at the global CONFIG level.
Table 3.5: Redundancy CONFIG Commands
active-management  7-1
end  7-2
exit  7-2
no  7-2
quit  7-2
show  7-2
sync-standby  7-2
write memory  7-3
write terminal  7-3
Interface Level
The interface level allows you to assign or modify specific port parameters on a port-by-port basis. You reach this level by entering interface ethernet <portnum> or interface ve <num> at the global CONFIG level.
Table 3.6: Interface Commands
auto-gig  8-1
broadcast limit  8-1
cache-group  8-1
clear  8-2
dhcp-gateway-list  8-2
disable  8-2
enable  8-2
end  8-2
exit  8-3
flow-control  8-3
fw-group  8-3
gig-default  8-3
ip access-group  8-4
ip address (Layer 3)  8-5
ip icmp burst  8-6
ip-multicast-disable  8-6
ip-policy  8-6
8-7
ip rip learn-default  8-7
ip rip poison-reverse  8-8
ip tcp burst  8-8
ip tcp syn-proxy  8-9
ipg10  8-9
ipg100  8-9
ipg1000  8-10
mac filter-group  8-10
monitor  8-11
multicast limit  8-11
neg-off  8-11
no  8-12
phy-mode  8-12
port-name  8-12
pvst-mode  8-12
qos-priority  8-13
quit  8-13
rshow  8-13
show  8-13
spanning-tree  8-13
speed-duplex  8-14
unknown-unicast limit  8-14
write memory  8-14
write terminal  8-14
VLAN Level
The VLAN level allows you to configure VLAN parameters. You reach this level by entering the vlan <vlan-id> by port command at the Global CONFIG Level.
Table 3.7: VLAN Commands
always-active  9-1
atalk-proto  9-1
decnet-proto  9-2
end  9-2
9-2
ip-proto  9-2
ip-subnet  9-3
ipx-network  9-4
ipx-proto  9-4
netbios-proto  9-5
no  9-5
other-proto  9-5
priority  9-6
quit  9-6
rshow  9-7
show  9-7
spanning-tree  9-7
static-mac-address  9-8
tagged  9-9
untagged  9-9
uplink-switch  9-10
write memory  9-10
write terminal  9-10
Table 3.8: Real Server, Cache Server, and Firewall CONFIG Commands
asymmetric  10-1
backup  10-1
clear  10-1
clone-server  10-2
description  10-2
end  10-2
exceed-max-drop  10-2
exit  10-3
filter-match  10-3
history-group  10-3
host-range  10-3
ip-address  10-4
max-conn  10-4
max-tcp-conn-rate  10-5
max-udp-conn-rate  10-5
no  10-5
other-ip  10-5
port  10-5
port disable-all  10-8
port unbind-all  10-8
quit  10-8
response-time  10-9
rshow  10-9
show  10-9
source-nat  10-9
weight  10-10
write memory  10-10
write terminal  10-11
11-1
bind  11-1
cache-enable  11-2
clear  11-2
end  11-2
exit  11-2
host-range  11-3
httpredirect  11-3
no  11-3
port  11-3
11-7
quit  11-7
rshow  11-7
show  11-7
source-sticky  11-7
sym-active  11-8
sym-priority  11-8
track  11-9
track-group  11-9
transparent-vip  11-9
write memory  11-9
write terminal  11-10
Table 3.10: Cache Group and Firewall Group CONFIG Commands
acl-id  12-1
cache-name  12-1
clear  12-2
dest-nat  12-2
disable  12-2
end  12-2
exit  12-3
failover-acl  12-3
fwall-info  12-3
fwall-zone  12-4
fw-exceed-max-drop  12-4
fw-health-check icmp  12-4
12-5
fw-name  12-6
fw-predictor  12-6
hash-mask  12-6
hash-port-range  12-7
hash-ports  12-7
http-cache-control  12-8
l2-fwall  12-8
no  12-8
no-group-failover  12-8
no-http-downgrade  12-9
prefer-cnt  12-9
prefer-router-cnt  12-9
quit  12-10
rshow  12-10
show  12-10
source-nat  12-10
spoof-support  12-10
sym-priority  12-11
url-host-id  12-11
url-map  12-11
url-switch  12-11
virtual-ip  12-12
write memory  12-12
write terminal  12-12
13-1
exit  13-1
no  13-1
prefer  13-1
quit  13-2
rshow  13-2
show  13-2
write memory  13-2
13-3

14-1
exit  14-1
host-info  14-1
no  14-2
quit  14-2
rshow  14-3
show  14-3
write memory  14-3
write terminal  14-3

end  15-1
exit  15-1
geo-location  15-1
no  15-2
quit  15-2
rshow  15-2
show  15-2
si-name  15-2
write memory  15-3
write terminal  15-3

16-1
capacity threshold  16-1
dns active-only  16-2
dns check-interval  16-2
dns ttl  16-2
end  16-2
exit  16-3
flashback  16-3
16-3
geographic  16-4
health-check  16-4
metric-order  16-4
no  16-6
num-session  16-6
num-session tolerance  16-6
preference  16-7
protocol  16-7
quit  16-7
round-trip-time  16-7
round-trip-time cache-interval  16-8
round-trip-time cache-prefix  16-8
round-trip-time explore-percentage  16-8
round-trip-time tolerance  16-9
rshow  16-9
show  16-9
static-prefix  16-9
write memory  16-10
write terminal  16-10

17-1
end  17-1
exit  17-1
match  17-2
method  17-2
no  17-2
quit  17-2
rshow  17-2
show  17-3
tcp-port  17-3
write memory  17-3
write terminal  17-3

default  18-1
down compound  18-1
down simple  18-2
end  18-2
exit  18-2
no  18-2
quit  18-2
rshow  18-3
show  18-3
up compound  18-3
up simple  18-3
write memory  18-3
write terminal  18-3

19-1
exit  19-1
history  19-1
no  19-2
quit  19-2
rshow  19-2
show  19-2
write memory  19-2
write terminal  19-2

20-1
end  20-2
exit  20-2
no  20-2
permit redistribute  20-2
quit  20-3
redistribution  20-3
rshow  20-3
show  20-4
write memory  20-4
write terminal  20-4
Show Commands
The show commands display configuration information and statistics. You can enter these commands from any level of the CLI.
Table 3.19: Show Commands
show aaa  21-1
show arp  21-1
show cache-group  21-2
show chassis  21-2
show clock  21-3
show configuration  21-3
show default  21-3
show flash  21-4
show fw-group  21-4
show fw-hash  21-4
21-5
21-6
21-6
21-7
21-8
21-8
21-9
21-10
show healthck  21-11
21-12
21-12
show interfaces  21-12
show ip  21-13
show ip cache  21-13
show ip client-public-key  21-14
show ip filter-cache  21-14
show ip interface  21-14
show ip multicast  21-15
21-15
21-15
show ip policy  21-16
show ip route  21-16
show ip ssh  21-16
show ip static-arp  21-17
show ip traffic  21-17
21-18
show mac-address  21-20
21-21
show media  21-21
show module  21-22
show monitor  21-22
show policy-map  21-22
show relative-utilization  21-23
show reload  21-23
21-23
21-24
21-24
21-24
show running-config  21-25
21-25
21-25
21-25
21-26
21-26
21-26
21-27
21-27
21-27
21-28
21-29
21-29
21-29
21-30
21-30
21-31
show span  21-32
21-32
show statistics  21-33
21-34
show tech-support  21-34
show telnet  21-34
show trunk  21-35
show users  21-35
show version  21-35
show vlans  21-36
show web-connection  21-36
show who  21-36
show wsm-map  21-36
show wsm-state  21-37
Chapter 4
User EXEC Commands
enable
At initial startup, you enter this command to access the privileged EXEC level of the CLI. You access subsequent
levels of the CLI using the proper launch commands.
You can assign a permanent password with the enable password command at the global level of the CONFIG
command structure. To reach the global level, enter configure terminal. Until a password is assigned, you have
access only to the user level.
NOTE: You also can configure the ServerIron to authenticate access using a RADIUS or TACACS/TACACS+
server or local user accounts. See the Foundry Security Guide.
EXAMPLE:
ServerIron> enable
Syntax: enable
Possible values: N/A
Default value: No system default
enable <password>
Once a password is defined for the ServerIron, you must enter this command along with the defined password to
access the privileged EXEC Level of the CLI.
Three levels of password access can be assigned at the global CONFIG level.
EXAMPLE:
ServerIron> enable whatever
ServerIron#
fastboot
By default, this option is turned off, to provide a three-second pause to allow you to break into the boot prompt, if
necessary. Use fastboot on to turn this option on and eliminate the three-second pause. To turn this feature off
later, enter the command, fastboot off. Fastboot changes will be saved automatically but will not become active
until after a system reset.
To execute an immediate reload of the boot code from the console without a three-second delay, enter the fast
reload command. The fast reload command is found at the privileged level.
EXAMPLE:
ServerIron> fastboot on
ping
Verifies connectivity to a Foundry device or another device. The command performs an ICMP echo test to confirm
connectivity to the specified device.
NOTE: If you address the ping to the IP broadcast address, the device lists the first four responses to the ping.
EXAMPLE:
ServerIron> ping 192.22.2.33
Syntax: ping <ip addr> | <hostname> [source <ip addr>] [count <num>] [timeout <msec>] [ttl <num>] [size <byte>]
[quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief]
The only required parameter is the IP address or host name of the device.
NOTE: If the device is a Foundry Layer 2 or Layer 3 Switch, you can use the host name only if you have already
enabled the Domain Name Server (DNS) resolver feature on the device from which you are sending the ping. See
the Configuring Basic Features chapter of the Foundry Switch and Router Installation and Basic Configuration
Guide.
The source <ip addr> specifies an IP address to be used as the origin of the ping packets.
The count <num> parameter specifies how many ping packets the device sends. You can specify from 1 to
4294967296. The default is 1.
The timeout <msec> parameter specifies how many milliseconds the Foundry device waits for a reply from the
pinged device. You can specify a timeout from 1 to 4294967296 milliseconds. The default is 5000 (5 seconds).
The ttl <num> parameter specifies the maximum number of hops. You can specify a TTL from 1 to 255. The
default is 64.
The size <byte> parameter specifies the size of the ICMP data portion of the packet. This is the payload and does
not include the header. You can specify from 0 to 4000. The default is 16.
The no-fragment parameter turns on the "don't fragment" bit in the IP header of the ping packet. This option is
disabled by default.
The quiet parameter hides informational messages such as a summary of the ping parameters sent to the device
and instead only displays messages indicating the success or failure of the ping. This option is disabled by
default.
The verify parameter verifies that the data in the echo packet (the reply packet) is the same as the data in the
echo request (the ping). By default the device does not verify the data.
The data <1-to-4 byte hex> parameter lets you specify a specific data pattern for the payload instead of the default
data pattern, "abcd", in the packet's data payload. The pattern repeats itself throughout the ICMP message
(payload) portion of the packet.
NOTE: For numeric parameter values, the CLI does not check that the value you enter is within the allowed
range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid
value.
The brief parameter causes ping test characters to be displayed. The following ping test characters are
supported:
!
Indicates that the network server timed out while waiting for a reply.
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the device. See Show Commands on
page 21-1.
stop-traceroute
Stops an initiated trace on a Foundry device.
EXAMPLE:
ServerIron> stop-traceroute
Syntax: stop-traceroute
Possible values: N/A
Default value: N/A
traceroute
Allows you to trace the path from the current Foundry device to a host address.
The CLI displays trace route information for each hop as soon as the information is received. Traceroute requests
display all responses to a given TTL. In addition, if there are multiple equal-cost routes to the destination, the
Foundry device displays up to three responses by default.
EXAMPLE:
ServerIron> traceroute 192.33.4.7 minttl 5 maxttl 5 timeout 5
Syntax: traceroute <host-ip-addr> [maxttl <value>] [minttl <value>] [numeric] [timeout <value>]
[source-ip <ip addr>]
Chapter 5
Privileged EXEC Commands
append
Appends a file on a PCMCIA flash card to the end of another file.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
BigServerIron# append newacls.cfg startup-config.cfg
This command appends a file called newacls.cfg to the end of a file called startup-config.cfg. This example
assumes that both files are present on the PCMCIA slot and in the subdirectory level that currently have the
management focus.
The following command appends a file in the current subdirectory to the end of a file in another subdirectory:
BigServerIron# append newacls.cfg \TEST\startup-config.cfg
attrib
Changes the read-write attribute of a file on a flash card in a Management IV module's PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
The read-write attribute specifies whether a file on a flash card can be changed or deleted.
Read-only: You can display or copy the file but you cannot replace (copy over) or delete the file.
Read-write: You can replace (copy over) or delete the file. This is the default.
flash primary
flash secondary
TFTP
BootP
If the image does not load successfully from the above sources, you are prompted to enter alternative locations
from which to load an image:
EXAMPLE:
ServerIron# boot system bootp
cd
Another form of the chdir command. See chdir on page 5-4.
chdir
Switches the management focus from one flash card in a Management IV module's PCMCIA slot to the other slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
The effect of file management commands depends on the flash card that has the management focus. For
example, if you enter a command to delete a file, the software deletes the specified file from the flash card that
currently has the management focus.
EXAMPLE:
To switch the focus of the CLI from one flash card to the other, enter a command such as the following:
BigServerIron# cd slot2
BigServerIron#
clear arp
Removes all data from the ARP cache.
EXAMPLE:
ServerIron# clear arp
The following command clears all ARP entries for port 2 on the module in slot 3.
ServerIron# clear arp ethernet 3/2
Syntax: clear arp [ethernet <num> | mac-address <xxxx.xxxx.xxxx> [<mask>] | <ip-addr> [<ip-mask>]]
Specify the MAC address mask as f's and 0's, where f's are significant bits. Specify IP address masks in
standard decimal mask format (for example, 255.255.0.0).
Possible values: N/A
clear ip cache
Removes all entries from the IP cache.
EXAMPLE:
ServerIron# clear ip cache
clear ip nat
Clears entries from the NAT table. The software provides the following clear options:
Clear an entry for a specific NAT entry based on the private and global IP addresses
Clear an entry for a specific NAT entry based on the IP addresses and the TCP or UDP port number. Use this
option when you are trying to clear specific entries created using the Port Address Translation feature.
NOTE: These commands are not supported on the ServerIron 400 or ServerIron 800.
EXAMPLE:
To clear all dynamic entries from the NAT translation table, enter the following command at the Privileged EXEC
level of the CLI:
ServerIron# clear ip nat all
clear ip traffic
Clears the IP traffic statistics.
EXAMPLE:
ServerIron# clear ip traffic
clear logging
Removes all entries from the SNMP event log.
EXAMPLE:
ServerIron# clear logging
clear mac-address
Removes all static MAC address entries from the address table.
EXAMPLE:
ServerIron# clear mac-address
clear public-key
Clears the public keys from the active configuration.
EXAMPLE:
ServerIron# clear public-key
clear rmon
Clears packet statistics displayed by the show rmon statistics command. See show rmon statistics on
page 21-24.
EXAMPLE:
ServerIron# clear rmon
Range:1  State:await_delete  Resp-time Wt:0  Mac-addr: Unknown  Max-conn:1000000
State  Ms  CurConn  TotConn  Rx-pkts  Tx-pkts  Rx-octet  Tx-octet  Reas
-----  --  -------  -------  -------  -------  --------  --------  ----
unbnd  0   0        0        0        0        0         0         0
unbnd  0   0        0        0        0        0         0         0
Server Total   0        0        0        0
ServerIron(config)# clear server session rs1
The no server real command deletes real server "rs1". The show server real command displays the states of
the real servers. Notice that rs1 is still listed as a valid real server, and has the state "await_delete". If the show
server real command does not list the deleted server, the server has been completely deleted.
If the server continues to be listed with the "await_delete" state after several minutes, enter the clear server
session command to finish deleting the server. The clear server session command deletes the remaining
sessions for rs1, after which the ServerIron can finish deleting the server. You can enter this command
immediately after entering the no server real command. You do not need to wait for any sessions to end
normally.
clear statistics
Clears packet statistics displayed by the show statistics command. See show statistics on page 21-33.
EXAMPLE:
ServerIron# clear statistics
clear web-connection
Clears all Web management interface sessions with the ServerIron. The sessions are immediately ended when
you enter the command.
EXAMPLE:
ServerIron# clear web-connection
clock
The system clock can be set for a ServerIron. This command allows you to set the time and date. The time zone
must be set using the clock timezone... command at the global CONFIG level.
NOTE: Clock settings are not saved over power cycles; however, you can configure the system to reference a
SNTP server at power up. This server will then automatically download the correct time reference for the network.
For more details on this capability, reference the sntp command at the privileged EXEC level and the sntp poll-interval and sntp server commands at the global CONFIG level.
EXAMPLE:
ServerIron# clock set 10:15:05 10-15-98
configure terminal
Launches you into the global CONFIG level.
EXAMPLE:
ServerIron# configure terminal
ServerIron(config)#
NOTE: This feature allows you to preconfigure and load large sets of ACLs. If you accidentally try to load a
running-config file that contains other types of configuration information using this method, the software might
display error messages. This occurs when the device's parser encounters lines in the file that do not correspond
to valid configuration commands.
NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> running command. See
ncopy slot1 | slot2 <from-name> running on page 5-24.
EXAMPLE:
To copy a running-config file from a flash card, enter a command such as the following:
BigServerIron# copy slot2 running runip.2
debug ip nat
Places the device in diagnostic mode for Network Address Translation (NAT).
NOTE: This command is not supported on the ServerIron 400 or ServerIron 800.
EXAMPLE:
ServerIron# debug ip nat icmp 0.0.0.0
NAT: icmp src 10.10.100.18 => trans 192.168.2.79 dst 204.71.202.127
NAT: 192.168.2.79 204.71.202.127 ID 35768 len 60 txfid 13 icmp (8/0/512/519)
NAT: 204.71.202.127 10.10.100.18 ID 11554 len 60 txfid 15 icmp (0/0/512/519)
ServerIron# debug ip nat tcp 0.0.0.0
NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53
NAT: 192.168.2.78:8016 192.168.2.158:53 flags S ID 57970 len 44 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags S A ID 22762 len 44 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58226 len 40 txfid 13
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58482 len 77 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23018 len 42 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58738 len 40 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23274 len 131 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags FA ID 58994 len 40 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23530 len 40 txfid 15
NAT: 192.168.2.158:53 10.10.100.18:1473 flags FA ID 23786 len 40 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 59250 len 40 txfid 13
ServerIron# debug ip nat udp 0.0.0.0
NAT: udp src 10.10.100.18:1561 => trans 192.168.2.79:65286 dst 192.168.3.11:53
NAT: 192.168.2.79:65286 192.168.3.11:53 ID 35512 len 58 txfid 13
NAT: 192.168.3.11:53 10.10.100.18:1560 ID 8453 len 346 txfid 15
ServerIron# debug ip nat transdata
NAT: icmp src 10.10.100.18:2048 => trans 192.168.2.79 dst 204.71.202.127
NAT: udp src 10.10.100.18:1561 => trans 192.168.2.79:65286 dst 192.168.3.11:53
NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53
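The "src => trans ... dst" lines in the debug output above are what an analyst needs to map a translated (global) address seen at the perimeter back to the inside host that produced the traffic, and to spot translated addresses that several inside hosts share through Port Address Translation. The following Python parser is an added example, not part of the Foundry manual or the ServerIron software; its sample lines are constructed in the shape shown above, and the Translation type and function names are the example's own.

```python
"""Rebuild the NAT translation table from 'debug ip nat' output (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the debug lines shown in the manual: the
# 'src => trans ... dst' lines carry the mapping; the per-packet lines do not.
SAMPLE_DEBUG = """\
NAT: icmp src 10.10.100.18 => trans 192.168.2.79 dst 204.71.202.127
NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53
NAT: udp src 10.10.100.18:1561 => trans 192.168.2.79:65286 dst 192.168.3.11:53
NAT: udp src 10.10.100.20:1562 => trans 192.168.2.79:65287 dst 192.168.3.11:53
NAT: 192.168.2.78:8016 192.168.2.158:53 flags S ID 57970 len 44 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags S A ID 22762 len 44 txfid 15
"""

_MAPPING = re.compile(
    r"^NAT: (?P<proto>icmp|tcp|udp) src (?P<src>\S+) => trans (?P<trans>\S+) dst (?P<dst>\S+)$"
)


def _endpoint(text):
    """Split 'addr' or 'addr:port' into (addr, port or None); ICMP lines carry no port."""
    addr, sep, port = text.partition(":")
    return addr, (int(port) if sep else None)


@dataclass(frozen=True)
class Translation:
    proto: str
    inside: str                  # private (inside) address
    inside_port: Optional[int]
    outside: str                 # translated (global) address
    outside_port: Optional[int]
    dst: str
    dst_port: Optional[int]


def parse_translations(text):
    """Extract one Translation per 'src => trans' mapping line; skip packet traces."""
    found = []
    for line in text.splitlines():
        m = _MAPPING.match(line.strip())
        if not m:
            continue  # per-packet trace line: no mapping to record
        ia, ip = _endpoint(m["src"])
        oa, op = _endpoint(m["trans"])
        da, dp = _endpoint(m["dst"])
        found.append(Translation(m["proto"], ia, ip, oa, op, da, dp))
    return found


def inside_host_for(translations, proto, outside_addr, outside_port=None):
    """Reverse lookup: the inside host behind a translated address (and port)."""
    for t in translations:
        if (t.proto == proto and t.outside == outside_addr
                and (outside_port is None or t.outside_port == outside_port)):
            return t.inside
    return None


def shared_outside_addresses(translations):
    """Translated addresses serving more than one inside host (PAT in use).
    For these, the translated port is required to attribute traffic unambiguously."""
    hosts_by_outside = {}
    for t in translations:
        hosts_by_outside.setdefault(t.outside, set()).add(t.inside)
    return sorted(a for a, hosts in hosts_by_outside.items() if len(hosts) > 1)


if __name__ == "__main__":
    table = parse_translations(SAMPLE_DEBUG)
    print(len(table), "translations;", "PAT addresses:", shared_outside_addresses(table))
```

The per-packet "flags ... ID ... txfid" lines are deliberately ignored: they show the already-translated flow, but only the mapping lines state which inside address the translated one stands for.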
delete
Deletes a file from a flash card. This command applies only to management modules with PCMCIA slots.
The software does not have an undelete option. Make sure you really want to delete the file.
EXAMPLE:
To delete a file on the flash card that has the management focus, enter a command such as the following:
BigServerIron# delete cfg.cfg
If the command is successful, the CLI displays a new command prompt.
dir
Lists the files on a flash card in a Management IV module's PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: By default, the software displays the contents of the flash card in the slot that has the management focus.
However, you do not need to change the focus to list the files on another flash card. You can specify the other
flash card when you display the files.
EXAMPLE:
To display a directory of all the files on the flash card that has the management focus, enter the following
command:
BigServerIron# dir
Volume in slot1 has no label
Volume Serial Number is 19ED-1725
Directory of slot1
01/01/2000  00:00a       685935  POS.BIN
01/01/2000  00:00a      2157693  M4R.BIN
01/01/2000  00:00a          184  A22.CFG
01/01/2000  00:00a          254  R CFG.CFG
01/01/2000  00:00a          256  STR.CFG
01/01/2000  00:00a      1027230  M5.BIN
01/01/2000  00:00a          184  A8.CFG
01/01/2000  00:00a      1029838  M4S.BIN
01/01/2000  00:00a       687026  P3R.BIN
01/01/2000  00:00a      1029838  MM.BIN
              10 File(s)      6618438 bytes
                             74180608 bytes free
00:00a       685935  POS.BIN
00:00a      2157693  M4R.BIN
00:00a      1027230  M5.BIN
00:00a      1029838  M4S.BIN
00:00a       687026  P3R.BIN
00:00a      1029838  MM.BIN
               6 File(s)      6617560 bytes
                             74180608 bytes free
The command in this example lists all the image files on the flash card in the slot that has the management focus.
(More specifically, the command lists all the files that end with .bin.)
For information about the command's display, see the Displaying a Directory of the Files on a Flash Card section
in the Using Redundant Management Modules chapter of the Foundry Switching Router Installation and
Configuration Guide.
Possible values: See above.
Default value: Displays all files on the flash card that has the management focus.
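The trailing "N File(s) X bytes" line of the listing gives a cheap consistency check when a flash card is inventoried (for example, to baseline which image files a management module carries): the sum of the listed sizes must equal the reported total and the entry count must match. The following Python parser is an added example, not part of the manual or the ServerIron software; the sample listing is constructed in the shape of the dir output above, and the function names are the example's own.

```python
"""Parse a ServerIron-style 'dir' listing and reconcile its totals (added example)."""
import re

# Constructed sample in the shape of the manual's 'dir' output.
SAMPLE_DIR = """\
Volume in slot1 has no label
Volume Serial Number is 19ED-1725
Directory of slot1
01/01/2000  00:00a       685935  POS.BIN
01/01/2000  00:00a      2157693  M4R.BIN
01/01/2000  00:00a          184  A22.CFG
01/01/2000  00:00a          254  R CFG.CFG
01/01/2000  00:00a          256  STR.CFG
01/01/2000  00:00a      1027230  M5.BIN
01/01/2000  00:00a          184  A8.CFG
01/01/2000  00:00a      1029838  M4S.BIN
01/01/2000  00:00a       687026  P3R.BIN
01/01/2000  00:00a      1029838  MM.BIN
              10 File(s)      6618438 bytes
                             74180608 bytes free
"""

# date  time  size  name (the name may contain spaces, so it is matched lazily to end of line)
_ENTRY = re.compile(r"^(\d\d/\d\d/\d{4})\s+(\d\d:\d\d[ap])\s+(\d+)\s+(.+?)\s*$")
_TOTAL = re.compile(r"^\s*(\d+) File\(s\)\s+(\d+) bytes\s*$")
_FREE = re.compile(r"^\s*(\d+) bytes free\s*$")


def parse_dir(text):
    """Return {'files': [...], 'count': n, 'bytes': total, 'free': free}."""
    listing = {"files": [], "count": None, "bytes": None, "free": None}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            listing["files"].append(
                {"date": m[1], "time": m[2], "size": int(m[3]), "name": m[4]})
            continue
        m = _TOTAL.match(line)
        if m:
            listing["count"], listing["bytes"] = int(m[1]), int(m[2])
            continue
        m = _FREE.match(line)
        if m:
            listing["free"] = int(m[1])
    return listing


def totals_consistent(listing):
    """True when the entry count and the summed sizes match the reported totals."""
    files = listing["files"]
    return (listing["count"] == len(files)
            and listing["bytes"] == sum(f["size"] for f in files))


def image_files(listing):
    """Names of software image files (.bin), the subset the manual's second listing shows."""
    return [f["name"] for f in listing["files"] if f["name"].upper().endswith(".BIN")]


if __name__ == "__main__":
    d = parse_dir(SAMPLE_DIR)
    print("consistent:", totals_consistent(d), "images:", image_files(d))
```

Names are matched to the end of the line so that an entry such as "R CFG.CFG", whose name contains a space, is not cut at the first blank.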
debug access-list
Places the device in diagnostic mode for IP access lists. Use this diagnostic mode only if advised to do so by
Foundry Technical Support.
Possible values: N/A
Default value: Disabled
erase startup-config
Erases the configuration stored in the startup-config file.
EXAMPLE:
ServerIron# erase startup-config
exit
Moves activity up one level from the current level. In this case, activity will be moved to the user level.
EXAMPLE:
To move from the privileged level, back to the user level, enter the following:
ServerIron# exit
ServerIron>
Syntax: exit
Possible values: N/A
Default value: N/A
fastboot
Provides a configurable option to speed up the system startup time. By default, this option is turned off, providing
a three-second pause to allow a user to break into the boot prompt, if necessary. Use fastboot on to turn this
option on and eliminate the three-second pause. To turn this feature off later, enter the command fastboot off.
Fastboot changes will be saved automatically but will not become active until after a system reset.
To execute an immediate reload from the console of the boot code without a three-second delay, you can enter the
fast reload command.
EXAMPLE:
ServerIron# fastboot on
format
Reformats a flash card in a Management IV module's PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To reformat a flash card, enter the following command:
BigServerIron# format slot2
Formatting Flash Card(256 clusters per dot) ....................................
................................................................................
......................................
Verifying Flash Card(256 clusters per dot) ....................................
................................................................................
......................................
80809984 bytes total card space.
80809984 bytes available on card.
hd
Displays the data in a file on a flash card in hexadecimal format. This command applies only to management
modules with PCMCIA flash slots.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To display the data in a file in hexadecimal format, enter a command such as the following:
BigServerIron# hd cfg.cfg
The byte offset of the data that is displayed to the right of the offset
kill
Terminates the specified active CLI session and resets the CONFIG token. Once you know the session ID of a
Telnet connection (using the show who command), you can terminate it with the kill command. If the terminated
session was a console, the console is sent back into User EXEC mode. If the terminated CLI session was a Telnet
session, the Telnet connection is closed.
EXAMPLE:
ServerIron# kill telnet 1
locate
Displays or changes the save location for the startup-config file.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
BigServerIron# locate startup-config
md
Another form of the mkdir command. See mkdir on page 5-21.
mkdir
Creates a subdirectory on a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
BigServerIron# mkdir slot1 \TEST
To verify successful creation of the subdirectory, enter a command to change to the new subdirectory level:
BigServerIron# chdir \TEST
Current directory of slot1 is: \TEST
All digits
Spaces
'
&
You can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to
specify a subdirectory name that contains spaces, enter a string such as the following: "a long subdirectory
name".
A subdirectory or file name can be a maximum of 256 characters long. A complete subdirectory path name
cannot contain more than 263 characters.
The name is not case sensitive. You can enter upper- or lowercase letters. The CLI displays the name using
uppercase letters.
Possible values: See above
Default value: N/A
more
Displays the data in a file on a flash card in a Management IV module's PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To display the contents of a file, enter a command such as the following:
BigServerIron# more cfg.cfg
EXAMPLE:
To copy a file from flash memory to a flash card, enter a command such as the following:
BigServerIron# ncopy flash primary slot2 BIS07000.bin
Flash Card Write (128 KBytes per dot) .......
Write to slot2 BIS07000.bin succeeded
The command in this example copies a software image file from the primary area in flash memory onto the flash
card in slot 2.
If the copy does not succeed, the software lists messages to indicate the reason the copy did not work. For
example, the following messages indicate that the copy did not work because the slot specified for the copy does
not contain a flash card.
BigServerIron# ncopy flash secondary slot2 m4s.car
The system can not find the drive specified
Write to slot2 m4s.car failed
NOTE: This command does the same thing as the copy tftp flash <ip-addr> <filename> primary | secondary
command. See copy tftp flash on page 5-13.
EXAMPLE:
BigServerIron# ncopy tftp 192.22.33.4 test.img flash primary
To download into the secondary storage location, enter the command listed below instead:
ServerIron# ncopy tftp 192.22.33.4 test.img flash secondary
page-display
Enables page-by-page display of the configuration file. When you display or save the file, one "page" (window-full)
of the file is displayed. The following line provides you with options to continue the display or to cancel:
--More--, next page: Space/Return key, quit: Control-c
If you disable the page-display mode, the CLI displays the entire file without interruption.
Page-display mode is enabled by default. To disable it, enter the skip-page-display command.
NOTE: This command is equivalent to the enable skip-page-display command at the global CONFIG level.
EXAMPLE:
ServerIron# page-display
Syntax: page-display
Possible values: N/A
Default value: N/A
ping
Verifies connectivity to a Foundry switch or Layer 3 Switch or other device. The command performs an ICMP
echo test to confirm connectivity to the specified device.
EXAMPLE:
ServerIron# ping 192.22.2.33
Syntax: ping <ip-addr> | <hostname> [count <num>] [timeout <msec>] [ttl <num>] [size <byte>] [no-fragment]
[quiet] [verify] [data <1-to-4 byte hex>] [brief]
The only required parameter is the IP address or host name of the device.
NOTE: If the device is a Foundry switch or Layer 3 Switch, you can use the host name only if you have already
enabled the Domain Name Server (DNS) resolver feature on the device from which you are sending the ping. See
ip dns domain-name on page 6-35 and ip dns server-address on page 6-35.
The count <num> parameter specifies how many ping packets the device sends. You can specify from
1 to 4294967296. The default is 1.
The timeout <msec> parameter specifies how many milliseconds the Foundry device waits for a reply from the
pinged device. You can specify a timeout from 1 to 4294967296 milliseconds. The default is 5000 (5 seconds).
The ttl <num> parameter specifies the maximum number of hops. You can specify a TTL from 1 to 255. The
default is 64.
The size <byte> parameter specifies the size of the ICMP data portion of the packet. This is the payload and does
not include the header. You can specify from 0 to 4000. The default is 16.
The no-fragment parameter turns on the "don't fragment" bit in the IP header of the ping packet. This option is
disabled by default.
The quiet parameter hides informational messages such as a summary of the ping parameters sent to the device
and instead only displays messages indicating the success or failure of the ping. This option is disabled by
default.
The verify parameter verifies that the data in the echo packet (the reply packet) is the same as the data in the
echo request (the ping). By default the device does not verify the data.
The data <1-to-4 byte hex> parameter lets you specify a specific data pattern for the payload instead of the default
data pattern, "abcd", in the packet's data payload. The pattern repeats itself throughout the ICMP message
(payload) portion of the packet.
NOTE: For numeric parameter values, the CLI does not check that the value you enter is within the allowed
range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid
value.
The brief parameter causes ping test characters to be displayed. The following ping test characters are
supported:
!
Indicates that the network server timed out while waiting for a reply.
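The ping command at the user EXEC level (Chapter 4) and at the privileged EXEC level here share the same numeric parameters, and both carry the NOTE that the CLI does not reject an out-of-range value but silently rounds it to the nearest valid value; a ttl of 300 therefore runs as 255 without any message. The following Python parser is an added example, not the ServerIron's own code: it normalises a typed ping command against the documented ranges and reports every value the device would round, so an operator sees the effective parameters before relying on a result. It accepts the union of the two documented syntaxes (source and numeric appear only in the user-level form); the function and field names are the example's own.

```python
"""Normalise a ServerIron-style 'ping' command line against its documented ranges (added example)."""

# Documented numeric parameters: (minimum, maximum, default), taken from the manual's
# ping parameter descriptions. Out-of-range values are rounded to the nearest valid
# value, mirroring the behaviour the manual's NOTE describes.
NUMERIC = {
    "count":   (1, 4294967296, 1),
    "timeout": (1, 4294967296, 5000),
    "ttl":     (1, 255, 64),
    "size":    (0, 4000, 16),
}
# Boolean options: the union of the user-level and privileged-level syntaxes.
FLAGS = {"quiet", "numeric", "no-fragment", "verify", "brief"}
HEX = set("0123456789abcdef")


def normalise_data_pattern(raw):
    """Accept a 1-to-4 byte hex payload pattern (optionally 0x-prefixed); reject anything else."""
    s = raw.lower()
    if s.startswith("0x"):
        s = s[2:]
    if not s or len(s) % 2 or len(s) > 8 or set(s) - HEX:
        raise ValueError(f"data pattern must be 1 to 4 bytes of hex, got {raw!r}")
    return s


def parse_ping(cmdline):
    """Return the effective ping parameters the device would use.

    'adjusted' records every numeric value the device would round, as
    (entered, effective) pairs, so a silent range correction becomes visible.
    """
    tokens = cmdline.split()
    if len(tokens) < 2 or tokens[0] != "ping":
        raise ValueError("expected: ping <ip-addr> | <hostname> [options]")
    result = {"target": tokens[1], "flags": set(), "adjusted": {}}
    for name, (_, _, default) in NUMERIC.items():
        result[name] = default
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in NUMERIC:
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} requires a value")
            lo, hi, _ = NUMERIC[tok]
            entered = int(tokens[i + 1])
            effective = min(max(entered, lo), hi)   # nearest valid value
            if effective != entered:
                result["adjusted"][tok] = (entered, effective)
            result[tok] = effective
            i += 2
        elif tok in ("data", "source"):
            if i + 1 >= len(tokens):
                raise ValueError(f"{tok} requires a value")
            value = tokens[i + 1]
            result[tok] = normalise_data_pattern(value) if tok == "data" else value
            i += 2
        elif tok in FLAGS:
            result["flags"].add(tok)
            i += 1
        else:
            raise ValueError(f"unknown ping option: {tok}")
    return result


def is_valid_ping(cmdline):
    """True when the command parses cleanly (ranges may still have been rounded)."""
    try:
        parse_ping(cmdline)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    p = parse_ping("ping 192.22.2.33 count 3 ttl 300 size 5000 brief")
    print("effective:", {k: p[k] for k in NUMERIC}, "rounded:", p["adjusted"])
```

A value the parser lists under "adjusted" is exactly one the device would have accepted silently; checking that list before reading a ping result avoids drawing conclusions from a probe that ran with a different TTL or payload size than intended.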
pwd
Indicates which flash card in a Management IV module's PCMCIA slot has the management focus.
NOTE: This command applies only to a BigServerIron using a Management IV module.
The management focus determines the default flash card for a file management operation. For example, when
you list a directory of the files on a flash card, the PCMCIA slot parameter is optional. If you do not specify the
slot, the software displays the contents of the flash card in the slot that currently has the management focus. As
another example, the command for deleting a file from a flash card does not require that you specify the PCMCIA
slot. If you do not specify the slot, the command deletes the file from the flash card that has the management
focus.
When you power on or reload a device, if the management module contains only one flash card, the slot that
contains the flash card receives the management focus by default. If both slots contain flash cards, slot 1 receives
the management focus by default.
EXAMPLE:
To display which flash card currently has the management focus, enter the following command:
BigServerIron# pwd
slot1
Syntax: pwd
In this example, the flash card in slot 1 has the management focus.
Possible values: N/A
Default value: N/A
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rconsole
Logs in to a WSM CPU on the Web Switching Management Module.
ServerIron# rconsole 2 1
ServerIron2/1 #
This command changes the management session from the MP to WSM CPU 1 on the Web Switching
Management Module in slot 2. Notice that the end of the command prompt changes to indicate the slot number
and WSM CPU number.
The <cpunum> parameter specifies the WSM CPU. The WSM CPUs are numbered from 1 to 3.
For more information, see the "Using the Web Switching Management Module" chapter in the Foundry ServerIron
Installation and Configuration Guide.
Possible values: See above.
Default value: Disabled
rconsole-exit
Logs out of a WSM CPU on the Web Switching Management Module.
EXAMPLE:
To log out from a management session with a WSM CPU, enter the following command at the WSM command
prompt:
ServerIron2/1 # rconsole-exit
ServerIron#
Syntax: rconsole-exit
NOTE: You must enter the entire command name (rconsole-exit). The CLI will not accept abbreviated forms of
the command.
Possible values: See above.
Default value: N/A
rd
Another form of the rmdir command. See rmdir on page 5-31.
reload
Initiates a system reset. All configuration changes made since the last reset or start of the ServerIron will be
saved to the startup configuration file.
EXAMPLE:
ServerIron# reload
Syntax: reload [after <dd:hh:mm>] | [at <hh:mm:ss> <mm-dd-yy>] | [cancel] [primary | secondary]
Possible values:
after <dd:hh:mm> causes the system to reload after the specified amount of time has passed.
at <hh:mm:ss> <mm-dd-yy> causes the system to reload at exactly the specified time.
cancel cancels the scheduled reload
primary | secondary specifies whether the reload is to occur from the primary code flash module or the
secondary code flash module. The default is primary.
NOTE: The reload command must be typed in its entirety.
Default value: N/A
rename
Renames a file on a flash card in a Management IV module's PCMCIA slot.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
To rename a file, enter a command such as the following:
ServerIron# rename oldname newname
rmdir
Removes a subdirectory from a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
EXAMPLE:
BigServerIron# rmdir \TEST
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
skip-page-display
Disables page-display mode. Page-display mode displays the file one page at a time and prompts you to continue
or cancel the display. When page-display mode is disabled, if you display or save the configuration file, the CLI
displays the entire file without interruption.
Page display mode is enabled by default.
NOTE: This command is equivalent to the no enable skip-page-display command at the global CONFIG level.
EXAMPLE:
ServerIron> skip-page-display
Syntax: skip-page-display
Possible values: N/A
Default value: Enabled
sntp sync
Synchronizes the device's system clock with the time supplied by the device's SNTP server.
You define the SNTP server using the sntp server... command at the global CONFIG level. You also can define
how often the clock references are validated between the ServerIron and the SNTP server by entering the
sntp poll-interval command at the global CONFIG level.
NOTE: Configure the clock timezone parameter before configuring an SNTP server.
EXAMPLE:
ServerIron# sntp sync
stop-traceroute
Stops an initiated trace on a ServerIron.
EXAMPLE:
ServerIron# stop-trace-route
Syntax: stop-trace-route
sync-standby
Immediately synchronizes software between the active and standby management modules. When you
synchronize software, the active module copies the software you specify to the standby module, replacing the
software on the standby module.
NOTE: This command applies only to a BigServerIron with redundant management modules.
EXAMPLE:
To immediately synchronize the boot code on the standby module with the boot code on the active module, enter
the following command at the Privileged EXEC level of the CLI:
BigServerIron# sync-standby boot
telnet
Allows a Telnet connection to a remote ServerIron using the console. Up to five Telnet access sessions can be
supported on a ServerIron at one time. Write access through Telnet is limited to one session, and only one
outgoing Telnet session is supported on a ServerIron at one time.
To see the number of open Telnet sessions at any time, enter the command show telnet.
EXAMPLE:
ServerIron# telnet 208.96.6.101
temperature shutdown
Changes the shutdown temperature of a module containing a temperature sensor. If the temperature matches or
exceeds the shutdown temperature, the software sends a Syslog message to the Syslog buffer and also to the
SyslogD server if configured. The software also sends an SNMP trap to the SNMP trap receiver, if you have
configured the device to use one.
If the temperature equals or exceeds the shutdown temperature for five consecutive polls of the temperature by
the software, the software shuts down the module to prevent damage.
EXAMPLE:
To change the shutdown temperature from 55 to 57 degrees Celsius, enter the following command:
ServerIron# temperature shutdown 57
temperature warning
Changes the warning temperature of a module containing a temperature sensor. If the temperature of the module
reaches the warning value, the software sends a Syslog message to the Syslog buffer and also to the SyslogD
server, if configured. In addition, the software sends an SNMP trap to the SNMP trap receiver, if you have
configured the device to use one.
NOTE: You cannot set the warning temperature to a value higher than the shutdown temperature.
EXAMPLE:
To change the warning temperature from 45 to 47 degrees Celsius, enter the following command:
ServerIron# temperature warning 47
traceroute
Allows you to trace the path from the current ServerIron to a host address. This command is not available on
Foundry switches.
EXAMPLE:
ServerIron# traceroute 192.33.4.7 minttl 5 maxttl 5 timeout 5
Syntax: traceroute <host-ip-addr> [minttl <value>] [maxttl <value>] [timeout <value>] [numeric]
minttl minimum TTL (hops) value: Possible values are 1 to 255. Default value is 1 second.
maxttl maximum TTL (hops) value: Possible values are 1 to 255. Default value is 30 seconds.
timeout Possible values are 1 to 120. Default value is 2 seconds.
numeric Lets you change the display to list the devices by their IP addresses instead of their names.
Possible values: See above.
Default value: See above.
undebug access-list
Disables access-list diagnostic mode.
EXAMPLE:
ServerIron# undebug access-list 1
undebug ip nat
Disables diagnostic mode for NAT.
NOTE: This command is not supported on the ServerIron 400 or ServerIron 800.
EXAMPLE:
To disable the NAT diagnostic mode, enter a command such as the following:
ServerIron# undebug ip nat tcp
undelete
Recovers a file deleted from a PCMCIA flash card.
NOTE: This command applies only to a BigServerIron using a Management IV module.
NOTE: When you delete a file from a flash card, the CLI leaves the file intact but removes the first letter in the file
name from the file directory. However, if you save file changes or new files that use part of the space occupied by
the deleted file, you cannot undelete the file. The undelete command lists only the files that can be undeleted.
EXAMPLE:
BigServerIron# undelete
Undelete file "?LD.CFG" ? (enter 'y' or 'n'): y
Input one character: O
File recovered successfully and named to OLD.CFG
The command in this example starts the undelete process for the flash card and subdirectory that currently have
the management focus. For each file that can be undeleted, the CLI displays the remaining name entry in the file
directory and prompts you for the first character of the file name. You can enter any valid file name character. You
do not need to enter the character that was used before in the deleted file name.
Once you enter a character and the CLI undeletes the file, the CLI continues with the next file that can be
undeleted. For each file, specify y or n, and specify a first character for the files that you select to undelete.
To end the undelete process, enter the CTRL + C key combination.
whois
Performs a whois lookup on a specified domain.
EXAMPLE:
ServerIron# whois boole.com
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron# write memory
write terminal
Displays the running-configuration on the terminal screen.
EXAMPLE:
ServerIron# write terminal
Chapter 6
Global CONFIG Commands
aaa authentication
Defines an authentication-method list for access authentication. See the Foundry Security Guide for more
information.
EXAMPLE:
To configure an access method list, enter a command such as the following:
ServerIron(config)# aaa authentication web-server default local
This command configures the device to use the local user accounts to authenticate access to the device through
the Web management interface. If the device does not have a user account that matches the user name and
password entered by the user, the user is not granted access.
To configure the device to consult a RADIUS server first for Enable access, then consult the local user accounts if
the RADIUS server is unavailable, enter the following command:
ServerIron(config)# aaa authentication enable default radius local
Syntax: aaa authentication snmp-server | web-server | enable [implicit-user] | login default <method1>
[<method2>] [<method3>] [<method4>] [<method5>] [<method6>] [<method7>]
The snmp-server | web-server | enable [implicit-user] | login parameter specifies the type of access this
authentication-method list controls. You can configure one authentication-method list for each type of access.
The implicit-user parameter configures the device to prompt for only a password when a user attempts to access
the Privileged EXEC or CONFIG level of the CLI. By default, the device prompts for both a username and a
password. This parameter is valid only with the enable access type.
NOTE: TACACS/TACACS+ and RADIUS are supported only for enable and login.
The <method1> parameter specifies the primary authentication method. The remaining optional <method>
parameters specify the secondary methods to try if an error occurs with the primary method. A method can be
one of the values listed in the Method Value column in the following table.
Table 0.1: Authentication Method Values
Method Value        Description
tacacs or tacacs+
radius              A RADIUS server. You also must identify the server to the device using the radius-server
                    command. See radius-server on page 6-56.
local               A local user name and password you configured on the device. Local user names and
                    passwords are configured using the username command. See username on page 6-98.
line                The password you configured for Telnet access. The Telnet password is configured using the
                    enable telnet password command. See enable telnet password on page 6-18.
enable
none
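The rule that matters for a method list is the one stated above: a later method is consulted only when the earlier one produces an error, not when it rejects the user. The following constructed example (added here; it is not Foundry's code and the backend names, the Unavailable exception and the sample credentials are assumptions) models a list such as "enable default radius local" and shows that a RADIUS rejection is final while an unreachable RADIUS server falls through to the local accounts.

```python
# Constructed example, not from the Foundry manual or its software: models how an
# authentication-method list such as "enable default radius local" is walked.
# Backend names, the Unavailable exception and the sample credentials are assumptions.

class Unavailable(Exception):
    """Raised when a method cannot give an answer (server unreachable, timeout)."""


def make_backends(radius_up: bool, radius_users=None, local_users=None):
    """Build the method -> callable table. Each callable returns True (accept)
    or False (reject), or raises Unavailable when it cannot answer."""
    radius_users = radius_users if radius_users is not None else {"admin": "radius-pw"}
    local_users = local_users if local_users is not None else {"admin": "local-pw"}

    def radius(user, password):
        if not radius_up:
            raise Unavailable("RADIUS server did not respond")
        return radius_users.get(user) == password

    def local(user, password):
        return local_users.get(user) == password

    def none(user, password):
        return True  # 'none': no authentication is performed (assumption about this method)

    return {"radius": radius, "local": local, "none": none}


def authenticate(method_list, backends, user, password):
    """Try each method in order. Only an error (Unavailable) moves on to the
    next method; an explicit accept or reject is final. Returns
    (granted, method_that_answered). If every method errors, access is
    refused and None is reported (assumption: not stated in this section)."""
    for method in method_list:
        try:
            answered = backends[method](user, password)
        except Unavailable:
            continue
        return answered, method
    return False, None


if __name__ == "__main__":
    print(authenticate(["radius", "local"], make_backends(radius_up=False), "admin", "local-pw"))
    print(authenticate(["radius", "local"], make_backends(radius_up=True), "admin", "local-pw"))
```

The second call is the case to watch when reviewing a configuration: with the RADIUS server reachable, the local password is never consulted, so "radius local" does not mean "either password works".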
aaa authorization
Configures authorization for controlling access to management functions in the CLI. Foundry devices support
RADIUS and TACACS+ authorization.
When RADIUS authorization is enabled, the Foundry device consults the list of commands supplied by the
RADIUS server during authentication to determine whether a user can execute a command he or she has
entered.
Two kinds of TACACS+ authorization are supported: Exec authorization determines a user's privilege level
when they are authenticated; Command authorization consults a TACACS+ server to get authorization for
commands entered by the user.
EXAMPLE:
You enable command authorization by specifying a privilege level whose commands require authorization. For
example, to configure the Foundry device to perform RADIUS authorization for the commands available at the
Super User privilege level (that is; all commands on the device), enter the following command:
ServerIron(config)# aaa authorization commands 0 default radius
Syntax: [no] aaa authorization commands <privilege-level> default tacacs+ | radius | none
The <privilege-level> parameter can be one of the following:
0 Authorization is performed for commands available at the Super User level (all commands)
4 Authorization is performed for commands available at the Port Configuration level (port-config and readonly commands)
5 Authorization is performed for commands available at the Read Only level (read-only commands)
NOTE: TACACS+ and RADIUS command authorization is performed only for commands entered from Telnet or
SSH sessions. No authorization is performed for commands entered at the console, the Web management
interface, or IronView.
NOTE: Since RADIUS authorization relies on the command list supplied by the RADIUS server during
authentication, you cannot perform RADIUS authorization without RADIUS authentication.
When TACACS+ exec authorization is configured, the Foundry device consults a TACACS+ server to determine
the privilege level for an authenticated user. To configure TACACS+ exec authorization, on the Foundry device,
enter the following command:
ServerIron(config)# aaa authorization exec default tacacs+
aaa accounting
Configures RADIUS or TACACS+ accounting for recording information about user activity and system events.
When you configure accounting on a Foundry device, information is sent to an accounting server when specified
events occur, such as when a user logs into the device or the system is rebooted.
EXAMPLE:
To send an Accounting Start packet to a TACACS+ accounting server when an authenticated user establishes a
Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out:
ServerIron(config)# aaa accounting exec default start-stop tacacs+
Syntax: [no] aaa accounting exec default start-stop radius | tacacs+ | none
You can configure accounting for CLI commands by specifying a privilege level whose commands require
accounting. For example, to configure the Foundry device to perform RADIUS accounting for the commands
available at the Super User privilege level (that is; all commands on the device), enter the following command:
ServerIron(config)# aaa accounting commands 0 default start-stop radius
Syntax: [no] aaa accounting commands <privilege-level> default start-stop radius | tacacs+ | none
The <privilege-level> parameter can be one of the following:
4 Records commands available at the Port Configuration level (port-config and read-only commands)
You can configure accounting to record when system events occur on the Foundry device. System events include
rebooting and when changes to the active configuration are made.
The following command causes an Accounting Start packet to be sent to a TACACS+ accounting server when a
system event occurs, and a Accounting Stop packet to be sent when the system event is completed:
ServerIron(config)# aaa accounting system default start-stop tacacs+
Syntax: [no] aaa accounting system default start-stop radius | tacacs+ | none
Possible values: see above
Default value: N/A
access-list (standard)
Configures standard Access Control Lists (ACLs), which permit or deny packets based on source IP address (in
contrast to extended ACLs, which permit or deny packets based on source and destination IP address and also
based on IP protocol information). You can configure up to 99 standard ACLs. You can configure up to 1024
individual ACL entries. There is no limit to the number of ACL entries an ACL can contain except for the systemwide limitation of 1024 total ACL entries.
EXAMPLE:
To configure a standard ACL and apply it to outgoing traffic on port 1, enter the following commands.
ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 1 out
ServerIron(config-if-1)# write mem
The commands in this example configure an ACL to deny packets from three source IP addresses from being
forwarded on port 1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first
three ACL entries.
Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]
Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> [log]
Syntax: [no] access-list <num> deny | permit any [log]
Syntax: [no] ip access-group <num> in | out
The <num> parameter is the access list number and can be from 1 to 99.
The deny | permit parameter indicates whether packets that match a policy in the access list are denied
(dropped) or permitted (forwarded).
The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name.
NOTE: To specify the host name instead of the IP address, the host name must be configured using the Foundry
device's DNS resolver. To configure the DNS resolver name, use the ip dns server-address command at the
global CONFIG level of the CLI.
The <wildcard> parameter specifies the mask value to compare against the host address specified by the
<source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format)
consisting of ones and zeros. Zeros in the mask mean the packet's source address must match the <source-ip>.
Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255
mean that all hosts in the Class C sub-net 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP
address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of
209.157.22.26 0.0.0.255 as 209.157.22.26/24.
NOTE: When you save ACL policies to the startup-config file, the software changes your <source-ip> values if
appropriate to contain zeros where the packet value must match. For example, if you specify 209.157.22.26/24 or
209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have
enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.
If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in
/<mask-bits> format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at
the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of
whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config
files, but are shown with sub-net mask in the display produced by the show access-list and show ip access-list
commands.
The host <source-ip> | <hostname> parameter lets you specify a host IP address or name. When you use this
parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.
The any parameter configures the policy to match on all host addresses.
The log argument configures the device to generate Syslog entries and SNMP traps for packets that are permitted
or denied by the access policy.
The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the port to which
you apply the ACL.
Possible values: see above
Default value: N/A
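The wildcard and CIDR rules above (zeros must match, ones are don't-care, and saved entries are rewritten with zeros in the host bits) are easy to get wrong when reviewing a configuration. The following constructed Python example, added here and not part of the Foundry manual or its software, parses standard ACL entries in the forms shown in the syntax lines, normalizes a wildcard entry the way the NOTE says the startup-config stores it, and evaluates a source address against the list first-match-first. Host names are not resolved (an assumption of this model), and what the device does when no entry matches is not stated in this section, so the evaluator reports None in that case.

```python
import ipaddress

# Constructed example, not from the Foundry manual: models standard-ACL
# address matching (wildcard / CIDR / host / any) and the way the text says
# the startup-config stores an entry with host bits zeroed.

def wildcard_to_prefixlen(wildcard: str) -> int:
    """Convert a dotted wildcard (zeros must match, ones are don't-care)
    to a CIDR prefix length. Only a contiguous block of low-order ones has
    a CIDR equivalent, so anything else is rejected rather than guessed."""
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:
        raise ValueError(f"wildcard {wildcard} is not contiguous; no CIDR equivalent")
    return 32 - host_bits


def normalize(source_ip: str, wildcard: str) -> str:
    """Return the entry as the saved config shows it: host bits zeroed, in
    <ip>/<mask-bits> form (209.157.22.26 0.0.0.255 -> 209.157.22.0/24)."""
    plen = wildcard_to_prefixlen(wildcard)
    net = ipaddress.IPv4Network(f"{source_ip}/{plen}", strict=False)
    return f"{net.network_address}/{plen}"


def parse_entry(line: str):
    """Parse one 'access-list <num> deny|permit <source> [log]' line into
    (action, network, log). Host names are not resolved here (assumption:
    a name that is not an IP address is an error in this model)."""
    tokens = line.split()
    if tokens[0] != "access-list" or not 1 <= int(tokens[1]) <= 99:
        raise ValueError("not a standard ACL entry (number must be 1 to 99)")
    action, rest = tokens[2], tokens[3:]
    if action not in ("deny", "permit"):
        raise ValueError(f"unknown action {action}")
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest[0] == "any":
        net = ipaddress.IPv4Network("0.0.0.0/0")
    elif rest[0] == "host":
        net = ipaddress.IPv4Network(f"{rest[1]}/32")
    elif "/" in rest[0]:
        net = ipaddress.IPv4Network(rest[0], strict=False)  # CIDR form
    elif len(rest) == 2:
        net = ipaddress.IPv4Network(normalize(rest[0], rest[1]))
    else:
        # Bare address with no mask: treated as a single host (assumption,
        # matching the implied 0.0.0.0 mask the text gives for 'host').
        net = ipaddress.IPv4Network(f"{rest[0]}/32")
    return action, net, log


def evaluate(acl, source_ip: str):
    """First matching entry wins. Returns (action, log) or (None, False)
    when no entry matches; what the device does in that case is not
    stated in this section, so the caller decides."""
    addr = ipaddress.IPv4Address(source_ip)
    for action, net, log in acl:
        if addr in net:
            return action, log
    return None, False


if __name__ == "__main__":
    # Constructed list, after the page's ACL 1 (host-name entry omitted).
    acl = [parse_entry(line) for line in (
        "access-list 1 deny host 209.157.22.26 log",
        "access-list 1 deny 209.157.29.12 log",
        "access-list 1 permit any",
    )]
    for ip in ("209.157.22.26", "209.157.29.12", "10.1.1.1"):
        print(ip, evaluate(acl, ip))
    print(normalize("209.157.22.26", "0.0.0.255"))
```

A non-contiguous wildcard such as 0.0.255.0 is rejected on purpose: it has no /<mask-bits> equivalent, and silently approximating it would widen or narrow the policy.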
access-list (extended)
Configures extended ACLs, which permit or deny packets based on the following information:
IP protocol
EXAMPLE:
To configure an extended ACL that blocks all Telnet traffic received on port 1 from IP host 209.157.22.26, enter the
following commands.
ServerIron(config)# access-list 101 deny tcp host 209.157.22.26 any eq telnet log
ServerIron(config)# access-list 101 permit ip any any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 101 in
ServerIron(config)# write mem
Syntax: [no] access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator>
<source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard>
[<operator> <destination-tcp/udp-port>] [log]
Syntax: [no] access-list <num> deny | permit host <ip-protocol> any any [log]
Syntax: [no] ip access-group <num> in | out
The <num> parameter indicates the ACL number and can be from 100 to 199 for an extended ACL.
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.
The <ip-protocol> parameter indicates the type of IP packet you are filtering. You can specify one of the following:
icmp
igmp
igrp
ip
ospf
tcp
udp
The <source-ip> | <hostname> parameter specifies the source IP host for the policy. If you want the policy to
match on all source addresses, enter any.
The <wildcard> parameter specifies the portion of the source IP host address to match against. The <wildcard> is
a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask
mean the packet's source address must match the <source-ip>. Ones mean any value matches. For example,
the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net
209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a
forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can
enter the CIDR equivalent of 209.157.22.26 0.0.0.255 as 209.157.22.26/24.
NOTE: When you save ACL policies to the startup-config file, the software changes your IP address values if
appropriate to contain zeros where the packet value must match. For example, if you specify 209.157.22.26/24 or
209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have
enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.
If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in
/<mask-bits> format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at
the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of
whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config
files, but are shown with sub-net mask in the display produced by the show access-list and show ip access-list
commands.
The <destination-ip> | <hostname> parameter specifies the destination IP host for the policy. If you want the
policy to match on all destination addresses, enter any.
The <operator> parameter specifies a comparison operator for the TCP or UDP port number. This parameter
applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for
HTTP, specify tcp eq http. You can enter one of the following operators:
eq The policy applies to the TCP or UDP port name or number you enter after eq.
gt The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent
of the port name you enter after gt.
lt The policy applies to TCP or UDP port numbers that are less than the port number or the numeric
equivalent of the port name you enter after lt.
neq The policy applies to all TCP or UDP port numbers except the port number or port name you enter after
neq.
range The policy applies to all TCP or UDP port numbers that are between the first TCP or UDP port name
or number and the second one you enter following the range parameter. The range includes the port names
or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53
(DNS), enter the following: range 23 53. The first port number in the range must be lower than the last
number in the range.
established This operator applies only to TCP packets. If you use this operator, the policy applies to TCP
packets that have the ACK (Acknowledgment) or RST (Reset) bits set on (set to "1") in the Control Bits field of
the TCP packet header. Thus, the policy applies only to established TCP sessions, not to new sessions. See
Section 3.1, "Header Format", in RFC 793 for information about this field.
NOTE: This operator applies only to destination TCP ports, not source TCP ports.
The <tcp/udp-port> parameter specifies the TCP or UDP port number or well-known name. The device
recognizes the following well-known names. For other ports, you must specify the port number.
NOTE: The following lists are organized alphabetically. In the CLI, these port names are listed according to
ascending port number.
TCP port names:
bgp
dns
ftp
http
imap4
ldap
mms
nntp
pop2
pop3
pnm
rtsp
smtp
ssl
telnet
UDP port names:
bootps
bootpc
dns
ntp
radius
radius-old
rip
snmp
snmp-trap
tftp
The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the port to which
you apply the ACL.
Possible values: see above
Default value: N/A
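The operators above carry most of the security meaning of an extended ACL (eq versus range, and established matching only packets with ACK or RST set), so it helps to see them evaluated against concrete packets. The following constructed Python example, added here and not part of the Foundry manual or its software, parses entries in the forms shown in the syntax lines and applies them to packets; the Packet class, the port-name table (a subset, with numbers from IANA rather than from this page) and the sample packets are assumptions made for the example. It also enforces the two rules stated in the text: established is accepted only on the destination side, and the first port of a range must be lower than the last.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example, not from the Foundry manual: models extended-ACL
# matching with the port operators described above. Packet, WELL_KNOWN
# (a subset, numbers from IANA) and the sample packets are assumptions.

WELL_KNOWN = {"ftp": 21, "telnet": 23, "smtp": 25, "dns": 53, "tftp": 69,
              "http": 80, "snmp": 161, "ssl": 443}
OPERATORS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2, "established": 0}


@dataclass
class Packet:
    protocol: str                        # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()   # e.g. {"SYN"}, {"ACK"}, {"RST"}


def port_value(token):
    return WELL_KNOWN[token] if token in WELL_KNOWN else int(token)


def parse_addr(tokens, i):
    """any | host <ip> | <ip>/<bits> | <ip> <wildcard>; returns (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(f"{tokens[i + 1]}/32"), i + 2
    if "/" in tokens[i]:
        return ipaddress.IPv4Network(tokens[i], strict=False), i + 1
    w = int(ipaddress.IPv4Address(tokens[i + 1]))   # wildcard: ones are don't-care
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:
        raise ValueError("non-contiguous wildcard has no CIDR equivalent")
    return ipaddress.IPv4Network(f"{tokens[i]}/{32 - host_bits}", strict=False), i + 2


def parse_port(tokens, i, side):
    """Optional <operator> <port(s)>; returns ((op, args) or None, next index)."""
    if i >= len(tokens) or tokens[i] not in OPERATORS:
        return None, i
    op, n = tokens[i], OPERATORS[tokens[i]]
    args = [port_value(t) for t in tokens[i + 1:i + 1 + n]]
    if op == "established" and side == "src":
        raise ValueError("established applies only to destination TCP ports")
    if op == "range" and args[0] >= args[1]:
        raise ValueError("range: first port must be lower than the last")
    return (op, args), i + 1 + n


def parse_entry(line):
    t = line.split()
    if t[0] != "access-list" or not 100 <= int(t[1]) <= 199:
        raise ValueError("not an extended ACL entry (number must be 100 to 199)")
    action, proto = t[2], t[3]
    src, i = parse_addr(t, 4)
    sport, i = parse_port(t, i, "src")
    dst, i = parse_addr(t, i)
    dport, i = parse_port(t, i, "dst")
    log = i < len(t) and t[i] == "log"
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": log}


def port_ok(cond, port, pkt):
    if cond is None:
        return True
    op, args = cond
    if op == "established":   # ACK or RST set: an existing session, not a new one
        return pkt.protocol == "tcp" and bool(pkt.tcp_flags & {"ACK", "RST"})
    if op == "range":
        return args[0] <= port <= args[1]
    return {"eq": port == args[0], "neq": port != args[0],
            "gt": port > args[0], "lt": port < args[0]}[op]


def entry_matches(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt.protocol:
        return False
    if ipaddress.IPv4Address(pkt.src) not in e["src"]:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in e["dst"]:
        return False
    if e["proto"] in ("tcp", "udp"):   # port operators apply only to tcp/udp
        return port_ok(e["sport"], pkt.sport, pkt) and port_ok(e["dport"], pkt.dport, pkt)
    return True


def evaluate(acl, pkt):
    """First matching entry wins; None when nothing matches."""
    for e in acl:
        if entry_matches(e, pkt):
            return e["action"]
    return None


if __name__ == "__main__":
    acl = [parse_entry("access-list 101 deny tcp host 209.157.22.26 any eq telnet log"),
           parse_entry("access-list 101 permit ip any any")]
    print(evaluate(acl, Packet("tcp", "209.157.22.26", "10.1.1.5", 40000, 23)))  # deny
    print(evaluate(acl, Packet("udp", "209.157.22.26", "10.1.1.5", 40000, 23)))  # permit
```

The UDP case in the usage lines is the one worth noting when auditing such a list: the deny entry names tcp, so UDP traffic from the same host to port 23 falls through to the permit entry.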
all-client
Restricts management access to the Foundry device to the host whose IP address you specify. No other device
except the one with the specified IP address can access the Foundry device through Telnet (CLI), the Web (Web
management interface), or SNMP (IronView).
If you want to restrict access for some of the management platforms but not all of them, use one or two of the
following commands:
snmp-client restricts IronView access and all other SNMP access. See snmp-client on page 6-88.
telnet client restricts Telnet access. See telnet client on page 6-95.
web client restricts web access. See web client on page 6-100.
EXAMPLE:
To restrict all management access to the Foundry device to the host with IP address 209.157.22.26, enter the
following command:
ServerIron(config)# all-client 209.157.22.26
arp
Adds a static ARP entry.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# arp 1 209.157.22.3 aaaa.bbbb.cccc ethernet 3
This command adds a static ARP entry that maps IP address 209.157.22.3 to MAC address aaaa.bbbb.cccc. The
entry is for a MAC address connected to ServerIron port 3.
Syntax: [no] arp <num> <ip-addr> <mac-addr> ethernet <portnum> [vlan <vlan-id>]
The <num> parameter specifies the entry number. You can specify a number from 1 up to the maximum number
of static entries allowed on the device. To determine the maximum number of entries, enter the show default
values command. To increase the maximum, use the system-max static-arp command.
The <ip-addr> command specifies the IP address of the device that has the MAC address of the entry.
The <mac-addr> parameter specifies the MAC address of the entry.
The ethernet <portnum> command specifies the port number attached to the device that has the MAC address of
the entry.
The vlan <vlan-id> parameter specifies the port-based VLAN the entry belongs to. Use this parameter when the
port is a member of more than one port-based VLAN and you want the ARP entry to apply only to a specific
VLAN.
NOTE: The clear arp command clears learned ARP entries but does not remove any static ARP entries.
Possible values: See above
Default value: None configured
atalk-proto
Creates an AppleTalk protocol VLAN on a Foundry switch or router. When first assigned, all ports are assumed by
default to be members of the VLAN. VLAN membership can be modified using the dynamic, static, or exclude
commands.
EXAMPLE:
To create an AppleTalk Protocol VLAN with permanent port membership of 9 and 13 and no dynamic ports, enter
the following commands.
ServerIron(config)# atalk-proto
ServerIron(config-atalk-proto)# static e9 e13
ServerIron(config-atalk-proto)# no dynamic
ServerIron(config-atalk-proto)# exit
banner exec
Configures the Foundry device to display a message when a user enters the Privileged EXEC CLI level.
EXAMPLE:
ServerIron(config)# banner exec $ (Press Return)
Enter TEXT message, End with the character '$'.
You are entering Privileged EXEC level
Don't foul anything up! $
banner incoming
Configures the Foundry device to display a message on the Console when a user establishes a Telnet session.
This message indicates where the user is connecting from and displays a configurable text message.
EXAMPLE:
ServerIron(config)# banner incoming $ (Press Return)
Enter TEXT message, End with the character '$'.
Incoming Telnet Session!! $
When a user connects to the CLI using Telnet, the following message appears on the Console:
Telnet from 209.157.22.63
Incoming Telnet Session!!
banner motd
Configures the Foundry device to display a message on a user's terminal when he or she establishes a Telnet CLI
session.
EXAMPLE:
To display the message Welcome to ServerIron! when a Telnet CLI session is established:
ServerIron(config)# banner motd $ (Press Return)
Enter TEXT message, End with the character '$'.
Welcome to ServerIron! $
broadcast filter
Configures a Layer 2 broadcast packet filter. You can filter on all broadcast traffic or on IP UDP broadcast traffic.
EXAMPLE:
To configure a Layer 2 broadcast filter to filter all types of broadcasts, then apply the filter to ports 1, 2, and 3, enter
the following commands:
ServerIron(config)# broadcast filter 1 any
ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 3
ServerIron(config-bcast-filter-id-1)# write mem
EXAMPLE:
To configure two filters, one to filter IP UDP traffic on ports 1 to 4, and the other to filter all broadcast traffic on port
6, enter the following commands:
ServerIron(config)# broadcast filter 1 ip udp
ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 4
ServerIron(config-bcast-filter-id-1)# exit
ServerIron(config)# broadcast filter 2 any
ServerIron(config-bcast-filter-id-2)# exclude-ports ethernet 6
ServerIron(config-bcast-filter-id-2)# write mem
EXAMPLE:
To configure an IP UDP broadcast filter that applies only to port-based VLAN 10, then apply the filter to
two ports within the VLAN, enter the following commands:
ServerIron(config)# broadcast filter 4 ip udp vlan 10
broadcast limit
Specifies the maximum number of broadcast packets the device can forward each second. By default the device
sends broadcasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However,
if other devices in the network cannot handle unlimited broadcast traffic, this command allows you to relieve those
devices by throttling the broadcasts at the Foundry device.
NOTE: The broadcast limit does not affect multicast or unicast traffic. However, you can use the multicast limit
and unknown-unicast limit commands to control these types of traffic. See multicast limit on page 6-53 and
unknown-unicast limit on page 6-98.
EXAMPLE:
ServerIron(config)# broadcast limit 30000
chassis name
Assigns an administrative ID to the device.
NOTE: This command does not change the CLI prompt. To change the CLI prompt, use the hostname
command. See hostname on page 6-32.
EXAMPLE:
ServerIron(config)# chassis name routernyc
chassis poll-time
Changes the number of seconds between polls of the power supply and fan status.
Use the show chassis command to display the hardware status.
EXAMPLE:
To change the hardware poll time from 60 seconds (the default) to 30 seconds:
ServerIron(config)# chassis poll-time 30
chassis trap-log
Disables or re-enables status polling for individual power supplies and fans. When you disable status polling, a
fault in the power supply does not generate a trap in the system log.
EXAMPLE:
To disable polling of power supply 2, enter the following command:
ServerIron(config)# no chassis trap-log ps2
clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in
Privileged EXEC Commands on page 5-1.
clock summer-time
This command will automatically activate and deactivate daylight savings time for the relevant time zones.
EXAMPLE:
ServerIron(config)# clock summer-time
clock timezone
Allows you to define the time zone of the clock. This parameter is used in conjunction with the clock set
command or for timestamps obtained from a SNTP server. The clock set...command is configured at the
privileged EXEC level of the CLI.
NOTE: Use this clock command before all others to ensure accuracy of the clock settings.
NOTE: For those time zones that recognize daylight savings time, the clock summer-time command will also
need to be defined.
NOTE: Clock settings are not saved over power cycles; however, you can configure the system to reference a
SNTP server at power up. This server will then automatically download the correct time reference for the network.
The local ServerIron will then adjust the time according to its time zone setting. For more details on setting up a
SNTP reference clock, refer to the sntp command at the privileged EXEC level and the sntp poll-interval and
sntp server commands at the global CONFIG level.
EXAMPLE:
ServerIron(config)# clock timezone us eastern
confirm-port-up
Reduces the number of up-status confirmations the software requires before bringing a port up for use. This
command is useful for network interface cards (NICs) that are designed to come up very quickly in certain
applications and are sensitive to the slight delay caused by the Foundry ports as they wait for the multiple status
indications before coming up. You can configure a Foundry device to reduce the number of status indications the
software requires before bringing up a 10/100Base-Tx port.
NOTE: Do not use this command unless advised to do so by Foundry technical support.
By default, Foundry devices wait for multiple indications that a port is good before bringing the port up. Specific
types of networking devices are sensitive to the very slight delay caused by the multiple status indications. In this
case, you can use one of the following methods to reduce the number of status indications the software requires
before bringing up a 10/100Base-Tx port. You can set the parameter globally for all 10/100 ports.
EXAMPLE:
By default, Stackable devices bring a 10/100 Base-Tx port up after receiving ten consecutive up-status indications
for the port. You can reduce this number to as few as one indication.
To reduce the up-status indications required to bring up 10/100 ports on a Stackable device, enter the following
commands:
ServerIron(config)# confirm-port-up 1
ServerIron(config)# write mem
console
Times out idle serial management sessions.
By default, a Foundry device does not time out serial CLI sessions. A serial session remains open indefinitely until
you close it. You can configure the device to time out serial CLI sessions if they remain idle for a specified number
of minutes. You can configure an idle timeout value from 0 through 240 minutes. The default is 0.
NOTE: If a session times out, the device does not close the connection. Instead, the CLI changes to the User
EXEC mode (for example: ServerIron>).
EXAMPLE:
To configure the idle timeout for serial CLI sessions, enter a command such as the following:
ServerIron(config)# console timeout 20
This command configures the idle timeout value to 20 minutes.
crypto key
Configures a host RSA public and private key pair for SSH. The host RSA key pair is stored in the Foundry
device's system-config file. Only the public key is readable. The host RSA key pair is used to negotiate a session
key and encryption method with the SSH clients trying to connect to the device.
EXAMPLE 1:
To generate a public and private host RSA key pair for the Foundry device:
ServerIron(config)# crypto key generate rsa
ServerIron(config)# wri mem
A host RSA key pair is stored in the system-config file, and SSH is enabled on the device.
EXAMPLE 2:
To delete the host RSA key pair from the system-config file:
ServerIron(config)# crypto key zeroize rsa
ServerIron(config)# wri mem
The host RSA key pair is deleted from the system-config file, and SSH is disabled on the device.
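Added example (not from this reference and not Foundry device code): once the host key pair exists, the operator should record the public key's fingerprint out of band so that SSH clients can verify it on first connection instead of accepting whatever key is presented on the wire. The script below shows how the MD5 (colon-separated hex) and SHA-256 (unpadded base64) fingerprints printed by OpenSSH are derived from an ssh-rsa public key blob. The OpenSSH one-line key format is an assumption about how the key is presented to the client, and DEMO_E/DEMO_N are constructed values, not a real modulus and not anything a ServerIron would produce.

```python
"""Derive SSH host-key fingerprints from an ssh-rsa public key blob.

Added example, not Foundry code. The blob layout follows RFC 4253 section 6.6
(string "ssh-rsa", mpint e, mpint n); fingerprints are what `ssh-keygen -l`
prints. Key parameters below are CONSTRUCTED for the demonstration.
"""
import base64
import hashlib
import struct


def ssh_uint32(n: int) -> bytes:
    return struct.pack(">I", n)


def ssh_string(s: bytes) -> bytes:
    # SSH 'string': 4-byte big-endian length followed by the bytes.
    return ssh_uint32(len(s)) + s


def ssh_mpint(n: int) -> bytes:
    # SSH 'mpint' (RFC 4251): minimal big-endian two's-complement; an extra
    # 0x00 byte is prepended when the top bit would otherwise read as negative.
    if n == 0:
        return ssh_uint32(0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format 'ssh-rsa' public key blob."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def blob_from_key_line(line: str) -> bytes:
    """Recover the blob from an OpenSSH-style 'ssh-rsa <base64> [comment]' line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64>' line")
    blob = base64.b64decode(fields[1], validate=True)
    (klen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + klen] != b"ssh-rsa":
        raise ValueError("key type inside the blob is not ssh-rsa")
    return blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint: MD5 of the blob as colon-separated hex pairs."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH default: SHA-256 of the blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# CONSTRUCTED demo parameters: e is the common public exponent; n is a synthetic
# odd 960-bit number, NOT a product of two primes. Never use these for anything.
DEMO_E = 65537
DEMO_N = int("C0FFEE" * 40, 16) | 1


def demo_key_line() -> str:
    """The demo public key in the one-line form an SSH client would store."""
    blob = rsa_public_blob(DEMO_E, DEMO_N)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " serveriron-host-key"


if __name__ == "__main__":
    blob = blob_from_key_line(demo_key_line())
    print(fingerprint_md5(blob))
    print(fingerprint_sha256(blob))
```

Compare the value printed here against what the client shows on first connection; a mismatch means the client is talking to a different key, and therefore possibly to a different device. After `crypto key zeroize rsa` and a fresh `crypto key generate rsa` the fingerprint changes, so clients that stored the old one must be updated deliberately rather than by accepting the new key blindly.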
crypto random-number-seed
Creates a new seed for generating a random number that is used for generating the dynamically created server
RSA key pair for SSH.
EXAMPLE:
ServerIron(config)# crypto random-number-seed generate
decnet-proto
Creates a Decnet protocol VLAN on a Foundry switch or router. All ports will by default be assigned to the VLAN
when initially created. VLAN Membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create a Decnet protocol VLAN with permanent port membership of 15 and 16 with port 17 as a dynamic
member port (on module 1), enter the following commands.
ServerIron(config)# decnet-proto
ServerIron(config-decnet-proto)# static e 1/15 to 1/16
ServerIron(config-decnet-proto)# exclude e 1/1 to 1/14 e 1/18
Syntax: decnet-proto
Possible values: N/A
Default value: N/A
default-vlan-id
When you enable port-based VLAN operation, all ports are assigned to VLAN 1 by default. As you create
additional VLANs and assign ports to them, the ports are removed from the default VLAN. All ports that you do
not assign to other VLANs remain members of default VLAN 1. This behavior ensures that all ports are always
members of at least one VLAN.
You can change the VLAN ID for the default VLAN by entering the following command at the global CONFIG level
of the CLI:
ServerIron(config)# default-vlan-id 1001
You must specify a valid VLAN ID that is not already in use. For example, if you have already defined VLAN 10, do
not try to use "10" as the new VLAN ID for the default VLAN. Valid VLAN IDs are numbers from 1 through 4095.
NOTE: Changing the default VLAN ID does not change the properties of the default VLAN. Changing the
ID allows you to use the VLAN ID "1" as a configurable VLAN.
dhcp-gateway-list
This parameter must be defined when the feature, DHCP Assist, is enabled on a Foundry switch. A gateway
address must be defined for each sub-net that will be requesting addresses from a DHCP server. This allows the
stamping process to occur. Each gateway address defined on the switch corresponds to an IP address of the
ServerIron interface or other device involved.
Up to eight addresses can be defined for each gateway list in support of ports that are multi-homed. When
multiple IP addresses are configured for a gateway list, the switch inserts the addresses into the discovery packet
in a round robin fashion.
Up to 32 gateway lists can be defined for each switch.
NOTE: For more details on this command and the DHCP Assist feature, see the Foundry Switch and Router
Installation and Basic Configuration Guide.
EXAMPLE:
ServerIron(config)# dhcp-gateway-list 1 192.95.5.1
ServerIron(config)# int e 2
ServerIron(config-if-2)# dhcp-gateway-list 1
enable
You can use the enable command to assign three levels of passwords to provide a range of access points for
various users within the network.
The three levels are:
Super user: This user has unlimited access to all levels of the CLI. This level is generally reserved for system
administration. The super user is also the only user that can assign a password access level to another user.
Configure Port: This user has the ability to configure interface parameters only. The user can also view any
show commands.
Read only: A user with this password level is only able to view show commands. No configuration is allowed
with this password access type.
NOTE: You also can secure access using a RADIUS or TACACS/TACACS+ server or local user accounts. See
the Foundry Security Guide.
EXAMPLE:
ServerIron(config)# enable super-user-password Alexis
ServerIron(config)# enable read-only-password Jim
ServerIron(config)# enable port-config-password Bill
enable password-display
By default, passwords are never visible, even in the configuration file. If you want passwords to be visible in the
configuration file, use the enable password-display command. The next time you display the configuration file,
the passwords will be visible along with the commands used to set them. This command takes effect immediately.
Because anyone who can display, copy or back up the configuration can then read every password in it, leave this
setting off unless you have a specific need for it.
EXAMPLE:
ServerIron(config)# enable password-display
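Added example (not from this reference and not Foundry code): a small audit of saved configuration text for the two settings on this page that weaken local access control, the enable password-display flag described above and a missing or zero console timeout (the default, under which idle serial sessions never time out). The sample configuration is constructed; the script recognizes only the command forms shown on this page, and the `no enable password-display` form is assumed by analogy with `no enable skip-page-display`.

```python
"""Audit Foundry-style configuration text for weak local-access settings.

Added example, not Foundry code. Recognized commands (as written on this page):
  enable password-display            -> passwords become clear text in the config
  console timeout <0-240>            -> 0 or absent means no idle timeout
  enable <level>-password <string>   -> reported only when password-display is on
"""
import re
from dataclasses import dataclass
from typing import List, Optional

CONSOLE_TIMEOUT_RE = re.compile(r"^\s*console\s+timeout\s+(\d+)\s*$", re.I)
PASSWORD_DISPLAY_RE = re.compile(r"^\s*(no\s+)?enable\s+password-display\s*$", re.I)
ENABLE_PASSWORD_RE = re.compile(
    r"^\s*enable\s+(super-user|read-only|port-config)-password\s+(\S+)", re.I)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    line_no: int    # 0 when the finding concerns a line that is absent
    message: str


def audit_config(text: str, max_idle_minutes: int = 30) -> List[Finding]:
    """Scan configuration text and return findings sorted by line number."""
    findings: List[Finding] = []
    console_timeout: Optional[int] = None
    console_line = 0
    password_display = False
    password_lines = []                       # (line_no, level)

    for num, line in enumerate(text.splitlines(), 1):
        m = CONSOLE_TIMEOUT_RE.match(line)
        if m:
            console_timeout, console_line = int(m.group(1)), num
            continue
        m = PASSWORD_DISPLAY_RE.match(line)
        if m:
            # ASSUMPTION: the 'no' form turns the option off, as for skip-page-display.
            password_display = m.group(1) is None
            if password_display:
                findings.append(Finding("high", num,
                    "enable password-display is set: passwords appear in clear text in "
                    "the configuration file and in every copy or backup of it"))
            continue
        m = ENABLE_PASSWORD_RE.match(line)
        if m:
            password_lines.append((num, m.group(1).lower()))

    if password_display:
        for num, level in password_lines:
            findings.append(Finding("high", num,
                f"clear-text {level} password is visible on this line"))

    if console_timeout is None:
        findings.append(Finding("medium", 0,
            "no console timeout configured: the default (0) never times out idle "
            "serial sessions"))
    elif console_timeout == 0:
        findings.append(Finding("medium", console_line,
            "console timeout 0: idle serial sessions never time out"))
    elif console_timeout > 240:
        findings.append(Finding("medium", console_line,
            f"console timeout {console_timeout} is outside the 0-240 minute range"))
    elif console_timeout > max_idle_minutes:
        findings.append(Finding("info", console_line,
            f"console timeout {console_timeout} exceeds the {max_idle_minutes}-minute policy"))

    return sorted(findings, key=lambda f: f.line_no)


# CONSTRUCTED sample configuration using only commands from this page.
SAMPLE_CONFIG = """\
!
hostname ServerIron
enable super-user-password Alexis
enable read-only-password Jim
enable password-display
console timeout 0
!
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.severity:6} line {f.line_no:3}: {f.message}")
```

Run it against the output of write terminal saved to a file. The sample above yields four findings: the two clear-text passwords, the password-display line itself, and the zero console timeout.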
enable skip-page-display
Removes the stop page display characteristic for the write terminal command. For example, by default, when a
user enters the command write terminal the full configuration will generally involve more than a single page
display. You are prompted to enter the return key to view the next page of information. When this command is
enabled, this page-by-page prompting will be removed and the entire display will roll on the screen until the end is
reached.
To re-enable the stop page display characteristic, enter the no enable skip-page-display.
EXAMPLE:
To remove the page-by-page display of configuration information, enter the following:
ServerIron(config)# enable skip-page-display
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
ServerIron(config)# end
ServerIron#
Syntax: end
Possible values: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the privileged level.
EXAMPLE:
To move from the global level, back to the privileged level, enter the following:
ServerIron(config)# exit
ServerIron#
Syntax: exit
Possible values: N/A
Default value: N/A
fast port-span
Configures the Fast Port Span feature, which allows faster STP convergence on ports that are attached to end
stations.
EXAMPLE:
To enable Fast Port Span:
ServerIron(config)# fast port-span
EXAMPLE:
To exclude a port from Fast Port Span, while leaving Fast Port Span enabled globally:
ServerIron(config)# fast port-span exclude ethernet 1
Syntax: [no] fast port-span [exclude ethernet <portnum> [ethernet <portnum> | to <portnum>]]
Possible values: Valid port numbers
Default value: Enabled
fast uplink-span
Configures the Fast Uplink Span feature, which reduces the convergence time for uplink ports to another device to
just four seconds (two seconds for listening and two seconds for learning).
EXAMPLE:
To configure a group of ports for Fast Uplink Span, enter the following commands:
ServerIron(config)# fast uplink-span ethernet 1 to 4
flow-control
Allows you to turn flow control (802.3x) for full-duplex ports on or off (no). By default, flow control is on. To turn the
feature off, enter the command no flow-control.
EXAMPLE:
ServerIron(config)# no flow-control
To turn the feature back on later, enter the following command:
ServerIron(config)# flow-control
Default value: on
gig-default
Changes the default negotiation mode for Gigabit ports on Chassis devices. You can configure the default Gigabit
negotiation mode to be one of the following:
Negotiate-full-auto: The port first tries to perform a handshake with the other port to exchange capability
information. If the other port does not respond to the handshake attempt, the port uses the manually
configured information (or the defaults if an administrator has not set the information). This is
the default for Chassis devices (including the TurboIron/8).
Auto-Gigabit: The port tries to perform a handshake with the other port to exchange capability information.
This is still the default for Stackable devices.
Negotiation-off: The port does not try to perform a handshake. Instead, the port uses configuration
information manually configured by an administrator.
See the Configuring Basic Features chapter of the Foundry Switch and Router Installation and Basic
Configuration Guide for more information.
NOTE: This command does not apply to Stackable devices. To change the negotiation mode for a Stackable
Gigabit Ethernet port, use the [no] auto-gig command at the Interface level. See auto-gig on page 8-1.
EXAMPLE:
To change the mode globally to negotiation-off, enter the following command:
ServerIron(config)# gig-default neg-off
To override the global default on an individual Gigabit port, see gig-default on page 8-3.
gslb affinity
Changes the CLI to the GSLB affinity configuration level. See GSLB Affinity Commands on page 13-1 for
information about the commands at this level.
EXAMPLE:
To configure an affinity definition, enter commands such as the following:
ServerIron(config)# gslb affinity
ServerIron(config-gslb-affinity)# prefer sunnyvale slb-1 for 0.0.0.0/0
ServerIron(config-gslb-affinity)# prefer atlanta slb-1 for 192.108.22.0/22
These commands configure a default affinity definition (using the 0.0.0.0/0 prefix) and an affinity definition that
uses prefix 192.108.22.0/22. For clients that are not within the prefix in the second affinity definition, the
ServerIron uses the default affinity definition. The ServerIron sends clients whose IP addresses are within the
192.108.22.0/22 prefix to a VIP on slb-1 at the atlanta site, when available. The ServerIron sends all other
clients to a VIP on slb-1 at the sunnyvale site, when available.
Syntax: [no] prefer <site-name> <si-name> | <si-ip-addr> for <ip-addr> <ip-mask> | <ip-addr>/<prefix-length>
You can refer to the ServerIron by its GSLB site name and ServerIron name or by its management IP address.
Use one of the following parameters:
The <site-name> and <si-name> parameters specify the remote site and a ServerIron at that site. If you use
this method, you must specify both parameters.
NOTE: In either case, the running-config and the startup-config file refer to the ServerIron by its IP address.
The <ip-addr> <ip-mask> or <ip-addr>/<prefix-length> parameter specifies the prefix. You can specify a mask
from 0.0.0.0 through 255.255.255.254. If you instead specify a prefix length, you can specify from 0 through 31 bits.
If you specify 0.0.0.0 0.0.0.0 or 0.0.0.0/0, the ServerIron applies the affinity definition to all client addresses. As a
result, an address that does not match another affinity definition uses the zero affinity definition by default. If you
do not configure a default affinity definition, the ServerIron uses the standard GSLB policy for clients whose
addresses are not within a prefix in an affinity definition.
Possible values: see above
Default value: N/A
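Added example (not from this reference and not ServerIron code): a model of how affinity definitions select a site. Each prefer line maps a client prefix to a site and ServerIron; a client goes to the most specific matching prefix, 0.0.0.0/0 acts as the default, and with no match at all the standard GSLB policy applies (returned here as None). Both the dotted-mask and prefix-length forms are accepted and masks are limited to 0 through 31 bits as stated above. The "skip an unavailable ServerIron and fall back to the next match" behaviour is an assumption beyond what the page states; the two sample entries are the ones from the page.

```python
"""Longest-prefix affinity lookup for GSLB clients (added example, not Foundry code)."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Entry = Tuple[ipaddress.IPv4Network, str, str]   # (prefix, site-name, si-name)


class AffinityTable:
    """Affinity definitions: client prefix -> (site-name, ServerIron name)."""

    def __init__(self) -> None:
        self._entries: List[Entry] = []

    def prefer(self, site: str, si_name: str, prefix_spec: str) -> None:
        """Accepts '192.108.22.0/22' or '192.108.22.0 255.255.252.0'."""
        spec = prefix_spec.replace(" ", "/", 1)
        # strict=False masks off host bits, so the reference's own example
        # (192.108.22.0/22) is stored as 192.108.20.0/22 instead of rejected.
        net = ipaddress.IPv4Network(spec, strict=False)
        if net.prefixlen > 31:
            raise ValueError("mask must be 0.0.0.0-255.255.255.254 (prefix length 0-31)")
        self._entries.append((net, site, si_name))

    def lookup(self, client_ip: str,
               unavailable: Iterable[Tuple[str, str]] = ()) -> Optional[Tuple[str, str]]:
        """Most specific matching prefix wins; 0.0.0.0/0 is the default.

        Returns None when no definition matches (standard GSLB policy applies).
        ASSUMPTION: a definition whose ServerIron is listed as unavailable is
        skipped in favour of the next most specific match.
        """
        ip = ipaddress.IPv4Address(client_ip)
        down = set(unavailable)
        best: Optional[Entry] = None
        for net, site, si in self._entries:
            if ip not in net or (site, si) in down:
                continue
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site, si)
        return None if best is None else (best[1], best[2])


def page_example() -> AffinityTable:
    """The two `prefer` lines from the reference."""
    table = AffinityTable()
    table.prefer("sunnyvale", "slb-1", "0.0.0.0/0")
    table.prefer("atlanta", "slb-1", "192.108.22.0/22")
    return table


if __name__ == "__main__":
    table = page_example()
    for client in ("192.108.22.9", "192.108.24.1", "10.1.2.3"):
        print(client, "->", table.lookup(client))
```

Note that 192.108.22.0/22 is not on a /22 boundary; the lookup masks the address as the device would, so the definition covers 192.108.20.0 through 192.108.23.255. Check prefixes against a subnet calculator before entering them, since a mis-aligned prefix silently widens or shifts the client population it matches.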
gslb communication
Changes the TCP port number used by the GSLB protocol. By default, a GSLB ServerIron uses TCP port 182 to
exchange GSLB information with other ServerIrons, including the site ServerIrons. You can change the GSLB
protocol port if needed. For example, if other devices in the network also use port 182, but for other applications,
you need to change the protocol on those devices or on the ServerIrons.
NOTE: If you change the GSLB protocol port number, you must save the change to the startup-config file and
reload the software to place the change into effect. Also, you must change the port to the same number on all
ServerIrons in the GSLB configuration. If the port number in two GSLB ServerIrons is not the same, those
ServerIrons are not able to properly perform GSLB.
EXAMPLE:
To change the GSLB protocol port number on a ServerIron, enter commands such as the following:
ServerIron(config)# gslb communication 1882
ServerIron(config)# write memory
ServerIron(config)# end
ServerIron# reload
The first command changes the TCP protocol port from 182 to the specified port number, in this example 1882.
The subsequent commands save the configuration change to the startup-config file and reload the software to
place the change into effect.
FTP: the well-known name for port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name
FTP corresponds to port 21.)
The <tcp/udp-portnum> parameter specifies a TCP/UDP port number instead of a well-known port. If the
application is not one of those listed above, you still can configure the GSLB ServerIron to perform the Layer 4
health check on the specified port.
NOTE: If the application number does not correspond to one of the well-known ports recognized by the
ServerIron, the GSLB ServerIron performs Layer 4 TCP or UDP health checks for the ports but does not perform
application-specific health checks.
Possible values: see above
Default value: N/A
gslb policy
Changes the CLI to the GSLB policy configuration level. See GSLB Policy Commands on page 16-1 for
information about the commands at this level.
EXAMPLE:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)#
gslb protocol
Enables the GSLB protocol on a site ServerIron in a GSLB configuration. The GSLB protocol is enabled by default
on the GSLB ServerIron but is disabled by default on the site ServerIrons.
NOTE: The ServerIron uses TCP port 182 for the GSLB protocol by default. You can change the port number if
needed. See gslb communication on page 6-21.
EXAMPLE:
ServerIron(config)# gslb protocol
gslb site
Changes the CLI to the GSLB site configuration level. See GSLB Site Commands on page 15-1 for information
about the commands at this level.
EXAMPLE:
To identify two server sites, each of which has two ServerIrons, enter the following commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.209
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210
ServerIron(config)# gslb site atlanta
ServerIron(config-gslb-site-atlanta)# si-name slb-1 192.108.22.111
ServerIron(config-gslb-site-atlanta)# si-name slb-2 192.108.22.112
These commands configure two GSLB sites. One of the sites is in Sunnyvale and the other is in Atlanta. Each
site contains two ServerIrons that load balance traffic across server farms. The GSLB ServerIron you are
configuring will use information provided by the other ServerIrons when it evaluates the servers listed in DNS
replies.
healthck (ServerIronXL)
Configures a health-check policy on the ServerIronXL. Health-check policies consist of element-action
expressions and logical operators.
Element-action expression: In the case of Layer 3 health checks, an element-action expression consists of
the IP protocol to be used (ICMP) and the IP address to be checked.
Logical operator: A logical operator is the Boolean operator OR or AND. To configure a health-check policy
that requires a reply from all IP addresses in the policy, use the operator AND. To create a policy that is
successful if at least one of the addresses replies, use OR.
You can use the same element-action expressions in multiple logical expressions if desired. You can configure up
to 254 health-check policies. The default maximum number you can configure is 128. You can change the
maximum to a number from 64 through 254.
To use a health-check policy:
1. Configure the health-check policy using element-action expressions and the logical operator AND or OR.
2. Bind logical expressions to application ports on specific VIPs. A health-check policy does not take effect until
you bind it to an application port on a VIP.
EXAMPLE:
Here is an example of how to configure and apply a Layer 3 health-check policy.
ServerIron(config)# healthck Rtr2-ck1 icmp
ServerIron(config-hc-Rtr2-ck1)# dest-ip 10.168.2.56
ServerIron(config-hc-Rtr2-ck1)# healthck Rtr2-ck2 icmp
ServerIron(config-hc-Rtr2-ck2)# dest-ip 10.168.2.57
ServerIron(config)# healthck Router2 boolean
ServerIron(config-hc-Router2)# and Rtr2-ck1 Rtr2-ck2
ServerIron(config)# server virtual-name VIP1 1.1.1.1
ServerIron(config-vs-VIP1)# port http healthck Router2
These commands configure two element-action expressions, "Rtr2-ck1" and "Rtr2-ck2", and use them in a health-check policy called "Router2". The last two commands apply the health-check policy to the HTTP port on VIP1.
For more information, see the following sections.
For Layer 3 health-check policies, an element-action expression contains an IP address. To configure an element-action expression, enter commands such as the following:
ServerIron(config)# healthck Rtr2-ck1 icmp
ServerIron(config-hc-Rtr2-ck1)# dest-ip 10.168.2.56
ServerIron(config-hc-Rtr2-ck1)# healthck Rtr2-ck2 icmp
ServerIron(config-hc-Rtr2-ck2)# dest-ip 10.168.2.57
The commands in this example configure two element-action expressions.
Syntax: <element-name>
Or
You can specify an element-action without also specifying a logical operator (AND or OR). In this case, the
policy checks the health of the specified element (IP address) and has a true result (the health check is
successful) if the element replies to the health check.
You can enter two element-action expressions along with the logical operator and or or.
If you specify and, the policy evaluates to true only if all elements (IP addresses) respond to the health
check.
If you specify or, the policy is true if at least one of the elements responds to the health check.
If you want to use a single health-check policy to test more than two IP addresses, configure health-check policies
for all the IP addresses, and use them in another health-check policy. For example, to create a health-check policy
that tests four IP addresses, enter commands such as the following:
ServerIron(config)# healthck nest1 icmp
ServerIron(config-hc-nest1)# dest-ip 1.1.1.10
ServerIron(config-hc-nest1)# healthck nest2 icmp
ServerIron(config-hc-nest2)# dest-ip 1.1.1.20
ServerIron(config-hc-nest2)# healthck nest3 icmp
ServerIron(config-hc-nest3)# dest-ip 1.1.1.30
ServerIron(config-hc-nest3)# healthck nest4 icmp
ServerIron(config-hc-nest4)# dest-ip 1.1.1.40
The commands above configure four element-action expressions, one for each IP address. The following
commands configure two health-check policies, each of which contains two of the IP addresses.
ServerIron(config-hc-nest4)# healthck nested1 boolean
ServerIron(config-hc-nested1)# or nest1 nest2
ServerIron(config-hc-nested1)# healthck nested2 boolean
ServerIron(config-hc-nested2)# or nest3 nest4
The following command creates a health-check policy that contains the two policies configured above. The result
is a single health-check policy for all four IP addresses.
ServerIron(config-hc-nested2)# healthck check1 boolean
ServerIron(config-hc-check1)# or nested1 nested2
In this example, the OR logical operator is used in all the policies. Thus, the "check1" health check is successful if
at least one of the four IP addresses responds. To create more restrictive policies, you can use the AND logical
operator. For example, if the AND operator is used in this configuration instead of OR, the health check is
successful only if all four IP addresses respond.
You also can combine policies that use AND with policies that use OR in nested health-check policies.
After you configure logical expressions, you can bind them to application ports on VIPs. A health-check policy
does not take effect until you bind the policy to an application port on a VIP.
To bind a health-check policy to an application port on a VIP, enter commands such as the following:
ServerIron(config)# server virtual-name VIP1 1.1.1.1
ServerIron(config-vs-VIP1)# port http healthck Router2
This command configures virtual IP address VIP1 to use the heath-check policy named "Router2" to check the
health of HTTP (port 80) for the VIP.
The <tcp/udp-portnum> parameter specifies a TCP or UDP application port. The <policy-name> parameter
specifies the health-check policy you want to use to check the Layer 3 health of a device associated with the
application port.
Possible values: See above
Default value: None configured
Any one of the servers fails its health check (individual health checks combined using the AND condition): In this
case, all servers in the policy must pass their health checks. Otherwise, the ServerIron considers all of the
servers to have failed the health checks and brings down the application on all servers that are checked by
the policy.
All of the servers fail their health checks (individual health checks combined using the OR condition): In this
case, an application port remains up as long as at least one of the servers checked by the policy passes its
health check.
Element-action expression: An element-action expression consists of the IP address of the server, the Layer
4 protocol (TCP or UDP), and the application port on the server. For some applications, the element-action
expression can also include Layer 7 application-specific health check information.
Logical expression: A logical expression is a set of element-action expressions joined by the Boolean
operators OR and AND.
To create a health-check policy that is successful if at least one of the applications passes its health
check, use OR.
To configure a health-check policy that is successful only if the ServerIron receives a successful reply
from all servers and application ports in the policy, use the operator AND.
You can use the same element-action expressions in multiple logical expressions if desired. You can configure up
to 254 health-check policies.
To use a health-check policy:
1. Configure the health-check policy using element-action expressions and logical expressions joined by the
operators AND or OR.
2. Attach logical expressions to application ports on specific real servers. A health-check policy does not take
effect until you attach it to an application port on a server.
NOTE: A health-check policy does not take effect (begin sending health check packets) until you attach the
policy to an application port on a real server.
EXAMPLE:
Configuring an Element-Action Expression
To configure an element-action expression, enter commands such as the following. The commands in this
example specify the IP address of the real server and the application port on the server.
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port http
These commands change the CLI to the configuration level for an element-action expression, then specify the IP
address of the real server and the application port on the server. Since the specified application is well-known to
the ServerIron, the ServerIron automatically associates the default health check parameters for the port with the
element-action expression. In this example, the port is HTTP (80), so the ServerIron associates the default HTTP
health check parameters with the element-action expression. By default, the ServerIron sends a HEAD request
for the default page, 1.0.
NOTE: If you do not specify the server IP address and the application port, the ServerIron will list the status of
the health check as FALSE (failed).
To configure an element-action expression for a port number that is not well-known to the ServerIron, enter
commands such as the following:
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port 8080
ServerIron(config-hc-check1)# protocol http
These commands configure an element-action expression for unknown port 8080 and associate the default health
check parameters for port 80 with the unknown port. To customize the Layer 7 health check parameters for a port,
add the information with the protocol command, as in the following example:
ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port 8080
ServerIron(config-hc-check1)# protocol http url "GET /sales.html"
The protocol command in this example changes the Layer 7 health check parameters for this HTTP port to a GET
request for a page named "sales.html".
dns: port 53
ftp: port 21. (Ports 20 and 21 both are FTP ports but in the ServerIron, the name ftp corresponds to port
21.)
http: port 80
radius-old: the ServerIron name for UDP port 1645, which is used in some older RADIUS implementations
instead of port 1812
smtp: port 25
telnet: port 23
tftp: port 69
NOTE: If you enter the no port <tcp/udp-port> command to remove the port, the ServerIron also removes the
protocol <tcp/udp-port> command (see below) if the port is well-known to the ServerIron. This is because the
ServerIron automatically uses the protocol that matches the well-known port. Otherwise, the ServerIron does not
remove the protocol. You must remove it separately.
This command changes one of the following HTTP health-check parameters. To change more than one of these
parameters, enter a separate protocol http or protocol 80 command for each parameter.
url [GET | HEAD] [/]<URL-page-name>: This parameter specifies whether the HTTP health check
performs a GET request or a HEAD request. For GET requests, you can specify the page that is requested.
By default, a GET request asks for page 1.0.
port http status_code <range> [<range>[<range>[<range>]]]: This parameter changes the HTTP status
codes that the ServerIron will accept as valid responses. Each <range> specifies the low number and high
number in a range of status codes. You can specify up to four ranges (a total of eight values). To specify a
single status code for a range, enter the code twice. For example, to specify 200 only, enter the following
command: port http status_code 200 200. For SLB, the default status code range is 200 through 299. If the
server's reply to the health check contains a status code within this range, the ServerIron considers the HTTP
application to be healthy.
content-match <matching-list-name>: This parameter attaches a match list for an HTTP content verification
health check to the real server. An HTTP content verification health check is a type of Layer 7 health check in
which the ServerIron examines text in an HTML file sent by a real server in response to an HTTP keepalive
request. The ServerIron searches the text in the HTML file for user-specified selection criteria and
determines whether the HTTP port on the real server is alive based on what it finds. The selection criteria
used in HTTP content verification is contained in a matching list that is attached to one or more real servers.
The following is an example of the commands used to set up a matching list. For information on how to
configure the match lists, see the "Configuring HTTP Content Matching Lists" section in the "Configuring Port
and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.
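Added example (not from this reference and not Foundry code): a parser for the status_code argument list described above together with the decision it drives. It enforces the one-to-four low/high pairs (two to eight values), the "write a single code twice" convention, and the 200 through 299 default, then applies the result to a captured HTTP response. The request-line builder normalises the optional leading slash of the url parameter; that the probe speaks HTTP/1.0 is an assumption (the page only says "page 1.0"), as is restricting codes to the three-digit 100 through 599 range. The sample responses are constructed.

```python
"""Parse `port http status_code` ranges and judge a response (added example, not Foundry code)."""
from typing import List, Sequence, Tuple

DEFAULT_STATUS_RANGES: List[Tuple[int, int]] = [(200, 299)]   # SLB default per the reference


def parse_status_code_args(args: Sequence[str]) -> List[Tuple[int, int]]:
    """Turn the arguments of `port http status_code ...` into (low, high) pairs.

    Up to four pairs (eight values); a single code is written twice (200 200).
    An empty list yields the default 200-299. ASSUMPTION beyond the page: only
    three-digit HTTP status codes (100-599) are accepted.
    """
    if not args:
        return list(DEFAULT_STATUS_RANGES)
    if len(args) % 2 or len(args) > 8:
        raise ValueError("status_code takes one to four low/high pairs")
    ranges: List[Tuple[int, int]] = []
    for low_s, high_s in zip(args[0::2], args[1::2]):
        low, high = int(low_s), int(high_s)
        if not (100 <= low <= 599 and 100 <= high <= 599):
            raise ValueError(f"not an HTTP status code: {low} {high}")
        if low > high:
            raise ValueError(f"low {low} exceeds high {high}")
        ranges.append((low, high))
    return ranges


def status_accepted(code: int, ranges: Sequence[Tuple[int, int]]) -> bool:
    return any(low <= code <= high for low, high in ranges)


def request_line(method: str = "HEAD", page: str = "") -> bytes:
    """Build the probe's request line from `url [GET | HEAD] [/]<page>`.

    The leading slash is optional on the CLI, so it is normalised here.
    ASSUMPTION: the probe uses HTTP/1.0.
    """
    if method not in ("GET", "HEAD"):
        raise ValueError("method must be GET or HEAD")
    path = page if page.startswith("/") else "/" + page
    return f"{method} {path} HTTP/1.0\r\n".encode("ascii")


def status_from_response(raw: bytes) -> int:
    """Status code from the first line of an HTTP response, e.g. b'HTTP/1.0 200 OK'."""
    status_line = raw.split(b"\r\n", 1)[0]
    fields = status_line.split(b" ", 2)
    if len(fields) < 2 or not fields[0].startswith(b"HTTP/") or not fields[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(fields[1])


def http_check_passes(raw: bytes, status_args: Sequence[str] = ()) -> bool:
    """Does a captured response satisfy the configured status_code window?"""
    return status_accepted(status_from_response(raw), parse_status_code_args(status_args))


# CONSTRUCTED sample responses a real server might return to the probe.
RESP_OK = b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n"
RESP_REDIRECT = b"HTTP/1.0 302 Found\r\nLocation: /login\r\n\r\n"
RESP_ERROR = b"HTTP/1.0 503 Service Unavailable\r\n\r\n"

if __name__ == "__main__":
    print(request_line("GET", "sales.html"))
    print("default window, 302 :", http_check_passes(RESP_REDIRECT))
    print("200-299 + 301-302   :", http_check_passes(RESP_REDIRECT, ["200", "299", "301", "302"]))
```

A window that is too wide (for example 200 through 599) turns a server returning 503 into a "healthy" member and defeats the purpose of the check; widen it only for specific codes the application is known to return when healthy, such as a fixed redirect.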
addr_query "<name>" This parameter specifies a domain name to be requested from the real server by
the ServerIron. If the server successfully responds with the IP address for the domain name, the server
passes the health check. There is no default.
zone <zone-name> This parameter specifies a DNS zone name. The ServerIron sends a Start-of-Authority (SOA)
request for the zone name. If the server is authoritative for the zone and successfully
responds to the SOA request, the server passes the health check. There is no default.
NOTE: If you do not configure one of these parameters, the DNS port will fail the health check.
Syntax: [no] protocol radius | 1812 [username <string>] | [password <string>] | [key <string>]
This command changes one of the following RADIUS health-check parameters. The health check requests values
that are configured on the RADIUS server. To change more than one of these parameters, enter a separate
protocol radius or protocol 1812 command for each parameter.
February 2002
6 - 29
NOTE: The number of retries is the total number of attempts the ServerIron will make. Thus, if you use the
default interval and retries values, the ServerIron will send up to three health-check packets, at 5-second intervals.
If a server does not respond within 15 seconds of the time the ServerIron sent the first health-check packet, the
server fails the health check and the ServerIron concludes that the server is not available.
To change the interval for a health check, enter a command such as the following at the configuration level for the
element-action expression that contains the health check:
ServerIron(config-hc-check1)# interval 30
FTP port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name FTP corresponds
to port 21.)
HTTP port 80
SMTP port 25
TELNET port 23
The port is not well-known to the ServerIron but you used the protocol command to specify the protocol of
one of the well-known ports. By specifying the protocol, you configure the ServerIron to use the protocol's
Layer 7 health-check method for the port.
If the TCP port is not one of the ports above or you did not specify a Layer 7 health-check method (using the
protocol command), the ServerIron uses the Layer 4 health check for TCP.
NOTE: Changing the health-check type for UDP application ports has no effect. If the application port is
RADIUS (1812) or DNS (53) or uses the health-check method of one of these ports, the ServerIron uses a Layer 7
health check. Otherwise, the ServerIron uses the Layer 4 health check for UDP.
The Layer 7 health-check methods differ depending on the application, and are described in the "Health Check
Summary" section of the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron
Installation and Configuration Guide. The Layer 4 health checks are as follows:
TCP The ServerIron attempts to engage in a normal three-way TCP handshake with the port on the real
server:
The ServerIron sends a TCP SYN packet to the port on the real server.
The ServerIron expects the real server to respond with a SYN ACK.
If the ServerIron receives the SYN ACK, the ServerIron sends a TCP RESET, satisfied that the TCP port
is alive.
UDP The ServerIron sends a UDP packet with garbage (meaningless) data to the UDP port.
If the server responds with an ICMP Port Unreachable message, the ServerIron concludes that the port
is not alive.
If the server does not respond at all, the ServerIron assumes that the port is alive and received the
garbage data. Since UDP is a connectionless protocol, the ServerIron and other clients do not expect
replies to data sent to a UDP port. Thus, lack of a response is a good outcome.
ServerIron(config-hc-check1)# l4-check
The command in this example configures the ServerIron to use the Layer 4 health check for the application port in
the element-action expression. Since the application port in this element-action expression is HTTP, the
ServerIron will use the Layer 4 health check for TCP.
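The two Layer 4 probes described above, as an added example in Python run against the loopback interface so that it is self-contained; this is illustrative code, not the ServerIron implementation. The TCP probe relies on the kernel's handshake and uses a zero-linger close to send a RST rather than a FIN; the UDP probe sends garbage and treats ICMP Port Unreachable (delivered as ECONNREFUSED on a connected UDP socket) as "dead" and silence as "alive". The listener and the "quiet" UDP socket are constructed for the demonstration.

```python
# Added example (not ServerIron code): the Layer 4 TCP and UDP probes
# described above, run against loopback so the example is self-contained.
import socket
import struct
import threading

HOST = "127.0.0.1"


def tcp_port_alive(host: str, port: int, timeout: float = 1.0) -> bool:
    """SYN -> SYN/ACK -> RST. The kernel sends the SYN; a completed
    connect() means the SYN/ACK arrived. SO_LINGER with a zero timeout
    makes close() send a RST instead of a FIN, as the ServerIron does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:             # refused (RST to the SYN) or timed out
        s.close()
        return False
    s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    s.close()
    return True


def udp_port_alive(host: str, port: int, timeout: float = 0.5) -> bool:
    """Send garbage. ICMP Port Unreachable surfaces as ECONNREFUSED on a
    connected UDP socket and means dead; silence means alive. This is the
    weakness the text implies: a host that silently drops the probe, or a
    firewall that swallows the ICMP, also looks alive."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00garbage\xff")
        s.recv(1)               # only here to surface the ICMP error
    except ConnectionRefusedError:
        return False
    except socket.timeout:
        return True
    except OSError:
        return False
    finally:
        s.close()
    return True                 # something answered: certainly alive


def free_port(kind: int) -> int:
    """Find a loopback port nothing listens on (bound and released)."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_tcp_listener():
    """Background listener that accepts and immediately closes; returns (port, stop)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:
                break
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def run_checks() -> dict:
    """Exercise all four outcomes on loopback and return the verdicts."""
    port, stop = start_tcp_listener()
    quiet = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    quiet.bind((HOST, 0))       # bound but never replies: looks alive
    try:
        return {
            "tcp_open": tcp_port_alive(HOST, port),
            "tcp_closed": tcp_port_alive(HOST, free_port(socket.SOCK_STREAM)),
            "udp_closed": udp_port_alive(HOST, free_port(socket.SOCK_DGRAM)),
            "udp_silent": udp_port_alive(HOST, quiet.getsockname()[1]),
        }
    finally:
        stop()
        quiet.close()


if __name__ == "__main__":
    print(run_checks())
```

The udp_silent case is worth noting when you rely on the Layer 4 UDP check: a server whose UDP application has hung but whose socket is still bound passes, which is why the text steers RADIUS and DNS ports to their Layer 7 checks.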
These commands configure a health-check policy that uses the element-action expressions "check1" and
"check2". Since the AND operator is used, the real servers in both "check1" and "check2" must reply successfully
for the health check to be successful. If only one of the servers replies, the health check is unsuccessful and the
ServerIron stops using all the server application ports in the health-check policy "httpsrvr".
If you specify and, the policy evaluates to true only if all elements (IP addresses) respond to the health check.
If you specify or, the policy is true if at least one of the elements responds to the health check.
hostname
Changes the hostname field to more easily identify the ServerIron within the network. By default, a ServerIron will
be identified as ServerIron in the CLI command prompt.
EXAMPLE:
To change the hostname to TCSserver1 from the ServerIron default, enter the following:
ServerIron(config)# hostname TCSserver1
TCSserver1(config)#
http match-list
This command is used in conjunction with the HTTP content verification health check feature on the ServerIron.
This command assigns a name to an HTTP matching list and enters the HTTP matching list CONFIG level.
EXAMPLE:
To create an HTTP matching list name named m1:
ServerIron(config)# http match-list m1
interface ethernet
Accesses the interface CONFIG level of the CLI. You can define a physical or virtual interface (ve) at this level.
EXAMPLE:
To change the configuration for port 1 on a Stackable device, enter the following:
ServerIron(config)# inter e 1
ServerIron(config-if-1)#
NOTE: To change the port for a Chassis device, you also need to enter the slot number of the module on which
the port resides.
EXAMPLE:
To change the configuration for port 1 on slot 4 of a Chassis device, enter the following:
ServerIron(config)# inter e 4/1
ServerIron(config-if-4/1)#
ip access-list
Configures a named IP ACL. The commands for configuring named ACL entries are different from the commands
for configuring numbered ACL entries. The command to configure a numbered ACL is access-list. The
command for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL entry,
you specify all the command parameters on the same command. When you configure a named ACL, you specify
the ACL type (standard or extended) and the ACL name with one command, which places you in the
configuration level for that ACL. Once you enter the configuration level for the ACL, the command syntax is the
same as the syntax for numbered ACL entries.
EXAMPLE:
To configure a named standard ACL entry:
ServerIron(config)# ip access-list standard Net1
ServerIron(config-std-nacl)# deny host 209.157.22.26 log
ServerIron(config-std-nacl)# deny 209.157.29.12 log
ServerIron(config-std-nacl)# deny host IPHost1 log
ServerIron(config-std-nacl)# permit any
ServerIron(config-std-nacl)# exit
ServerIron(config)# int eth 1/1
ServerIron(config-if-1/1)# ip access-group Net1 out
The commands in this example configure a standard ACL named Net1. The entries in this ACL deny packets
from three source IP addresses from being forwarded on port 1. Since the implicit action for an ACL is deny, the
last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries. For an
example of how to configure the same entries in a numbered ACL, see the Configuring Standard ACLs section of
the Using Access Control Lists (ACLs) chapter in the Foundry Switch and Router Installation and Basic
Configuration Guide.
Notice that the command prompt changes after you enter the ACL type and name. The std in the command
prompt indicates that you are configuring entries for a standard ACL. For an extended ACL, this part of the
command prompt is ext. The nacl indicates that you are configuring a named ACL.
EXAMPLE:
To configure a named extended ACL entry:
ServerIron(config)# ip access-list extended block Telnet
ServerIron(config-ext-nacl)# deny tcp host 209.157.22.26 any eq telnet log
ip address
Assigns an IP address and mask to a switch to support Telnet and SNMP management. Foundry devices support
both classical IP network masks (Class A, B, and C sub-net masks, and so on) and prefix masks.
To enter a classical network mask, enter the mask in IP address format. For example, enter
"209.157.22.99 255.255.255.0" for an IP address with a Class-C sub-net mask.
To enter a network mask using prefix addressing, enter a forward slash ( / ) and the number of bits in the
mask immediately after the IP address. For example, enter "209.157.22.99/24" for an IP address that has a
network mask with 24 significant ("mask") bits.
NOTE: If you need to add an additional IP address for network address translation (NAT), use the server
source-ip command. See server source-ip on page 6-82.
EXAMPLE:
ServerIron(config)# ip address 192.22.3.44 255.255.255.0
ip default-gateway
Assigns the default gateway address that a switch uses to reach Telnet and SNMP management stations on other sub-nets.
NOTE: This command is not available on Foundry routers.
EXAMPLE:
ServerIron(config)# ip default-gateway 192.22.33.100
ip dns domain-name
This command defines a default domain name on the ServerIron, so that users do not need to type the full
domain name: the configured domain is automatically appended to host names entered in commands.
EXAMPLE:
ServerIron(config)# ip dns domain-name newyork.com
ip dns server-address
Up to four DNS server addresses can be defined. The first address entered serves as the primary server
(207.95.6.199 in the example). If a query to the primary server is not resolved after three attempts, the next
server address is queried, again up to three times. This continues for each defined server address until a query
is resolved. The servers are polled in the order in which they were entered when initially defined, as shown in
the example.
EXAMPLE:
ServerIron(config)# ip dns server-address 207.95.6.199 205.96.7.1 208.95.7.25 201.98.7.15
ip filter
This command allows you to define layer 4 TCP/UDP filters for switches. Up to 1024 TCP/UDP filters can be
defined on a switch.
NOTE: Foundry plans to remove this command in a later software release and therefore recommends that you
do not use the command. Instead, always use Access Control Lists (ACLs). For ACL configuration information,
see the "Using Access Control Lists (ACLs)" chapter of the Foundry Switch and Router Installation and Basic
Configuration Guide.
Syntax: ip filter <index> permit | deny <src-ip-addr> | any <src-mask> | any <dst-ip-addr> | any <dst-mask> | any
<protocol> [established <operator> <port range>] [log]
Possible values: The <protocol> parameter can be ICMP, TCP, UDP, or a protocol number.
Default value: N/A
ip forward
Enables IP forwarding (Layer 3).
For complete configuration information, see the "Configuring IP Forwarding" chapter in the Foundry ServerIron
Installation and Configuration Guide.
EXAMPLE:
ServerIron(config)# ip forward
ip icmp burst
Causes the Foundry device to drop ICMP packets when excessive numbers are encountered, as is the case when
the device is the victim of a Smurf attack. This command allows you to set threshold values for ICMP packets
targeted at the router and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of ICMP packets received per second exceeds 5,000, the excess packets
are dropped. If the number of ICMP packets received per second exceeds 10,000, the device drops all ICMP
packets for the next 300 seconds (five minutes).
ServerIron(config)# ip icmp burst-normal 5000 burst-max 10000 lockup 300
If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.
If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for the number of
seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and
measurement is restarted.
Possible values: The burst-normal and burst-max values can be between 1 and 100000 packets. The burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 and 10000 seconds.
Default value: N/A
ip multicast
Enables IP Multicast Traffic Reduction on a Foundry switch. A switch can operate in either an active or passive IP
multicast mode. You must save changes to flash and reset (reload) the switch for the configuration changes to
become active. For more details on this feature, see the Foundry Switch and Router Installation and Basic
Configuration Guide.
If configured to be active, the switch will actively send out host queries to identify IP Multicast groups on the
network and insert this information in the IGMP packet. Routers in the network generally handle this operation.
If configured to be passive, the switch will only identify the packet as an IGMP packet and forward it accordingly.
EXAMPLE:
ServerIron(config)# ip multicast passive
ServerIron(config)# write memory
ServerIron(config)# end
ServerIron# reload
ip nat inside
Configures and enables Network Address Translation (NAT).
You can use this command to configure static NAT entries and dynamic NAT entries (by referring to an ACL and a
pool), and enable NAT.
EXAMPLE:
To configure static NAT for an IP address, enter commands such as the following:
ServerIron(config)# ip nat inside source static 10.10.10.69 209.157.1.69
The commands in this example statically map the private address 10.10.10.69 to the Internet address
209.157.1.69.
Syntax: [no] ip nat pool <pool-name> <start-ip> <end-ip> netmask <ip-mask> | prefix-length <length>
This command configures the address pool.
The <pool-name> parameter specifies the pool name. The name can be up to 255 characters long and can
contain special characters and internal blanks. If you use internal blanks, you must use quotation marks around
the entire name.
The <start-ip> parameter specifies the IP address at the beginning of the pool range. Specify the lowest-numbered IP address in the range.
The <end-ip> parameter specifies the IP address at the end of the pool range. Specify the highest-numbered IP
address in the range.
NOTE: The address range cannot contain any gaps. Make sure you own all the IP addresses in the range. If the
range contains gaps, you must create separate pools containing only the addresses you own.
The netmask <ip-mask> | prefix-length <length> parameter specifies a classical sub-net mask (example:
netmask 255.255.255.0) or the length of a Classless Interdomain Routing prefix (example: prefix-length 24).
The ServerIron supports up to 255 global IP addresses.
Syntax: [no] ip nat inside source list <acl-name-or-num> pool <pool-name> [overload]
This command associates a private address range with a pool of Internet addresses and optionally enables the
Port Address Translation feature.
The inside source parameter specifies that the translation applies to private addresses sending traffic to the
Internet (inside source).
The list <acl-name-or-num> parameter specifies a standard or extended ACL. You can specify a numbered or
named ACL.
NOTE: For complete standard and extended ACL syntax, see the Using Access Control Lists (ACLs) chapter of
the Foundry Switch and Router Installation and Basic Configuration Guide.
The pool <pool-name> parameter specifies the pool. You must create the pool before you can use it with this
command.
The overload parameter enables the Port Address Translation feature. Use this parameter if the IP address pool
does not contain enough addresses to ensure NAT for each private address. The Port Address Translation feature
conserves Internet addresses by mapping the same Internet address to more than one private address and using
a TCP or UDP port number to distinguish among the private hosts. The ServerIron supports up to 50 IP
addresses with this feature enabled.
EXAMPLE:
To enable NAT on the ServerIron, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# ip policy 1 cache tcp 0 global
ServerIron(config)# ip policy 2 cache udp 0 global
ServerIron(config)# ip nat inside
ip nat pool
Configures an address pool for dynamic NAT. See ip nat inside on page 6-36 for syntax information and a
configuration example.
ip nat translation
Changes the age timer for the specified type of NAT translation entry.
The NAT translation table contains all the currently active NAT translation entries on the device. An active entry is
one that the ServerIron created for a private address when that client at that address sent traffic to the Internet.
NAT performs the following steps to provide an address translation for a source IP address:
The feature looks in the NAT translation table for an active NAT entry for the translation. If the table contains
an active entry for the session, the ServerIron uses that entry.
If NAT does not find an active entry in the NAT translation table, NAT creates an entry and places the entry in
the table. The entry remains in the table until the entry times out.
Each NAT entry remains in the NAT translation table until the entry ages out. NAT translation table entries have
different default timeouts depending on the entry type.
Dynamic timeout This age timer applies to all entries (static and dynamic) that do not use Port Address
Translation. The default is 120 seconds.
UDP timeout This age timer applies to entries that use Port Address Translation based on UDP port
numbers. The default is 120 seconds.
TCP timeout This age timer applies to entries that use Port Address Translation based on TCP port
numbers. The default is 120 seconds.
NOTE: This timer applies only to TCP sessions that do not end gracefully, with a TCP FIN or TCP RST.
TCP FIN/RST timeout This age timer applies to TCP FIN (finish) and RST (reset) packets, which normally
terminate TCP connections. The default is 120 seconds.
NOTE: This timer is not related to the TCP timeout. The TCP timeout applies to packets to or from a host
address that is mapped to a global IP address and a TCP port number (Port Address Translation feature).
The TCP FIN/RST timeout applies to packets that terminate a TCP session, regardless of the host address or
whether Port Address Translation is used.
DNS timeout This age timer applies to connections to a Domain Name Server (DNS). The default is 120
seconds.
EXAMPLE:
To change the age timeout for all entries that do not use Port Address Translation to 1800 seconds (one half hour),
enter a command such as the following at the global CONFIG level of the CLI:
ServerIron(config)# ip nat translation timeout 1800
Syntax: [no] ip nat translation timeout | udp-timeout | tcp-timeout | finrst-timeout | dns-timeout <secs>
Use one of the following parameters to specify the dynamic entry type:
timeout All entries that do not use Port Address Translation. The default is 120 seconds.
udp-timeout Dynamic entries that use Port Address Translation based on UDP port numbers. The default
is 120 seconds.
tcp-timeout Dynamic entries that use Port Address Translation based on TCP port numbers. The default is
120 seconds.
finrst-timeout TCP FIN (finish) and RST (reset) packets, which normally terminate TCP connections. The
default is 120 seconds.
dns-timeout Connections to a Domain Name Server (DNS). The default is 120 seconds.
The <secs> parameter specifies the number of seconds. For each entry type, you can enter a value from 1 to
3600.
Possible values: 1 to 3600 seconds
Default value: 120 seconds
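The NAT translation table described above (ip nat pool, ip nat inside source list ... overload, and ip nat translation timeouts), modelled as an added example in Python; this is illustrative code, not the ServerIron implementation. It allocates one global address per private host from a contiguous pool, or one shared address distinguished by port number when overload is set, and ages entries with the per-type timers, using the 120-second defaults quoted in the text. The port-allocation order, the pool-exhaustion behaviour and the addresses are assumptions constructed for the example.

```python
# Added example (not ServerIron code): a model of the NAT translation table
# described above, with a global address pool, optional Port Address
# Translation ("overload") and the per-type age timers. Timeouts use the
# 120-second defaults quoted in the text.
from dataclasses import dataclass, field
import ipaddress

DEFAULT_TIMEOUTS = {"timeout": 120, "udp-timeout": 120, "tcp-timeout": 120,
                    "finrst-timeout": 120, "dns-timeout": 120}


def make_pool(start_ip: str, end_ip: str) -> list:
    """'ip nat pool': a contiguous range, lowest address first, at most 255."""
    lo = int(ipaddress.IPv4Address(start_ip))
    hi = int(ipaddress.IPv4Address(end_ip))
    if lo > hi:
        raise ValueError("start-ip must be the lowest address in the range")
    if hi - lo + 1 > 255:
        raise ValueError("the ServerIron supports up to 255 global addresses")
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


@dataclass
class Entry:
    inside: tuple          # (private ip, port)
    outside: tuple         # (global ip, port or None without PAT)
    kind: str              # which age timer applies
    last_seen: float


@dataclass
class NatTable:
    pool: list
    overload: bool = False
    timeouts: dict = field(default_factory=lambda: dict(DEFAULT_TIMEOUTS))
    entries: dict = field(default_factory=dict)

    def active(self, now: float) -> int:
        """Age out expired entries and return how many remain."""
        for key in [k for k, e in self.entries.items()
                    if now - e.last_seen >= self.timeouts[e.kind]]:
            del self.entries[key]
        return len(self.entries)

    def _allocate(self, key, src_ip, src_port, kind):
        used = {e.outside for e in self.entries.values()}
        if self.overload:
            # PAT: one global address shared, distinguished by port number
            # (ascending from 1024 is this example's choice, not the device's).
            gip = self.pool[0]
            for port in range(1024, 65536):
                if (gip, port) not in used:
                    self.entries[key] = Entry((src_ip, src_port), (gip, port), kind, 0.0)
                    return self.entries[key]
            return None
        for gip in self.pool:          # one global address per private host
            if (gip, None) not in used:
                self.entries[key] = Entry((src_ip, src_port), (gip, None), kind, 0.0)
                return self.entries[key]
        return None                    # pool exhausted

    def translate(self, src_ip, src_port, proto, now, fin_or_rst=False):
        """Return the (global ip, port) for this packet, or None if no
        address is available. A FIN/RST moves the entry to the FIN/RST timer."""
        if proto not in ("tcp", "udp"):
            raise ValueError("proto must be 'tcp' or 'udp'")
        self.active(now)
        if self.overload:
            key, kind = (src_ip, src_port, proto), f"{proto}-timeout"
        else:
            key, kind = (src_ip,), "timeout"
        entry = self.entries.get(key) or self._allocate(key, src_ip, src_port, kind)
        if entry is None:
            return None
        entry.last_seen = now
        if fin_or_rst and proto == "tcp":
            entry.kind = "finrst-timeout"
        return entry.outside
```

Without overload the third private host gets no translation once the two-address pool is in use, which is the situation the overload parameter exists for; with overload the same global address serves every host and the FIN/RST timer releases the port sooner than the TCP timer would.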
ip policy
Enables TCS or firewall load balancing. You can enable these features globally or on individual ports. If you want
to enable them on individual ports, you must also use the ip-policy command at the interface level.
See ip-policy on page 8-6.
EXAMPLE:
To globally enable TCS, enter the following command:
ServerIron(config)# ip policy 1 cache tcp 80 global
EXAMPLE:
To locally enable firewall load balancing on port 9, enter the following commands:
ServerIron(config)# ip policy 1 fw tcp 0 local
ServerIron(config)# ip policy 2 fw udp 0 local
ServerIron(config)# int e 9
ServerIron(config-if-9)# ip-policy 1
ServerIron(config-if-9)# ip-policy 2
Syntax: ip policy <index> cache | fw | high | normal tcp | udp <tcp/udp-portnum> global | local
NOTE: When enabling firewall load balancing, you must specify "0" for the <tcp/udp-portnum> parameter. This
value allows all ports of the specified type (TCP or UDP).
Possible values: N/A
Default value: Disabled
ip route
Configures a static IP route for IP forwarding.
NOTE: This command applies only to IP forwarding (Layer 3 IP). To add a default gateway address if you are not
using IP forwarding, see ip default-gateway on page 6-34.
NOTE: The software places the static route in the IP route table only if the virtual routing interface is up.
EXAMPLE:
ServerIron(config)# ip route 209.157.2.0 255.255.255.0 192.168.2.1
This command adds a static IP route to the 209.157.2.x/24 sub-net.
ip show-subnet-length
Changes display of network mask information from class-based notation (xxx.xxx.xxx.xxx) to Classless
Interdomain Routing (CIDR) notation. By default the ServerIron displays network mask information in class-based
notation.
EXAMPLE:
ServerIron(config)# ip show-subnet-length
ip ssh authentication-retries
Sets the number of SSH authentication retries.
EXAMPLE:
The following command changes the number of authentication retries to 5:
ServerIron(config)# ip ssh authentication-retries 5
ip ssh key-size
Sets the SSH key size.
EXAMPLE:
The following command changes the server RSA key size to 896 bits:
ServerIron(config)# ip ssh key-size 896
ip ssh password-authentication
Disables SSH password authentication.
After the SSH server on the Foundry device negotiates a session key and encryption method with the connecting
client, user authentication takes place. Of the methods of user authentication available in SSH, Foundry's
implementation of SSH supports password authentication only.
With password authentication, users are prompted for a password when they attempt to log into the device (unless
empty password logins are allowed; see ip ssh permit-empty-passwd). If there is no user account that
matches the user name and password supplied by the user, the user is not granted access.
You can deactivate password authentication for SSH. However, since password authentication is the only user
authentication method supported for SSH, this means that no user authentication is performed at all. Deactivating
password authentication essentially disables the SSH server entirely.
EXAMPLE:
To deactivate password authentication:
ServerIron(config)# ip ssh password-authentication no
ip ssh permit-empty-passwd
Enables empty password SSH logins. By default, empty password logins are not allowed. This means that users
with an SSH client are always prompted for a password when they log into the device. To gain access to the
device, each user must have a user name and password. Without a user name and password, a user is not
granted access. See the Foundry Switch and Router Installation and Basic Configuration Guide for information on
setting up user names and passwords on Foundry devices.
If you enable empty password logins, users are not prompted for a password when they log in. Any user with an
SSH client can log in without being prompted for a password.
EXAMPLE:
To enable empty password logins:
ServerIron(config)# ip ssh permit-empty-passwd yes
ip ssh port
Changes the TCP port used for SSH. By default, SSH traffic occurs on TCP port 22. You can change this port
number.
EXAMPLE:
The following command changes the SSH port number to 2200:
ServerIron(config)# ip ssh port 2200
Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port.
Also, you should be careful not to assign SSH to a port that is used by another service. If you change the SSH
port number, Foundry recommends that you change it to a port number greater than 1024.
ip ssh pub-key-file
Causes a public key file to be loaded onto the Foundry device.
EXAMPLE:
To cause a public key file called pkeys.txt to be loaded from the Management IV module's PCMCIA flash card
each time the Foundry device is booted, enter the following command:
ServerIron(config)# ip ssh pub-key-file slot1 pkeys.txt
ip ssh rsa-authentication
Disables or re-enables RSA challenge-response authentication.
EXAMPLE:
To disable RSA challenge-response authentication:
ServerIron(config)# ip ssh rsa-authentication no
ip ssh scp
Disables or re-enables Secure Copy (SCP).
EXAMPLE:
To disable SCP:
ServerIron(config)# ip ssh scp disable
ip ssh timeout
Changes the SSH timeout value. When the SSH server attempts to negotiate a session key and encryption
method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no
response from the client after 120 seconds, the SSH server disconnects.
EXAMPLE:
ServerIron(config)# ip ssh timeout 60
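A check over a saved configuration for the ip ssh settings discussed above, as an added example in Python (not a Foundry tool). The findings for permit-empty-passwd, password-authentication and port restate what the text says about those commands; the minimum RSA key size is this script's assumption, not a vendor limit, and both configuration fragments are constructed.

```python
# Added example (not a Foundry tool): audit the SSH settings discussed above
# in a saved configuration. Three findings restate what the text says about
# each command; the key-size floor is this script's assumption.
MIN_KEY_BITS = 1024   # assumption for this check, not a vendor limit


def audit_ssh_config(config_text: str, min_key_bits: int = MIN_KEY_BITS) -> list:
    """Return (command, explanation) pairs for each weak 'ip ssh' line."""
    findings = []
    for raw in config_text.splitlines():
        toks = raw.split()
        if len(toks) < 3 or toks[:2] != ["ip", "ssh"]:
            continue
        cmd = toks[2]
        arg = toks[3] if len(toks) > 3 else ""
        if cmd == "permit-empty-passwd" and arg == "yes":
            findings.append((cmd, "any SSH client can log in without a password"))
        elif cmd == "password-authentication" and arg == "no":
            findings.append((cmd, "the only SSH user authentication method is off; "
                                  "the SSH server is effectively disabled"))
        elif cmd == "key-size" and arg.isdigit() and int(arg) < min_key_bits:
            findings.append((cmd, f"RSA key size {arg} is below the {min_key_bits}-bit floor"))
        elif cmd == "port" and arg.isdigit() and 0 < int(arg) <= 1024 and int(arg) != 22:
            findings.append((cmd, f"SSH on port {arg}; Foundry recommends a port above 1024"))
    return findings


# Constructed configuration fragments (not from a real device).
WEAK_CONFIG = """\
hostname TCSserver1
ip ssh permit-empty-passwd yes
ip ssh key-size 896
ip ssh port 443
ip ssh timeout 60
"""

# 2048-bit key size is assumed to be accepted by the device.
HARDENED_CONFIG = """\
hostname TCSserver1
ip ssh key-size 2048
ip ssh port 2200
ip ssh authentication-retries 3
ip ssh timeout 60
"""
```

Run it against the output of a show configuration before the device goes into service; the empty-password and password-authentication findings are the ones that matter most, since either removes the only user authentication the SSH server performs.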
ip strict-acl-mode
Enables the strict ACL TCP mode.
By default, when you use ACLs to filter TCP traffic, the Foundry device does not compare all TCP packets against
the ACLs. Instead, the device compares TCP control packets against the ACLs, but not data packets. Control
packets include packet types such as SYN (Synchronization) packets, FIN (Finish) packets, and RST (Reset)
packets.
In normal TCP operation, TCP data packets are present only if a TCP control session for the packets also is
established. For example, data packets for a session never occur if the TCP SYN for that session is dropped.
Therefore, by filtering the control packets, the Foundry device also implicitly filters the data packets associated
with the control packets. This mode of filtering optimizes forwarding performance for TCP traffic by forwarding
data packets without examining them. Since the data packets are present in normal TCP traffic only if a
corresponding TCP control session is established, comparing the packets for the control session to the ACLs is
sufficient for filtering the entire session including the data.
However, it is possible to generate TCP data packets without corresponding control packets, in test or research
situations for example, or deliberately by crafting packets. In this case, the default ACL mode does not filter the
data packets, since there is no corresponding control session to filter. To filter this type of TCP traffic, use the
strict ACL TCP mode. This mode compares all TCP packets to the configured ACLs, regardless of whether the
packets are control packets or data packets.
Regardless of whether the strict mode is enabled or disabled, the device always compares TCP control packets
against the configured ACLs.
NOTE: If the device's configuration currently has ACLs associated with interfaces, remove the ACLs from the
interfaces before changing the ACL mode.
EXAMPLE:
To enable the strict ACL TCP mode, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# ip strict-acl-mode
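An added example in Python serving both the named standard ACL example (ip access-list, above) and ip strict-acl-mode: a small evaluator for permit/deny entries with the implicit deny, applied to TCP segments first in the default mode, where only SYN/FIN/RST segments are compared against the ACL, and then in strict mode, where every segment is. This is illustrative code, not the Foundry implementation; the bare-address entry is treated as a single host (an assumption), the host-name entry from the original example is omitted, and the traffic records are constructed.

```python
# Added example (not Foundry code) serving both the 'ip access-list' example
# and 'ip strict-acl-mode' above: a standard-ACL evaluator with the implicit
# deny, applied to TCP segments in default mode (control packets only) and
# in strict mode (every packet). The packet records are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}


CONTROL_FLAGS = {"SYN", "FIN", "RST"}


def parse_standard_acl(lines):
    """Accept 'permit|deny any', 'permit|deny host A.B.C.D' and a bare
    'permit|deny A.B.C.D' (treated as a single host here, an assumption);
    a trailing 'log' keyword is accepted and ignored."""
    acl = []
    for line in lines:
        toks = line.split()
        if toks and toks[-1] == "log":
            toks = toks[:-1]
        if len(toks) < 2 or toks[0] not in ("permit", "deny"):
            raise ValueError(f"cannot parse ACL entry {line!r}")
        if toks[1] == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif toks[1] == "host":
            net = ipaddress.ip_network(toks[2] + "/32")
        else:
            net = ipaddress.ip_network(toks[1] + "/32")
        acl.append((toks[0], net))
    return acl


def acl_permits(acl, src_ip: str) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in acl:
        if ip in net:
            return action == "permit"
    return False


def forwarded(acl, seg: Segment, strict: bool = False) -> bool:
    """Default mode consults the ACL only for SYN/FIN/RST segments and
    forwards pure data segments unexamined; strict mode checks every segment."""
    if not strict and not (seg.flags & CONTROL_FLAGS):
        return True
    return acl_permits(acl, seg.src)


NET1 = parse_standard_acl([
    "deny host 209.157.22.26 log",
    "deny 209.157.29.12 log",
    "permit any",
])

# Constructed traffic: a handshake attempt from a denied host, a crafted
# data-only segment from the same host that never completed a handshake,
# and a handshake from a host the ACL permits.
SYN_FROM_DENIED = Segment("209.157.22.26", "10.1.1.5", frozenset({"SYN"}))
DATA_FROM_DENIED = Segment("209.157.22.26", "10.1.1.5", frozenset({"ACK", "PSH"}))
SYN_FROM_PERMITTED = Segment("10.9.9.9", "10.1.1.5", frozenset({"SYN"}))
```

DATA_FROM_DENIED is the case the text describes: in the default mode it is forwarded because the device never saw (and never had to block) a SYN for it, and only strict mode compares it against Net1.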
ip tcp burst
Causes the Foundry device to drop TCP SYN packets when excessive numbers are encountered, as is the case
when the device is the victim of a TCP SYN attack. This command allows you to set threshold values for TCP
SYN packets targeted at the router and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of TCP SYN packets received per second exceeds 10, the excess packets
are dropped. If the number of TCP SYN packets received per second exceeds 100, the device drops all TCP SYN
packets for the next 300 seconds (five minutes).
ServerIron(config)# ip tcp burst-normal 10 burst-max 100 lockup 300
If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are
dropped.
If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the
number of seconds specified by the lockup value. When the lockup period expires, the packet counter is
reset and measurement is restarted.
Possible values: The burst-normal and burst-max values can be between 1 and 100000 packets. The burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 and 10000 seconds.
Default value: N/A
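The burst-normal / burst-max / lockup logic shared by ip icmp burst (above) and ip tcp burst, modelled as an added example in Python; this is illustrative code, not Foundry's. The one-second counting window follows the "packets received per second" wording, and the exact moment at which the counter restarts after lockup is an assumption.

```python
# Added example (not Foundry code): the burst-normal / burst-max / lockup
# behaviour described for 'ip icmp burst' and 'ip tcp burst', modelled as a
# per-second packet counter. The one-second window is an assumption drawn
# from the "packets received per second" wording.
import math


class BurstGuard:
    def __init__(self, burst_normal: int, burst_max: int, lockup: int):
        if not (1 <= burst_normal < burst_max <= 100000) or not (1 <= lockup <= 10000):
            raise ValueError("burst-normal < burst-max, both 1-100000; lockup 1-10000")
        self.normal, self.max, self.lockup = burst_normal, burst_max, lockup
        self.window = None          # integer second currently being counted
        self.count = 0
        self.locked_until = None    # absolute time the lockup ends, or None

    def offer(self, now: float) -> bool:
        """Return True if a packet arriving at time `now` is forwarded."""
        if self.locked_until is not None:
            if now < self.locked_until:
                return False            # lockup: every packet is dropped
            self.locked_until = None    # lockup expired: counter restarts
            self.window = None
        sec = math.floor(now)
        if sec != self.window:
            self.window, self.count = sec, 0
        self.count += 1
        if self.count > self.max:       # burst-max exceeded: start lockup
            self.locked_until = now + self.lockup
            return False
        return self.count <= self.normal   # excess over burst-normal is dropped


def replay(guard: BurstGuard, arrivals) -> list:
    """Feed a list of arrival times through the guard; returns the verdicts."""
    return [guard.offer(t) for t in arrivals]
```

With the ICMP example values (5000/10000/300) the same logic applies; the small numbers below just keep the replay short. Note that an attacker who can push the rate past burst-max also denies the protocol to legitimate senders for the whole lockup period, so set burst-max with that trade-off in mind.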
ip tcp conn-rate
Configures the ServerIron 400 or ServerIron 800 to log information about the TCP connection rate and attack rate
on the device.
EXAMPLE:
ServerIron(config)# ip tcp conn-rate conn-rate 10000 attack-rate 10000
The ServerIron logs a message in each of the following cases:
If the connection rate or attack rate on the ServerIron reaches 80% of the configured threshold.
If the connection rate or attack rate is still between 80% and 100% of the configured threshold 6 minutes after
the last message.
If the connection rate or attack rate exceeds 100% of the configured threshold.
If the connection rate or attack rate exceeds 100% of the configured threshold, and has gone up by the
configured rate change percentage.
One minute after the last message indicating that the connection rate or attack rate still exceeds 100% of the
configured threshold, and has gone up by the configured rate change percentage.
Three minutes after the last message, if the connection rate or attack rate is still between 80% and 100% of
the configured threshold, and has gone up by the configured rate change percentage.
ip tcp conn-rate-change
Configures thresholds for the TCP connection rate and attack rate change, used in conjunction with the ip tcp
conn-rate command on the ServerIron 400 or ServerIron 800.
EXAMPLE:
ServerIron(config)# ip tcp conn-rate-change conn-rate 50 attack-rate 100
ip tcp syn-proxy
Activates the SYN-Guard feature, which completes the TCP three-way handshake on behalf of a connecting
client, and sets the amount of time the ServerIron 400 or ServerIron 800 waits for the client to send an ACK.
EXAMPLE:
ServerIron(config)# ip tcp syn-proxy 12
ip ttl
Sets the maximum time that a packet will live on the network.
EXAMPLE:
ServerIron(config)# ip ttl 25
ip-proto
This command creates an IP protocol VLAN on a switch or router.
When creating an IP protocol VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IP protocol VLAN. VLAN port membership must be assigned
using the static command, as shown in the example below. Because no dynamic port assignment is made for IP
Protocol VLANs on a router, there is no need to exclude any ports, only specify membership with the static
command.
An IP protocol and IP sub-net VLAN cannot operate simultaneously on a Foundry switch or router. This restriction
is also true for IPX and IPX network VLANs. If you have previously defined an IP sub-net VLAN on the system,
you need to delete it before an IP protocol VLAN can be created.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IP protocol VLAN, enter the following:
ServerIron(config)# ip-proto
ServerIron(config-ip-proto)# static e1 to 2 e6 e8
Syntax: ip-proto
Possible values: N/A
Default value: N/A
ip-subnet
Creates an IP sub-net protocol VLAN on a switch or router. This gives finer granularity than an IP protocol VLAN
by allowing broadcast domains to be partitioned by sub-net. As with the IP protocol VLAN, port membership can
be modified using the static commands. In creating an IP sub-net VLAN, an IP address is used as an identifier.
When creating an IP sub-net VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IP sub-net VLAN. VLAN port membership must be assigned
using the static command, as shown in the example below. Because no dynamic port assignment is made for IP
sub-net VLANs on a router, there is no need to exclude any ports, only specify membership with the static
command.
NOTE: An IP Protocol and IP sub-net VLAN cannot operate simultaneously on a Foundry switch or router. This
restriction is also true for IPX and IPX network VLANs. If you have previously defined an IP protocol VLAN on the
system, you need to delete it before an IP sub-net VLAN can be created.
EXAMPLE:
To create an IP sub-net of IP address 192.75.3.0 with permanent port membership of 1 and 2, enter the following
commands.
ServerIron(config)# ip-subnet 192.75.3.0 255.255.255.0
ServerIron(config-ip-subnet)# static e1 to 2
ServerIron(config-ip-subnet)# exit
ipx-network
Creates an IPX network protocol VLAN on a switch or router. This gives finer granularity than an IPX protocol
VLAN by partitioning broadcast domains by IPX network number. The frame type must also be specified when
creating the IPX network VLAN.
When creating an IPX network VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IPX network VLAN. VLAN port membership must be
assigned using the static command, as shown in the example below. Because no dynamic port assignment is
made for IPX network VLANs on a router, there is no need to exclude any ports, only specify membership with the
static command.
NOTE: An IPX protocol and IPX network VLAN cannot operate simultaneously on a Foundry switch or router.
This restriction is also true for IP and IP sub-net VLANs. If you have previously defined an IPX protocol VLAN on
the system, you need to delete it before an IPX network VLAN can be created.
EXAMPLE:
To create an IPX network VLAN with a network number of 500 and frame type of 802.2 with permanent port
membership of 10 and 14, enter the following commands.
ServerIron(config)# ipx-network 500 ethernet_802.2
ServerIron(config-ipx-proto)# static e10 e14
ServerIron(config-ipx-proto)# exit
ipx-proto
This command creates an IPX protocol VLAN on a switch or router.
When creating an IPX protocol VLAN on a switch, all ports are dynamically assigned to the VLAN.
On a router, no ports are dynamically assigned to an IPX protocol VLAN. VLAN port membership must be
assigned using the static command, as shown in the example below. Because no dynamic port assignment is
made for IPX protocol VLANs on a router, there is no need to exclude any ports, only specify membership with the
static command.
NOTE: An IPX protocol and IPX network VLAN cannot operate simultaneously on a Foundry switch or router.
This restriction is also true for IP and IP sub-net VLANs. If you have previously defined an IPX network VLAN on
the system, you need to delete it before an IPX protocol VLAN can be created.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IPX protocol VLAN, enter the following:
ServerIron(config)# ipx-proto
ServerIron(config-ipx-proto)# static e1 to 2 e6 e8
ServerIron(config-ipx-proto)# exit
Syntax: ipx-proto
Possible values: N/A
Default value: N/A
lock-address ethernet
Limits the number of MAC addresses, and therefore devices, that can use a specific port. Access violations are
reported by SNMP traps.
EXAMPLE:
ServerIron(config)# lock e2 addr 15
ServerIron(config-if)# end
ServerIron# write memory
logging
The logging commands enable or disable logging, configure the size of the local log buffer, and specify a SyslogD
server.
EXAMPLE:
To disable logging of SNMP traps to a locally saved event log, enter the following command:
ServerIron(config)# no logging on
To re-enable logging, enter the following command:
ServerIron(config)# logging on
mac-age-time
Sets the aging period for all address entries in the switch or router address table.
EXAMPLE:
ServerIron(config)# mac-age 600
mac filter
Allows you to define filters for Layer 2 filtering on MAC addresses. After you define the filters, you can apply them
to individual interfaces using the mac filter-group command. See mac filter-group on page 8-10.
NOTE: You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use ACLs. See
the "Using Access Control Lists (ACLs)" chapter in the Foundry Switch and Router Installation and Basic
Configuration Guide. The standard and extended ACLs described in that chapter are supported on the
ServerIron.
EXAMPLE:
To configure and apply a MAC filter, enter commands such as the following:
ServerIron(config)# mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any etype eq 806
ServerIron(config)# mac filter 1024 permit any any
ServerIron(config)# int e 1/1
ServerIron(config-if-1/1)# mac filter-group 1
These commands configure a filter to deny ARP traffic with a source MAC address that begins with 3565 to any
destination. The second filter permits all traffic that is not denied by another filter.
NOTE: Once you define a MAC filter, the device drops Layer 2 traffic that does not match a MAC permit filter.
Syntax: mac filter <filter-num> permit | deny <src-mac> <mask> | any <dest-mac> <mask> | any
etype | llc | snap eq | gt | lt | neq <frame-type>
Possible values:
The <filter-num> is 1 to 64 (64 is the default system-max setting). If you use the system-max mac-filter-sys
command, you can increase the maximum number of MAC filters supported to 128 for global filter definitions.
The permit | deny argument determines the action the software takes when a match occurs.
The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address
value and a comparison mask, or the keyword any to filter on all MAC addresses. Specify the mask using f's
(ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask
ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes and
accepts any value for the remaining bytes. If you specify any, do not specify a mask; the filter then matches on
all MAC addresses.
The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same
as those for the <src-mac> <mask> | any parameter.
Use the etype | llc | snap argument if you want to filter on information beyond the source and destination address.
The MAC filter allows you to filter on the following encapsulation types:
etype (EtherType): a two-byte field indicating the protocol type of the frame. This can range from 0x0600 to
0xFFFF.
llc (IEEE 802.3 LLC1 SSAP and DSAP): a two-byte sequence providing a similar function to the EtherType, but
for an IEEE 802.3 frame.
To determine which type of frame is used on your network, use a protocol analyzer. If the two-byte field starting at
byte 12 of an Ethernet frame is equal to or greater than 0600 (hex), it is an Ethernet II framed packet. Any value
below this indicates an IEEE 802.3 frame (the field then holds the length of the data field). Some well-known
EtherTypes are 0800 (IP), 0806 (ARP), 0600 (XNS), and 8137 (Novell NetWare). Refer to RFC 1042 and the IANA
assigned-numbers list for EtherType assignments.
For an IEEE 802.3 frame, you can further distinguish the SSAP and DSAP of the LLC header. Some well-known
SAPs include: FE (OSI), F0 (NetBIOS), 42 (Spanning Tree BPDU), and AA (SNAP). Usually the DSAP and SSAP
are the same.
NOTE: You must type in both bytes; otherwise the software pads the value on the left with 00 (for example, f0
becomes 00f0). Refer to RFC 1042 for a listing of SAP numbers.
SNAP is defined as an IEEE 802.3 frame with the SSAP, DSAP, and control field set to AA, AA, and 03.
Immediately following these is a five-byte SNAP header. The first three bytes in this header are not used by the
MAC filters. However, the next two bytes usually are set to the EtherType, so you can define the EtherType inside
the SNAP header that you want to filter on.
The eq | gt | lt | neq argument specifies the possible operator: eq (equal), gt (greater than), lt (less than) and neq
(not equal).
The <frame-type> argument is a hexadecimal number for the frame type. For example, the hex number for ARP is
806.
Default value: N/A
If you enter only one byte, for example mac filter 2 deny any any llc eq f0, the command expands to the following:
mac filter 2 deny any any llc eq 00f0
If you want to filter on both the SSAP and DSAP, the following example shows this:
ServerIron(config)# mac filter 4 deny any 0020.0010.1000 ffff.ffff.0000 llc eq e0e0
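The matching rules above, worked through in code. This is an added example written for this page, not Foundry software: it models the mask comparison (f bits compared, 0 bits wildcards), the Ethernet II versus IEEE 802.3 decision on bytes 12 and 13, LLC and SNAP field extraction, the eq/gt/lt/neq operators and the implicit deny, then runs the filters from the example and the note against constructed frames. The frame layouts and the DSAP-first byte order of the llc value are assumptions. The multicast filter command later in this chapter uses the same mask rule to derive a group range, which mask_range shows.

```python
"""MAC filter evaluator (added, constructed example; not Foundry code)."""

OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
       "gt": lambda a, b: a > b, "lt": lambda a, b: a < b}

def mac_to_int(mac):
    return int(mac.replace(".", ""), 16)          # '3565.3475.3676' -> 0x356534753676

def int_to_mac(value):
    return ".".join(("%012x" % value)[i:i + 4] for i in range(0, 12, 4))

def mac_matches(addr, pattern, mask):
    """True when addr agrees with pattern in every bit that is 1 (f) in mask;
    0 bits are wildcards and 'any' matches everything."""
    if pattern == "any":
        return True
    m = mac_to_int(mask)
    return (mac_to_int(addr) & m) == (mac_to_int(pattern) & m)

def mask_range(addr, mask):
    """Lowest and highest address covered by addr/mask (the multicast filter's
    group range, e.g. 0100.5e00.5200 through 0100.5e00.52ff)."""
    m = mac_to_int(mask)
    low = mac_to_int(addr) & m
    return int_to_mac(low), int_to_mac(low | (~m & 0xFFFFFFFFFFFF))

def classify(frame):
    """Extract the fields a filter can test. Bytes 12-13 >= 0x0600 is an
    EtherType (Ethernet II); otherwise it is an 802.3 length and LLC follows,
    with a 5-byte SNAP header (3-byte OUI, then EtherType) after AA/AA/03."""
    info = {"dst": int_to_mac(int.from_bytes(frame[0:6], "big")),
            "src": int_to_mac(int.from_bytes(frame[6:12], "big")),
            "etype": None, "llc": None, "snap": None}
    length_type = int.from_bytes(frame[12:14], "big")
    if length_type >= 0x0600:
        info["etype"] = length_type
    else:
        dsap, ssap, ctrl = frame[14], frame[15], frame[16]
        info["llc"] = (dsap << 8) | ssap          # assumed order: DSAP byte first
        if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03):
            info["snap"] = int.from_bytes(frame[20:22], "big")
    return info

def parse_filter(line):
    """Parse 'mac filter <num> permit|deny <src> <mask>|any <dst> <mask>|any
    [etype|llc|snap eq|gt|lt|neq <hex>]'. int('f0', 16) == int('00f0', 16),
    so a one-byte llc value gets the 00 left padding the note describes."""
    tok = line.split()
    if tok[:2] != ["mac", "filter"]:
        raise ValueError(line)
    f = {"num": int(tok[2]), "action": tok[3], "proto": None}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "any":
            f[side], i = ("any", None), i + 1
        else:
            f[side], i = (tok[i], tok[i + 1]), i + 2
    if i < len(tok):
        f["proto"] = (tok[i], tok[i + 1], int(tok[i + 2], 16))
    return f

def filter_matches(f, info):
    if not (mac_matches(info["src"], *f["src"]) and mac_matches(info["dst"], *f["dst"])):
        return False
    if f["proto"] is None:
        return True
    field, op, value = f["proto"]
    actual = info[field]                          # None when the frame lacks that field
    return actual is not None and OPS[op](actual, value)

def apply_filter_group(filters, frame):
    """Lowest-numbered matching filter decides. Once any MAC filter exists,
    traffic that matches no permit filter is dropped."""
    info = classify(frame)
    for f in sorted(filters, key=lambda f: f["num"]):
        if filter_matches(f, info):
            return f["action"]
    return "deny"

def build_frame(dst, src, etype=None, llc=None, snap=None):
    """Constructed frames: Ethernet II (etype), 802.3/LLC (llc=(dsap, ssap))
    or 802.3/SNAP (snap=EtherType inside the SNAP header)."""
    hdr = mac_to_int(dst).to_bytes(6, "big") + mac_to_int(src).to_bytes(6, "big")
    if etype is not None:
        return hdr + etype.to_bytes(2, "big") + bytes(46)
    if snap is not None:
        payload = bytes([0xAA, 0xAA, 0x03, 0, 0, 0]) + snap.to_bytes(2, "big")
    else:
        payload = bytes([llc[0], llc[1], 0x03])
    payload += bytes(46 - len(payload))
    return hdr + len(payload).to_bytes(2, "big") + payload

# The filters from the example and the note above; the traffic below is made up.
PAGE_FILTERS = [parse_filter("mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any etype eq 806"),
                parse_filter("mac filter 4 deny any 0020.0010.1000 ffff.ffff.0000 llc eq e0e0"),
                parse_filter("mac filter 1024 permit any any")]

ARP_FROM_3565 = build_frame("ffff.ffff.ffff", "3565.0000.0001", etype=0x0806)
IP_FROM_3565 = build_frame("0011.2233.4455", "3565.0000.0001", etype=0x0800)
ARP_FROM_OTHER = build_frame("ffff.ffff.ffff", "0011.2233.4455", etype=0x0806)
SNAP_ARP_FROM_3565 = build_frame("ffff.ffff.ffff", "3565.0000.0001", snap=0x0806)
NETWARE_TO_0020 = build_frame("0020.0010.abcd", "0011.2233.4455", llc=(0xE0, 0xE0))
```

Two things the model makes visible. With only filter 1 defined, ordinary IP traffic from the blocked prefix is dropped too, because nothing permits it; the permit any any filter is what keeps the rest of the port working. And an etype filter does not look inside a SNAP header: in this model an 802.3/SNAP-encapsulated ARP frame from the 3565 prefix passes filter 1 and is permitted by filter 1024, so a deny that must cover both encapsulations needs a matching snap eq 806 filter as well.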
mirror-port
Enables and assigns a specific port to operate as a mirror port for other ports on a ServerIron. Once enabled, you
can connect an external traffic analyzer to the port for traffic analysis.
You also need to enable the monitor command on a port for it to be mirrored by this port.
EXAMPLE:
To assign port 1 as the mirror port and port 5 as the port to be monitored, enter the following:
ServerIron(config)# mirror-port e 1
ServerIron(config)# interface e 5
ServerIron(config-if)# monitor on
To define a mirror port on a Chassis device, specify the slot number as well as the port number, in slot/port
form.
module
Adds a hardware module to a Foundry Chassis device.
EXAMPLE:
To add an 8-port Gigabit Ethernet management module to slot 3 in a ServerIron 800, enter the following
command:
ServerIron(config)# module 3 bi-8-port-gig-management-module
The <module-type> parameter specifies the module. For a list of the valid module types, enter
module <slot-num> ? at the CLI prompt.
Possible values: see above
Default value: N/A
multicast filter
Configures a Layer 2 filter for multicast packets. You can filter on all multicast packets or on specific multicast
groups.
EXAMPLE:
To configure a Layer 2 multicast filter to filter all multicast groups, then apply the filter to ports 2/4, 2/5, and 2/8,
enter the following commands:
ServerIron(config)# multicast filter 1 any
ServerIron(config-mcast-filter-id-1)# exclude-ports ethernet 2/4 to 2/5 ethernet 2/8
ServerIron(config-mcast-filter-id-1)# write mem
EXAMPLE:
To configure a multicast filter to block all multicast traffic destined for multicast addresses 0100.5e00.5200
through 0100.5e00.52ff on port 4/8, enter the following commands:
ServerIron(config)# multicast filter 2 any 0100.5e00.5200 ffff.ffff.ff00
ServerIron(config-mcast-filter-id-2)# exclude-ports ethernet 4/8
ServerIron(config-mcast-filter-id-2)# write mem
The software calculates the range by combining the mask with the multicast address. In this example, all but the
last byte (the final two hex digits) of the mask are significant bits (ones). The last byte is zeros and thus matches
any value, giving the range 0100.5e00.5200 through 0100.5e00.52ff.
Syntax: [no] multicast filter <filter-id> any | ip udp mac <multicast-address> | any [mask <ip-mask>] [vlan <vlanid>]
The parameter values are the same as the for the broadcast filter command. In addition, the multicast filter
command requires the mac <multicast-address> | any parameter, which specifies the multicast address. Enter
mac any to filter on all multicast addresses. Enter mac followed by a specific multicast address to filter only on
that multicast address.
To filter on a range of multicast addresses, use the mask <ip-mask> parameter. For example, to filter on multicast
groups 0100.5e00.5200 through 0100.5e00.52ff, use mask ffff.ffff.ff00. The default mask matches all bits (is all
Fs), so you can leave the mask off if you want the filter to match on all bits in the multicast address.
Possible values: see above
Default value: N/A
multicast limit
Specifies the maximum number of multicast packets the device can forward each second. By default the device
sends multicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However,
if other devices in the network cannot handle unlimited multicast traffic, this command allows you to relieve those
devices by throttling the multicasts at the Foundry device.
NOTE: The multicast limit does not affect broadcast or unicast traffic. However, you can use the broadcast limit
and unknown-unicast limit commands to control these types of traffic. See broadcast limit on page 6-12 and
unknown-unicast limit on page 6-98.
EXAMPLE:
ServerIron(config)# multicast limit 30000
netbios-proto
This command creates a NetBIOS protocol VLAN on a Foundry switch or router. All ports of the system are
assumed, by default, to be members of the VLAN when initially created. VLAN Membership can be modified
using the dynamic, static, or exclude commands.
EXAMPLE:
To create a NetBIOS Protocol VLAN on an 18 port device with permanent port membership of 4 and 5 and ports 8
through 12 as dynamic member ports, enter the following commands.
ServerIron(config)# netbios-proto
ServerIron(config-netbios-proto)# static e4 e5
ServerIron(config-netbios-proto)# exclude e1 to 3 e6 e7 e13 to 18
ServerIron(config-netbios-proto)# exit
no
This command is used to disable many commands. To do so, place the word no before the command.
other-proto
Creates an Other protocol VLAN on the system. All ports of the switch are by default dynamically assigned to the
newly created VLAN. VLAN Membership can be modified using the dynamic, static, or exclude commands.
You can use this option to define a protocol-based VLAN for protocols that are not specified as supported protocol
VLANs on a switch or router, or do not require dedicated, separate broadcast domains.
EXAMPLE:
On a 16 port ServerIron, ports 13 through 16 carry DECnet and AppleTalk traffic. You do not need to
separate traffic by protocol into separate broadcast domains. Instead, create an Other Protocol VLAN with just
those ports as members.
ServerIron(config)# other-proto
ServerIron(config-other-proto)# static e13 to 16
ServerIron(config-other-proto)# exclude e1 to 12
ServerIron(config-other-proto)# exit
password-change
This command defines the access points from which the system password can be changed. The options
are serial-port-only, telnet-only, or any. The any option allows the password to be modified from a serial port, Telnet
session, or through IronView.
EXAMPLE:
To allow password changes from a serial port connection only, enter the following command:
ServerIron(config)# password-change cli
privilege
This command augments the default access privileges for an access level. When you configure a user account,
you can give the account one of three privilege levels: full access, port-configuration access, and read-only
access. Each privilege level provides access to specific areas of the CLI by default:
The User EXEC and Privileged EXEC levels, and the port-specific parts of the CONFIG level
EXAMPLE:
To enhance the port-configuration privilege level so users also can enter ip commands at the global CONFIG level
(useful for adding IP addresses for multinetting), enter the following command:
ServerIron(config)# privilege configure level 4 ip
In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of
the CLI. The level 4 parameter indicates that the enhanced access is for privilege level 4 (port-configuration). All
users with port-configuration privileges will have the enhanced access. The ip parameter indicates that the
enhanced access is for the IP commands. Users who log in with valid port-configuration level user names and
passwords can enter commands that begin with "ip" at the global CONFIG level.
The level <number> parameter specifies the privilege level to enhance:
4    Port-configuration access
5    Read-only access
The <command-string> parameter specifies the command you are allowing users with the specified privilege level
to enter. To display a list of the commands at a CLI level, enter "?" at that level's command prompt and press
Return.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
perf-mode
Allows you to define the performance mode as 'high' to allow flow control to activate at an earlier stage, when
heavy congestion exists on the network. This feature must be saved to memory and the system reset before it
becomes active.
EXAMPLE:
ServerIron(config)# perf-mode hi
radius-server
Identifies a RADIUS server and sets other RADIUS parameters.
EXAMPLE:
ServerIron(config)# radius-server host 209.157.22.99
Syntax: radius-server host <ip-addr>
Syntax: radius-server [key <key-string>] [timeout <number>] [retransmit <number>] [dead-time <number>]
The key <key-string> parameter is the shared secret (encryption key) used with the RADIUS server; a valid key
string is 1 to 16 characters long.
The timeout <number> is how many seconds to wait before declaring a RADIUS server timeout for the
authentication request. The default timeout is 3 seconds. The range of possible timeout values is 1 to 15.
The retransmit <number> is the maximum number of retransmission attempts. When an authentication request
times out, the Foundry software retransmits the request up to the configured maximum number of times. The
default retransmit value is 3 attempts. The possible retransmit values are 1 to 5.
The dead-time parameter is not used in this software release. When the software allows multiple authentication
servers, this parameter will specify how long the Foundry device waits for the primary authentication server to
reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can
be from 1 to 5 seconds. The default is 3.
Possible values: see above
Default value: see above
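What the key string actually does on the wire, as an added example written for this page (not Foundry code): the RFC 2865 User-Password hiding that a RADIUS client performs with the shared secret, and the Response Authenticator check that lets the client tell a genuine Access-Accept from a forged one. The secret, the Request Authenticator and the attribute values below are constructed for the example; a real client draws a fresh random 16-byte Request Authenticator per request.

```python
"""RFC 2865 shared-secret operations (added, constructed example; not Foundry
code). Packet layouts follow RFC 2865; secret and authenticators are made up."""
import hashlib
import hmac
import struct

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: zero-pad to a multiple of 16, then XOR each 16-byte chunk
    with MD5(secret + previous chunk), the first chunk using the Request
    Authenticator. The keystream depends only on the secret and a value sent
    in clear, so the secret is all that protects the password on the wire."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += chunk
        prev = chunk
    return out

def reveal_password(hidden, secret, request_auth):
    """Server side of the same operation."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")                  # passwords are text; trailing NULs are padding

def _attrs(attrs):
    """Encode (type, value) pairs as RADIUS attributes: type, length, value."""
    return b"".join(struct.pack("BB", t, 2 + len(v)) + v for t, v in attrs)

def build_access_request(ident, request_auth, username, password, secret):
    """Code 1 packet; its authenticator field carries the Request Authenticator."""
    body = _attrs([(1, username), (2, hide_password(password, secret, request_auth))])
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + request_auth + body

def response_authenticator(code, ident, body, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def build_access_accept(ident, request_auth, secret, attrs=()):
    body = _attrs(attrs)
    auth = response_authenticator(2, ident, body, request_auth, secret)
    return struct.pack("!BBH", 2, ident, 20 + len(body)) + auth + body

def verify_response(packet, request_auth, secret):
    """Client-side check that a reply was produced by a holder of the secret for
    this very request and was not altered in transit."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed values: a key using the full 16-character limit, and a fixed
# Request Authenticator so the example is repeatable.
SECRET = b"r4nd0m-16chars!!"
REQUEST_AUTH = bytes(range(16))

def round_trip(password, secret=SECRET, request_auth=REQUEST_AUTH):
    """Hide then reveal; returns (hidden_length, recovered_password)."""
    hidden = hide_password(password, secret, request_auth)
    return len(hidden), reveal_password(hidden, secret, request_auth)
```

Two consequences for the radius-server key follow directly from the code. Anyone who captures an Access-Request and guesses the secret recovers the password, so use all 16 characters and take them from a random source rather than a word. And a client that does not run the equivalent of verify_response accepts an Access-Accept from anyone who can reach it, which is why the shared secret has to be configured on the device and not only on the server.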
relative-utilization
Allows you to configure uplink utilization lists that display the percentage of a given uplink port's bandwidth that is
used by a specific list of downlink ports. The percentages are based on 30-second intervals of RMON packet
statistics for the ports. Both transmit and receive traffic is counted in each percentage.
NOTE: This feature is intended for ISP or collocation environments in which downlink ports are dedicated to
various customers' traffic and are isolated from one another. If traffic regularly passes between the downlink
ports, the information displayed by the utilization lists does not provide a clear depiction of traffic exchanged by the
downlink ports and the uplink port.
Each uplink utilization list consists of an uplink port and the downlink ports whose traffic is measured against it.
Each list displays the uplink port and the percentage of that port's bandwidth that was utilized by the downlink
ports over the most recent 30-second interval. You can configure up to four bandwidth utilization lists.
EXAMPLE:
To configure a link utilization list with port 1 as the uplink port and ports 2 and 3 as the downlink ports:
ServerIron(config)# relative-utilization 1 uplink eth 1 downlink eth 2 to 3
Syntax: [no] relative-utilization <num> uplink ethernet <portnum> [to <portnum> | <portnum>]
downlink ethernet <portnum> [to <portnum> | <portnum>]
Possible values: The <num> parameter specifies the list number. You can configure up to four lists. Specify a
number from 1 4.
The uplink ethernet parameters and the port number(s) you specify after the parameters indicate the uplink
port(s).
The downlink ethernet parameters and the port number(s) you specify after the parameters indicate the downlink
port(s).
Default value: N/A
rmon alarm
The rmon alarm command defines which MIB object is monitored, the type of threshold to monitor
(falling, rising, or both), the values of those thresholds, and the sample type (absolute or delta).
An alarm event is reported each time a threshold is crossed. The alarm entry also defines the action
(event) to take when the threshold is crossed.
A sample CLI alarm entry and its syntax is shown below:
EXAMPLE:
ServerIron(config)# rmon alarm 1 ifInOctets.6 10 delta rising-threshold 100 1 falling-threshold 50 1 owner nyc02
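How the thresholds in that entry behave over time, as an added example written for this page (not Foundry code): a software model of an RFC 2819 alarm entry with delta or absolute sampling, the rising and falling crossing rules and their hysteresis (after a rising event no further rising event fires until the sampled value has come back down to the falling threshold, and the reverse for falling), RFC 2819 startup-alarm handling, and Counter32 wrap for delta sampling of counters such as ifInOctets. The counter readings are constructed; the event index in each result is the rmon event entry that the alarm would trigger.

```python
"""Software model of an RMON (RFC 2819) alarm entry. Added, constructed
example for this page, not Foundry code."""

class RmonAlarm:
    """One alarm entry: thresholds are compared with the sampled value, which
    is the raw reading (absolute) or the change since the last reading (delta)."""

    def __init__(self, rising, falling, sample_type="delta",
                 rising_event=1, falling_event=1, startup="risingOrFalling"):
        if falling > rising:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling = rising, falling
        self.sample_type = sample_type                  # "delta" or "absolute"
        self.rising_event, self.falling_event = rising_event, falling_event
        self.startup = startup                          # which alarm may fire on the first sample
        self.prev_raw = None      # last raw counter reading (delta mode)
        self.last_value = None    # previous sampled value; None before the first sample
        self.rising_armed = True  # cleared by a rising event until value <= falling
        self.falling_armed = True # cleared by a falling event until value >= rising

    def sample(self, raw, counter_bits=32):
        """Feed one reading taken at the sampling interval; return the events
        generated, as (kind, event_index, sampled_value) tuples."""
        if self.sample_type == "delta":
            if self.prev_raw is None:
                self.prev_raw = raw
                return []                               # a delta needs two readings
            value = (raw - self.prev_raw) % (1 << counter_bits)  # survives Counter32 wrap
            self.prev_raw = raw
        else:
            value = raw
        events = []
        first = self.last_value is None
        if value >= self.rising:
            crossed = (self.startup in ("rising", "risingOrFalling") if first
                       else self.last_value < self.rising)
            if crossed and self.rising_armed:
                events.append(("rising", self.rising_event, value))
                self.rising_armed = False
            self.falling_armed = True                   # value reached the rising threshold
        elif value <= self.falling:
            crossed = (self.startup in ("falling", "risingOrFalling") if first
                       else self.last_value > self.falling)
            if crossed and self.falling_armed:
                events.append(("falling", self.falling_event, value))
                self.falling_armed = False
            self.rising_armed = True                    # value reached the falling threshold
        self.last_value = value
        return events

def collect_events(readings, **alarm_args):
    """Run a fresh alarm over a series of readings (one per interval); return
    every event tagged with the index of the reading that produced it."""
    alarm = RmonAlarm(**alarm_args)
    return [(i, ev) for i, raw in enumerate(readings) for ev in alarm.sample(raw)]
```

The hysteresis is the part worth noticing when you size the two thresholds: with rising 100 and falling 50, a rate that oscillates between 90 and 150 per interval produces exactly one rising event, not one per excursion, so the gap between the two thresholds is what keeps a noisy counter from flooding the event log and the trap receiver.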
rmon event
There are two elements to the RMON event group 9, the event control table and the event log table.
The event control table defines the action to be taken when an alarm is reported. Defined events can be found by
entering the CLI command, show event.
The event log table collects and stores reported events for retrieval by an RMON application.
EXAMPLE:
ServerIron(config)# rmon event 1 description testing a longer string log-and-trap
public owner nyc02
Syntax: rmon event <event-entry> description <text-string> log | trap | log-and-trap owner <rmon-station>
Possible values: N/A
Default value: N/A
rmon history
By default, every active ServerIron port generates two RMON history (group 2) control data entries. If a port
becomes inactive, the two entries are deleted automatically.
You can modify how many of these historical entries are saved (buckets) and how often samples are taken (the
interval). The station (owner) that collects these entries can also be defined.
To review the control data entry for each port or interface, enter the show rmon history command.
EXAMPLE:
ServerIron(config)# rmon history 1 interface 1 buckets 10 interval 10 owner nyc02
Syntax: rmon history <entry-number> interface <portnum> buckets <number> interval <sampling-interval> owner
<text-string>
Possible values: Buckets: 1 to 50 entries.
Default value: N/A
router rip
Enables the Routing Information Protocol (RIP).
NOTE: This command applies only to IP forwarding (Layer 3 IP).
NOTE: You also must enable RIP locally on the virtual routing interface. See ip rip on page 8-7.
EXAMPLE:
To enable RIP globally, enter the following command:
ServerIron(config)# router rip
ServerIron(config-rip-router)#
Notice that the command also changes the CLI to RIP configuration level. See Routing Information Protocol
(RIP) Commands on page 20-1.
rshow
Displays the real and virtual server configuration information for a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
server active-active-port
Provides redundancy for NAT or the SYN-Guard feature when not used with FWLB or SLB. This command
specifies the ServerIron port connected to the other ServerIron in the configuration.
EXAMPLE:
ServerIron(config)# server active-active-port ethernet 4/5
This command configures the active-active link on port 4/5.
ServerIron(config)# server active-active-port ethernet 4/5 300
This command configures the active-active link on port 4/5 on VLAN 300 only. The active-active traffic is not
forwarded to the other VLANs that port 4/5 is in.
server allow-sticky
Accepts new connections on a real server whose sticky port has been unbound.
When you unbind an application port from a server, the ServerIron temporarily places the port in the aw_unbnd
(awaiting unbind) state. If you delete an application port, the ServerIron temporarily places the port in the aw_del
(awaiting delete) state. These temporary states allow open sessions on the port to be completed before the port
is unbound or removed.
By default, when the ServerIron receives a new request associated with a sticky port in the aw_unbnd state, the
ServerIron establishes the session on another real server, not the real server from which you are unbinding the
port.
This command configures the ServerIron to accept new sessions for the same real server for a sticky port, even
under the following conditions:
EXAMPLE:
ServerIron(config)# server allow-sticky
sticky port, the ServerIron resets the age time for the session to five minutes. Each time the ServerIron receives
another connection request associated with the sticky session, the ServerIron resets the session age again.
Possible values: See above
Default value: Disabled
server backup
The server backup command sets up the server load balancing redundancy on ServerIron switches. The two
switches used in the configuration must be configured with the same MAC address. The MAC address used for
the two switches can be any MAC address supported on either of the switches.
EXAMPLE:
ServerIron(config)# server backup ethernet 13 00e0.5201.0c72
server backup-group
Configures a hot-standby group ID. Use the group ID when you are configuring more than one pair of ServerIrons
for SLB hot standby within the same Layer 2 broadcast domain.
Configure a backup group ID on each of the ServerIrons, so that both ServerIrons in a given pair have the same
ID. The backup group ID uniquely identifies the pair.
When you configure a backup group ID, both ServerIrons in a hot-standby pair use the ID when exchanging
backup information. If a ServerIron receives a backup information packet but the packet's backup group ID does
not match the ServerIron's backup group ID, the ServerIron discards the packet.
If the broadcast domain contains multiple hot-standby pairs, you must configure backup group IDs on all pairs. If
the broadcast domain contains only one hot-standby pair, you do not need to configure a backup group ID.
EXAMPLE:
ServerIron(config)# server backup-group 1
server backup-port
Configures the active-active (synchronization) port for SSLB. The active-active port connects the ServerIron to its
SSLB partner.
EXAMPLE:
ServerIron(config)# server backup-port ethernet 3/5
This command configures the active-active link on port 3/5.
ServerIron(config)# server backup-port ethernet 3/5 200
This command configures the active-active link on port 3/5 on VLAN 200 only. The active-active traffic is not
forwarded to the other VLANs that port 3/5 is in.
NOTE: The VLAN you specify must be used only for synchronization traffic. Do not specify a VLAN that also will
carry data traffic.
Possible values: See above
Default value: N/A
server backup-preference
Configures a ServerIron in an active-standby pair to always be the active ServerIron. Without the backup
preference, ServerIrons in a hot-standby pair elect the active ServerIron based on a random timer on each
ServerIron.
NOTE: This command does not apply to FWLB.
EXAMPLE:
To configure a ServerIron in an active-standby pair to always be the active ServerIron, enter the following
command at the global CONFIG level of the CLI:
ServerIron(config)# server backup-preference 5
server backup-timer
Changes the backup timer on a ServerIron in an active-standby pair. The timer specifies how long a backup
ServerIron will wait for a Hello message or synchronization data from the active ServerIron before assuming the
active ServerIron is no longer available, and then taking over the active role.
NOTE: This command does not apply to FWLB.
EXAMPLE:
ServerIron(config)# server backup-timer 50
This command sets the backup timer to 5 seconds (50 * 100 milliseconds).
server cache-group
TCS requires that all cache servers be assigned to a cache-group. By default, all cache servers are assigned to
cache group 1. To assign cache servers to a different cache group, use this command.
EXAMPLE:
To assign cache servers server1 and server2 to cache group 2, enter the following:
ServerIron(config)# server cache-group 2
ServerIron(config-tc-2)# cache-name server1
ServerIron(config-tc-2)# cache-name server2
server cache-name
This command is used to assign a name and IP address to a cache server.
EXAMPLE:
To identify a cache-server with an IP address of 207.95.5.19 as web2, enter the following:
ServerIron(config)# server cache-name web2 207.95.5.19
server cache-router-offload
This command enables the ServerIron Cache Route Optimization feature, which redirects HTTP traffic from a
cache server directly toward the clients. Use this command when the ServerIron sits between a remote access
server (RAS) and a border access router (BAR) and the cache servers' default gateway is the BAR.
For more information, see the "Configuring Transparent Cache Switching" chapter in the Foundry ServerIron
Installation and Configuration Guide.
EXAMPLE:
To enable Cache Route Optimization on a switch operating with TCS, enter the following:
ServerIron(config)# server cache-router-offload
server cache-stateful
Disables stateful TCS. In stateful TCS, the ServerIron creates session table entries for the client connections
redirected to cache servers. If you disable stateful TCS, the ServerIron does not create session table entries for
the load-balanced traffic, but instead uses hash-based redirection on a packet by packet basis. In addition, the
ServerIron uses the return traffic as one means to assess the health of a cache server. If you disable stateful
TCS, the ServerIron does not monitor the return traffic.
NOTE: Stateful TCS provides more benefit than stateless TCS in almost all TCS configurations. Do not disable
stateful TCS unless advised to do so by Foundry Networks Technical Support.
EXAMPLE:
To disable stateful TCS, enter the following command:
ServerIron(config)# no server cache-stateful
server clock-scale
Provides a clock multiplier for the TCP age and UDP age timers, which are used to age out the entries in the
session table. This command is useful for configurations that require TCP or UDP timeouts longer than the
maximum configurable value (60 minutes). For example, if you set the clock scale to 2, the TCP and UDP age
timer values are multiplied by 2. Thus, a TCP age of 60 would then be equivalent to 120 minutes instead of 60
minutes.
EXAMPLE:
ServerIron(config)# server clock-scale 2
server connection-log
Enables TCP/UDP session logging. When TCP/UDP session logging is enabled, the ServerIron sends a
message to the external Syslog servers when the software creates a session table entry.
EXAMPLE:
To enable session logging for all TCP and UDP ports, enter a command such as the following:
ServerIron(config)# server connection-log all
The command in this example enables logging for all new session table entries. To enable logging only for new
sessions that are used for Source NAT, enter the following command:
ServerIron(config)# server connection-log src-nat
server delay-symmetric
Delays reactivation of a failed ServerIron in an SSLB configuration following the ServerIron's recovery. By
delaying reactivation of a recovered ServerIron, you provide time for sessions created by the standby ServerIron to
terminate normally.
NOTE: This command applies only to active-standby SSLB in software release 07.1.x. Software 07.2.x uses
active-active SSLB instead. See the "Active-Standby SSLB" section in the "Configuring Symmetric SLB and
SwitchBack" chapter of the Foundry ServerIron Installation and Configuration Guide.
When you enable session synchronization in a ServerIronXL SSLB configuration, the active ServerIron for a VIP
sends session synchronization information to the standby ServerIron. If the VIP's active ServerIron becomes
unavailable, the open sessions for the VIP fail over to the other ServerIron, which provides uninterrupted service
for the sessions.
The active ServerIron sends session synchronization information to a VIP's standby ServerIron when the session
is created. Following a failover, when the standby ServerIron for a VIP has taken over, the standby ServerIron can
create new sessions for the VIP. However, because the ServerIron with the higher priority for the VIP is
unavailable, the standby ServerIron cannot send synchronization information for the newly created sessions. As a
result, when the other ServerIron becomes available again, it resumes service for the VIP but cannot continue the
sessions that were created by the standby ServerIron.
EXAMPLE:
To enable reactivation delay following recovery of a ServerIron, enter the following command at the global
CONFIG level of the CLI:
ServerIron(config)# server delay-symmetric
server force-delete
This command allows you to force termination of existing server load balancing connections when the supporting
server or service is disabled or deleted.
By default, when a service is disabled or deleted, the ServerIron does not send new connections to the real servers
for that service, but it does allow existing connections to complete normally, however long that
may take.
You can use the server force-delete command to force the existing connections to be terminated within two
minutes.
NOTE: If you disable or delete a service, do not enter an additional command to reverse the command you used
to disable or delete the service, while the server is in graceful shutdown.
NOTE: For important information about shutting down services or servers, see the "Configuring Server Load
Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
To force the shutdown of all deleted servers on a ServerIron, enter the following:
ServerIron(config)# server force-delete
NOTE: Once enabled, this feature controls all future deletions. To see whether force delete is active, enter the
show configuration command. If active, this option will appear in the summary of global parameters. Because
the server force-delete command is a global command, there is no need to specify real server 15. It will
automatically end the connections of all servers or services awaiting deletion.
NOTE: To display active sessions for a specific server, enter the show sessions real server <number>
command and a display such as the one below will appear. Notice that the display below shows the Telnet connection on
server 15 as awaiting unbinding. Without the server force-delete command, the session will stay in this state until
it ends naturally.
IP: 207.95.18.15    State: 6    Wt: 1    Max-conn: 1000000
Port      State      CurConn    TotConns    Rx-pkts    Tx-pkts
http      active     1206       1711509     82402      23618
ftp       active     0          0           0          0
telnet    aw_unbnd   374        388         22452      0
default   unbnd      0          0           0          0
Server    Total      1580       1711511     104854     23618
Because the binding is awaiting deletion, it will also still be seen as an active binding if you enter the show
server bind command, as seen below:
ServerIron(config-vs-building)# show server bind
Virtual Server Name: building,
IP: 207.95.5.130
http -------> s21: 207.95.18.21, http
s15: 207.95.18.15, http
s50: 207.95.18.50, http
ftp -------> s50: 207.95.18.50, ftp
s21: 207.95.18.21, ftp
s15: 207.95.18.15, ftp
telnet -------> s15: 207.95.18.15, telnet
s21: 207.95.18.21, telnet
s50: 207.95.18.50, telnet
Once force delete is enabled, the unbinding will occur within two minutes and the show session real s15
command will show that connection as unbound, as seen below:
ServerIron(config)# show session real s15
Real Servers Info
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Name: s15    IP: 207.95.18.15    State: 6    Wt: 1    Max-conn: 1000000
Port      State      CurConn    TotConns    Rx-pkts    Tx-pkts
http      active     1206       1711509     82402      24700
ftp       active     0          0           0          0
telnet    unbnd      385        406         23112      0
default   unbnd      0          0           0          0
Server    Total      1591       1711511     105514     24700
NOTE: The binding for the real server will also be eliminated from the show server bind display.
server fw-group
Changes the CLI to the Firewall Group level. At this level, you can configure parameters for firewall load
balancing. For information about this feature, see the Foundry ServerIron Firewall Load Balancing Guide.
The default firewall group is 2. This is the only firewall group supported. All ServerIron ports are in this firewall
group by default.
EXAMPLE:
To change the CLI to the Firewall Group level for firewall group 2, enter the following command:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)#
server fw-name
Adds a firewall for firewall load balancing.
EXAMPLE:
To define a firewall called FW1, enter the following command:
ServerIron(config)# server fw-name FW1 209.157.22.3
server fw-port
If you are configuring the ServerIron for IronClad Firewall Load Balancing, this command identifies the port that
connects this ServerIron to its partner. If you configure a trunk group for the link between the two partners, specify
the first port (the primary port for the group) in the trunk group. On the 8-port, 16-port, and 24-port ServerIrons,
you can configure a trunk group with two or four members and the lead ports are the odd-numbered ports.
EXAMPLE:
ServerIron(config)# server fw-port 5
server fw-recv-stateful
Enables receive stateful FWLB for application traffic coming from the firewalls to the ServerIron. For information,
see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIron(config)# server fw-recv-stateful
server fw-slb
Enables FWLB-to-SLB. For information, see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIronB(config)# server fw-slb
server fw-stateful
Enables stateful FWLB for application traffic coming from the ServerIron to the firewalls. For information, see the
Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIron(config)# server fw-stateful
server fw-strict-sec
Configures the ServerIron to forward a TCP data packet only if the ServerIron has already received a TCP SYN for
the packet's traffic flow (source and destination addresses). This command provides tighter security. For
example, with the tighter security enabled, the ServerIron does not forward a TCP data packet to 1.1.1.1 unless
the ServerIron has already received a TCP SYN for the session between the packet's source and 1.1.1.1.
By default, the ServerIron sends a properly addressed TCP data packet to a firewall regardless of whether the
ServerIron has received a TCP SYN for the traffic flow. For example, if the ServerIron receives a TCP packet
addressed to TCP port 8080 on IP address 1.1.1.1, the ServerIron forwards the packet to the firewall connected to
1.1.1.1 regardless of whether the ServerIron has received a TCP SYN for the session between the packet's
source and 1.1.1.1.
EXAMPLE:
ServerIron(config)# server fw-strict-sec
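The check that server fw-strict-sec enables, as an added example rather than anything from the manual or the ServerIron code base: a small forwarder that learns TCP flows from their SYN and, in strict mode, refuses data packets for flows it never saw open, while the default mode forwards every properly addressed packet. The packet record, the flow key (the manual describes a flow by source and destination address; the ports are included here as an assumption), the FIN/RST handling and the sample packets are constructed for this example.

```python
"""SYN-gated forwarding of TCP data packets, the check `server fw-strict-sec`
turns on.

Added illustration, not Foundry code. The packet record, the flow key, the
closing-packet handling and the sample traffic are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TcpPacket:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False      # True only for the connection-opening SYN
    closing: bool = False  # FIN or RST (assumed: the flow is forgotten afterwards)


class FwlbForwarder:
    """Decides whether a TCP packet addressed to a firewall is forwarded."""

    def __init__(self, strict_sec: bool):
        self.strict_sec = strict_sec     # `server fw-strict-sec` configured?
        self.flows = set()               # flows whose SYN has been seen
        self.refused = []                # packets refused in strict mode, for logging

    @staticmethod
    def key(pkt: TcpPacket) -> tuple:
        # Assumption: flow identified by addresses and ports (manual: addresses).
        return (pkt.src, pkt.dst, pkt.sport, pkt.dport)

    def forward(self, pkt: TcpPacket) -> bool:
        k = self.key(pkt)
        if pkt.syn:
            self.flows.add(k)            # the SYN establishes the flow
            return True
        # Default behaviour: a properly addressed data packet is forwarded
        # whether or not a SYN was seen. Strict mode requires the SYN.
        allowed = (not self.strict_sec) or (k in self.flows)
        if pkt.closing:
            self.flows.discard(k)        # forget the flow once it closes
        if not allowed:
            self.refused.append(pkt)
        return allowed


# Constructed traffic toward a firewall at 1.1.1.1, application port 8080.
SAMPLE = [
    TcpPacket("10.0.0.5", "1.1.1.1", 40001, 8080, syn=True),       # handshake start
    TcpPacket("10.0.0.5", "1.1.1.1", 40001, 8080),                 # data on that flow
    TcpPacket("10.0.0.9", "1.1.1.1", 40002, 8080),                 # data, no SYN ever seen
    TcpPacket("10.0.0.5", "1.1.1.1", 40001, 8080, closing=True),   # FIN closes the flow
    TcpPacket("10.0.0.5", "1.1.1.1", 40001, 8080),                 # data after the close
]


def run(strict_sec: bool) -> list:
    """Forwarding decision for each sample packet, in order."""
    fw = FwlbForwarder(strict_sec)
    return [fw.forward(p) for p in SAMPLE]


def refused_sources(strict_sec: bool) -> list:
    """Source addresses whose data packets were refused (what you would log)."""
    fw = FwlbForwarder(strict_sec)
    for p in SAMPLE:
        fw.forward(p)
    return [p.src for p in fw.refused]


if __name__ == "__main__":
    print("default:", run(False))
    print("strict :", run(True), "refused from", refused_sources(True))
```

In strict mode the third packet (data from 10.0.0.9 with no prior SYN) and the last one (data after the flow closed) are refused; the default mode forwards all five.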
server fw-superzone
Enables the superzone FWLB feature.
NOTE: This command does not enable FWLB. The command only enables superzone support.
EXAMPLE:
ServerIron(config)# server fw-superzone
server icmp-message
Enables the ICMP message feature. This feature configures the ServerIron to send ICMP Destination
Unreachable messages to clients who request HTTP ports that are unavailable. Generally, a port is unavailable if
all the real servers that contain the port are busy or are down, or the port is not configured on the servers.
EXAMPLE:
To enable the ICMP message feature, enter the following command:
ServerIron(config)# server icmp-message
server l4-check
Globally disables or re-enables Layer 4 TCP or UDP health checks for servers. The Layer 4 health checks are
enabled by default.
If you are configuring the ServerIron to load balance traffic to multiple servers on the other side of routers and you
want to load-balance the traffic according to TCP or UDP application, use the no server l4-check command to
disable the Layer 4 health checks. If you do not disable the health checks in this type of configuration, the routers
will fail the health checks (because the target applications for the health checks are not on the routers themselves)
and the ServerIron will stop forwarding traffic to those servers.
NOTE: If you are using the ServerIron to load-balance TCP and UDP traffic through routers, you also must add
each router as a real server and disable the HTTP port on each of the real servers. HTTP is enabled by default on
all real servers.
NOTE: This command also disables all Boolean health-check policies when entered on a ServerIron 400 or
ServerIron 800.
EXAMPLE:
To disable the Layer 4 TCP and UDP health checks, enter the following command:
ServerIron(config)# no server l4-check
server max-conn-trap
Specifies the number of seconds that elapse between traps for logging information about the TCP connection rate
and attack rate on the device.
EXAMPLE:
ServerIron(config)# server max-conn-trap 30
server max-ssl-session-id
Changes the number of entries associating a session_id with a real server that the ServerIron can store in its
database.
EXAMPLE:
To change the maximum number of database entries from 8,192 to 64,000:
ServerIron(config)# server max-ssl-session-id 64000
server max-url-switch
Changes the maximum number of concurrent web switching connections.
EXAMPLE:
To change the maximum number of concurrent web switching connections from 100,000 to 160,000:
ServerIron(config)# server max-url-switch 160000
server monitor
Enters the Layer 4 monitor CLI level.
EXAMPLE:
ServerIron(config)# server monitor
server msl
Sets the amount of time sessions for ports configured with the udp-fast-age command stay in the delete queue
before being deleted.
EXAMPLE:
ServerIron(config)# server msl 2
server no-fast-bringup
Enables the health-checking procedure for application ports used in releases prior to 7.1.05.
In releases prior to 7.1.05, the ServerIron performed a Layer 4 health check on a port on a real server,
followed by a Layer 7 health check, if one was enabled on the port. If the port passed both health checks, it
was then marked ACTIVE.
Starting with release 7.1.05, by default when a port passes a Layer 4 health check, it is then marked ACTIVE.
The ServerIron then performs a Layer 7 health check, if one is enabled on the port. Based on the result of the
Layer 7 health check (if enabled), the port is then marked ACTIVE or FAILED.
This change was made so that ports could be brought up more quickly. You can optionally change the default
behavior so that a port is not marked ACTIVE until it passes both the Layer 4 and (if one is enabled) Layer 7 health
checks.
EXAMPLE:
To enable the health-checking procedure that existed in releases prior to 7.1.05:
ServerIron(config)# server no-fast-bringup
server no-real-l3-check
Globally disables the initial Layer 3 health check for local real servers. When you disable the health check, the
ServerIron sends an ARP request for the default gateway and makes the server's state ACTIVE as long as the
ARP entry is present in the ServerIron's ARP cache.
By default, when you add a real server configuration to the ServerIron, the ServerIron uses a Layer 3 health check
(IP ping) to determine the server's reachability. If the real server responds to the ping, the ServerIron changes the
server's state to ACTIVE and begins using the server for client requests.
NOTE: This command applies only to local real servers (servers added using the server real-name command).
EXAMPLE:
ServerIron(config)# server no-real-l3-check
server no-remote-l3-check
Globally disables the initial Layer 3 health check for remote real servers. When you disable the health check, the
ServerIron sends an ARP request for the default gateway and makes the remote server's state ACTIVE as long as
the ARP entry is present in the ServerIron's ARP cache.
By default, when you add a real server configuration to the ServerIron, the ServerIron uses a Layer 3 health check
(IP ping) to determine the server's reachability. If the real server responds to the ping, the ServerIron changes the
server's state to ACTIVE and begins using the server for client requests.
NOTE: This command applies only to remote servers (servers added using the server remote-name
command).
EXAMPLE:
ServerIron(config)# server no-remote-l3-check
server no-slow-start
Globally disables the slow-start mechanism. When you disable the slow-start mechanism, the ServerIron can
immediately send up to the maximum number of connections specified for the real server when the server comes
up. Disabling slow-start does not remove the slow-start configuration information from the real servers. To
reactivate slow-start, globally re-enable the feature.
EXAMPLE:
ServerIron(config)# server no-slow-start
server partner-ports
Enables the standby ServerIron in an IronClad FWLB configuration that uses the always-active feature to learn the
MAC addresses of hosts whose packets pass through the active ServerIron to reach the standby ServerIron.
For more information about the use of this command, see the "Preventing Unnecessary Broadcasts in an Always-Active
IronClad Configuration" section in the "Using the Always-Active Feature for Simplified Topologies" appendix
of the Foundry ServerIron Firewall Load Balancing Guide.
NOTE: This command applies only to IronClad FWLB configurations that use the always-active option.
EXAMPLE:
ServerIron(config)# server partner-ports 5
On the ServerIronXL, ServerIron 400, and ServerIron 800 you can specify up to eight ports on the same
command line. Use a space after each port number to separate them.
On the ServerIronXL/G, you can specify one port on the same command line. However, you can enter the
command multiple times for multiple ports.
server path-group
This command is for a specific configuration. Do not use this command unless advised to do so by Foundry
Networks technical staff.
server peer-group
Configures stateless health checking. Use stateless health checking when you configure multiple ServerIrons to
load balance for a common set of TCP or UDP application ports. For example, a transparent VIP configuration
that uses stateless application ports can benefit from stateless health checking. A stateless application port is one
for which the ServerIron does not create session table entries.
EXAMPLE:
To configure a stateless health check group, enter a command such as the following on each ServerIron in the
group.
ServerIronA(config)# server peer-group 1 192.168.3.9 192.168.4.9
This command configures group 1 to contain two ServerIrons.
The <ip-addr>... parameter specifies a list of ServerIron management IP addresses. You can specify up to four
addresses with the command. Separate each address with a space. You can configure up to 16 ServerIron
management IP addresses. To do so, enter the command four times and specify different addresses each time.
NOTE: Make sure you add the management IP address for each of the other ServerIrons in the group. Do not
include the ServerIron's own management address in the list.
To configure a ServerIron's stateless health check priority, enter a command such as the following on each
ServerIron in the stateless health check group.
NOTE: If you do not set the stateless health check priority on a ServerIron, that ServerIron does not participate
in stateless health checking. If you set the same priority on all the ServerIrons, their priorities are based on their
management IP addresses instead. In this case, a higher management IP address has more priority than a lower
management IP address.
ServerIronA(config)# server peer-group 1 self-priority 16
This command sets the stateless health check priority on ServerIron A to 16, the highest priority.
server ping-interval
In a client-server environment, if a server does not respond within five seconds to active traffic, that server is
marked suspect and the switch sends a ping to the server. The number of times the switch pings the server is
defined by the server ping-retries command. The interval between the pings is defined by this
command, server ping-interval.
This command is used in conjunction with the feature server load balancing on the ServerIron switch.
EXAMPLE:
To modify the interval between ping retries to 8 seconds from the default value of 2 seconds, enter the following
command:
ServerIron(config)# server ping-interval 8
server ping-retries
This command configures how often the server is pinged before placing the server in a failed state. Possible
values are between 2 and 10 with a default value of 4.
This command is used in conjunction with the feature server load balancing on the ServerIron switch.
EXAMPLE:
To modify how often a switch pings a server before declaring the server down to a value of 7 from the default
value of 4, enter the following command:
server policy-hash-acl
Overrides the global hash mask for all traffic that matches the source and destination information in the specified
ACL.
EXAMPLE:
ServerIron(config)# access-list 100 permit ip any 192.168.1.16 0.0.0.15
ServerIron(config)# access-list 100 permit ip any 192.168.2.0 0.0.0.255
ServerIron(config)# access-list 100 permit ip any 192.168.3.192 0.0.0.63
ServerIron(config)# access-list 100 permit ip any 192.168.4.0 0.0.0.255
ServerIron(config)# access-list 100 permit ip any 192.168.3.160 0.0.0.31
ServerIron(config)# access-list 100 permit ip any 192.168.3.0 0.0.0.127
ServerIron(config)# access-list 100 permit ip any 64.129.1.0 0.0.0.255
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# hash-mask 255.255.255.255 0.0.0.0
ServerIron(config-tc-2)# policy-hash-acl 100 255.255.255.255 255.255.255.255
In this example, FWLB will use the hash mask 255.255.255.255 0.0.0.0 for all traffic except the traffic that
matches ACL 100.
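How the ACL override selects the hash mask, as an added example (not Foundry code): it parses the access-list lines from the example above, matches a packet's destination against each entry's wildcard mask, and returns the policy mask for matching traffic or the global mask for everything else. The manual does not state how the ServerIron forms its flow hash, so hash_key (the masked source and destination addresses) and the function names are assumptions of this example.

```python
"""ACL-driven hash-mask selection, following the `hash-mask` /
`policy-hash-acl` example above.

Added illustration, not Foundry code. The parser accepts only the
access-list form used on this page (source `any`, destination plus wildcard
mask); `hash_key` is an assumed flow key, not the ServerIron's real hash.
"""
import ipaddress

ACL_LINES = [  # the access-list 100 entries from the example above
    "access-list 100 permit ip any 192.168.1.16 0.0.0.15",
    "access-list 100 permit ip any 192.168.2.0 0.0.0.255",
    "access-list 100 permit ip any 192.168.3.192 0.0.0.63",
    "access-list 100 permit ip any 192.168.4.0 0.0.0.255",
    "access-list 100 permit ip any 192.168.3.160 0.0.0.31",
    "access-list 100 permit ip any 192.168.3.0 0.0.0.127",
    "access-list 100 permit ip any 64.129.1.0 0.0.0.255",
]

GLOBAL_MASK = ("255.255.255.255", "0.0.0.0")                   # hash-mask 255.255.255.255 0.0.0.0
POLICY_MASKS = {100: ("255.255.255.255", "255.255.255.255")}   # policy-hash-acl 100 ...


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def parse_acl(lines):
    """Return [(acl_id, destination_network, wildcard), ...] as integers."""
    entries = []
    for line in lines:
        p = line.split()
        if len(p) != 7 or p[0] != "access-list" or p[2:5] != ["permit", "ip", "any"]:
            raise ValueError(f"unsupported ACL line: {line}")
        entries.append((int(p[1]), _ip(p[5]), _ip(p[6])))
    return entries


def wildcard_match(network: int, wildcard: int, addr: int) -> bool:
    """Wildcard (inverse) mask: a 1 bit in the wildcard means 'do not care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (network & care)


def select_hash_mask(acl, dst: str, global_mask=GLOBAL_MASK, policy=POLICY_MASKS):
    """First matching ACL entry that has a policy mask wins; else the global mask."""
    d = _ip(dst)
    for acl_id, network, wildcard in acl:
        if acl_id in policy and wildcard_match(network, wildcard, d):
            return policy[acl_id]
    return global_mask


def hash_key(src: str, dst: str, masks) -> tuple:
    """Assumed flow key: source and destination after applying the hash mask."""
    src_mask, dst_mask = masks
    return (str(ipaddress.IPv4Address(_ip(src) & _ip(src_mask))),
            str(ipaddress.IPv4Address(_ip(dst) & _ip(dst_mask))))


def flow_key(src: str, dst: str, acl=None) -> tuple:
    """Key a packet from src to dst would be hashed on under this configuration."""
    acl = parse_acl(ACL_LINES) if acl is None else acl
    return hash_key(src, dst, select_hash_mask(acl, dst))


if __name__ == "__main__":
    acl = parse_acl(ACL_LINES)
    for dst in ("192.168.1.20", "192.168.1.40", "192.168.3.200"):
        print(dst, select_hash_mask(acl, dst), flow_key("10.1.1.7", dst, acl))
```

With the global mask the destination is masked away, so all flows from one source hash alike; for destinations matched by ACL 100 both addresses contribute to the key.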
server port
Configures a port profile for a TCP/UDP port. The port profile globally defines the following attributes for the port.
NOTE: For additional information, see the "Configuring a Port Profile" section in the "Configuring Port and Health
Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.
TCP or UDP: This attribute applies only to ports for which the ServerIron does not already know the type. For
example, if a real server uses port 8080 for HTTP (a TCP port), you can globally identify 8080 as a TCP port. The
ServerIron assumes that ports for which it does not know the type are UDP ports.
Note: To display a list of the ports for which the ServerIron already knows the type, enter the server port ?
command at the global CONFIG level of the CLI.
Keepalive interval and retries: The number of seconds between health checks and the number of times the
ServerIron re-attempts a health check to which the server does not respond. You can specify from 2 to 120
seconds for the interval. You can specify from 1 to 5 retries.
Keepalive state: Whether the ServerIron's health check for the port is enabled or disabled. Recurring Layer 4 and
Layer 7 health checks are disabled by default. When you configure a port profile, the software automatically
globally enables the health check for the application. You also can explicitly disable or re-enable the keepalive
health check at this level.
Note: If you are configuring a port profile for a port that is known to the ServerIron, the keepalive parameters
affect Layer 7 health checks. For other ports, the keepalive parameters affect Layer 4 health checks.
Keepalive port: By default, the ServerIron bases the health of an application port on the port itself. You can
specify a different application port for the health check. In this case, the ServerIron bases the health of an
application port on the health of the other port you specify.
Note: You cannot base the health of a port well-known to the ServerIron on the health of another port, whether
the port is well-known or not well-known.
Session age: The number of minutes a TCP or UDP session table entry can remain inactive before the ServerIron
times out the entry. This parameter is set globally for all TCP or UDP ports but you can override the global setting
for an individual port by changing that port's profile. You can set the TCP or UDP age from 2 to 60 minutes. The
default TCP age is 30 minutes. The default UDP age is five minutes.
Note: Since UDP is a connectionless protocol, the ServerIron does not remove a UDP session from its session
table until the session times out. TCP is a connection-based protocol. Thus, for TCP sessions, the ServerIron
removes the session as soon as the client or server closes the session.
Session synchronization
Connection logging: You can enable logging for session table entries created for this port.
Slow start
Smooth factor: If you plan to use server response time as a load-balancing method, you can adjust the amount of
preference the ServerIron gives the most recent response time compared to the previous response time.
EXAMPLE:
To add port 8080 and specify that it is a TCP port, enter the following command:
FTP is the well-known name for port 21. (Ports 20 and 21 both are FTP ports, but on the ServerIron the name
FTP corresponds to port 21.)
To base a port's health on the health of another port, enter a command such as the following:
ServerIron(config-port-1234)# tcp keepalive port 80
ftp or 21
imap4 or 143
ldap or 389
pop3 or 110
smtp or 25
telnet or 23
EXAMPLE:
To configure an unknown UDP port to use a DNS Layer 7 health check, enter commands such as the following:
ServerIron(config)# server port 999
ServerIron(config-port-999)# udp keepalive protocol dns
EXAMPLE:
You can globally disable a Layer 4 port on the ServerIron. The port can be disabled for all real servers, all virtual
servers or all real and virtual servers. After you disable a port globally, you can enable the port on individual real
or virtual servers as necessary. By default, all real and virtual ports are enabled.
When the ServerIron is booted, if the command to globally disable a real or virtual port exists in the startup-config
file, the specified port is disabled at startup. When a real or virtual port is created, and the port has been disabled
globally, the real or virtual port is disabled as well. You must enable the port explicitly.
To disable all real HTTP ports:
ServerIron(config)# server port 80
ServerIron(config-port-http)# disable real
ServerIron(config-port-http)#
To disable all virtual HTTP ports:
ServerIron(config)# server port 80
ServerIron(config-port-http)# disable virtual
ServerIron(config-port-http)#
To disable all real and virtual HTTP ports:
ServerIron(config)# server port 80
ServerIron(config-port-http)# disable
ServerIron(config-port-http)#
When you enable this feature, the ServerIron does one of the following in addition to redirecting future requests
away from the real server:
UDP: For an unavailable UDP application, the ServerIron terminates the connection.
TCP: For an unavailable TCP application, the ServerIron resets the connection.
server predictor
This command is used to select the load-balancing method. By default, the least connections method is enabled.
EXAMPLE:
To change the server load-balancing method from the default value of least connections to the round-robin
method, enter the following:
ServerIron(config)# server predictor round-robin
server real-name
This command assigns a name and IP address to the real server. The server name is used to bind the server IP
address, so that the real server name can be used to represent the server. The server name can be any
alphanumeric string of up to 32 characters.
This command is used in conjunction with the server load balancing feature on the ServerIron switch.
NOTE: Use this command only if the server is attached to the ServerIron at Layer 2. If the server is attached
through one or more router hops, use the server remote-name command instead. See server remote-name on
page 6-79.
EXAMPLE:
ServerIron(config)# server real-name Wolalak_Wuwanich 192.168.1.159
server reassign-threshold
This command modifies the number of contiguous unacknowledged TCP SYN ACKs the ServerIron allows to
accumulate for a real server, before determining that the server is down and marking it FAILED.
If the server responds to a TCP SYN, the counter returns to zero.
EXAMPLE:
ServerIron(config)# server reassign-threshold 215
server remote-name
This command assigns a name and IP address to a remote real server. When you add a real server using the
server remote-name command instead of the server real-name command, the ServerIron does not include the
server in the predictor (load-balancing method). Instead, the ServerIron sends traffic to the remote server only if
all local real servers (added using the server real-name command) are unavailable.
The server name is used to bind the server IP address, so that the real server name can be used to represent the
server. The server name can be any alphanumeric string of up to 32 characters.
This command is used in conjunction with the Server Load Balancing feature on the ServerIron switch.
NOTE: Use this command only if the server is attached through one or more router hops. If the server is
attached to the ServerIron at Layer 2, use the server real-name command instead. See server real-name on
page 6-78.
EXAMPLE:
ServerIron(config)# server remote-name webfailover 209.157.22.37
server response-time
Globally configures response-time warning and shutdown thresholds for all real servers.
You can specify a warning threshold and a shutdown threshold:
Warning: If an application's average response time is longer than the number of milliseconds of the warning
threshold, the software generates a Syslog message and an SNMP trap.
Shutdown: If an application's average response time is longer than the number of milliseconds of the
shutdown threshold, the software generates a Syslog message and an SNMP trap and also shuts down the
application port on the real server. Other application ports on the real server are not affected.
By default, a real server does not have a warning threshold or a shutdown threshold. For each threshold, you can
specify a threshold value from 0 (disabled) to 65535 milliseconds (65 seconds).
You can configure one or both thresholds globally or on an individual real server basis. The thresholds configured
on an individual real server override the globally configured thresholds. After bringing down the application port,
the ServerIron periodically attempts to reach the port and brings the port back up once the port responds. For
information, see the "Application Port States" section in the "Configuring Port and Health Check Parameters"
chapter of the Foundry ServerIron Installation and Configuration Guide.
NOTE: This feature requires the Layer 4 and Layer 7 health checks to be enabled. If the health checks are not
enabled, the ServerIron does not apply the response thresholds you configure.
NOTE: This feature applies only to TCP ports.
EXAMPLE:
ServerIron(config)# server response-time 200 300
The command in this example configures the ServerIron to generate a warning message for an application port if
its average response time is longer than 200 milliseconds. The command also configures the ServerIron to shut
down a port if its average response time is longer than 300 milliseconds.
The <shutdown-threshold> parameter specifies the average number of milliseconds within which an application
port must respond to avoid being shut down. You can specify from 0 to 65535 milliseconds (65 seconds). There is
no default. If you specify 0, the shutdown threshold is disabled.
If you want the ServerIron to generate a warning message but you do not want the ServerIron to shut down an
application port, configure the warning threshold but not the shutdown threshold. Here is an example:
ServerIron(config)# server response-time 100
To set the shutdown threshold without also setting a warning threshold, enter 0 for the warning threshold, as
shown in the following example:
ServerIron(config)# server response-time 0 300
Possible values: 0 to 65535 milliseconds (65 seconds)
Default value: not configured
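The threshold rules above, as an added example that is not the manual's or the ServerIron's code: a value of 0 disables a threshold, thresholds set on a real server override the global ones, and an exceeded shutdown threshold takes one application port down while leaving the server's other ports alone. The data classes, the action strings returned, the constructed server names and averages, and the assumption that an exceeded shutdown threshold supersedes the warning are this example's own.

```python
"""Response-time threshold evaluation for `server response-time`.

Added illustration, not Foundry code. Data classes, action strings and the
"shutdown supersedes warning" rule are assumptions; the manual specifies only
that 0 disables a threshold, per-server values override global ones, and a
shutdown affects one application port only.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_MS = 65535          # upper limit of either threshold (65 seconds)


@dataclass
class Thresholds:
    warning_ms: int = 0     # 0 = disabled; the manual's default is "not configured"
    shutdown_ms: int = 0

    def __post_init__(self):
        for v in (self.warning_ms, self.shutdown_ms):
            if not 0 <= v <= MAX_MS:
                raise ValueError(f"threshold {v} outside 0..{MAX_MS} ms")


@dataclass
class RealServer:
    name: str
    thresholds: Optional[Thresholds] = None            # per-server override
    port_state: dict = field(default_factory=dict)     # port -> "up" / "down"


def effective(server: RealServer, global_t: Thresholds) -> Thresholds:
    """Thresholds configured on the real server override the global ones."""
    return server.thresholds if server.thresholds is not None else global_t


def evaluate(server: RealServer, port: str, avg_ms: int, global_t: Thresholds) -> list:
    """Apply the thresholds to one application port's average response time.

    Returns the actions taken, in order; a shutdown also marks that port down
    while leaving the server's other ports untouched.
    """
    t = effective(server, global_t)
    if t.shutdown_ms and avg_ms > t.shutdown_ms:
        server.port_state[port] = "down"
        return ["syslog", "snmp-trap", f"shutdown port {port}"]
    if t.warning_ms and avg_ms > t.warning_ms:
        return ["syslog", "snmp-trap"]
    return []


def demo() -> dict:
    """Walk the manual's `server response-time 200 300` case with constructed data."""
    global_t = Thresholds(200, 300)
    web1 = RealServer("web1", port_state={"http": "up", "ftp": "up"})
    web2 = RealServer("web2", thresholds=Thresholds(0, 500),   # warning off, shutdown 500
                      port_state={"http": "up"})
    return {
        "web1 http 250ms": evaluate(web1, "http", 250, global_t),
        "web1 http 350ms": evaluate(web1, "http", 350, global_t),
        "web1 ports": dict(web1.port_state),
        "web2 http 350ms": evaluate(web2, "http", 350, global_t),
        "web2 http 600ms": evaluate(web2, "http", 600, global_t),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that web2, whose own thresholds override the global pair, raises nothing at 350 ms because its warning threshold is 0 (disabled) and its shutdown threshold is 500 ms.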
server reverse-nat
This command enables Reverse NAT. Reverse NAT allows the ServerIron to change the source IP address of
some traffic initiated by a real server. Specifically, the feature causes the ServerIron to change the source IP
address for traffic that the real server initiates on TCP or UDP ports that are bound to a VIP.
By default, the ServerIron does not perform address translation for any traffic initiated by the real server. However,
if you enable Reverse NAT, the ServerIron does perform address translation for connections that the server
initiates on ports that are bound to a VIP on the ServerIron.
Reverse NAT works with any port number you use for binding the real server to the VIP. However, TCP and UDP
traffic initiated by a real server usually uses a port that is chosen by the server when the traffic is sent. As a result,
it is not easy to predict the port numbers the real server will use. You can ensure that the ServerIron translates the
source address of the traffic by binding the real server to a VIP using the default port. For example, if you
configure VIP1 and bind it to real server RS1 using the default port, the ServerIron translates the source IP
address in all TCP and UDP traffic initiated by RS1 from the real server's IP address into the VIP address.
Even when Reverse NAT is enabled, the ServerIron does not translate the source address for traffic that the real
server initiates over ports that are not bound to a VIP.
If you bind a real server to more than one VIP, the ServerIron will use the address of the VIP that is bound to the
server using the default port. For example, if you bind a real server to VIP1 using TCP port 80 and bind the same
server to VIP2 using the default port, the ServerIron always uses VIP2 for Reverse NAT.
NOTE: Reverse NAT does not affect reply traffic from the server. The feature applies only to traffic initiated by
the server. In addition, the feature applies only to traffic on the TCP and UDP ports that are used to bind the real
server to a VIP configured on the ServerIron. If the real server and VIP are bound using the default port, Reverse
NAT applies to all TCP and UDP traffic initiated by the server.
Reverse NAT is disabled by default. If you need to enable reverse NAT, use one of the following methods.
EXAMPLE:
ServerIron(config)# server real-name RS1 10.10.10.1
ServerIron(config-rs-RS1)# port http
ServerIron(config-rs-RS1)# exit
ServerIron(config)# server virtual-name VIP1 192.168.1.10
ServerIron(config-vs-VIP1)# bind http RS1 http
ServerIron(config-vs-VIP1)# exit
ServerIron(config)# server virtual-name VIP2 192.168.1.69
ServerIron(config-vs-VIP2)# bind default RS1 default
ServerIron(config-vs-VIP2)# exit
ServerIron(config)# server reverse-nat
The commands in this example create real server RS1 and VIPs VIP1 and VIP2. VIP1 is bound to RS1 using TCP
port 80 (HTTP). VIP2 is bound to RS1 using the default port. When RS1 initiates TCP or UDP traffic, the
ServerIron translates the source IP address from 10.10.10.1 to 192.168.1.69. The ServerIron uses VIP2's IP
address instead of VIP1's IP address for Reverse NAT because VIP2 is bound using the default port.
server router-ports
This command is used to identify ports on a ServerIron switch that are connected to a router. Use this command
when multiple ports on the switch are attached to routers.
This command is used in conjunction with the SLB feature on the ServerIron switch.
NOTE: The command is not supported on Foundry Layer 3 Switches.
EXAMPLE:
ServerIron(config)# server router-ports 8
server session-id-age
This command is used in conjunction with the SSL session ID switching feature on the ServerIron. By default, the
ServerIron keeps the entry associating an SSL session ID with a real server in its database for 30 minutes. After
30 minutes, the entry ages out of the database. Use this command to change the length of time the ServerIron
keeps the entry in the database.
EXAMPLE:
To change the aging period to 10 minutes:
ServerIron(config)# server session-id-age 10
server session-limit
This command is used to limit the maximum number of active sessions allowed on a ServerIron. An active
session is a session entry in the ServerIron's session table. Thus, a UDP or TCP session that has become idle
but has not yet timed out (according to the UDP or TCP age timer) is an active session in this table.
NOTE: This command applies only to SLB and is not supported on Foundry Layer 3 Switches.
EXAMPLE:
ServerIron(config)# server session-limit 550000
server slb-fw
Enables SLB-to-FWLB. For information, see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
ServerIronB(config)# server slb-fw
server source-ip
Adds an IP address to the ServerIron for use by the real servers as their default gateway address. Source IP
addresses, when used with the source NAT feature, enable you to place the ServerIron in a multinetted
environment.
You can configure up to 64 source IP addresses on a ServerIronXL running software release 07.3.00 or later. You
can configure up to 40 source IP addresses on other models running 07.1.x or 07.2.x software.
NOTE: If you are configuring a pair of ServerIrons for hot-standby (active-standby) and you want to use the same
source IP address as the real servers' default gateway on each ServerIron, use the server source-standby-ip
command instead. See server source-standby-ip.
EXAMPLE:
ServerIron(config)# server source-ip 209.157.22.28 255.255.255.0 209.157.22.1
server source-nat
Enables the ServerIron to change the source IP address for traffic the ServerIron forwards to a real server. When
source NAT is enabled, the ServerIron translates the source IP address from the client's into a source IP address
you have configured.
Source NAT is disabled by default.
NOTE: If you are configuring a pair of ServerIrons for hot-standby (active-standby) and you want to use the same
source IP address on each ServerIron, use the server source-nat-ip command instead. See server source-nat-ip.
EXAMPLE:
ServerIron(config)# server source-nat
server source-nat-ip
In a hot-standby (active-standby) SLB configuration, configures a shared source IP address for NAT. Enter the
same command with the same source IP address on each of the ServerIrons. The address is active only on one
ServerIron (the ServerIron that is currently active) at a time.
NOTE: This command applies only to hot-standby (active-standby) configurations.
NOTE: If you are configuring a shared source IP address for use by the real servers as their default gateway, use
the server source-standby-ip address instead. See server source-standby-ip.
EXAMPLE:
Enter the following command on each ServerIron in the active-standby pair.
ServerIron(config)# server source-nat-ip 10.10.10.5 255.255.255.0 0.0.0.0
server source-standby-ip
In a hot-standby (active-standby) SLB configuration, configures a shared source IP address for use by the real
servers as their default gateway. Enter the same command with the same source IP address on each of the
ServerIrons. The address is active only on one ServerIron (the ServerIron that is currently active) at a time.
NOTE: This command applies only to hot-standby (active-standby) configurations.
NOTE: If you are configuring a shared source IP address for NAT, use the server source-nat-ip command
instead. See server source-nat-ip.
EXAMPLE:
Enter the following command on each ServerIron in the active-standby pair.
ServerIron(config)# server source-standby-ip 10.10.10.5 255.255.255.0 0.0.0.0
server sticky-age
This command is used in conjunction with the SLB on the ServerIron switch. It allows you to modify the aging out
parameter for inactive sticky server connections.
Sticky connections are defined on the virtual server port of a ServerIron for those instances when sequential TCP/
UDP port connections must be serviced by the same server.
EXAMPLE:
To set a sticky age of 25 minutes, enter the following:
ServerIron(config)# server sticky-age 25
server sym-pdu-rate
Changes the interval and wait time for SSLB discovery packets.
A ServerIron in an SSLB configuration uses SSLB discovery packets to request SSLB information from the other
ServerIrons. SSLB discovery packets are proprietary Layer 2 broadcast packets and are sent on all ports in all
port-based VLANs.
By default, a ServerIron in an SSLB configuration sends SSLB discovery packets at 200-millisecond intervals.
The ServerIron will wait up to 20 equivalent intervals to receive an SSLB discovery packet from another
ServerIron. If the ServerIron does not receive an SSLB discovery packet from the other ServerIron within the 20
intervals, the ServerIron concludes that its partner ServerIron is unavailable and assumes control of the VIPs
being managed by that ServerIron. For example, if the interval for sending SSLB discovery packets is 200
milliseconds (the default), the ServerIron will wait 20 x 200 milliseconds (four seconds) to receive an SSLB
discovery packet from another ServerIron.
You can change the discovery interval multiplier and the wait time multiplier.
The discovery interval is equal to 200 milliseconds multiplied by the discovery interval multiplier. The default
discovery interval multiplier is 1, so the default discovery interval is 200 milliseconds. You can specify a
multiplier from 1 to 60.
The wait time interval is equal to the discovery interval multiplied by the wait time multiplier. The default wait
time multiplier is 20. Assuming the discovery interval is 200 milliseconds (the default), the default wait time is
four seconds (20 x 200 milliseconds).
NOTE: The SSLB timer affects the rate at which the ServerIron sends SSLB protocol packets to its SSLB
partners. The timer does not affect client or server traffic to or from a VIP.
NOTE: All the ServerIrons in your configuration must use the same SSLB discovery interval and wait time. If you
change the interval and wait time on one ServerIron, make the same change on all the other ServerIrons in the
SSLB configuration.
EXAMPLE:
To change the SSLB discovery interval multiplier and wait time multiplier, enter a command such as the following:
ServerIron(config)# server sym-pdu-rate 2 30
This command changes the interval at which the ServerIron sends SSLB discovery packets to once every 400
milliseconds, and changes the maximum amount of time the ServerIron will wait for an SSLB discovery packet
from another ServerIron to 12 seconds (30 x 400 milliseconds).
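The following Python model is added here as an illustration; it is not code from the Foundry documentation. It computes the discovery interval and wait time from the two multipliers, replays constructed partner packet timestamps to show when a ServerIron would conclude its partner is unavailable and take over its VIPs, and checks the mismatch the NOTE above warns about. The class and function names are the example's own, and the assumption that a packet from the partner was seen at time zero is the example's, not the manual's.

```python
"""Model of the SSLB discovery timer set with `server sym-pdu-rate`.

Added example, not Foundry code. It implements only what the manual states:
discovery packets go out every 200 ms x interval multiplier (1 to 60), and a
partner is considered unavailable once wait-time-multiplier discovery
intervals pass without a packet from it. Packet timestamps are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

BASE_INTERVAL_MS = 200   # fixed base interval stated in the manual


@dataclass(frozen=True)
class SslbTimer:
    interval_mult: int = 1    # first argument of server sym-pdu-rate
    wait_mult: int = 20       # second argument of server sym-pdu-rate

    def __post_init__(self) -> None:
        if not 1 <= self.interval_mult <= 60:
            raise ValueError("discovery interval multiplier must be 1 to 60")
        if self.wait_mult < 1:
            raise ValueError("wait time multiplier must be at least 1")

    @property
    def discovery_interval_ms(self) -> int:
        return BASE_INTERVAL_MS * self.interval_mult

    @property
    def wait_time_ms(self) -> int:
        return self.discovery_interval_ms * self.wait_mult


def partner_failover_time(timer: SslbTimer, partner_pdu_times_ms: List[int],
                          horizon_ms: int) -> Optional[int]:
    """Time (ms) at which this ServerIron declares its partner unavailable and
    takes over its VIPs, or None if a discovery packet always arrived within
    the wait time up to horizon_ms. Assumption: a packet was seen at t=0."""
    last_seen = 0
    for t in sorted(partner_pdu_times_ms):
        if t - last_seen > timer.wait_time_ms:
            return last_seen + timer.wait_time_ms
        last_seen = t
    if horizon_ms - last_seen > timer.wait_time_ms:
        return last_seen + timer.wait_time_ms
    return None


def config_mismatch_causes_false_failover(sender: SslbTimer, receiver: SslbTimer) -> bool:
    """The manual requires identical settings on every ServerIron: if one side
    sends less often than the other side is willing to wait, the receiver
    declares a healthy partner dead and takes over its VIPs."""
    return sender.discovery_interval_ms > receiver.wait_time_ms
```

With the defaults the model gives a 200 ms interval and a 4 second wait; with `server sym-pdu-rate 2 30` it gives 400 ms and 12 seconds, matching the figures above. A partner that stops sending after 2000 ms is declared unavailable at 6000 ms under the default timer and at 14000 ms under the 2/30 timer, which is the trade-off the command controls: a longer wait tolerates more packet loss but delays takeover of the partner's VIPs.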
server syn-def
Protects against TCP SYN attacks by setting a threshold for the amount of time it takes for a connecting host to
send back an ACK packet. If this threshold is exceeded, the ServerIron removes the entry for the connection from
its session table, and a TCP RESET packet is sent to the destination real server, causing it to remove the entry
from its session table as well.
EXAMPLE:
To configure the ServerIron to remove an entry from its session table if the connection remains incomplete for 6 or
more seconds:
ServerIron(config)# server syn-def 6
server syn-limit
This command is used to limit the maximum number of TCP SYN requests on a per-second basis per server.
NOTE: This command applies only to SLB and is not supported on Foundry Layer 3 Switches.
EXAMPLE:
ServerIron(config)# server syn-limit 2000
server tcp-age
This command allows you to modify the aging out parameter for inactive TCP server connections.
If you change the TCP age, the change affects only new TCP sessions that start after you make the change. The
maximum age for sessions that are already in the session table does not change.
EXAMPLE:
To modify the server TCP age to 20 minutes from the default value of 30 minutes, enter the following command:
ServerIron(config)# server tcp-age 20
server transparent-vip
Enables the transparent VIP feature.
NOTE: After you enable the ServerIron for transparent VIP, you still must enable individual VIPs for the feature.
See transparent-vip on page 11-9.
EXAMPLE:
ServerIron(config)# server transparent-vip
ServerIron(config)# ip policy 1 cache tcp 80 local
ServerIron(config)# interface ethernet 1
ServerIron(config-if-1)# ip-policy 1
These commands enable transparent VIP globally for TCP port 80 (HTTP), then configure a cache redirection
policy and apply it locally to the ServerIron port(s) connected to the clients. The cache redirection policy identifies
the application port(s) on the VIP that you want to load balance.
server udp-age
This command allows you to modify the aging out parameter for inactive UDP server connections. Possible values
are between 2 and 60 minutes with a default value of 5 minutes.
EXAMPLE:
To modify the server UDP age to 20 minutes from the default value of 5 minutes, enter the following command:
ServerIron(config)# server udp-age 20
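The following Python model is added here as an illustration of the four session-table commands above (server syn-def, server syn-limit, server tcp-age and server udp-age); it is not code from the Foundry documentation. It keeps a table of SLB sessions, discards SYNs beyond a per-server per-second limit, removes half-open sessions once the syn-def threshold passes and records the RST that would go to the real server, and ages idle sessions using the age that was in force when each session was created, which is the rule stated under server tcp-age. The class names, the flows and the timestamps are the example's own constructions.

```python
"""Model of the ServerIron SLB session-table behaviour described under
server syn-def, server syn-limit, server tcp-age and server udp-age.

Added example, not Foundry code. Assumptions beyond the manual: syn-limit is
counted per real server per wall-clock second, a half-open session is one
whose client ACK has not been seen, and idle age is measured from the last
packet on the session. Flows and timestamps are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str]          # (client IP, client port, "tcp" or "udp")


@dataclass
class Session:
    flow: Flow
    real_server: str
    created: float
    last_seen: float
    max_age_min: int                 # age in force when the session was created
    acked: bool                      # False while the TCP handshake is incomplete


class SlbSessionTable:
    def __init__(self, syn_def_sec: int = 6, syn_limit: int = 2000,
                 tcp_age_min: int = 30, udp_age_min: int = 5) -> None:
        if not 2 <= udp_age_min <= 60:
            raise ValueError("udp-age must be 2 to 60 minutes")
        self.syn_def_sec = syn_def_sec
        self.syn_limit = syn_limit
        self.tcp_age_min = tcp_age_min
        self.udp_age_min = udp_age_min
        self.sessions: Dict[Flow, Session] = {}
        self.resets_sent: List[Tuple[str, Flow]] = []   # (real server, flow) RSTs
        self.dropped_syns = 0
        self._syns_this_second: Dict[Tuple[str, int], int] = defaultdict(int)

    def set_tcp_age(self, minutes: int) -> None:
        """server tcp-age: only sessions created afterwards get the new value."""
        self.tcp_age_min = minutes

    def new_session(self, flow: Flow, real_server: str, now: float) -> bool:
        """Client SYN (TCP) or first datagram (UDP). Returns False if the SYN
        was discarded because the per-server syn-limit was reached."""
        proto = flow[2]
        if proto == "tcp":
            bucket = (real_server, int(now))
            if self._syns_this_second[bucket] >= self.syn_limit:
                self.dropped_syns += 1
                return False
            self._syns_this_second[bucket] += 1
            age = self.tcp_age_min
        else:
            age = self.udp_age_min
        self.sessions[flow] = Session(flow, real_server, now, now, age, acked=(proto == "udp"))
        return True

    def packet(self, flow: Flow, now: float, ack: bool = False) -> None:
        """Any later packet on the flow; ack=True marks the client's handshake ACK."""
        s = self.sessions.get(flow)
        if s is None:
            return
        s.last_seen = now
        if ack:
            s.acked = True

    def run_timers(self, now: float) -> Dict[str, int]:
        """Apply syn-def to half-open sessions and tcp/udp-age to idle ones."""
        removed = {"syn-def": 0, "aged": 0}
        for flow, s in list(self.sessions.items()):
            if not s.acked and now - s.created >= self.syn_def_sec:
                del self.sessions[flow]
                self.resets_sent.append((s.real_server, flow))   # RST to the real server
                removed["syn-def"] += 1
            elif s.acked and now - s.last_seen >= s.max_age_min * 60:
                del self.sessions[flow]
                removed["aged"] += 1
        return removed
```

The point a practitioner should take from the model is the interaction of the two defences: syn-limit bounds how fast half-open entries can be created per real server, and syn-def bounds how long each one can occupy the table, so the table can hold at most roughly syn-limit times syn-def half-open entries per server during a flood. Note too that lowering tcp-age after a flood has started does not shorten the sessions already in the table.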
server use-simple-ssl-health-check
Configures the ServerIronXL to use the SSL health check method from software releases earlier than 07.1.18.
By default, the ServerIronXL uses the following method for SSL health checks.
The ServerIron initiates an SSL connection with the server on TCP port 443, a secure link is negotiated, and
encrypted data is transferred across it. After the SSL connection is established, the ServerIron sends the SSL
server an HTTP GET or HEAD request. The GET or HEAD request specifies a page containing the URL of a
page on the server. By default, the ServerIron sends a HEAD request for the default page, 1.0, although this can
be changed with the port ssl url command.
If the server responds with an acceptable status code, the ServerIron resets the connection and marks the
port ACTIVE.
If the server does not respond, the ServerIron retries the health check up to the number of times configured
(the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED
and removes the server from the load-balancing rotation for SSL service.
All other ServerIron models use the following health check method.
The ServerIron sends an SSL client hello with the SSL SID set to 0:
If the server responds, then the ServerIron resets the connection and marks the port ACTIVE.
If the server does not respond, the ServerIron retries the health check up to the number of times configured
(the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED
and removes the server from the load-balancing rotation for SSL service.
The server use-simple-ssl-health-check command configures the ServerIronXL to also use this method.
EXAMPLE:
ServerIron(config)# server use-simple-ssl-health-check
server virtual-name
This command is used to define the virtual server name and IP address. The virtual server name can be any
alphanumeric text string of up to 32 characters.
This command is used in conjunction with the feature server load balancing on the ServerIron switch.
EXAMPLE:
ServerIron(config)# server virtual-name noi 192.168.1.10
server vpn-lb
Configures the ServerIron to provide FWLB for a VPN firewall such as the Check Point VPN-1 Gateway/FireWall-1. Use this command to enable VPN load balancing on the ServerIron that is on the Internet side of the firewalls.
NOTE: This command's optional parameters apply only to site-to-site VPN, not to SecureRemote-to-site VPN.
From the ServerIron's perspective, the difference between these two types of VPN is as follows:
Site-to-site VPN: All Internet Security Association and Key Management Protocol (ISAKMP) packets are
addressed to the Cluster IP address. ISAKMP is used by Check Point firewalls and is described in RFC 2408.
SecureRemote-to-site VPN: Only the first ISAKMP packet is addressed to the Cluster IP address.
Subsequent ISAKMP packets are addressed to a firewall.
EXAMPLE:
ServerIron(config)# server vpn-lb
round-robin: Encrypted VPN traffic is load balanced in round-robin fashion, regardless of source or
destination IP address. You can use this method if the firewalls are synchronized.
NOTE: When this load balancing method is used, the ServerIron does not maintain sessions for the traffic.
A session would associate a given pair of source and destination IP addresses with a specific firewall, but the
round-robin method does not associate the traffic's addresses with a specific firewall.
source-ip: Encrypted VPN traffic to the firewalls is load balanced based on the source IP address of the
traffic. Once the software selects a firewall for the first packet from a given IP address, all subsequent packets
from the same address go to the same firewall. This is the default.
NOTE: In a site-to-site VPN load balancing configuration, this load balancing method can result in all the
VPN traffic going to the same firewall, since all the traffic from a given site has the same source IP address.
spi: Encrypted VPN traffic to the firewalls is load balanced based on the Security Parameter Index (SPI) of
the traffic. The SPI is a unique value associated with the tunnel between each pair of source and destination
sites or hosts. You can configure the Check Point firewalls to establish multiple tunnels to exchange traffic. If
you configure the firewalls this way, the spi option enables the ServerIron to load balance the tunnels across
multiple firewalls even though the tunnels appear to be originated by the same source IP address.
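The following Python model is added here as an illustration of the three selection methods; it is not code from the Foundry documentation. It selects a firewall for constructed ESP packets by round-robin, by source IP address or by SPI, and shows the site-to-site effect described in the NOTE above: one peer site with three tunnels lands entirely on one firewall under source-ip but spreads across firewalls under spi. The firewall names, packets and the modulo mapping from an address or SPI to a firewall are the example's own; the manual says only that a given address or SPI always maps to the same firewall.

```python
"""Model of the three server vpn-lb selection methods: round-robin, source-ip
and spi.

Added example, not Foundry code. The firewall names, the packets and the
way a source address or SPI is mapped to a firewall (a modulo over the
firewall list) are constructed; the manual only states that a given source
address or SPI always maps to the same firewall.
"""
import ipaddress
import itertools
from dataclasses import dataclass
from typing import Dict, List, Tuple

METHODS = ("round-robin", "source-ip", "spi")


@dataclass(frozen=True)
class EspPacket:
    src_ip: str
    dst_ip: str
    spi: int        # IPsec Security Parameter Index of the tunnel


class VpnLoadBalancer:
    def __init__(self, firewalls: List[str], method: str = "source-ip") -> None:
        if method not in METHODS:
            raise ValueError(f"unknown method {method!r}")
        self.firewalls = list(firewalls)
        self.method = method
        self._ring = itertools.cycle(self.firewalls)
        # Session table: key -> firewall. Stays empty for round-robin, which
        # the manual says keeps no sessions.
        self.sessions: Dict[Tuple, str] = {}

    def _stable_index(self, key: Tuple) -> int:
        # Constructed mapping; any deterministic function of the key would do.
        if self.method == "source-ip":
            return int(ipaddress.ip_address(key[0])) % len(self.firewalls)
        return key[2] % len(self.firewalls)    # key[2] is the SPI

    def select(self, pkt: EspPacket) -> str:
        if self.method == "round-robin":
            return next(self._ring)
        if self.method == "source-ip":
            key = (pkt.src_ip,)
        else:
            key = (pkt.src_ip, pkt.dst_ip, pkt.spi)
        fw = self.sessions.get(key)
        if fw is None:
            fw = self.firewalls[self._stable_index(key)]
            self.sessions[key] = fw
        return fw


def distribution(lb: VpnLoadBalancer, packets: List[EspPacket]) -> Dict[str, int]:
    """How many of the packets each firewall received."""
    counts = {fw: 0 for fw in lb.firewalls}
    for p in packets:
        counts[lb.select(p)] += 1
    return counts


# Constructed site-to-site traffic: one peer site, three tunnels (three SPIs).
SITE_TO_SITE = [EspPacket("198.51.100.10", "203.0.113.1", spi)
                for spi in (0x1001, 0x1002, 0x1003)]
```

Under source-ip all three tunnels from 198.51.100.10 go to the same firewall, which is the single-firewall concentration the NOTE warns about for site-to-site deployments; under spi the tunnels are spread, and each tunnel stays pinned to its firewall for the life of the session entry. Round-robin spreads packets evenly but, as the manual says, keeps no session state, so it is only safe when the firewalls synchronize state with each other.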
server vpn-lb-inside
Configures the ServerIron to provide FWLB for a VPN firewall such as the Check Point VPN-1 Gateway/FireWall-1. Use this command to enable VPN load balancing on the ServerIron that is on the private side of the firewalls.
EXAMPLE:
ServerIron(config)# server vpn-lb-inside
service password-encryption
This command enables password encryption. When encryption is enabled, users cannot learn the device's
passwords by viewing the configuration file. Password encryption is enabled by default.
NOTE: Password encryption does not encrypt the password in Telnet packets sent to the device. This feature
applies only to the configuration file.
EXAMPLE:
ServerIron(config)# no service password-encryption
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
snmp-client
Restricts SNMP management access to the Foundry device to the host whose IP address you specify. No other
device except the one with the specified IP address can access the Foundry device through IronView or any other
SNMP application.
If you want to restrict access from Telnet or the Web, use one or two of the following commands:
telnet client: restricts Telnet access. See telnet client on page 6-95.
web client: restricts Web access. See web client on page 6-100.
If you want to restrict all management access, you can use the commands above and the snmp-client command
or you can use the following command: all-client. See all-client on page 6-7.
EXAMPLE:
To restrict SNMP access (which includes IronView) to the Foundry device to the host with IP address
209.157.22.26, enter the following command:
ServerIron(config)# snmp-client 209.157.22.26
snmp-server community
Assigns an SNMP community string to the system. The command records in the configuration file a user-specified
community string and an access type of either:
read-only (public)
read-write (private)
EXAMPLE:
ServerIron(config)# snmp-server community planet1 ro
snmp-server contact
Identifies a system contact. You can designate a contact name for the ServerIron and save it in the configuration
file for later reference. You can later access contact information using the show snmp server command.
EXAMPLE:
ServerIron(config)# snmp-server contact Noi Lampa
snmp-server host
Assigns or removes a station as an SNMP trap receiver. To assign the trap receiver, use the snmp-server host
command. To later remove the trap receiver, enter no snmp-server host.
EXAMPLE:
To disable a station as an SNMP trap receiver, enter the following:
ServerIron(config)# no snmp-server host 192.22.3.33 public
snmp-server location
Identifies a system location for the ServerIron. This information is saved in the configuration file for later reference.
You can later access system location information using the show snmp server command.
EXAMPLE:
ServerIron(config)# snmp-server location pulchritude_lane
snmp-server pw-check
Disables password checking for SNMP set requests. If a third-party SNMP management application does not add
a password to the password field when it sends SNMP set requests to a Foundry device, by default the Foundry
device rejects the request. You can disable this password checking with the no snmp-server pw-check
command.
EXAMPLE:
ServerIron(config)# no snmp-server pw-check
snmp-server trap-source
Specifies a port or virtual interface whose first configured IP address the Foundry device must use as the source
for all SNMP traps sent by the device.
EXAMPLE:
ServerIron(config)# snmp-server trap-source ethernet 4
snmp-server view
Configures an SNMP view. You can use an SNMP view as an argument with other commands.
SNMP views are named groups of MIB objects that can be associated with user accounts to allow limited access
for viewing and modification of SNMP statistics and system configuration. SNMP views can also be used with
other commands that take SNMP views as an argument. SNMP views reference MIB objects using object names,
numbers, wildcards, or a combination of the three. The numbers represent the hierarchical location of the object
in the MIB tree. You can reference individual objects in the MIB tree or a subset of objects from the MIB tree.
NOTE: The snmp-server view command supports the MIB objects as defined in RFC 1445.
EXAMPLE:
To add an SNMP view, use the following CLI method:
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
sntp poll-interval
This parameter sets how often clock updates are requested from an SNTP server.
EXAMPLE:
To configure the ServerIron to poll for clock updates from an SNTP server every 15 minutes, enter the following:
ServerIron(config)# sntp poll-interval 900
sntp server
This command allows you to define the SNTP server that will be used for clock synchronization for the ServerIron.
You can either enter the SNTP server's IP address or its hostname.
Up to three SNTP server entries can be defined.
EXAMPLE:
To define the SNTP server (IP address 192.1.4.69) that will be polled by the ServerIron for time updates, enter:
ServerIron(config)# sntp server 192.1.4.69
spanning-tree
Enables or disables (no) Spanning Tree on the switch. This change can be viewed by the show spanning tree
command.
For switches, this feature is enabled by default.
For routers, this feature is disabled by default.
To disable this feature, enter no spanning-tree. To later re-enable spanning tree on the router, enter spanning-tree.
EXAMPLE:
To disable spanning tree, enter the following:
ServerIron(config)# no spanning-tree
EXAMPLE:
To enable spanning tree, enter the following:
ServerIron(config)# spanning-tree
spanning-tree <parameter>
Spanning Tree bridge and port parameters are configurable using one CLI command. When no port-based
VLANs are active on the system, spanning tree parameters are set at the Global CONFIG Level.
When port-based VLANs are active on the system, spanning tree protocol bridge and port parameters can be
configured globally at the VLAN Level. Additionally, you can disable or enable STP on an interface basis.
NOTE: If VLANs are active on a switch or router, spanning-tree will not be seen as an option at the Global
CONFIG Level of the CLI but will be an option of the VLAN Level.
All bridge and port parameters have default values and do not need to be modified unless required to match
network needs. Additionally, all values will be globally applied to the switch or router. By default this feature is
enabled on switches and disabled on routers.
You can modify the following STP parameters:
1. Bridge parameters: forward delay, maximum age, hello time and priority
2. Port parameters: path cost and priority
EXAMPLE:
Suppose you want to enable spanning tree on a system in which no port-based VLANs are active and change the
hello-time from the default value of 2 to 8 seconds. Additionally, suppose you want to change the path and priority
costs for port 5 only. To do so, enter the following commands.
ServerIron(config)# span hello-time 8
ServerIron(config)# span ethernet 5 path-cost 15 priority 64
Syntax: span [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value> hello-time <value>
maximum-age <time> priority <value>
Possible values: see below
Bridge Parameters:
Priority: Possible values: 1 to 65,535. Default is 32,768. A higher numerical value means a lower priority;
thus, the highest priority is 0.
Port Parameters:
NOTE: The default value Auto means that the port will adjust the default value automatically based on the port
speed. The default value is based on the following formula:
Priority: possible values are 0-255. Default is 128. A higher numerical value means a lower priority; thus, the
highest priority is 0.
static-mac-address
Defines a static MAC address on an individual switch or switching port to ensure it is not aged out. The
parameter option, router-type or host-type, is not available for the FastIron Workgroup switch or Stackable Layer 3
Switches.
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the
entry applies to that VLAN and not to the default VLAN.
NOTE: If you want to include a trunk group when you configure a static MAC entry that has multiple ports,
include only the primary port of the trunk group. If you include all the trunk group's ports, the ServerIron uses all
the ports to forward traffic for the MAC address instead of using only the active trunk port.
EXAMPLE:
ServerIron(config)# static-mac-address 1145.5563.67FF e12 7 router-type
The syntax for adding static MAC entries differs depending on whether you are using a stackable or chassis
ServerIron.
Syntax for chassis devices:
system-max
Allows you to modify the default settings for parameters that use system memory. The configurable parameters
and their defaults and maximums differ depending on the device. To display the configurable parameters, their
defaults, and the maximum configurable values for each, enter the following command at any level of the CLI:
show default values. See show default on page 21-3.
EXAMPLE:
To increase the number of real servers available on the ServerIron:
ServerIron(config)# system-max l4-real 2048
tacacs-server
Identifies a TACACS or TACACS+ server and sets other TACACS/TACACS+ parameters for authenticating access
to the Foundry device.
EXAMPLE:
ServerIron(config)# tacacs-server host 209.157.22.99
Syntax: tacacs-server [key <key-string>] [timeout <number>] [retransmit <number>] [dead-time <number>]
The key parameter specifies the value that the Foundry device sends to the server when trying to authenticate
user access. The TACACS/TACACS+ server uses the key to determine whether the Foundry device has authority
to request authentication from the server. The key can be from 1 to 16 characters in length.
The timeout parameter specifies how many seconds the Foundry device waits for a response from the TACACS/
TACACS+ server before either retrying the authentication request or determining that the TACACS/TACACS+
server is unavailable and moving on to the next authentication method in the authentication-method list. The
timeout can be from 1 to 15 seconds. The default is 3 seconds.
The retransmit parameter specifies how many times the Foundry device will re-send an authentication request
when the TACACS/TACACS+ server does not respond. The retransmit value can be from 1 to 5 times. The default
is 3 times.
The dead-time parameter is not used in this software release. When the software allows multiple authentication
servers, this parameter will specify how long the Foundry device waits for the primary authentication server to
reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can
be from 1 to 5 seconds. The default is 3.
Possible values: see above
Default value: see above
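The following Python model is added here as an illustration of the timeout and retransmit parameters; it is not code from the Foundry documentation. It validates the ranges stated above and plays one authentication request against a server that answers quickly, answers too slowly, or never answers, returning how long a login waits before the device moves on to the next method in the authentication-method list. The server address is the one from the example; the key string, the single-server setup and the rule that the device sends the request once and then re-sends it retransmit times are the example's own assumptions.

```python
"""Model of the tacacs-server timeout / retransmit behaviour described above.

Added example, not Foundry code. Assumes a single TACACS/TACACS+ server, that
the device sends the request once and then re-sends it `retransmit` times,
waits `timeout` seconds for each, and falls through to the next method in the
authentication-method list when every attempt goes unanswered.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TacacsServer:
    host: str
    key: str               # shared secret, 1 to 16 characters per the manual
    timeout: int = 3       # seconds, 1 to 15
    retransmit: int = 3    # re-sends, 1 to 5

    def __post_init__(self) -> None:
        if not 1 <= len(self.key) <= 16:
            raise ValueError("key must be 1 to 16 characters")
        if not 1 <= self.timeout <= 15:
            raise ValueError("timeout must be 1 to 15 seconds")
        if not 1 <= self.retransmit <= 5:
            raise ValueError("retransmit must be 1 to 5")

    def worst_case_delay(self) -> int:
        """Seconds a login waits before the next authentication method is
        tried when the server never answers: one send plus the re-sends."""
        return self.timeout * (1 + self.retransmit)


def authenticate(server: TacacsServer, reply_after: Optional[float]) -> Tuple[str, float]:
    """Simulate one authentication request.

    reply_after: seconds the server takes to answer each request, or None if
    it never answers. Returns (outcome, seconds elapsed on the device)."""
    elapsed = 0.0
    for _ in range(1 + server.retransmit):
        if reply_after is not None and reply_after <= server.timeout:
            return "answered", elapsed + reply_after
        elapsed += server.timeout          # this attempt timed out
    return "next-method", elapsed
```

With the defaults (timeout 3, retransmit 3) an unreachable server holds every login for 12 seconds before the next method is tried, and a server that consistently answers after 5 seconds is indistinguishable from one that is down. Both are worth knowing when choosing the values: a short timeout with few retransmits keeps the fallback fast, but a server on a slow or lossy path will then be skipped even though it is alive.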
tag-type
This parameter defines the value sent in a packet to mark it as a tagged VLAN packet. The 802.1Q
standard recognizes the value 8100 for this purpose. Other values can be assigned to this parameter but are
not recommended.
EXAMPLE:
ServerIron(config)# tag-type 8100
telnet access-group
Applies an ACL to control Telnet access to the device.
EXAMPLE:
The following commands configure ACL 10, then apply the ACL as the access list for Telnet access. The device
will allow Telnet access to all IP addresses except those listed in ACL 10.
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
telnet client
Restricts Telnet management access to the Foundry device to the host whose IP address you specify. No other
device except the one with the specified IP address can access the Foundry device's CLI through Telnet.
If you want to restrict access from SNMP or the Web, use one or two of the following commands:
snmp-client: restricts SNMP access (including IronView). See snmp-client on page 6-88.
web client: restricts Web access. See web client on page 6-100.
If you want to restrict all management access, you can use the commands above and the telnet client command
or you can use the following command: all-client. See all-client on page 6-7.
EXAMPLE:
To restrict Telnet access (which includes IronView) to the Foundry device to the host with IP address
209.157.22.26, enter the following command:
ServerIron(config)# telnet client 209.157.22.26
telnet login-timeout
Changes the login timeout period for Telnet sessions.
EXAMPLE:
To change the login timeout period for Telnet sessions to 5 minutes:
ServerIron(config)# telnet login-timeout 5
telnet server
This command enables or disables Telnet access to a ServerIron. By default, Telnet access is allowed on a
system.
EXAMPLE:
To disable Telnet access to a switch, enter the following:
ServerIron(config)# no telnet server
telnet timeout
This parameter defines how long a Telnet session can remain idle before it is timed out. By default, Telnet
sessions do not time out.
EXAMPLE:
ServerIron(config)# telnet timeout 120
The trunk type must be "switch" on the ServerIron 400 and ServerIron 800, and "server" on all other models.
Trunk group port assignment should always start with the lead port, i.e. 1, 5, 9, 13 or 17. (1, 3 or 5 for a
TurboIron).
Ports cannot be assigned across multiple trunk group boundaries; for example, ports 4 and 5 cannot be in the
same trunk group.
All of the trunk group member properties must match the lead port of the trunk group with respect to the
following parameters:
QoS priority
unknown-unicast limit
Specifies the maximum number of unknown-unicast packets the device can forward each second. By default the
device sends unknown unicasts and all other traffic at wire speed and is limited only by the capacities of the
hardware. However, if other devices in the network cannot handle unlimited unknown-unicast traffic, this
command allows you to relieve those devices by throttling the unknown unicasts at the Foundry device.
NOTE: The unknown-unicast limit does not affect broadcast or multicast traffic. However, you can use the
broadcast limit and multicast limit commands to control these types of traffic. See broadcast limit on page 6-12 and multicast limit on page 6-53.
EXAMPLE:
ServerIron(config)# unknown-unicast limit 30000
url-map
This command is used in conjunction with the URL switching feature on the ServerIron. This command assigns a
name to a URL switching policy and enters the URL switching policy CONFIG level.
EXAMPLE:
To create a URL switching policy named p1:
ServerIron(config)# url-map p1
username
This command configures a local user account. For each user account, you specify the user name. You also can
specify the following parameters:
A password
Port-configuration access
Read-only access
EXAMPLE:
To configure a user account, enter a command such as the following at the global CONFIG level of the CLI.
ServerIron(config)# username wonka password willy
This command adds a user account for a super-user with the user name "wonka" and the password "willy", with
privilege level super-user. This user has full access to all configuration and display features.
NOTE: If you configure user accounts, you must add a user account for super-user access before you can add
accounts for other access levels. You will need the super-user account to make further administrative changes.
ServerIron(config)# username waldo privilege 5 password whereis
This command adds a user account for user name "waldo", password "whereis", with privilege level read-only.
Waldo can look for information but cannot make configuration changes.
The privilege parameter specifies the user's privilege level:
0 Super-user access
4 Port-configuration access
5 Read-only access
The default privilege level is 0. If you want to assign full access to the user account, you can enter the command
without "privilege 0", as shown in the command example above.
The password | nopassword parameter indicates whether the user must enter a password. If you specify
password, enter the string for the user's password.
NOTE: You must be logged on with super-user access (privilege level 0, or with a valid Enable password for
super-user access) to add user accounts or configure other access parameters.
vlan
Creates or changes the CLI focus to a port-based VLAN.
EXAMPLE:
ServerIron(config)# vlan 200 by port
ServerIron(config)# vlan 200 name WebMgr
vlan-dynamic-discovery
Disables or re-enables dynamic discovery of protocol VLANs on switch-to-switch links. This feature enables
switch-to-switch links to be automatically included in protocol VLANs that have dynamic port membership.
EXAMPLE:
To disable the feature, enter the following command:
ServerIron(config)# no vlan-dynamic-discovery
vlan max-vlans
Allows you to assign a set number of VLANs to be supported on a ServerIron. This allows you to set a smaller
value than the default to preserve memory on the system.
EXAMPLE:
ServerIron(config)# vlan max-vlans 200
web access-group
Applies an ACL to control Web access to the device.
EXAMPLE:
The following commands configure ACL 10, then apply the ACL as the access list for Web access. The device will
allow Web access to all IP addresses except those listed in ACL 10.
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
ServerIron(config)#
web client
Restricts Web management access to the Foundry device to the host whose IP address you specify. No other
device except the one with the specified IP address can access the Foundry device's Web management interface.
If you want to restrict access from SNMP or Telnet, use one or two of the following commands:
snmp-client: restricts SNMP access (including IronView). See snmp-client on page 6-88.
telnet client: restricts Telnet access to the CLI. See telnet client on page 6-95.
If you want to restrict all management access, you can use the commands above and the web client command or
you can use the following command: all-client. See all-client on page 6-7.
EXAMPLE:
To restrict Web access to the Foundry device to the host with IP address 209.157.22.26, enter the following
command:
ServerIron(config)# web client 209.157.22.26
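The following Python model is added here as an illustration of the management-access commands in this chapter (snmp-client, telnet client, web client, all-client, telnet access-group, web access-group, and the no forms of telnet server and web-management); it is not code from the Foundry documentation. It evaluates whether a source address may reach each management service under the configured restrictions and returns the reason, which is the check an operator wants before locking a device to a single management host. The ACL semantics (ordered entries, first match wins, unmatched addresses denied) are assumed, and ACL_10 is a constructed stand-in because the manual's own ACL 10 lines are missing from this page; the 209.157.22.26 host address is the one used in the examples above.

```python
"""Model of the management-plane access controls in this chapter: snmp-client,
telnet client, web client and all-client (limit a service to one host),
telnet access-group and web access-group (filter by ACL), and no telnet server
/ no web-management (turn the service off).

Added example, not Foundry code. ACL semantics are assumed: entries are
checked in order, the first match decides, and anything unmatched is denied.
ACL_10 below is a constructed stand-in, since the manual's own ACL 10 lines
are missing from this page.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SERVICES = ("telnet", "web", "snmp")


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    prefix: str          # CIDR; "0.0.0.0/0" stands for "any"

    def matches(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.prefix)


# Constructed: deny two client ranges, then permit everyone else.
ACL_10 = [
    AclEntry("deny", "192.0.2.0/24"),
    AclEntry("deny", "198.51.100.7/32"),
    AclEntry("permit", "0.0.0.0/0"),
]


@dataclass
class ManagementPolicy:
    enabled: Dict[str, bool] = field(default_factory=lambda: {s: True for s in SERVICES})
    client: Dict[str, Optional[str]] = field(default_factory=lambda: {s: None for s in SERVICES})
    access_group: Dict[str, Optional[List[AclEntry]]] = field(
        default_factory=lambda: {s: None for s in SERVICES})

    def restrict_client(self, service: str, host: str) -> None:
        """snmp-client / telnet client / web client <host>."""
        self.client[service] = host

    def all_client(self, host: str) -> None:
        """all-client <host>: the same restriction on every service at once."""
        for s in SERVICES:
            self.client[s] = host

    def apply_access_group(self, service: str, acl: List[AclEntry]) -> None:
        """telnet access-group / web access-group <acl>."""
        if service not in ("telnet", "web"):
            raise ValueError("access-group is documented for telnet and web only")
        self.access_group[service] = acl

    def set_enabled(self, service: str, on: bool) -> None:
        """[no] telnet server, [no] web-management."""
        self.enabled[service] = on

    def allows(self, service: str, src_ip: str) -> Tuple[bool, str]:
        """Decide whether src_ip may reach the given management service."""
        if not self.enabled[service]:
            return False, f"{service} management is disabled"
        host = self.client[service]
        if host is not None and src_ip != host:
            return False, f"{service} access is restricted to {host}"
        acl = self.access_group[service]
        if acl is not None:
            for entry in acl:
                if entry.matches(src_ip):
                    return entry.action == "permit", f"{entry.action} by ACL entry {entry.prefix}"
            return False, "no ACL entry matched (implicit deny)"
        return True, "no restriction configured"
```

The model makes one thing explicit that the command descriptions leave implicit: the client restriction and the access-group are independent layers, so a host that passes the ACL is still refused when a different host has been named with telnet client, web client or all-client. Check the policy from the intended management station before saving, since a wrong host address in all-client removes every remote path to the device at once.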
web-management
This command enables or disables the Web management interface on a ServerIron. By default this feature is
enabled on a system.
EXAMPLE:
ServerIron(config)# no web-management
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
ServerIron(config)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config)# write terminal
wsm boot
Changes the default boot source for the Web Switching Management Module.
By default, the Web Switching Management Module's processors boot from the primary flash areas on the
module. Each processor boots from its own primary flash. The MP boots first, then the WSM CPUs boot.
You can change the default boot source to one of the following:
Secondary flash
Interactive
The interactive option pauses during bootup of the WSM CPUs to allow you to select the boot source for the WSM
CPUs. You must use this method if you want to boot the WSM CPUs from a TFTP server. Otherwise, this method
is used for troubleshooting.
EXAMPLE:
To change the default boot source, enter commands such as the following at the global CONFIG level of the CLI:
ServerIron(config)# wsm boot secondary
ServerIron(config)# write memory
This command configures the module to boot from the secondary flash by default.
NOTE: The write memory command saves the change to the startup-config file. You must save the
configuration change for the change to remain in effect after you reboot.
wsm wsm-map
Remaps processing for a forwarding module to a specific WSM CPU.
NOTE: Foundry recommends that you change slot allocations only if Foundry technical support advises the
change or the documentation for a feature states that the change is required.
EXAMPLE:
ServerIron(config)# wsm wsm-map slot 3 wsm-slot 2 wsm-cpu 1
This command remaps processing for the forwarding module in slot 3 to WSM CPU 1 on the Web Switching
Management Module in slot 2.
Chapter 7
Redundant Management Module
CONFIG Commands
active-management
In chassis containing redundant management modules, changes the default assignment of the active
management module. By default, the redundant management module in the lower slot number becomes the
active redundant management module. You must use this command to override the default and make the
redundant management module in the higher slot number the default active module.
NOTE: This command applies only to devices containing redundant management modules.
NOTE: The change does not take effect until you reload the system. If you save the change to the active
module's system-config file before reloading, the change persists across system reloads. Otherwise, the change
affects only the next system reload.
EXAMPLE:
To override the default and specify the active redundant management module, enter the following commands:
BigServerIron(config)# redundancy
BigServerIron(config-redundancy)# active-management 5
This command overrides the default and makes the redundant management module in slot 5 the active module
following the next reload. The change affects only the next reload and does not remain in effect for future reloads.
To make the change permanent across future reloads, enter the write memory command to save the change to
the startup-config file, as shown in the following example:
BigServerIron(config)# redundancy
BigServerIron(config-redundancy)# active-management 5
BigServerIron(config-redundancy)# write memory
NOTE: If you do not save the change to the startup-config file, the change affects only the next reload.
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
BigServerIron(config-redundancy)# end
BigServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the privileged level.
EXAMPLE:
To move from the global level, back to the privileged level, enter the following:
BigServerIron(config-redundancy)# exit
BigServerIron#
Syntax: exit
Possible values: N/A
Default value: N/A
no
Disables other commands. To disable a command, place the word no before the command.
quit
Returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
BigServerIron(config-redundancy)# quit
BigServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
show
Displays a variety of configuration and statistical information about the switch or router. See Show Commands
on page 21-1.
sync-standby
Automates synchronization of software between active and standby redundant management modules.
EXAMPLE:
To change the automatic synchronization setting, use one of the following commands:
To disable automatic synchronization of the boot code, flash code, or startup-config file, enter no in front of the
command.
The <num> parameter with the sync-standby running-config command specifies the synchronization interval.
You can specify from 4 to 20 seconds. The default is 10 seconds. To disable automatic synchronization of the
running-config, set the synchronization interval (the <num> parameter) to 0.
Possible values: See above
Default value: Automatic synchronization of the flash code, running-config, and system-config file is enabled by
default. Automatic synchronization of the boot code is disabled by default. The default synchronization interval for
the running-config is 10 seconds.
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
BigServerIron(config-redundancy)# write memory
write terminal
Displays the running configuration of the Foundry switch or router on the terminal screen.
NOTE: This command is equivalent to the show running-config command.
EXAMPLE:
BigServerIron(config-redundancy)# write terminal
Chapter 8
Interface Commands
auto-gig
Enables auto-negotiating on a gigabit interface in accordance with the flow control specification 802.3x. Both
sides of the circuit need to be configured with this feature.
EXAMPLE:
ServerIron(config)# int e 1
ServerIron(config-if-1)# auto-gig
broadcast limit
Specifies the maximum number of broadcast packets the device can forward each second. By default the device
sends broadcasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However,
if other devices in the network cannot handle unlimited broadcast traffic, this command allows you to relieve those
devices by throttling the broadcasts at the Foundry device.
NOTE: The broadcast limit does not affect multicast or unicast traffic. However, you can use the multicast limit
and unknown-unicast limit commands to control these types of traffic. See multicast limit on page 8-11 and
unknown-unicast limit on page 8-14.
EXAMPLE:
ServerIron(config)# int e 6
ServerIron(config-if-6)# broadcast limit 30000
cache-group
Applies the port to a TCS cache group. The port's membership in a cache group allows client traffic received on
the port to be redirected to the cache servers in the cache group.
EXAMPLE:
ServerIron(config)# int e 6
ServerIron(config-if-6)# cache-group 1
Syntax: cache-group 1
Possible values: 1
Default value: 1
clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in
Privileged EXEC Commands on page 5-1.
dhcp-gateway-list
This parameter assigns a defined DHCP gateway list to a specific interface on a Foundry switch. DHCP gateway
lists must be defined at the Global Level and the DHCP Assist feature enabled to support assignment of this
feature on switches.
NOTE: This feature is not supported on Foundry routers.
NOTE: For more details on this command and the DHCP Assist feature, see the Foundry Switch and Router
Installation and Basic Configuration Guide.
EXAMPLE:
To assign a defined DHCP gateway list (1) to interface 2/5, enter the following:
ServerIron(config)# int e 2
ServerIron(config-if-2)# dhcp-gateway-list 1
disable
Disables a specific port.
EXAMPLE:
ServerIron(config)# interface e 1
ServerIron(config-if-1)# disable
Syntax: disable
Possible values: N/A
Default value: N/A
enable
Enables a specific port. All ports are enabled at initial startup. This command is only necessary if a port has been
disabled, as all ports are by default enabled at system startup.
EXAMPLE:
ServerIron(config)# interface e 1
ServerIron(config-if-1)# enable
Syntax: enable
Possible values: N/A
Default value: All ports are enabled at system startup.
end
Moves activity to the privileged level from any level of the CLI with the exception of the User level.
EXAMPLE:
To move to the privileged level, enter the following:
ServerIron(config-if-5)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level of the CLI. This command is available at all levels.
EXAMPLE:
To move from the interface level, back to the global level, enter the following:
ServerIron(config-if-4)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
flow-control
Allows you to turn flow control (802.3x) for full-duplex ports on or off (no). Flow control is configured on, by default.
EXAMPLE:
To turn the feature off, enter the following:
ServerIron(config)# int e5
ServerIron(config-if-5)# no flow-control
To turn the feature on after being turned off, enter the following:
ServerIron(config-if-5)# flow-control
fw-group
Assigns a port to a firewall group.
EXAMPLE:
To assign port 5 to firewall group 2:
ServerIron(config)# int e 5
ServerIron(config-if-5)# fw-group 2
Syntax: fw-group 2
Possible values: 2
Default value: All ports are assigned to firewall group 2 by default.
gig-default
Overrides the global default setting for Gigabit negotiation mode. You can configure the Gigabit negotiation mode
for a port to be one of the following:
Default: The port uses the negotiation mode that was set at the global level.
Negotiate-full-auto: The port first tries to perform a handshake with the other port to exchange capability
information. If the other port does not respond to the handshake attempt, the port uses the manually
configured configuration information (or the defaults if an administrator has not set the information). This is
the default for Chassis devices (including the TurboIron/8).
Auto-Gigabit: The port tries to perform a handshake with the other port to exchange capability information.
This is still the default for Stackable devices.
Negotiation-off: The port does not try to perform a handshake. Instead, the port uses configuration
information manually configured by an administrator.
See the Configuring Basic features chapter of the Foundry Switch and Router Installation and Basic
Configuration Guide for more information.
NOTE: This command does not apply to Stackable devices. To change the negotiation mode for a Stackable
Gigabit Ethernet port, use the [no] auto-gig command at the Interface level. See auto-gig on page 8-1.
EXAMPLE:
To override the global setting and set the negotiation mode to auto-Gigabit for ports 4/1 to 4/4, enter the following
commands:
ServerIron(config)# int ethernet 4/1 to 4/4
ServerIron(config-mif-4/1-4/4)# gig-default auto-gig
ip access-group
Applies an ACL to an interface.
EXAMPLE:
To configure a standard ACL and apply it to outgoing traffic on port 1, enter the following commands.
ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 1 out
ServerIron(config)# write memory
The commands in this example configure an ACL to deny packets from three source IP addresses from being
forwarded on port 1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first
three ACL entries.
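As an added illustration (not Foundry's code), the following Python model evaluates the page's access-list 1 the way the text describes it: entries are checked in order, the first entry whose source covers the packet decides, and the trailing permit any catches everything else. The symbolic host IPHost1 is mapped to a constructed placeholder address, a bare address without the host keyword is treated as a single host, and the unlogged implicit deny at the end of the list is an assumption of this example rather than something the page states.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder: the page's third entry names the host symbolically
# as IPHost1; a real device resolves that name itself.
HOSTS = {"IPHost1": "10.0.0.5"}


@dataclass
class AclEntry:
    action: str                               # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network]   # None means "any"
    log: bool = False


def parse_acl_line(line: str) -> Tuple[int, AclEntry]:
    """Parse one 'access-list <id> permit|deny host <a>|<a>|any [log]' line.
    An address without the 'host' keyword is treated as a single host here
    (assumption for this example; the page shows no wildcard-mask form)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard ACL line: {line!r}")
    acl_id = int(tokens[1])
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    rest = tokens[3:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest == ["any"]:
        source = None
    else:
        name = rest[1] if rest[0] == "host" else rest[0]
        source = ipaddress.ip_network(HOSTS.get(name, name) + "/32")
    return acl_id, AclEntry(action, source, log)


def evaluate(entries: List[AclEntry], src_ip: str) -> Tuple[str, bool]:
    """First-match evaluation: the first entry whose source covers the
    packet decides. Returns (action, log). If nothing matches, the packet is
    denied without logging (assumed implicit deny; the page's ACL never
    reaches it because it ends with 'permit any')."""
    ip = ipaddress.ip_address(src_ip)
    for entry in entries:
        if entry.source is None or ip in entry.source:
            return entry.action, entry.log
    return "deny", False


# The four access-list lines from the page's example, verbatim.
ACL_1 = [
    parse_acl_line(line)[1]
    for line in (
        "access-list 1 deny host 209.157.22.26 log",
        "access-list 1 deny 209.157.29.12 log",
        "access-list 1 deny host IPHost1 log",
        "access-list 1 permit any",
    )
]


def filter_outbound(entries: List[AclEntry],
                    packets: List[Tuple[str, str]]) -> List[Tuple[str, str, bool]]:
    """Apply the ACL to constructed (src, dst) pairs leaving the port and
    return one (src, action, logged) decision per packet."""
    return [(src, *evaluate(entries, src)) for src, _dst in packets]


if __name__ == "__main__":
    # Constructed sample traffic: two denied sources and one ordinary host.
    sample = [("209.157.22.26", "10.1.1.1"),
              ("10.0.0.5", "10.1.1.1"),
              ("192.168.1.1", "10.1.1.1")]
    for src, action, logged in filter_outbound(ACL_1, sample):
        print(f"{src:16} {action:6} log={logged}")
```

Because evaluation stops at the first match, the order of the deny entries relative to the permit any is what makes the list work; reversing it would permit everything and silently never log.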
ip address
Configures an IP interface for use with IP forwarding. You must configure the IP interface on a virtual routing
interface. You cannot configure the interface on a physical port. See router-interface on page 9-6.
NOTE: This command applies only to Layer 3 IP interfaces for use with IP forwarding. To configure the
ServerIron's management IP address, see ip address on page 6-34.
EXAMPLE:
To add an IP interface, enter commands such as the following:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip address 10.10.10.1 255.255.255.0
The interface ve 1 command changes the CLI to the configuration level for virtual routing interface 1. The ip
address command adds an IP interface.
The address parameter adds a standard IP interface. This option is applicable in most cases.
The nat-address parameter applies to active-standby configurations. This parameter configures a shared IP
interface for use with SLB source NAT. Enter the same command with the same IP address on each of the
ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the ServerIron
that is currently active) at a time.
NOTE: SLB source NAT is different from standard Network Address Translation (NAT).
The standby-address parameter applies to active-standby configurations and allows both ServerIrons to
share the same router interface. One of the ServerIrons actively supports the interface while the other
ServerIron provides failover for the interface if the first ServerIron becomes unavailable. Real servers can
use the shared interface as their default gateway. Enter the same command with the same IP address on
each of the ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the
ServerIron that is currently active) at a time.
ip address 10.10.10.1/24
ip icmp burst
Causes the Foundry device to drop ICMP packets when excessive numbers are encountered, as is the case when
the device is the victim of a Smurf attack. This command allows you to set threshold values for ICMP packets
targeted at the router and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of ICMP packets received per second exceeds 5,000, the excess packets
are dropped. If the number of ICMP packets received per second exceeds 10,000, the device drops all ICMP
packets for the next 300 seconds (five minutes).
ServerIron(config-if-e100-1)# ip icmp burst-normal 5000 burst-max 10000 lockup 300
If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.
If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for the number of
seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and
measurement is restarted.
Possible values: The burst-normal and burst-max values can be between 1 and 100000 packets. The
burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 and 10000
seconds.
Default value: N/A
ip-multicast-disable
Disables Internet Group Membership Protocol (IGMP) queries from being sent or received on the port.
EXAMPLE:
To disable IGMP queries on an interface, enter commands such as the following:
ServerIron(config)# int e5
ServerIron(config-if-5)# ip-multicast-disable
To re-enable the IGMP queries on the interface, enter the following command:
ServerIron(config-if-5)# no ip-multicast-disable
ip-policy
Locally enables TCS or firewall load balancing on the interface. Use this command if you did not enable TCS or
firewall load balancing globally. See ip policy on page 6-39.
NOTE: You must use the ip policy command to configure the policy before using the ip-policy command.
See ip policy on page 6-39.
NOTE: This command does not configure permit and deny filters. To configure this type of filter, see ip filter
on page 6-35.
See the following for more information:
The "Configuring Transparent Cache Switching" chapter of the Foundry ServerIron Installation and
Configuration Guide
EXAMPLE:
To enable transparent cache switching of HTTP traffic for port 18 only, as opposed to globally on all of the ports,
enter the following commands:
ServerIron(config)# ip policy 2 cache tcp 80 local
ServerIron(config)# int e 18
ServerIron(config-if-18)# ip-policy 2
EXAMPLE:
To enable firewall load balancing on port 9, enter the following commands:
ServerIron(config)# ip policy 3 fw tcp 0 local
ServerIron(config)# ip policy 4 fw udp 0 local
ServerIron(config)# int e 9
ServerIron(config-if-9)# ip-policy 3
ServerIron(config-if-9)# ip-policy 4
Syntax: ip policy <index> cache | fw | high | normal tcp | udp <tcp/udp-portnum> global | local
Syntax: ip-policy <index>
NOTE: When enabling firewall load balancing, you must specify "0" for the <tcp/udp-portnum> parameter of the
ip policy command. This value allows all ports of the specified type (TCP or UDP).
Possible values: See above
Default value: N/A
ip rip
Enables the Routing Information Protocol (RIP) version on a virtual routing interface.
NOTE: This command applies only to IP forwarding (Layer 3 IP).
EXAMPLE:
ServerIron(config-rip-router)# interface ve 1
ServerIron(config-vif-1)# ip rip v1-only
This command changes the CLI to the configuration level for virtual routing interface 1 and enables RIP version 1
on the interface. You must specify the version.
ip rip learn-default
Enables the ServerIron to learn RIP default routes.
NOTE: This command applies only to IP forwarding (Layer 3 IP).
EXAMPLE:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip rip learn-default
ip rip poison-reverse
Changes the method of loop prevention that RIP uses.
NOTE: This command applies only to IP forwarding (Layer 3 IP).
RIP can use one of the following loop-prevention methods:
Split horizon: The ServerIron does not advertise a route on the same interface as the one on which the
ServerIron learned the route.
Poison reverse: The ServerIron assigns a cost of 16 (infinite or unreachable) to a route before advertising
it on the same interface as the one on which the ServerIron learned the route. This is the default.
NOTE: These methods are in addition to RIP's maximum valid route cost of 15.
EXAMPLE:
To enable split horizon, enter commands such as the following:
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# no ip rip poison-reverse
ip tcp burst
Causes the Foundry device to drop TCP SYN packets when excessive numbers are encountered, as is the case
when the device is the victim of a TCP SYN attack. This command allows you to set threshold values for TCP
SYN packets targeted at the router and drop them when the thresholds are exceeded.
EXAMPLE:
In the following example, if the number of TCP SYN packets received per second exceeds 10, the excess packets
are dropped. If the number of TCP SYN packets received per second exceeds 100, the device drops all TCP SYN
packets for the next 300 seconds (five minutes).
ServerIron(config)# int e 1
ServerIron(config-if-e100-1)# ip tcp burst-normal 10 burst-max 100 lockup 300
If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are
dropped.
If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the
number of seconds specified by the lockup value. When the lockup period expires, the packet counter is
reset and measurement is restarted.
Possible values: The burst-normal and burst-max values can be between 1 and 100000 packets. The
burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 and 10000
seconds.
Default value: N/A
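The burst-normal, burst-max and lockup semantics are the same for ip icmp burst and ip tcp burst, so one added model serves both entries. The Python below is an illustration written for this page, not Foundry's implementation: it counts packets per wall-clock second, drops the excess above burst-normal, and on crossing burst-max drops everything until the lockup expires, then resets the counter and restarts measurement as the text describes. Two details the page leaves open are assumptions here: the lockup is taken to start at the packet that crosses burst-max, and the per-second counter restarts from zero after the lockup ends. The traffic in run_scenario() is constructed.

```python
from typing import Dict, Optional, Tuple


class BurstGuard:
    """Models the burst-normal / burst-max / lockup thresholds described for
    ip icmp burst and ip tcp burst (added illustration, not Foundry's code)."""

    def __init__(self, burst_normal: int, burst_max: int, lockup: int) -> None:
        # Ranges taken from the page's "Possible values" lines.
        if not 1 <= burst_normal < burst_max <= 100000:
            raise ValueError("need 1 <= burst-normal < burst-max <= 100000")
        if not 1 <= lockup <= 10000:
            raise ValueError("lockup must be 1..10000 seconds")
        self.burst_normal = burst_normal
        self.burst_max = burst_max
        self.lockup = lockup
        self.count = 0                          # packets seen this second
        self.current_second: Optional[int] = None
        self.locked_until: Optional[float] = None

    def observe(self, t: float) -> bool:
        """Account for one packet arriving at time t (seconds).
        Returns True if the packet is forwarded, False if it is dropped."""
        if self.locked_until is not None:
            if t < self.locked_until:
                return False                    # lockup in force: drop all
            # Lockup expired: reset the counter and restart measurement.
            self.locked_until = None
            self.count = 0
            self.current_second = None
        second = int(t)
        if second != self.current_second:       # new one-second interval
            self.current_second = second
            self.count = 0
        self.count += 1
        if self.count > self.burst_max:
            # Assumption: the lockup window starts at the crossing packet.
            self.locked_until = t + self.lockup
            return False
        if self.count > self.burst_normal:
            return False                        # excess over the normal rate
        return True


def run_scenario() -> Dict[int, Tuple[int, int]]:
    """Drive the guard with constructed SYN counts per second using the
    page's values (burst-normal 10, burst-max 100, lockup 300) and return
    {second: (forwarded, dropped)}."""
    guard = BurstGuard(burst_normal=10, burst_max=100, lockup=300)
    traffic = {0: 15, 1: 120, 2: 5, 302: 5}     # constructed packets/second
    result: Dict[int, Tuple[int, int]] = {}
    for second, n in traffic.items():
        forwarded = dropped = 0
        for i in range(n):                      # spread arrivals over the second
            if guard.observe(second + i / n):
                forwarded += 1
            else:
                dropped += 1
        result[second] = (forwarded, dropped)
    return result


if __name__ == "__main__":
    for second, (fwd, drp) in run_scenario().items():
        print(f"second {second:4}: forwarded={fwd:4} dropped={drp:4}")
```

In the scenario, second 0 stays under burst-max, so only the five packets above burst-normal are lost; second 1 crosses burst-max, which costs the legitimate traffic of the next 300 seconds as well. That trade-off is why the page's two thresholds are set so far apart: burst-normal shapes the rate, burst-max is the emergency stop.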
ip tcp syn-proxy
Enables the SYN-Guard feature on individual ports on the ServerIron 400 or ServerIron 800. This feature can be
applied to inbound SYN requests (for Web site traffic) and/or outbound SYN requests (for ISP and institution
outgoing traffic).
EXAMPLE:
To use the SYN-Guard feature for inbound SYN requests on interface 3/1:
ServerIron(config)# interface e 3/1
ServerIron(config-if-3/1)# ip tcp syn-proxy in
ipg10
This command allows you to modify the inter-packet gap (delay) between packets on a 10Mbps Ethernet segment.
By default, the delay between packets will be 12 bytes or 9.6 microseconds.
Use this command only to adjust the inter-packet gap to match older adapters that do not meet the default IPG
requirements for Ethernet.
In determining the value to enter in the CLI command, note that one byte equals 0.8 microseconds for packets on a
10Mbps segment, so the following equation can be used:
IPG10 = 9.6 microseconds + (value * 0.8), where value is the number of bytes by which you want to increase the
inter-packet gap.
EXAMPLE:
To increase the delay between packets by 3.2 microseconds, enter the port to be modified and then enter the
value of 4 (4 * 0.8 = 3.2 microseconds).
ServerIron(config)# int e 4
ServerIron(config-if-4)# ipg10 4
ipg100
This command allows you to modify the inter-packet gap (delay) between packets on a 100Mbps Ethernet
segment on a port-by-port basis. By default, the delay between packets will be 12 bytes or 0.96 microseconds.
Use this command only to adjust the inter-packet gap to match that of older adapters that do not meet the default
IPG requirements for Fast Ethernet.
In determining the value to enter in the CLI command, note that one byte equals 0.08 microseconds for packets on a
100Mbps segment, so the following equation can be used:
IPG100 = 0.96 microseconds + (value * 0.08), where value is the number of bytes by which you want to increase the
inter-packet gap.
EXAMPLE:
To increase the delay between packets by 3.2 microseconds, enter the port to be modified and then enter the
value of 40 (40 * 0.08 = 3.2 microseconds).
ServerIron(config)# int e 3
ServerIron(config-if-3)# ipg100 40
ipg1000
This command allows you to modify the inter-packet gap (delay) between packets on a 1000Mbps Gigabit
Ethernet segment on a port-by-port basis. By default, the delay between packets will be 12 bytes or 0.096
microseconds.
Use this command only to adjust the inter-packet gap to match that of older adapters that do not meet the default
IPG requirements for Gigabit Ethernet.
In determining the value to enter in the CLI command, note that one byte equals 0.008 microseconds for packets on
a 1000Mbps segment, so the following equation can be used:
IPG1000 = 0.096 microseconds + (value * 0.008), where value is the number of bytes by which you want to increase
the inter-packet gap.
EXAMPLE:
To increase the delay between packets by 0.32 microseconds, first enter the port to be modified and then enter the
value of 40 (40 * 0.008 = 0.32 microseconds).
ServerIron(config)# int e 3
ServerIron(config-if-3)# ipg1000 40
mac filter-group
Applies a group of MAC filters to an interface. You can configure one filter group on each interface.
NOTE: You must define the filters at the global CONFIG level using the mac filter command (see mac filter on
page 6-50) before you can apply them in a filter group.
NOTE: The filters must be applied as a group. For example, if you want to apply four filters to an interface, they
must all appear on the same command line.
NOTE: You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply
the filter group again containing all the filters you want to apply to the port.
NOTE: If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced
by the new filter group.
EXAMPLE:
To apply MAC filters 1, 2, 3, and 1024 to interface 6, enter the following command:
ServerIron(config)# int e 6
ServerIron(config-if-6)# mac filter-group 1 2 3 1024
monitor
This allows you to select a port to be diagnosed by a designated mirror port. You can configure incoming,
outgoing or both incoming and outgoing traffic to be monitored on the port.
EXAMPLE:
To monitor both incoming and outgoing traffic on interface 5:
ServerIron(config)# interface e5
ServerIron(config-if-5)# monitor both
multicast limit
Specifies the maximum number of multicast packets the device can forward each second. By default the device
sends multicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However,
if other devices in the network cannot handle unlimited multicast traffic, this command allows you to relieve those
devices by throttling the multicasts at the Foundry device.
NOTE: The multicast limit does not affect broadcast or unicast traffic. However, you can use the broadcast limit
and unknown-unicast limit commands to control these types of traffic. See broadcast limit on page 8-1 and
unknown-unicast limit on page 8-14.
EXAMPLE:
ServerIron(config)# interface e5
ServerIron(config-if-5)# multicast limit 30000
neg-off
Overrides the default negotiation mode for a Gigabit port on Chassis devices. When you invoke this command,
the port does not try to perform a handshake. Instead, the port uses configuration information manually
configured by an administrator.
EXAMPLE:
To change the negotiation mode for the port to negotiation-off:
ServerIron(config)# int e3
ServerIron(config-if-3)# neg-off
Syntax: neg-off
no
This command disables other commands. To disable a command, place the word no before the command.
phy-mode
If a port on a ServerIron is to be attached to a Bay Networks 28000 switch, enter this command at the Interface
Level as shown below.
This command helps the ServerIron to adjust to interoperability requirements of the 28000.
EXAMPLE:
ServerIron(config)# int e3
ServerIron(config-if-3)# phy-mode 28k
port-name
Assignment of a name to an interface provides additional identification for a segment on the network.
EXAMPLE:
ServerIron(config)# interface e 1
ServerIron(config-if-1)# port-name marketing-funk
pvst-mode
Statically enables support for Cisco Systems Per VLAN Spanning Tree (PVST).
PVST/PVST+ support is automatically enabled on a port if the port receives a BPDU in PVST/PVST+ format.
However, you can statically enable PVST/PVST+ support on a port if desired. In this case, the support is enabled
immediately and support for Foundry tagged BPDUs is disabled at the same time.
NOTE: When PVST/PVST+ support is enabled on a port, support for Foundry BPDUs is disabled.
For more information, see the "Configuring Spanning Tree Protocol (STP) and IronSpan" chapter in the Foundry
Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
To enable PVST/PVST+ support on a port, enter commands such as the following:
ServerIron(config)# interface ethernet 1/1
ServerIron(config-if-1/1)# pvst-mode
qos-priority
Sets the Quality-of-Service (QoS) priority level for a port, VLAN, static MAC address, or Layer 4 session. You can
select the normal queue or the high-priority queue. All traffic is in the normal queue by default. When you allocate
a port, VLAN, static MAC address, or Layer 4 session to the high-priority queue, all traffic queued up for that item
is processed before any traffic in the normal queue for the same item is processed.
QoS applies to outbound traffic only.
EXAMPLE:
To allocate port 6 traffic to the high-priority queue, enter the following command:
ServerIron(config)# interface e 6
ServerIron(config-if-6)# qos-priority high
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-if-6)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
spanning-tree
Spanning tree can be disabled or enabled on an interface basis.
EXAMPLE:
To disable spanning tree on physical port 4 of a system with no VLANs operating, enter the following:
ServerIron(config)# interface ethernet 4
ServerIron(config-if-4)# no spanning-tree
EXAMPLE:
To disable spanning tree on physical port 4 of a system within VLAN 2, enter the following:
ServerIron(config)# vlan 2
ServerIron(config-vlan-2)# no spanning-tree
Syntax: spanning-tree
Possible values: N/A
Default value: Disabled
speed-duplex
Modifies port speed and duplex. It defines the speed and duplex mode for 10BaseT and 100BaseTx ports.
Gigabit (1000BaseSx and 1000BaseLx) and 100BaseFx ports operate at a fixed speed and mode (full-duplex)
and cannot be modified.
EXAMPLE:
ServerIron(config)# interface e8
ServerIron(config-if-8)# speed-duplex 10-full
unknown-unicast limit
Specifies the maximum number of unknown-unicast packets the device can forward each second. By default the
device sends unknown unicasts and all other traffic at wire speed and is limited only by the capacities of the
hardware. However, if other devices in the network cannot handle unlimited unknown-unicast traffic, this
command allows you to relieve those devices by throttling the unknown unicasts at the Foundry device.
NOTE: The unknown-unicast limit does not affect broadcast or multicast traffic. However, you can use the
broadcast limit and multicast limit commands to control these types of traffic. See broadcast limit on page 8-1
and multicast limit on page 8-11.
EXAMPLE:
ServerIron(config)# interface e8
ServerIron(config-if-8)# unknown-unicast limit 30000
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-if-8)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-if-8)# write terminal
Chapter 9
VLAN Commands
always-active
Configures a link between active and standby ServerIrons in some FWLB configurations to forward Layer 2 traffic
without causing loops. See the Foundry ServerIron Firewall Load Balancing Guide.
atalk-proto
This command creates an AppleTalk protocol VLAN within a ServerIron port-based VLAN when entered at the
VLAN Level. All ports are assumed by default to be members of the VLAN when initially created. Protocol VLAN
membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create an AppleTalk Protocol VLAN with permanent port membership of 9 and 13 and no dynamic ports within
an already defined port-based VLAN 2, enter the following commands.
ServerIron(config)# vlan 2
ServerIron(config-vlan-2)# atalk-proto
ServerIron(config-vlan-atalk-proto)# static e 9 e 13
ServerIron(config-vlan-atalk-proto)# no dynamic
NOTE: If configuring this on a switch, enter vlan 2 by port at the CONFIG Level versus vlan 2, as shown in the
example above.
decnet-proto
This command creates a Decnet protocol VLAN within a ServerIron port-based VLAN, when entered at the VLAN
Level. All ports are assumed by default to be members of the VLAN when initially created. Protocol VLAN
membership can be modified using the dynamic, static, or exclude commands.
EXAMPLE:
To create a Decnet protocol VLAN with permanent port membership of 15 and 16 with port 17 as dynamic
member port, within VLAN 5, enter the following commands.
ServerIron(config)# vlan 5
ServerIron(config-vlan-5)# decnet-proto
ServerIron(config-vlan-decnet-proto)# exclude e 1 to 14 e18
NOTE: If configuring this on a switch, enter vlan 5 by port at the CONFIG Level versus vlan 5, as shown in the
example above.
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-vlan-decnet-proto)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the port-based VLAN level
if configuring a protocol VLAN. If configuring a port-based VLAN, activity would be moved to the global level.
EXAMPLE:
ServerIron(config-vlan-decnet-proto)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
ip-proto
This command creates an IP protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN
Level.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
NOTE: If configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are
not dynamically allocated to IP protocol VLANs.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IP protocol VLAN within VLAN 7, enter the following:
ServerIron(config)# vlan 7
ServerIron(config-vlan-7)# ip-proto
ServerIron(config-vlan-ip-proto)# static e 1 to 2 e 6 e 8
NOTE: If configuring this on a switch, enter vlan 7 by port at the CONFIG Level versus vlan 7, as shown in the
example above.
NOTE: An IP protocol and IP sub-net VLAN cannot both be configured to operate on a ServerIron at the same
time. This restriction is also true for IPX and IPX network VLANs.
ip-subnet
This command creates an IP sub-net protocol VLAN on a ServerIron within a port-based VLAN, when entered at
the VLAN Level. This allows you to define additional granularity than that of an IP protocol VLAN, by partitioning
the broadcast domains by sub-net. In creating an IP sub-net VLAN, an IP address is used as identifier.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
NOTE: When configuring on a Foundry router, ports must be added to the VLAN with the static command.
Ports are not dynamically allocated to IP sub-net VLANs.
EXAMPLE:
To create an IP sub-net of IP address 192.75.3.0 with permanent port membership of 1 and 2 (module 2), within
VLAN 10, enter the following commands.
ServerIron(config)# vlan 10
ServerIron(config-vlan-10)# ip-subnet 192.75.3.0 255.255.255.0
ServerIron(config-vlan-ip-subnet)# static e 1 to 2
NOTE: If configuring this on a switch, enter vlan 10 by port at the CONFIG Level versus vlan 10, as shown in
the example above.
NOTE: An IP protocol and IP sub-net VLAN cannot both be configured to operate simultaneously on a Foundry
switch or router. This restriction is also true for IPX and IPX Network VLANs.
To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last
arguments in the command. The name can contain blank spaces if you use double quotation marks before and
after the name.
Possible values: N/A
Default value: N/A
ipx-network
This command creates an IPX network VLAN on a ServerIron within a port-based VLAN, when entered at the
VLAN Level. This allows you to define additional granularity than that of the IPX protocol VLAN, by partitioning the
broadcast domains by IPX network number. In creating an IPX network VLAN, an IPX network number is used as
identifier. The frame type must also be specified.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
NOTE: When configuring on a Foundry router, ports must be added to the VLAN with the static command.
Ports are not dynamically allocated to IPX network VLANs.
EXAMPLE:
To create an IPX network VLAN with a network number of 500 and frame type of 802.2 with permanent port
membership of 10 and 14 within port-based VLAN 15, enter the following commands.
ServerIron(config)# vlan 15
ServerIron(config-vlan-15)# ipx-network 500 ethernet_802.2
ServerIron(config-vlan-ipx-proto)# static e 10 e 14
ipx-proto
This command creates an IPX protocol VLAN on a ServerIron within a port-based VLAN, when entered at the
VLAN Level.
When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership
by using the static or exclude commands.
NOTE: If configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are
not dynamically allocated to IPX protocol VLANs.
EXAMPLE:
To assign ports 1, 2, 6 and 8 to an IPX protocol VLAN within port-based VLAN 22, enter the following:
ServerIron(config)# vlan 22
ServerIron(config-vlan-22)# ipx-proto
ServerIron(config-vlan-ipx-proto)# static e 1 to 2 e 6 e 8
NOTE: If configuring this on a switch, enter vlan 22 by port at the CONFIG Level versus vlan 22, as shown in
the example above.
NOTE: An IPX protocol and IPX network VLAN cannot both be configured to operate simultaneously on a
Foundry switch or router. This restriction is also true for IP and IP sub-net VLANs.
netbios-proto
This command creates a NetBIOS protocol VLAN on a ServerIron within a port-based VLAN, when entered at the
VLAN Level.
All ports are dynamically allocated to a NetBIOS VLAN when it is created. VLAN Membership can be modified
using the dynamic, static, or exclude commands.
EXAMPLE:
To create a NetBIOS Protocol VLAN with permanent port membership of 4 and 5 and ports 8 through 12 as
dynamic member ports, within port-based VLAN 25, enter the following commands.
ServerIron(config)# vlan 25
ServerIron(config-vlan-25)# netbios-proto
ServerIron(config-vlan-netbios-proto)# static e 4 e 5
ServerIron(config-vlan-netbios-proto)# exclude e 1 to 3 e 6 e 7 e 13 to 16
NOTE: If configuring this on a switch, enter vlan 25 by port at the CONFIG Level versus vlan 25, as shown in
the example above.
no
This command is used to disable other commands. To do so, place the word no before the command.
other-proto
This command creates an other-protocol VLAN on a ServerIron within a port-based VLAN, when entered at the
VLAN Level.
All ports of the ServerIron are by default dynamically assigned to a newly created other protocol VLAN. VLAN
Membership can be modified using the dynamic, static, or exclude commands.
You can use this option to define a protocol-based VLAN for protocols that do not require a singular protocol
broadcast domain or are not currently supported on the ServerIron.
EXAMPLE:
On a 16-port switch, ports 13 through 16 carry Decnet and AppleTalk traffic. You do not need to separate this
traffic by protocol into separate broadcast domains. Instead, create an other-protocol VLAN, with just those ports
as members, within port-based VLAN 50.
ServerIron(config)# vlan 50
ServerIron(config-vlan-50)# other-proto
ServerIron(config-vlan-other-proto)# static e13 to 16
ServerIron(config-vlan-other-proto)# exclude e1 to 12
NOTE: If configuring this on a switch, enter vlan 50 by port at the CONFIG Level versus vlan 50, as shown in
the example above.
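The membership rules shared by the decnet-proto, ip-proto, netbios-proto and other-proto commands above (every port starts as a dynamic member and is adjusted with static, exclude, dynamic or no dynamic) and the port-list syntax of their examples, as a Python model added for this page; it is not Foundry code, and the 16-port switch, the reading of `no dynamic` and the membership model are assumptions:

```python
import re
from dataclasses import dataclass, field

# Constructed assumption: a 16-port stackable ServerIron whose ports are
# named "1".."16", like the 16-port switch in the other-proto example above.
SWITCH_PORTS = tuple(str(n) for n in range(1, 17))

# One port or range in the CLI's port-list syntax, e.g. "e 6", "ethernet 3/5",
# "e 1 to 14", "e13 to 16" or "e 3/1 to 3/4" ("e" abbreviates "ethernet").
_PORT_RE = re.compile(r"(?:ethernet|e)\s*(\d+(?:/\d+)?)(?:\s+to\s+(\d+(?:/\d+)?))?")


def _split(name):
    """'3/5' -> ('3', 5) for chassis slot/port names; '5' -> (None, 5)."""
    module, _, num = name.rpartition("/")
    return (module or None, int(num))


def parse_port_list(text):
    """Expand a port list such as 'e 1 to 2 e 6 e 8' into port names, in order.

    Raises ValueError for text that is not a sequence of
    'e|ethernet <port> [to <port>]' groups, or for a range spanning modules.
    """
    ports, pos = [], 0
    for m in _PORT_RE.finditer(text):
        if text[pos:m.start()].strip():
            raise ValueError(f"unexpected text {text[pos:m.start()].strip()!r}")
        pos = m.end()
        mod_a, first = _split(m.group(1))
        mod_b, last = _split(m.group(2) or m.group(1))
        if mod_a != mod_b or last < first:
            raise ValueError(f"bad range {m.group(0)!r}")
        for n in range(first, last + 1):
            ports.append(f"{mod_a}/{n}" if mod_a else str(n))
    if text[pos:].strip():
        raise ValueError(f"unexpected text {text[pos:].strip()!r}")
    return ports


@dataclass
class ProtocolVlan:
    """Membership of one protocol VLAN inside a port-based VLAN.

    Model used here (an interpretation of the descriptions above, not
    Foundry's implementation): every port starts as a dynamic member;
    'static' makes a port a permanent member, 'exclude' removes it,
    'dynamic' returns it to the default, and 'no dynamic' switches dynamic
    membership off so that only the static ports remain members.
    """
    proto: str
    all_ports: tuple = SWITCH_PORTS
    static: set = field(default_factory=set)
    excluded: set = field(default_factory=set)
    dynamic_enabled: bool = True

    def run(self, line):
        """Apply one membership command as typed at the protocol-VLAN level."""
        words = line.split()
        if words == ["no", "dynamic"]:
            self.dynamic_enabled = False
            return
        keyword, ports = words[0], set(parse_port_list(" ".join(words[1:])))
        unknown = ports - set(self.all_ports)
        if unknown:
            raise ValueError(f"ports not in this VLAN: {sorted(unknown)}")
        if keyword == "static":
            self.static |= ports
            self.excluded -= ports
        elif keyword == "exclude":
            self.excluded |= ports
            self.static -= ports
        elif keyword == "dynamic":
            self.static -= ports
            self.excluded -= ports
        else:
            raise ValueError(f"unknown membership command {keyword!r}")

    def membership(self):
        """Return {port: 'static' | 'dynamic' | 'excluded'} for every port."""
        state = {}
        for p in self.all_ports:
            if p in self.static:
                state[p] = "static"
            elif p in self.excluded or not self.dynamic_enabled:
                state[p] = "excluded"
            else:
                state[p] = "dynamic"
        return state

    def members(self):
        """Ports that may currently carry this protocol's traffic."""
        return [p for p, s in self.membership().items() if s != "excluded"]


def other_proto_example():
    """The other-proto example above: only ports 13 to 16 within VLAN 50."""
    vlan = ProtocolVlan("other-proto")
    vlan.run("static e13 to 16")
    vlan.run("exclude e1 to 12")
    return vlan.members()
```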
priority
This assigns a higher priority to a VLAN so that in times of congestion, it will receive precedence over other
transmissions. Up to eight levels of priority can be assigned to a VLAN.
EXAMPLE:
ServerIron(config)# vlan 25
ServerIron(config-vlan-25)# priority high
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-vlan-6)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
router-interface
Configures a virtual routing interface for use with IP forwarding. After you add the virtual routing interface, you can
configure IP addresses on the routing interface.
EXAMPLE:
ServerIron(config)# vlan 1
ServerIron(config-vlan-1)# router-interface ve 1
The vlan 1 command changes the CLI to the configuration level for VLAN 1. The router-interface ve 1 command
adds virtual routing interface 1.
rshow
Displays the real and virtual server configuration information of a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
spanning-tree
Spanning Tree bridge and port parameters are configurable using one command set at the global level for VLANs.
NOTE: When port-based VLANs are not operating on the system, spanning tree is set on a system level at the
Global CONFIG Level.
EXAMPLE:
Suppose you want to change the hello-time value of VLAN 3 from the default value. Additionally, you want to
change the path and priority costs for port 5, a member of VLAN 3. Enter the following commands:
ServerIron(config)# vlan 3
ServerIron(config-vlan-3)# span hello-time 8
ServerIron(config-vlan-3)# span ethernet 5 path-cost 15 priority 64
NOTE: You do not need to configure values for the spanning tree parameters. All parameters have default
values as noted below. Additionally, all values will be globally applied to all ports on the system or port-based
VLAN for which they are defined.
To configure a specific path-cost or priority value for a given Ethernet port, enter those values using the key words
found in the brackets [ ] shown in the syntax summary below. If you do not want to specify any specific values for
any given Ethernet port, this portion of the command is not required.
Syntax: spanning-tree [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value> hello-time <value> maximum-age <time> priority <value>
Forward Delay: the period of time a bridge will wait (the listen and learn period) before forwarding data
packets. Possible values: 4 to 30 seconds. Default is 15.
Maximum Age: the interval a bridge will wait for receipt of a hello packet before initiating a topology change.
Possible values: 6 to 40 seconds. Default is 20.
Hello Time: the interval of time between each configuration BPDU sent by the root bridge.
Possible values: 1 to 10 seconds. Default is 2.
Priority: a parameter used to identify the root bridge in a network. The bridge with the lowest value has the
highest priority and is the root. Possible values: 0 to 255. Default is 128.
Path Cost: a parameter used to assign a higher or lower path cost to a port. Possible values: 1 to 65535.
Default is (1000/Port Speed) for Half-Duplex ports and is (1000/Port Speed)/2 for Full-Duplex ports.
Priority: value determines when a port will be rerouted in relation to other ports. Possible values: 0 to 255.
Default is 128.
static-mac-address
This command allows you to define a static MAC address for a port on a ServerIron to ensure the device's entry is
not aged out. When defining the MAC address entry, you can also define the port's priority and whether it is a
router-type or host-type.
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the
entry applies to that VLAN and not to the default VLAN.
NOTE: If you want to include a trunk group when you configure a static MAC entry that has multiple ports,
include only the primary port of the trunk group. If you include all the trunk group's ports, the ServerIron uses all
the ports to forward traffic for the MAC address instead of using only the active trunk port.
EXAMPLE:
To enter a static MAC address entry for port 5, that is also resident in port-based VLAN 4, enter the following:
ServerIron(config)# vlan 4
ServerIron(config-vlan-4)# static-mac-address 023.876.735 ethernet 5 high-priority router-type
The syntax for adding static MAC entries differs depending on whether you are using a stackable or chassis
ServerIron.
Syntax for chassis devices:
Foundry recommends that you configure a static ARP entry to match the static MAC entry. In fact, the software
automatically creates a static MAC entry when you create a static ARP entry.
NOTE: When a static MAC entry has a corresponding static ARP entry, you cannot delete the static MAC entry
unless you first delete the static ARP entry.
To create a static ARP entry for a static MAC entry, enter a command such as the following:
ServerIron(config-vlan-4)# arp 1 192.53.4.2 aaaa.bbbb.cccc ethernet 1
NOTE: The arp command allows you to specify only one port number. To create a static ARP entry for a static
MAC entry that is associated with multiple ports, specify the first (lowest-numbered) port associated with the static
MAC entry.
Possible values: See above.
Default value: See above.
tagged
Once a port-based VLAN is created, port membership for that VLAN must be defined. To assign a port to a port-based VLAN, either the tagged or untagged command is used. When a port is tagged, it can be a member of
multiple port-based VLANs.
A tagged port carries traffic for each of the VLANs to which it is assigned. A common use is to place an e-mail
server that several groups need to reach on a tagged port that is a member of every VLAN whose members need
access to the server.
EXAMPLE:
To make port 5 (module 5), a member of port-based VLAN 4, a tagged port, enter the following:
ServerIron(config)# vlan 4
ServerIron(config-vlan-4)# tagged ethernet 3/5
untagged
Once a port-based VLAN is created, port membership for that VLAN must be defined. To assign a port to a port-based VLAN, either the tagged or untagged command is used. When a port is untagged, it can only be a
member of one VLAN.
EXAMPLE:
Suppose you want to assign all ports on a 16-port ServerIron except port 5 (module 3) as untagged to a VLAN. To
assign ports 1-4 and 6-16 to VLAN 4, enter the following:
ServerIron(config)# vlan 4
ServerIron(config-vlan-4)# untagged ethernet 3/1 to 3/4 e 3/6 to 3/16
uplink-switch
Configures a set of ports within a port-based VLAN as uplink ports for the VLAN. All broadcast and unknown-unicast traffic goes only to the uplink ports, not to the other ports in the VLAN.
For more information, see the "Configuring Virtual LANs (VLANs)" chapter in the Foundry Switch and Router
Installation and Basic Configuration Guide.
EXAMPLE:
To configure a port-based VLAN containing uplink ports, enter commands such as the following:
ServerIron(config)# vlan 10 by port
ServerIron(config-vlan-10)# untag ethernet 1/1 to 1/24
ServerIron(config-vlan-10)# untag ethernet 2/1 to 2/2
ServerIron(config-vlan-10)# uplink-switch ethernet 2/1 to 2/2
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
ServerIron(config-vlan-4)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-vlan-4)# write terminal
Chapter 10
Real Server Commands
asymmetric
Overrides the ServerIron's default mechanism for checking the health of cache servers. Normally, the ServerIron
uses cache responses forwarded back through the ServerIron as indications of a cache server's health. However,
in some topologies, the cache responses do not pass through the ServerIron.
EXAMPLE:
ServerIron(config-rs-realserver1)# asymmetric
Syntax: asymmetric
Possible values: N/A
Default value: Disabled
backup
Designates a real server to be a backup server.
By default, the virtual server uses the locally attached real servers (added using the server real-name command)
as the primary load-balancing servers and uses the remotely attached servers (added using the server remote-name command) as backups.
NOTE: This command applies only to the ServerIron 400 or ServerIron 800 running software release 07.2.23 or
later.
EXAMPLE:
ServerIron(config-rs-R3)# backup
clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in
Privileged EXEC Commands on page 5-1.
clone-server
Makes a copy ("clone") of a real server's configuration. When you clone a real server, you make a copy of the real
server's configuration information under a new name. The copy includes the port bindings to the virtual server.
EXAMPLE:
ServerIron(config)# server real rs1 1.2.3.4
ServerIron(config-rs-rs1)# clone-server rs2 5.6.7.8
The first command changes the CLI to the configuration level for the real server you want to copy. The second
command creates a clone of real server rs1. The clone is named "rs2" and has IP address 5.6.7.8.
description
Adds a description to a real server, virtual server, firewall, or cache. The description appears in the output of
show commands and in the running-config and startup-config files.
EXAMPLE:
ServerIron(config)# server real RS20 1.2.3.4
ServerIron(config-rs-RS20)# description "Real Server # 20"
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-rs-webland)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exceed-max-drop
Drops HTTP requests when all the real servers in a server group have reached their maximum number of
connections.
EXAMPLE:
ServerIron(config)# server real-name server1 207.95.7.1
ServerIron(config-rs-server1)# exceed-max-drop
ServerIron(config-rs-server1)# exit
Syntax: exceed-max-drop
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-rs-webland)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
filter-match
This command enables policy-based caching, which selectively caches web sites on specific cache servers. For
example, an ISP can use a ServerIron configured for policy-based caching to redirect HTTP traffic to a series of
web cache servers made by different vendors with different caching criteria.
To take advantage of policy-based caching, you also need to define IP access policy filters.
EXAMPLE:
ServerIron(config-rs-fixedcontent)# filter-match
Syntax: filter-match
Possible values: N/A
Default value: N/A
history-group
This command is used with the Layer 4 statistics monitoring function on the ServerIron. This command binds a
history list to a real server. You can bind up to 8 history lists to a real server or port on a real server.
EXAMPLE:
To bind history list 1 to port 80 (HTTP) on real server aaa:
ServerIron(config)# server real aaa
ServerIron(config-rs-aaa)# port http history-group 1
host-range
Creates a range of contiguous virtual IP addresses (VIPs) based on the VIP address of the virtual server. The
ServerIron creates the range by creating the number of VIPs that you specify with this command. You do not
specify a range; you specify the number of hosts in the range. The beginning address in the range is always the
VIP.
NOTE: The IP addresses must be contiguous on the real server.
EXAMPLE:
To define a range of 500 contiguous VIPs, enter the following commands:
ServerIron(config)# server real-name r1 10.4.4.4
ServerIron(config-rs-r1)# host-range 500
ServerIron(config-rs-r1)# exit
ServerIron(config)# server real-name r2 10.4.4.5
ServerIron(config-rs-r2)# host-range 500
ServerIron(config-rs-r2)# exit
ServerIron(config)# server virtual-name lotsofhosts 209.157.22.99
ServerIron(config-vs-lotsofhosts)# host-range 500
ServerIron(config-vs-lotsofhosts)# exit
ip-address
Changes a real server's IP address.
You can change the IP address even when the real server is active. This capability is useful when you want to
perform some maintenance on the real server (either the server itself or the server's configuration on the
ServerIron) or when the network topology has changed.
By default, when you change a server's IP address, the ServerIron performs the change gracefully, as follows:
Existing connections are allowed to continue on the old IP address until they terminate normally.
Optionally, you can force all existing connections to be reset instead of waiting for them to terminate normally.
When you force the connections to be reset, the ServerIron immediately resets a connection when it receives
client data for the connection.
EXAMPLE:
ServerIron(config)# server real rs1
ServerIron(config-rs-rs1)# ip-address 5.6.7.8
max-conn
Allows you to specify the maximum number of sessions the ServerIron will maintain in its session table for a
specific real server.
NOTE: The configured value cannot exceed the maximum value configured for active sessions using the server
session-limit command at the global level.
EXAMPLE:
ServerIron(config)# server real-name web2
ServerIron(config-rs-web2)# max-conn 1000
max-tcp-conn-rate
Configures Connection Rate Limiting (CRL) for a TCP application port on a real server, cache server, or firewall.
EXAMPLE:
ServerIron(config-rs-FW1)# max-tcp-conn-rate 1000
The command in this example specifies a maximum TCP connection rate of 1000 connections per second on
firewall FW1.
max-udp-conn-rate
Configures Connection Rate Limiting (CRL) for a UDP application port on a real server, cache server, or firewall.
EXAMPLE:
ServerIron(config-rs-FW1)# max-udp-conn-rate 800
The command in this example specifies a maximum UDP connection rate of 800 connections per second on
firewall FW1.
no
This command is used to disable other commands. To do so, place the word no before the command.
other-ip
Configures a second IP address for certain multihomed devices. This command can be used in some FWLB
configurations where a pair of ServerIrons is configured as an active-standby pair and the firewalls are
multihomed. In this type of configuration, the other-ip command identifies the IP address of the firewall interface
connected to the other ServerIron in the pair.
port
Allows you to override global port attributes set in the port's profile. In addition, this command allows you to
configure application-specific health check parameters for HTTP, DNS, and RADIUS ports.
EXAMPLE:
To disable a port, enter commands such as the following:
ServerIron(config)# server real-name web2
ServerIron(config-rs-web2)# port http disable
ftp the well-known name for port 21. (Ports 20 and 21 both are FTP ports but in the ServerIron, the name
ftp corresponds to port 21.)
<number>
NOTE: Specify the port number if the port is not one of the well-known names listed above.
EXAMPLE:
To configure the HTTP keepalive request to send a HEAD request for sales.html, enter the following commands:
ServerIron(config)# server real Jet 207.96.3.251
ServerIron(config-rs-jet)# port http url "/sales.html"
ServerIron(config-rs-jet)# exit
ServerIron(config)# server virtual NiceServer 207.96.4.250
ServerIron(config-vs-NiceServer)# port http
ServerIron(config-vs-NiceServer)# bind http Jet http
GET or HEAD is an optional parameter that specifies the request type. By default, HTTP keepalive uses HEAD to
retrieve the URL page. You can override the default and configure the ServerIron to use GET to retrieve the URL
page.
The slash ( / ) is an optional parameter. If you do not set the GET or HEAD parameter, and the slash is not in the
configured URL page, then ServerIron automatically inserts a slash before retrieving the URL page.
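The HEAD/GET default and the slash rule just described, as Python added for this page (not Foundry's implementation); HTTP/1.0 as the request version and the configuration-check function are assumptions:

```python
from typing import List, Optional


def keepalive_request_line(page: str, method: Optional[str] = None) -> str:
    """Build the request line the HTTP keepalive health check would send.

    Rules from the description above: HEAD is used unless GET is configured,
    and the leading slash is inserted automatically only when no method is
    configured. Constructed example code; HTTP/1.0 is an assumption.
    """
    if method is None:
        request_method = "HEAD"
        if not page.startswith("/"):
            page = "/" + page          # ServerIron inserts the slash itself
    else:
        request_method = method.upper()
        if request_method not in ("GET", "HEAD"):
            raise ValueError(f"unsupported keepalive method {method!r}")
    return f"{request_method} {page} HTTP/1.0"


def check_keepalive_url(page: str, method: Optional[str] = None) -> List[str]:
    """Return warnings for a 'port http url' setting (constructed check)."""
    warnings = []
    if method is not None and not page.startswith("/"):
        # With GET or HEAD given, no slash is inserted, so the request target
        # is not an absolute path and the health check will not match a page.
        warnings.append("no leading slash and a method is set: "
                        "the request line will be malformed")
    if any(c.isspace() for c in page):
        warnings.append("whitespace in the page splits the request line")
    return warnings
```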
EXAMPLE:
To configure the domain name for address-based DNS health checking, enter the following command:
ServerIron(config-rs-jet)# port dns addr_query "abc.zone1.com"
port disable-all
Disables all the application ports on a real server.
NOTE: This command applies only to the ServerIron 400 and ServerIron 800.
EXAMPLE:
ServerIron(config-rs-R1)# port disable-all
To re-enable all the application ports, enter the following command:
ServerIron(config-rs-R1)# no port disable-all
port unbind-all
Unbinds all of a real server's application ports from all virtual servers.
NOTE: This command applies only to the ServerIron 400 and ServerIron 800.
EXAMPLE:
To unbind a real server's application ports, enter the following command at the configuration level for the server:
ServerIron(config-rs-R1)# port unbind-all
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-rs-test)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
response-time
Configures server response-time warning and shutdown thresholds for an individual server.
For information about response-time thresholds, see server response-time on page 6-79.
EXAMPLE:
ServerIron(config-rs-R1)# response-time 50 75
This command sets the warning threshold to 50 milliseconds and the shutdown threshold to 75 milliseconds, for
this real server only.
NOTE: The threshold values you configure on an individual real server override the globally configured
thresholds.
rshow
Displays the real and virtual server configuration information of a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
source-nat
In an SLB configuration, configures the ServerIron to translate the source address of client requests the
ServerIron forwards to real servers. The ServerIron changes the address to a source IP address you have
configured on the ServerIron.
Add source IP addresses and enable source NAT if the ServerIron and real server are in different sub-nets. See
the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.
EXAMPLE:
ServerIron(config-rs-june)# source-nat
weight
Allows you to assign a performance weight to each server. Servers assigned a larger or higher weight receive a
larger percentage of connections.
EXAMPLE:
To set the weight for a server to 5 from the default value of 1, enter the following command:
ServerIron(config)# server real web5
ServerIron(config-rs-web5)# weight 5
write memory
Saves the running configuration into the startup-config file.
EXAMPLE:
ServerIron(config-rs-web5)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-rs-web5)# write terminal
Chapter 11
Virtual Server Commands
acl-id
Contact Foundry engineering for information about using this command as part of a virtual server configuration.
bind
Allows you to bind a virtual server service to real server services. A virtual server service can bind one or more real-server services.
EXAMPLE:
To bind a virtual server to HTTP services on real servers web1 and web2, enter the following:
ServerIron(config)# server virtual www.foundrynet.com 207.95.5.1
ServerIron(config-vs-www.foundrynet.com)# bind http web1 http web2 http
ftp the well-known name for port 21. (Ports 20 and 21 both are ftp ports but on the ServerIron, the
name ftp corresponds to port 21.)
cache-enable
Enables the Active Cache feature, which configures the ServerIron to try resolving a client request using a cache
server first, then using a load balanced server if the cache does not contain the requested content. For an
example of how to use this feature, see the "Configuring Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
NOTE: By default, this command enables combined TCS and SLB service only for the HTTP port (port 80). To
enable combined TCS and SLB service for other ports, you must specify the port name or number.
EXAMPLE:
To enable Active Cache for VIP Foundry, enter the following command:
ServerIron(config-vs-Foundry)# cache-enable
To enable Active Cache for the SSL port (port 443) on VIP Foundry, enter the following command:
ServerIron(config-vs-Foundry)# port ssl cache-enable
clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in
Privileged EXEC Commands on page 5-1.
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-vs-www.rumors.com)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-vs-www.rumors.com)# exit
ServerIron(config)#
Syntax: exit
host-range
Enables you to define a range of virtual IP addresses (VIPs) simply by defining a base VIP and the number of
hosts in the range.
NOTE: The VIPs must be contiguous and must map to a contiguous range of real IP addresses on the real
server.
EXAMPLE:
To define a range of 500 contiguous VIPs, enter the following commands:
ServerIron(config)# server virtual-name lotsofhosts 209.157.22.99
ServerIron(config-vs-lotsofhosts)# host-range 500
ServerIron(config-vs-lotsofhosts)# exit
ServerIron(config)# server virtual-name cache1 10.4.4.4
ServerIron(config-rs-cache1)# host-range 500
ServerIron(config-rs-cache1)# exit
httpredirect
In configurations that use remote failover servers, the remote server sends replies back to the ServerIron or
directly to the client:
If you configure a source IP address and enable source NAT, the remote server sends the response back to
the ServerIron.
If you do not use source NAT (whether you have configured a source IP address or not), the remote real
server sends the response directly to the client. In this case, the client refuses the connection request
because the client believes it is talking to the virtual IP address, not the real server IP address. In this case,
you can configure the ServerIron to send an HTTP redirect message to the client so that the client redirects
its HTTP connection to the real server's IP address instead of the VIP.
EXAMPLE:
To enable HTTP redirect, enter the following command:
ServerIron(config-vs-lotsofhosts)# httpredirect
Syntax: httpredirect
Possible values: N/A
Default value: Disabled
no
This command is used to disable other commands. To do so, place the word no before the command.
port
Allows you to add a TCP/UDP port to a VIP. If you are using the SwitchBack feature, you can use the dsr
parameter to enable SwitchBack for the port.
NOTE: SwitchBack also requires that you configure a loopback interface on each real server. The loopback
interface must have the same address as the VIP. See the "Configuring Symmetric SLB and SwitchBack" chapter
of the Foundry ServerIron Installation and Configuration Guide for more information about this feature.
NOTE: For servers that use passive FTP, configure the FTP ports to be both sticky and concurrent.
EXAMPLE:
To add port 80 (HTTP) to a VIP called Web1, enter the following command:
ServerIron(config-vs-Web1)# port http
EXAMPLE:
To add port 80 (HTTP) to a VIP called Web69 and enable SwitchBack for the port, enter the following command:
ServerIron(config-vs-Web69)# port http dsr
ServerIron(config-vs-mysite)# port http url-switch
ServerIron(config-vs-mysite)# bind http rs1 http
ServerIron(config-vs-mysite)# bind http rs2 http
ServerIron(config-vs-mysite)# bind http rs3 http
ServerIron(config-vs-mysite)# exit
Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]
or
The <tcp/udp-port> parameter specifies the application port you want to make stateless.
EXAMPLE:
By default, stateless SLB uses a hashing algorithm to select a real server. The ServerIron calculates a hash value
for a given client request based on the request's source IP address and source TCP/UDP port. The request is
sent to a real server corresponding to this hash value.
For UDP connections consisting of one client packet and one server response packet, you can disable the
stateless SLB hashing algorithm. When the stateless SLB hashing algorithm is disabled for UDP ports, the
ServerIron uses the round-robin load balancing method to select a real server for the request. In this case, the
ServerIron load balances UDP packets destined for the VIP without creating a session and without calculating
hash values based on UDP port number and source IP address.
DNS is an example of a UDP port where this feature can be used. The advantage of disabling the stateless SLB
hashing algorithm is that a new real server can be selected immediately after it is brought up.
For example, to disable the stateless SLB hashing algorithm for the DNS port (UDP port 53):
ServerIron(config)# server virtual Stateless 192.168.4.69
ServerIron(config-vs-Stateless)# port dns stateless no-hash
To enable a VIP to use the servers designated as backups only as backups, and use the other servers as the
primary load-balancing servers, enter the following command at the configuration level for the VIP:
ServerIron(config-vs-VIP1)# port http lb-pri-servers
This command enables VIP1 to use the backup and primary servers for application port HTTP.
To configure the VIP and application port to continue using the backup servers even after the primary servers
become available again, use the backup-stay-active parameter, as in the following example:
ServerIron(config-vs-VIP1)# port http lb-pri-servers backup-stay-active
predictor
This command is used to select the session's distribution algorithm that will be used on the specified virtual server.
This command will override any globally configured value for a virtual server. By default, the least connections
method is enabled.
EXAMPLE:
To change the virtual server predictor method from the default value of least connections to the round-robin
method, enter the following:
ServerIron(config)# server virtual www.foundrynet.com 207.95.5.1
ServerIron(config-vs-www.foundrynet.com)# predictor round-robin
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-vs-Foundry)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
source-sticky
Allows you to disable or re-enable this feature. Use this command only if advised to do so by Foundry technical
support.
sym-active
Enables active-active Symmetric SLB on a VIP.
EXAMPLE:
ServerIronA(config)# server virtual-name VIP1 1.1.1.1
ServerIronA(config-vs-VIP1)# port 80
ServerIronA(config-vs-VIP1)# sym-priority 69
ServerIronA(config-vs-VIP1)# sym-active
This example configures VIP1 by adding port 80, enabling SSLB, then enabling active-active SSLB. The
sym-priority command enables SSLB. The command requires a number from 1 to 255 to enable SSLB. Once you
enter the sym-active command to enable active-active SSLB, the software ignores the priority value you
specified.
sym-priority
Assigns a Symmetric SLB priority to a virtual IP address (VIP). The priority determines which ServerIron in a
Symmetric SLB configuration is the default active ServerIron for the VIP. The priority can be from 0 (disabled) to
255 (highest priority).
NOTE: Foundry recommends that you specify 2 (instead of 1) as a low priority or 254 (instead of 255) as a high
priority. This way, you can easily force failover of the high priority ServerIron to the low priority ServerIron by
changing the priority on just one of the ServerIrons. For example, you can force a failover by changing the priority
on the high priority ServerIron from 254 to 1. Since the priority on the low priority ServerIron is 2, the low priority
ServerIron takes over for the VIP. Likewise, you can force the low priority ServerIron to take over by changing its
priority to 255, since the priority on the high priority ServerIron is only 254.
See the "Configuring Symmetric SLB and SwitchBack" chapter of the Foundry ServerIron Installation and
Configuration Guide for more information about this feature.
EXAMPLE:
To configure VIPs V1 and V2 on two ServerIrons for Symmetric SLB, enter the following commands. After you
enter these commands, the first ServerIron is the active ServerIron for VIP V1 (1.1.1.1) and is the backup
ServerIron for VIP2 (2.2.2.2). The second ServerIron is the active ServerIron for VIP V2 (2.2.2.2) and the backup
ServerIron for VIP1 (1.1.1.1).
Commands for the first ServerIron:
ServerIron(config)# server virtual-name V1 1.1.1.1
ServerIron(config-vs-V1)# sym-priority 2
ServerIron(config-vs-V1)# exit
ServerIron(config)# server virtual-name V2 2.2.2.2
ServerIron(config-vs-V2)# sym-priority 254
ServerIron(config-vs-V2)# write mem
Commands for the second ServerIron:
ServerIron(config)# server virtual-name V1 1.1.1.1
ServerIron(config-vs-V1)# sym-priority 254
ServerIron(config-vs-V1)# exit
ServerIron(config)# server virtual-name V2 2.2.2.2
ServerIron(config-vs-V2)# sym-priority 2
ServerIron(config-vs-V2)# write mem
track
Configures up to four TCP/UDP ports to track another, primary TCP/UDP port. This feature enables the
ServerIron to group applications. After the ServerIron sends a request for the master TCP/UDP port to a real
server, requests from the same client for the ports that track the master port also go to the same real server.
For more information about the feature, see the "Configuring Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
EXAMPLE:
To configure TCP/UDP ports 8080 and 9090 to track port 80, enter the following command:
ServerIron(config-vs-Foundry)# track 80 8080 9090
track-group
Causes the ServerIron to use the same server for applications associated with a set of grouped ports, as long as
all the ports in the group are active. After the ServerIron sends a client to a real server for any of the grouped
ports, subsequent requests from that client for any of the grouped ports go to the same real server.
EXAMPLE:
To group the HTTP port (80), Telnet port (23), and TFTP port (69) together:
ServerIron(config-vs-v1)# track-group 80 69 23
Whenever a client attempts to connect to a port within the group, the ServerIron ensures all ports in the group are
active before granting the connection.
NOTE: The sticky parameter makes the TCP/UDP ports sticky. The sticky parameter must be set for all ports in
the group.
Possible values: a TCP or UDP port number. Up to eight ports can be grouped together using the track group
function. A port can be part of only one group. The track-group and track commands for a port are mutually
exclusive.
Default value: N/A
transparent-vip
Enables an individual VIP for transparent VIP. Transparent VIP applies only to the VIPs on which you enable it.
NOTE: You must globally enable transparent VIP support in addition to enabling the feature on individual VIPs.
See server transparent-vip on page 6-85.
EXAMPLE:
ServerIron(config-vs-TransVIP)# transparent-vip
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-vs-Foundry)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-vs-Foundry)# write terminal
Chapter 12
Cache Group Commands
acl-id
Identifies an IP ACL for use with your configuration. For example, you can use the command to identify an ACL for
denying FWLB for a specific TCP or UDP application port.
EXAMPLE:
To deny FWLB for TCP port 80 (HTTP) but allow FWLB for all other TCP and UDP application ports, enter
commands such as the following:
ServerIronA(config)# access-list 101
ServerIronA(config)# access-list 101
ServerIronA(config)# access-list 101
ServerIronA(config)# server fw-group
ServerIronA(config-tc-2)# acl-id 101
The first three commands configure three ACL entries. The first entry denies FWLB for packets addressed to TCP
port 80 (HTTP). The second ACL permits FWLB for all TCP applications. Packets that do not match the first ACL
entry match the second ACL entry and are provided with FWLB. The third ACL permits FWLB for all UDP
applications. The last two commands change the CLI level to the firewall group configuration level and apply ACL
101 to the firewall group.
Syntax: [no] access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator>
<source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard> [<operator> <destination-tcp/udp-port>]
[precedence <name> | <num>] [tos <name> | <num>] [log]
Syntax: [no] acl-id <num>
For detailed information about the ACL syntax, see the Using Access Control Lists (ACLs) chapter in the
Foundry Switch and Router Installation and Basic Configuration Guide.
Possible values: The ID of a configured IP ACL.
Default value: N/A
cache-name
This command assigns a cache server to the cache group. The cache server must already be configured. (See
server cache-name on page 6-62.)
NOTE: A cache server can be in only one cache group. If you add a cache server to a cache group, the
ServerIron automatically removes the cache server from the cache group the cache server was already in.
EXAMPLE:
To assign a cache server named web2 to cache group 2, enter the following:
ServerIron(config)# server cache-group 2
ServerIron(config-tc-2)# cache-name web2
clear
Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in
Privileged EXEC Commands on page 5-1.
dest-nat
This command enables destination NAT for TCS.
By default, the ServerIron translates the destination MAC address of a client request into the MAC address of the
cache server. However, the ServerIron does not translate the IP address of the request to the cache server's IP
address. Instead, the ServerIron leaves the destination IP address untranslated.
This behavior assumes that the cache server is operating in promiscuous mode, which allows the cache server to
receive requests for any IP address so long as the MAC address in the request is the cache server's. This
behavior works well in most caching environments. However, if your cache server requires that the client traffic
arrive in directed IP unicast packets, you can enable destination NAT.
Destination NAT is disabled by default.
NOTE: This option is rarely used. If your cache server operates in promiscuous mode, you probably do not need
to enable destination NAT. Otherwise, enable destination NAT. Consult your cache server documentation if you
are unsure whether you need to enable destination NAT.
EXAMPLE:
To enable destination NAT for cache group 1, enter the following command:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# dest-nat
Syntax: dest-nat
disable
This command disables the cache group.
EXAMPLE:
To disable cache group 2, enter the following command.
ServerIron(config-tc-1)# disable
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-tc-1)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-tc-1)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
failover-acl
Contact Foundry engineering for information about this command.
fwall-info
Configures a path for firewall load balancing.
EXAMPLE:
To configure paths for two firewalls, enter the following commands. See the Foundry ServerIron Firewall Load
Balancing Guide for complete configuration examples.
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fwall-info 1 3 209.157.23.3 209.157.22.3
ServerIron(config-tc-2)# fwall-info 2 5 209.157.23.3 209.157.22.4
On the external ServerIrons, specify the internal ServerIrons' management addresses for the trusted zone but
specify the source IP addresses for the other zones.
On the internal ServerIrons, specify the external ServerIrons' management addresses for the non-trusted
zone, which is the only zone on the external ServerIrons.
The <next-hop-ip> parameter specifies the IP address of the next hop in the path. For firewall paths, specify the IP
address of the firewall interface connected to this ServerIron. For router paths, specify the router's IP interface
with the ServerIron.
The path-group-id <num> parameter specifies the number that indicates the firewall through which the paths go.
NOTE: Router paths do not use path IDs.
The remote-id <num> parameter is a number (1 or 2) representing the ServerIron at the remote end of the path in
a superzone FWLB configuration. Specify 1 for a basic configuration. Specify 1 and 2 for the two ServerIrons in a
high-availability configuration.
NOTE: The remote-id <num> parameter applies only to superzone FWLB. See the "Configuring Superzone
FWLB" chapter in the Foundry ServerIron Firewall Load Balancing Guide.
Possible values: See above
Default value: N/A
fwall-zone
Configures a firewall zone. Use this command when configuring multi-zone FWLB. For a complete configuration
example, see the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
To configure an ACL and a firewall zone that uses the ACL, enter commands such as the following:
Zone1-SI(config)# access-list 2 permit 209.157.25.0 0.0.0.255
Zone1-SI(config)# server fw-group 2
Zone1-SI(config-tc-2)# fwall-zone Zone2 2 2
fw-exceed-max-drop
Configures the ServerIron to drop the traffic instead of load balancing it using the hashing mechanism.
By default, if the ServerIron receives traffic that it needs to forward to a firewall, but the firewall already has the
maximum number of sessions open or has exceeded its maximum connection rate, the ServerIron uses a hashing
mechanism to select another firewall. The hashing mechanism selects another firewall based on the source and
destination IP addresses and application port numbers in the packet.
The ServerIron drops traffic only until the firewall again has available sessions.
EXAMPLE:
ServerIron(config-tc-2)# fw-exceed-max-drop
fw-health-check icmp
Changes the number of times the ServerIron attempts a Layer 3 health check of an FWLB path before concluding
that the path is unhealthy.
By default, the ServerIron checks the health of each firewall and router path by sending an ICMP ping on the path
every 400 milliseconds.
If the ServerIron receives one or more responses within 1.2 seconds, the ServerIron concludes that the path
is healthy.
Otherwise, the ServerIron reattempts the health check by sending another ping. By default, the ServerIron
reattempts an unanswered path health check up to three times before concluding that the path is unhealthy.
You can change the maximum number of retries to a value from 3 to 31 (ServerIron 400 and ServerIron 800) or
8 to 31 (all other ServerIron models).
EXAMPLE:
ServerIron(config-tc-2)# fw-health-check icmp 20
UDP: The ServerIron sends and listens for path health check packets on the port you specify. If you do not
specify a port, the ServerIron uses port 7777 by default. The port number is used as both the source and
destination UDP port number in the health check packets.
TCP: The ServerIron listens for path health check packets on the port you specify, but sends them using a
randomly generated port number. If you do not specify a port, the ServerIron uses port 999 as the destination
port by default.
NOTE: You must configure the same Layer 4 health check parameters on all the ServerIrons in the FWLB
configuration. Otherwise, the paths will fail the health checks.
EXAMPLE:
ServerIron(config-tc-2)# fw-health-check udp
The command in this example enables Layer 4 health checks on UDP port 7777. This ServerIron sends firewall
path health checks to UDP port 7777 and listens for health checks on UDP port 7777.
fw-name
Adds a firewall to the firewall group for firewall load balancing.
EXAMPLE:
To add a firewall named FW99 to firewall group 2, enter the following commands:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fw-name FW99
NOTE: The command prompt looks the same for cache groups and the firewall group. Make sure you enter the
fw-group 2 command instead of the cache-group <num> command to reach the CLI prompt shown in this
example.
fw-predictor
Configures the ServerIron to load balance based on the lowest number of connections for the traffic flow's
application. By default, the ServerIron load balances firewall traffic flows by selecting the firewall with the lowest
number of total connections.
For example, suppose a configuration has two firewalls (FW1 and FW2), and each firewall has two application
ports defined (HTTP and SMTP). Also assume the following:
Using the default load balancing method, traffic for a new flow is load balanced to FW2, since this firewall has
fewer total connections. This is true regardless of the application in the traffic. However, using the load balancing
by application method, a new traffic flow carrying HTTP traffic is load balanced to FW1 instead of FW2, because
FW1 has fewer HTTP connections. A new traffic flow for SMTP is load balanced to FW2, since FW2 has fewer
SMTP connections.
EXAMPLE:
ServerIron(config-tc-2)# fw-predictor per-service-least-conn
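The following Python model, added here and not Foundry code, works through the firewall selection described for fw-predictor (default lowest total connections versus per-service-least-conn) and the full-firewall handling described for fw-exceed-max-drop. The connection counts, flows and the CRC-32 stand-in for the ServerIron's rehash are constructed assumptions, since the page's table of counts did not survive.

```python
"""Firewall choice under the two fw-predictor behaviours plus the overflow
handling of fw-exceed-max-drop. Added example, not Foundry code; counts,
flows and the CRC-32 rehash are constructed assumptions."""
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, int, str]   # (src_ip, dst_ip, src_port, dst_port, app)


@dataclass
class Firewall:
    name: str
    max_sessions: int
    conns: Dict[str, int] = field(default_factory=dict)  # app -> open connections

    def total(self) -> int:
        return sum(self.conns.values())


class FirewallGroup:
    def __init__(self, firewalls: List[Firewall], per_service: bool = False,
                 exceed_max_drop: bool = False) -> None:
        self.firewalls = firewalls
        self.per_service = per_service          # fw-predictor per-service-least-conn
        self.exceed_max_drop = exceed_max_drop  # fw-exceed-max-drop

    def _predict(self, app: str) -> Firewall:
        if self.per_service:
            # lowest connection count for this flow's own application
            return min(self.firewalls, key=lambda fw: fw.conns.get(app, 0))
        # default: lowest number of total connections
        return min(self.firewalls, key=lambda fw: fw.total())

    def _rehash(self, flow: Flow) -> Optional[Firewall]:
        """Default overflow handling: pick another firewall by hashing the
        source/destination addresses and application ports (CRC-32 assumed)."""
        src, dst, sport, dport, _ = flow
        candidates = [fw for fw in self.firewalls if fw.total() < fw.max_sessions]
        if not candidates:
            return None
        key = f"{src}{dst}{sport}{dport}".encode()
        return candidates[zlib.crc32(key) % len(candidates)]

    def assign(self, flow: Flow) -> Optional[str]:
        """Return the firewall name the flow goes to, or None if it is dropped."""
        app = flow[4]
        fw = self._predict(app)
        if fw.total() >= fw.max_sessions:
            if self.exceed_max_drop:
                return None          # dropped until the firewall frees sessions
            fw = self._rehash(flow)
            if fw is None:
                return None
        fw.conns[app] = fw.conns.get(app, 0) + 1
        return fw.name


def constructed_group(**kwargs) -> FirewallGroup:
    """Two firewalls with constructed HTTP/SMTP counts: FW1 has more total
    connections but fewer HTTP connections than FW2."""
    return FirewallGroup([
        Firewall("FW1", max_sessions=100, conns={"http": 20, "smtp": 50}),
        Firewall("FW2", max_sessions=100, conns={"http": 30, "smtp": 10}),
    ], **kwargs)


def first_choice(app: str, per_service: bool) -> Optional[str]:
    """Where a new flow for `app` lands with the given predictor."""
    group = constructed_group(per_service=per_service)
    dport = 80 if app == "http" else 25
    return group.assign(("10.0.0.1", "203.0.113.5", 50000, dport, app))


def overflow_behaviour() -> Tuple[Optional[str], Optional[str]]:
    """FW1 (70 sessions) is at its maximum: the default rehashes to FW2,
    fw-exceed-max-drop drops the flow instead."""
    flow = ("10.0.0.1", "203.0.113.5", 50001, 80, "http")
    results = []
    for drop in (False, True):
        group = constructed_group(per_service=True, exceed_max_drop=drop)
        group.firewalls[0].max_sessions = 70
        results.append(group.assign(flow))
    return results[0], results[1]
```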
hash-mask
This command defines how requests are distributed among multiple web cache servers or firewalls within a cache
group or firewall group.
EXAMPLE:
To direct all web queries destined for the same web site (such as www.rumors.com) to the same cache server for
processing, enter the following hash-mask command:
ServerIron(config-tc-1)# hash-mask 255.255.255.255 0.0.0.0
NOTE: This is useful for networks that have many users accessing the same web site locations. It may be more
useful to use only the first three octets of the Destination IP address (255.255.255.0) for web sites that may return
multiple web server addresses (for example, www.rumors1.com and www.rumors2.com) in response to
www.rumors.com queries.
EXAMPLE:
To direct all users from the same Class B sub-net (255.255.0.0) to either server1 or server2 and to direct all
redundant requests destined to the same web site (255.255.255.0) to the same web cache server, enter the
following hash-mask command:
ServerIron(config-tc-1)# hash-mask 255.255.255.0 255.255.0.0
EXAMPLE:
To configure a hash mask for firewall load balancing, enter the following command:
ServerIron(config-tc-1)# hash-mask 255.255.255.255 255.255.255.255
NOTE: The command prompt looks the same for cache groups and the firewall group. Make sure you enter the
fw-group 2 command instead of the cache-group <num> command to reach the CLI prompt shown in this
example.
hash-port-range
Specifies a range of TCP or UDP application port numbers for use in FWLB hashing calculations. This is useful in
environments where the same source-and-destination pairs generate a lot of traffic and you want to load balance
the traffic across more than one firewall.
By default, the FWLB hashing algorithm uses the source and destination IP addresses of a packet for hashing but
disregards the source and destination TCP or UDP application port numbers.
NOTE: You also can specify a list of ports, in which case the software hashes based on the combined set of
ports from the list and the range. If you specify both a list and a range of ports, the software uses the source and
destination application ports of a packet to hash, if the packet's source or destination application port is one of the
ports in the specified list or the specified range.
EXAMPLE:
To specify a range of application ports, enter a command such as the following at the firewall group configuration
level of the CLI:
ServerIron(config-tc-2)# hash-port-range 69 80
hash-ports
Specifies a list of TCP or UDP application port numbers for use in FWLB hashing calculations. This is useful in
environments where the same source-and-destination pairs generate a lot of traffic and you want to load balance
the traffic across more than one firewall.
By default, the FWLB hashing algorithm uses the source and destination IP addresses of a packet for hashing but
disregards the source and destination TCP or UDP application port numbers.
NOTE: You also can specify a range of ports, in which case the software hashes based on the combined set of
ports from the list and the range. If you specify both a list and a range of ports, the software uses the source and
destination application ports of a packet to hash, if the packet's source or destination application port is one of the
ports in the specified list or the specified range.
EXAMPLE:
To specify a list of TCP/UDP ports to include in the hash calculations for firewall load balancing:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# hash-ports 69 80
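The Python simulation below, added here and not Foundry code, shows how the hash-mask examples above and the hash-ports / hash-port-range options change which cache server or firewall a packet selects. The ServerIron's actual hash function is not documented here, so CRC-32 over the masked fields stands in for it; server names and addresses are constructed.

```python
"""Simulation of cache-group / fw-group hashing for hash-mask, hash-ports
and hash-port-range. Added example, not Foundry code: CRC-32 over the
masked fields is an assumed stand-in for the ServerIron's hash."""
import ipaddress
import zlib
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def apply_mask(addr: str, mask: str) -> bytes:
    """Bitwise-AND an IPv4 address with a hash-mask and return the 4 bytes."""
    masked = int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))
    return masked.to_bytes(4, "big")


@dataclass
class HashGroup:
    """One cache group or firewall group.

    hash-mask <dest-mask> <source-mask> selects which address bits enter the
    hash; hash-ports / hash-port-range decide whether TCP/UDP ports do."""
    servers: List[str]
    dest_mask: str
    source_mask: str
    hash_ports: List[int] = field(default_factory=list)
    hash_port_range: Optional[Tuple[int, int]] = None

    def port_is_hashed(self, port: int) -> bool:
        """A port counts if it is in the hash-ports list or the hash-port-range."""
        if port in self.hash_ports:
            return True
        if self.hash_port_range is not None:
            low, high = self.hash_port_range
            return low <= port <= high
        return False

    def select(self, src_ip: str, dst_ip: str, src_port: int = 0, dst_port: int = 0) -> str:
        key = apply_mask(dst_ip, self.dest_mask) + apply_mask(src_ip, self.source_mask)
        # By default the application ports are disregarded; they are added only
        # when the packet's source or destination port is in the list or range.
        if self.port_is_hashed(src_port) or self.port_is_hashed(dst_port):
            key += src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big")
        return self.servers[zlib.crc32(key) % len(self.servers)]


CACHES = ["cache1", "cache2", "cache3"]   # constructed cache servers
FIREWALLS = ["FW1", "FW2"]                # constructed firewalls


def same_site_same_cache() -> bool:
    """hash-mask 255.255.255.255 0.0.0.0: every client fetching one web server
    address lands on the same cache, whatever the client address."""
    group = HashGroup(CACHES, "255.255.255.255", "0.0.0.0")
    site = "198.51.100.10"                 # constructed web server address
    picks = {group.select(f"10.{i}.{i}.{i}", site) for i in range(1, 40)}
    return len(picks) == 1


def class_c_site_grouping() -> bool:
    """hash-mask 255.255.255.0 255.255.0.0: two server addresses in one /24
    (the www.rumors1.com / www.rumors2.com case) hash identically, and two
    clients in the same /16 agree as well."""
    group = HashGroup(CACHES, "255.255.255.0", "255.255.0.0")
    a = group.select("10.1.7.7", "198.51.100.10")
    b = group.select("10.1.200.9", "198.51.100.11")
    return a == b


def fwlb_spread_with_hash_ports() -> Tuple[int, int]:
    """FWLB: hash-mask 255.255.255.255 255.255.255.255 pins one src/dst pair to
    one firewall; adding hash-ports 69 80 lets flows to port 80 spread.
    Returns (distinct firewalls without hash-ports, distinct with hash-ports)."""
    plain = HashGroup(FIREWALLS, "255.255.255.255", "255.255.255.255")
    ported = HashGroup(FIREWALLS, "255.255.255.255", "255.255.255.255",
                       hash_ports=[69, 80])
    src, dst = "10.0.0.5", "203.0.113.80"
    without = {plain.select(src, dst, sp, 80) for sp in range(40000, 40050)}
    with_ports = {ported.select(src, dst, sp, 80) for sp in range(40000, 40050)}
    return len(without), len(with_ports)
```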
http-cache-control
This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This
command ensures that HTTP 1.0 requests that have a pragma:no-cache header and HTTP 1.1 requests that have
a Cache-Control header containing a no-cache directive are sent to the Internet. This is the default behavior. You
can use the no form of this command to configure the ServerIron to ignore the pragma:no-cache or Cache-Control
header in an HTTP request.
EXAMPLE:
To configure the ServerIron to ignore the pragma:no-cache or Cache-Control header in an HTTP request:
ServerIron(config-tc-1)# no http-cache-control
l2-fwall
Enables Layer 2 FWLB for Layer 2 firewalls and for static route configurations.
EXAMPLE:
To enable the L2-fwall option on a ServerIron, enter the following commands:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# l2-fwall
Syntax: l2-fwall
Possible values: N/A
Default value: Disabled
no
This command is used to disable other commands. To do so, place the word no before the command.
no-group-failover
Causes requests to be dropped if a URL switching policy directs the requests to a server group, but none of the
cache servers in the server group are available. Without this command, if none of the cache servers in a server
group are available, the requests are directed to one of the other server groups configured on the device.
EXAMPLE:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# no-group-failover
ServerIron(config-tc-1)# exit
Syntax: no-group-failover
Possible values: N/A
Default value: N/A
no-http-downgrade
Prevents the ServerIron from downgrading the HTTP version in a request to 1.0.
In a content aware cache switching configuration, when the ServerIron receives an HTTP request from a client, it
determines to which cache server it should send the request. The ServerIron then establishes a TCP connection
with the selected cache server and sends it the request.
If the request sent from the client to the ServerIron uses HTTP version 1.1, the ServerIron downgrades the HTTP
version to 1.0 when it sends the request to the cache server. If you want to use HTTP 1.1 for the connection
between the ServerIron and the cache servers, you can prevent the ServerIron from downgrading the HTTP
version to 1.0.
EXAMPLE:
ServerIron(config)# server cache-group 1
ServerIron(config-vs-tc-1)# no-http-downgrade
ServerIron(config-vs-tc-1)# exit
Syntax: no-http-downgrade
Possible values: N/A
Default value: N/A
prefer-cnt
Specifies a path link tolerance for firewall paths. The default failover tolerance for firewall paths is one half the
configured firewall paths.
NOTE: The minimum number of required paths must match on each ServerIron in an active-standby pair. For
example, if you specify one router path and three firewall paths as the minimum on the active ServerIron, you must
configure the same minimums on the standby ServerIron.
EXAMPLE:
To specify the minimum number of paths required on a ServerIron:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# prefer-cnt 3
This example specifies that a minimum of three firewall paths must be available for the ServerIron to remain active.
Thus, if the ServerIron has three firewall paths, one path can be unavailable and the ServerIron will remain the
active ServerIron.
prefer-router-cnt
Specifies a path link tolerance for router paths. The default tolerance for router ports is one half the configured
router ports.
NOTE: The minimum number of required paths must match on each ServerIron in an active-standby pair. For
example, if you specify one router path and three firewall paths as the minimum on the active ServerIron, you must
configure the same minimums on the standby ServerIron.
EXAMPLE:
To specify the minimum number of paths required on a ServerIron:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# prefer-router-cnt 3
This example specifies that a minimum of three router paths must be available for the ServerIron to remain active.
Thus, if the ServerIron has three router paths, one path can be unavailable and the ServerIron will remain the
active ServerIron.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-tc-1)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
spoof-support
Configures the ServerIron to support TCS using cache servers that send requests to the Internet using the
requesting client's IP address as the source (known as cache server spoofing).
EXAMPLE:
ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# spoof-support
source-nat
Configures the ServerIron to translate the source address of client requests the ServerIron forwards to cache
servers. The ServerIron changes the address to a source IP address you have configured on the ServerIron.
Add source IP addresses and enable source NAT if the ServerIron and cache server are in different sub-nets. For
information, see the "Configuring Network Address Translation" chapter of the Foundry ServerIron Installation and
Configuration Guide.
EXAMPLE:
ServerIron(config-tc-1)# source-nat
sym-priority
Specifies the priority of this ServerIron with respect to the other ServerIron for the firewalls in the firewall group.
The ServerIron with the higher priority is the default active ServerIron for the firewalls within the group.
EXAMPLE:
SI-ActiveA(config)# server fw-group 2
SI-ActiveA(config-tc-2)# sym-priority 254
url-host-id
This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This
command causes HTTP requests for a specified host to be evaluated by a specified URL switching policy.
EXAMPLE:
To cause HTTP requests for www.mysite.com to be evaluated by policyA:
ServerIron(config-tc-1)# url-host-id www.mysite.com policyA
url-map
This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This
command specifies a URL switching policy to be active for this cache group. If you configure more than one URL
switching policy, the policies must be linked together.
EXAMPLE:
To specify a URL switching policy to be active for a cache group:
ServerIron(config-tc-1)# url-map p1
url-switch
Activates Content Aware Cache Switching for this cache group. You must have already defined the URL switching
policies before entering this command.
EXAMPLE:
To activate Content Aware Cache Switching for a cache group:
ServerIron(config-tc-1)# url-switch
Syntax: url-switch
Possible values: N/A
Default value: N/A
virtual-ip
This command configures the ServerIron for either of the following features:
Policy-based Cache Failover. See the "Configuring Transparent Cache Switching" chapter in the Foundry
ServerIron Installation and Configuration Guide.
FWLB for VPN firewalls. See the Foundry ServerIron Firewall Load Balancing Guide.
EXAMPLE:
To add virtual IP address 209.157.22.26 to cache group 1, enter the following command:
ServerIron(config-tc-1)# virtual-ip 209.157.22.26
EXAMPLE:
To enable the VPN Load Balancing feature and specify the FireWall-1 Cluster IP address, enter the following
commands. These commands apply to the ServerIron that is connected to the Internet side of the firewalls.
ServerIron(config)# server vpn-lb
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# virtual-ip 10.10.1.10
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-tc-1)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-tc-1)# write terminal
Chapter 13
GSLB Affinity Commands
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-gslb-affinity)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-affinity)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
no
This command is used to disable other commands. To do so, place the word no before the command.
prefer
Configures a GSLB affinity definition. The GSLB Affinity feature configures the GSLB ServerIron to always prefer
a specific site ServerIron for queries from clients whose addresses are within a given IP prefix. For more
information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation
and Configuration Guide.
EXAMPLE:
To configure an affinity definition, enter commands such as the following:
ServerIron(config)# gslb affinity
Syntax: [no] prefer <site-name> <si-name> | <si-ip-addr> for <ip-addr> <ip-mask> | <ip-addr>/<prefix-length>
You can refer to the ServerIron by its GSLB site name and ServerIron name or by its management IP address.
Use one of the following parameters:
The <site-name> and <si-name> parameters specify the remote site and a ServerIron at that site. If you use
this method, you must specify both parameters.
NOTE: In either case, the running-config and the startup-config file refer to the ServerIron by its IP address.
The <ip-addr> <ip-mask> or <ip-addr>/<prefix-length> parameter specifies the prefix. You can specify a mask
from 0.0.0.0 to 255.255.255.254. If you instead specify a prefix length, you can specify from 0 to 31 bits.
If you specify 0.0.0.0 0.0.0.0 or 0.0.0.0/0, the ServerIron applies the affinity definition to all client addresses. As a
result, an address that does not match another affinity definition uses the zero affinity definition by default. If you
do not configure a default affinity definition, the ServerIron uses the standard GSLB policy for clients whose
addresses are not within a prefix in an affinity definition.
Possible values: See above.
Default value: N/A
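The matching rules above (both prefix notations, the 0 to 31 bit limit, the zero affinity definition as a fallback, no definition meaning the standard GSLB policy decides) are easy to get wrong when auditing a configuration. The following Python model is an added example and is not Foundry code; the affinity table, its addresses and the longest-prefix rule used to resolve overlapping definitions are assumptions for illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed affinity table modelled on the "prefer" command: each entry maps a
# client prefix to the site ServerIron that should always be preferred. As on the
# ServerIron, the running-config refers to the ServerIron by its management IP
# address, so that is what is stored here. All addresses are made up.
AFFINITY: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "209.157.22.209"),      # Sunnyvale slb-1 for all 10/8 clients
    ("10.20.0.0 255.255.0.0", "192.108.22.111"),  # mask form: Atlanta slb-1 for 10.20/16
    ("0.0.0.0/0", "209.157.22.210"),       # the "zero" (default) affinity definition
]


def parse_prefix(spec: str) -> ipaddress.IPv4Network:
    """Accept '<ip-addr>/<prefix-length>' or '<ip-addr> <ip-mask>' and enforce the
    documented limits: 0 to 31 bits, i.e. a mask of 0.0.0.0 to 255.255.255.254.
    A /32 (255.255.255.255) is rejected because the command does not allow it."""
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
    else:
        addr, mask = spec.split()            # "<ip-addr> <ip-mask>"
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    if net.prefixlen > 31:
        raise ValueError(f"affinity prefix must be 0 to 31 bits, got /{net.prefixlen}")
    return net


def is_valid_prefix(spec: str) -> bool:
    """True when spec is a prefix the prefer command would accept."""
    try:
        parse_prefix(spec)
        return True
    except ValueError:
        return False


def preferred_site(client_ip: str, table: List[Tuple[str, str]] = AFFINITY) -> Optional[str]:
    """Return the site ServerIron (by IP) an affinity definition selects for this
    client, or None when no definition matches and the standard GSLB policy applies.
    Assumption (not stated in the reference): when several definitions cover the
    client, the longest prefix wins. The 0.0.0.0/0 entry has length 0, so it is
    only used when nothing more specific matches, which is the documented default."""
    ip = ipaddress.IPv4Address(client_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for spec, site_ip in table:
        net = parse_prefix(spec)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site_ip)
    return best[1] if best else None


if __name__ == "__main__":
    for client in ("10.20.5.5", "10.9.9.9", "172.16.1.1"):
        print(client, "->", preferred_site(client))
```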
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-affinity)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-gslb-affinity)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-affinity)# write terminal
Chapter 14
GSLB DNS Zone Commands
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-gslb-dns-foundrynet.com)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
host-info
Configures DNS zone and host information for GSLB.
EXAMPLE:
To specify the foundrynet.com zone and two host names, each of which is associated with an application, enter
the following commands:
ServerIron(config)# gslb dns zone-name foundrynet.com
ServerIron(config-gslb-dns-foundrynet.com)# host-info www http
ServerIron(config-gslb-dns-foundrynet.com)# host-info ftp ftp
The commands in this example add the zone foundrynet.com and add two hosts within that zone: www and ftp.
The GSLB ServerIron will provide global SLB for these two hosts within the zone.
FTP is the well-known name for port 21. (Ports 20 and 21 are both FTP ports, but on the ServerIron the name
FTP corresponds to port 21.)
The <tcp/udp-portnum> parameter specifies a TCP/UDP port number instead of a well-known port. If the
application is not one of those listed above, you still can configure the GSLB ServerIron to perform the Layer 4
health check on the specified port.
NOTE: If the application number does not correspond to one of the well-known ports recognized by the
ServerIron, the GSLB ServerIron performs Layer 4 TCP or UDP health checks for the ports but does not perform
application-specific health checks.
Possible values: see above
Default value: N/A
no
This command is used to disable other commands. To do so, place the word no before the command.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-dns-foundrynet.com)# write terminal
Chapter 15
GSLB Site Commands
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-gslb-site-sunnyvale)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
geo-location
Explicitly identifies the geographic location of a GSLB site. By default, the GSLB ServerIron uses a site's IP
address to determine its geographic location.
EXAMPLE:
To explicitly identify Sunnyvale's geographic location as North America, enter the following commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# geo-location n-america
no
This command is used to disable other commands. To do so, place the word no before the command.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
si-name
Specifies the remote ServerIrons in a GSLB site.
EXAMPLE:
To identify two server sites, each containing two ServerIrons, enter the following commands:
ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.209
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210
ServerIron(config)# gslb site atlanta
ServerIron(config-gslb-site-atlanta)# si-name slb-1 192.108.22.111
ServerIron(config-gslb-site-atlanta)# si-name slb-2 192.108.22.112
These commands configure two GSLB sites. One of the sites is in Sunnyvale and the other is in Atlanta. Each
site contains two ServerIrons that load balance traffic across server farms. The GSLB ServerIron you are
configuring will use information provided by the other ServerIrons when it evaluates the servers listed in DNS
replies.
For example, to set the administrative preference for a site ServerIron to 255, enter a command such as the
following:
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.20 255
To change the preference for a site ServerIron you have already configured, use the same command syntax. You
do not need to reconfigure other site parameters when you change the preference. For example, to change the
preference for a site ServerIron from the default (128) to 200, enter a command such as the following:
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210 200
NOTE: The administrative preference metric is disabled by default, which means it is not used by the GSLB
policy. The GSLB policy uses the preference values only if you enable this metric.
By default, the GSLB ServerIron uses a site's IP address to determine its geographic location. Alternatively, you
can explicitly identify the location. To do so, use the geo-location command.
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-site-sunnyvale)# write terminal
Chapter 16
GSLB Policy Commands
capacity
Disables or re-enables the capacity threshold GSLB metric. This metric represents a site ServerIron's available
TCP/UDP session capacity. This metric is enabled by default, which means the GSLB ServerIron uses this metric
when evaluating the sites in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no capacity
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# capacity
capacity threshold
Specifies how close to the maximum session capacity the site ServerIron (remote ServerIron) can be and still be
eligible as the best site for the client. This mechanism provides a way to shift load away from a site before the site
becomes congested. The default value for the threshold is 90%. Thus a site ServerIron is eligible to be the best
site only if its session utilization is below 90%.
EXAMPLE:
To change the session-table capacity metric, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# capacity threshold 99
dns active-only
Configures the ServerIron to remove IP addresses from DNS replies when those addresses fail a health check.
The ServerIron removes the addresses that fail the check so long as the DNS query still contains at least one
address that passes the health check.
NOTE: A site must pass all applicable health checks (Layer 4 and Layer 7) to avoid being removed.
EXAMPLE:
To configure the ServerIron to remove IP addresses from DNS replies when those addresses fail a health check,
enter the following commands.
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns active-only
dns check-interval
Changes the refresh interval for the DNS queries that refresh and verify zone and host information. The GSLB ServerIron
sends the queries to the DNS for which it is configured to be a proxy.
EXAMPLE:
To change the refresh interval, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns check-interval 50
dns ttl
Specifies the value to which the GSLB ServerIron changes the TTL of each DNS record contained in DNS replies
received from the DNS for which the ServerIron is a proxy.
EXAMPLE:
To change the TTL, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns ttl 45
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-gslb-policy)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-gslb-policy)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
flashback
Disables or re-enables the FlashBack GSLB metric. This metric indicates how quickly the GSLB ServerIron
receives Layer 4-7 health check results. This metric is enabled by default, which means the GSLB ServerIron
uses this metric when evaluating the sites in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no flashback
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# flashback
Application tolerance
TCP tolerance
The GSLB ServerIron uses a tolerance value when comparing the FlashBack speeds of different sites. The
tolerance value specifies the percentage by which the FlashBack speeds of the two sites must differ in order for
the ServerIron to choose one over the other. The default FlashBack tolerance is 10%. Thus, if the FlashBack
speeds of two sites are within 10% of one another, the ServerIron considers the sites to be equal. However, if the
speeds differ by more than 10%, the ServerIron prefers the site with the lower FlashBack speed.
FlashBack speeds are measured at Layer 4 for all TCP/UDP ports. For the application ports known to the
ServerIron, the FlashBack speed of the application is also measured.
When the ServerIron compares the FlashBack speeds, it compares the Layer 7 (application-level) FlashBack
speeds first, if applicable. If the application has a Layer 7 health check and if the FlashBack speeds are not equal,
the ServerIron is through comparing the FlashBack speeds. However, if only the Layer 4 health check applies to
the application, or if further tie-breaking is needed, the ServerIron then compares the Layer 4 FlashBack speeds.
EXAMPLE:
To change the tolerances for the response times of TCP and application health checks, when used as a metric for
selecting a site, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# flashback application tolerance 30
ServerIron(config-gslb-policy)# flashback tcp tolerance 50
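The two-stage comparison described above (Layer 7 FlashBack speeds first, within the application tolerance; Layer 4 only when Layer 7 does not apply or does not separate the sites) is modelled in the following Python example. It is an added example, not Foundry code; the site names and timings are constructed, and measuring the tolerance relative to the slower of the two speeds is an assumption, since the reference does not say which value the percentage is taken against.

```python
from typing import NamedTuple, Optional


class Site(NamedTuple):
    name: str
    l4_flashback_ms: float             # Layer 4 (TCP/UDP) health-check response time
    l7_flashback_ms: Optional[float]   # Layer 7 (application) time; None when the
                                       # application has no Layer 7 health check


def within_tolerance(a_ms: float, b_ms: float, tolerance_pct: float) -> bool:
    """Two FlashBack speeds count as equal when they differ by no more than
    tolerance_pct. Assumption: the difference is taken as a percentage of the
    slower (larger) value, so the result is always between 0 and 100 percent."""
    slower = max(a_ms, b_ms)
    if slower == 0:
        return True
    return abs(a_ms - b_ms) / slower * 100.0 <= tolerance_pct


def compare_flashback(a: Site, b: Site,
                      app_tolerance_pct: float = 10.0,   # "flashback application tolerance"
                      tcp_tolerance_pct: float = 10.0    # "flashback tcp tolerance"
                      ) -> Optional[Site]:
    """Return the site the FlashBack metric prefers, or None when the metric
    considers the two sites equal and a later metric must decide.

    Layer 7 is compared first, but only when both sites have an application
    health check. If the Layer 7 speeds differ by more than the application
    tolerance, that decides and Layer 4 is not consulted. Otherwise (no Layer 7
    check, or Layer 7 speeds equal within tolerance) Layer 4 breaks the tie."""
    if a.l7_flashback_ms is not None and b.l7_flashback_ms is not None:
        if not within_tolerance(a.l7_flashback_ms, b.l7_flashback_ms, app_tolerance_pct):
            return a if a.l7_flashback_ms < b.l7_flashback_ms else b
    if not within_tolerance(a.l4_flashback_ms, b.l4_flashback_ms, tcp_tolerance_pct):
        return a if a.l4_flashback_ms < b.l4_flashback_ms else b
    return None


if __name__ == "__main__":
    sunnyvale = Site("sunnyvale", l4_flashback_ms=20.0, l7_flashback_ms=100.0)
    atlanta = Site("atlanta", l4_flashback_ms=30.0, l7_flashback_ms=105.0)
    # Default 10% tolerances: Layer 7 is equal (5 of 105), Layer 4 decides.
    print(compare_flashback(sunnyvale, atlanta))
    # The tolerances from the example above (30% application, 50% TCP): a tie.
    print(compare_flashback(sunnyvale, atlanta, 30.0, 50.0))
```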
geographic
Disables or re-enables the geographic GSLB metric. This metric indicates the geographic location of a site. This
metric is enabled by default, which means the GSLB ServerIron uses this metric when evaluating the sites in a
DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no geographic
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# geographic
health-check
Disables or re-enables the health-check GSLB metric. This metric indicates whether the site has passed the
Layer 4 and (if applicable) Layer 7 health checks. The GSLB ServerIron uses this metric when evaluating the sites
in a DNS reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no health-check
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# health-check
metric-order
Changes the order in which the GSLB ServerIron applies the policy metrics. To change the order, specify the
metrics in the desired order.
NOTE: Foundry Networks recommends that you always use the health check as the first metric. Otherwise, it is
possible that the GSLB policy will not select a "best choice," and thus send the DNS reply unchanged. For
example, if the first metric is geographic location, and the DNS reply contains two sites, one in North America and
the other in South America, for clients in South America the GSLB policy favors the South American site after the
first comparison. However, if that site is down, the GSLB policy will find that none of the sites in the reply is the
best one, and thus send the reply unchanged.
You cannot disable or change the position of the Least Response Selection metric. The GSLB ServerIron uses
this metric as a tie-breaker if the other comparisons do not result in selection of a best site.
EXAMPLE:
To specify a new GSLB policy order, enter a command such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# metric-order set round-trip-time capacity num-session flashback
This command changes the GSLB policy to the following:
The round-trip time between the remote ServerIron and the DNS client
The site ServerIron's FlashBack speed (how quickly the GSLB receives the health check results)
The Least Response selection (the site ServerIron that has been selected less often than others)
Two of the metrics, server health and geographic location, are not specified. As a result, these metrics are not
used when evaluating site IP addresses in the DNS responses.
To display the GSLB policy after you change it, enter the show gslb policy command. For more information, see
the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration
Guide.
flashback: The site ServerIron's FlashBack speed (how quickly the GSLB receives the health check results)
round-trip-time: The round-trip time between the remote ServerIron and the DNS client
There is no parameter for the Least Response Selection. This metric is always enabled and is always the last one
in the policy.
To reset the order of the GSLB policy metrics to the default (and also re-enable all disabled metrics), enter the
following command:
ServerIron(config-gslb-policy)# metric-order default
The default metric order is:
health-check
num-session
round-trip-time
geographic
capacity
flashback
least-response (this metric is a tie-breaker and is always enabled and always last; you cannot disable or reorder this metric)
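The NOTE above explains why health-check should stay first: a metric that runs before it can narrow the candidates to a site that later turns out to be down, leaving no best site and an unchanged DNS reply. The Python model below reproduces that reasoning with three of the metrics (health-check, geographic, and capacity with its 90% threshold) plus the least-response tie-breaker. It is an added example, not Foundry code: the site records and regions are constructed, and treating each metric as a filter over the remaining candidates is a simplification of the real policy engine.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class SiteState:
    name: str
    region: str              # geographic location, e.g. "n-america" or "s-america"
    healthy: bool            # passed the Layer 4 and (if applicable) Layer 7 health checks
    session_util_pct: float  # TCP/UDP session table utilisation reported by the site
    selections: int          # how often this site has already been chosen


CAPACITY_THRESHOLD_PCT = 90.0   # default of "capacity threshold"

Metric = Callable[[List[SiteState], str], List[SiteState]]


def health_check(candidates: List[SiteState], client_region: str) -> List[SiteState]:
    """Keep only sites that passed their health checks."""
    return [s for s in candidates if s.healthy]


def geographic(candidates: List[SiteState], client_region: str) -> List[SiteState]:
    """Favor sites in the client's region; if none is, the metric does not discriminate."""
    local = [s for s in candidates if s.region == client_region]
    return local or candidates


def capacity(candidates: List[SiteState], client_region: str) -> List[SiteState]:
    """A site is eligible only while its session utilisation is below the threshold."""
    return [s for s in candidates if s.session_util_pct < CAPACITY_THRESHOLD_PCT]


METRICS: Dict[str, Metric] = {
    "health-check": health_check,
    "geographic": geographic,
    "capacity": capacity,
}

# The three modelled metrics in their documented default relative order.
DEFAULT_ORDER = ["health-check", "geographic", "capacity"]


def select_best_site(sites: List[SiteState], client_region: str,
                     metric_order: List[str]) -> Optional[str]:
    """Apply the metrics in the configured order, then the least-response
    tie-breaker. Returns the chosen site name, or None when no site survives,
    which is the case where the GSLB ServerIron sends the DNS reply unchanged."""
    candidates = list(sites)
    for metric_name in metric_order:
        candidates = METRICS[metric_name](candidates, client_region)
        if not candidates:
            return None
    # Least Response Selection: always last, cannot be disabled or reordered.
    return min(candidates, key=lambda s: s.selections).name


if __name__ == "__main__":
    north = SiteState("sunnyvale", "n-america", healthy=True, session_util_pct=40.0, selections=5)
    south = SiteState("sao-paulo", "s-america", healthy=False, session_util_pct=10.0, selections=2)
    # Geographic first: the South American site wins the first comparison, then
    # fails the health check, so nothing is left and the reply goes out unchanged.
    print(select_best_site([north, south], "s-america", ["geographic", "health-check", "capacity"]))
    # Health check first: the down site is removed before geography is considered.
    print(select_best_site([north, south], "s-america", DEFAULT_ORDER))
```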
no
This command is used to disable other commands. To do so, place the word no before the command.
num-session
Disables or re-enables the GSLB metric for the site ServerIron's session capacity threshold. The capacity
threshold specifies how close to the maximum session capacity the site ServerIron (remote ServerIron) can be
and still be eligible as the best site for the client. This mechanism provides a way to shift load away from a site
before the site becomes congested. The GSLB ServerIron uses this metric when evaluating the sites in a DNS
reply to choose the best site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no num-session
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# num-session
num-session tolerance
Specifies the percentage by which the number of available sessions on the site ServerIron can differ from the
number of available sessions on another site ServerIron and still be considered an equally good site.
EXAMPLE:
To change the session-table tolerance metric, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# num-session tolerance 20
preference
Enables the administrative preference GSLB metric.
To assign preference values for individual site ServerIrons, see si-name on page 15-2.
EXAMPLE:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# preference
Possible values: N/A
Default value: Disabled
protocol
Enables the GSLB protocol on a site ServerIron.
For security, remote ServerIrons do not listen to TCP port 182 (the GSLB protocol port) by default. This means
the GSLB protocol is disabled on remote site ServerIrons by default. For a remote ServerIron to use the protocol,
you must enable the protocol on the remote ServerIron.
NOTE: Enter this command on the site ServerIron, not on the GSLB ServerIron.
NOTE: You also can secure access to a ServerIron by configuring Access Control Lists (ACLs). For example,
you can configure ACLs to control access to the device on TCP port 182. See the "Using Access Control Lists
(ACLs)" chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.
EXAMPLE:
To enable a remote ServerIron to use the GSLB protocol, enter the following command:
ServerIron(config)# gslb protocol
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-gslb-policy)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
round-trip-time
Disables or re-enables the GSLB metric for the round-trip time between the remote ServerIron and the DNS client.
The round-trip time (RTT) is the amount of time that passes between when the remote site initiates a TCP
connection (sends a TCP SYN) to the client and when the remote site receives the client's acknowledgment of the
connection request (sends a TCP ACK). The GSLB ServerIron learns the RTT information from the site
ServerIrons through the Foundry GSLB protocol and uses the information as a metric when comparing site IP
addresses. The GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best
site.
EXAMPLE:
To disable this metric, enter the following command:
ServerIron(config-gslb-policy)# no round-trip-time
To re-enable this metric, enter the following command:
ServerIron(config-gslb-policy)# round-trip-time
round-trip-time cache-interval
Changes the RTT cache interval, which specifies how often the site ServerIrons use the Foundry GSLB protocol
to send RTT information to the GSLB ServerIron. The GSLB ServerIron stores this information in a cache. The
GSLB ServerIron uses the entries in the cache when using the RTT metric to evaluate IP addresses in a DNS
reply.
EXAMPLE:
To change the RTT cache interval, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time cache-interval 30
The command in this example changes the RTT cache interval from 10 seconds to 30 seconds.
round-trip-time cache-prefix
Changes the RTT cache prefix, which specifies the level of aggregation that occurs in the GSLB ServerIron's RTT
cache. The entries in the RTT cache include IP address information for the clients. To avoid overflowing the
cache, cache entries are aggregated based on the IP information. For example, if the GSLB ServerIron receives
RTT information for clients at 192.21.4.69 and 192.21.4.18, and the cache prefix is 31 bits, both addresses go in
as separate entries. However, if the prefix is 16 bits, the GSLB ServerIron aggregates the addresses. In this case,
only one entry, 192.21.x.x, goes in the cache.
EXAMPLE:
To change the RTT cache prefix, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time cache-prefix 16
The command in this example changes the RTT cache prefix from 20 bits to 16 bits.
round-trip-time explore-percentage
Changes the RTT explore percentage, which prevents the GSLB ServerIron from unfairly biasing selection of the
best site based on previous RTT responses.
Site ServerIrons send RTT information only for the sessions that clients open with them. These are clients
referred to the site ServerIron by the GSLB ServerIron. If the metrics that come before this one (based on the
GSLB policy order) do not select a best site, the ServerIron selects a site based on RTT.
Since the only RTT information received by the GSLB ServerIron comes from the site ServerIrons to which the
GSLB ServerIron has referred clients, it is possible for the GSLB ServerIron to continually bias its selection toward
the first site ServerIron that sent RTT information. To prevent this from occurring, the GSLB ServerIron
intentionally ignores the RTT metric for a specified percentage of the requests from a given client network. You
can specify an RTT explore percentage from 0 to 100. The default is 5. By default, the GSLB ServerIron ignores
the RTT for 5% of the client requests from a given network.
EXAMPLE:
To change the RTT explore percentage, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time explore-percentage 10
The command in this example changes the RTT explore percentage from 5% to 10%.
round-trip-time tolerance
Changes the RTT tolerance. When the GSLB ServerIron compares two site IP addresses based on RTT, the
GSLB ServerIron favors one site over the other only if the difference between the RTT values is greater than the
specified percentage. This percentage is the RTT tolerance. You can set the RTT tolerance to a value from
0 to 100. The default is 10%.
EXAMPLE:
To change the RTT tolerance, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time tolerance 70
The command in this example changes the RTT tolerance from 10% to 70%.
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
static-prefix
Adds static prefix information to the cache. For example, you can add static cache entries with longer prefix
information than the dynamic cache entries to ensure that RTT information is stored under the static entries
instead of dynamic cache entries with shorter prefixes. This is useful when you want to ensure that certain
prefixes are always present in the cache regardless of how often the GSLB ServerIron receives RTT data for
them. Static prefixes do not age out.
NOTE: The GSLB ServerIron uses the most exact match when more than one prefix entry can apply to the same
site address. To ensure that the GSLB ServerIron uses a static entry instead of certain dynamic entries for a given
address, make sure the prefix of the static entry is longer than the prefix for dynamic entries.
NOTE: Since RTT information is stored under individual domain names that are queried, the RTT information
reported from remote ServerIrons is not recorded under the static records until the GSLB ServerIron receives
the first DNS query or response.
EXAMPLE:
To add a static prefix cache entry, enter commands such as the following:
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# static-prefix 61.1.1.1/20
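The RTT cache behaviour described under round-trip-time cache-prefix (aggregation of client addresses at the cache prefix length) and under static-prefix (static entries that never age out and win when they are the most exact match) is modelled together in the following Python example. It is an added example, not Foundry code; the RTT samples and the static prefixes other than the page's 61.1.1.1/20 are constructed, and averaging the samples stored under an entry is an assumption about how the cache summarises them.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


class RttCache:
    """Model of the GSLB ServerIron RTT cache.

    Dynamic entries are aggregated under `cache_prefix` bits (the
    "round-trip-time cache-prefix" setting, default 20). Static prefixes added
    with "static-prefix" never age out. When both a static prefix and the
    dynamic aggregate cover a client address, the most exact (longest) prefix
    is used, so a static entry only overrides dynamic entries when it is
    longer than the cache prefix."""

    def __init__(self, cache_prefix: int = 20) -> None:
        if not 0 <= cache_prefix <= 32:
            raise ValueError("cache prefix must be 0 to 32 bits")
        self.cache_prefix = cache_prefix
        self.static: List[IPv4Net] = []
        self.entries: Dict[IPv4Net, List[float]] = {}   # cache key -> RTT samples (ms)

    def add_static_prefix(self, spec: str) -> IPv4Net:
        """Equivalent of 'static-prefix <ip-addr>/<prefix-length>'; host bits are
        ignored, so 61.1.1.1/20 becomes the entry 61.1.0.0/20."""
        net = ipaddress.IPv4Network(spec, strict=False)
        if net not in self.static:
            self.static.append(net)
        return net

    def key_for(self, client_ip: str) -> IPv4Net:
        """Select the cache entry a client address is stored under: the most
        exact match among the covering static prefixes and the dynamic aggregate.
        On equal length the static entry is preferred (an assumption)."""
        ip = ipaddress.IPv4Address(client_ip)
        dynamic = ipaddress.IPv4Network(f"{ip}/{self.cache_prefix}", strict=False)
        candidates: List[Tuple[int, int, IPv4Net]] = [(dynamic.prefixlen, 0, dynamic)]
        candidates += [(n.prefixlen, 1, n) for n in self.static if ip in n]
        return max(candidates, key=lambda c: (c[0], c[1]))[2]

    def record(self, client_ip: str, rtt_ms: float) -> IPv4Net:
        """Store an RTT sample reported by a site ServerIron for this client."""
        key = self.key_for(client_ip)
        self.entries.setdefault(key, []).append(rtt_ms)
        return key

    def lookup(self, client_ip: str) -> Optional[float]:
        """Average RTT known for the entry covering this client, or None."""
        samples = self.entries.get(self.key_for(client_ip))
        return sum(samples) / len(samples) if samples else None


if __name__ == "__main__":
    # The reference's example: separate entries at 31 bits, one entry at 16 bits.
    for bits in (31, 16):
        cache = RttCache(cache_prefix=bits)
        for client in ("192.21.4.69", "192.21.4.18"):
            print(bits, client, "->", cache.record(client, 40.0))
    # Static prefix from the page; with the default 20-bit cache prefix it ties
    # with the dynamic aggregate, so a longer static prefix is what gives priority.
    cache = RttCache()
    print(cache.add_static_prefix("61.1.1.1/20"))
```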
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-gslb-policy)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-gslb-policy)# write terminal
Chapter 17
URL Switching Commands
default
Specifies what happens when the URL string does not meet any of the selection criteria in a URL switching
policy's match command(s).
EXAMPLE:
The following commands define a URL switching policy called p1.
ServerIron(config)# url-map p1
ServerIron(config-url-p1)# method prefix
ServerIron(config-url-p1)# match "/home" 1
ServerIron(config-url-p1)# default p2
ServerIron(config-url-p1)# exit
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-url-p1)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-url-p1)# exit
ServerIron(config)#
Syntax: exit
match
Specifies the selection criteria in a URL switching policy and indicates what to do when the URL string matches
the selection criteria.
EXAMPLE:
ServerIron(config-url-p1)# match "/home" 1
method
Specifies what kind of matching the URL switching policy does on the selection criteria.
EXAMPLE:
ServerIron(config-url-p1)# method prefix
no
This command is used to disable other commands. To do so, place the word no before the command.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-url-p1)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
tcp-port
Specifies a TCP port where HTTP requests evaluated by the URL switching policy are sent.
EXAMPLE:
ServerIron(config-url-urlmap3)# tcp-port 8081
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-url-p1)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-url-p1)# write terminal
Chapter 18
HTTP Match List Commands
default
Specifies what happens if none of the HTML text in the HTTP response message meets the selection criteria in
the matching list: either mark port 80 on the real server FAILED or ACTIVE.
EXAMPLE:
To cause port 80 on the real server to be marked FAILED if none of the selection criteria are found in the HTTP
response message:
ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# up compound "monkey see" "monkey do" log
ServerIron(config-http-ml-m4)# down compound "500" "Internal Server Error" log
ServerIron(config-http-ml-m4)# default down
ServerIron(config-http-ml-m4)# exit
down compound
Specifies the beginning and ending parts of a set of selection criteria. Text that begins with the first part and ends
with the second part meets the selection criteria. If the selection criteria are met, port 80 on the real server is
marked FAILED.
EXAMPLE:
To specify that if the HTML file contains a text string that begins with "500" and ends with "Internal Server Error",
the port is marked FAILED:
ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# down compound "500" "Internal Server Error" log
ServerIron(config-http-ml-m4)# exit
down simple
Specifies the selection criteria in a matching list. If the selection criteria are met, port 80 on the real server is
marked FAILED.
EXAMPLE:
To specify that if the HTML file contains the text "File Not Found", the port is marked FAILED:
ServerIron(config)# http match-list m1
ServerIron(config-http-ml-m1)# down simple "File Not Found"
ServerIron(config-http-ml-m1)# exit
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-http-ml-listname)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-http-ml-listname)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
no
This command is used to disable other commands. To do so, place the word no before the command.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-http-ml-listname)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron's
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron from the GSLB ServerIron's management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
up compound
Specifies the beginning and ending parts of a set of selection criteria. Text that begins with the first part and ends
with the second part meets the selection criteria. If the selection criteria is met, port 80 on the real server is
marked ACTIVE.
EXAMPLE:
To specify that if the HTML file contains a text string that begins with monkey see and ends with monkey do, the
port is marked ACTIVE:
ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# up compound "monkey see" "monkey do" log
ServerIron(config-http-ml-m4)# exit
up simple
Specifies the selection criteria in a matching list. If the selection criteria is met, port 80 on the real server is
marked ACTIVE.
EXAMPLE:
To specify that if the HTML file contains the text elephant, the port is marked ACTIVE:
ServerIron(config)# http match-list m1
ServerIron(config-http-ml-m1)# up simple "elephant"
ServerIron(config-http-ml-m1)# exit
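The following Python program, added here as an example and not part of the Foundry documentation or software, shows how the four match-list rule types above (down simple, down compound, up simple, up compound) evaluate against a fetched page. The match lists m1 and m4 are built from the examples in this chapter; the rule that a matching down rule takes precedence over a matching up rule is this example's assumption, since the reference text does not state one.

```python
"""Evaluation of HTTP match-list rules as the 'down simple', 'down compound',
'up simple' and 'up compound' commands describe them: a simple rule matches
when the fetched page contains its text; a compound rule matches when the
page contains text that begins with the first string and ends with the second.
A matching 'down' rule marks port 80 FAILED, a matching 'up' rule marks it
ACTIVE. Added example, not Foundry code. Assumption: when rules of both kinds
match, 'down' wins (the reference text does not state a precedence)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class MatchRule:
    action: str                 # "up" or "down"
    first: str                  # the text (simple) or the beginning text (compound)
    last: Optional[str] = None  # the ending text of a compound rule; None for simple

    def matches(self, body: str) -> bool:
        if self.last is None:                      # simple rule: substring match
            return self.first in body
        # compound rule: 'first' somewhere before 'last', anything in between
        pattern = re.escape(self.first) + r".*?" + re.escape(self.last)
        return re.search(pattern, body, re.DOTALL) is not None


def evaluate(rules: List[MatchRule], body: str) -> Optional[str]:
    """Return "FAILED", "ACTIVE", or None when no rule matched
    (the port keeps whatever state it had)."""
    if any(r.matches(body) for r in rules if r.action == "down"):
        return "FAILED"          # assumption: down takes precedence over up
    if any(r.matches(body) for r in rules if r.action == "up"):
        return "ACTIVE"
    return None


# Match lists constructed from the reference examples (m1 and m4 above).
M1 = [MatchRule("down", "File Not Found"), MatchRule("up", "elephant")]
M4 = [MatchRule("down", "500", "Internal Server Error"),
      MatchRule("up", "monkey see", "monkey do")]
```

Because a compound rule is ordered, m4 marks the port FAILED for a page containing "500 Internal Server Error" but leaves it unchanged for "Internal Server Error, code 500"; a simple rule has no such ordering.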
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-http-ml-listname)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-http-ml-listname)# write terminal
Chapter 19
Server Monitor Commands
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-slb-mon)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-slb-mon)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
history
Configures a history list for the Layer 4 statistics monitoring function.
EXAMPLE:
ServerIron(config)# server monitor
ServerIron(config-slb-mon)# history 1 buckets 5 interval 30 owner rkwong
The first parameter is the index number for the history list. This can be a number from 1 to 100.
buckets <number>
Is the number of rows allocated to a data table for this history list. This can be a number from 1 to 65535. This number of samples is stored in the data table. For example, if you specify 10 buckets, the most recent 10 samples are stored in the data table.
interval <sampling-interval>
Is the sampling interval in seconds. The sampling interval can be from 1 to 3600 seconds.
owner <text-string>
no
This command is used to disable other commands. To do so, place the word no before the command.
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-slb-mon)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIrons
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIrons management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-slb-mon)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-slb-mon)# write terminal
Chapter 20
Routing Information Protocol (RIP) Commands
NOTE: The RIP configuration level applies only to IP forwarding (Layer 3 IP).
deny redistribute
Configures a redistribution filter to deny redistribution for specific routes.
When you enable redistribution, all IP static routes are redistributed by default. If you want to deny certain routes
from being redistributed into RIP, configure deny filters for those routes before you enable redistribution. You can
configure up to 64 RIP redistribution filters. They are applied in ascending numerical order.
NOTE: The default redistribution action is still permit, even after you configure and apply redistribution filters to
the virtual routing interface. If you want to tightly control redistribution, apply a filter to deny all routes as the last
filter (filter ID 64), then apply filters with lower filter IDs to allow specific routes.
EXAMPLE:
To configure a redistribution filter, enter a command such as the following:
ServerIron(config-rip-router)# deny redistribute 1 static address 207.92.0.0
255.255.0.0
This command denies redistribution of all 207.92.x.x IP static routes.
end
Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.
EXAMPLE:
To move to the privileged level, enter the following from any level of the CLI.
ServerIron(config-rip-router)# end
ServerIron#
Syntax: end
Possible values: N/A
Default value: N/A
exit
Moves activity up one level from the current level. In this case, activity will be moved to the global level.
EXAMPLE:
ServerIron(config-rip-router)# exit
ServerIron(config)#
Syntax: exit
Possible values: N/A
Default value: N/A
no
This command is used to disable other commands. To do so, place the word no before the command.
permit redistribute
Configures a redistribution filter to permit redistribution for specific routes.
When you enable redistribution, all IP static routes are redistributed by default. If you want to permit certain routes
to be redistributed into RIP, configure permit filters for those routes before you enable redistribution. You can
configure up to 64 RIP redistribution filters. They are applied in ascending numerical order.
NOTE: The default redistribution action is permit, even after you configure and apply redistribution filters to the
virtual routing interface. If you want to tightly control redistribution, apply a filter to deny all routes as the last filter
(filter ID 64), then apply filters with lower filter IDs to allow specific routes.
EXAMPLE:
To configure a redistribution filter, enter a command such as the following:
ServerIron(config-rip-router)# permit redistribute 1 static address 207.92.0.0
255.255.0.0
quit
This command returns you from any level of the CLI to the User EXEC mode.
EXAMPLE:
ServerIron(config-rip-router)# quit
ServerIron>
Syntax: quit
Possible values: N/A
Default value: N/A
redistribution
Enables redistribution of routes into RIP.
NOTE: When you enable redistribution, all routes are redistributed by default. To control redistribution, configure
redistribution filters first, then enable redistribution. See deny redistribute on page 20-1 and permit redistribute
on page 20-2.
EXAMPLE:
To enable RIP redistribution, enter the following command:
ServerIron(config-rip-router)# redistribution
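The following Python model, added as an example and not Foundry code, shows the redistribution filtering that deny redistribute, permit redistribute and redistribution describe: up to 64 filters evaluated in ascending ID order with permit as the default, including the tightly controlled policy from the NOTEs (deny-all as filter 64, permits at lower IDs). The assumption that the first matching filter decides is this example's, not stated on the page; the filter addresses and masks are constructed.

```python
"""Model of RIP redistribution filtering as the 'deny redistribute',
'permit redistribute' and 'redistribution' reference text describes it:
up to 64 filters, applied in ascending filter-ID order, with permit as the
default action for routes no filter matches. Added example, not Foundry code.
Assumption: the first matching filter decides (that is what makes the
documented 'deny-all as filter 64, permits at lower IDs' pattern work)."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, Optional

MAX_FILTERS = 64


@dataclass(frozen=True)
class RedistFilter:
    action: str                      # "permit" or "deny"
    route_type: str                  # "static" in the reference examples
    network: Optional[IPv4Network]   # None matches every route of route_type

    def matches(self, route_type: str, prefix: IPv4Network) -> bool:
        if route_type != self.route_type:
            return False
        # 'address 207.92.0.0 255.255.0.0' covers every 207.92.x.x route
        return self.network is None or prefix.subnet_of(self.network)


def make_filter(action: str, route_type: str,
                address: Optional[str] = None, mask: Optional[str] = None) -> RedistFilter:
    """Build a filter from the CLI form 'address <ip> <mask>' (both optional)."""
    net = None if address is None else IPv4Network(f"{address}/{mask}", strict=False)
    return RedistFilter(action, route_type, net)


def add_filter(policy: Dict[int, RedistFilter], filter_id: int, flt: RedistFilter) -> None:
    """Install a filter under its ID; the ID range is the documented 1 to 64."""
    if not 1 <= filter_id <= MAX_FILTERS:
        raise ValueError(f"filter ID must be 1-{MAX_FILTERS}, got {filter_id}")
    policy[filter_id] = flt


def is_redistributed(policy: Dict[int, RedistFilter], route_type: str, prefix: str) -> bool:
    """True if the route would be redistributed into RIP under this policy."""
    net = IPv4Network(prefix)
    for fid in sorted(policy):                # ascending numerical order
        if policy[fid].matches(route_type, net):
            return policy[fid].action == "permit"   # first match decides (assumption)
    return True                               # documented default: permit


# Policy 1: the reference example, one deny filter; everything else is permitted.
LOOSE: Dict[int, RedistFilter] = {}
add_filter(LOOSE, 1, make_filter("deny", "static", "207.92.0.0", "255.255.0.0"))

# Policy 2: the tightly controlled form from the NOTE: deny-all last, permits first.
TIGHT: Dict[int, RedistFilter] = {}
add_filter(TIGHT, 1, make_filter("permit", "static", "10.1.0.0", "255.255.0.0"))
add_filter(TIGHT, MAX_FILTERS, make_filter("deny", "static"))
```

Note that the deny-all filter in the tight policy is scoped to static routes; a route of another type matches nothing and falls through to the permit default, which is why the model checks the route type before the address.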
rshow
Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIrons
CLI. The command also displays the session and CPU information used by the GSLB policy. You can view
detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIrons management
console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry
ServerIron Installation and Configuration Guide.
show
Displays a variety of configuration and statistical information about the ServerIron. To see a description of the
show commands, see Show Commands on page 21-1.
write memory
Saves the running-time configuration into the startup-config file.
EXAMPLE:
ServerIron(config-rip-router)# write memory
write terminal
Displays the running-configuration of the ServerIron on the terminal screen.
EXAMPLE:
ServerIron(config-rip-router)# write terminal
Chapter 21
Show Commands
The following commands are found at all levels of the CLI for the ServerIron, except where noted. For simplicity,
they are summarized in this section as well as in the individual sections.
show aaa
Displays information about all TACACS+ and RADIUS servers identified on the device.
EXAMPLE:
ServerIron# show aaa
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49:
opens=6 closes=3 timeouts=3 errors=0
packets in=4 packets out=4
no connection
Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.90 Auth Port=1645 Acct Port=1646:
opens=2 closes=1 timeouts=1 errors=0
packets in=1 packets out=4
no connection
show arp
Displays the ARP cache of the ServerIron. For switches, the show arp command will not display the 'type'
column, but will display a VLAN ID column.
EXAMPLE:
ServerIron(config)# show arp
IP              Mac             Type
10.10.10.10     00d0.0958.9b07  Static
192.168.2.14    0050.04bb.81fa  Static
192.168.2.1     00e0.5205.9056  Static
192.168.2.157   00e0.2972.2ab5  Dynamic
192.168.2.15    0010.5ad1.3701  Dynamic
192.168.2.77    00e0.5202.de72  Dynamic
Total Arp Entries : 6
Syntax: show arp [<ip-addr> [<ip-mask>] | ethernet <portnum> mac-address <xxxx.xxxx.xxxx> [<mask>]]
The <ip-addr> and <ip-mask> parameters let you restrict the display to entries for a specific IP address and
network mask. Specify the IP address masks in standard decimal mask format (for example, 255.255.0.0).
NOTE: The <ip-mask> parameter and <mask> parameter perform different operations. The <ip-mask>
parameter specifies the network mask for a specific IP address, whereas the <mask> parameter provides a filter
for displaying multiple MAC addresses that have specific values in common.
Specify the MAC address mask as f's and 0's, where f's are significant bits. Specify IP address masks in
standard decimal mask format (for example, 255.255.0.0).
The ethernet <portnum> parameter lets you restrict the display to entries for a specific port.
The mac-address <xxxx.xxxx.xxxx> parameter lets you restrict the display to entries for a specific MAC address.
The <mask> parameter lets you specify a mask for the mac-address <xxxx.xxxx.xxxx> parameter, to display
entries for multiple MAC addresses. Specify the MAC address mask as f's and 0's, where f's are significant
bits.
Here are some examples of how to use these commands.
The following command displays all ARP entries for MAC addresses that begin with abcd:
ServerIron# show arp mac-address abcd.0000.0000 ffff.0000.0000
The following command displays all IP address entries for IP addresses that begin with "209.157":
ServerIron# show arp 209.157.0.0 255.255.0.0
Possible values: See above
Default value: N/A
show cache-group
Displays configuration information for the TCS cache groups.
EXAMPLE:
ServerIron# show cache-group 1
Cache-group 1 has 1 members Admin-status = Enabled Active = 0
Hash_info: Dest_mask = 255.255.255.0 Src_mask = 0.0.0.0
Cache Server Name    Admin-status    Hash-distribution
HTTP Traffic  From <-> to  Web-Caches
Name: aa    IP: 1.2.3.4    State: 1    Groups =
show chassis
Displays the presence and status of power supplies and fans in the chassis.
EXAMPLE:
ServerIron# show chassis
power supply 1 ok
power supply 2 not present
fan 1 ok
fan 2 ok
show clock
Displays the current settings for the on-board time counter and Simple Network Time Protocol (SNTP) clock, if
configured.
EXAMPLE:
ServerIron# show clock
show configuration
Lists the operating configuration of a ServerIron. This command allows you to check configuration changes before
saving them to flash.
EXAMPLE:
ServerIron# show configuration
show default
Displays the defaults for system parameters.
If you specify "default" but not the optional "values", the default states for parameters that can either be enabled or
disabled are displayed. If you also specify "values", the default values for parameters that take a numeric value are
displayed.
EXAMPLE:
ServerIron# show default
snmp ro community public
auto sense port speed
no username assigned
system traps enabled
ip multicast disabled
EXAMPLE:
ServerIron# show default values
sys log buffers:50
mac age time:300 sec
telnet sessions:5
mac entries:8K
System Parameters    Default    Maximum    Current
l4-real-server       1024       2048       1024
l4-virtual-server    256        512        256
l4-server-port       2048       4096       2048
show flash
Displays the version of the software image saved in the primary and secondary flash of a ServerIron.
EXAMPLE:
ServerIron# show flash
show fw-group
Displays configuration information, state information, and traffic statistics for the firewall group. See the
Foundry ServerIron Firewall Load Balancing Guide for information about the fields in this display.
EXAMPLE:
ServerIron(config)# show fw-group
Firewall-group 2 has 2 members Admin-status = Enabled
Hash_info: Dest_mask = 255.255.255.255 Src_mask = 255.255.255.255
Firewall Server Name    Admin-st    Hash-distribution
fw1                     1           0
fw2                     6           0
Firewall Name: fw1    IP: 10.10.0.1    State: 1    Groups =
                Host->Firewall            Firewall->Host
                Packets     Octets        Packets     Octets
Total           0           0             0           0
Firewall Name: fw2    IP: 10.10.0.2    State: 6    Groups =
                Host->Firewall            Firewall->Host
                Packets     Octets        Packets     Octets
Total           0           0             0           0
show fw-hash
Displays the firewall that the hashing algorithm selected for a given pair of source and destination addresses.
EXAMPLE:
ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2
fw3
In this example, the command output indicates that the FWLB hashing algorithm selected firewall "fw3" for traffic
to IP address 1.1.1.1 from IP address 2.2.2.2.
The protocol parameter is the IP protocol number, and can be one of the following:
6 TCP
17 UDP
The <dst-tcp/udp-port> parameter specifies the destination TCP or UDP application port number.
The <src-tcp/udp-port> parameter specifies the source TCP or UDP application port number.
If you configured the ServerIron to hash based on source and destination TCP or UDP application ports as well as
IP addresses, the ServerIron might select more than one firewall for the same pair of source and destination IP
addresses, when the traffic uses different pairs of source and destination application ports. Use the optional
parameters to ensure that the command's output distinguishes among the selected firewalls based on the
application ports. Here is an example:
ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2 6 80 8080
fw2
ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2 6 80 9000
fw3
Possible values: See above
Default value: N/A
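The following Python illustration, added as an example and not Foundry code, models the selection that show fw-hash reports: the masked source and destination addresses (the Hash_info Dest_mask and Src_mask that show fw-group displays), optionally with protocol and application ports, are hashed to pick one member of the firewall group. The hash function (SHA-256 over the masked fields), the firewall group contents and the argument order (destination first, as the fw3 explanation above reads) are this example's assumptions, not the ServerIron algorithm.

```python
"""Illustration of hash-based firewall selection of the kind 'show fw-hash'
reports. Added example, not Foundry code: the hash (SHA-256 over the masked
fields), the group contents and the argument order are assumptions."""
import hashlib
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class FirewallGroup:
    group_id: int
    members: List[str]                    # firewall names in the group
    dest_mask: str = "255.255.255.255"    # Hash_info Dest_mask
    src_mask: str = "255.255.255.255"     # Hash_info Src_mask
    hash_ports: bool = False              # also hash protocol and application ports

    def select(self, dst_ip: str, src_ip: str, proto: Optional[int] = None,
               dst_port: Optional[int] = None, src_port: Optional[int] = None) -> str:
        """Pick the member firewall for one (destination, source) pair."""
        if not self.members:
            raise ValueError(f"firewall group {self.group_id} has no members")
        # Mask first: a 0.0.0.0 mask removes that address from the decision.
        key = [int(IPv4Address(dst_ip)) & int(IPv4Address(self.dest_mask)),
               int(IPv4Address(src_ip)) & int(IPv4Address(self.src_mask))]
        if self.hash_ports:
            if None in (proto, dst_port, src_port):
                raise ValueError("this group hashes on ports: protocol and both ports are required")
            key += [proto, dst_port, src_port]
        digest = hashlib.sha256(",".join(map(str, key)).encode()).digest()
        return self.members[int.from_bytes(digest[:4], "big") % len(self.members)]


def fw_hash(group: FirewallGroup, dst_ip: str, src_ip: str, proto: Optional[int] = None,
            dst_port: Optional[int] = None, src_port: Optional[int] = None) -> str:
    """Counterpart of 'show fw-hash <dst-ip> <src-ip> <group> [<proto> <dst-port> <src-port>]'
    (argument order is this example's reading of the explanation above)."""
    return group.select(dst_ip, src_ip, proto, dst_port, src_port)


# Constructed groups (not the page's configuration):
GROUP_IP_ONLY = FirewallGroup(2, ["fw1", "fw2", "fw3"])
GROUP_WITH_PORTS = FirewallGroup(2, ["fw1", "fw2", "fw3"], hash_ports=True)
GROUP_DST_ONLY = FirewallGroup(3, ["fw1", "fw2"], src_mask="0.0.0.0")
```

With full 255.255.255.255 masks, as in the show fw-group display, every packet of a given address pair reaches the same firewall; only when the group also hashes on ports can two connections between the same hosts land on different firewalls, which is the situation the optional show fw-hash parameters exist to distinguish.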
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron
Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
[beginning of the display, including the first host name, is not recoverable on this page]
                                                    Flashback    DNS resp.
                                                    delay        selection
                                                    (x100us)     percentage
                                                    TCP   APP    (%)
* 209.157.22.228: dns v-ip    ACTIVE N-AM.          3     30     60
    site: atlanta, SI: slb-1 (192.108.22.111)
    session util: 10%, avail. sessions: 414269
    preference: 128
* 210.224.100.5:  dns real-ip DOWN   ASIA           --    --     0
* 201.100.100.6:  dns real-ip DOWN   S-AM.          --    --     0
* 213.34.100.4:   dns real-ip DOWN   EUROPE         --    --     0
HOST: ftp:                                          Flashback    DNS resp.
                                                    delay        selection
                                                    (x100us)     percentage
                                                    TCP   APP    (%)
* 209.157.22.103: dns v-ip    ACTIVE N-AM.          6     60     40
    site: sunnyvale, SI: slb-2 (209.157.22.210)
    session util: 7%, avail. sessions: 414287
    preference: 128
* 209.157.22.104: dns v-ip    ACTIVE N-AM.          3     30     60
    site: atlanta, SI: slb-2 (192.108.22.112)
    session util: 14%, avail. sessions: 324269
    preference: 128
* 210.224.100.7:  dns real-ip DOWN   ASIA           --    --     0
* 201.100.100.8:  dns real-ip DOWN   S-AM.          --    --     0
* 213.34.100.9:   dns real-ip DOWN   EUROPE         --    --     0
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron
Installation and Configuration Guide.
[beginning of the display, including the first host name, is not recoverable on this page]
                                                  Flashback    DNS resp.
                                                  delay        selection
                                                  (x100us)     percentage
                                                  TCP   APP    (%)
209.157.22.100: dns v-ip    ACTIVE N-AM.          6     60     40
209.157.22.101: dns v-ip    ACTIVE N-AM.          3     30     60
210.224.100.5:  dns real-ip DOWN   ASIA           --    --     0
201.100.100.6:  dns real-ip DOWN   S-AM.          --    --     0
213.34.100.4:   dns real-ip DOWN   EUROPE         --    --     0
HOST: ftp:                                        Flashback    DNS resp.
                                                  delay        selection
                                                  (x100us)     percentage
                                                  TCP   APP    (%)
209.157.22.103: dns v-ip    ACTIVE N-AM.          6     60     40
209.157.22.104: dns v-ip    ACTIVE N-AM.          3     30     60
210.224.100.7:  dns real-ip DOWN   ASIA           --    --     0
201.100.100.8:  dns real-ip DOWN   S-AM.          --    --     0
213.34.100.9:   dns real-ip DOWN   EUROPE         --    --     0
[Output of a GSLB resource display; most row labels are not recoverable on this page. The rows whose labels survive, with Current and Maximum values paired by column order:]
GSLB resources       Current    Maximum
static prefixes      4          250
prefix cache         104        5050
RTT entries          1          10000
[Other rows of the display retain only their Maximum values: 100, 200, 2000, 200, 400, 600, 2000, 50]
The values in the Current column indicate how many of each GSLB configuration or data item are currently on the
GSLB ServerIron. The values in the Maximum column list the maximum number of each item the GSLB
ServerIron can hold.
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron
Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
[beginning of the display is not recoverable on this page]
    Session util(%)    CPU load(%)    Preference    Location
    50                 35             128           N-AM
    Virtual IPs: 209.157.22.227(A) 209.157.22.103(A)
    Session util(%)    CPU load(%)    Preference    Location
    0                  16             128           N-AM
    Virtual IPs: 209.157.22.227(S)
SITE: atlanta
SI: slb-1 192.108.22.111: state: CONNECTION ESTABLISHED
    Current num. sessions    Session util(%)    CPU load(%)    Preference    Location
    750000                   75                 41             128           N-AM
    Virtual IPs: 209.157.22.227(A) 209.157.22.104(A)
    Session util(%)    CPU load(%)    Preference    Location
    0                  16             128           N-AM
    Virtual IPs: 209.157.22.227(S)
To display information about the GSLB site called sunnyvale and the ServerIrons providing SLB within that
site, enter the following command:
ServerIron(config)# show gslb site sunnyvale
SITE: sunnyvale
SI: slb-1 209.157.22.209: state: CONNECTION ESTABLISHED
    Current num. sessions    Session util(%)    CPU load(%)    Location
    500000                   50                 35             N-AM
    Virtual IPs: 209.157.22.227(A)
SI: slb-2 209.157.22.210: state: CONNECTION ESTABLISHED
    Current num. sessions    Session util(%)    CPU load(%)    Location
    1                        0                  16             N-AM
    Virtual IPs: 209.157.22.227(B)
For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron
Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
show healthck
Displays a list of the configured health-check policies and their current status. For information about the fields in
this display, see one of the following:
ServerIronXL: the "Configuring Boolean Health-Check Policies (ServerIronXL)" section in the "Configuring
Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.
ServerIron 400 and ServerIron 800: the "Configuring Boolean Health-Check Policies (ServerIron 400 and
ServerIron 800)" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry
ServerIron Installation and Configuration Guide.
EXAMPLE:
Here is an example for the ServerIronXL.
ServerIron(config)# show healthck
Total nodes: 4; Max nodes: 128
Name        Value    Type
---------------------------------------------
Rtr1-ck1    N/B      icmp 10.168.2.46
Rtr1-ck2    N/B      icmp 10.168.2.47
Router1     N/B      or Rtr1-ck1 Rtr1-ck2
Rtr2-ck1    TRUE     icmp 10.168.2.56
Rtr2-ck2    TRUE     icmp 10.168.2.57
Router2     TRUE     and Rtr2-ck1 Rtr2-ck2
Rtr3-ck1    FALSE    icmp 10.168.2.66
Rtr3-ck2    TRUE     icmp 10.168.2.67
Router3     FALSE    and Rtr3-ck1 Rtr3-ck2
EXAMPLE:
Here is an example for the ServerIron 400 or ServerIron 800.
ServerIron(config-hc-check1)# show healthck
show interfaces
Displays all port interfaces of the ServerIron and their state, duplex mode, STP state, priority and MAC address.
EXAMPLE:
ServerIron# show interfaces e 1
FastEthernet1 is down
Hardware is FastEthernet, address is 00e0.5202.8bc6 (bia 00e0.5202.8bc6)
Configured speed auto, actual unknown, configured duplex fdx, actual unknown
Member of L2 VLAN ID 1, port is untagged, port state is BLOCKING
STP configured to ON, priority is high, flow control enabled
mirror disabled, monitor disabled
Not member of any active trunks
Member of configured trunk ports 1-3, primary port
No port name
5 minute input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
5 minute output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 ignored
0 multicast
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
show ip
Displays IP configuration information.
EXAMPLE:
ServerIron(config)# show ip
Disabled : IP_Forwarding
Disabled : RIP
RIP-Redist
192.168.2.1
None
None
None
For information about the fields in this display, see the "Displaying the IP Forwarding State" section in the
"Configuring IP Forwarding" chapter of the Foundry ServerIron Installation and Configuration Guide.
Syntax: show ip
Possible values: N/A
Default value: N/A
show ip cache
Displays the IP host table showing indexes to MAC addresses and the IP address of the next hop for ServerIrons
configured to operate in a multinetted environment.
EXAMPLE:
ServerIron# sh ip cache
IP              Mac             Cam     CamF    Hw FCnt
209.157.20.1    0000.0000.0000  3144    0       0
show ip client-public-key
Displays the currently loaded public keys.
EXAMPLE:
ServerIron# show ip client-public-key
1024 65537 162566050678380006149460550286514061230306797782065166110686648548574
94957339232259963157379681924847634614532742178652767231995746941441604714682680
00644536790333304202912490569077182886541839656556769025432881477252978135927821
67540629478392662275128774861815448523997023618173312328476660721888873946758201
user@csp_client
1024 35 152676199889856769693556155614587291553826312328095300428421494164360924
76207475545234679268443233762295312979418833525975695775705101805212541008074877
26586119857422702897004112168852145074087969840642408451742714558592361693705908
74837875599405503479603024287131312793895007927438074972787423695977635251943 root@unix_machine
There are 2 authorized client public keys configured
show ip filter-cache
Displays all active IP filter definitions for a Foundry switch operating with Layer 3 switching.
EXAMPLE:
ServerIron# show ip filter-cache
show ip interface
Displays information about the IP interfaces configured on virtual routing interfaces.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# show ip interface
Interface    IP-Address       OK?    Method    Status    Protocol
Ve 1         192.168.2.1      YES    manual    up        up
Ve 1         10.10.10.1       YES    manual    up        up
Ve 1         20.20.20.1       YES    manual    up        up
Ve 10        120.120.120.1    YES    manual    down      up
Ve 10        130.130.130.1    YES    manual    down      up
show ip multicast
Indicates whether IP multicast is active on a Foundry switch, and notes its operating mode (active or passive).
EXAMPLE:
ServerIron# show ip multicast
[Only a fragment of this display survives on the page: a column headed "Outside global" with the values 207.195.2.12 and 207.195.4.69]
show ip policy
Displays the configured global and local session policies defined via the ip policy command.
EXAMPLE:
Index    Priority    Protocol    Socket    Type
1        high        tcp         pop3      global
2        high        udp         dns       global
show ip route
Displays the IP route table.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# show ip route
Total number of IP routes: 9
Start index: 1 D:Connected S:Static *:Candidate default
    Destination      NetMask          Gateway           Port    Cost    Type
1   10.10.10.0       255.255.255.0    0.0.0.0           ve1     1       D
2   20.20.20.0       255.255.255.0    0.0.0.0           ve1     1       D
3   50.50.50.0       255.255.255.0    20.20.20.10       ve1     1       S
4   60.60.60.0       255.255.255.0    20.20.20.10       ve1     1       S
5   70.70.70.0       255.255.255.0    120.120.120.10    ve1     1       S
6   120.120.120.0    255.255.255.0    0.0.0.0           ve1     1       D
7   130.130.130.0    255.255.255.0    0.0.0.0           ve1     1       D
8   192.168.2.0      255.255.255.0    0.0.0.0           ve1     1       D
9   0.0.0.0          0.0.0.0          192.168.2.1       ve1     1       S
show ip ssh
Displays information about the SSH management sessions in effect on the device. Up to five SSH connections
can be active on the Foundry device. For information about this display and about using SSH, see the
"Configuring Secure Shell" chapter.
EXAMPLE:
ServerIron#show ip ssh
Connection    Version    Encryption    State    Username
1             1.5        ARCFOUR       0x82     neville
2             1.5        IDEA          0x82     lynval
3             1.5        3DES          0x82     terry
4             1.5        none          0x00
5             1.5        none          0x00
show ip static-arp
Displays the static ARP entries.
NOTE: This command applies only to IP forwarding (Layer 3).
EXAMPLE:
ServerIron(config)# show ip static-arp
Static ARP table size: 64, configurable from 64 to 128
Index    IP Address       MAC Address       Port
1        10.10.10.10      00d0.0958.9b07    9
2        192.168.2.1      00e0.5205.9056    15
3        192.168.2.157    00e0.2972.2ab5    15
4        192.168.2.14     0050.04bb.81fa    15
5        192.168.2.15     0010.5ad1.3701    15
The <ip-addr> and <ip-mask> parameters let you restrict the display to entries for a specific IP address and
network mask. Specify the IP address masks in standard decimal mask format (for example, 255.255.0.0).
NOTE: The <ip-mask> parameter and <mask> parameter perform different operations. The <ip-mask>
parameter specifies the network mask for a specific IP address, whereas the <mask> parameter provides a filter
for displaying multiple MAC addresses that have specific values in common.
Specify the MAC address mask as f's and 0's, where f's are significant bits. Specify IP address masks in
standard decimal mask format (for example, 255.255.0.0).
The ethernet <portnum> parameter lets you restrict the display to entries for a specific port.
The mac-address <xxxx.xxxx.xxxx> parameter lets you restrict the display to entries for a specific MAC address.
The <mask> parameter lets you specify a mask for the mac-address <xxxx.xxxx.xxxx> parameter, to display
entries for multiple MAC addresses. Specify the MAC address mask as f's and 0's, where f's are significant
bits.
Possible values: See above
Default value: N/A
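The following Python program, added as an example and not Foundry code, applies the IP-address/mask and MAC-address/mask selection described under show arp and again here to the ARP entries from the show arp display earlier in this chapter; it also rejects a MAC mask that is not written with f's and 0's, so a typo cannot silently become a pattern. The entry list and its column set are constructed from that display.

```python
"""Filtering ARP entries the way the 'show arp' / 'show ip static-arp'
parameters describe: an IP address with a decimal network mask, and a MAC
address with a mask written as f's and 0's (f nibbles are significant).
Added example, not Foundry code; the entries below are constructed from the
'show arp' output in this chapter, and the column set is this example's own."""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# (ip, mac, type) constructed from the show arp example output in this chapter
ARP_TABLE: List[Tuple[str, str, str]] = [
    ("10.10.10.10",   "00d0.0958.9b07", "Static"),
    ("192.168.2.14",  "0050.04bb.81fa", "Static"),
    ("192.168.2.1",   "00e0.5205.9056", "Static"),
    ("192.168.2.157", "00e0.2972.2ab5", "Dynamic"),
    ("192.168.2.15",  "0010.5ad1.3701", "Dynamic"),
    ("192.168.2.77",  "00e0.5202.de72", "Dynamic"),
]


def mac_to_int(mac: str) -> int:
    """Parse the xxxx.xxxx.xxxx display form into a 48-bit integer."""
    parts = mac.lower().split(".")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"MAC address must be xxxx.xxxx.xxxx: {mac!r}")
    return int("".join(parts), 16)


def is_valid_mac_mask(mask: str) -> bool:
    """A MAC mask is written with f's and 0's only (f = significant bits)."""
    try:
        mac_to_int(mask)
    except ValueError:
        return False
    return not (set(mask.lower().replace(".", "")) - {"f", "0"})


def mac_mask_to_int(mask: str) -> int:
    if not is_valid_mac_mask(mask):
        raise ValueError(f"MAC mask must use only f's and 0's: {mask!r}")
    return mac_to_int(mask)


def ip_in(ip: str, addr: str, mask: str) -> bool:
    """True if ip falls within addr/mask (mask in decimal form, e.g. 255.255.0.0)."""
    m = int(IPv4Address(mask))
    return int(IPv4Address(ip)) & m == int(IPv4Address(addr)) & m


def mac_in(mac: str, pattern: str, mask: str) -> bool:
    """True if the significant nibbles of mac equal those of pattern."""
    m = mac_mask_to_int(mask)
    return mac_to_int(mac) & m == mac_to_int(pattern) & m


def filter_arp(entries: List[Tuple[str, str, str]],
               ip: Optional[str] = None, ip_mask: str = "255.255.255.255",
               mac: Optional[str] = None, mac_mask: str = "ffff.ffff.ffff"
               ) -> List[Tuple[str, str, str]]:
    """Return the entries matching the optional IP and/or MAC selectors.
    With no selector every entry is returned, as 'show arp' alone would."""
    out = []
    for entry_ip, entry_mac, entry_type in entries:
        if ip is not None and not ip_in(entry_ip, ip, ip_mask):
            continue
        if mac is not None and not mac_in(entry_mac, mac, mac_mask):
            continue
        out.append((entry_ip, entry_mac, entry_type))
    return out
```

For instance, filter_arp(ARP_TABLE, mac="00e0.0000.0000", mac_mask="ffff.0000.0000") selects the three entries whose MAC address begins with 00e0, which is the same selection the show arp mac-address example above performs for the abcd prefix.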
show ip traffic
Displays IP (ICMP, UDP, TCP, and RIP) traffic statistics for a ServerIron.
EXAMPLE:
ServerIron# show ip traffic
IP Statistics
587 received, 593 sent, 14 forwarded
0 fragmented, 0 reassembled, 0 bad header
489 no route, 0 unknown proto, 0 no buffer, 9 other errors
ICMP Statistics
Received:
0 total, 0 errors, 0 unreachable, 0 time exceed
0 parameter, 0 source sequence, 0 redirect, 0 echo,
0 echo reply, 0 timestamp, 0 timestamp rely, 0 addr mask
0 addr mask reply, 0 irdp advertisement, 0 irdp solicitation
Sent:
54 total, 0 errors, 0 unreachable, 0 time exceed
0 parameter, 0 source sequence, 0 redirect, 0 echo,
0 echo reply, 0 timestamp, 0 timestamp rely, 0 addr mask
0 addr mask reply, 54 irdp advertisement, 0 irdp solicitation
show logging
Displays the SNMP event log.
EXAMPLE:
This example shows some common Syslog messages.
ServerIron# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 7 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning
EXAMPLE:
Here are some examples of log entries for packets denied by Access Control Lists (ACLs).
NOTE: On devices that also use Layer 2 MAC filters, both types of log entries can appear in the same log. Only
ACL log entries are shown in this example.
ServerIron(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 38 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning
Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18
0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/18
0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d06h58m30s:warning:list 101 denied tcp 209.157.22.198(0)(Ethernet 4/18
0010.5a1f.77ed) -> 198.99.4.69(http), 1 packets
The first time an entry in an ACL denies a packet and logging is enabled for that entry, the software generates a
Syslog message and an SNMP trap. Messages for packets denied by ACLs are at the warning level of the Syslog.
When the first Syslog entry for a packet denied by an ACL is generated, the software starts a five-minute ACL
timer. After this, the software sends Syslog messages every five minutes. The messages list the number of
packets denied by each ACL during the previous five-minute interval. If an ACL entry does not deny any packets
during the five-minute interval, the software does not generate a Syslog entry for that ACL entry.
NOTE: For an ACL entry to be eligible to generate a Syslog entry for denied packets, logging must be enabled
for the entry. The Syslog contains entries only for the ACL entries that deny packets and have logging enabled.
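The following Python parser, added as an example and not Foundry code, reads the ACL deny entries from a show logging capture into records and totals the denied packets per ACL, which is what a defender usually wants from this display. The capture is constructed from the three entries above with each wrapped entry re-joined onto one line; the uptime-to-seconds conversion and the record layout are this example's own.

```python
"""Parser for the ACL deny entries that 'show logging' displays, with the
per-ACL packet totals. Added example, not Foundry code. The sample capture
is constructed from the three entries above (each two-line entry joined);
the uptime conversion and record layout are this example's own."""
import re
from dataclasses import dataclass
from typing import Dict, List

ACL_DENY_RE = re.compile(
    r"^(?P<uptime>\d+d\d+h\d+m\d+s):(?P<level>\w+):"
    r"list (?P<acl>\d+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\w+)\)"
    r"\(Ethernet (?P<port>[\d/]+) (?P<mac>[0-9a-f.]+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\w+)\), (?P<count>\d+) packets$"
)
UPTIME_RE = re.compile(r"(\d+)d(\d+)h(\d+)m(\d+)s")


@dataclass(frozen=True)
class AclDenyEntry:
    uptime_s: int   # seconds since boot, from the ddDhhHmmMssS stamp
    level: str
    acl: int
    proto: str
    src: str
    sport: str
    port: str       # ingress Ethernet port, e.g. 4/18
    mac: str        # source MAC seen on that port
    dst: str
    dport: str      # service name or number as displayed, e.g. http
    count: int      # packets denied in the reporting interval


def uptime_to_seconds(text: str) -> int:
    """'00d07h03m30s' -> seconds since boot (the display's time stamp form)."""
    m = UPTIME_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"bad uptime stamp: {text!r}")
    d, h, mi, s = (int(x) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def parse_acl_log(text: str) -> List[AclDenyEntry]:
    """Parse every ACL deny line in a 'show logging' capture; other lines
    (the Syslog header, non-ACL messages) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACL_DENY_RE.match(line.strip())
        if m is None:
            continue
        g = m.groupdict()
        entries.append(AclDenyEntry(
            uptime_s=uptime_to_seconds(g["uptime"]), level=g["level"],
            acl=int(g["acl"]), proto=g["proto"], src=g["src"], sport=g["sport"],
            port=g["port"], mac=g["mac"], dst=g["dst"], dport=g["dport"],
            count=int(g["count"])))
    return entries


def denied_packets_by_acl(entries: List[AclDenyEntry]) -> Dict[int, int]:
    """Sum the packet counts per ACL across all reporting intervals."""
    totals: Dict[int, int] = {}
    for e in entries:
        totals[e.acl] = totals.get(e.acl, 0) + e.count
    return totals


# Constructed capture: the display above with its wrapped entries re-joined.
SAMPLE_LOG = """\
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 38 messages logged
Log Buffer (50 entries):
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d06h58m30s:warning:list 101 denied tcp 209.157.22.198(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 packets
"""
```

Converting the stamps to seconds makes the five-minute spacing between the second and third entries visible (25410 minus 25110 is 300 seconds), which is the ACL log timer interval described above.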
In this example, the two-line message at the bottom is the first entry, which the software immediately generates
the first time an ACL entry permits or denies a packet. In this case, an entry in ACL 101 denied a packet. The
packet was a TCP packet from host 209.157.22.198 and was destined for TCP port 80 (HTTP) on host
198.99.4.69.
When the software places the first entry in the log, the software also starts the five-minute timer for subsequent log
entries. Thus, five minutes after the first log entry, the software generates another log entry and SNMP trap for
denied packets.
In this example, the software generates the second log entry five minutes later. The second entry indicates that
the same ACL denied two packets.
The time stamp for the third entry is much later than the time stamps for the first two entries. In this case, no ACLs
denied packets for a very long time. In fact, since no ACLs denied packets during the five-minute interval following
the second entry, the software stopped the ACL log timer. The software generated the third entry as soon as the
ACL denied a packet. The software restarted the five-minute ACL log timer at the same time. As long as at least
one ACL entry permits or denies a packet, the timer continues to generate new log entries and SNMP traps every
five minutes.
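The following Python simulation, added as an example and not Foundry code, reproduces the five-minute ACL log timer behaviour just described: an immediate entry for the first denied packet, per-interval counts for each ACL entry while denies continue, a timer stop after an interval with no denies, and an immediate entry again on the next denied packet. Event times are constructed, in seconds.

```python
"""Simulation of the ACL log timer described above. Added example, not
Foundry code; event times are constructed, in seconds."""
from typing import Dict, List, Optional, Tuple

INTERVAL_S = 300   # five-minute ACL log timer


class AclLogTimer:
    def __init__(self) -> None:
        self.deadline: Optional[int] = None     # next timer expiry, None = stopped
        self.pending: Dict[int, int] = {}       # ACL entry -> packets denied this interval
        self.log: List[Tuple[int, int, int]] = []   # (time, ACL entry, packets)

    def advance(self, now: int) -> None:
        """Run every timer expiry up to 'now'."""
        while self.deadline is not None and now >= self.deadline:
            if self.pending:
                # one entry per ACL entry that denied something this interval
                for acl, count in sorted(self.pending.items()):
                    self.log.append((self.deadline, acl, count))
                self.pending = {}
                self.deadline += INTERVAL_S
            else:
                self.deadline = None            # nothing denied: timer stops

    def denied(self, now: int, acl: int) -> None:
        """A packet was denied by 'acl' at time 'now' (logging enabled)."""
        self.advance(now)
        if self.deadline is None:
            self.log.append((now, acl, 1))      # first deny: immediate entry
            self.deadline = now + INTERVAL_S    # and the timer starts
        else:
            self.pending[acl] = self.pending.get(acl, 0) + 1


def simulate(events: List[Tuple[int, int]], end: int) -> List[Tuple[int, int, int]]:
    """events: (time, ACL entry) of denied packets in time order; returns the log."""
    t = AclLogTimer()
    for now, acl in events:
        t.denied(now, acl)
    t.advance(end)
    return t.log


# Constructed: a burst that is aggregated, a quiet gap that stops the timer,
# then one more packet, which is logged immediately again.
SCENARIO = [(0, 101), (10, 101), (100, 101), (5000, 101)]
```

Running simulate(SCENARIO, 6000) yields an entry for 1 packet at time 0, an entry for 2 packets at time 300, nothing at time 600 (the timer stops), and an entry for 1 packet at time 5000, which is the three-entry pattern the display above shows.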
EXAMPLE:
Here are some examples of log messages for CLI access.
ServerIron(config)# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 12 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning
Log Buffer (50 entries):
Oct 15 18:01:11:info:dg
Oct 15 17:59:22:info:dg
Oct 15 17:38:07:info:dg
Oct 15 17:38:03:info:dg
The first message (the one on the bottom) indicates that user dg logged in to the CLI's User EXEC level on
October 15 at 5:38 PM and 3 seconds (Oct 15 17:38:03). The same user logged in to the Privileged EXEC level
four seconds later.
The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the
CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to
access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.
show mac-address
Displays all MAC addresses on a ServerIron.
EXAMPLE:
To display all MAC addresses on a ServerIron, enter the following:
ServerIron(config)# show mac-address
Total entries from all ports = 75
MAC             Port  Age    CamF  CIDX0  CIDX1  CIDX2  CIDX3  CIDX4  CIDX5
0000.0300.0000  10    17293  00H   0      0      0      0      0      0
0060.089f.8086  1     12     0bH   23     15     0      6      0      0
0060.9709.914b  16    2130   00H   0      0      0      0      0      0
00a0.249a.0163  16    130    00H   0      0      0      0      0      0
0060.979d.41a5  11    475    00H   0      0      0      0      0      0
00a0.24c5.01d1  11    0      0cH   0      0      20     14     0      0
0060.979d.41df  11    570    00H   0      0      0      0      0      0
0060.9759.4226  16    240    00H   0      0      0      0      0      0
0060.9759.4235  16    130    00H   0      0      0      0      0      0
0800.208f.725b  2     135    00H   0      0      0      0      0      0
0060.9759.4264  16    0      0aH   0      14     0      21     0      0
00a0.24c5.02a1  16    15     09H   5      0      0      33     0      0
0000.c02c.a2bf  7     11     03H   27     5      0      0      0      0
00a0.24c5.02f8  4     135    00H   0      0      0      0      0      0
00a0.24c5.02fc  6     0      06H   0      8      31     0      0      0
0800.207e.c312  2     2      0dH   25     0      24     13     0      0
0800.208f.5331  2     135    00H   0      0      0      0      0      0
00e0.5200.0385  10    5160   00H   0      0      0      0      0      0
--More--, next page: Space/Return key, quit: Control-c
NOTE: The information displayed in the columns with headings CamF and CIDX0 through CIDX5 is not relevant for
day-to-day management of the ServerIron. The information is used by engineering and technical support staff for
debug purposes.
show media
Shows the types of ports active on a Chassis device.
EXAMPLE:
ServerIron(config)# show media
1/1:SX 1/2:SX 1/3:SX 1/4:SX
2/1:SX 2/2:SX 2/3:SX 2/4:SX 2/5:SX 2/6:SX 2/7:SX 2/8:SX
3/1:SX 3/2:SX 3/3:SX 3/4:SX 3/5:SX 3/6:SX 3/7:SX 3/8:SX
4/1:SX 4/2:SX 4/3:SX 4/4:SX 4/5:SX 4/6:SX 4/7:SX 4/8:SX
5/1:SX 5/2:SX 5/3:SX 5/4:SX 5/5:SX 5/6:SX 5/7:SX 5/8:SX
6/1:SX 6/2:SX 6/3:SX 6/4:SX 6/5:SX 6/6:SX 6/7:SX 6/8:SX
7/1:SX 7/2:SX 7/3:SX 7/4:SX 7/5:SX 7/6:SX 7/7:SX 7/8:SX
8/1:SX 8/2:SX 8/3:SX 8/4:SX 8/5:SX 8/6:SX 8/7:SX 8/8:SX
show module
Shows the types of modules installed on a Chassis device.
EXAMPLE:
Here is an example of the command's display output on a ServerIron 800.
ServerIron# show module
Module    Status
          OK        00e0.52f0.5a00
          OK    24  00e0.52f0.5a20
          OK    24  00e0.52f0.5a40
          OK    24  00e0.52f0.5a60
          OK        00e0.52f0.5a00
          OK    24  00e0.52f0.5aa0
          OK        00e0.52f0.5a00
          OK        00e0.52f0.5a00
show monitor
Displays the current port mirroring and monitoring configuration.
EXAMPLE:
ServerIron(config)# show monitor
Mirror Interface:
ethernet 4/1
Monitored Interfaces:
Both                Input               Output
--------------------------------------------------
ethernet 4/3
show policy-map
Displays information about the URL switching policies configured on the ServerIron.
EXAMPLE:
ServerIron# show policy-map p1
Current Policy: 3
Created: 8
Deleted: 5
Table slot 210
------------------------------------------------
Name      : p1
Valid     : Yes
Tree root : Yes
Method    : prefix
Key        Type        Data
---        ---         ---
default    Map Policy  p2
/home      Group ID    1
show relative-utilization
Displays an uplink utilization list, which allows you to observe the percentage of the uplink's bandwidth that each
of the downlink ports used during the most recent 30-second port statistics interval. The number of packets sent
and received between the two ports is listed, as well as the ratio of each individual downlink port's packets relative
to the total number of packets on the uplink.
EXAMPLE:
To display an uplink utilization list:
ServerIron(config)# show relative-utilization 1
uplink: ethe 1
30-sec total uplink packet count = 3011
packet count ratio (%)
1/ 2:60
1/ 3:40
In this example, ports 2 and 3 are sending traffic to port 1. Port 2 and port 3 are isolated (not shared by multiple
clients) and typically do not exchange traffic with other ports except for the uplink port, port 1.
show reload
Displays the time and date for scheduled system reloads.
EXAMPLE:
ServerIron# show reload
The ethernet <portnum> parameter displays the RMON port statistics for the specified port.
The <num> parameter displays the specified entry. Entries are numbered beginning with 1.
Possible values: see above
Default value: N/A
show running-config
Displays the running configuration of the ServerIron on the terminal screen.
NOTE: This command is equivalent to the write terminal command.
EXAMPLE:
ServerIron# show running-config
IP: 209.157.23.100
209.157.23.43, http
209.157.23.60, 8080
209.157.23.43, ftp
209.157.23.60, ftp
209.157.23.43, 70
209.157.23.60, 70
IP: 209.157.23.105
209.157.23.60, 300
209.157.23.60, 200
209.157.23.60, 100
209.157.23.60, 400
209.157.23.60, 500
EXAMPLE:
ServerIron# show server conn-rate
Avail. Sessions      = 524286   Total Sessions       = 524288
Total C->S Conn      = 0        Total S->C Conn      = 0
Total Reassign       = 0        Unsuccessful Conn    = 0
last conn rate       = 0        max conn rate        = 0
last TCP attack rate = 0        max TCP attack rate  = 0
SYN def RST          = 0        SYN flood            = 0
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Real Server  State  CurrConn  TotConn  LastRate  CurrRate  MaxRate
rs1          3      0         0        0         0         0
Status  Tx  Rx
0       0   0
0       0   0
TCP-age           = 30
UDP-age           = 5
Sticky-age        = 30
TCP-syn-limit     = 65535
TCP-total conn    = 4337
Unsuccessful conn = 0
ICMP-message      = Disabled
For descriptions of the information shown by this display, see the "Configuring Server Load Balancing" chapter in
the Foundry ServerIron Installation and Configuration Guide.
Possible values: N/A
Default value: N/A
Server->Client = 24817
Aged           = 38
Rev_drops      = 0
old-conn       = 0
Exceed_drop    = 0
Unsuccessful   = 0
ssl      enabled
smtp     enabled
nntp     enabled
ntp      enabled
dns      enabled
pop2     enabled
pop3     enabled
tftp     enabled
imap4    enabled
snmp     enabled
ldap     enabled
70       enabled
default  enabled
when  poll  delay  disp
202   4     0.0    5.45
202   0     0.0    0.0
The following table describes the information displayed by the show sntp associations command.
This Field...          Displays...
(leading character)
ref clock
st
when                   Amount of time since the last NTP packet was received from the peer
poll
delay
disp                   Dispersion in seconds
This Field...          Indicates...
unsynchronized
synchronized
stratum
reference clock
precision
reference time
clock offset
root delay
root dispersion
peer dispersion
show span
Displays spanning tree statistics for a ServerIron such as root cost, root port and priority.
EXAMPLE:
ServerIron# show span
Global STP Parameters:
VLAN Root              Root Root Prio  Max  Hello Hold Fwd  Last  Chg  Bridge
ID   ID                Cost Port rity  Age  sec   sec  dly  Chang cnt  Address
     Hex                         Hex   sec            sec  sec
1    800000e052801400  0    Root 8000  20   2     2    15   0          00e052801400
Port STP Parameters:
VLAN Port Prio Path State       Fwd   Design Design            Design
ID   Num  rity Cost             Trans Cost   Root              Bridge
     Hex
               1    FORWARDING  1     0      800000e052801400  800000e052801400
               0    DISABLED    0     0      0000000000000000  0000000000000000
               0    DISABLED    0     0      0000000000000000  0000000000000000
               0    DISABLED    0     0      0000000000000000  0000000000000000
               0    DISABLED    0     0      0000000000000000  0000000000000000
Global STP Parameters:
VLAN Root              Root Root Prio  Max  Hello Hold Fwd  Last  Chg  Bridge
ID   ID                Cost Port rity  Age  sec   sec  dly  Chang cnt  Address
     Hex                         Hex   sec            sec  sec
2    800000e0520002f5  0    Root 8000                                   00e0520002f5
Port STP Parameters:
VLAN Port Prio Path State       Fwd   Design Design            Design
ID   Num  rity Cost             Trans Cost   Root              Bridge
     Hex
2    1    0080 0    DISABLED                 0000000000000000  0000000000000000
2    2    0080 0    DISABLED                 0000000000000000  0000000000000000
2    3    0080 0    DISABLED                 0000000000000000  0000000000000000
2    4    0080 0    DISABLED                 0000000000000000  0000000000000000
2    5    0080 0    DISABLED                 0000000000000000  0000000000000000
show statistics
Displays port statistics for a ServerIron (transmit, receive, collisions, errors).
EXAMPLE:
ServerIron# show statistics
Buffer Manager Queue  [Pkt Receive  Pkt Transmit]
                       0            0
Port Counters: Packets              Collisions           Errors
Port  [Receive  Transmit]  [Receive  Transmit]  [Align  FCS  Giant  Short]
1/1   15935     5443       0         0          0       0    0      0
1/2   0         0          0         0          0       0    0      0
1/3   0         0          0         0          0       0    0      0
1/4   0         0          0         0          0       0    0      0
2/1   0         0          0         0          0       0    0      0
2/2   0         0          0         0          0       0    0      0
2/3   0         0          0         0          0       0    0      0
2/4   0         0          0         0          0       0    0      0
2/5   0         0          0         0          0       0    0      0
2/6   0         0          0         0          0       0    0      0
2/7   0         0          0         0          0       0    0      0
2/8   0         0          0         0          0       0    0      0
This Field...        Displays...
Packet counters
Receive
Transmit
Collision counters
Receive
Transmit
Packet Errors        These fields show statistics for various types of packet errors. The device drops packets
                     that contain one of these errors.
Align
FCS
Giant                The number of packets that were longer than the configured MTU.
Short                The number of packets that were shorter than the minimum valid length.
show tech-support
Shows technical details for use in troubleshooting issues when working with technical support. The
information shown is a subset of all the available information.
show telnet
Shows the IP address of the station with the active Telnet session. Up to five read access Telnet sessions can be
supported on the ServerIron at one time. Write access through Telnet is limited to one session.
EXAMPLE:
ServerIron# show telnet
Console connections:
        established, active
        14 seconds in idle
Telnet connections:
        established,
        7 seconds in
2       established,
        3 seconds in
3       closed
4       closed
5       closed
SSH connections:
1       closed
2       closed
3       closed
4       closed
5       closed
show trunk
Displays trunk groups and their port membership for ServerIrons.
EXAMPLE:
ServerIron(config-if)# show trunk
Configured trunks:
Trunk Group  Ports
Operational trunks:
Trunk Group  Ports  Duplex  Speed  Tag  Priority
             1 2 3  Full    100M   No   High
show users
Lists the user accounts configured on the ServerIron. See the Foundry Security Guide.
EXAMPLE:
ServerIron# show users
show version
Lists software, hardware and firmware details for a ServerIron.
EXAMPLE:
ServerIron# show version
show vlans
Displays all VLANs configured on the system, their member ports, assigned priority and STP status. To view a
specific VLAN, enter the VLAN ID after the show vlans command.
EXAMPLE:
ServerIron(config)# show vlans
show web-connection
Displays the access levels and IP addresses of the devices that currently have Web management interface
sessions with the ServerIron.
To clear all sessions displayed by this command, see clear web-connection on page 5-8.
EXAMPLE:
ServerIron(config)# show web-connection
User  Privilege  IP address
set   0          192.168.1.234
show who
The show who command lists the active console and Telnet CLI sessions. This command can be used in
conjunction with the kill command, which lets you terminate an active CLI session.
EXAMPLE:
To display the active console and Telnet CLI sessions:
ServerIron# show who
Console connections:
established
Telnet connections:
1 established, client ip address 209.157.22.63
2 closed
3 closed
4 closed
5 closed
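Because show who is the display you pair with kill to end a session, it is also a natural input for a check that no management session comes from an unexpected host. The following parser is an added example, not Foundry code; it assumes the session-line layout shown above, and the allowlist and sample output are constructed.

```python
"""Parse 'show who' output and flag remote CLI sessions from unexpected hosts.
Added example, not Foundry code. It assumes the layout shown above
('N established, client ip address A.B.C.D' or 'N closed'); the allowlist and
the sample output are constructed."""
import ipaddress
import re

SESSION_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<state>established|closed)"
    r"(?:,\s*client ip address\s+(?P<ip>\d+\.\d+\.\d+\.\d+))?\s*$"
)

def parse_show_who(text):
    """Return (section, number, state, ip) for every numbered session line."""
    sessions, section = [], None
    for line in text.splitlines():
        if line.rstrip().endswith("connections:"):
            section = line.split()[0].lower()  # 'console', 'telnet', 'ssh'
            continue
        m = SESSION_RE.match(line)
        if m and section:
            sessions.append((section, int(m["num"]), m["state"], m["ip"]))
    return sessions

def unexpected_sessions(text, allowed_nets):
    """Established remote sessions whose client IP is outside allowed_nets."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    flagged = []
    for section, num, state, ip in parse_show_who(text):
        if section == "console" or state != "established" or ip is None:
            continue
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            flagged.append((section, num, ip))
    return flagged

# Constructed sample modelled on the display above.
SAMPLE = """\
Console connections:
        established
Telnet connections:
1       established, client ip address 209.157.22.63
2       established, client ip address 10.9.8.7
3       closed
4       closed
5       closed
"""

if __name__ == "__main__":
    print(unexpected_sessions(SAMPLE, ["209.157.22.0/24"]))
```

The flagged (section, session number, client IP) tuples give you the session number to pass to kill once you have confirmed the session is not legitimate.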
show wsm-map
Displays the WSM CPU allocations for the forwarding modules in the chassis.
EXAMPLE:
To display the slot allocations for the WSM CPUs, enter the following command at any CLI level:
ServerIron(config)# show wsm-map
slot 2 (weight 24 x 100M) is processed by WSM 1/2 (weight 24)
slot 3 (weight 8 x 1000M) is processed by WSM 1/1 (weight 80)
slot 4 (weight 24 x 100M) is processed by WSM 1/3 (weight 24)
The chassis slot (slot 2 in the first row of the example above)
The weight of the module in the slot (weight 24 x 100M in the first row of the example above)
The chassis slot that contains the Web Switching Management Module and the WSM CPU to which the
forwarding module described by this row is allocated (is processed by WSM 1/2). The 1 in this example
indicates the Web Switching Management Module is in chassis slot 1. The 2 in this example indicates that
WSM CPU 2 is handling Layer 4-7 processing for the forwarding module in slot 2.
The total weight assigned to the WSM CPU (weight 24 in the first row of this example)
show wsm-state
Displays general information for a Web Switching Management Module.
EXAMPLE:
ServerIron(config)# show wsm-state
==================================================
WSM MODULE (6) App CPU
0 MB SHM, 3 Application Processors
CPU 0 in state of WSM_STATE_RUNNING
CPU 1 in state of WSM_STATE_RUNNING
CPU 2 in state of WSM_STATE_RUNNING
--------------Module 6 App CPU 1, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 268M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71),
Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent
--------------Module 6 App CPU 2, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 134M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71),
Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent
--------------Module 6 App CPU 3, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 268M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71),
Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent