
Performance by Design

AX Series Advanced Traffic Manager

Command Line Interface Reference


Document No.: D-030-01-00-0003 Ver. 2.4.3-P2 11/3/2010

Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-408-325-8676 (support)
Fax: +1-408-325-8666
www.a10networks.com

A10 Networks, Inc. 11/3/2010 - All Rights Reserved

Information in this document is subject to change without notice.

Trademarks
A10 Networks, the A10 logo, ACOS, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, VirtualADC, Virtual Chassis, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.

Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and patents pending: 7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789, 20070283429, 20070271598, 20070180101

Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written consent of A10 Networks, Inc. This information may contain forward looking statements and therefore is subject to change.

A10 Networks Inc. Software License and End User Agreement


Software for all AX Series products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees to treat Software as confidential information. Anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not: 1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means 2) sublicense, rent or lease the Software.

Disclaimer
The information presented in this document describes the specific products noted and does not imply nor grant a guarantee of any technical performance nor does it provide cause for any eventual claims resulting from the use or misuse of the products described herein or errors and/or omissions. A10 Networks, Inc. reserves the right to make technical and other changes to their products and documents at any time and without prior notification. No warranty is expressed or implied; including and not limited to warranties of non-infringement, regarding programs, circuitry, descriptions and illustrations herein.

Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of electronic components in your area.

Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10 Networks, Inc. location which can be found by visiting www.a10networks.com.

AX Series - Command Line Interface - Reference


About This Document

End User License Agreement


IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING OR USING A10 NETWORKS OR A10 NETWORKS PRODUCTS, OR SUPPLIED SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT. A10 NETWORKS IS WILLING TO LICENSE THE PRODUCT (AX SERIES) TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS LICENSE AGREEMENT. BY DOWNLOADING OR INSTALLING THE SOFTWARE, OR USING THE EQUIPMENT THAT CONTAINS THIS SOFTWARE, YOU ARE BINDING YOURSELF AND THE BUSINESS ENTITY THAT YOU REPRESENT (COLLECTIVELY, "CUSTOMER") TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, THEN A10 NETWORKS IS UNWILLING TO LICENSE THE SOFTWARE TO YOU AND DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.

The following terms of this End User License Agreement ("Agreement") govern Customer's access and use of the Software, except to the extent there is a separate signed agreement between Customer and A10 Networks governing Customer's use of the Software License. Conditioned upon compliance with the terms and conditions of this Agreement, A10 Networks Inc. or its subsidiary licensing the Software instead of A10 Networks Inc. ("A10 Networks"), grants to Customer a nonexclusive and nontransferable license to use for Customer's business purposes the Software and the Documentation for which Customer has paid all required fees. "Documentation" means written information (whether contained in user or technical manuals, training materials, specifications or otherwise) specifically pertaining to the product or products and made available by A10 Networks in any manner (including on CD-Rom, or on-line). Unless otherwise expressly provided in the Documentation, Customer shall use the Software solely as embedded in or for execution on A10 Networks equipment owned or leased by Customer and used for Customer's business purposes.

General Limitations. This is a license, not a transfer of title, to the Software and Documentation, and A10 Networks retains ownership of all copies of the Software and Documentation. Customer acknowledges that the Software and Documentation contain trade secrets of A10 Networks, its suppliers or licensors, including but not limited to the specific internal design and structure of individual programs and associated interface information. Accordingly, except as otherwise expressly provided under this Agreement, Customer shall have no right, and Customer specifically agrees not to:

a. transfer, assign or sublicense its license rights to any other person or entity, or use the Software on unauthorized or secondhand A10 Networks equipment
b. make error corrections to or otherwise modify or adapt the Software or create derivative works based upon the Software, or permit third parties to do the same
c. reverse engineer or decompile, decrypt, disassemble or otherwise reduce the Software to human readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction
d. disclose, provide, or otherwise make available trade secrets contained within the Software and Documentation in any form to any third party without the prior written consent of A10 Networks. Customer shall implement reasonable security measures to protect such trade secrets.

Software, Upgrades and Additional Products or Copies. For purposes of this Agreement, "Software" and Products shall include (and the terms and conditions of this Agreement shall apply to) computer programs, including firmware and hardware, as provided to Customer by A10 Networks or an authorized A10 Networks reseller, and any upgrades, updates, bug fixes or modified versions thereto (collectively, "Upgrades") or backup copies of the Software licensed or provided to Customer by A10 Networks or an authorized A10 Networks reseller. OTHER PROVISIONS OF THIS AGREEMENT:

a. CUSTOMER HAS NO LICENSE OR RIGHT TO USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE OR ADDITIONAL COPIES
b. USE OF UPGRADES IS LIMITED TO A10 NETWORKS EQUIPMENT FOR WHICH CUSTOMER IS THE ORIGINAL END USER PURCHASER OR LEASEE OR WHO OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED
c. THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY.

Term and Termination. This Agreement and the license granted herein shall remain effective until terminated. All confidentiality obligations of Customer and all limitations of liability and disclaimers and restrictions of warranty shall survive termination of this Agreement.

Export. Software and Documentation, including technical data, may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export, or import Software and Documentation.

Trademarks. A10 Networks, the A10 logo, ACOS, aFleX, aFlow, aGalaxy, aVCS, aXAPI, IDaccess, IDsentrie, IP-to-ID, SoftAX, Virtual Chassis, and VirtualN are trademarks or registered trademarks of A10 Networks, Inc. All other trademarks are property of their respective owners.

Patents Protection. A10 Networks products including all AX Series are protected by one or more of the following US patents and patents pending: 7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789, 20070283429, 20070271598, 20070180101.

Limited Warranty
Disclaimer of Liabilities. REGARDLESS OF ANY REMEDY SET FORTH FAILS OF ITS ESSENTIAL PURPOSE OR OTHERWISE, IN NO EVENT WILL A10 NETWORKS OR ITS SUPPLIERS BE LIABLE FOR ANY LOST REVENUE, PROFIT, OR LOST OR DAMAGED DATA, BUSINESS INTERRUPTION, LOSS OF CAPITAL, OR FOR SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY OR WHETHER ARISING OUT OF THE USE OF OR INABILITY TO USE PRODUCT OR OTHERWISE AND EVEN IF A10 NETWORKS OR ITS SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

In no event shall A10 Networks or its suppliers' or licensors' liability to Customer, whether in contract, (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim or if the Software is part of another Product, the price paid for such other Product. Customer agrees that the limitations of liability and disclaimers set forth herein will apply regardless of whether Customer has accepted the Software or any other product or service delivered by A10 Networks. Customer acknowledges and agrees that A10 Networks has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the parties.

The Warranty and the End User License shall be governed by and construed in accordance with the laws of the State of California, without reference to or application of choice of law rules or principles. If any portion hereof is found to be void or unenforceable, the remaining provisions of the Agreement shall remain in full force and effect. This Agreement constitutes the entire and sole agreement between the parties with respect to the license of the use of A10 Networks Products unless otherwise superseded by a written signed agreement.


Obtaining Technical Assistance


For all customers, partners, resellers, and distributors who hold valid A10 Networks Regular and Technical Support service contracts, the A10 Networks Technical Assistance Center provides support services online and over the phone.

Corporate Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com

Collecting System Information


The AX device provides a simple method to collect configuration and status information for Technical Support to use when diagnosing system issues. To collect system information, use either of the following methods.

USING THE GUI (RECOMMENDED)


1. Log into the GUI.
2. Select Monitor > System > Logging.
3. On the menu bar, click Show Tech.
4. Click Export. The File Download dialog appears.
5. Click Save. The Save As dialog appears.
6. Navigate to the location where you want to save the file, and click Save.
7. Email the file as an attachment to support@A10Networks.com.


USING THE CLI


1. Log into the CLI.
2. Enable logging in your terminal emulation application, to capture output generated by the CLI.
3. Enter the enable command to access the Privileged EXEC mode of the CLI. Enter your enable password at the Password prompt.
4. Enter the show techsupport command.
5. After the command output finishes, save the output in a file.
6. Email the file as an attachment to support@A10Networks.com.

Note: As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using the following command:

show techsupport export [use-mgmt-port] url

(For syntax information, see the AX Series CLI Reference.)


About This Document


This document describes the Command Line Interface (CLI) of the A10 Networks AX Series Advanced Traffic Manager. The CLI enables administrators to configure and manage the device. Descriptions of all commands and their options are provided.

Additional information is available for AX Series systems in the following documents. These documents are included on the documentation CD shipped with your AX Series system, and also are available on the A10 Networks support site:

AX Series Installation Guides
AX Series Configuration Guide
AX Series GUI Reference guide
AX Series aFleX Reference Guide
AX Series MIB Reference
AX Series aXAPI Reference

System Description - The AX Series


FIGURE 1 The AX Series Advanced Traffic Manager

The AX Series is the industry's best performing application acceleration switch that helps organizations scale and maximize application availability through the world's most advanced application delivery platform. The AX Series Advanced Core Operating System (ACOS) accelerates and secures critical business applications, provides the highest performance and reliability, and establishes a new industry-leading price/performance

Audience
This document is for network architects for determining applicability and planning implementation, and for system administrators for provisioning and maintenance of A10 Networks AX Series devices.



Contents

End User License Agreement
Obtaining Technical Assistance
  Collecting System Information
About This Document
  System Description - The AX Series
  Audience

Using the CLI

System Access
Session Access Levels
High Availability Status in Command Prompt
CLI Quick Reference
Context-Sensitive Help
The no Form of Commands
Command History
Editing Features and Shortcuts
Searching and Filtering CLI Output
Regular Expressions
Special Character Support in Strings

EXEC Commands

backup config
backup log
enable
exit
health-test
help
no
ping
show
ssh
telnet
traceroute

Privileged EXEC mode Commands

active-partition
axdebug
backup config
backup log
clear
clock
config
debug
diff
disable
exit
export
health-test
help
import
locale
no
ping
reboot
reload
repeat
show
shutdown
ssh
telnet
terminal
traceroute
write
write terminal

Config Commands: Global

69

access-list (standard) ............................................................................................................................ 69 access-list (extended) ............................................................................................................................ 72 accounting ............................................................................................................................................. 77 admin ..................................................................................................................................................... 79 admin lockout ........................................................................................................................................ 81 aflex ....................................................................................................................................................... 82 arp ......................................................................................................................................................... 82 arp timeout ............................................................................................................................................. 83 audit ....................................................................................................................................................... 83 authentication ........................................................................................................................................ 85 authorization .......................................................................................................................................... 86 axdebug ................................................................................................................................................. 
87 banner ................................................................................................................................................... 88 boot-block-fix ......................................................................................................................................... 89 bootimage .............................................................................................................................................. 89 bpdu-fwd-group ..................................................................................................................................... 90 bridge-vlan-group .................................................................................................................................. 91 bw-list .................................................................................................................................................... 92 class-list (for IP limiting) ......................................................................................................................... 93 class-list (for LSN) ................................................................................................................................. 95 clock timezone ....................................................................................................................................... 96

12 of 722

P e r f o r m a n c e

b y

D e s i g n

Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010

AX Series - Command Line Interface - Reference


Contents convert-passwd ...................................................................................................................................... 97 copy ....................................................................................................................................................... 98 delete startup-config .............................................................................................................................. 99 disable ................................................................................................................................................. 100 disable-management ........................................................................................................................... 101 do ......................................................................................................................................................... 103 enable .................................................................................................................................................. 103 enable-core .......................................................................................................................................... 104 enable-management ............................................................................................................................ 105 enable-password .................................................................................................................................. 106 end ....................................................................................................................................................... 107 erase .................................................................................................................................................... 
exit
floating-ip
fwlb
gslb
ha
health external
health global
health monitor
health postfile
hostname
icmp-rate-limit
interface
ip
ipv6
l3-vlan-fwd-disable
lid
link
locale
logging target severity-level
logging buffered
logging email buffer
logging email filter
logging email-address
logging export
logging facility
logging flow-control
logging host
lsn-lid
mac-address
mac-age-time
mirror-port
monitor
no
ntp
packet-handling
partition
ping
radius-server
raid
restore
route-map
router
router log file
router log record-priority
router log stdout
router log syslog
router log trap
session-filter
slb
smtp
snat-on-vip
snmp-server community
snmp-server contact
snmp-server enable
snmp-server group
snmp-server host
snmp-server location
snmp-server user
snmp-server view
stats-data-disable
stats-data-enable
switch
syn-cookie
system {all-vlan-limit | per-vlan-limit}
system lid
system module-ctrl-cpu
system pbslb bw-list
system pbslb id
system pbslb over-limit
system pbslb sockstress-disable
system pbslb timeout
system resource-usage
system template
system-reset
tacacs-server
techreport
terminal
tftp blksize
trunk
tx-congestion-ctrl
update
upgrade
vlan
web-service
write
write terminal

Config Commands: Interface

access-list
cpu-process
disable
duplexity
enable
flow-control
icmp-rate-limit
interface
ip address
ip allow-promiscuous-vip
ip cache-spoofing-port
ip control-apps-use-mgmt-port (management interface only)
ip default-gateway (management interface only)
ip helper-address
ip nat
ip ospf
ip router
ip tcp syn-cookie
ipv6 (on management interface)
ipv6 access-list
ipv6 address
ipv6 enable
ipv6 nat
ipv6 ndisc router-advertisement
ipv6 ospf cost
ipv6 ospf dead-interval
ipv6 ospf hello-interval
ipv6 ospf neighbor
ipv6 network
ipv6 ospf priority
ipv6 ospf retransmit-interval
ipv6 ospf transmit-delay
ipv6 router
l3-vlan-fwd-disable
load-interval
monitor
mtu
name
ospf
speed

Config Commands: VLAN

name
router-interface
tagged
untagged

Config Commands: IP

ip address
ip anomaly-drop
ip as-path
ip community-list
ip default-gateway
ip dns
ip extcommunity-list
ip frag timeout
ip nat alg pptp
ip nat allow-static-host
ip nat inside
ip nat inside (for LSN)
ip nat lsn enable-full-cone-for-well-known
ip nat lsn ip-selection
ip nat lsn logging default-template
ip nat lsn logging pool
ip nat lsn port-reservation
ip nat lsn stun-timeout
ip nat lsn syn-timeout
ip nat pool
ip nat pool-group
ip nat range-list
ip nat reset-idle-tcp-conn
ip nat template logging
ip nat translation
ip prefix-list
ip prefix-list list-id description
ip prefix-list sequence-number
ip route
ip tcp syn-cookie threshold

Config Commands: IPv6

ipv6 access-list
ipv6 address
ipv6 default-gateway
ipv6 nat pool
ipv6 neighbor
ipv6 ospf display
ipv6 ospf restart grace-period
ipv6 ospf restart helper
ipv6 route

Config Commands: Router OSPF

Configuration Commands Applicable to OSPFv2 or OSPFv3

area area-id default-cost
area area-id range
area area-id stub
area area-id virtual-link
auto-cost reference bandwidth
capability restart
default-metric
ha-standby-extra-cost
max-concurrent-dd
maximum-area
passive-interface
redistribute
router-id
timers spf exp

Configuration Commands Applicable to OSPFv2 Only

area area-id authentication
area area-id filter-list
area area-id multi-area-adjacency
area area-id nssa
area area-id shortcut
capability opaque
compatible rfc1583
default-information originate
distance
distribute-list
host ipaddr area
neighbor
network
ospf abr-type
overflow database
summary-address

Configuration Commands Applicable to OSPFv3 Only

Config Commands: Server Load Balancing

slb buff-thresh
slb compress-block-size
slb conn-rate-limit
slb dns-cache-age
slb dns-cache-enable
slb dsr-health-check-enable
slb enable-l7-req-acct
slb fast-path-disable
slb graceful-shutdown
slb hw-compression
slb l2l3-trunk-lb-disable
slb msl-time
slb mss-table
slb new-path-enable
slb rate-limit-logging
slb reset-stale-session
slb server
slb service-group
slb snat-gwy-for-l3
slb snat-on-vip
slb ssl-create certificate
slb ssl-create csr
slb ssl-delete
slb ssl-load
slb template
slb transparent-tcp-template
slb virtual-server

Config Commands: SLB Templates

slb template cache
slb template client-ssl
slb template connection-reuse
slb template dns
slb template http
slb template persist cookie
slb template persist destination-ip
slb template persist source-ip
slb template persist ssl-sid
slb template policy
slb template port
slb template server
slb template server-ssl
slb template sip (SIP over UDP)
slb template sip (SIP over TCP/TLS)
slb template smtp
slb template streaming-media
slb template tcp
slb template tcp-proxy
slb template udp
slb template virtual-port
slb template virtual-server


Config Commands: SLB Servers

conn-limit
conn-resume
disable
enable
external-ip
ha-priority-cost
health-check
ipv6
port
slow-start
spoofing-cache
stats-data-disable
stats-data-enable
template server
weight

Config Commands: SLB Service Groups

health-check
member
method
min-active-member
reset-on-server-selection-fail
stats-data-disable
stats-data-enable

Config Commands: SLB Virtual Servers

arp-disable
disable
enable
ha-dynamic
ha-group
port
redistribution-flagged
stats-data-disable
stats-data-enable
template policy
template virtual-server

Config Commands: SLB Virtual Server Ports

access-list
aflex
conn-limit
def-selection-if-pref-failed
disable
enable
gslb-enable
ha-conn-mirror
no-dest-nat
pbslb
reset-on-server-selection-fail
service-group
snat-on-vip
source-nat
stats-data-disable
stats-data-enable
syn-cookie
template
template virtual-port
use-default-if-no-server
use-rcv-hop-for-resp

Config Commands: Global Server Load Balancing

gslb active-rtt
gslb dns action
gslb dns logging
gslb geo-location
gslb geo-location delete
gslb geo-location load
gslb ip-list
gslb ping
gslb policy
gslb protocol
gslb protocol limit
gslb service-ip
gslb site
gslb system wait
gslb template csv
gslb template snmp
gslb zone

Config Commands: GSLB Policy

active-rtt
active-servers
admin-preference
alias-admin-preference
bw-cost
capacity
connection-load
dns
geo-location
geo-location full-domain-share
geo-location match-first
geo-location overlap
geographic
health-check
ip-list
least-response
metric-fail-break
metric-force-check
metric-order
num-session
ordered-ip
passive-rtt
round-robin
weighted-alias
weighted-ip
weighted-site

Config Commands: Firewall Load Balancing

fwlb node
fwlb service-group
fwlb virtual-firewall

Config Commands: SLB Health Monitors

disable-after-down
method
override-ipv4
override-ipv6
override-port
strictly-retry-on-server-error-response

Config Commands: High Availability

ha arp-retry
ha check gateway
ha check route
ha check vlan
ha conn-mirror
ha force-self-standby
ha forward-l4-packet-on-standby
ha group
ha id
ha inline-mode
ha interface
ha l3-inline-mode
ha link-event-delay
ha ospf-inline vlan
ha preemption-enable
ha restart-port-list
ha restart-time
ha sync
ha time-interval
ha timeout-retry-count

Show Commands

show access-list
show active-partition
show admin
show aflex
show arp
show audit
show axdebug file
show axdebug filter
show axdebug status
show bootimage
show bpdu-fwd-group
show bridge-vlan-group
show bw-list
show class-list
show clock
show core
show cpu
show debug
show disk
show dns
show dns-cache-stat
show dumpthread
show environment
show errors
show fwlb node
show fwlb service-group
show fwlb virtual-firewall
show gslb cache
show gslb geo-location
show gslb ip-list
show gslb memory
show gslb policy
show gslb protocol
show gslb rtt
show gslb samples conn
show gslb samples conn-load
show gslb samples rtt
show gslb service
show gslb service-ip
show gslb service-port
show gslb session
show gslb site
show gslb slb-device
show gslb state
show gslb statistics
show gslb zone
show ha
show ha mac
show health
show history
show icmp
show interfaces
show ip dns
show {ip | ipv6} fib
show ip helper-address
show {ip | ipv6} interfaces
show {ip | ipv6} isis
show ip nat
show ip nat lsn
show ipv6 ndisc
show ipv6 neighbor
show {ip | ipv6} ospf
show ip ospf border-routers
show ip ospf database
show ipv6 ospf database
show {ip | ipv6} ospf interface
show ip ospf multi-area-adjacencies
show {ip | ipv6} ospf neighbor
show ip ospf redistributed
show {ip | ipv6} ospf route
show ipv6 ospf topology
show {ip | ipv6} ospf virtual-links
show {ip | ipv6} protocols
show ip route
show ipv6 route
show ipv6 traffic
show isis
show key-chain
show lid
619 show locale .......................................................................................................................................... 620 show log ............................................................................................................................................... 621 show mac-address-table ...................................................................................................................... 622 show management ............................................................................................................................... 623 show memory ....................................................................................................................................... 624 show mirror .......................................................................................................................................... 626 show monitor ........................................................................................................................................ 626 show ntp .............................................................................................................................................. 627
P e r f o r m a n c e D e s i g n Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010 b y

23 of 722

AX Series - Command Line Interface - Reference


Contents show partition ...................................................................................................................................... 628 show pbslb ........................................................................................................................................... 629 show process ....................................................................................................................................... 630 show reboot ......................................................................................................................................... 631 show router log file .............................................................................................................................. 631 show running-config ............................................................................................................................ 632 show session ....................................................................................................................................... 634 show shutdown .................................................................................................................................... 639 show sip ............................................................................................................................................... 640 show slb ............................................................................................................................................... 640 show smtp ........................................................................................................................................... 640 show startup-config ............................................................................................................................. 641 show statistics ..................................................................................................................................... 
643 show switch ......................................................................................................................................... 644 show system resource-usage .............................................................................................................. 645 show tacacs-server .............................................................................................................................. 646 show techsupport ................................................................................................................................ 647 show terminal ...................................................................................................................................... 647 show tftp .............................................................................................................................................. 648 show trunk ........................................................................................................................................... 648 show version ........................................................................................................................................ 649 show vlans ........................................................................................................................................... 650 show web-service ................................................................................................................................ 650

SLB Show Commands

show slb cache
show slb connection-reuse
show slb conn-rate-limit
show slb fast-http-proxy
show slb ftp
show slb geo-location
show slb http-proxy
show slb hw-compression
show slb l4
show slb passthrough
show slb performance
show slb persist
show slb rate-limit-logging
show slb server
show slb service-group
show slb sip
show slb smtp
show slb ssl
show slb ssl-proxy
show slb switch
show slb syn-cookie
show slb tcp-proxy
show slb template
show slb virtual-server

AX Debug Commands

capture
count
delete
filter
incoming | outgoing
length
maxfile
outgoing
timeout

show health stat Up / Down Causes

Up Causes
Down Causes


Using the CLI


This chapter describes how to use the Command Line Interface (CLI) for the AX Series Advanced Traffic Manager from A10 Networks. The commands and their options are described in the other chapters.

System Access
You can access the CLI through a console connection, an SSH session, or a Telnet session. Regardless of which connection method is used, access to the AX CLI is generally referred to as an EXEC session or simply a CLI session.

Note: By default, Telnet access is disabled on all interfaces, including the management interface. SSH, HTTP, HTTPS, and SNMP access are enabled by default on the management interface only, and disabled by default on all data interfaces.

Session Access Levels


As a security feature, the AX Series operating system separates EXEC sessions into two different access levels: User EXEC level and Privileged EXEC level. User EXEC level allows you to access only a limited set of basic monitoring commands. The Privileged EXEC level allows you to access all AX Series commands (configuration mode, configuration submodes and management mode) and can be password protected so that only authorized users can configure or maintain the system.

User EXEC Level: AX>

This is the first level entered when a CLI session begins. At this level, users can view basic system information but cannot configure system or port parameters. For example, when an EXEC session is started, the AX Series will display the AX> prompt. The right arrow (>) in the prompt indicates that the system is at the User EXEC level. The User EXEC level does not contain any commands that might control (for example, reload or configure) the operation of the AX device. To list the commands available at the User EXEC level, type a question mark (?) then press Enter at the prompt; for example, AX>?.

Privileged EXEC Level: AX#

This level is also called the enable level because the enable command is used to gain access. Privileged EXEC level can be password secured. The privileged user can perform tasks such as managing files in the flash module, saving the system configuration to flash, and clearing caches at this level. Critical commands (configuration and management) require that the user be at the Privileged EXEC level. To change to the Privileged EXEC level, type enable then press Enter at the AX> prompt. If an enable password is configured, the AX Series will then prompt for that password. When the correct enable password is entered, the AX Series prompt will change from AX> to AX#, indicating that the user is now at the Privileged EXEC level. To switch back to the User EXEC level, type disable at the AX# prompt. Typing a question mark (?) at the Privileged EXEC level will now reveal many more command options than those available at the User EXEC level.

Privileged EXEC Level - Config Mode: AX(config)#

The Privileged EXEC level's configuration mode is used to configure the system IP address and to configure switching and routing features. To access the configuration mode, you must first be logged into the Privileged EXEC level. From the opening CLI prompt, enter the following command to change to the Privileged level of the EXEC mode:

AX>enable

To access the CONFIG level of the CLI, enter the config command:

AX#config

The prompt changes to include (config):

AX(config)#

High Availability Status in Command Prompt


If High Availability (HA) is configured on the AX device, the command prompt shows the HA status:
AX-Active#

or
AX-Standby#

Note: If HA is not configured, the prompt is simply the hostname (AX by default). Display of the HA status is configurable. (See terminal on page 171.)

CLI Quick Reference


Entering the help command (available at any command level) returns the CLI Quick Reference, as follows:
AX>help
CLI Quick Reference
===============
1. Online Help
Enter ? at a command prompt to list the commands available at that CLI level.
Enter "?" at any point within a command to list the available options.
Two types of help are provided:
1) When you are ready to enter a command option, type "?" to display each possible option and its description. For example: show ?
2) If you enter part of an option followed by "?", each command or option that matches the input is listed. For example: show us?
2. Word Completion
The CLI supports command completion, so you do not need to enter the entire name of a command or option. As long as you enter enough characters of the command or option name to avoid ambiguity with other commands or options, the CLI can complete the command or option. After entering enough characters to avoid ambiguity, press "tab" to auto-complete the command or option.
AX>

Context-Sensitive Help
Enter a question mark (?) at the system prompt to display a list of available commands for each command mode. The context-sensitive help feature provides a list of the arguments and keywords available for any command. To view help specific to a command name, a command mode, a keyword, or an argument, enter any of the following commands:


Prompt: AX> or AX# or (config)#

| Command | Purpose |
|---|---|
| help | Displays the CLI Quick Reference |
| abbreviated-command-help? | Lists all commands beginning with abbreviation before the (?). If the abbreviation is not found, the AX Series returns: % Ambiguous command |
| abbreviated-command-complete<Tab> | Completes a partial command name if unambiguous. |
| ? | Lists all valid commands available at the current level |
| command ? | Lists the available syntax options (arguments and keywords) for the entered command. |
| command keyword ? | Lists the next available syntax option for the command. |

A space (or lack of a space) before the question mark (?) is significant when using context-sensitive help. To determine which commands begin with a specific character sequence, type in those characters followed directly by the question mark; e.g. AX#te?. Do not include a space. This help form is called word help, because it completes the word for you.

To list arguments or keywords, enter a question mark (?) in place of the argument or the keyword. Include a space before the (?); e.g. AX# terminal ?. This form of help is called command syntax help, because it shows you which keywords or arguments are available based on the command, keywords, and arguments that you already entered.

Users can abbreviate commands and keywords to the minimum number of characters that constitute a unique abbreviation. For example, you can abbreviate the config terminal command to conf t. If the abbreviated form of the command is unique, then the AX Series accepts the abbreviated form and executes the command.

Context Sensitive Help Examples

The following example illustrates how the context-sensitive help feature enables you to create an access list from configuration mode. Enter the letters co at the system prompt followed by a question mark (?). Do not leave a space between the last letter and the question mark. The system provides the commands that begin with co.

AX#co?
config    Entering config mode

Enter the config command followed by a space and a question mark to list the keywords for the command and a brief explanation:

AX#config ?
terminal    Config from the terminal
<cr>

The <cr> symbol (cr stands for carriage return) appears in the list to indicate that one of your options is to press the Return or Enter key to execute the command, without adding any additional keywords. In this example, the output indicates that your only option for the config command is config terminal (configure manually from the terminal connection).

The no Form of Commands


Most configuration commands have a no form. Typically, you use the no form to disable a feature or function. The command without the no keyword is used to re-enable a disabled feature or to enable a feature that is disabled by default. For example, if terminal auto-size has been enabled previously, use the no terminal auto-size form of the terminal auto-size command to disable it. To re-enable it, use the terminal auto-size form. This document describes the function of the no form of the command whenever a no form is available.


Command History
The CLI provides a history or record of commands that you have entered. This feature is particularly useful for recalling long or complex commands or entries, including access lists. To use the command history feature, perform any of the tasks described in the following sections:
Setting the command history buffer size
Recalling commands
Disabling the command history feature

Setting the Command History Buffer Size


The AX Series records ten command lines in its history buffer, by default. To change the number of command lines that the system will record during the current terminal session, use the following command in EXEC mode:

| Command | Description |
|---|---|
| AX# terminal history [size number-of-lines] | Enables the command history feature for the current terminal session. |
| AX# no terminal history size | Resets the number of commands saved in the history buffer to the default of 256 commands. |
| AX(config)# terminal history [size number-of-lines] | Enables the command history feature for all the configuration sessions. |

Recalling Commands
To recall commands from the history buffer, use one of the following commands or key combinations:

| Command or Key Combination | Description |
|---|---|
| Ctrl+P or Up Arrow key (1) | Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands. |
| Ctrl+N or Down Arrow key (1) | Returns to more recent commands in the history buffer after recalling commands with Ctrl+P or the Up Arrow key. Repeat the key sequence to recall successively more recent commands. |
| AX> show history | While in EXEC mode, lists the most recent commands entered. |

1. The arrow keys function only on ANSI-compatible terminals.


Editing Features and Shortcuts


A variety of shortcuts and editing features are enabled for the AX Series CLI. The following subsections describe these features:
Moving the cursor on the command line
Completing a partial command name
Recalling deleted entries
Editing command lines that wrap
Deleting entries
Continuing output at the --MORE-- prompt
Re-displaying the current command line

Positioning the Cursor on the Command Line


The table below lists key combinations used to position the cursor on the command line for making corrections or changes. The Control key (ctrl) must be pressed simultaneously with the associated letter key. The Escape key (esc) must be pressed first, followed by its associated letter key. The letters are not case sensitive. Many letters used for CLI navigation and editing were chosen to simplify remembering their functions. In the following table, characters bolded in the Function Summary column indicate the relation between the letter used and the function.

| Keystrokes | Function Summary | Function Details |
|---|---|---|
| Left Arrow or ctrl+B | Back character | Moves the cursor left one character. When entering a command that extends beyond a single line, press the Left Arrow or Ctrl+B keys repeatedly to move back toward the system prompt to verify the beginning of the command entry, or you can also press Ctrl+A. |
| Right Arrow or ctrl+F | Forward character | Moves the cursor right one character. |
| ctrl+A | Beginning of line | Moves the cursor to the very beginning of the command line. |
| ctrl+E | End of line | Moves the cursor to the very end of the line. |


Completing a Partial Command Name


If you do not remember a full command name, or just to reduce the amount of typing you have to do, enter the first few letters of a command, then press tab. The CLI parser then completes the command if the string entered is unique to the command mode. If the keyboard has no tab key, you can also press ctrl+I.

The CLI will recognize a command once you enter enough text to make the command unique. For example, if you enter conf while in the privileged EXEC mode, the CLI will associate your entry with the config command, because only the config command begins with conf. In the next example, the CLI recognizes the unique string conf for privileged EXEC mode of config after pressing the tab key:

AX# conf<tab>
AX# config

When using the command completion feature, the CLI displays the full command name. Commands are not executed until the Enter key is pressed. This way you can modify the command if the derived command is not what you expected from the abbreviation. Entering a string of characters that indicate more than one possible command (for example, te) results in the following response from the CLI:

AX#te
% Ambiguous command
AX#

If the CLI cannot complete the command, enter a question mark (?) to obtain a list of commands that begin with the character set entered. Do not leave a space between the last letter you enter and the question mark (?). In the example above, te is ambiguous. It is the beginning of both the telnet and terminal commands, as shown in the following example:

AX#te?
telnet      Open a tunnel connection
terminal    Set terminal line parameters
AX#te

The letters entered before the question mark (te) are reprinted to the screen to allow continuation of command entry from where you left off.


Deleting Command Entries


If you make a mistake or change your mind, you can use the following keys or key combinations to delete command entries:

| Keystrokes | Purpose |
|---|---|
| backspace | The character immediately left of the cursor is deleted. |
| delete or ctrl+D | The character that the cursor is currently on is deleted. |
| ctrl+K | All characters from the cursor to the end of the command line are deleted. |
| ctrl+U or ctrl+X | All characters from the cursor to the beginning of the command line are deleted. |
| ctrl+W | The word to the left of the cursor is deleted. |

Editing Command Lines that Wrap


The CLI provides a wrap-around feature for commands extending beyond a single line on the display. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command. To scroll back, press ctrl+B or the left arrow key repeatedly until you scroll back to the command entry, or press ctrl+A to return directly to the beginning of the line. The AX Series software assumes you have a terminal screen that is 80 columns wide. If you have a different screen-width, use the terminal width EXEC command to set the width of the terminal. Use line wrapping in conjunction with the command history feature to recall and modify previous complex command entries. See the Recalling Commands section in this chapter for information about recalling previous command entries.

Continuing Output at the --MORE-- Prompt


When working with the CLI, output often extends beyond the visible screen length. For cases where output continues beyond the bottom of the screen, such as with the output of many ?, show, or more commands, the output is paused and a --MORE-- prompt is displayed at the bottom of the screen. To proceed, press the Enter key to scroll down one line, or press the spacebar to display the next full screen of output.

Redisplay the Current Command Line


If you are entering a command and the system suddenly sends a message to your screen, you can easily recall your current command line entry. To redisplay the current command line (refresh the screen), use either of the following key combinations:

| Keystrokes | Purpose |
|---|---|
| ctrl+L or ctrl+R | Re-displays the current command line |

Searching and Filtering CLI Output


The CLI permits searching through large amounts of command output by filtering the output to exclude information that you do not need. The show command supports the following output filtering options:
begin string      Begins the output with the line containing the specified string
include string    Displays only the output lines that contain the specified string
exclude string    Displays only the output lines that do not contain the specified string
section string    Displays only the lines for the specified section (for example, slb server, virtual-server, or logging). To display all server-related configuration lines, you can enter server.

Use | as a delimiter between the show command and the display filter. You can use regular expressions in the filter string, as shown in this example:

AX(config)#show arp | include 192.168.1.3*
192.168.1.3     001d.4608.1e40  Dynamic  ethernet4
192.168.1.33    0019.d165.c2ab  Dynamic  ethernet4

The output filter in this example displays only the ARP entries that contain IP addresses that match 192.168.1.3 and any value following 3. The asterisk ( * ) matches on any pattern following the 3. (See Regular Expressions on page 37.)

The following example displays the startup-config lines for logging:

AX(config)#show startup-config | section logging
logging console error
logging buffered debugging
logging monitor debugging
logging buffered 30000
logging facility local0

Regular Expressions
Regular expressions are patterns (e.g. a phrase, number, or more complex pattern) used by the CLI string search feature to match against show or more command output. Regular expressions are case sensitive and allow for complex matching requirements. A simple regular expression can be an entry like Serial, misses, or 138. Complex regular expressions can be an entry like 00210... , ( is ), or [Oo]utput. A regular expression can be a single-character pattern or a multiple-character pattern. This means that a regular expression can be a single character that matches the same single character in the command output or multiple characters that match the same multiple characters in the command output. The pattern in the command output is referred to as a string. This section describes creating single-character patterns.

Single-Character Patterns
The simplest regular expression is a single character that matches the same single character in the command output. You can use any letter (A-Z, a-z) or digit (0-9) as a single-character pattern. You can also use other keyboard characters (such as ! or ~) as single-character patterns, but certain keyboard characters have special meaning when used in regular expressions. The following table lists the keyboard characters that have special meaning.

Character         Meaning
.                 Matches any single character, including white space
*                 Matches 0 or more sequences of the pattern
+                 Matches 1 or more sequences of the pattern
?                 Matches 0 or 1 occurrences of the pattern
^                 Matches the beginning of the string
$                 Matches the end of the string
_ (underscore)    Matches a comma (,), left brace ({), right brace (}), left parenthesis ( ( ), right parenthesis ( ) ), the beginning of the string, the end of the string, or a space.
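The following added example (not part of the A10 documentation, and not AX code) models the begin, include and exclude filters in Python and applies the table's meanings literally, to show how an unanchored pattern with unescaped dots selects more rows than intended and how ^, a bracket set and _ narrow it. The function names, the treatment of _ inside brackets, the use of [.] for a literal dot, and all sample rows after the first two are assumptions made for this illustration.

```python
import re

# The underscore metacharacter, per the table above: a comma, a brace,
# a parenthesis, a space, or the beginning/end of the string.
UNDERSCORE = r"(?:[,{}() ]|^|$)"


def to_python_regex(pattern):
    """Translate a filter string into Python re syntax.

    Only "_" needs rewriting; . * + ? ^ $ and [..] already carry the
    meanings listed in the table. "_" inside [..] is left literal
    (an assumption; the page does not cover that case).
    """
    out, in_class = [], False
    for ch in pattern:
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        out.append(UNDERSCORE if ch == "_" and not in_class else ch)
    return "".join(out)


def show_filter(lines, option, pattern):
    """Model of `show ... | begin|include|exclude pattern` over output lines."""
    rx = re.compile(to_python_regex(pattern))
    if option == "include":
        return [ln for ln in lines if rx.search(ln)]
    if option == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    if option == "begin":
        for i, ln in enumerate(lines):
            if rx.search(ln):
                return lines[i:]
        return []
    raise ValueError("unsupported filter option: " + option)


def first_fields(lines):
    """Return the first column (the IP address) of each line."""
    return [ln.split()[0] for ln in lines]


# Constructed sample: the first two rows are the ARP entries from the example
# above; the remaining rows are invented for this illustration.
ARP = [
    "192.168.1.3 001d.4608.1e40 Dynamic ethernet4",
    "192.168.1.33 0019.d165.c2ab Dynamic ethernet4",
    "192.168.1.40 0019.d165.0a01 Dynamic ethernet4",
    "192.168.103.7 0019.d165.0a02 Dynamic ethernet5",
    "10.0.0.1 0019.d165.0a03 Dynamic ethernet1",
]

if __name__ == "__main__":
    loose = "192.168.1.3*"          # "." is any character, "3*" is zero or more 3s
    tight = "^192[.]168[.]1[.]3_"   # anchored, literal dots, "_" requires a delimiter
    print("include loose:", first_fields(show_filter(ARP, "include", loose)))
    print("include tight:", first_fields(show_filter(ARP, "include", tight)))
    print("exclude loose:", first_fields(show_filter(ARP, "exclude", loose)))
```

With exclude, the same loose pattern removes rows from view, which matters when the filtered output is used for an audit or an incident review.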


Special Character Support in Strings


Special characters are supported in password strings and various other strings. To use special characters in a string, enclose the entire string in double quotation marks. Admin and enable passwords can contain any ASCII characters in the range 0x20-0x7e (inclusive). You can use an opening single- or double-quotation mark without an ending one. In this case, '" becomes ", and "' becomes '. Escape sequences are required for a few of the special characters:

"    To use a double-quotation mark in a string, enter the following: \"
?    To use a question mark in a string, enter the following sequence: \077
\    To use a backslash in a string, enter another backslash in front of it: \\

For example, to use the string a"b?c\d, enter the following:

"a\"b\077c\\d"

The \ character will be interpreted as the start of an escape sequence only if it is enclosed in double quotation marks. (The ending double quotation mark can be omitted.) If the following characters do not qualify as an escape sequence, they are taken verbatim; for example, \ is taken as \, "\x41" is taken as A (hexadecimal escape), "\101" is taken as A (octal escape), and "\10" is taken as \10.

Note: To use a double-quotation mark as the entire string, enter "\"". If you enter \", the result is \. (Using a single character as a password is not recommended.)

Note: It is recommended not to use i18n characters. The character encoding used on the terminal during password change might differ from the character encoding on the terminal used during login.
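The quoting and escape rules above, as an added Python model (not part of the A10 documentation and not the AX parser) that shows which string actually results from what is typed and checks it against the 0x20-0x7e range given for admin and enable passwords. The function names are hypothetical, and three points are assumptions read from the examples on this page: a hexadecimal escape takes exactly two digits, an octal escape takes exactly three, and nothing is treated as an escape inside single quotation marks.

```python
HEX_DIGITS = set("0123456789abcdefABCDEF")
OCT_DIGITS = set("01234567")


def decode_cli_string(raw):
    """Return the string that results from typing `raw`, per the rules above."""
    out = []
    quote = None            # None, '"' or "'" (the quote we are inside)
    i = 0
    while i < len(raw):
        ch = raw[i]
        if quote is None:
            if ch in "\"'":
                quote = ch              # opening quote; a closing one is optional
            else:
                out.append(ch)          # outside quotes a backslash is literal
            i += 1
        elif ch == quote:
            quote = None                # closing quote
            i += 1
        elif quote == '"' and ch == "\\":
            rest = raw[i + 1:]
            if rest[:1] in ('"', "\\"):
                out.append(rest[0])     # \" and \\
                i += 2
            elif rest[:1] == "x" and len(rest) >= 3 and set(rest[1:3]) <= HEX_DIGITS:
                out.append(chr(int(rest[1:3], 16)))     # \x41 -> A
                i += 4
            elif len(rest) >= 3 and set(rest[:3]) <= OCT_DIGITS:
                out.append(chr(int(rest[:3], 8)))       # \101 -> A, \077 -> ?
                i += 4
            else:
                out.append("\\")        # not an escape: taken verbatim
                i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def password_issues(raw):
    """Decode `raw` and list the problems this page warns about."""
    decoded = decode_cli_string(raw)
    issues = []
    bad = sorted({c for c in decoded if not 0x20 <= ord(c) <= 0x7E})
    if bad:
        issues.append("outside 0x20-0x7e: " + ", ".join(hex(ord(c)) for c in bad))
    if len(decoded) == 1:
        issues.append("single-character password")
    return decoded, issues


if __name__ == "__main__":
    # Constructed inputs; the first is the example string from this page.
    for typed in [r'"a\"b\077c\\d"', r'"\10"', r'\"', '"p\u00e4ss"', r'"p\x07ss"']:
        print(repr(typed), "->", password_issues(typed))
```

Comparing the decoded value with what was typed before a password change is a quick way to avoid a lockout caused by an unintended escape or a missing quotation mark.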


EXEC Commands
The EXEC commands (sometimes referred to as the User EXEC commands) are available at the CLI level that is presented when you log into the CLI. The EXEC level command prompt ends with >, as in the following example:

AX>

backup config
Description   Back up the system.
Syntax        backup config [use-mgmt-port] url

Parameter        Description
config           Backs up the startup-config file, aFleX policy files, and SSL certificates and keys into a tar file.
use-mgmt-port    Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. Without this option, the AX device attempts to use the data route table to reach the remote device through a data interface.
url              File transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
                     tftp://host/file
                     ftp://[user@]host[:port]/file
                     scp://[user@]host/file
                     rcp://[user@]host/file

Default       N/A
Mode          Privileged EXEC or global configuration
Example       The following command backs up the system:

AX>backup tftp://1.1.1.1/back_file

backup log
Description   Configure log backup options and save a backup of the system log.
Syntax        [no] backup log period {all | day | month | week}
              [no] backup log expedite
              backup log [use-mgmt-port] url
              backup log stats-data [use-mgmt-port] url

Parameter     Description
expedite      Allocates additional CPU to the backup process. This option allows up to 80% CPU utilization to be devoted to the log backup process.
period {all | day | month | week}
              Specifies the period to back up:
                  all      Backs up all log messages contained in the log buffer.
                  day      Backs up the log messages generated during the most recent 24 hours.
                  month    Backs up the log messages generated during the most recent 30 days.
                  week     Backs up the log messages generated during the most recent 7 days.
[use-mgmt-port] url
              Saves a backup of the log to a remote server. The use-mgmt-port option uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. Without this option, the AX device attempts to use the data route table to reach the remote device through a data interface.
              The url specifies the file transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
                  tftp://host/file
                  ftp://[user@]host[:port]/file
                  scp://[user@]host/file
                  rcp://[user@]host/file
stats-data [use-mgmt-port] url
              Backs up statistical data from the GUI. The use-mgmt-port and url options are the same as described above.

Default       The configurable backup options have the following default values:
                  expedite    The AX device allows up to 50% CPU utilization for log backup.
                  period      month
Mode          Privileged EXEC or global configuration
Usage         The expedite option controls the percentage of CPU utilization allowed exclusively to the log backup process. The actual CPU utilization during log backup may be higher, if other management processes also are running at the same time.
Example       The following commands change the backup period to all, allow up to 80% CPU utilization for the backup process, and back up the log:

AX>backup log period all
AX>backup log expedite
AX>backup log scp://192.168.20.161:/log.tgz
...

Example       The following command backs up statistical data from the GUI:

AX>backup log stats-data scp://192.168.20.161:/log.tgz

Note: The log period and expedite settings also apply to backups of the GUI statistical data.


enable
Description   Enter privileged EXEC mode, or any other security level set by a system administrator.
Syntax        enable
Mode          EXEC
Usage         Entering privileged EXEC mode enables the use of privileged commands. Because many of the privileged commands set operating parameters, privileged access should be password-protected to prevent unauthorized use. If the system administrator has set a password with the enable password global configuration command, you are prompted to enter it before being allowed access to privileged EXEC mode. The password is case sensitive. The user will enter the default mode of privileged EXEC.
Example       In the following example, the user enters privileged EXEC mode using the enable command. The system prompts the user for a password before allowing access to the privileged EXEC mode. The password is not printed to the screen. The user then exits back to user EXEC mode using the disable command. Note that the prompt for user EXEC mode is >, and the prompt for privileged EXEC mode is #.

AX>enable
Password: <letmein>
AX# disable
AX>

exit
Description   Close an active terminal session by logging off the system.
Syntax        exit
Mode          EXEC and Privileged EXEC
Usage         Use the exit command in EXEC mode to exit the active session (log off the device).
Example       In the following example, the exit (global) command is used to move from global configuration mode to privileged EXEC mode, the disable command is used to move from privileged EXEC mode to user EXEC mode, and the exit (EXEC) command is used to log off (exit the active session):

AX(config)#exit
AX#disable
AX>exit

health-test
Description   Test the status of a device using a configured health monitor.
Syntax        health-test {ipaddr | ipv6 ipv6addr} [count num] [monitorname monitor-name] [port portnum]

Parameter                   Description
ipaddr | ipv6 ipv6addr      Specifies the IPv4 or IPv6 address of the device to test.
count num                   Specifies the number of health checks to send to the device. You can specify 1-65535.
monitorname monitor-name    Specifies the health monitor to use. The health monitor must already be configured.
port portnum                Specifies the protocol port to test, 1-65535.

Default       Only the IP address is required. The other parameters have the following defaults:
                  count          1
                  monitorname    ICMP ping, the default Layer 3 health check
                  port           Override port number set in the health monitor configuration, if one is set. Otherwise, this option is not set by default.
Mode          EXEC, Privileged EXEC, and global config
Usage         If an override IP address and protocol port are set in the health monitor configuration, the AX device will use the override address and port, even if you specify an address and port with the health-test command.
Example       The following command tests port 80 on server 192.168.1.66, using configured health monitor hm80:

AX#health-test 192.168.1.66 monitorname hm80
node status UP.


help
Description   Display a description of the interactive help system of the AX Series.
Syntax        help
Example       (See CLI Quick Reference on page 29.)

no
Description See no on page 59. This command is not used at this level.

ping
Description   Send an ICMP echo packet to test network connectivity.
Syntax        ping [ipv6] {hostname | ipaddr} [data HEX-word] [flood] [interface {ethernet port-num | ve ve-num | management}] [repeat count] [size num] [timeout secs] [ttl num] [source {ipaddr | ethernet port-num | ve ve-num}]

Parameter     Description
[ipv6] hostname | ipaddr
              Target of the ping.
data HEX-word
              Hexadecimal data pattern to send in the ping. The pattern can be 1-8 hexadecimal characters long.
flood         Sends a continuous stream of ping packets, by sending a new packet as soon as a reply to the previous packet is received.
interface {ethernet portnum | ve ve-num | management}
              Uses the specified interface as the source address of the ping.
repeat count  Number of times to send the ping, 1-10000000 (ten million).
size num      Size of the datagram, 1-10000.
timeout secs  Number of seconds the AX device waits for a reply to a sent ping packet, 1-2100 seconds.
ttl num       Maximum number of hops the ping is allowed to traverse, 1-255.
source ipaddr | ethernet portnum | ve ve-num
              Forces the AX device to give the specified IP address, or the IP address configured on the specified interface, as the source address of the ping.

Default       This command has the following defaults:
                  data         not set
                  flood        disabled
                  interface    not set. The AX device looks up the route to the ping target in the main route table and uses the interface associated with the route. (The management interface is not used unless you specify the management IP address as the source interface.)
                  repeat       5
                  size         datagram size is 84 bytes
                  timeout      10 seconds
                  ttl          1
                  source       not set. The AX device looks up the route to the ping target and uses the interface associated with the route.
Mode          EXEC and Privileged EXEC
Usage         The ping command sends an echo request packet to a remote address, and then awaits a reply. Unless you use the flood option, the interval between sending of each ping packet is 1 second. To terminate a ping session, type ctrl+c.
Example       The following command sends a ping to IP address 192.168.3.116:

AX>ping 192.168.3.116
PING 192.168.3.116 (192.168.3.116) 56(84) bytes of data
64 bytes from 192.168.3.116: icmp_seq=1 ttl=128 time=0.206 ms
64 bytes from 192.168.3.116: icmp_seq=2 ttl=128 time=0.260 ms
64 bytes from 192.168.3.116: icmp_seq=3 ttl=128 time=0.263 ms
64 bytes from 192.168.3.116: icmp_seq=4 ttl=128 time=0.264 ms
64 bytes from 192.168.3.116: icmp_seq=5 ttl=128 time=0.216 ms
--- 192.168.3.116 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 0.206/0.241/0.264/0.032 ms

Example       The following command sends a ping to IP address 10.10.1.20, from AX Ethernet port 1. The ping has data pattern ffff, is 1024 bytes long, and is sent 100 times.

AX#ping data ffff repeat 100 size 1024 source ethernet 1 10.10.1.20

show
Description   Show system or configuration information.
Syntax        show options
Default       N/A
Mode          EXEC and Privileged EXEC
Usage         For information about the show commands, see Show Commands on page 527 and SLB Show Commands on page 653.

ssh
Description   Establish a Secure Shell (SSH) connection from the AX Series to another device.
Syntax        ssh [use-mgmt-port] {host-name | ipaddr} login-name [protocol-port]

Parameter        Description
use-mgmt-port    Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.
host-name        Host name of a remote system.
ipaddr           The IP address of a remote system.
login-name       User name to log into the remote system.
protocol-port    TCP port number on which the remote system listens for SSH client traffic.

Default       By default, the AX device will use a data interface as the source interface. The management interface is not used unless you specify the use-mgmt-port option. The default protocol-port is 22.
Mode          EXEC and Privileged EXEC

telnet
Description   Open a Telnet tunnel connection from the AX Series to another device.
Syntax        telnet [use-mgmt-port] {host-name | ipaddr} [protocol-port]

Parameter        Description
use-mgmt-port    Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.
host-name        Host name of a remote system.
ipaddr           The IP address of a remote system.
protocol-port    TCP port number on which the remote system listens for Telnet traffic.

Default       By default, the AX device will use a data interface as the source interface. The management interface is not used unless you specify the use-mgmt-port option. The default protocol-port is 23.
Mode          EXEC and Privileged EXEC
Example       The following command opens a Telnet session from the AX to another AX at IP address 10.10.4.55:

AX>telnet 10.10.4.55
Trying 10.10.4.55...
Connected to 10.10.4.55.
Escape character is '^]'.
Welcome to AX3200
AX login:

traceroute
Description   Display the router hops through which a packet sent from the AX Series device can reach a remote device.
Syntax        traceroute [ipv6] [use-mgmt-port] {host-name | ipaddr}

Parameter              Description
ipv6                   Indicates that the target address is an IPv6 address.
use-mgmt-port          Uses the management interface as the source interface. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.
{host-name | ipaddr}   Device at the remote end of the route to be traced.

Default       N/A
Mode          EXEC and Privileged EXEC
Usage         If a hop does not respond within 5 seconds, asterisks ( * ) are shown in the row for that hop.
Example       The following command traces a route to 192.168.10.99:

AX#traceroute 192.168.10.99
traceroute to 192.168.10.99 (192.168.10.99), 30 hops max, 40 byte packets
1 10.10.20.1 (10.10.20.1) 1.215 ms 1.151 ms 1.243 ms
2 10.10.13.1 (10.10.13.1) 0.499 ms 0.392 ms 0.493 ms
...


Privileged EXEC mode Commands


The Privileged EXEC mode commands are available at the CLI level that is presented when you enter the enable command and a valid enable password from the EXEC level of the CLI. The Privileged EXEC mode level command prompt ends with #, as in the following example:

AX#

active-partition
Description   Change the partition on an AX device configured for Role-Based Administration (RBA).
Syntax        active-partition {partition-name | shared}

Parameter         Description
partition-name    Name of a private partition.
shared            The shared partition.

Default       See Usage below.
Mode          Privileged EXEC mode
Usage         Admins with Root, Read-write, or Read-only privileges can select the partition to view. When an admin with one of these privilege levels logs in, the view is set to the shared partition by default, which means all resources are visible.
Example       The following command changes the view to private partition companyA:

AX#active-partition companyA
Currently active partition: companyA

axdebug
Description Enters the AX debug subsystem. (See AX Debug Commands on page 707.)


backup config
Back up the system. (See backup config on page 39.)

backup log
Description Configure log backup options and save a backup of the system log. (See backup log on page 40.)

clear
Description   Clear statistics or reset functions. Sub-command parameters are required for specific sub-commands.
Syntax        clear sub-command parameter

Sub-Command                         Description
access-list {acl-num | all}         Clears ACL statistics.
admin session {session-id | all}    Clears admin sessions.
aflex [aflex-name]                  Clears aFleX statistics.
arp {options}                       Clears ARP entries.
core                                Clears system core dump files.
debug                               Clears GSLB debug messages.
dns                                 Clears DNS statistics.
dns-cache-stat                      Clears DNS caching statistics.
fwlb {options}                      Clears Firewall Load Balancing (FWLB) statistics.
gslb {options}                      Clears Global Server Load Balancing (GSLB) information or statistics.
ha                                  Clears High-Availability (HA) statistics.
health                              Clears health monitor statistics.
icmp                                Clears ICMP statistics.
ip helper-address statistics        Clears IPv4 DHCP helper statistics.
ip nat {options}                    Clears IPv4 NAT information or statistics.
ip ospf [process-id] process        Terminates OSPFv2 processing. The process-id option specifies the OSPFv2 process. If you omit this option, processing is terminated for all running OSPFv2 processes.
ip route kernel                     Clears stale IPv4 kernel routes.
ipv6 nat pool statistics [pool-name]
                                    Clears IPv6 NAT statistics.
ipv6 neighbor                       Clears the IPv6 neighbor cache.
ipv6 ospf [tag] process             Terminates OSPFv3 processing. The tag option specifies the OSPFv3 instance (tag). If you omit this option, processing is terminated for all running OSPFv3 instances.
ipv6 route kernel                   Clears stale IPv6 kernel routes.
ipv6 traffic                        Clears IPv6 traffic statistics.
logging                             Clears the system log buffer.
mac-address {options}               Clears the MAC address table.
pbslb {options}                     Clears Policy-Based Server Load Balancing (SLB) client entries or statistics.
router log file [type]              Clears router log files. The type can be one of the following:
                                        nsm [file-num]       Clears the specified Network Services Module (NSM) log file, or all NSM log files.
                                        ospf6d [file-num]    Clears the specified IPv6 OSPFv3 log file, or all OSPFv3 log files.
                                        ospfd [file-num]     Clears the specified IPv4 OSPFv2 log file, or all OSPFv2 log files.
                                    If you do not specify a type, router logs of all types above are cleared.
sessions {options}                  Clears Layer 4 sessions.
sip                                 Clears SIP statistics.
slb {options}                       Clears SLB statistics.
statistics interface ethernet portnum
                                    Clears physical Ethernet interface statistics.

Default       N/A
Mode          Privileged EXEC mode or global configuration mode
Usage         To list the options available for a clear command, enter ? after the command name. For example, to display the clear gslb options, enter the following command:

clear gslb ?

Example       The following command clears the counters on Ethernet interface 3:

AX#clear statistics interface ethernet 3

clock
Description   Set the system time and date.
Syntax        clock set time day month year

Parameter     Description
time          Format hh:mm:ss (24 hr.)
day           Format 1-31 day of month
month         Format January, February, and so on.
year          Format 2007, 2008, and so on.

Note: The default time zone is GMT.

Mode          Privileged EXEC mode
Usage         Use this command to manually set the system time and date.
              If you use the GUI or CLI to change the AX timezone or system time, the statistical database is cleared. This database contains general system statistics (performance, and CPU, memory, and disk utilization) and SLB statistics. For example, in the GUI, the graphs displayed on the Monitor > Overview page are cleared.
              If the system clock is adjusted while OSPF is enabled, the routing protocols may stop working properly. To work around this issue, disable OSPF before adjusting the system clock.
Example       Set the system clock to 5:51 p.m. and the date to February 22nd, 2007.

AX#clock set 17:51:00 22 February 2007

config
Description   Enter the configuration mode from the Privileged EXEC mode.
Syntax        config [terminal]
Mode          Privileged EXEC mode
Example       Enter configuration mode.

AX#config
AX(config)#

debug
Note: It is recommended to use the AXdebug subsystem instead of these debug commands. See AX Debug Commands on page 707.

diff
Description   Display a side-by-side comparison of the commands in a pair of locally stored configurations.
Syntax        diff {startup-config | profile-name} {running-config | profile-name}
Default       N/A
Mode          Privileged EXEC mode
Usage         The diff startup-config running-config command compares the configuration profile that is currently linked to startup-config with the running-config. Similarly, the diff startup-config profile-name command compares the configuration profile that is currently linked to startup-config with the specified configuration profile.
              To compare a configuration profile other than the startup-config to the running-config, enter the configuration profile name instead of startup-config.
              To compare any two configuration profiles, enter their profile names instead of startup-config or running-config.
              In the CLI output, the commands in the first profile name you specify are listed on the left side of the terminal screen. The commands in the other profile that differ from the commands in the first profile are listed on the right side of the screen, across from the commands they differ from. The following flags indicate how the two profiles differ:
                  |    This command has different settings in the two profiles.
                  >    This command is in the second profile but not in the first one.
                  <    This command is in the first profile but not in the second one.
Example       The following command compares the configuration profile currently linked to startup-config with configuration profile testcfg1. This example is abbreviated for clarity. The differences between the profiles are shown in this example in bold type.

AX#diff startup-config testcfg1
!Current configuration: 13378 bytes                              (
!Configuration last updated at 19:18:57 PST Wed Jan 23 2008      (
!Configuration last saved at 19:19:37 PST Wed Jan 23 2008        (
!version 1.2.1                                                   (
!                                                                (
hostname AX                                                      (
!                                                                (
clock timezone America/Tijuana                                   (
!                                                                (
ntp server 10.1.11.100 1440                                      (
!                                                                (
...
!                                                                (
interface ve 30                                                  (
 ip address 30.30.31.1 255.255.255.0                             | ip address 10.10.20.1 255.255.255.0
 ipv6 address 2001:144:121:3::5/64                               | ipv6 address fc00:300::5/64
!                                                                (
!                                                                (
                                                                 > ip nat range-list v6-1 fc00:300::300/64 2001:144:121:1::900/6
!                                                                (
ipv6 nat pool p1 2001:144:121:3::996 2001:144:121:3::999 netm    <
!                                                                <
slb server ss100 2001:144:121:1::100                             <
port 22 tcp                                                      <
--MORE--

disable
Description   Exit the Privileged EXEC mode and enter the EXEC mode.
Syntax        disable
Mode          Privileged EXEC mode
Example       The following command exits Privileged EXEC mode.

AX#disable
AX>

Note: The prompt changes from # to >, indicating change to EXEC mode.

exit
Description   Exit the Privileged EXEC mode and enter the EXEC mode.
Syntax        exit
Mode          Privileged EXEC mode
Example       In the following example, the exit command is used to exit the Privileged EXEC mode level and return to the User EXEC level of the CLI:

AX#exit
AX>

Note: The prompt changes from # to >, indicating change to EXEC mode.


export
Description   Put a file to a remote site using the specified transport method.
Syntax        export {aflex | class-list | ssl-cert | ssl-key | ssl-crl | axdebug | debug_monitor} file-name [use-mgmt-port] url

Parameter        Description
aflex            Exports an aFleX file.
class-list       Exports an IP class list.
ssl-cert         Exports a certificate.
ssl-key          Exports a certificate key.
ssl-crl          Exports a Certificate Revocation List (CRL).
axdebug          Exports an AX debug capture file.
debug_monitor    Exports a debug monitor file.
file-name        Name of the file to export.
use-mgmt-port    Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.
url              File transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
                     tftp://host/file
                     ftp://[user@]host[:port]/file
                     scp://[user@]host/file
                     rcp://[user@]host/file

Mode          Privileged EXEC mode or global configuration mode
Example       The following command exports an aFleX policy from the AX Series device to an FTP server, to a directory named backups.

AX#export aflex aflex-01 ftp://192.168.1.101/backups/aflex-01

health-test
Description See health-test on page 43.

help
Description   Display a description of the interactive help system of the AX Series.
Syntax        help
Example       (See CLI Quick Reference on page 29.)

import
Description   Get a file from a remote site.
Syntax        import {aflex | bw-list | class-list | geo-location | ssl-cert | ssl-key | ssl-crl } file-name url

Parameter       Description
aflex           Imports an aFleX file.
bw-list         Imports a black/white list.
class-list      Imports an IP class list.
geo-location    Imports a geo-location data file for Global Server Load Balancing (GSLB).
ssl-cert        Imports a certificate.
ssl-key         Imports a certificate key.
ssl-crl         Imports a Certificate Revocation List (CRL).
file-name       Specifies the filename to use on the target server.
url             Specifies the file transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
                    tftp://host/file
                    ftp://[user@]host[:port]/file
                    scp://[user@]host/file
                    rcp://[user@]host/file

Mode          Privileged EXEC mode or global configuration mode
Usage         For SSL certificates and keys, this command is equivalent to the slb ssl-load command. You can use either one to import SSL certificates and keys.

Note: The AX device only supports certificates that are in Privacy-Enhanced Mail (PEM) format. The maximum supported certificate size is 16KB. To convert a certificate from Windows format to PEM format, see the Importing SSL Certificates chapter in the AX Series Configuration Guide.

Example       The following command imports an aFleX policy onto the AX Series device from a TFTP server, from its directory named backups:

AX#import aflex aflex-01 tftp://192.168.1.101/backups/aflex-01

locale
Description   Set the locale for the current terminal session.
Syntax        locale parameter

Parameter       Description
test            To test current terminal encodings for specific locale
en_US.UTF-8     English locale for the USA, encoding with UTF8 (default)
zh_CN.UTF-8     Chinese locale for PRC, encoding with UTF-8
zh_CN.GB18030   Chinese locale for PRC, encoding with GB18030
zh_CN.GBK       Chinese locale for PRC, encoding with GBK
zh_CN.GB2312    Chinese locale for PRC, encoding with GB2312
zh_TW.UTF-8     Chinese locale for Taiwan, encoding with UTF-8
zh_TW.BIG5      Chinese locale for Taiwan, encoding with BIG5
zh_TW.EUCTW     Chinese locale for Taiwan, encoding with EUCTW
ja_JP.UTF-8     Japanese locale for Japan, encoding with UTF-8
ja_JP.EUC-JP    Japanese locale for Japan, encoding with EUCJP

Default       en_US.UTF-8
Mode          Privileged EXEC mode or global configuration mode

no
Description   Negate a command or set it to its default setting.
Syntax        no command
Mode          All
Example       The following command disables the terminal command history feature:

AX#no terminal history
AX#

ping
Test network connectivity. For syntax information, see ping on page 44.

reboot
Description   Reboot the AX Series device.
Syntax        reboot [text | in [hh:]mm [text] | at hh:mm [month day | day month] [text] | cancel]



Parameter       Description
text            Reason for the reboot, 1-255 characters long.
in [hh:]mm      Schedule a reboot to take effect in the specified minutes or hours and minutes. The reboot must take place within approximately 24 hours.
at hh:mm        Schedule a reboot to take place at the specified time (using a 24-hour clock). If you specify the month and day, the reboot is scheduled to take place at the specified time and date. If you do not specify the month and day, the reboot takes place at the specified time on the current day (if the specified time is later than the current time), or on the next day (if the specified time is earlier than the current time). Specifying 00:00 schedules the reboot for midnight.
month           Name of the month, any number of characters in a unique string.
day             Number of the day, 1-31.
cancel          Cancel a scheduled reboot.

Mode          Privileged EXEC mode
Usage         The reboot command halts the system. If the system is set to restart on error, it reboots itself. Use the reboot command after configuration information is entered into a file and saved to the startup configuration.

              You cannot reboot from a virtual terminal if the system is not set up for automatic booting. This prevents the system from dropping to the ROM monitor and thereby taking the system out of the remote user's control.

              If you modify your configuration file, the system will prompt you to save the configuration.

              The at keyword can be used only if the system clock has been set on the AX Series (either through NTP, the hardware calendar, or manually). The time is relative to the configured time zone on the AX Series. To schedule reboots across several AX Series to occur simultaneously, the time on each AX Series must be synchronized with NTP.

              To display information about a scheduled reboot, use the show reboot command.

Example       The following example immediately reboots the AX Series device:

AX(config)# reboot
System configuration has been modified. Save? [yes/no]:yes
Rebooting System Now !!!
Proceed with reboot? [yes/no]:yes



The following example reboots the AX Series device in 10 minutes:

AX(config)# reboot in 10
AX(config)# Reboot scheduled for 11:57:08 PDT Fri Apr 21 1996 (in 10 minutes)
Proceed with reboot? [yes/no]yes
AX(config)#

The following example reboots the AX Series device at 1:00 p.m. today:

AX(config)# reboot at 13:00
AX(config)# Reboot scheduled for 13:00:00 PDT Fri Apr 21 1996 (in 1 hour and 2 minutes)
Proceed with reboot? [yes/no]yes
AX(config)#

The following example reboots the AX Series device on Apr 20 at 4:20 p.m.:

AX(config)# reboot at 16:20 apr 20
AX(config)# Reboot scheduled for 16:20:00 PDT Sun Apr 20 2008 (in 38 hours and 9 minutes)
Proceed with reboot? [yes/no]yes
AX(config)#

The following example cancels a pending reboot:

AX(config)# reboot cancel
%Reboot cancelled.
***
*** --- REBOOT ABORTED ---
***

reload
Description   Restart AX system processes and reload the startup-config, without rebooting.
Syntax        reload
Mode          Privileged EXEC mode
Usage         The reload command restarts AX system processes and reloads the startup-config, without reloading the system image. To also reload the system image, use the reboot command instead. (See reboot on page 59.) The AX device closes all sessions as part of the reload.



Example       The following command reloads an AX device:

AX(config)#reload
Reload AX ....Done.
AX(config)#

repeat
Description   Periodically re-enter a show command.
Syntax        repeat seconds show command-options

Parameter         Description
seconds           Interval at which to re-enter the command. You can specify 1-300 seconds.
command-options   Options of the show command. See Show Commands on page 527 and SLB Show Commands on page 653.

Mode          Privileged EXEC mode
Usage         The repeat command is especially useful when monitoring or troubleshooting the system. The elapsed time indicates how much time has passed since you entered the repeat command. To stop the command, press Ctrl+C.
Example       The following command displays SLB TCP-proxy statistics every 30 seconds:

AX#repeat 30 show slb tcp-proxy
                             Total
------------------------------------------------------------------
Currently EST conns          29
Active open conns            6968
Passive open conns           7938
Connect attempt failures     0
Total in TCP packets         678804
Total out TCP packets        712974
Retransmitted packets        359
Resets rcvd on EST conn      5369
Reset Sent                   4303
Refreshing command every 30 seconds. (press ^C to quit) Elapsed Time: 00:00:00
                             Total
------------------------------------------------------------------
Currently EST conns          30
Active open conns            6992
Passive open conns           7939
Connect attempt failures     0
Total in TCP packets         679433
Total out TCP packets        712986
Retransmitted packets        367
Resets rcvd on EST conn      5781
Reset Sent                   4305
Refreshing command every 30 seconds. (press ^C to quit) Elapsed Time: 00:00:30

show
Description Display system or configuration information. See Show Commands on page 527 and SLB Show Commands on page 653.

shutdown
Description   Schedule a system shutdown at a specified time or after a specified interval, or cancel a scheduled system shutdown.
Syntax        shutdown {at hh:mm | in hh:mm | cancel [text]}

Parameter       Description
at              Shutdown at a specific time/date (hh:mm)
in              Shutdown after time interval (mm or hh:mm)
cancel          Cancel pending shutdown
text            Reason for shutdown

Mode          Privileged EXEC mode
Example       The following command schedules a system shutdown to occur at 11:59 p.m.:

AX#shutdown at 23:59
System configuration has been modified. Save? [yes/no]:yes
Building configuration...
[OK]
Shutdown scheduled for 23:59:00 UTC Fri Sep 30 2005 (in 5 hours and 39 minutes) by admin on 192.168.1.102
Proceed with shutdown? [confirm]
AX#



Example       The following command cancels a scheduled system shutdown:

AX#shutdown cancel
***
*** --- SHUTDOWN ABORTED ---
***

ssh
Description Establish a Secure Shell (SSH) connection from the AX device to another device. (See ssh on page 46.)

telnet
Description Establish a Telnet connection from the AX device to another device. (See telnet on page 47.)

terminal
Description   Set terminal display parameters.
Syntax        terminal option value

Parameter        Description
auto-size        Enables the terminal length and width to automatically change to match the terminal window size.
editing          Enables command-line editing.
history [size]   Enables and controls the command history function. The size option specifies the number of command lines that will be held in the history buffer. You can specify 0-1000.
length num       Sets the number of lines on a screen. You can specify 0-512. Specifying 0 disables pausing.
monitor          Copies debug output to the current terminal.
width num        Sets the width of the display terminal. You can specify 0-512. The setting 0 means infinite.



Default       The terminal settings have the following defaults:
                auto-size   enabled
                editing     enabled
                history     enabled; default size is 256
                length      24
                monitor     disabled
                width       80

Mode          Privileged EXEC mode or global configuration mode
Example       The following command changes the terminal length to 40:

AX#terminal length 40

traceroute
Description Trace a route. See traceroute on page 48.

write
Description   Write the running-config to a configuration profile.
Syntax        write {memory | force} [primary | secondary | profile-name] [cf] [all-partitions | partition {shared | private-partition-name}]

Parameter        Description
memory           Writes (saves) the running-config to a configuration profile.
force            Forces the AX device to save the configuration regardless of whether the system is ready.
primary          Replaces the configuration profile stored in the primary image area with the running-config.
secondary        Replaces the configuration profile stored in the secondary image area with the running-config.
profile-name     Replaces the commands in the specified configuration profile with the running-config.
cf               Replaces the configuration profile in the specified image area (primary or secondary) on the compact flash rather than the hard disk. If you omit this option, the configuration profile in the specified area on the hard disk is replaced.
all-partitions   Saves changes for all resources in all partitions.
partition {shared | private-partition-name}
                 Saves changes only for the resources in the specified partition.

Default       If you enter write memory without additional options, the command replaces the configuration profile that is currently linked to by startup-config with the commands in the running-config. If startup-config is set to its default (linked to the configuration profile stored in the image area that was used for the last reboot), then write memory replaces the configuration profile in the image area with the running-config.

              The all-partitions and partition partition-name options are applicable on AX devices that are configured for Role-Based Administration (RBA). If you omit both options, only the resources in the shared partition are saved. (If RBA is not configured, all resources are in the shared partition, so you can omit both options.)

              The all-partitions option is applicable only to admins with Root, Read-write, or Read-only privileges. (See show admin on page 528 for descriptions of the admin privilege levels.)

Mode          Configuration mode
Usage         CAUTION! Using the write force command can result in an incomplete or empty configuration! A10 Networks recommends that you use this command only with the advice of A10 Networks Technical Support.

              Unless you use the force option, the command checks for system readiness and saves the configuration only if the system is ready.

              For more information about configuration profiles, see the AX Series Configuration Guide.



Example

The following command saves the running-config to the configuration profile stored in the primary image area of the hard disk:

AX#write memory primary

Example

The following command saves the running-config to a configuration profile named "slbconfig2":

AX#write memory slbconfig2

Example

The following command attempts to save the running-config but the system is not ready:

AX#write memory
AX system is not ready. Cannot save the configuration.

Example

The following commands attempt to save the running-config on a system that is not ready, then force the save operation to take place anyway:

AX#write memory
AX system is not ready. Cannot save the configuration.
AX#write force

write terminal
Description   Display the running-config on the terminal.
Syntax        write terminal [all-partitions | partition {shared | private-partition-name}]

Parameter        Description
all-partitions   Displays configuration information for all system partitions.
partition {shared | private-partition-name}
                 Displays configuration information only for the specified partition.

Mode          Privileged EXEC mode or global configuration mode
Usage         The optional parameters are applicable to AX devices on which Role-Based Administration (RBA) is configured.


Config Commands: Global


This chapter describes the commands for configuring global AX parameters. To access this configuration level, enter the configure [terminal] command at the Privileged EXEC level. To display global settings, use show commands. (See Show Commands on page 527.)

This CLI level also has the following commands, which are available at all configuration levels:

  backup        See backup config on page 39 and backup log on page 40.
  clear         See clear on page 50.
  debug         See debug on page 53.
  diff          See diff on page 53.
  export        See export on page 56.
  health-test   See health-test on page 43.
  help          See CLI Quick Reference on page 29.
  import        See import on page 57.
  repeat        See repeat on page 62.
  show          See Show Commands on page 527.
  write         See write terminal on page 67.

access-list (standard)
Description   Configure a standard Access Control List (ACL) to permit or deny source IP addresses.
Syntax        [no] access-list acl-num [seq-num] {permit | deny | l3-vlan-fwd-disable | remark string} source-ipaddr {filter-mask | /mask-length} [log [transparent-session-only]]



Parameter             Description
acl-num               Standard ACL number. You can specify 1-99.
seq-num               Sequence number of this rule in the ACL. You can use this option to resequence the rules in the ACL.
deny | permit         Action to take for traffic that matches the ACL.
                        deny     For ACLs applied to interfaces or used for management access, drops the traffic.
                        permit   For ACLs applied to interfaces or used for management access, allows the traffic. For ACLs used for IP source NAT, specifies the inside host addresses to be translated into external addresses.
                      Note: If you are configuring an ACL for source NAT, use the permit action. For ACLs used with source NAT, the deny action does not drop traffic, it simply does not use the denied addresses for NAT translations.
l3-vlan-fwd-disable   Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.
remark string         Adds a remark to the ACL. The remark appears at the top of the ACL when you display it in the CLI. To use blank spaces in the remark, enclose the entire remark string in double quotes. The ACL must already exist before you can configure a remark for it.
source-ipaddr {filter-mask | /mask-length}
                      Denies or permits traffic received from the specified host or subnet. The filter-mask specifies the portion of the address to filter:
                        Use 0 to match.
                        Use 255 to ignore.
                      For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
                      Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify /24 instead of 0.0.0.255 to filter on a 24-bit subnet.



log [transparent-session-only]
                      Configures the AX device to generate log messages when traffic matches the ACL. The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule.

Default       No ACLs are configured by default. When you configure one, the log option is disabled by default.
Mode          Configuration mode
Usage         An ACL can contain multiple rules. Each access-list command configures one rule. Rules are added to the ACL in the order you configure them. The first rule you add appears at the top of the ACL.

              Rules are applied to the traffic in the order they appear in the ACL (from the top, which is the first rule, downward). The first rule that matches traffic is used to permit or deny that traffic. After the first rule match, no additional rules are compared against the traffic.

              To move a rule within the sequence, delete the rule, then re-add it with a new sequence number.

              Access lists do not take effect until you apply them.
                To use an ACL to filter traffic on an interface, see access-list on page 181.
                To use an ACL to filter traffic on a virtual server port, see access-list on page 411.
                To use an ACL to control management access, see disable-management on page 101 and enable-management on page 105.
                To use an ACL with source NAT, see ip nat inside on page 225.

              The syntax shown in this section configures a standard ACL, which filters based on source IP address. To filter on additional values such as destination address, IP protocol, or TCP/UDP ports, configure an extended ACL. (See access-list (extended) on page 72.)

Example       The following commands configure a standard ACL and use it to deny traffic sent from subnet 10.10.10.x, and apply the ACL to inbound traffic received on Ethernet interface 4:

AX(config)#access-list 1 deny 10.10.10.0 0.0.0.255
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#access-list 1 in
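The first-match ordering and the filter-mask rules for standard ACLs, as an added Python example (not A10 code and not part of the original manual): it evaluates rules written in the syntax above against source addresses and reports rules that an earlier rule makes unreachable. The function names, the sample rule lists, and the bitwise handling of mask octets other than 0 and 255 are assumptions; the manual does not say what happens when no rule matches, so that case returns None.

```python
import ipaddress


def _ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_rule(line):
    """Parse 'access-list acl-num {permit|deny} source-ipaddr {filter-mask | /mask-length}'."""
    tok = line.split()
    if len(tok) != 5 or tok[0] != "access-list":
        raise ValueError("expected: access-list acl-num {permit|deny} source-ipaddr mask")
    acl_num = int(tok[1])
    if not 1 <= acl_num <= 99:
        raise ValueError("standard ACL numbers are 1-99")
    if tok[2] not in ("permit", "deny"):
        raise ValueError("only permit and deny are handled in this example")
    if tok[4].startswith("/"):
        length = int(tok[4][1:])
        if not 0 <= length <= 32:
            raise ValueError("mask-length must be 0-32")
        wildcard = (1 << (32 - length)) - 1
    else:
        # filter-mask: 0 = match this octet, 255 = ignore it.
        # Assumption: any other octet value is applied bit by bit.
        wildcard = _ip_to_int(tok[4])
    care = ~wildcard & 0xFFFFFFFF          # bits that must equal the rule address
    return {"acl": acl_num, "action": tok[2],
            "base": _ip_to_int(tok[3]) & care, "care": care, "text": line}


def rule_matches(rule, src):
    return (_ip_to_int(src) & rule["care"]) == rule["base"]


def evaluate(rules, src):
    """Return (action, 1-based rule position) of the first matching rule."""
    for position, rule in enumerate(rules, start=1):
        if rule_matches(rule, src):
            return rule["action"], position
    return None, None                       # no-match behavior is not stated in the manual


def shadowed(rules):
    """Return (later, earlier) positions where the earlier rule matches every
    address the later rule matches, so the later rule is never reached."""
    hits = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            subset = (earlier["care"] & ~later["care"] & 0xFFFFFFFF) == 0
            if subset and (later["base"] & earlier["care"]) == earlier["base"]:
                hits.append((j + 1, i + 1))
                break
    return hits


# Constructed sample rule lists (not taken from a real device).
ACL_AS_INTENDED = [
    "access-list 1 deny 10.10.10.0 0.0.0.255",
    "access-list 1 permit 10.10.0.0 /16",
]
ACL_MISORDERED = list(reversed(ACL_AS_INTENDED))

if __name__ == "__main__":
    for name, lines in (("intended", ACL_AS_INTENDED), ("misordered", ACL_MISORDERED)):
        rules = [parse_rule(l) for l in lines]
        print(name, evaluate(rules, "10.10.10.7"), "shadowed:", shadowed(rules))
```

In the misordered list the broad permit is reached first, so the deny for 10.10.10.x never takes effect; the shadow check reports that before the ACL is applied.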

access-list (extended)
Description   Configure an extended Access Control List (ACL) to permit or deny traffic based on source and destination IP addresses, IP protocol, and TCP/UDP ports.
Syntax        [no] access-list acl-num [seq-num] {permit | deny | l3-vlan-fwd-disable | remark string} ip {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [log [transparent-session-only]]

              or

Syntax        [no] access-list acl-num [seq-num] {permit | deny | l3-vlan-fwd-disable | remark string} icmp [type icmp-type [code icmp-code]] {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [log [transparent-session-only]]

              or



Syntax        [no] access-list acl-num [seq-num] {permit | deny | l3-vlan-fwd-disable | remark string} {tcp | udp} {any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}} [eq src-port | gt src-port | lt src-port | range start-src-port end-src-port] {any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}} [eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port] [log [transparent-session-only]]

Parameter             Description
acl-num               Extended ACL number. You can specify 100-199.
seq-num               Sequence number of this rule in the ACL. You can use this option to resequence the rules in the ACL.
deny | permit         Action to take for traffic that matches the ACL.
                        deny     Drops the traffic.
                        permit   Allows the traffic.
l3-vlan-fwd-disable   Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.
remark string         Adds a remark to the ACL. The remark appears at the top of the ACL when you display it in the CLI. To use blank spaces in the remark, enclose the entire remark string in double quotes. The ACL must already exist before you can configure a remark for it.
ip                    Filters on IP packets.
icmp                  Filters on ICMP packets.
tcp | udp             Filters on TCP or UDP packets. The tcp and udp options enable you to filter on protocol port numbers.



type type-option      This option is applicable if the protocol type is icmp. Matches based on the specified ICMP type. You can specify one of the following. Enter the type name or the type number (for example, dest-unreachable or 3).
                        any-type                 Matches on any ICMP type.
                        dest-unreachable | 3     Type 3, destination unreachable
                        echo-reply | 0           Type 0, echo reply
                        echo-request | 8         Type 8, echo request
                        info-reply | 16          Type 16, information reply
                        info-request | 15        Type 15, information request
                        mask-reply | 18          Type 18, address mask reply
                        mask-request | 17        Type 17, address mask request
                        parameter-problem | 12   Type 12, parameter problem
                        redirect | 5             Type 5, redirect message
                        source-quench | 4        Type 4, source quench
                        time-exceeded | 11       Type 11, time exceeded
                        timestamp | 13           Type 13, timestamp
                        timestamp-reply | 14     Type 14, timestamp reply
                        type-num                 ICMP type number, 0-254
code code-num         This option is applicable if the protocol type is icmp. Matches based on the specified ICMP code.
                        any-code                 Matches on any ICMP code.
                        code-num                 ICMP code number, 0-254



any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}
                      Source IP address(es) to filter.
                        any   The ACL matches on all source IP addresses.
                        host host-src-ipaddr   The ACL matches only on the specified host IP address.
                        net-src-ipaddr {filter-mask | /mask-length}   The ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter:
                          Use 0 to match.
                          Use 255 to ignore.
                        For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
                        Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify /24 instead of 0.0.0.255 to filter on a 24-bit subnet.

eq src-port | gt src-port | lt src-port | range start-src-port end-src-port
                      For tcp or udp, the source protocol ports to filter.
                        eq src-port   The ACL matches on traffic from the specified source port.
                        gt src-port   The ACL matches on traffic from any source port with a higher number than the specified port.
                        lt src-port   The ACL matches on traffic from any source port with a lower number than the specified port.
                        range start-src-port end-src-port   The ACL matches on traffic from any source port within the specified range.



any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}
                      Destination IP address(es) to filter.

eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port
                      For tcp or udp, the destination protocol ports to filter.

log [transparent-session-only]
                      Configures the AX device to generate log messages when traffic matches the ACL. The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule.

Default       No ACLs are configured by default. When you configure one, the log option is disabled by default.
Mode          Configuration mode
Usage         An ACL can contain multiple rules. Each access-list command configures one rule. Rules are added to the ACL in the order you configure them. The first rule you add appears at the top of the ACL.

              Rules are applied to the traffic in the order they appear in the ACL (from the top, which is the first rule, downward). The first rule that matches traffic is used to permit or deny that traffic. After the first rule match, no additional rules are compared against the traffic.

              To move a rule within the sequence, delete the rule, then re-add it with a new sequence number.

              Access lists do not take effect until you apply them:
                To use an ACL to filter traffic on an interface, see access-list on page 181.
                To use an ACL to filter traffic on a virtual server port, see access-list on page 411.

                To use an ACL with source NAT, see ip nat inside on page 225.
                To use an ACL to control management access, configure a standard ACL instead. (See access-list (standard) on page 69.)

accounting
Description   Configure TACACS+ as the accounting method for recording information about user activities. The AX Series device supports the following types of accounting:
                EXEC accounting provides information about EXEC terminal sessions (user shells) on the AX device.
                Command accounting provides information about the EXEC shell commands executed under a specified privilege level.
              This command also allows you to specify the debug level.
Syntax        [no] accounting exec {start-stop | stop-only} {radius | tacplus}
              [no] accounting commands cmd-level stop-only tacplus
              [no] accounting debug debug-level

Parameter          Description
start-stop         Sends an Accounting START packet to TACACS+ servers when a user establishes a CLI session, and an Accounting STOP packet when the user logs out or the session times out.
stop-only          Only sends an Accounting STOP packet when the user logs out or the session times out.
radius | tacplus   Specifies the type of accounting server to use.
cmd-level          Specifies which level of commands will be accounted. The commands are divided into the following levels:
                     15 (admin)       Commands available for admin (all commands)
                     14 (config)      Commands available in config mode (not including the command of admin and those under the admin mode)
                     1 (priv EXEC)    Commands available in privileged EXEC mode
                     0 (user EXEC)    Commands available in user EXEC mode
                   Command levels 2-13 are the same as command level 1.
debug-level        Specifies the debug level for accounting. The debug level is set as flag bits for different types of debug messages. The AX device has the following types of debug messages:
                     0x1   Common information such as trying to connect with TACACS+ servers, getting response from TACACS+ servers; they are recorded in syslog.
                     0x2   Packet fields sent out and received by AX, not including the length fields; they are printed out on the terminal.
                     0x4   Length fields of the TACACS+ packets will also be printed on the terminal.
                     0x8   Information about the TACACS+ MD5 encryption is recorded in syslog.

Default       N/A
Mode          Configuration mode
Usage         The accounting server also must be configured. See radius-server on page 137 or tacacs-server on page 169.
Example       The following command configures the AX device to send an Accounting START packet to the previously defined TACACS+ servers when a user establishes a CLI session on the device. The AX device also will send an Accounting STOP packet when a user logs out or their session times out.

AX(config)#accounting exec start-stop tacplus

The following command configures the AX device to send an Accounting STOP packet when a user logs out or a session times out.

AX(config)#accounting exec stop-only tacplus

The following command configures the AX device to send an Accounting STOP packet to TACACS+ servers before a CLI command of level 14 is executed.

AX(config)#accounting commands 14 stop-only tacplus



The following command specifies debug level 15 for accounting.

AX(config)#accounting debug 15

admin
Description   Configure an admin account for management access to the AX Series device.
Note:         This command is available only to admins who have Root privileges.
Syntax        [no] admin admin-username

Parameter        Description
admin-username   Admin username, 1-31 characters.

This command changes the CLI to the configuration level for the specified admin account, where the following admin-related commands are available:

Command           Description
admin             Enters the configuration level for another admin account. If you are configuring multiple admin accounts, this command simplifies navigation of the CLI because you do not need to return to the Configuration mode level to begin configuration of the next account.
disable           Disables the admin account.
enable            Enables the admin account.
password string   Sets the password, 1-63 characters. Passwords are case sensitive and can contain special characters. (For more information, see Special Character Support in Strings on page 38.)
privilege priv-level | [partition-name]}
                  Sets the privilege level for the account.
                    read   The admin can access the User EXEC and Privileged EXEC levels of the CLI only.
                    write   The admin can access all levels of the CLI.
                    partition-read   The admin has read-only privileges within the private partition to which the admin is assigned, and read-only privileges for the shared partition.
                    partition-write   The admin has read-write privileges within the private partition to which the admin is assigned. The admin has read-only privileges for the shared partition.
                    partition-enable-disable   The admin has read-only privileges for real servers, with permission to view service port statistics and to disable or re-enable the servers and their service ports. No other read-only or read-write privileges are granted.
                    partition-name   The name of the private partition to which the admin is assigned. This option applies only to admins that have privilege level partition-read, partition-write, or partition-enable-disable.
                  Note: Private partitions are used in Role-Based Administration (RBA). For information, see the Role-Based Administration chapter of the AX Series Configuration Guide.
trusted-host ipaddr {subnet-mask | /mask-length}
                  Specifies the host or subnet address from which the admin is allowed to log onto the AX device.
unlock            Unlocks the account. Use this option if the admin has been locked out due to too many login attempts with an incorrect password. (To configure lockout parameters, see admin lockout on page 81.)

Default       The system has a default admin account, with username admin and password a10. The default admin account has write privilege and can log on from any host or subnet address. Other admin accounts have the following defaults:
                enable / disable   Admin accounts are enabled by default as soon as you add them.
                password   a10. This is the default for the admin account and for any admin account you configure if you do not configure the password for the account.
                privilege   read

80 of 722

P e r f o r m a n c e

b y

D e s i g n

Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010

AX Series - Command Line Interface - Reference


admin lockout
trusted-host 0.0.0.0 /0, which allows access from any host or subnet. unlock N/A. Admin accounts are unlocked by default. They can

become locked based on admin lockout settings. Mode Example Configuration mode The following commands add admin adminuser1 with password 1234:

AX(config)#admin adminuser1 AX(config-admin:adminuser1)#password 1234

Example

The following commands add admin adminuser2 with password 12345678 and write privilege:

AX(config)#admin adminuser2 AX(config-admin:adminuser2)#password 12345678 AX(config-admin:adminuser2)#write

Example

The following commands add admin adminuser3 with password abcdefgh and write privilege, and restrict login access to the 10.10.10.x subnet only:

AX(config)#admin adminuser3 AX(config-admin:adminuser3)#password abcdefgh AX(config-admin:adminuser3)#write AX(config-admin:adminuser3)#trusted-host 10.10.10.0 /24

Example

The following commands configure an admin account for a private partition:

AX(config)#admin compAadmin password compApwd AX(config-admin:compAadmin)#privilege partition-write companyA Modify Admin User successful !

admin lockout
Description
Set lockout parameters for admin sessions.

Syntax
[no] admin lockout {duration minutes | enable | reset-time minutes | threshold number}

Parameter
duration minutes
    Number of minutes a lockout remains in effect. After the lockout times out, the admin can try again to log in. You can specify 0-1440 minutes. To keep accounts locked until you or another authorized administrator unlocks them, specify 0.
enable
    Enables the lockout feature.
reset-time minutes
    Number of minutes the AX device remembers failed login attempts. You can specify 1-1440 minutes.
threshold number
    Number of consecutive failed login attempts allowed before an administrator is locked out. You can specify 1-10.

Default

The lockout feature is disabled by default. This command has the following defaults:
- duration: 10 minutes
- reset-time: 10 minutes
- threshold: 5

Example

The following command enables admin lockout:

AX(config)#admin lockout enable

aflex
Description
Configure an aFleX policy. For complete information about aFleX policies, see the aFleX Scripting Language Reference Guide.

arp
Description
Create a static ARP entry or change the timeout for dynamic entries.

Syntax
[no] arp ipaddr mac-address [interface ethernet number [vlan vlan-id]]
[no] arp timeout seconds

Parameter
ipaddr
    IP address of the static entry.
mac-address
    MAC address of the static entry.
interface
    Specifies the Ethernet data interface.
timeout seconds
    Number of seconds a dynamic entry can remain unused before it is removed from the ARP cache. You can specify 60-86400 seconds.
vlan vlan-id
    If the AX device is deployed in transparent mode, and the interface is a tagged member of multiple VLANs, use this option to specify the VLAN for which to add the ARP entry.

Default

The default timeout for learned entries is 300 seconds. Static entries do not time out.

Mode

Configuration mode

arp timeout
Description
Change the aging timer for dynamic ARP entries.

Syntax
[no] arp timeout seconds

Parameter
seconds
    Number of seconds a dynamic entry can remain unused before being removed from the ARP table. You can specify 60-86400 seconds.

Default

300 seconds (5 minutes)

Mode

Configuration mode

audit
Description
Configure command auditing.

Syntax
[no] audit enable [privilege]
[no] audit size num-entries

Parameter
enable [privilege]
    Enables command auditing. The privilege option enables logging of Privileged EXEC commands also. Without this option, only configuration commands are logged.
size num-entries
    Specifies the number of entries the audit log file can hold. You can specify 1000-30000 entries. When the log is full, the oldest entries are removed to make room for new entries.

Default

Command auditing is disabled by default. When the feature is enabled, the audit log can hold 20,000 entries by default.

Mode

Configuration mode

Usage

Command auditing logs the following types of system management events:
- Admin logins and logouts for CLI, GUI, and aXAPI sessions
- Unsuccessful admin login attempts
- Configuration changes made by CLI commands. All attempts to change the configuration are logged, even if they are unsuccessful.
- CLI commands at the Privileged EXEC level (if audit logging is enabled for this level)
- HA configuration synchronization

The audit log is maintained in a separate file, apart from the system log. The audit log is RBA-aware. The audit log messages that are displayed for an admin depend upon the admin's role (privilege level). Admins with Root, Read Write, or Read Only privileges who view the audit log can view all the messages, for all system partitions. Admins who have privileges only within a specific partition can view only the audit log messages related to management of that partition. Partition Real Server Operator admins cannot view any audit log entries.

Note: Backups of the system log include the audit log.

Example

The following command enables command auditing:

AX(config)#show audit
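The defaults documented for admin, admin lockout and audit (password a10, trusted-host 0.0.0.0 /0, lockout disabled, auditing disabled) can be checked mechanically. The following Python script is an added example, not part of the A10 reference: it replays a CLI transcript in the prompt form used by the examples above and reports which of those defaults are still in effect. The transcript is constructed, and the function and finding names are assumptions of this example.

```python
import ipaddress
import re

# Prompt forms taken from the examples in the reference text.
PROMPT = re.compile(r"^AX\(config(?:-admin:(?P<admin>[^)]+))?\)#\s*(?P<cmd>.+)$")
DEFAULT_PASSWORD = "a10"                      # documented default password
ANY_HOST = ipaddress.ip_network("0.0.0.0/0")  # documented default trusted-host

# Constructed transcript, assembled from the command forms shown in the reference.
SAMPLE = [
    "AX(config)#admin adminuser1",
    "AX(config-admin:adminuser1)#trusted-host 10.10.10.0 /24",
    "AX(config)#admin adminuser3",
    "AX(config-admin:adminuser3)#password abcdefgh",
    "AX(config-admin:adminuser3)#write",
    "AX(config-admin:adminuser3)#trusted-host 10.10.10.0 /24",
    "AX(config)#admin compAadmin password compApwd",
    "AX(config-admin:compAadmin)#privilege partition-write companyA",
    "Modify Admin User successful !",
    "AX(config)#audit enable",
]


def _new_account():
    # Defaults applied to every account until a command overrides them.
    return {"password": DEFAULT_PASSWORD, "trusted": ANY_HOST}


def audit_transcript(lines):
    """Return (subject, finding) pairs for settings left at risky defaults."""
    accounts = {"admin": _new_account()}  # built-in account: admin / a10, any host
    lockout = audit = audit_priv = False
    for raw in lines:
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # device output, not a command
        name, words = m.group("admin"), m.group("cmd").split()
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        if name is None:
            if words[:3] == ["admin", "lockout", "enable"]:
                lockout = not negate
                continue
            if words[:2] == ["audit", "enable"]:
                audit = not negate
                audit_priv = audit and "privilege" in words[2:]
                continue
            if negate or words[:1] != ["admin"] or len(words) < 2 or words[1] == "lockout":
                continue
            name, words = words[1], words[2:]  # inline form: admin NAME password PWD
        acct = accounts.setdefault(name, _new_account())
        if negate:
            continue
        if words[:1] == ["password"] and len(words) == 2:
            acct["password"] = words[1]
        elif words[:1] == ["trusted-host"] and len(words) == 3:
            mask = words[2].lstrip("/")  # "/24" or "255.255.255.0"
            acct["trusted"] = ipaddress.ip_network(f"{words[1]}/{mask}", strict=False)

    findings = []
    for name, acct in sorted(accounts.items()):
        if acct["password"] == DEFAULT_PASSWORD:
            findings.append((name, "default-password"))
        if acct["trusted"] == ANY_HOST:
            findings.append((name, "login-from-any-host"))
    if not lockout:
        findings.append(("global", "lockout-disabled"))
    if not audit:
        findings.append(("global", "audit-disabled"))
    elif not audit_priv:
        findings.append(("global", "audit-omits-priv-exec"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_transcript(SAMPLE):
        print(f"{subject}: {finding}")
```

An account that is created without a password command, such as adminuser1 in the constructed transcript, is reported with the default password even though its login source is restricted.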


authentication
Description
Set the authentication method used to authenticate administrative access to the AX.

Syntax
[no] authentication type { local [radius | tacplus] | [radius | tacplus] local }

Parameter
local
    Uses the AX configuration for authentication. If the administrative username and password match an entry in the configuration, the administrator is granted access.
radius
    Uses an external RADIUS server for authentication.
tacplus
    Uses an external TACACS+ server for authentication.

Default

By default, only local authentication is used.

Mode

Configuration mode

Usage

The local database (local option) must be included as one of the authentication sources, regardless of the order in which the sources are used. Authentication using only a remote server is not supported. If the same username is configured in the local database and on the remote server but the passwords do not match, the order in which the authentication sources are used determines whether the admin is granted access. (For more information, see the Configuring AAA for Admin Access section in the Management Security Features chapter of the AX Series Configuration Guide.)

The authentication server(s) also must be configured. See radius-server on page 137 or tacacs-server on page 169.

Example

The following commands configure a pair of RADIUS servers and configure the AX device to use them first, before using the local database. Since 10.10.10.12 is added first, this server will be used as the primary server. Server 10.10.10.13 will be used only if the primary server is unavailable.

AX(config)#radius-server host 10.10.10.12 secret radp1
AX(config)#radius-server host 10.10.10.13 secret radp2
AX(config)#authentication type radius local

authorization
Description
Configure authorization for controlling access to functions in the CLI. The AX device can use TACACS+ for authorizing commands executed under a specified privilege level. This command also allows the user to specify the level for authorization debugging.

Syntax
[no] authorization commands cmd-level method {tacplus [none] | none}
[no] authorization debug debug-level

Parameter
cmd-level
    Specifies the level of commands that will be authorized. The commands are divided into the following levels:
    15 (admin)
        This is the most extensive level of authorization. Commands at all CLI levels, including those used to configure admin accounts, are sent to TACACS+ for authorization.
    14 (config)
        Commands at all CLI levels except those used to configure admin accounts are sent to TACACS+ for authorization. Commands for configuring admin accounts are automatically allowed.
    1 (priv EXEC)
        Commands at the Privileged EXEC and User EXEC levels are sent to TACACS+ for authorization. Commands at other levels are automatically allowed.
    0 (user EXEC)
        Commands at the User EXEC level are sent to TACACS+ for authorization. Commands at other levels are automatically allowed.
    Command levels 2-13 are equivalent to command level 1.
tacplus
    Specifies TACACS+ as the authorization method. (If you omit this option, you must specify none as the method, in which case no authorization will be performed.)
tacplus none
    If all the TACACS+ servers fail to respond, then no further authorization will be performed and the command is allowed to execute.
none
    No authorization will be performed.
debug-level
    Specifies the debug level for authorization. The debug level is set as flag bits for different types of debug messages. The AX Series has the following types of debug messages:
    0x1
        Common system events such as trying to connect with TACACS+ servers and getting response from TACACS+ servers. These events are recorded in the syslog.
    0x2
        Packet fields sent out and received by the AX Series device, not including the length fields. These events are written to the terminal.
    0x4
        Length fields of the TACACS+ packets will also be displayed on the terminal.
    0x8
        Information about TACACS+ MD5 encryption will be sent to the syslog.

Default

Not set

Mode

Configuration mode

Usage

The authorization server also must be configured. See radius-server on page 137 or tacacs-server on page 169.

Example

The following command specifies the authorization method for commands executed at level 14: try TACACS+ first but if it fails to respond, then allow the command to execute without authorization.

AX(config)#authorization commands 14 method tacplus none

The following command specifies debug level 15 for authorization:

AX(config)#authorization debug 15
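The cmd-level and method rules above decide two things: which commands are sent to TACACS+ at all, and what happens when no server answers. The following Python model is an added example, not A10 code. The command-class names and result strings are assumptions of this example, and the outcome for plain tacplus when no server responds is returned as "unspecified" because the reference does not state it.

```python
import re

# Command classes named in the cmd-level descriptions, ranked by the lowest
# cmd-level at which they are sent to TACACS+ (class names are this example's).
CLASS_RANK = {"user-exec": 0, "priv-exec": 1, "config": 14, "admin-config": 15}

# Debug flag bits as listed for the debug-level parameter.
DEBUG_FLAGS = {
    0x1: "common system events (syslog)",
    0x2: "packet fields without length fields (terminal)",
    0x4: "TACACS+ packet length fields (terminal)",
    0x8: "TACACS+ MD5 encryption information (syslog)",
}

CMD_RE = re.compile(r"^authorization commands (\d+) method (tacplus none|tacplus|none)$")


def parse_authorization(line):
    """Parse 'authorization commands N method ...', with or without a prompt."""
    text = " ".join(line.split("#", 1)[-1].split())
    m = CMD_RE.match(text)
    if not m:
        raise ValueError(f"not an authorization commands line: {line!r}")
    level = int(m.group(1))
    if not 0 <= level <= 15:
        raise ValueError("cmd-level must be 0-15")
    return level, m.group(2).split()


def sent_to_tacacs(level, cmd_class):
    """Levels 2-13 are equivalent to level 1."""
    effective = 1 if 2 <= level <= 13 else level
    return CLASS_RANK[cmd_class] <= effective


def decide(line, cmd_class, tacacs_reply):
    """tacacs_reply is 'permit', 'deny', or None when no server responded."""
    level, method = parse_authorization(line)
    if method == ["none"]:
        return "allowed-no-authorization"
    if not sent_to_tacacs(level, cmd_class):
        return "auto-allowed"
    if tacacs_reply == "permit":
        return "permitted"
    if tacacs_reply == "deny":
        return "denied"
    if method == ["tacplus", "none"]:
        return "allowed-no-authorization"  # fail-open fallback
    return "unspecified"                   # not stated in the reference


def unchecked_when_tacacs_down(line):
    """Command classes that run with no authorization decision if TACACS+ is silent."""
    open_results = ("auto-allowed", "allowed-no-authorization")
    return [c for c in CLASS_RANK if decide(line, c, None) in open_results]


def decode_debug(level):
    """Expand an authorization debug level into the message types it enables."""
    return [text for bit, text in DEBUG_FLAGS.items() if level & bit]


if __name__ == "__main__":
    line = "AX(config)#authorization commands 14 method tacplus none"
    print(unchecked_when_tacacs_down(line))
    print(decode_debug(15))
```

For the level 14 example above, every command class is either auto-allowed or falls back to no authorization when the TACACS+ servers do not respond, so reachability of those servers is worth monitoring alongside this setting.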

axdebug
Description
Access the AX debug subsystem. See AX Debug Commands on page 707.

banner
Description
Set the banners to be displayed when an admin logs onto the CLI or accesses the Privileged EXEC mode.

Syntax
[no] banner {exec | login} [multi-line end-marker] line

Parameter
exec
    Configures the EXEC mode banner.
login
    Configures the login banner.
multi-line end-marker
    Hexadecimal number to indicate the end of a multi-line message. The end marker is a simple string up to 2 characters long, each of which must be an ASCII character from the following range: 0x21-0x7e. The multi-line banner text starts from the first line and ends at the marker. If the end marker is on a new line by itself, the last line of the banner text will be empty. If you do not want the last line to be empty, put the end marker at the end of the last non-empty line.
line
    Specifies the banner text.

Default

The default login banner is as follows: Welcome to AX
The default EXEC banner is as follows: [type ? for help]

Mode

Configuration mode

Example

The following examples set the login banner to welcome to login mode and set the EXEC banner to a multi-line greeting:

AX(config)#banner exec welcome to exec mode
AX(config)#banner login multi-line bb
Enter text message, end with string 'bb'.
Here is a multi-line
Greeting.
bb
AX(config)#


boot-block-fix
Description
Repair the master boot record (MBR) on the hard drive or compact flash.

Syntax
boot-block-fix {cf | hd}

Parameter
cf | hd
    Medium to be repaired:
    cf: compact flash
    hd: hard disk

Default

N/A

Mode

Configuration mode

Usage

The MBR is the boot sector located at the very beginning of a boot drive. Under advisement from A10 Networks, you can use the command if your compact flash or hard drive cannot boot. If this occurs, boot from the other drive, then use this command.

bootimage
Description
Specify the boot image location from which to load the system image the next time the AX Series is rebooted.

Syntax
bootimage {both | cf | hd} {pri | sec}

Parameter
cf | hd
    Boot medium. The AX Series device always tries to boot using the hard disk (hd) first. The compact flash (cf) is used only if the hard disk is unavailable.
pri | sec
    Boot image location, primary or secondary.

Default

The default location is primary, for both the hard disk and the compact flash.

Mode

Configuration mode

Example

The following command configures the AX Series to boot from the secondary image area on the hard disk the next time the device is rebooted:

AX(config)#bootimage hd sec


bpdu-fwd-group
Description
Configure a group of tagged Ethernet interfaces for forwarding Bridge Protocol Data Units (BPDUs). BPDU forwarding groups enable you to use the AX device in a network that runs Spanning Tree Protocol (STP). A BPDU forwarding group is a set of tagged Ethernet interfaces that will accept and broadcast STP BPDUs among themselves. When an interface in a BPDU forwarding group receives an STP BPDU (a packet addressed to MAC address 01-80-C2-00-00-00), the interface broadcasts the BPDU to all the other interfaces in the group.

Syntax
[no] bpdu-fwd-group number

Parameter
number
    BPDU forwarding group number, 1-8.

This command changes the CLI to the configuration level for the BPDU forwarding group, where the following command is available.

Command
[no] ethernet portnum [to portnum] [ethernet portnum] ...
    Ethernet interfaces to add to the BPDU forwarding group.

Default

None

Mode

Configuration mode

Usage

This command is specifically for configuring VLAN-tagged interfaces to accept and forward BPDUs. Rules for trunk interfaces:
- BPDUs are broadcast only to the lead interface in the trunk.
- If a BPDU is received on an Ethernet interface that belongs to a trunk, the BPDU is not broadcast to any other members of the same trunk.

Example

The following commands create BPDU forwarding group 1 containing Ethernet ports 1-3, and verify the configuration:

AX(config)#bpdu-fwd-group 1
AX(config-bpdu-fwd-group:1)#ethernet 1 to 3
AX(config-bpdu-fwd-group:1)#show bpdu-fwd-group
BPDU forward Group 1 members: ethernet 1 to 3

bridge-vlan-group
Description
Configure a bridge VLAN group for VLAN-to-VLAN bridging.

Syntax
[no] bridge-vlan-group group-num

This command changes the CLI to the configuration level for the specified bridge VLAN group, where the following configuration commands are available:

Command
forward-all-traffic | forward-ip-traffic
    Specifies the types of traffic the bridge VLAN group is allowed to forward:
    forward-all-traffic: This option forwards all types of traffic.
    forward-ip-traffic: This option includes typical traffic between end hosts, such as ARP requests and responses.
[no] name string
    Specifies a name for the group. The string can be 1-63 characters long. If the string contains blank spaces, use double quotation marks around the entire string.
[no] router-interface ve num
    Adds a Virtual Ethernet (VE) interface to the group. This command is applicable only on AX devices deployed in gateway mode.
[no] vlan vlan-id [vlan vlan-id ... | to vlan vlan-id]
    Adds VLANs to the group.

Default

By default, the configuration does not contain any bridge VLAN groups. When you create a bridge VLAN group, it has the following default settings:
- forward-all-traffic | forward-ip-traffic: forward-ip-traffic
- name: Not set
- router-interface: Not set
- vlan: Not set

Mode

Configuration mode

Usage

VLAN-to-VLAN bridging is useful in cases where reconfiguring the hosts on the network either into the same VLAN, or into different IP subnets, is not desired or is impractical.

Example

For more information, including configuration notes and examples, see the VLAN-to-VLAN Bridging chapter in the AX Series Configuration Guide.

bw-list
Description
Import a black/white list for Policy-based SLB (PBSLB).

Syntax
[no] bw-list name [use-mgmt-port] url [period seconds] [load]

Parameter
name
    Black/white list name, 1-63 characters.
use-mgmt-port
    Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.
url
    File transfer protocol, username (if required), directory path, and filename. The following URL format is supported:
    tftp://host/file
period seconds
    Specifies how often the AX Series device reimports the list to ensure that changes to the list are automatically replicated on the AX device. You can specify 60-86400 seconds.
load
    Immediately re-imports the list to get the latest changes. Use this option if you change the list and want to immediately replicate the changes on the AX device, without waiting for the update period.

Note: If you use the load option, the CLI cannot accept any new commands until the load is completely finished. For large black/white lists, loading can take a while. Do not abort the load process; doing so can also interrupt periodic black/white-list updates. If you do accidentally abort the load process, repeat the command with the load option and allow the load to complete.

Default

The default period is 300 seconds.

Mode

Configuration mode

Usage

A TFTP server is required on the PC and the TFTP server must be running when you enter the bw-list command.

Example

The following command imports black/white list sample-bwlist.txt onto the AX device:

AX(config)#bw-list sample-bwlist tftp://myhost/TFTP-Root/AX_bwlists/sample-bwlist.txt

class-list (for IP limiting)


Description
Configure an IP class list for use with the IP limiting feature.

Note: To configure an IP class list for Large-Scale NAT (LSN), see class-list (for LSN) on page 95 instead.

Syntax
[no] class-list {list-name | filename file}

Parameter
list-name
    Adds the list to the running-config.
filename file
    Saves the list to a standalone file on the AX device.

Note: A class list can be exported only if you use the file option.

This command changes the CLI to the configuration level for the specified class list, where the following command is available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command
[no] ipaddr /network-mask [glid num | lid num]
    Adds an entry to the class list.
    ipaddr /network-mask
        Specifies the host or subnet address of the client. The network-mask specifies the network mask. To configure a wildcard IP address, specify 0.0.0.0 /0. The wildcard address matches on all addresses that do not match any entry in the class list.
    glid num | lid num
        Specifies the ID of the IP limiting rule to use for matching clients. You can use a system-wide (global) IP limiting rule or an IP limiting rule configured in a PBSLB policy template. To use an IP limiting rule configured at the Configuration mode level, use the glid num option. To use an IP limiting rule configured at the same level (in the same PBSLB policy template) as the class list, use the lid num option. To exclude a host or subnet from being limited, do not specify an IP limiting rule.

Default

None

Mode

Configuration mode

Usage

Configure the LIDs before configuring the class list entries. To configure a LID for IP limiting, see lid on page 116. As an alternative to configuring class entries on the AX device, you can configure the class list using a text editor on another device, then import the class list onto the AX device. To import a class list, see import on page 57. For more information about IP limiting, see the IP Limiting chapter in the AX Series Configuration Guide.

Example

The following commands configure class list global, which matches on all clients, and uses IP limiting rule 1:

AX(config)#class-list global
AX(config-class list)#0.0.0.0/0 glid 1
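The entry rules above (a wildcard that catches clients matched by nothing else, and entries without a rule that exempt a host or subnet from limiting) are easiest to review by resolving sample clients against a list. The following Python lookup is an added example, not A10 code. The entries are constructed, and choosing the most specific matching entry when several overlap is an assumption of this example, since the reference only states the wildcard behaviour.

```python
import ipaddress
import re

# One class-list entry in the form shown above: ipaddr /network-mask [glid N | lid N]
ENTRY = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s*/(?P<mask>\S+)"
    r"(?:\s+(?P<kind>glid|lid)\s+(?P<id>\d+))?$"
)

# Constructed entries for illustration only.
SAMPLE_ENTRIES = [
    "0.0.0.0/0 glid 1",      # wildcard: every client not matched elsewhere
    "10.10.10.0 /24 lid 2",  # one subnet with its own limiting rule
    "10.10.10.50 /32",       # no rule: this host is excluded from limiting
]


def parse_class_list(lines):
    """Return a list of (network, rule), where rule is (kind, id) or None."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unrecognised class-list entry: {line!r}")
        net = ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False)
        rule = (m["kind"], int(m["id"])) if m["kind"] else None
        entries.append((net, rule))
    return entries


def lookup(entries, client):
    """Resolve a client address to (result, matching network)."""
    addr = ipaddress.ip_address(client)
    matches = [(net, rule) for net, rule in entries if addr in net]
    if not matches:
        return "no-match", None
    # Assumption: the most specific entry wins; the wildcard is least specific.
    net, rule = max(matches, key=lambda e: e[0].prefixlen)
    if rule is None:
        return "excluded", net
    return f"{rule[0]} {rule[1]}", net


def exempt_networks(entries):
    """Networks that carry no limiting rule and are therefore never limited."""
    return [str(net) for net, rule in entries if rule is None]


if __name__ == "__main__":
    parsed = parse_class_list(SAMPLE_ENTRIES)
    for client in ("10.10.10.7", "10.10.10.50", "198.51.100.4"):
        print(client, lookup(parsed, client)[0])
    print("exempt:", exempt_networks(parsed))
```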

class-list (for LSN)


Description
Configure an IP class list for use with Large-Scale NAT (LSN).

Note: To configure an IP class list for IP limiting, see class-list (for IP limiting) on page 93 instead.

Syntax
[no] class-list {list-name | filename file}

Parameter
list-name
    Adds the list to the running-config.
filename file
    Saves the list to a file.

This command changes the CLI to the configuration level for the specified class list, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command
[no] priv-addr {subnet-mask | /mask-length} lsn-lid num
    Specifies the internal clients. The priv-addr option specifies the internal host or subnet address. Use the subnet-mask or /mask-length option to specify the subnet mask or mask length. The lsn-lid num option specifies the LSN LID number.

Default

None

Mode

Configuration mode

Usage

Configure the LSN LIDs before configuring the class list entries. To configure an LSN LID for IP limiting, see lsn-lid on page 129. As an alternative to configuring class entries on the AX device, you can configure the class list using a text editor on another device, then import the class list onto the AX device. To import a class list, see import on page 57. For more information about LSN, see the Large-Scale NAT chapter in the AX Series Configuration Guide.

Example

The following commands configure a class list to bind internal subnet 5.5.5.x/24 to LSN LID 5:

AX(config)#class-list list1
AX(config-class list)#5.5.5.0 /24 lsn-lid 5

clock timezone
Description
Set the clock timezone.

Syntax
clock timezone timezone [nodst]

Parameter
timezone
    Timezone to use. To view the available timezones, enter the following command:
    clock timezone ?
nodst
    Disables Daylight Savings Time.

Default

Europe/Dublin (GMT)

Mode

Configuration mode

Usage

If you use the GUI or CLI to change the AX timezone or system time, the statistical database is cleared. This database contains general system statistics (performance, and CPU, memory, and disk utilization) and SLB statistics. For example, in the GUI, the graphs displayed on the Monitor > Overview page are cleared.

Example

The following commands list the available timezones, then set the timezone to America/Los_Angeles:

AX(config)#clock timezone ?
Pacific/Midway (GMT-11:00)Midway Island, Samoa
Pacific/Honolulu (GMT-10:00)Hawaii
America/Anchorage (GMT-09:00)Alaska
...
AX(config)#clock timezone America/Los_Angeles


convert-passwd
Description
Convert admin accounts and enable passwords into pre-1.2.7 format before downgrade to AX Release 1.2.6 or earlier.

Syntax
convert-passwd {pri | sec}

Parameter
pri | sec
    Specifies the image area to which you want to save the admin accounts and passwords. Specify the image area from which you plan to boot using the 1.2.6 or earlier image.

Default

N/A

Mode

Configuration mode

Usage

Use this command only if you are planning to downgrade to AX Release 1.2.6 or earlier. Use the command before you downgrade.

In AX Release 1.2.7 and later, the AX device maintains all admin accounts and enable passwords in a single file, which applies to both the primary and secondary image areas. In software releases prior to 1.2.7, the AX device maintained separate files for the primary and secondary image areas. During runtime, the AX device used the admin accounts and enable passwords that were in the file corresponding to the image area from which the device was booted.

To keep the new admin accounts and enable passwords, perform the following steps before you downgrade:

1. Log onto the CLI, with an admin account that has Root or global ReadWrite (Super User) privileges. Partition admin accounts cannot be used.
2. Save the configuration (write memory), to save any new or changed admin accounts or passwords. (If you perform step 2 without first saving the configuration, any unsaved admin account or password changes will be lost.)
3. Use the following command at the Configuration mode level of the CLI:
   convert-passwd {pri | sec}
   The pri | sec option specifies the image area to which you want to save the admin accounts and passwords. Specify the image area from which you plan to boot using the 1.x image.


copy
Description
Copy a running-config or startup-config.

Syntax
copy {running-config | startup-config | from-profile-name} [use-mgmt-port] {url | to-profile-name [cf]}

Parameter
running-config
    Copies the commands in the running-config to the specified URL or local profile name.
startup-config
    Copies the configuration profile that is currently linked to startup-config and saves the copy under the specified URL or local profile name.
from-profile-name
    Configuration profile you are copying from.
use-mgmt-port
    Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.
url
    Copies the running-config or configuration profile to a remote device. The URL specifies the file transfer protocol, username, and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
    tftp://host/file
    ftp://[user@]host[:port]/file
    scp://[user@]host/file
    rcp://[user@]host/file
to-profile-name [cf]
    Configuration profile you are copying to. The cf option copies the profile to the compact flash instead of the hard disk.

Note: Copying a profile from the compact flash to the hard disk is not supported.

Note: You cannot use the profile name default. This name is reserved and always refers to the configuration profile that is stored in the image area from which the AX device most recently rebooted.

Default

None

Mode

Configuration mode

Usage

If you are planning to configure a new AX device by loading the configuration from another AX device:

1. On the configured AX device, use the copy startup-config url command to save the startup-config to a remote server.
2. On the new AX device, use the copy url startup-config command to copy the configured AX device's startup-config from the remote server onto the new AX device.
3. Use the reboot command (at the Privileged EXEC level) to reboot the new AX device.
4. Modify parameters as needed (such as IP addresses).

If you attempt to copy the configuration by copying-and-pasting it from a CLI session on the configured AX device, some essential parameters such as interface states will not be copied.

Example

The following command copies the configuration profile currently linked to startup-config to a profile named slbconfig3 and stores the profile locally on the AX device:

AX(config)#copy startup-config slbconfig3

delete startup-config
Description
Delete a locally stored configuration profile.

Syntax
delete startup-config profile-name [cf]

Parameter
profile-name
    Configuration profile name.
cf
    Deletes the specified profile from compact flash instead of the hard disk. If you omit this option, the profile is deleted from the hard disk.

Default

N/A

Mode

Configuration mode

Usage

Although the command uses the startup-config option, the command only deletes the configuration profile linked to startup-config if you enter that profile's name. The command deletes only the profile you specify. If the configuration profile you specify is linked to startup-config, startup-config is automatically relinked to the default. (The default is the configuration profile stored in the image area from which the AX device most recently rebooted).

Example

The following command deletes configuration profile slbconfig2:

AX(config)#delete startup-config slbconfig2

disable
Description
Disable real or virtual servers.

Syntax
disable slb server [server-name] [port port-num]
disable slb virtual-server [server-name] [port port-num]

Parameter
server-name
    Disables the specified real or virtual server.
port port-num
    Disables only the specified service port. If you omit the server-name option, the port is disabled on all real or virtual servers. Otherwise, the port is disabled only on the server you specify.

Default

Enabled

Mode

Configuration mode

Example

The following command disables all virtual servers:

AX(config)#disable slb virtual-server

Example

The following command disables port 80 on all real servers:

AX(config)#disable slb server port 80

Example

The following command disables port 8080 on real server rs1:

AX(config)#disable slb server rs1 port 8080

disable-management
Description  Disable management access to the AX Series device.

Syntax       [no] disable-management service {all | ssh | telnet | http | https | snmp | ping} {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}

or

Syntax       [no] disable-management service acl acl-num {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}

Parameter    Description
all          Disables access to all the management services listed in Table 1.
ssh          Disables SSH access to the CLI.
telnet       Disables Telnet access to the CLI.
http         Disables HTTP access to the management GUI.
https        Disables HTTPS access to the management GUI.
snmp         Disables SNMP access to the AX device's SNMP agent.
ping         Disables ping replies from AX interfaces. This option does not affect the AX device's ability to ping other devices.
acl acl-num  Permits or denies management access based on permit or deny rules in the ACL.
management | ethernet port-num [to port-num] | ve ve-num [to ve-num]
             Specifies the interfaces for which you are configuring access control.



Note: Disabling ping replies from being sent by the device does not affect the device's ability to ping other devices.

Default      Table 1 lists the default settings for each management service.

TABLE 1  Default Management Access

Management Service  Ethernet Management Interface  Ethernet and VE Data Interfaces
SSH                 Enabled                        Disabled
Telnet              Disabled                       Disabled
HTTP                Enabled                        Disabled
HTTPS               Enabled                        Disabled
SNMP                Enabled                        Disabled
Ping                Enabled                        Enabled

Mode         Configuration mode

Usage        If you disable the type of access you are using on the interface you are using at the time you enter this command, your management session will end. If you accidentally lock yourself out of the device altogether (for example, if you use the all option for all interfaces), you can still access the CLI by connecting a PC to the AX device's serial port.

To enable management access, see enable-management on page 105.

You can enable or disable management access, for individual access types and interfaces. You also can use an Access Control List (ACL) to permit or deny management access through the interface by specific hosts or subnets.

Notes Regarding Use of ACLs

If you use an ACL to secure management access, the action in the ACL rule that matches the management traffic's source address is used to permit or deny access, regardless of other management access settings.

For example, if you disable Telnet access to a data interface, but you also enable access to the interface using an ACL with permit rules, the ACL permits Telnet (and all other) access to the interface, for traffic that matches the permit rules in the ACL.

If you want certain types of management access to be disabled on an interface, do not use a permit ACL to control management access to the interface.



Each ACL has an implicit deny any any rule at the end. If the management traffic's source address does not match a permit rule in the ACL, the implicit deny any any rule is used to deny access.

On data interfaces, you can disable or enable access to specific services and also use an ACL to control access. However, on the management interface, you can disable or enable access to specific services or control access using an ACL, but you can not do both.

Example

The following command disables HTTP access to the out-of-band management interface:

AX(config)#disable-management service http management
You may lose connection by disabling the http service. Continue? [yes/no]:yes
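The defaults in Table 1 and the ACL precedence rules in the Usage notes can be checked against a saved configuration. The following Python sketch is an added example, not part of the A10 documentation: it rebuilds the per-interface management exposure from enable-management and disable-management lines and reports where an ACL overrides service-level settings. The sample configuration is constructed. Skipping the no forms, letting later lines override earlier ones, treating either verb with acl as binding the ACL, and flagging Telnet and HTTP as cleartext services are assumptions of the example.

```python
import re

SERVICES = ("ssh", "telnet", "http", "https", "snmp", "ping")
# Defaults from Table 1: management interface vs. Ethernet/VE data interfaces.
MGMT_DEFAULT = {"ssh": True, "telnet": False, "http": True,
                "https": True, "snmp": True, "ping": True}
DATA_DEFAULT = {s: s == "ping" for s in SERVICES}
CLEARTEXT = ("telnet", "http")  # assumption: the services this audit flags

# Positive forms only; "no ..." lines are not modelled (assumption).
CMD = re.compile(
    r"^(enable|disable)-management\s+service\s+"
    r"(?:(all|ssh|telnet|http|https|snmp|ping)|acl\s+(\d+))\s+"
    r"(?:(management)|(ethernet|ve)\s+(\d+)(?:\s+to\s+(\d+))?)\s*$")


def _new_entry(name):
    base = MGMT_DEFAULT if name == "management" else DATA_DEFAULT
    return {"services": dict(base), "acl": None, "explicit": set()}


def _interfaces(m):
    """Expand 'management', 'ethernet 1 to 2' or 've 10' into interface names."""
    if m.group(4):
        return ["management"]
    lo = int(m.group(6))
    hi = int(m.group(7) or lo)
    return [f"{m.group(5)} {n}" for n in range(lo, hi + 1)]


def effective_access(config_text):
    """Map each configured interface to its service states and bound ACL."""
    state = {"management": _new_entry("management")}
    for raw in config_text.splitlines():
        m = CMD.match(raw.strip())
        if not m:
            continue  # unrelated line or a "no" form
        verb, svc, acl = m.group(1), m.group(2), m.group(3)
        for name in _interfaces(m):
            entry = state.setdefault(name, _new_entry(name))
            if acl:
                entry["acl"] = acl  # assumption: either verb binds the ACL
                continue
            for s in (SERVICES if svc == "all" else (svc,)):
                entry["services"][s] = verb == "enable"  # later lines win
                entry["explicit"].add(s)
    return state


def is_allowed(state, interface, service, acl_verdict=None):
    """Decide one request. acl_verdict is 'permit', 'deny' or None (no rule
    matched), as evaluated by the caller against the bound ACL."""
    entry = state.get(interface) or _new_entry(interface)
    if entry["acl"] is not None:
        # The ACL action wins regardless of service settings;
        # no matching permit rule means the implicit deny any any applies.
        return acl_verdict == "permit"
    return entry["services"][service]


def audit(config_text):
    """Return findings for cleartext services and ACL/service conflicts."""
    findings = []
    state = effective_access(config_text)
    for name in sorted(state):
        entry = state[name]
        for s in CLEARTEXT:
            if entry["services"][s]:
                findings.append(f"{name}: {s} enabled (cleartext management)")
        if entry["acl"] is None:
            continue
        if name == "management" and entry["explicit"]:
            findings.append(f"management: acl {entry['acl']} combined with "
                            "service settings (not supported together)")
            continue
        shadowed = [s for s in SERVICES if not entry["services"][s]]
        if shadowed:
            findings.append(f"{name}: acl {entry['acl']} permit rules override "
                            "disabled services: " + ", ".join(shadowed))
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
disable-management service http management
enable-management service telnet ethernet 6
enable-management service ssh ve 10 to 11
disable-management service ping ethernet 1 to 2
enable-management service acl 5 ethernet 6
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An empty configuration still yields a finding for HTTP on the management interface, because Table 1 lists it as enabled by default.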

do
Description  Run a Privileged EXEC level command from a configuration level prompt, without leaving the configuration level.

Syntax       do command

Default      N/A

Mode         Configuration mode

Usage        For information about the Privileged EXEC commands, see Privileged EXEC mode Commands on page 49.

Example

The following command runs the traceroute command from the Configuration mode level:

AX(config)#do traceroute 10.10.10.9

enable
Description  Enable real or virtual servers.

Syntax       enable slb server [server-name] [port port-num]
             enable slb virtual-server [server-name] [port port-num]



Parameter      Description
server-name    Enables the specified real or virtual server.
port port-num  Enables only the specified service port. If you omit the server-name option, the port is enabled on all real or virtual servers. Otherwise, the port is enabled only on the server you specify.

Default      Enabled

Mode         Configuration mode

Example

The following command enables all virtual servers:

AX(config)#enable slb virtual-server

Example

The following command enables port 80 on all real servers:

AX(config)#enable slb server port 80

Example

The following command enables port 8080 on real server rs1:

AX(config)#enable slb server rs1 port 8080

enable-core
Description  Change the file size of core dumps.

Syntax       [no] enable-core [a10]

Parameter  Description
a10        Enables A10 core dump files. Without this option, system core dump files are used instead. System core dump files are larger than A10 core dump files.

Default      If HA is configured, system core dump files are enabled by default. If HA is not configured, A10 core dump files are enabled by default.

Mode         Configuration mode


enable-management
Description  Enable management access to the AX Series device.

Syntax       [no] enable-management service {all | ssh | telnet | http | https | snmp | ping} {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}

or

Syntax       [no] enable-management service acl acl-num {management | ethernet port-num [to port-num] | ve ve-num [to ve-num]}

Parameter    Description
all          Enables access to all the management services listed in Table 1.
ssh          Enables SSH access to the CLI.
telnet       Enables Telnet access to the CLI.
http         Enables HTTP access to the management GUI.
https        Enables HTTPS access to the management GUI.
snmp         Enables SNMP access to the AX device's SNMP agent.
ping         Enables ping replies from AX interfaces. This option does not affect the AX device's ability to ping other devices.
acl acl-num  Permits or denies management access based on permit or deny rules in the ACL.
management | ethernet port-num [to port-num] | ve ve-num [to ve-num]
             Specifies the interfaces for which you are configuring access control.

Default      Table 2 lists the default settings for each management service.



TABLE 2  Default Management Access

Management Service  Management Interface  Data Interfaces
SSH                 Enabled               Disabled
Telnet              Disabled              Disabled
HTTP                Enabled               Disabled
HTTPS               Enabled               Disabled
SNMP                Enabled               Disabled
Ping                Enabled               Enabled

Mode         Configuration mode

Usage        See the Usage section in disable-management on page 101.

Example

The following command enables Telnet access to Ethernet data interface 6:

AX(config)#enable-management service telnet ethernet 6

enable-password
Description  Set the enable password, which secures access to the Privileged EXEC level of the CLI.

Syntax       [no] enable-password password-string

Parameter        Description
password-string  Password string, 1-63 characters. Passwords are case sensitive and can contain special characters. (For more information, see Special Character Support in Strings on page 38.)

Default      By default, the password is blank. (Just press Enter.)

Mode         Configuration mode

Example

The following command sets the Privileged EXEC password to execadmin:

AX(config)#enable-password execadmin


end
Description  Return to the Privileged EXEC level of the CLI.

Syntax       end

Default      N/A

Mode         Config

Usage        The end command is valid at all configuration levels of the CLI. From any configuration level, the command returns directly to the Privileged EXEC level.

Example

The following command returns from the Configuration mode level to the Privileged EXEC level:

AX(config)#end
AX#

erase
Description  Erase the startup-config file.

Syntax       erase

Default      N/A

Mode         Configuration mode

Usage        The no form of this command is not valid. To recover the configuration, you can save the running-config or reload the configuration from another copy of the startup-config file.

Example

The following command erases the startup-config file:

AX(config)#erase


exit
Description  Return to the Privileged EXEC level of the CLI.

Syntax       exit

Default      N/A

Mode         Config

Usage        The exit command is valid at all CLI levels. At each level, the command returns to the previous CLI level. For example, from the server port level, the command returns to the server level. From the Configuration mode level, the command returns to the Privileged EXEC level. From the user EXEC level, the command terminates the CLI session.

From the Configuration mode level, you also can use the end command to return to the Privileged EXEC level.

Example

The following command returns from the Configuration mode level to the Privileged EXEC level:

AX(config)#exit
AX#

floating-ip
Description  Set a virtual IP address in a High-Availability configuration.

Syntax       [no] floating-ip ipaddr ha-group group-id

Parameter  Description
ipaddr     Virtual IP address of the HA group.
group-id   HA group ID.

Default      None

Mode         Configuration mode

Usage        Use this command to specify the IP address of a next-hop upstream or downstream router used by real servers. (Also see Config Commands: High Availability on page 507.)


fwlb
Description Configure Firewall Load Balancing (FWLB) parameters. See Config Commands: Firewall Load Balancing on page 487.

gslb
Description Configure Global Server Load Balancing (GSLB) parameters. See Config Commands: Global Server Load Balancing on page 429.

ha
Description Configure High-Availability (HA) parameters. See Config Commands: High Availability on page 507.

health external
Description  Use an external program for health monitoring.

Syntax       health external {delete program-name | import [use-mgmt-port] [description] url | export [use-mgmt-port] program-name url}

Parameter      Description
program-name   Program file name, 1-31 characters.
use-mgmt-port  Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.
description    Description of the program file, 1-63 characters.
url            File transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
               tftp://host/program-name
               ftp://[user@]host[:port]/program-name
               scp://[user@]host/program-name
               rcp://[user@]host/program-name

Default      N/A

Mode         Configuration mode

Usage        There is no "no" form of this command. To use an imported program for health monitoring, you also must configure a health method and apply the method to the server ports you want to monitor. See the description of the external option for method on page 496 and see health-check on page 384.

Example

The following example imports external program mail.tcl from FTP server 192.168.0.1:

AX(config)#health external import "checking mail server" ftp://192.168.0.1/mail.tcl

health global
Description  Globally change health monitor parameters.

Syntax       health global { interval seconds | retry number | timeout seconds | up-retry number }

Parameter         Description
monitor-name      Name of the health monitor, 1-31 characters.
interval seconds  Number of seconds between health check attempts, 1-180 seconds. A health check attempt consists of the AX device sending a packet to the server. The packet type and payload depend on the health monitor type. For example, an HTTP health monitor might send an HTTP GET request packet. Default is 5 seconds.
retry number      Maximum number of times the AX Series will send the same health check to an unresponsive server before determining that the server is down. You can specify 1-5. Default is 3.
timeout seconds   Number of seconds the AX Series waits for a reply to a health check, 1-12 seconds. Default is 5 seconds.
up-retry number   Number of consecutive times the device must pass the same periodic health check, in order to be marked Up. You can specify 1-10. The default is 1.

Note: The timeout parameter is not applicable to external health monitors.

You can change one or more parameters on the same command line.

Default      See above.

Note: To change a global parameter back to its factory default, use the health global form of the command and specify the parameter value to use.

Mode         Configuration mode

Usage        Globally changing a health monitor parameter changes the default for that parameter. For example, if you globally change the interval from 5 seconds to 10 seconds, the default interval becomes 10 seconds.

If a parameter is explicitly set on a health monitor, globally changing the parameter does not affect the health monitor. For example, if the interval on health monitor hm1 is explicitly set to 20 seconds, the interval remains 20 seconds on hm1 regardless of the global setting.

Note: Global health monitor parameter changes automatically apply to all new health monitors configured after the change. To apply a global health monitor parameter change to health monitors that were configured before the change, you must reboot the AX device.

Example

The following command globally changes the default number of retries to 5:

AX(config)#health global retry 5

Example

The following command globally changes the timeout to 10 seconds and default number of retries to 4:

AX(config)#health global timeout 10 retry 4


health monitor
Description  Configure a health monitor.

Syntax       [no] health monitor monitor-name [interval seconds] [retry number] [timeout seconds] [up-retry number]

Parameter         Description
monitor-name      Name of the health monitor, 1-31 characters.
interval seconds  Number of seconds between health check attempts, 1-180 seconds. A health check attempt consists of the AX device sending a packet to the server. The packet type and payload depend on the health monitor type. For example, an HTTP health monitor might send an HTTP GET request packet. Default is 5 seconds.
retry number      Maximum number of times the AX Series will send the same health check to an unresponsive server before determining that the server is down. You can specify 1-5. Default is 3.
timeout seconds   Number of seconds the AX Series waits for a reply to a health check, 1-12 seconds. Default is 5 seconds.
up-retry number   Number of consecutive times the device must pass the same periodic health check, in order to be marked Up. You can specify 1-10. The default is 1.

Note: The timeout parameter is not applicable to external health monitors.

Default      See above.

Mode         Configuration mode

Usage        For information about the commands available at the health-monitor configuration level, see Config Commands: SLB Health Monitors on page 495.

For more usage information about health monitors, see the Health Monitoring chapter of the AX Series Configuration Guide.



Example

The following command creates a health monitor named hm1 and accesses the configuration level for it:

AX(config)#health monitor hm1
AX(config-health:monitor)#

health postfile
Description  Import or delete a POST data file for an HTTP or HTTPS health check.

Syntax       health postfile {import | delete} filename

Parameter        Description
import | delete  Specifies whether you are importing a POST data file or deleting one.
filename         Specifies the filename.

Default      N/A

Mode         Configuration mode

Usage        The maximum length of POST data you can specify in the CLI or GUI is 255 bytes. For longer data (up to 2 Kbytes), you must import the data in a file and refer to the file in the HTTP or HTTPS health check.

To use a POST data payload file in an HTTP/HTTPS health monitor, use the postfile filename option in the method http or method https command, at the configuration level for the health monitor.

Example

The following commands import a file containing a large HTTP POST data payload (up to 2 Kbytes), and add the payload to an HTTP health monitor:

AX(config)#health postfile import long-post
AX(config)#health monitor http1
AX2000(config-health:monitor)#method http url post / postfile long-post expect def

In this example, health checks that use this health monitor will send a POST request containing the data in postfile, and expect the string def in response.


hostname
Description  Set the AX Series device's hostname.

Syntax       [no] hostname string

Default      AX

Mode         Configuration mode

Usage        The CLI command prompt also is changed to show the new hostname.

Example

The following example sets the hostname to SLBswitch2:

AX(config)#hostname SLBswitch2

icmp-rate-limit
Description  Configure ICMP rate limiting, to protect against denial-of-service (DoS) attacks.

Syntax       [no] icmp-rate-limit normal-rate lockup max-rate lockup-time

Parameter        Description
normal-rate      Maximum number of ICMP packets allowed per second. If the AX device receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins. The normal rate can be 1-65535 packets per second.
lockup max-rate  Maximum number of ICMP packets allowed per second before the AX device locks up ICMP traffic. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires. The maximum rate can be 1-65535 packets per second. The maximum rate must be larger than the normal rate.
lockup-time      Number of seconds for which the AX device drops all ICMP traffic, after the maximum rate is exceeded. The lockup time can be 1-16383 seconds.

Default      None

Mode         Configuration mode

Usage        This command configures ICMP rate limiting globally for all traffic to or through the AX device. To configure ICMP rate limiting on individual Ethernet interfaces, see icmp-rate-limit on page 184. To configure it in a virtual server template, see slb template virtual-server on page 377. If you configure ICMP rate limiting filters at more than one of these levels, all filters are applicable.

Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.

Example

The following command globally configures ICMP rate limiting to allow up to 2048 ICMP packets per second, and to lock up all ICMP traffic for 10 seconds if the rate exceeds 3000 ICMP packets per second:

AX(config)#icmp-rate-limit 2048 lockup 3000 10
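To see what a given normal rate, lockup rate and lockup time do to a traffic pattern before applying them, the parameter rules above can be modelled offline. The following Python sketch is an added example, not part of the A10 documentation: it validates an icmp-rate-limit line against the documented ranges and simulates forwarding over one-second intervals. The traffic figures are constructed. Counting in whole seconds, starting the lockup at the interval after the one that exceeded the maximum rate, and not extending a lockup while it is active are assumptions of the model.

```python
import re

CMD = re.compile(r"^icmp-rate-limit\s+(\d+)(?:\s+lockup\s+(\d+)\s+(\d+))?\s*$")


def parse_icmp_rate_limit(line):
    """Return (normal_rate, max_rate, lockup_time).

    max_rate and lockup_time are None when the optional lockup part is
    omitted. Raises ValueError when a value is outside the documented range.
    """
    m = CMD.match(line.strip())
    if not m:
        raise ValueError("not an icmp-rate-limit command")
    normal = int(m.group(1))
    if not 1 <= normal <= 65535:
        raise ValueError("normal-rate must be 1-65535")
    if m.group(2) is None:
        return normal, None, None
    max_rate, lockup_time = int(m.group(2)), int(m.group(3))
    if not 1 <= max_rate <= 65535:
        raise ValueError("max-rate must be 1-65535")
    if max_rate <= normal:
        raise ValueError("max-rate must be larger than normal-rate")
    if not 1 <= lockup_time <= 16383:
        raise ValueError("lockup-time must be 1-16383")
    return normal, max_rate, lockup_time


def is_valid(line):
    """True when the line parses and every value is in range."""
    try:
        parse_icmp_rate_limit(line)
    except ValueError:
        return False
    return True


def simulate(line, offered_per_second):
    """Return the number of ICMP packets forwarded in each one-second interval.

    offered_per_second holds the ICMP packets received in each interval.
    """
    normal, max_rate, lockup_time = parse_icmp_rate_limit(line)
    locked_for = 0  # remaining intervals during which all ICMP is dropped
    forwarded = []
    for offered in offered_per_second:
        if locked_for > 0:
            forwarded.append(0)
            locked_for -= 1
            continue
        # Packets above the normal rate are dropped until the next interval.
        forwarded.append(min(offered, normal))
        # Exceeding the maximum rate starts the lockup (assumed: next interval).
        if max_rate is not None and offered > max_rate:
            locked_for = lockup_time
    return forwarded


# Constructed traffic: a burst above the lockup rate, then normal ping traffic.
SAMPLE_TRAFFIC = [1000, 2500, 3500] + [500] * 11

if __name__ == "__main__":
    line = "icmp-rate-limit 2048 lockup 3000 10"
    result = simulate(line, SAMPLE_TRAFFIC)
    for second, (offered, passed) in enumerate(zip(SAMPLE_TRAFFIC, result)):
        print(f"t={second:2d}s offered={offered:5d} forwarded={passed:5d}")
```

In the sample run, ordinary ping traffic of 500 packets per second is dropped for the full 10-second lockup that follows the burst, which is the side effect to weigh when choosing the lockup time.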

interface
Description  Access the CLI configuration level for an interface.

Syntax       interface {ethernet port-num | ve ve-num | loopback number | management}

Default      N/A

Mode         Configuration mode

Usage        For information about the commands available at the interface configuration level, see Config Commands: Interface on page 181.

Example

The following command changes the CLI to the configuration level for Ethernet interface 3:

AX(config)#interface ethernet 3
AX(config-if:ethernet3)#

ip
Description Configure global IP settings. For information, see Config Commands: IP on page 219.


ipv6
Description Configure global IPv6 settings. For information, see Config Commands: IPv6 on page 247.

l3-vlan-fwd-disable
Description  Globally disable Layer 3 forwarding between VLANs.

Syntax       [no] l3-vlan-fwd-disable

Default      By default, the AX device can forward Layer 3 traffic between VLANs.

Mode         Configuration mode

Usage        This option is applicable only on AX devices deployed in gateway (route) mode. If the option to disable Layer 3 forwarding between VLANs is configured at any level, the AX device can not be changed from gateway mode to transparent mode, until the option is removed.

Depending on the granularity of control required for your deployment, you can disable Layer 3 forwarding between VLANs at any of the following configuration levels:

- Global: Layer 3 forwarding between VLANs is disabled globally, for all VLANs. (Use this command at the Configuration mode level.)
- Individual interfaces: Layer 3 forwarding between VLANs is disabled for incoming traffic on specific interfaces. (See l3-vlan-fwd-disable on page 207.)
- Access Control Lists (ACLs): Layer 3 forwarding between VLANs is disabled for all traffic that matches ACL rules that use the l3-vlan-fwd-disable action. (See access-list (standard) on page 69 or access-list (extended) on page 72.)

To display statistics for this option, see show slb switch on page 693.

lid
Description  Configure a global set of IP limiting rules for system-wide IP limiting.

Note: This command configures a limit ID (LID) for use with the IP limiting feature. To configure a LID for use with Large-Scale NAT (LSN) instead, see lsn-lid on page 129.

Syntax       [no] lid num

Parameter  Description
num        Limit ID, 1-31.

This command changes the CLI to the configuration level for the specified LID, where the following command is available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command                                          Description
[no] conn-limit num                              Specifies the maximum number of concurrent connections allowed for a client. You can specify 1-1048575.
[no] conn-rate-limit num per num-of-100ms        Specifies the maximum number of new connections allowed for a client within the specified limit period. You can specify 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
[no] request-limit num                           Specifies the maximum number of concurrent Layer 7 requests allowed for a client. You can specify 1-1048575.
[no] request-rate-limit num per num-of-100ms     Specifies the maximum number of Layer 7 requests allowed for the client within the specified limit period. You can specify 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.



[no] overlimit-action [forward | reset] [lockout minutes] [log minutes]

Specifies the action to take when a client exceeds one or more of the limits. The command also configures lockout and enables logging. The action can be one of the following:

- drop: The AX device drops that traffic. If logging is enabled, the AX device also generates a log message. (There is no drop keyword. This is the default action.)
- forward: The AX device forwards the traffic. If logging is enabled, the AX device also generates a log message.
- reset: For TCP, the AX device sends a TCP RST to the client. If logging is enabled, the AX device also generates a log message.

The lockout option specifies the number of minutes during which to apply the over-limit action after the client exceeds a limit. The lockout period is activated when a client exceeds any limit. The lockout period can be 1-1023 minutes.

The logging option generates log messages when clients exceed a limit. When you enable logging, a separate message is generated for each overlimit occurrence, by default. You can specify a logging period, in which case the AX device holds onto the repeated messages for the specified period, then sends one message at the end of the period for all instances that occurred within the period. The logging period can be 0-255 minutes. The default is 0 (no wait period).

Default      The LID options have the following default values:

- conn-limit: Not set
- conn-rate-limit: Not set
- request-limit: Not set
- request-rate-limit: Not set
- over-limit-action: Drop. There is no default lockout period. Logging is disabled by default. The default logging period is 0 (no wait period).

Mode         Configuration mode

Usage        This command uses a single class list for IP limiting. To use multiple class lists for system-wide IP limiting, use a PBSLB policy template instead. See slb template policy on page 340. A PBSLB policy template is also required if you plan to apply IP limiting rules to individual virtual servers or virtual ports.

Example

The following commands configure a global IP limiting rule to be applied to all IP clients (the clients that match class list global):

AX(config)#lid 1
AX(config-global lid)#conn-rate-limit 10000 per 1
AX(config-global lid)#conn-limit 2000000
AX(config-global lid)#over-limit forward logging
AX(config-global lid)#exit
AX(config)#system lid 1
AX(config)#class-list global
AX(config-class list)#0.0.0.0/0 glid 1

link
Description  Link the startup-config token to the specified configuration profile. By default, startup-config is linked to default, which means the configuration profile stored in the image area from which the AX device most recently rebooted.

Syntax       link startup-config {default | profile-name} [primary | secondary] [cf]

Parameter            Description
default              Links startup-config to the configuration profile stored in the image area from which the AX device was most recently rebooted.
profile-name         Links startup-config to the specified configuration profile.
primary | secondary  Specifies the image area. If you omit this option, the image area last used to boot is selected.
cf                   Links the profile to the specified image area in compact flash instead of the hard disk.

Default      The startup-config token is linked to the configuration profile stored in the image area from which the AX device was most recently rebooted.

Mode         Configuration mode

Usage        This command enables you to easily test new configurations without replacing the configuration stored in the image area.

The profile you link to must be stored on the boot device you select. For example, if you use the default boot device (hard disk) selection, the profile you link to must be stored on the hard disk. If you specify cf, the profile must be stored on the compact flash. (To display the profiles stored on the boot devices, use the show startup-config all and show startup-config all cf commands. See show startup-config on page 641.)

After you link startup-config to a different configuration profile, configuration management commands that affect startup-config affect the linked profile instead of affecting the configuration stored in the image area. For example, if you enter the write memory command without specifying a profile name, the command saves the running-config to the linked profile instead of saving it to the configuration stored in the image area.

Likewise, the next time the AX device is rebooted, the linked configuration profile is loaded instead of the configuration that is in the image area.

To relink startup-config to the configuration profile stored in the image area, use the default option (link startup-config default).

Example

The following command links configuration profile slbconfig3 with startup-config:

AX(config)#link startup-config slbconfig3

Example

The following command relinks startup-config to the configuration profile stored in the image area from which the AX device was most recently rebooted:

AX(config)#link startup-config default


locale
Description  Set the CLI locale.

Syntax       [no] locale {test | locale}

Default      en_US.UTF-8

Mode         Configuration mode

Usage        Use this command to configure the locale or to test the supported locales.

Example

The following commands test the Chinese locales and set the locale to zh_CN.GB2312:

AX(config)#locale test zh_CN
AX(config)#locale zh_CN.GB2312

logging target severity-level


Description  Specify the severity levels of event messages to send to message targets other than the AX log buffer.

Syntax       [no] logging target severity-level

Parameter       Description
target          Specifies where event messages are sent:
                console  serial console
                email    email
                monitor  Telnet and SSH sessions
                syslog   external Syslog host
                trap     external SNMP trap host
severity-level  Specifies the severity levels to log. You can enter the name or the number of the severity level.
                {0 | emergency}
                {1 | alert}
                {2 | critical}
                {3 | error}
                {4 | warning}
                {5 | notification}
                {6 | information}
                {7 | debugging}

Note: For information about the email option, see logging email buffer on page 123 and logging email filter on page 124.

Default      The default severity level depends on the target:

console  3 (error)
email    not set (no logging)
monitor  7 (debugging)
syslog   not set (no logging)
trap     not set (no logging)

Mode         Configuration mode

Usage        To send log messages to an external host, you must configure the external host using the logging host command.

Example

The following command sets the severity level for event messages sent to the console to 2 (critical):

AX(config)#logging console 2

logging buffered
Description  Configure the event log on the AX Series device.

Syntax       [no] logging buffered {maximum-messages | severity-level}

Parameter         Description
maximum-messages  Specifies the maximum number of messages the event log buffer will hold.
severity-level    Specifies the severity levels to log. You can enter the name or the number of the severity level.
                  {0 | emergency}
                  {1 | alert}
                  {2 | critical}
                  {3 | error}
                  {4 | warning}
                  {5 | notification}
                  {6 | information}
                  {7 | debugging}

Default      The default buffer size (maximum messages) is 30000. The default severity level is 7 (debugging).

Mode         Configuration mode

Example

The following command sets the severity level for log messages to 7 (debugging):

AX(config)#logging buffered 7

logging email buffer

Description
Configure log email settings.

Syntax
[no] logging email buffer [number num] [time minutes]

Parameter    Description

number num
    Specifies the maximum number of messages to buffer. You can specify 16-256.

time minutes
    Specifies how long to wait before sending all buffered messages, if the buffer contains fewer than the maximum allowed number of messages. You can specify 10-1440 minutes.

Default
By default, emailing of log messages is disabled. When you enable the feature, the buffer options have the following default values:
    number - 50
    time - 10

Mode
Configuration mode

Usage
To configure the AX device to send log messages by email, you also must configure an email filter and specify the email address to which to email the log messages. See logging email filter on page 124 and logging email-address on page 126.

Example
The following command configures the AX device to buffer log messages to be emailed. Messages will be emailed only when the buffer reaches 32 messages, or 30 minutes passes since the previous log message email, whichever happens first.

AX(config)#logging email buffer number 32 time 30

logging email filter

Description
Configure a filter for emailing log messages.

Syntax
[no] logging email filter filter-num conditions operators [trigger]

Parameter    Description

filter-num
    Specifies the filter number, 1-8.

conditions
    Message attributes on which to match. The conditions list can contain one or more of the following:
        level severity-levels - Specifies the severity levels of messages to send in email. You can specify the severity levels by number (0-7) or by name: emergency, alert, critical, error, warning, notification, information, or debugging.
        mod software-module-name - Specifies the software modules for which to email messages. Messages are emailed only if they come from one of the specified software modules. For a list of module names, enter ? instead of a module name, and press Enter.
        pattern regex - Specifies the string requirements. Standard regular expression syntax is supported. Only messages that meet the criteria of the regular expression will be emailed. The regular expression can be a simple text string or a more complex expression using standard regular expression logic.

operators
    Set of Boolean operators (AND, OR, NOT) that specify how the conditions should be compared. The CLI Boolean expression syntax is based on Reverse Polish Notation (also called Postfix Notation), a notation method that places an operator (AND, OR, NOT) after all of its operands (in this case, the conditions list). After listing all the conditions, specify the Boolean operator(s). The following operators are supported:
        AND - All conditions must match in order for a log message to be emailed.
        OR - Any one or more of the conditions must match in order for a log message to be emailed.
        NOT - A log message is emailed only if it does not match the conditions.
    (For more information about Reverse Polish Notation, see the following link: http://en.wikipedia.org/wiki/Reverse_Polish_notation.)

trigger
    Immediately sends the matching messages in an email instead of buffering them. If you omit this option, the messages are buffered based on the logging email buffer settings.

Default
Not set. Emailing of log messages is disabled by default.

Mode
Configuration mode

Usage
To configure the AX device to send log messages by email, you also must specify the email address to which to email the log messages. See logging email-address on page 126.

Considerations
- You can configure up to 8 filters. The filters are used in numerical order, starting with filter 1. When a message matches a filter, the message will be emailed based on the buffer settings. No additional filters are used to examine the message.
- A maximum of 8 conditions are supported in a filter.
- The total number of conditions plus the number of Boolean operators supported in a filter is 16.
- For backward compatibility, the following syntax from previous releases is still supported:
      logging email severity-level
  The severity-level can be one or more of the following: 0, 1, 2, 5, emergency, alert, critical, notification. The command is treated as a special filter. This filter is placed into effect only if the command syntax shown above is in the configuration. The filter has an implicit trigger option for emergency, alert, and critical messages, to emulate the behavior in previous releases.

Example
The following command configures a filter that matches on log messages if they are information-level messages and contain the string abc. The trigger option is not used, so the messages will be buffered rather than emailed immediately.

AX(config)#logging email filter 1 level information pattern "abc" and

Example
The following command reconfigures the filter to immediately email matching messages.

AX(config)#logging email filter 1 level information pattern "abc" and trigger
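The postfix filter logic and first-match ordering described above can be modelled offline to see which log messages a filter set would email, buffer, or silently skip. The following Python model is an added example, not A10 code: the function names, the event fields (level, mod, msg), the module name EXAMPLE-MOD, filters 2 and 3, and the sample events are all constructed, and it assumes one severity per level keyword and exactly one value left on the stack.

```python
import re

# Added model of the postfix filter logic described above; not A10 code.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notification", "information", "debugging"]
MAX_CONDITIONS = 8   # page: at most 8 conditions per filter
MAX_TOKENS = 16      # page: conditions plus operators may not exceed 16


def parse_filter(text):
    """Parse the part after 'logging email filter <n>' into (postfix, trigger)."""
    tokens = re.findall(r'"[^"]*"|\S+', text)
    trigger = bool(tokens) and tokens[-1].lower() == "trigger"
    if trigger:
        tokens = tokens[:-1]
    postfix, i = [], 0
    while i < len(tokens):
        word = tokens[i].lower()
        if word in ("and", "or", "not"):
            postfix.append(("op", word))
            i += 1
            continue
        if word not in ("level", "mod", "pattern") or i + 1 >= len(tokens):
            raise ValueError("unexpected token: " + tokens[i])
        value = tokens[i + 1].strip('"')
        if word == "level":
            # Assumption: one severity per 'level' keyword, by number or name.
            if value.isdigit() and int(value) < len(SEVERITIES):
                value = SEVERITIES[int(value)]
            value = value.lower()
            if value not in SEVERITIES:
                raise ValueError("unknown severity: " + value)
        postfix.append((word, value))
        i += 2
    conditions = sum(1 for kind, _ in postfix if kind != "op")
    if conditions > MAX_CONDITIONS or len(postfix) > MAX_TOKENS:
        raise ValueError("filter exceeds the documented size limits")
    # Check the postfix expression is well formed before it is ever evaluated.
    depth = 0
    for kind, value in postfix:
        if kind != "op":
            depth += 1
        elif depth < (1 if value == "not" else 2):
            raise ValueError("operator '%s' is missing an operand" % value)
        elif value != "not":
            depth -= 1
    if depth != 1:  # Assumption: exactly one result must remain on the stack.
        raise ValueError("conditions left without an operator")
    return postfix, trigger


def matches(postfix, event):
    """Evaluate a parsed filter against one event dict (level, mod, msg)."""
    stack = []
    for kind, value in postfix:
        if kind == "level":
            stack.append(event["level"] == value)
        elif kind == "mod":
            stack.append(event["mod"] == value)
        elif kind == "pattern":
            stack.append(re.search(value, event["msg"]) is not None)
        elif value == "not":
            stack.append(not stack.pop())
        else:
            right, left = stack.pop(), stack.pop()
            stack.append((left and right) if value == "and" else (left or right))
    return stack[0]


def route(filters, event):
    """Filters are tried in numerical order; the first match decides the outcome."""
    for num in sorted(filters):
        postfix, trigger = parse_filter(filters[num])
        if matches(postfix, event):
            return num, ("send-now" if trigger else "buffer")
    return None, "not-emailed"


# Filter 1 is the example from this page; filters 2 and 3 are constructed.
FILTERS = {
    1: 'level information pattern "abc" and',
    2: 'level critical pattern "abc" or trigger',
    3: 'mod EXAMPLE-MOD pattern "login failed" and pattern "test" not and',
}
# Constructed sample events.
EVENTS = [
    {"level": "information", "mod": "OTHER", "msg": "session abc closed"},
    {"level": "critical", "mod": "OTHER", "msg": "fan failure"},
    {"level": "warning", "mod": "EXAMPLE-MOD", "msg": "login failed for admin"},
    {"level": "warning", "mod": "EXAMPLE-MOD", "msg": "login failed for test account"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["msg"], "->", route(FILTERS, ev))
```

The first sample event also satisfies filter 2, but filter 1 matches first, so the message is buffered and the trigger on filter 2 never fires. Filter order therefore decides whether a message is emailed immediately.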

logging email-address

Description
Specify the email addresses to which to send event messages.

Syntax
[no] logging email-address address [...]

Parameter    Description

address
    Specifies an email address. You can enter more than one address on the command line. Use a space between each address.

Default
None

Mode
Configuration mode

Usage
To configure the AX device to send log messages by email, you also must configure an email filter. See logging email filter on page 124.

Example
The following command sets two email addresses to which to send log messages:

AX(config)#logging email-address admin1@example.com admin2@example.com

logging export

Description
Send the messages that are in the event buffer to an external file server.

Syntax
[no] logging export [all] url

Parameter    Description

all
    Include system support messages.

url
    File transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
        tftp://host/file
        ftp://[user@]host[:port]/file
        scp://[user@]host/file
        rcp://[user@]host/file

Default
N/A

Mode
Configuration mode

logging facility

Description
Enable logging facilities.

Syntax
[no] logging facility facility-name

Parameter    Description

facility-name
    Name of a log facility:
        local0
        local1
        local2
        local3
        local4
        local5
        local6
        local7

Default
The default facility is local0.

Mode
Configuration mode

logging flow-control

Description
Control handling of log messages when the logging buffer is full.
- When flow control is disabled, messages are dropped.
- When flow control is enabled, messages are saved on an external data store.
Older messages replace newer ones. Depending on the state of logging flow control, the oldest messages are deleted or copied to an external data store to make room for new messages.

Syntax
[no] logging flow-control enable

Default
Disabled

Mode
Configuration mode

logging host

Description
Specify a Syslog server to which to send event messages.

Syntax
[no] logging host ipaddr [ipaddr...] [port protocol-port]

Parameter    Description

ipaddr
    IP address of the Syslog server. You can enter multiple IP addresses. Up to 10 remote logging servers are supported.

port protocol-port
    Protocol port number to which to send messages. You can specify only one protocol port with the command. All servers must use the same protocol port to listen for syslog messages.

Default
The default protocol port is 514.

Mode
Configuration mode

Usage
If you use the command to add some log servers, then need to add a new log server later, you must enter all server IP addresses in the new command. Each time you enter the logging host command, it replaces any set of servers and syslog port configured by the previous logging host command.

Example
The following command configures 4 external log servers. In this example, the servers use the default syslog protocol port, 514, to listen for log messages.

AX(config)#logging host 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4

Example
The following command reconfigures the set of external log servers, with a different protocol port. All the log servers must use this port.

AX(config)#logging host 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 port 8899

lsn-lid

Description
Configure a limit ID (LID) for Large-Scale NAT (LSN).

Syntax
[no] lsn-lid num

Note: This command configures a limit ID (LID) for use with LSN. To configure a LID for use with IP limiting instead, see lid on page 116.

Parameter    Description

num
    LSN LID number, 1-31.

This command changes the CLI to the configuration level for the specified LSN LID, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command    Description

[no] extended-user-quota {tcp | udp | icmp} service-port portnum sessions num
    Configures a per-user extended quota for essential services. The port option specifies the Layer 4 protocol port of the service, and can be 1-65535. The sessions option specifies how many extended sessions are allowed for the protocol port, and can be 1-255.

[no] source-nat-pool pool-name
    Binds an LSN NAT pool to the LID.

[no] user-quota {tcp | udp | icmp} quota-num [reserve reserve-num]
    Configures the per-user mapping quota for each type of protocol supported for LSN (TCP, UDP, or ICMP). The quota-num option specifies the maximum number of sessions allowed per client and can be 1-64000. The reserve option allows you to specify how many ports to reserve on a NAT IP for each user, 0-64000. If unspecified, the reserve value is the same as the user-quota value.

Default
The LSN LID options have the following default values:
    extended-user-quota - not set
    source-nat-pool - not set
    user-quota - Not set. By default, the reserve value is the same as the user-quota value.

Mode
Configuration mode

Example
The following commands configure an LSN LID. The LID is bound to pool LSN_POOL1. Per-user quotas are configured for TCP, UDP, and ICMP. For UDP, this class of users will reserve only 100 UDP ports instead of 300. An extended quota of sessions per client is allocated for TCP port 25 (SMTP).

AX(config)#lsn-lid 5
AX(config-lsn lid)#source-nat-pool LSN_POOL1
AX(config-lsn lid)#user-quota tcp 100
AX(config-lsn lid)#user-quota udp 300 reserve 100
AX(config-lsn lid)#user-quota icmp 10
AX(config-lsn lid)#extended-user-quota tcp port 25 sessions 3

mac-address

Description
Configure a static MAC address.

Syntax
[no] mac-address mac-address port port-num vlan vlan-id [trap {source | dest | both}]

Parameter    Description

mac-address
    Hardware address, in the following format: aabb.ccdd.eeff

port port-num
    AX Ethernet port to which to assign the MAC address.

vlan vlan-id
    Layer 2 broadcast domain in which to place the device.

trap
    Send packets to the CPU for processing, instead of switching them in hardware.
        source - Send packets that have this MAC as a source address to the CPU.
        dest - Send packets that have this MAC as a destination address to the CPU.
        both - Send packets that have this MAC as either a source or destination address to the CPU.
    Note: The trap option is supported only on models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. On models AX 5100 and AX 5200, only trap dest is supported.

Default
No static MAC addresses are configured by default.

Mode
Configuration mode

Example
The following command configures static MAC address abab.cdcd.efef on port 5 in VLAN 3:

AX(config)#mac-address abab.cdcd.efef port 5 vlan 3

mac-age-time

Description
Set the aging time for dynamic (learned) MAC entries. An entry that remains unused for the duration of the aging time is removed from the MAC table.

Syntax
[no] mac-age-time seconds

Parameter    Description

seconds
    Number of seconds a learned MAC entry can remain unused before it is removed from the MAC table. You can specify 10-600 seconds.

Default
300 seconds

Mode
Configuration mode

Usage
On models AX 1000, AX 2000, AX 2100, and AX 3000, the actual MAC aging time can be +/- 10 seconds from the configured value. On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, the actual MAC aging time can be up to 2 times the configured value. For example, if the aging time is set to 50 seconds, the actual aging time will be between 50 and 100 seconds.

Example
The following command changes the MAC aging time to 600 seconds:

AX(config)#mac-age-time 600

mirror-port

Description
Specify a port to which to copy monitored traffic to or from another port.

Syntax
[no] mirror-port ethernet port-num

Parameter    Description

port-num
    Ethernet port number out which the monitored traffic will be sent.

Default
No ports are mirrored.

Mode
Configuration mode

Usage
To specify the port to monitor, use the monitor command at the interface configuration level. (See monitor on page 208.)

Example
The following commands enable monitoring of input traffic on Ethernet port 5, and enable the monitored traffic to be copied (mirrored) to Ethernet port 3:

AX(config)#mirror-port ethernet 3
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#monitor input

monitor

Description
Specify event thresholds for utilization of resources.

Syntax
monitor {buffer-drop | buffer-usage | ctrl-cpu | data-cpu | disk | memory | warn-temp} threshold-value

Parameter    Description

buffer-drop
    Packet drops (dropped IO buffers)

buffer-usage
    Control buffer utilization

ctrl-cpu
    Control CPU utilization

data-cpu
    Data CPUs utilization

disk
    Hard disk utilization

memory
    Memory utilization

warn-temp
    CPU temperature

threshold-value
    The values you can specify depend on the event type:
        buffer-drop - You can specify 1-32767 drops per 10-second interval.
        buffer-usage - You can specify 60000-120000 buffers.
        ctrl-cpu - You can specify 1-100 percent.
        data-cpu - You can specify 1-100 percent.
        disk - You can specify 1-100 percent.
        memory - You can specify 1-100 percent.
        warn-temp - You can specify 1-68 C (degrees Centigrade).

Default
The default threshold values are as follows:
    buffer-usage - 100 drops per 10-second interval
    buffer-usage - 90000 buffers
    ctrl-cpu - 90%
    data-cpu - 90%
    disk - 85%
    memory - 95%
    warn-temp - 68 C

Usage
If utilization of a system resource crosses the configured threshold, a log message is generated. If applicable, an SNMP trap is also generated. To display the configured event thresholds, see show monitor on page 626.

Example
The following command sets the event threshold for data CPU utilization to 80%:

AX(config)#monitor data-cpu 80

no

Description
Remove a configuration command from the running configuration.

Syntax
no command-string

Default
N/A

Mode
Config

Usage
Use the no form of a command to disable a setting or remove a configured item. Configuration commands at all Config levels of the CLI have a no form, unless otherwise noted. The command is removed from the running-config. To permanently remove the command from the configuration, use the write memory command to save the configuration changes to the startup-config. (See write terminal on page 67.)

Example
The following command removes server http99 from the running-config:

AX(config)#no slb server http99

ntp

Description
Configure Network Time Protocol (NTP) parameters.

Syntax
[no] ntp server {hostname | ipaddr} [minutes]
[no] ntp {disable | enable}

Parameter    Description

hostname | ipaddr
    Hostname or IP address of the NTP server.

minutes
    Synchronization interval, which specifies how often the AX polls the NTP server for updated time information. You can specify 1-518400 minutes.

disable
    Disables synchronization with the NTP server.

enable
    Enables synchronization with the NTP server.

Default
NTP synchronization is disabled by default. If you enable it, the default interval is 1440 minutes. DST is enabled by default, if applicable to the specified timezone.

Mode
Configuration mode

Usage
You can configure a maximum of 4 NTP servers. If the system clock is adjusted while OSPF is enabled, the routing protocols may stop working properly. To work around this issue, disable OSPF before adjusting the system clock.

Example
The following commands configure an NTP server and enable NTP:

AX(config)#ntp server 10.1.4.20
AX(config)#ntp server enable


packet-handling

Description
Set handling of Layer 2 broadcast packets.

Syntax
packet-handling broadcast {trap | flood}

Parameter    Description

trap
    Sends broadcast packets to the CPU for processing, instead of forwarding them in hardware.

flood
    Forwards broadcast packets in hardware.

Default
trap

Mode
Configuration mode

Usage
This command is supported only on models AX 2200, AX 3100, and AX 3200.

partition

Description
Configure a private partition for Role-Based Administration (RBA).

Syntax
partition partition-name [max-aflex-file num]
no partition [partition-name] [max-aflex-file num]

Parameter    Description

partition-name
    Specifies the name of the private partition, 1-14 characters.

max-aflex-file num
    Specifies the maximum number of aFleX policies the partition can have, 1-128.

Default
The AX device has a shared partition but no private partitions by default. When you create a private partition, it can have a maximum of 32 aFleX policies by default.

Mode
Configuration mode

Usage
To use this command, you must be logged in with an admin account that has Root or Read-write privileges. (See show admin on page 528 for descriptions of the admin privilege levels.)

Example
The following commands configure two private partitions, companyA and companyB:

AX(config)#partition companyA
AX(config)#partition companyB

Example
The following command removes all private partitions:

AX(config)#no partition
Remove all RBA partitions and configurations therein? (y/n) y

ping
Ping is used to diagnose basic network connectivity. For syntax information, see ping on page 44.

radius-server

Description
Set RADIUS parameters, for authenticating administrative access to the AX Series device.

Syntax
[no] radius-server host {hostname | ipaddr} secret secret-string [acct-port protocol-port] [auth-port protocol-port] [retransmit num] [timeout seconds] [default-privilege-read-write]

Parameter    Description

hostname | ipaddr
    Hostname or IP address of the RADIUS server.

secret secret-string
    Password required by the RADIUS server for authentication requests.

acct-port protocol-port
    Protocol port to which the AX Series device sends RADIUS accounting information.

auth-port protocol-port
    Protocol port to which the AX Series device sends authentication requests.

retransmit num
    Maximum number of times the AX device can resend an unanswered authentication request to the server. If the AX device does not receive a reply to the final request, the AX device tries the secondary server, if one is configured. If no secondary server is available, or if the secondary server also fails to reply after the maximum number of retries, authentication fails and the admin is denied access. You can specify 0-5 retries.

timeout seconds
    Maximum number of seconds the AX device will wait for a reply to an authentication request before resending the request. You can specify 1-15 seconds.

default-privilege-read-write
    Change the default privilege authorized by RADIUS from read-only to read-write. The default privilege is used if the Service-Type attribute is not used, or the A10 vendor attribute is not used.

Default
No RADIUS servers are configured by default. When you add a RADIUS server, it has the following default settings:
    acct-port - 1813
    auth-port - 1812
    retransmit - 3 retries
    timeout - 3 seconds
    default-privilege-read-write - Disabled. By default, if the Service-Type attribute is not used, or the A10 vendor attribute is not used, successfully authenticated admins are authorized for read-only access.

You can configure up to 2 RADIUS servers. The servers are used in the order in which you add them to the configuration. Thus, the first server you add is the primary server. The second server you add is the secondary (backup) server. Enter a separate command for each of the servers. The secondary server is used only if the primary server does not respond.

Mode
Configuration mode

Example
The following commands configure a pair of RADIUS servers and configure the AX device to use them first, before using the local database. Since 10.10.10.12 is added first, this server will be used as the primary server. Server 10.10.10.13 will be used only if the primary server is unavailable.

AX(config)#radius-server host 10.10.10.12 secret radp1
AX(config)#radius-server host 10.10.10.13 secret radp2
AX(config)#authentication type radius local
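Several behaviours documented in the logging host, logging target severity-level, logging email filter and radius-server entries are easy to miss in review: a later logging host command replaces the earlier server set and port, the syslog target has no severity set by default, email logging needs both a filter and an address, and default-privilege-read-write widens what a RADIUS-authenticated admin receives. The following Python script is an added example, not A10 code; the function name, finding codes and both sample configurations are constructed, and the logging syslog 5 line follows the logging target severity-level syntax given on this page.

```python
import re

# Added example: audit a list of AX CLI configuration commands for the
# interactions documented in this reference. Not A10 code.
PROMPT = re.compile(r"^AX\([^)]*\)#\s*")
DEFAULT_SYSLOG_PORT = 514   # page: default protocol port
MAX_SYSLOG_SERVERS = 10     # page: up to 10 remote logging servers
MAX_RADIUS_SERVERS = 2      # page: up to 2 RADIUS servers


def audit(config_text):
    """Return effective syslog settings and a list of (code, detail) findings."""
    cmds = [PROMPT.sub("", ln.strip())
            for ln in config_text.splitlines() if ln.strip()]
    findings = []

    # Each 'logging host' command replaces the previous server set and port.
    servers, port, seen = [], DEFAULT_SYSLOG_PORT, []
    for cmd in cmds:
        if not cmd.startswith("logging host "):
            continue
        args = cmd.split()[2:]
        if "port" in args:
            idx = args.index("port")
            servers, port = args[:idx], int(args[idx + 1])
        else:
            servers, port = args, DEFAULT_SYSLOG_PORT
        seen.extend(s for s in servers if s not in seen)
    dropped = [s for s in seen if s not in servers]
    if dropped:
        findings.append(("logging-host-replaced",
                         "no longer receiving logs: " + " ".join(dropped)))
    if len(servers) > MAX_SYSLOG_SERVERS:
        findings.append(("too-many-syslog-servers", str(len(servers))))

    # The syslog target's severity is 'not set (no logging)' by default.
    if servers and not any(re.match(r"logging syslog \S", c) for c in cmds):
        findings.append(("syslog-severity-unset",
                         "servers configured but no 'logging syslog <level>'"))

    # Email logging needs both a filter and a destination address.
    has_filter = any(c.startswith("logging email filter ") for c in cmds)
    has_addr = any(c.startswith("logging email-address ") for c in cmds)
    if has_filter != has_addr:
        missing = "logging email-address" if has_filter else "logging email filter"
        findings.append(("email-logging-incomplete", "missing " + missing))

    # RADIUS: server count and the read-write default privilege.
    radius = [c.split() for c in cmds if c.startswith("radius-server host ")]
    if len(radius) > MAX_RADIUS_SERVERS:
        findings.append(("too-many-radius-servers", str(len(radius))))
    for words in radius:
        if "default-privilege-read-write" in words:
            findings.append(("radius-default-read-write",
                             "host " + words[2] + " grants read-write by default"))

    return {"syslog_servers": servers, "syslog_port": port, "findings": findings}


# Constructed sample: a change script with the weaknesses listed above.
WEAK = """\
AX(config)#logging host 1.1.1.1 2.2.2.2
AX(config)#logging host 3.3.3.3 port 8899
AX(config)#logging email filter 1 level information pattern "abc" and
AX(config)#radius-server host 10.10.10.12 secret EXAMPLE-SECRET-1
AX(config)#radius-server host 10.10.10.13 secret EXAMPLE-SECRET-2 default-privilege-read-write
"""

# Constructed sample: the same intent with each finding corrected.
FIXED = """\
AX(config)#logging host 1.1.1.1 2.2.2.2 3.3.3.3 port 8899
AX(config)#logging syslog 5
AX(config)#logging email filter 1 level information pattern "abc" and
AX(config)#logging email-address admin1@example.com
AX(config)#radius-server host 10.10.10.12 secret EXAMPLE-SECRET-1
AX(config)#radius-server host 10.10.10.13 secret EXAMPLE-SECRET-2
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("FIXED", FIXED)):
        result = audit(text)
        print(name, result["syslog_servers"], result["syslog_port"])
        for code, detail in result["findings"]:
            print("  ", code, "-", detail)
```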

raid

Description
Enter the configuration level for RAID.

Syntax
raid

CAUTION! RAID configuration should be performed only by or with the assistance of A10 Networks. A10 strongly advises that you do not experiment with these commands.

restore

Description
Restore the startup-config, aFleX policy files, and SSL certificates and keys from a tar file previously created by the backup command. The restored configuration takes effect following a reboot.

Syntax
[no] restore [use-mgmt-port] url

Parameter    Description

use-mgmt-port
    Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.

url
    File transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
        tftp://host/file
        ftp://[user@]host[:port]/file
        scp://[user@]host/file
        rcp://[user@]host/file

Default
N/A

Mode
Configuration mode

Usage
Do not save the configuration (write memory) after restoring the startup-config. If you do, the startup-config will be replaced by the running-config and you will need to restore the startup-config again. To place the restored configuration into effect, reboot the AX device. The no form of this command is invalid.

route-map

Description
Configure a rule in a route map. You can use route maps to provide input to the following OSPF commands:
- redistribute on page 264
- default-information originate on page 274

Syntax
[no] route-map map-name {deny | permit} sequence-num

Parameter    Description

map-name
    Route map name.

deny | permit
    Action to perform on data that matches the rule.

sequence-num
    Sequence number of the rule within the route map, 1-65535. Rules are used in ascending sequence order. The action in the first matching rule is used, and no further matching is performed. You do not need to configure route map rules in numerical order. The CLI automatically places them in the configuration (running-config) in ascending numerical order.

This command changes the CLI to the configuration level for the specified route map rule, where the following match commands are available.

Note: Some match options apply only to BGP, which is not supported in the current release.

Command    Description

match as-path acl-id
    Matches on the BGP AS paths listed in the specified ACL.

match community acl-id [exact-match]
    Matches on the BGP communities listed in the specified ACL.

match extcommunity acl-id [exact-match]
    Matches on the BGP external communities listed in the specified ACL.

match interface {ethernet portnum | loopback num | management | ve ve-num}
    Matches on the interface used as the first hop for a route.

match ip address {acl-id | prefix-list list-name}
    Matches on the route IP addresses in the specified ACL or prefix list.

match ip next-hop {acl-id | prefix-list list-name}
    Matches on the next-hop router IP addresses in the specified ACL or prefix list.

match ip peer acl-id
    Matches on the peer router IP addresses in the specified ACL.

match ipv6 address {acl-id | prefix-list list-name}
    Matches on the route IP addresses in the specified ACL or prefix list.

match ipv6 next-hop {acl-id | prefix-list list-name | ipv6-addr}
    Matches on the next-hop router IP addresses in the specified ACL or prefix list, or the specified IPv6 address.

match ipv6 peer acl-id
    Matches on the peer router IP addresses in the specified ACL.

match metric num
    Matches on the specified metric value, 0-4294967295.

match origin {egp | igp | incomplete}
    Matches on the specified BGP origin code.

match route-type external {type-1 | type-2}
    Matches on the specified external route type.

match tag
    Matches on the specified TAG value, 0-4294967295.

Default
Specifies the maximum number of concurrent connections allowed on the server for this port, 0-1000000 (one million). The default is 1000000
None

Mode
Configuration mode

Usage
For options that use an ACL, the ACL must use a permit action. Otherwise, the route map action is deny.

router

Description
Enter the configuration mode for a dynamic routing protocol.

Syntax
[no] router ipv6 ospf [tag]
[no] router ospf [process-id]

Parameter    Description

ipv6 ospf [tag]
    Specifies the IPv6 OSPFv3 instance to run on the IPv6 link, 1-65535.

ospf [process-id]
    Specifies the IPv4 OSPFv2 instance to run on the AX device, 1-65535.

Note: The isis option is provided only for testing and is not supported in this release.

Default
Dynamic routing protocols are disabled by default.

Mode
Configuration mode

Usage
This command is valid only when the AX is configured for gateway mode (Layer 3). For more information about OSPF, see Config Commands: Router OSPF on page 257.

Example
The following command enters the configuration level for OSPFv2 process 1:

AX(config)#router ospf 1
AX(config-router)#

router log file

Description
Configure router logging to a local file.

Syntax
[no] router log file {name string | per-protocol | rotate num | size Mbytes}

Parameter    Description

name string
    Name of the log file.

per-protocol
    Uses separate log files for each protocol. Without this option, log messages for all protocols are written to the same file.

rotate num
    Specifies the number of backups to allow for each log file. When a log file becomes full, the logs are saved to a backup file and the log file is cleared for new logs. You can specify 0-100 backups. If the maximum number of backups is reached, the oldest backups are purged to make way for new ones.

size Mbytes
    Specifies the size of each log file. You can specify 0-1000000 Mbytes. If you specify 0, the file size is unlimited.

Default
This command has the following default values:
    per-protocol - disabled
    rotate - 0
    size - 0 (unlimited)

Mode
Configuration mode

Usage
When you enable logging, the default minimum severity level that is logged is debugging. To change the minimum severity level that is logged, see router log trap on page 145. The per-protocol option is recommended. Without this option, messages from all routing protocols will be written to the same file, which may make troubleshooting more difficult.

router log record-priority

Description
Include the message priority within each router log message.

Syntax
[no] router log record-priority

Default
Disabled

Mode
Configuration mode

router log stdout

Description
Enable router logging to the terminal.

Syntax
[no] router log stdout

Default
Disabled

Mode
Configuration mode

Usage
When you enable logging, the default minimum severity level that is logged is debugging. To change the minimum severity level that is logged, see router log trap on page 145.

router log syslog

Description
Enable router logging to the local log buffer.

Syntax
[no] router log syslog

Default
Disabled

Mode
Configuration mode

Usage
When you enable logging, the default minimum severity level that is logged is debugging. To change the minimum severity level that is logged, see router log trap on page 145. To display the log messages in the local log buffer, use the show log command.

router log trap


Description Specify the minimum severity level to log for router logs.

Syntax [no] router log trap severity-level

Parameter   Description
severity-level   Minimum severity level to log. You can specify one of the following:
  emergencies
  alerts
  critical
  errors
  warnings
  notifications
  informational
  debugging

Default debugging



Mode Configuration mode

session-filter
Description Configure a session filter.

Syntax session-filter filter-name { ipv4addr-suboptions | ipv6 | sip | filter filter-name }

Parameter   Description
ipv4addr-suboptions   Matches on sessions that have a source or destination IPv4 address. The following address suboptions are supported:
  source-addr ipaddr [{subnet-mask | /mask-length}]   Matches on IPv4 sessions that have the specified source IP address.
  source-port port-num   Matches on IPv4 sessions that have the specified source protocol port number, 1-65535.
  dest-addr ipaddr [{subnet-mask | /mask-length}]   Matches on IPv4 sessions that have the specified destination IP address.
  dest-port port-num   Matches on IPv4 sessions that have the specified destination protocol port number, 1-65535.
  You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.
ipv6   Matches on all sessions that have a source or destination IPv6 address.
sip   Matches on all SIP sessions.

Default No session filters are configured by default.



Mode Configuration mode

Usage Session filters allow you to save session display options for use with the clear session and show session commands. Configuring a session filter allows you to specify a given set of options one time rather than re-entering the options each time you use the clear session or show session command.

Example The following commands configure a session filter and use it to filter show session output:

AX(config)#session-filter f1 source-addr 1.0.4.147
AX(config)#show session filter f1
Prot  Forward Source    Forward Dest   Reverse Source  Reverse Dest      Age  Hash
----------------------------------------------------------------------------------
Tcp   1.0.4.147:51613   1.0.100.1:21   1.0.3.148:21    1.0.4.147:51613   120  1

slb
Description Configure Server Load Balancing (SLB) parameters. For information about the slb commands, see Config Commands: Server Load Balancing on page 283.

smtp
Description Configure a Simple Mail Transfer Protocol (SMTP) server to use for sending emails from the AX device.

Syntax [no] smtp {hostname | ipaddr} [mailfrom email-src-addr] [needauthentication] [port protocol-port] [username string password string]

Parameter   Description
hostname | ipaddr   Specifies an SMTP server.
mailfrom email-src-addr   Specifies the email address to use as the sender (From) address.
needauthentication   Specifies that authentication is required.




port protocol-port   Specifies the protocol port on which the server listens for SMTP traffic.
username string password string   Specifies the username and password required for access.

Default No SMTP servers are configured by default. When you configure one, it has the following default settings:
  port   25
  needauthentication   disabled
  mailfrom   not set

Mode Configuration mode

Example The following command configures the AX Series device to use SMTP server ourmailsrvr:

AX(config)#smtp ourmailsrvr

snat-on-vip
Description Globally enable IP NAT support for VIPs.

Syntax [no] snat-on-vip

Default Disabled

Mode Configuration mode

Usage Source IP NAT can be configured on a virtual port in the following ways:
1. ACL-based source NAT (access-list command at virtual port level)
2. VIP source NAT (slb snat-on-vip command at Configuration mode level)
3. aFleX policy (aflex command at virtual port level)
4. Non-ACL source NAT (source-nat command at virtual port level)

These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and the slb snat-on-vip command is also used, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, VIP source NAT can be used instead.

snmp-server community
Description Configure an SNMP community string.

Syntax [no] snmp-server community read ro-community-string [oid oid-value] [remote {hostname | ipaddr mask-length | ipv6-addr/prefix-length}]

Parameter   Description
ro-community-string   The read-only community string.
oid oid-value   Object ID. This option restricts the objects that the AX Series device returns in response to GET requests. Values are returned only for the objects within or under the specified OID.
remote {hostname | ipaddr mask-length | ipv6-addr/prefix-length}   Restricts SNMP access to a specific host or subnet. When you use this option, only the specified host or subnet can receive SNMP data from the AX Series device by sending a GET request to this community.

Default The configuration does not have any default SNMP communities. When you configure one, all OIDs are allowed by default and all remote hosts are allowed by default.

Mode Configuration mode

Usage All SNMP communities are read-only. Read-write communities are not supported. The OID for A10 Networks AX Series objects is 1.3.6.1.4.1.22610. The no form removes the read-only community string.



Example The following commands enable SNMP, define community string A10_AX, and restrict access to hosts in subnet 10.10.20.x/24 and to AX MIB objects only:

AX(config)#snmp-server enable
AX(config)#snmp-server community read A10_AX oid AxMgmt remote 10.10.20.0 24

Example The following commands enable SNMP, define community string A10_AX2, and restrict access to hosts in IPv6 network a101::1111:

AX(config)#snmp-server enable
AX(config)#snmp-server community read A10_AX2 remote a101::1111

snmp-server contact
Description Configure SNMP contact information.

Syntax [no] snmp-server contact contact-name

Parameter   Description
contact-name   The contact person's name.

Default Empty string

Mode Configuration mode

Usage The no form removes the contact information.

Example The following command defines the contact person as snmp-admin:

AX(config)#snmp-server contact snmp-admin

snmp-server enable
Description Enable the AX Series device to accept SNMP MIB data queries and to send SNMP v1/v2c traps. To use SNMP on the device, you must enter this command. Enter this command first, then enter the other snmp-server commands to further configure the feature.



Syntax [no] snmp-server enable [ traps [ snmp [trap-name] system [trap-name] ha [trap-name] network [trap-name] slb [trap-name] ] ]

Parameter   Description
traps   Specifies the traps to enable. You can enable all traps, all traps of a specific type, or individual traps. To enable all traps, specify traps, without any additional options. To enable all traps of a specific type, specify one of the following:

traps snmp   Enables the following traps:
  linkdown   Indicates that an Ethernet interface has gone down.
  linkup   Indicates that an Ethernet interface has come up.

traps system   Enables the following traps:
  control-cpu-high   Indicates that the control CPU utilization is higher than the configured threshold. (See monitor on page 133.)
  data-cpu-high   Indicates that data CPU utilization is higher than the configured threshold. (See monitor on page 133.)
  fan   Indicates that a system fan has failed. Contact A10 Networks.
  high-disk-use   Indicates that hard disk usage on the AX device is higher than the configured threshold. (See monitor on page 133.)
  high-memory-use   Indicates that the memory usage on the AX device is higher than the configured threshold. (See monitor on page 133.)


  high-temp   Indicates that the temperature inside the AX chassis is higher than the configured threshold. (See monitor on page 133.)
  packet-drop   Indicates that the number of dropped packets during the previous 10-second interval exceeded the configured threshold. (See monitor on page 133.)
  power   Indicates that a power supply has failed. Contact A10 Networks.
  pri-disk   Indicates that the primary Hard Disk has failed or the RAID system has failed. In dual-disk models, the primary Hard Disk is the one on the left, as you are facing the front of the AX chassis.
  restart   Indicates that the AX device is going to reboot or reload.
  sec-disk   Indicates that the secondary Hard Disk has failed or the RAID system has failed. The secondary Hard Disk is the one on the right, as you are facing the front of the AX chassis.
    Note: This trap does not apply to the following models: AX 2500, AX 2600, AX 3000, AX 5100, or AX 5200.
  shutdown   Indicates that the AX device has shut down.
  start   Indicates that the AX device has started.

traps network   Enables the following trap:
  trunk-port-threshold   Indicates that the trunk ports threshold feature has disabled trunk members because the number of up ports in the trunk has fallen below the configured threshold. (To configure the threshold, see trunk on page 173.)

traps ha   Enables the following traps:
  active   Indicates that the AX device is going from HA Standby mode to Active mode.



  standby   Indicates that the AX device is going from HA Active mode to Standby mode.
  active-active   Indicates that an Active-Active HA configuration has been enabled.

traps slb   Enables the following traps:
  application-buffer-limit   Indicates that the configured SLB application buffer threshold has been exceeded. (See monitor on page 133.)
  server-conn-limit   Indicates that an SLB server has reached its configured connection limit.
  server-conn-resume   Indicates that an SLB server has reached its configured connection-resume value.
  server-down   Indicates that an SLB server has gone down.
  server-up   Indicates that an SLB server has come up.
  service-conn-limit   Indicates that an SLB service has reached its configured connection limit.
  service-conn-resume   Indicates that an SLB service has reached its configured connection-resume value.
  service-down   Indicates that an SLB service has gone down.
  service-up   Indicates that an SLB service has come up.
  vip-connlimit   Indicates that the connection limit configured on a virtual server has been exceeded.
  vip-connratelimit   Indicates that the connection rate limit configured on a virtual server has been exceeded.
  vip-port-connlimit   Indicates that the connection limit configured on a virtual port has been exceeded.



  vip-port-connratelimit   Indicates that the connection rate limit configured on a virtual port has been exceeded.
  vip-port-down   Indicates that an SLB virtual service port has gone down.
  vip-port-up   Indicates that an SLB virtual service port has come up. An SLB virtual server's service port is up when at least one member (real server and real port) in the service group bound to the virtual port is up.

Note: If you enter the snmp-server enable command without a trap option, the SNMP service is enabled but no traps are enabled.

Default The SNMP service is disabled by default and all traps are disabled by default.

Mode Configuration mode

Usage The no form disables traps.

Example The following command enables all traps:

AX(config)#snmp-server enable traps

Example

The following command enables all SLB traps:

AX(config)#snmp-server enable traps slb

Example

The following commands enable SLB traps server-conn-limit and server-conn-resume:

AX(config)#snmp-server enable traps slb server-conn-limit
AX(config)#snmp-server enable traps slb server-conn-resume

snmp-server group
Description Configure an SNMP group.

Syntax [no] snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} read view-name

Parameter   Description
group-name   Specifies the name of the SNMP group.
v1   Uses the least secure of the security models.



v2c   Uses the second-least secure of the security models.
v3   Uses the most secure of the security models.
auth   Uses packet authentication but does not encrypt the packets. (This is the authNoPriv security level.)
noauth   Does not use any authentication of packets. (This is the noAuthNoPriv security level.)
priv   Uses packet authentication and encryption. (This is the authPriv security level.)
view-name   Specifies the name of a read-only view for accessing the MIB object values.

Default The configuration does not have any default SNMP groups.

Mode Configuration mode

Example The following commands add SNMP v3 group group1 with authPriv security and read-only view view1:

AX(config)#snmp-server group group1 v3 priv read view1

snmp-server host
Description Configure an SNMP v1/v2c trap receiver.

Syntax [no] snmp-server host trap-receiver [version {v1 | v2c}] community-string [udp-port port-num]

Parameter   Description
trap-receiver   Hostname or IP address of the remote device to which traps will be sent.
version {v1 | v2c}   SNMP version. If you omit this option, the trap receiver can use SNMP v1 or v2c.
community-string   Community string for the traps.
port-num   UDP port to which the AX Series device will send the traps.



Default No SNMP hosts are defined. When you configure one, the default SNMP version is v2c and the default UDP port is 162.

Mode Configuration mode

Usage You can configure up to 2 trap receivers. The no form removes the trap receiver.

Example The following command configures SNMP trap receiver 100.10.10.12 to use community string public and UDP port 166 for SNMP v2c traps.

AX(config)#snmp-server host 100.10.10.12 public udp-port 166

snmp-server location
Description Configure SNMP location information.

Syntax [no] snmp-server location location

Parameter   Description
location   The location of this AX device.

Default Empty string

Mode Configuration mode

Usage The no form removes the location information.

Example The following command configures the location as A10-HQ:

AX(config)#snmp-server location A10-HQ

snmp-server user
Description Configure SNMP user-based groups.

Syntax [no] snmp-server user username group groupname {v1 | v2 | v3 [auth {md5 | sha} password [encrypted]]}



Parameter   Description
username   Specifies the SNMP user name.
groupname   Specifies the group to which the SNMP user belongs.
v1 | v2c   Specifies SNMP version 1 or v2c.
v3 [auth {md5 | sha} password [encrypted]]   Specifies SNMP version 3 and the authentication to use.
  md5 | sha   HMAC MD5 (md5) or HMAC SHA (sha).
  password [encrypted]   Password for SNMP messages. To encrypt the password, use the encrypted option.

Default No SNMP users are configured by default. When you configure one, all remote hosts are allowed by default. For v3, there is no authentication by default.

Mode Configuration mode

Example The following command adds an SNMP user belonging to group group1. The SNMP version is 3 and the authentication method is HMAC MD5. The password is 12345678. The password is not encrypted.

AX(config)#snmp-server user user1 group group1 v3 auth md5 12345678

snmp-server view
Description Configure an SNMP view.

Syntax [no] snmp-server view view-name oid [oid-mask] {included | excluded}

Parameter   Description
view-name   SNMP view's name.
oid   MIB view family name or OID.
oid-mask   OID mask. Use hex octets, separated by ..
included   MIB family is included in the view.
excluded   MIB family is excluded from the view.

Default N/A

Mode Configuration mode

Usage The OID for A10 Networks AX Series objects is 1.3.6.1.4.1.22610.

Example The following command adds SNMP view view1 and includes all objects in the 1.3.6 tree:

AX(config)#snmp-server view view1 1.3.6 included
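
The defaults and security levels documented for the snmp-server commands above can be checked mechanically. The following Python audit is an added example, not A10 code: it reads snmp-server lines in the syntax shown in this section and reports the settings the reference itself describes as open or less secure. The function names, the list of well-known community strings and the choice of what to flag are assumptions of this example; the sample input is constructed from the example commands in this section.

```python
"""Audit AX-style 'snmp-server' lines (added example, not A10 code)."""
import re

AX_OID = "1.3.6.1.4.1.22610"        # AX Series OID, as stated in the reference
WELL_KNOWN = {"public", "private"}   # assumption: commonly guessed community strings
MODEL_NOTE = {"v1": "least secure security model",
              "v2c": "second-least secure security model"}


def _tokens(line):
    # Accept saved-config lines and lines copied from a session ("AX(config)#...").
    return re.sub(r"^\S*\)#\s*", "", line.strip()).split()


def audit_snmp(config_text):
    """Return a list of (line_number, command, finding) tuples."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        tok = _tokens(raw)
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind, args = tok[1], tok[2:]

        def flag(msg):
            findings.append((lineno, kind, msg))

        if kind == "community" and len(args) >= 2 and args[0] == "read":
            name, opts = args[1], args[2:]
            if name.lower() in WELL_KNOWN:
                flag("well-known community string")
            if "oid" not in opts:
                flag("no oid restriction: all OIDs are readable (the default)")
            if "remote" not in opts:
                flag("no remote restriction: any host may query (the default)")
        elif kind == "group" and len(args) >= 2:
            model = args[1]
            if model in MODEL_NOTE:
                flag(model + " group: " + MODEL_NOTE[model])
            elif model == "v3" and args[2:3] == ["noauth"]:
                flag("v3 noauth (noAuthNoPriv): packets are not authenticated")
            elif model == "v3" and args[2:3] == ["auth"]:
                flag("v3 auth (authNoPriv): packets are not encrypted")
        elif kind == "host":
            rest = args[1:]                  # skip the trap-receiver address
            if rest[:1] == ["version"]:
                rest = rest[2:]              # skip "version v1|v2c"
            if rest and rest[0].lower() in WELL_KNOWN:
                flag("trap receiver uses a well-known community string")
        elif kind == "user" and len(args) >= 4 and args[1] == "group":
            model, rest = args[3], args[4:]
            if model in ("v1", "v2", "v2c"):
                flag(model + " user: the auth option applies to v3 only")
            elif model == "v3" and rest[:1] != ["auth"]:
                flag("v3 user without auth (the default for v3)")
            elif model == "v3":
                if rest[1:2] == ["md5"]:
                    flag("HMAC MD5 authentication; sha is also offered")
                if "encrypted" not in rest[3:]:
                    flag("password entered without the encrypted option")
        elif kind == "view" and len(args) >= 3 and args[-1] == "included":
            oid = args[1].strip(".")
            if AX_OID.startswith(oid + "."):
                flag("view includes a subtree wider than the AX OID " + AX_OID)
    return findings


# Constructed sample assembled from the example commands in this section.
SAMPLE = """\
AX(config)#snmp-server enable
AX(config)#snmp-server community read A10_AX oid AxMgmt remote 10.10.20.0 24
AX(config)#snmp-server community read A10_AX2 remote a101::1111
AX(config)#snmp-server group group1 v3 priv read view1
AX(config)#snmp-server host 100.10.10.12 public udp-port 166
AX(config)#snmp-server user user1 group group1 v3 auth md5 12345678
AX(config)#snmp-server view view1 1.3.6 included
"""

if __name__ == "__main__":
    for lineno, kind, msg in audit_snmp(SAMPLE):
        print(f"line {lineno}: snmp-server {kind}: {msg}")
```

Findings carry only the line number, the command and a message, so configured passwords and community strings are not echoed into the report.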

stats-data-disable
Description Globally disable collection of statistical data.

Syntax stats-data-disable

Default Statistical data collection is enabled by default.

Mode Configuration mode

Usage This command disables statistical data collection for system resources, including the following:
- CPU
- Memory
- Disk
- Interfaces

This command also disables statistical data collection for any of the following types of load-balancing resources, if collection is enabled on those resources:
- SLB resources:
  - Real server
  - Real server port
  - Service group
  - Virtual server
  - Virtual server port
- FWLB resources:
  - Firewall node
  - Firewall group
  - Virtual firewall


stats-data-enable
Description Globally re-enable collection of statistical data.

Syntax stats-data-enable

Default Statistical data collection is enabled by default.

Mode Configuration mode

Usage This command re-enables statistical data collection for system resources, including the following:
- CPU
- Memory
- Disk
- Interfaces

The command also re-enables statistical data collection for any individual load-balancing resources on which collection had been enabled before it was globally disabled.

switch
Description Configure hardware settings on Ethernet ports.

CAUTION! Do not use this command unless advised to do so by A10 Networks. The command is used for troubleshooting and can affect performance of the AX Series.

Syntax switch phy-10g-reg port port-num register hex-number value hex-number
switch phy-10g-reg-ext device number port port-num register hex-number value hex-number
switch phy-reg port port-num register hex-number value hex-number
switch register {bitmask number-hex value number-hex | field-offset number field-length number value number-hex | value number-hex}

Mode Configuration mode

Usage There is no "no" form of this command.

syn-cookie
Description Enable hardware-based SYN cookies, which protect against TCP SYN flood attacks.

Syntax [no] syn-cookie [on-threshold num off-threshold num]

Parameter   Description
on-threshold num   Maximum number of concurrent half-open TCP connections allowed on the AX device, before SYN cookies are enabled. If the number of half-open TCP connections exceeds the on-threshold, the AX device enables SYN cookies. You can specify 0-2147483647 half-open connections.
off-threshold num   Minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled. If the number of half-open TCP connections falls below this level, SYN cookies are disabled. You can specify 0-2147483647 half-open connections.

Note: It may take up to 10 milliseconds for the AX device to detect and respond to crossover of either threshold.

Default Hardware-based SYN cookies are disabled by default. When the feature is enabled, there are no default settings for the on and off thresholds.

Mode Configuration mode

Usage Hardware-based SYN cookies are available only on the AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. If both hardware-based and software-based SYN cookies are enabled, only hardware-based SYN cookies are used. You can leave software-based SYN cookies enabled but they are not used. (Software-based SYN cookies are enabled at the virtual port level using the syn-cookie enable command.) If you omit the on-threshold and off-threshold options, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections present on the AX device.



This command globally enables SYN cookie support for SLB and also enables SYN cookie support for Layer 2/3 traffic. No additional configuration is required for SLB SYN cookie support. However, to use Layer 2/3 SYN cookie support, you also must enable it at the configuration level for individual interfaces. See ip tcp syn-cookie on page 195.

Example The following command enables hardware-based SYN cookies:

AX(config)#syn-cookie

Example

The command in the following example configures dynamic SYN cookies when the number of concurrent half-open TCP connections exceeds 50000, and disables SYN cookies when the number falls below 30000:

AX(config)#syn-cookie on-threshold 50000 off-threshold 30000
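
The two-threshold rule configured above, modelled as an added Python example (not A10 code): it applies the documented behaviour (on when the half-open count exceeds on-threshold, off when it falls below off-threshold, unchanged in between) to a constructed series of counts, and shows how a single shared value makes the state flap. Evaluating once per sample and rejecting an off-threshold above the on-threshold are assumptions of this model, and the function name is hypothetical.

```python
"""Model of the syn-cookie on-threshold / off-threshold rule (added example)."""

MAX_HALF_OPEN = 2147483647  # upper bound for both thresholds, per the reference


def syn_cookie_transitions(half_open_samples, on_threshold, off_threshold):
    """Return (sample_index, half_open_count, enabled) for every state change.

    SYN cookies turn on when the count exceeds on_threshold and turn off
    when it falls below off_threshold; between the two the state is kept.
    """
    for name, value in (("on-threshold", on_threshold),
                        ("off-threshold", off_threshold)):
        if not 0 <= value <= MAX_HALF_OPEN:
            raise ValueError(f"{name} must be in 0-{MAX_HALF_OPEN}")
    if off_threshold > on_threshold:
        # Assumption of this model; the reference does not state this constraint.
        raise ValueError("off-threshold above on-threshold")

    enabled = False
    transitions = []
    for index, count in enumerate(half_open_samples):
        if not enabled and count > on_threshold:
            enabled = True
            transitions.append((index, count, True))
        elif enabled and count < off_threshold:
            enabled = False
            transitions.append((index, count, False))
    return transitions


# Constructed series of concurrent half-open TCP connection counts.
SAMPLES = [12000, 31000, 50001, 48000, 35000, 51000,
           30000, 29999, 40000, 50000, 10]

if __name__ == "__main__":
    print("on 50000 / off 30000:",
          syn_cookie_transitions(SAMPLES, 50000, 30000))
    print("single value 40000:  ",
          syn_cookie_transitions(SAMPLES, 40000, 40000))
```

With the thresholds from the example command, the series changes state twice; with one shared value of 40000 it changes six times, which is the churn the gap between the two thresholds avoids.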

system {all-vlan-limit | per-vlan-limit}


Description Set traffic limits for VLANs. You can set a global limit for all VLANs or per VLAN.

Syntax [no] system {all-vlan-limit | per-vlan-limit} {bcast | ipmcast | mcast | unknown_ucast} num

Parameter   Description
all-vlan-limit | per-vlan-limit   Specifies whether the limit is system-wide for all VLANs or for each individual VLAN.
  all-vlan-limit   Limit applies system-wide to all VLANs. Collectively, all the AX Series device's VLANs together cannot exceed the specified limit.
  per-vlan-limit   Limit applies to each VLAN. No individual VLAN can exceed the specified limit.
bcast | ipmcast | mcast | unknown_ucast   Specifies the type of traffic to limit:
  bcast   Broadcast traffic
  ipmcast   IP multicast traffic
  mcast   All multicast packets except IP multicast packets.



  unknown_ucast   Unknown unicast traffic
num   Specifies the maximum number of packets per second that are allowed of the specified traffic type.

Default Not set

Mode Configuration mode

Example The following command limits each VLAN to 1000 multicast packets per second:

AX(config)#system per-vlan-limit mcast 1000

system lid
Description Apply a combined set of IP limiting rules to the whole system.

Syntax [no] system lid num

Parameter   Description
num   Specifies the LID to use.

Default None

Mode Configuration mode

Usage This command uses a single LID. To configure the LID, see lid on page 116. For more information about IP limiting, see the IP Limiting chapter in the AX Series Configuration Guide.

Example The following commands configure a standalone IP limiting rule to be applied globally to all IP clients (the clients that match class list global):

AX(config)#lid 1
AX(config-global lid)#conn-rate-limit 10000 per 1
AX(config-global lid)#conn-limit 2000000
AX(config-global lid)#over-limit forward logging
AX(config-global lid)#exit
AX(config)#system lid 1


system module-ctrl-cpu
Description Specify the maximum amount of control CPU that can be used at any given time for processing of CLI or SNMP output.

Syntax [no] system module-ctrl-cpu {low | medium | high}

Default Not set

Mode Configuration mode

Usage The command takes effect only for new CLI sessions that are started after you enter the command. After entering the command, close currently open CLI sessions and start a new one.

system pbslb bw-list


Description Specify the name of a black/white list to use for system-wide Policy-Based SLB (PBSLB).

Syntax [no] system pbslb bw-list name

Default None

Mode Configuration mode

system pbslb id
Description Specify the action to take for clients in a black/white list used for system-wide PBSLB.

Syntax [no] system pbslb id id {drop | reset} [logging minutes]

Parameter   Description
id   Group ID within the black/white list.
drop | reset   Specifies the action to take for clients in the specified group:
  drop   Drops the connections.
  reset   Resets the connections.



logging minutes   Enables logging. The minutes option specifies how often messages can be generated.

Default Not set

Mode Configuration mode

system pbslb over-limit


Description Specify the action to take for system-wide PBSLB clients who either exceed the connection limit specified in the black/white list, or exceed the threshold of any IP anomaly filter used for system-wide PBSLB.

Syntax [no] system pbslb over-limit [reset] [lockup minutes] [logging minutes]

Parameter   Description
reset   Resets all new connection attempts from the client. If you omit this option, new connection attempts are dropped instead.
lockup minutes   Continues to apply the over-limit action to all new connection attempts from the client, for the specified number of minutes.
logging minutes   Enables logging. The minutes option specifies how often messages can be generated.

Default Not set

Mode Configuration mode

Usage The IP anomaly filters used by system-wide PBSLB are bad-content, out-of-sequence, and zero-window. These filters are enabled automatically when you configure system-wide PBSLB. To modify the filters, see ip anomaly-drop on page 220.

system pbslb sockstress-disable


Description Disable Sockstress protection, if enabled by a system-wide PBSLB policy.

Syntax [no] system pbslb sockstress-disable



Default By default, Sockstress protection, if configured, is enabled.

Mode Configuration mode

Usage Sockstress protection can be configured (and enabled) using a system-wide PBSLB policy. This command provides a simple way to disable Sockstress protection, without the need to remove the system-wide PBSLB policy.

system pbslb timeout


Description Set the timeout for dynamic black/white-list entries, used by system-wide PBSLB.

Syntax [no] system pbslb timeout minutes

Parameter   Description
minutes   Specifies the timeout, 1-127 minutes.

Default 5 minutes

Mode Configuration mode

Usage If the lockup option is used with the system pbslb over-limit command, aging of the dynamic entry for a locked up client begins only after the lockup expires.

system resource-usage
Description Change the capacity of a system resource.

Syntax [no] system resource-usage resource-type maximum

Parameter   Description
resource-type   Specifies the system resource you are resizing:
  client-ssl-template-count   Total configurable client SSL templates
  conn-reuse-template-count   Total configurable connection reuse templates
  fast-tcp-template-count   Total configurable Fast TCP templates



  fast-udp-template-count   Total configurable Fast UDP templates
  http-template-count   Total configurable HTTP templates
  l4-session-count   Total Layer 4 sessions
  nat-pool-addr-count   Total IP source NAT pools
  persist-cookie-template-count   Total configurable persistent cookie templates
  persist-srcip-template-count   Total configurable source IP persistence templates
  proxy-template-count   Total configurable proxy templates
  real-port-count   Total real server ports
  real-server-count   Total real servers
  server-ssl-template-count   Total configurable server SSL templates
  service-group-count   Total service groups
  stream-template-count   Total configurable streaming-media templates
  virtual-port-count   Total virtual server ports
  virtual-server-count   Total virtual servers
maximum   The maximum number of the specified resource you want to allow on the AX Series.

Default The default maximum number for each type of system resource depends on the AX Series model. To display the defaults and current values for your AX Series, enter the following command: show system resource-usage on page 645.

Mode Configuration mode



Usage The maximum number you can configure depends on the resource type and the AX Series model. To display the range of values that are valid for a resource, enter a question mark instead of a quantity.
- The maximum number of real servers allowed in a service group is half the total number of real servers allowed on the device.
- The maximum number of real ports allowed on a real server is half the total number of real ports allowed on the device.
- For all the following types of SLB templates, the total number allowed is 256 each, and is not configurable in the current release:
  - RAM caching
  - SIP
  - SMTP
  - Policy (PBSLB)
- The total number of health monitors allowed is 1024 and is not configurable.
- For every type of system resource that has a default, the AX device reserves one instance of the resource. For example, the device allows a total of 256 RAM caching templates. However, the device reserves one RAM caching template for the default template, which leaves a maximum of 255 additional RAM caching templates that can be configured.

Reload or Reboot Required

To place a change to l4-session-count into effect, a reboot is required. A reload will not place this change into effect. For changes to any of the other system resources, a reload is required but a reboot is not required.

Example The following commands display the current usage and settings for maximum URI count, then display the range of values to which the default maximum can be set, then reset the default maximum to 512.

AX(config)#show system resource-usage
Resource            Current   Default   Minimum   Maximum
--------------------------------------------------------------------------
l4-session-count    8388608   8388608   524288    33554432
...
stream-uri-count    256       256       32        1024
...
AX(config)#system resource-usage stream-uri-count ?
<32-1024> Total configurable URI strings in the System
AX(config)#system resource-usage stream-uri-count 512
Changes will take effect next time the software is reloaded.


system template
Description Globally applies a PBSLB policy template to the AX device.

Syntax [no] system template policy template-name

Default N/A

Mode Configuration mode

Usage You can use this command to globally apply IP limits to the AX device, configured on a per-client basis. For more information, see the "IP Limiting" chapter in the AX Series Configuration Guide.

system-reset
Description Restore the AX device to its factory default configuration.

Syntax system-reset

Default N/A

Mode Configuration mode

Usage This command is helpful when you need to redeploy an AX device in a new environment or at a new customer site, or you need to start over the configuration at the same site.

The command erases any saved configuration profiles, as well as system files such as SSL certificates and keys, aFleX policies, black/white lists, and system logs. The management IP address and admin-configured admin and enable passwords are also removed.

However, the command does not remove the running-config and does not automatically reboot or power down the device. The device continues to operate using the running-config and any other system files in memory, until you reboot or power down the device. Reboot the AX device to erase the running-config and place the system reset into effect.

Example The following commands reset an AX device to its factory default configuration, then reboot the device to erase the running-config:

AX(config)#system-reset
AX(config)#end
AX#reboot

tacacs-server
Description Configure TACACS+ for authorization and accounting. If authorization or accounting is specified, the AX device will attempt to use the TACACS+ servers in the order they are configured. If one server fails to respond, the next server will be used.

Syntax [no] tacacs-server host {hostname | ipaddr} secret secret-string [port protocol-portnum] [timeout seconds]

Parameter            Description
hostname | ipaddr    Hostname or IP address of the TACACS+ server. If a hostname is to be used, make sure a DNS server has been configured.
secret-string        The shared secret.
protocol-portnum     The port used for setting up a connection with a TACACS+ server.
seconds              The maximum number of seconds allowed for setting up a connection with a TACACS+ server. You can specify 1-12 seconds.

Default The default port number is 49. The default timeout is 12 seconds.

Mode Configuration mode

Usage You can configure up to 2 TACACS+ servers. The servers are used in the order in which you add them to the configuration. Thus, the first server you add is the primary server. The second server you add is the secondary (backup) server. Enter a separate command for each of the servers. The secondary server is used only if the primary server does not respond.

Example The following command adds a TACACS+ server "192.168.3.45" and sets its shared secret as "SharedSecret":

AX(config)#tacacs-server host 192.168.3.45 secret SharedSecret

The following command adds a TACACS+ server "192.168.3.72", sets the shared secret as "NewSecret", sets the port number as 1980, and sets the connection timeout value as 6 seconds:

AX(config)#tacacs-server host 192.168.3.72 secret NewSecret port 1980 timeout 6

The following command deletes TACACS+ server 192.168.3.45:

AX(config)#no tacacs-server host 192.168.3.45

The following command deletes all TACACS+ servers:

AX(config)#no tacacs-server

techreport
Description Configure automated collection of system information. If you need to contact Technical Support, they may ask you for the techreports to help diagnose system issues.

Syntax [no] techreport {interval minutes | disable}

Parameter           Description
interval minutes    Specifies how often to collect new information. You can specify 15-120 minutes.
disable             Disables automated collection of system information.

Default Automated collection of system information is enabled by default. The default interval is 15 minutes.

Mode Configuration mode

Usage The AX device saves all techreport information for a given day in a single file. Timestamps identify when each set of information is gathered. The AX device saves techreport files for the most recent 31 days. Each day's reports are saved in a separate file.

The techreports are a light version of the output generated by the show techsupport command. To export the information, use the show techsupport command. (See "show techsupport" on page 647.)


terminal
Description Set the terminal configuration.

Syntax [no] terminal {auto-size | editing | history [size number] | idle-timeout minutes | length number | no-ha-prompt | width lines}

Parameter                Description
auto-size                Automatically adjusts the length and width of the terminal display.
editing                  Enables command editing.
history [size number]    Enables the command history and specifies the number of commands it can contain, 0-1000.
idle-timeout minutes     Specifies the number of minutes a CLI session can be idle before it times out and is terminated, 0-60 minutes. To disable timeout, enter 0.
length number            Specifies the number of lines to display per page, 0-512. To disable paging, enter 0.
no-ha-prompt             Disables display of the HA status in the CLI prompt. (For more information, see "High Availability Status in Command Prompt" on page 28.)
width lines              Specifies the number of columns to display, 0-512. To use an unlimited number of columns, enter 0.

Default This command has the following defaults:

- auto-size: enabled
- editing: enabled
- history: enabled, for up to 256 commands
- idle-timeout: 10 minutes
- length: 24 lines
- no-ha-prompt: Disabled. (Display of the HA status is enabled.)
- width: 80 columns

Mode Configuration mode

Example The following example sets the idle-timeout to 30 minutes:

AX(config)#terminal idle-timeout 30

tftp blksize
Description Change the TFTP block size.

Syntax [no] tftp blksize bytes

Parameter    Description
bytes        Maximum packet length the AX TFTP client can use when sending or receiving files to or from a TFTP server. You can specify from 512-32768 bytes.

Default 512 bytes

Mode Configuration mode

Usage Increasing the TFTP block size can provide the following benefits:

- TFTP file transfers can occur more quickly, since fewer blocks are required to send a file.
- File transfer errors due to the server reaching its maximum block size before a file is transferred can be eliminated.

To determine the maximum file size a block size will allow, use the following formula:

1K-blocksize = 64MB-filesize

Here are some examples.

Block Size    Maximum File Size
1024          64 MB
8192          512 MB
32768         2048 MB

Increasing the TFTP block size of the AX device only increases the maximum block size supported by the AX device. The TFTP server also must support larger block sizes. If the block size is larger than the TFTP server supports, the file transfer will fail and a communication error will be displayed on the CLI terminal.

If the TFTP block size is larger than the IP Maximum Transmission Unit (MTU) on any device involved in the file transfer, the TFTP packets will be fragmented to fit within the MTU. The fragmentation will not increase the number of blocks; however, it can re-add some overhead to the overall file transmission speed.

Example The following commands display the current TFTP block size, increase it, then verify the change:

AX(config)#show tftp
TFTP client block size is set to 512
AX(config)#tftp blksize 4096
AX(config)#show tftp
TFTP client block size is set to 4096
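The block-size formula and the MTU caveat above can be combined into a small planner for an image transfer. This is an added example, not A10 code: it assumes IPv4 without options, no block-number rollover, and a power-of-two choice of block sizes (the command itself accepts any value in range); the file sizes used are constructed.

```python
import math

MAX_BLOCK_NUMBER = 65535                      # TFTP block numbers are 16 bits, starting at 1
AX_BLKSIZE_MIN, AX_BLKSIZE_MAX = 512, 32768   # range of "tftp blksize" on this page
IPV4_HEADER, UDP_HEADER, TFTP_DATA_HEADER = 20, 8, 4  # bytes (assumes no IP options)


def page_max_file_mb(blksize):
    """The page's rule of thumb: each 1K of block size allows 64 MB of file."""
    return blksize * 64 // 1024


def blocks_needed(file_bytes, blksize):
    """DATA blocks sent for a file; the transfer always ends with a block
    shorter than blksize, which is empty when the size is an exact multiple."""
    return file_bytes // blksize + 1


def fragments_per_block(blksize, mtu=1500):
    """IP fragments needed to carry one full TFTP DATA packet across a link."""
    udp_datagram = UDP_HEADER + TFTP_DATA_HEADER + blksize
    # Every fragment except the last carries a multiple of 8 bytes of IP payload.
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    return math.ceil(udp_datagram / per_fragment)


def plan_transfer(file_bytes, mtu=1500):
    """Return (blksize, blocks, fragments_per_block) for the smallest
    power-of-two block size that fits the file in the 16-bit block counter,
    or None when even the largest configurable block size is too small."""
    blksize = AX_BLKSIZE_MIN
    while blksize <= AX_BLKSIZE_MAX:
        blocks = blocks_needed(file_bytes, blksize)
        if blocks <= MAX_BLOCK_NUMBER:
            return blksize, blocks, fragments_per_block(blksize, mtu)
        blksize *= 2
    return None


if __name__ == "__main__":
    for size_mb in (40, 200, 3072):           # constructed image sizes
        print(size_mb, "MB ->", plan_transfer(size_mb * 2**20))
```

A result with more than one fragment per block means a single lost fragment costs the whole block, so the block size that fits the file is not automatically the fastest one on a lossy path.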

trunk
Description Configure a trunk group, which is a single logical link consisting of multiple Ethernet ports.

Syntax [no] trunk num

This command changes the CLI to the configuration level for the specified trunk, where the following trunk-related commands are available:

Command    Description
disable ethernet portnum [to portnum] [ethernet portnum] ...    Disables ports in the trunk.
enable ethernet portnum [to portnum] [ethernet portnum] ...    Enables ports in the trunk.
[no] ethernet portnum [to portnum] [ethernet portnum] ...    Adds ports to the trunk.
[no] ports-threshold num    Specifies the minimum number of ports that must be up in order for the trunk to remain up. You can specify 2-8. If the number of up ports falls below the configured threshold, the AX automatically disables the trunk's member ports. The ports are disabled in the running-config. The AX device also generates a log message and an SNMP trap, if these services are enabled.
[no] ports-threshold-timer seconds    Specifies how many seconds to wait after a port goes down before marking the trunk down, if the threshold is exceeded. You can set the ports-threshold timer to 1-300 seconds. The default is 10 seconds.

Default N/A

Mode Configuration mode

Usage A maximum of 8 trunk groups are supported. Each group can have a maximum of 8 ports. Trunk group port numbers do not need to be consecutive.

Operations such as setting an IP interface or VLAN are performed on the lead member of the trunk, which is the lowest-numbered interface. For example, to configure an IP interface on a trunk containing ports 1-4, add the interface to port 1.

Ports-Threshold
By default, a trunk's status remains UP so long as at least one of its member ports is up. You can change the ports threshold of a trunk to 2-8 ports. If the number of up ports falls below the configured threshold, the AX automatically disables the trunk's member ports. The ports are disabled in the running-config. The AX device also generates a log message and an SNMP trap, if these services are enabled.

Note: After the feature has disabled the members of the trunk group, the ports are not automatically re-enabled. The ports must be re-enabled manually after the issue that caused the ports to go down has been resolved.

In some situations, a timer is used to delay the ports-threshold action. The configured port threshold is not enforced until the timer expires. The ports-threshold timer for a trunk is used in the following situations:

- When a member of the trunk links up.
- A port is added to or removed from the trunk.
- The port threshold for the trunk is configured during runtime. (If the threshold is set in the startup-config, the timer is not used.)

Example The following commands configure trunk 1 and add ports 6-8 and 14 to it:

AX(config)#trunk 1
AX(config-trunk:1)#ethernet 6 to 8 ethernet 14

Example The following commands configure an 8-port trunk, set the port threshold to 6, and display the trunk's configuration:

AX(config)#trunk 1
AX(config-trunk:1)#ethernet 1 to 8
AX(config-trunk:1)#ports-threshold 6
AX(config-trunk:1)#show trunk
Trunk ID          : 1                 Member Count: 8
Trunk Status      : Up
Members           : 1   2   3   4   5   6   7   8
Cfg Status        : Enb Enb Enb Enb Enb Enb Enb Enb
Oper Status       : Up  Up  Up  Up  Up  Up  Up  Up
Ports-Threshold   : 6                 Timer: 10 sec(s)  Running: No
Working Lead      : 1

tx-congestion-ctrl
Description Configure looping on the polling driver, on applicable AX models.

Note: This command can impact system performance. It is recommended not to use this command unless advised by A10 Networks technical support.

Syntax tx-congestion-ctrl retries

Default 1

Mode Configuration mode


update
Description Copy the currently running system image from the hard disk to the compact flash (cf).

Syntax update cf {pri | sec}

Parameter    Description
pri | sec    Image to replace:
             pri: primary image
             sec: secondary image

Default N/A

Mode Configuration mode

Usage This command does not save the configuration or reboot. To verify the update, enter the show version command.

Example The following command copies the currently running system image from the hard disk to the secondary image area on the compact flash.

AX(config)#update cf sec

upgrade
Description Upgrade the system.

Syntax upgrade {cf | hd} {pri | sec} [use-mgmt-port] url

Parameter        Description
cf | hd          System location to which to write the upgrade image:
                 cf: compact flash
                 hd: hard drive
pri | sec        Image to replace:
                 pri: primary image
                 sec: secondary image
use-mgmt-port    Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.
url              File transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
                 tftp://host/file
                 ftp://[user@]host[:port]/file
                 scp://[user@]host/file
                 rcp://[user@]host/file

Default N/A

Mode Configuration mode

Usage For complete upgrade instructions, see the release notes for the AX release to which you plan to upgrade. There is no "no" form of this command.

Example The following example uses TFTP to upgrade the system image in the secondary image area of the hard disk:

AX(config)#upgrade hd sec tftp://192.168.1.144/ax2k_upg_1_2_0_107.tgz
Do you want to reboot the system after the upgrade?[yes/no]:yes

vlan
Description Configure a virtual LAN (VLAN). This command changes the CLI to the configuration level for the VLAN.

Syntax [no] vlan vlan-id

Parameter    Description
vlan-id      VLAN ID, from 1 to 4094.

Default VLAN 1 is configured by default. All Ethernet data ports are members of VLAN 1 by default.

Mode Configuration mode

Usage You can add or remove ports in VLAN 1 but you cannot delete VLAN 1 itself. For information about the commands available at the VLAN configuration level, see "Config Commands: VLAN" on page 215.

Example The following command adds VLAN 69 and enters the configuration level for it:

AX(config)#vlan 69
AX(config-vlan:69)#

web-service
Description Configure access parameters for the Graphical User Interface (GUI).

Syntax [no] web-service { auto-redir | axapi-timeout-policy idle minutes | port protocol-port | secure-port protocol-port | server | secure-server | timeout-policy idle minutes }

Parameter                            Description
auto-redir                           Enables requests for the unsecured port (HTTP) to be automatically redirected to the secure port (HTTPS).
axapi-timeout-policy idle minutes    Specifies the number of minutes an aXAPI session can remain idle before being terminated. Once the aXAPI session is terminated, the session ID generated by the AX device for the session is no longer valid. You can specify 0-60 minutes. If you specify 0, sessions never time out.
port protocol-port                   Specifies the protocol port number for the unsecured (HTTP) port.
secure-port protocol-port            Specifies the protocol port number for the secure (HTTPS) port.
server                               Enables the HTTP server.
secure-server                        Enables the HTTPS server.
timeout-policy idle minutes          Specifies the number of minutes a Web management session can remain idle before it times out and is terminated by the AX device. You can specify 0-60 minutes. To disable the timeout, enter 0.

Default This command has the following defaults:

- auto-redir: enabled
- axapi-timeout-policy idle: 5 minutes
- port: 80
- secure-port: 443
- server: enabled
- secure-server: enabled
- timeout-policy: 10 minutes

Mode Configuration mode

Usage If you disable HTTP or HTTPS access, any sessions on the management GUI are immediately terminated.

Example The following command disables management access on HTTP:

AX(config)#no web-service server
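The defaults documented for terminal, tacacs-server and web-service determine what a device exposes when a configuration says nothing about them, so a review has to start from those defaults. The following check is an added example, not A10 code: it assumes saved configuration lines mirror the command syntax shown on this page, and the sample configuration is constructed.

```python
import re

# Defaults from the "Default" entries for terminal and web-service on this page.
DEFAULTS = {
    "http": True,        # web-service server
    "https": True,       # web-service secure-server
    "auto_redir": True,  # web-service auto-redir
    "gui_idle": 10,      # web-service timeout-policy idle (minutes)
    "axapi_idle": 5,     # web-service axapi-timeout-policy idle (minutes)
    "cli_idle": 10,      # terminal idle-timeout (minutes)
}

# Constructed sample; assumes config lines use the syntax documented above.
SAMPLE_CONFIG = """\
terminal idle-timeout 0
tacacs-server host 192.168.3.45 secret SharedSecret
web-service axapi-timeout-policy idle 0
no web-service auto-redir
web-service timeout-policy idle 30
"""

TOGGLES = {
    "web-service server": "http",
    "web-service secure-server": "https",
    "web-service auto-redir": "auto_redir",
}
TIMERS = [
    (re.compile(r"^terminal idle-timeout (\d+)$"), "cli_idle"),
    (re.compile(r"^web-service timeout-policy idle (\d+)$"), "gui_idle"),
    (re.compile(r"^web-service axapi-timeout-policy idle (\d+)$"), "axapi_idle"),
]
TACACS = re.compile(r"^tacacs-server host (\S+) secret (\S+)")


def parse(config_text):
    """Return (settings, tacacs_hosts), starting from the documented defaults."""
    settings = dict(DEFAULTS)
    tacacs_hosts = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        negated = line.startswith("no ")
        body = line[3:] if negated else line
        if body in TOGGLES:
            settings[TOGGLES[body]] = not negated
            continue
        for pattern, key in TIMERS:
            match = pattern.match(body)
            if match:
                # The "no" form returns a timer to its default value.
                settings[key] = DEFAULTS[key] if negated else int(match.group(1))
        match = TACACS.match(line)
        if match:
            tacacs_hosts.append(match.group(1))
    return settings, tacacs_hosts


def audit(config_text):
    """Return a list of (setting, message) findings for the management plane."""
    settings, tacacs_hosts = parse(config_text)
    findings = []
    if settings["http"]:
        if settings["auto_redir"]:
            findings.append(("http", "HTTP listener is on (redirecting to HTTPS); "
                                     "'no web-service server' closes it"))
        else:
            findings.append(("http", "HTTP is on and auto-redir is off: GUI sessions "
                                     "can run unencrypted"))
    for key, label in (("cli_idle", "CLI"), ("gui_idle", "GUI"), ("axapi_idle", "aXAPI")):
        if settings[key] == 0:
            findings.append((key, label + " idle timeout is 0: sessions never time out"))
    if len(tacacs_hosts) == 1:
        findings.append(("tacacs", "one TACACS+ server only: no secondary if it "
                                   "stops responding"))
    return findings


def redact(config_text):
    """Mask TACACS+ shared secrets before a config is shared outside the team."""
    return re.sub(r"(?m)^(\s*tacacs-server host \S+ secret )\S+",
                  r"\1<redacted>", config_text)


if __name__ == "__main__":
    for setting, message in audit(SAMPLE_CONFIG):
        print(setting + ": " + message)
    print(redact(SAMPLE_CONFIG))
```

An empty configuration still yields the HTTP finding, because the HTTP server is enabled by default.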

write
Description Write the running-config to a configuration profile. (See "write" on page 65.)

write terminal
Description Display the running-config on the terminal. (See "write terminal" on page 67.)

Config Commands: Interface


This chapter describes the commands for configuring AX interface parameters.

To access this configuration level, enter the following command at the Global Config level:

interface {ethernet port-num | ve number | loopback number | management}

This CLI level also has the following commands, which are available at all configuration levels:

- clear: See "clear" on page 50.
- do: See "do" on page 103.
- end: See "end" on page 107.
- exit: See "exit" on page 108.
- no: See "no" on page 134.
- show: See "Show Commands" on page 527.
- write: See "write terminal" on page 67.

access-list
Description Apply an Access Control List (ACL) to an interface.

Syntax [no] access-list acl-num in

Parameter    Description
acl-num      Number of a configured ACL.
in           Applies the ACL to inbound traffic received on the interface.

Default N/A

Mode Interface

Usage The ACL must be configured before you can apply it to an interface. To configure an ACL, see "access-list (standard)" on page 69 and "access-list (extended)" on page 72.

You can apply ACLs to Ethernet data interfaces, Virtual Ethernet (VE) interfaces, the management interface, and virtual server ports. Applying ACLs to the out-of-band management interface is not supported.

You can apply ACLs only to the inbound traffic direction. This restriction ensures that ACLs are used most efficiently by filtering traffic as it attempts to enter the AX Series device, before being further processed by the device.

Example The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on Ethernet interface 4:

AX(config)#access-list 1 deny 10.10.10.0 0.0.0.255
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#access-list 1 in

cpu-process
Description Enable software-based switching or routing of Layer 2/Layer 3 traffic.

Note: This command is applicable only to models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. The command does not appear in the CLI on other models.

Syntax [no] cpu-process

Default Disabled. Traffic is switched or routed in hardware.

Mode Interface

disable
Description Disable an interface.

Syntax disable

Default The management interface is enabled by default. Data interfaces are disabled by default.

Mode Interface

Usage This command applies to all interface types: Ethernet data interfaces, out-of-band Ethernet management interface, Virtual Ethernet (VE) interfaces, and loopback interfaces.

Example The following command disables Ethernet interface 3:

AX(config-if:ethernet3)#disable

duplexity
Description Set the duplex mode for an Ethernet interface.

Syntax [no] duplexity {Full | Half | auto}

Parameter    Description
Full         Full-duplex mode.
Half         Half-duplex mode.
auto         The mode is negotiated based on the mode of the other end of the link.

Default auto

Mode Interface

Usage This command applies only to physical interfaces (Ethernet ports or the management port).

Example The following command changes the mode on Ethernet interface 6 to half-duplex:

AX(config-if:ethernet6)#duplexity Half

enable
Description Enable an interface.

Syntax enable

Default The management interface is enabled by default. Data interfaces are disabled by default.

Mode Interface

Usage This command applies to all interface types: Ethernet data interfaces, out-of-band Ethernet management interface, Virtual Ethernet (VE) interfaces, and loopback interfaces.

Example The following command enables Ethernet interface 3:

AX(config-if:ethernet3)#enable

flow-control
Description Enable 802.3x flow control on a full-duplex Ethernet interface.

Syntax [no] flow-control

Default Disabled. The AX Ethernet interface auto-negotiates flow control settings with the other end of the link.

Mode Interface

icmp-rate-limit
Description Configure ICMP rate limiting, to protect against denial-of-service (DoS) attacks.

Syntax [no] icmp-rate-limit normal-rate lockup max-rate lockup-time

Parameter          Description
normal-rate        Maximum number of ICMP packets allowed per second on the interface. If the AX interface receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins. The normal rate can be 1-65535 packets per second.
lockup max-rate    Maximum number of ICMP packets allowed per second before the AX device locks up ICMP traffic on the interface. When ICMP traffic is locked up, all ICMP packets on the interface are dropped until the lockup expires. The maximum rate can be 1-65535 packets per second. The maximum rate must be larger than the normal rate.
lockup-time        Number of seconds for which the AX device drops all ICMP traffic on the interface, after the maximum rate is exceeded. The lockup time can be 1-16383 seconds.

Default None

Mode Global Config

Usage This command configures ICMP rate limiting on a physical, virtual Ethernet, or loopback interface. To configure ICMP rate limiting globally, see "icmp-rate-limit" on page 114. To configure it in a virtual server template, see "slb template virtual-server" on page 377. If you configure ICMP rate limiting filters at more than one of these levels, all filters are applicable.

Specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.

Example The following command configures ICMP rate limiting on Ethernet interface 3:

AX(config-if:ethernet3)#icmp-rate-limit 1024 lockup 1200 10
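The normal-rate and lockup behaviour described above is easier to size against real monitoring traffic once it is modelled per second. This is an added example, not A10 code: it assumes the device evaluates whole one-second intervals and that a lockup starts with the interval after the one that exceeded the maximum rate; the traffic figures are constructed.

```python
import re

COMMAND = re.compile(r"^icmp-rate-limit (\d+)(?: lockup (\d+) (\d+))?$")

# Constructed traffic: ICMP packets received in each one-second interval.
SAMPLE_TRAFFIC = [500, 1100, 1500] + [300] * 11


def parse_icmp_rate_limit(command):
    """Parse 'icmp-rate-limit normal-rate [lockup max-rate lockup-time]' and
    enforce the ranges given in the parameter table above."""
    match = COMMAND.match(" ".join(command.split()))
    if not match:
        raise ValueError("not an icmp-rate-limit command")
    normal = int(match.group(1))
    max_rate = int(match.group(2)) if match.group(2) else None
    lockup_time = int(match.group(3)) if match.group(3) else None
    if not 1 <= normal <= 65535:
        raise ValueError("normal-rate must be 1-65535")
    if max_rate is not None:
        if not 1 <= max_rate <= 65535 or max_rate <= normal:
            raise ValueError("max-rate must be 1-65535 and larger than normal-rate")
        if not 1 <= lockup_time <= 16383:
            raise ValueError("lockup-time must be 1-16383")
    return normal, max_rate, lockup_time


def simulate(per_second_counts, normal, max_rate=None, lockup_time=None):
    """Return one (second, received, passed, dropped, locked) tuple per interval."""
    rows = []
    locked_until = 0  # first interval in which ICMP is accepted again
    for second, received in enumerate(per_second_counts):
        if second < locked_until:
            # Lockup: every ICMP packet is dropped, including legitimate pings.
            rows.append((second, received, 0, received, True))
            continue
        passed = min(received, normal)  # the excess is dropped until the next second
        rows.append((second, received, passed, received - passed, False))
        if max_rate is not None and received > max_rate:
            locked_until = second + 1 + lockup_time
    return rows


def summarize(rows):
    """Return (packets passed, packets dropped, seconds spent locked up)."""
    passed = sum(row[2] for row in rows)
    dropped = sum(row[3] for row in rows)
    locked_seconds = sum(1 for row in rows if row[4])
    return passed, dropped, locked_seconds


if __name__ == "__main__":
    limits = parse_icmp_rate_limit("icmp-rate-limit 1024 lockup 1200 10")
    for row in simulate(SAMPLE_TRAFFIC, *limits):
        print("t=%2d received=%4d passed=%4d dropped=%4d locked=%s" % row)
    print(summarize(simulate(SAMPLE_TRAFFIC, *limits)))
```

With the page's example values, one second at 1500 packets silences ICMP for the following 10 seconds, which includes any health-check pings that cross the same interface.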

interface
Description Access the interface configuration level for another interface.

Syntax interface {ethernet port-num | ve number | loopback number | management}

Default N/A

Mode Interface

Usage This command allows you to go directly to the configuration level for another interface, without the need to return to the global Config level first.

Example The following command changes the CLI from the configuration level for Ethernet interface 3 to the configuration level for Ethernet interface 4:

AX(config-if:ethernet3)#interface ethernet 4
AX(config-if:ethernet4)#


ip address
Description Assign an IP address to an interface.

Syntax [no] ip address ipaddr {subnet-mask | /mask-length}

Default There are no IP addresses configured by default.

Mode Interface

Usage This command applies only when the AX Series is used in gateway mode.

You can configure multiple IP addresses on Ethernet and Virtual Ethernet (VE) data interfaces and on loopback interfaces, on AX devices deployed in gateway (route) mode.

Each IP address must be unique on the AX device. Addresses within a given subnet can be configured on only one interface on the device. (The AX device can have only one data interface in a given subnet.)

IP addresses are added to an interface in the order you configure them. The addresses appear in show command output and in the configuration in the same order.

The first IP address you add to an interface becomes the primary IP address for the interface. If you remove the primary address, the next address in the list (the second address to be added to the interface) becomes the primary address.

The AX device automatically generates a directly connected route to each IP address. If you enable redistribution of directly connected routes by OSPF, those protocols can advertise the routes to the IP addresses.

Example The following command assigns IP address 10.2.4.69 to Ethernet interface 9:

AX(config-if:ethernet9)#ip address 10.2.4.69 /24

Example The following commands configure multiple IP addresses on an Ethernet data interface, display the addresses, then delete the primary IP address and display the results.

AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ip address 10.10.10.1 /24
AX(config-if:ethernet1)#ip address 10.10.20.2 /24
AX(config-if:ethernet1)#ip address 20.20.20.1 /24
AX(config-if:ethernet1)#show ip interfaces ethernet 1
Ethernet 1 ip addresses:
10.10.10.1 /24 (Primary)
10.10.20.2 /24
20.20.20.1 /24
AX(config-if:ethernet1)#no ip address 10.10.20.2 /24
AX(config-if:ethernet1)#show ip interfaces ethernet 1
Ethernet 1 ip addresses:
10.10.10.1 /24 (Primary)
20.20.20.1 /24

ip allow-promiscuous-vip
Description Enable client traffic received on this interface and addressed to TCP port 80 to be load balanced for any VIP address.

Syntax [no] ip allow-promiscuous-vip

Default Disabled

Mode Interface

Usage This feature also requires configuration of a virtual server that has IP address 0.0.0.0. For more information, see the "Wildcard VIPs" chapter in the AX Series Configuration Guide.

ip cache-spoofing-port
Description Configure the interface to support a spoofing cache server. A spoofing cache server uses the client's IP address instead of its own as the source address when obtaining content requested by the client.

Syntax [no] ip cache-spoofing-port

Default Disabled

Mode Interface

Usage This command applies to the Transparent Cache Switching (TCS) feature. Enter the command on the interface that is attached to the spoofing cache. For more information about TCS, including additional configuration requirements and examples, see the "Transparent Cache Switching" chapter in the AX Series Configuration Guide.

Example The following command configures interface 9 to support a spoofing cache server that is attached to the interface.

AX(config-if:ethernet9)#ip cache-spoofing-port

ip control-apps-use-mgmt-port (management interface only)


Description Enable use of the management interface as the source interface for automated management traffic.

Syntax [no] ip control-apps-use-mgmt-port

Default By default, use of the management interface as the source interface for automated management traffic is disabled.

Mode Interface

Usage The AX device uses separate route tables for management traffic and data traffic.

- Management route table: Contains all static routes whose next hops are connected to the management interface. The management route table also contains the route to the device configured as the management default gateway.
- Main route table: Contains all routes whose next hop is connected to a data interface. Also contains copies of all static routes in the management route table, excluding the management default gateway route. Only the data routes are used for load-balanced traffic.

By default, the AX device attempts to use a route from the main route table for management connections originated on the AX device. The ip control-apps-use-mgmt-port command enables the AX device to use the management route table for these connections instead.

The AX device will use the management route table for reply traffic on connections initiated by a remote host that reaches the AX device on the management port. For example, this occurs for SSH or HTTP connections from remote hosts to the AX device.

Example The following command enables use of the management interface as the source interface for automated management traffic:

AX(config-if:management)#ip control-apps-use-mgmt-port


ip default-gateway (management interface only)


Description Specify the default gateway for the out-of-band management interface.

Syntax [no] ip default-gateway ipaddr

Default None

Mode Interface

Usage Configuring a default gateway for the management interface provides the following benefits:

- Ensures that reply management traffic sent by the AX Series travels through the correct gateway
- Keeps reply management traffic off the data interfaces

The default gateway configured on the management interface applies only to traffic sent from this interface. For traffic sent through data interfaces, either the globally configured default gateway is used instead (if the AX is deployed in transparent mode) or an IP route is used (if the AX is deployed in route mode).

To configure the default gateway for data interfaces on an AX Series device deployed in transparent mode, use the ip default-gateway command at the global Config level. (See "ip default-gateway" on page 223.)

Note: Normally, if the AX device is deployed in transparent mode, outbound traffic through the management interface is limited to the same subnet. However, outbound traffic through data interfaces is not restricted to the same subnet. To perform operations that require exchanging files with a host (upgrade, import, export, and so on) that is in a different subnet from the management interface:

- For automated management traffic such as syslog messages and SNMP traps, see "ip control-apps-use-mgmt-port (management interface only)" on page 188.
- For management traffic that you initiate using a command, use the use-mgmt-port option with the command.

Example The following commands configure an IP address and default gateway for the management interface:

AX(config)#interface management
AX(config-if:management)#ip address 10.10.20.1 /24
AX(config-if:management)#ip default-gateway 10.10.20.1


ip helper-address
Description
Configure a helper address for Dynamic Host Configuration Protocol (DHCP).

Syntax
[no] ip helper-address ipaddr

Parameter    Description

ipaddr
  IP address of the DHCP server.

Default
None

Mode
Interface

Usage
In the current release, the helper-address feature provides service for DHCP packets only. The AX interface on which the helper address is configured must have an IP address. The helper address can not be the same as the IP address on any AX interface or an IP address used for SLB. The current release supports DHCP relay service for IPv4 only.

Example
The following commands configure two helper addresses. The helper address for DHCP server 100.100.100.1 is configured on AX Ethernet interface 1 and on Virtual Ethernet (VE) interfaces 5 and 7. The helper address for DHCP server 20.20.20.102 is configured on VE 9.

AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ip helper-address 100.100.100.1
AX(config-if:ethernet1)#interface ve 5
AX(config-if:ve5)#ip helper-address 100.100.100.1
AX(config-if:ve5)#interface ve 7
AX(config-if:ve7)#ip helper-address 100.100.100.1
AX(config-if:ve7)#interface ve 9
AX(config-if:ve9)#ip helper-address 20.20.20.102


ip nat
Description
Enable source Network Address Translation (NAT) on an interface.

Syntax
[no] ip nat {inside | outside}

Parameter    Description

inside
  Specifies that this AX interface is connected to the internal hosts on the private network that need to be translated into external addresses for routing.

outside
  Specifies that this AX interface is connected to the external network or Internet. Before sending traffic from an inside host out on this interface, the AX device translates the host's private address into a public, routable address.

Default
None

Mode
Interface

Usage
On an AX device deployed in transparent mode, this command is valid only on Ethernet data ports. On an AX device deployed in route mode, this command is valid on Ethernet data ports and on Virtual Ethernet (VE) interfaces.

To use source NAT, you also must configure global NAT parameters. See the ip nat commands in Config Commands: IP on page 219.

In addition, on some AX models, if Layer 2 IP NAT is required, you also must enable CPU processing on the interface. (See cpu-process on page 182.) This applies to models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200.

Example
The following commands configure IP source NAT for internal addresses in the 10.1.1.x/24 subnet connected to interface 14. The addresses are translated into addresses in the range 10.153.60.120-150 before traffic from the internal hosts is sent onto the Internet on interface 15. Likewise, return traffic is translated back from public addresses into the private host addresses.

AX(config)#access-list 3 permit 10.1.1.0 0.0.0.255
AX(config)#ip nat pool 1 10.153.60.120 10.153.60.150 netmask /24
AX(config)#ip nat inside source list 3 pool 1
AX(config)#interface ethernet 14
AX(config-if:ethernet14)#ip address 10.1.1.1 255.255.255.0
AX(config-if:ethernet14)#ip nat inside
AX(config-if:ethernet14)#interface ethernet 15
AX(config-if:ethernet15)#ip address 10.153.60.100 255.255.255.0
AX(config-if:ethernet15)#ip nat outside

ip ospf
Description
Configure OSPFv2 parameters on a data interface.

Syntax
[no] ip ospf [ipaddr] parameter

Parameter    Description

ipaddr
  Configures the parameter only for the specified IP address. Without this option, the parameter is configured for all IP addresses on the interface.

authentication [message-digest | null]
  Type of authentication used to validate OSPF route updates sent or received on this interface:
  message-digest: Message Digest 5 (MD5)
  null: No authentication is used.
  If you enter the authentication command without either of the options above, a simple key is used for authentication.

authentication-key key-string
  Password used by the interface to authenticate link-state messages exchanged with neighbor OSPF routers. Applies to simple authentication only. Can be a string up to 8 characters long, with no blanks.

cost number
  Numeric cost for using the interface, 1-65535.

database-filter all out
  Blocks flooding of LSAs to the OSPF interface.

dead-interval seconds
  Number of seconds that neighbor OSPF routers will wait for a new OSPF Hello packet from the AX Series before declaring this OSPF router (the AX Series) to be down, 1-65535 seconds.

disable all
  Disables all OSPF packet processing on the interface.

hello-interval seconds
  Number of seconds between transmission of OSPF Hello packets on this interface, 1-65535 seconds.

message-digest-key key-id md5 key-string
  Set of MD passwords used by the interface to authenticate link-state messages exchanged with neighbor OSPF routers. You can enter up to four key strings. Applies only to MD authentication. Key strings can be up to 16 bytes long, with no blanks.

mtu
  Specifies the Maximum Transmission Unit (MTU) for OSPF packets transmitted on the interface. You can specify 576-65535 bytes.

mtu-ignore
  Disables MTU size checking during Database Description (DD) exchange.

network network-type
  Changes the OSPF network type from the default for the media. You can specify one of the following:
  broadcast: Broadcast network.
  non-broadcast: Non-broadcast multiaccess (NBMA) network.
  point-to-multipoint: Point-to-multipoint network.
  point-to-point: Point-to-point network.

priority number
  Eligibility of this OSPF router to be elected as the designated router (DR) or backup designated router (BDRs) for the routing domain, 0-255. 1 is the lowest priority and 255 is the highest priority.

resync-timeout seconds
  Time to wait before resetting the adjacency with a neighbor, after receiving a restart signal from the neighbor. The resync-timeout is applicable if out-of-band resynchronization does not occur following the restart signal. You can specify 1-65535 seconds.

retransmit-interval seconds
  Number of seconds between retransmissions of link-state advertisements (LSAs) to adjacent routers for this interface, 3-65535 seconds.

transmit-delay seconds
  Number of seconds it takes to transmit Link State Update packets (route updates) on this interface, 1-65535 seconds. This amount is added to the ages of LSAs sent in the updates.

Default

The OSPF interface options have the following defaults:


- authentication: Not set
- authentication-key: Not set
- cost: By default, an interface's cost is calculated based on the interface's bandwidth. If the auto-cost reference bandwidth is set to its default value (100 Mbps), the default interface cost is 10.
- database-filter all out: Disabled. LSA flooding is permitted.
- dead-interval: 40 seconds
- hello-interval: 10 seconds
- message-digest-key: Not set
- mtu: The IP MTU set on the interface is used.
- mtu-ignore: MTU size checking is enabled. If the MTU size in DD packets from a neighbor does not match the interface MTU, adjacency is not established.
- network: depends on the media type
- priority: 1
- resync-timeout: 40 seconds
- retransmit-interval: 5 seconds
- transmit-delay: 1 second

Mode
Interface

Usage
The OSPF router with the highest priority is elected as the DR and the router with the second highest priority is elected as the BDR. If more than one router has the highest priority, the router with the highest OSPF router ID is selected. Priority applies only to multi-access networks, not to point-to-point networks. If you set the priority to 0, the AX Series does not participate in DR and BDR election.

For the message-digest-key key-id md5 key-string option, the CLI lists the encrypted keyword. This keyword encrypts display of the string in the startup-config and running-config. Do not enter this keyword. The AX device automatically applies the keyword. Entering the keyword manually is not valid.

Example
The following command sets the OSPF priority on Ethernet interface 10 to 100:

AX(config-if:ethernet10)#ip ospf priority 100
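
The following Python audit is an added example, not part of the A10 manual. It reads interface configuration text and reports which interfaces with ip ospf lines lack message-digest authentication or break the key limits documented above. The config layout, the finding codes and the function names are assumptions, and the sample config is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Limits taken from the ip ospf parameter descriptions above.
SIMPLE_KEY_MAX_CHARS = 8   # authentication-key: up to 8 characters
MD5_KEY_MAX_BYTES = 16     # message-digest-key: key strings up to 16 bytes
MD5_KEYS_MAX = 4           # up to four key strings

# Constructed sample. The layout (an "interface ..." line followed by that
# interface's commands, one per line) is an assumption, not captured AX output.
SAMPLE_CONFIG = """\
interface ethernet 1
 ip address 10.1.1.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 k3y-one
interface ethernet 2
 ip ospf cost 20
interface ethernet 3
 ip ospf authentication
 ip ospf authentication-key longpassword
interface ve 5
 ip ospf authentication message-digest
interface ve 7
 ip ospf authentication null
 ip ospf message-digest-key 1 md5 unusedkey
"""


@dataclass
class OspfAuth:
    mode: str = "not-set"          # not-set | simple | message-digest | null
    simple_key: Optional[str] = None
    md5_keys: dict = field(default_factory=dict)   # key-id -> key string or None


def parse_config(text):
    """Map interface name -> OspfAuth for every interface with ip ospf lines."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(.+)$", line)
        if m:
            current = m.group(1)
            continue
        if current is None or not line.startswith("ip ospf "):
            continue
        auth = result.setdefault(current, OspfAuth())
        args = line.split()[2:]
        # The optional [ipaddr] scopes a setting to one address; this audit
        # treats it as applying to the interface as a whole.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", args[0]):
            args = args[1:]
        if not args:
            continue
        if args[0] == "authentication":
            # 'authentication' with no option selects a simple key.
            auth.mode = args[1] if len(args) > 1 else "simple"
        elif args[0] == "authentication-key" and len(args) > 1:
            auth.simple_key = args[1]
        elif args[0] == "message-digest-key" and len(args) > 3 and args[2] == "md5":
            # The manual says the device applies an 'encrypted' keyword in
            # saved configs; where it sits in the line is an assumption. The
            # stored string is then not the key, so its length is not checked.
            auth.md5_keys[args[1]] = None if "encrypted" in args else args[3]
    return result


def audit(text):
    """Return sorted (interface, finding-code) tuples."""
    findings = []
    for name, a in parse_config(text).items():
        if a.mode in ("not-set", "null"):
            findings.append((name, "NO_AUTH"))
        elif a.mode == "simple":
            findings.append((name, "SIMPLE_AUTH"))
            if a.simple_key is None:
                findings.append((name, "SIMPLE_NO_KEY"))
            elif len(a.simple_key) > SIMPLE_KEY_MAX_CHARS:
                findings.append((name, "SIMPLE_KEY_TOO_LONG"))
        elif a.mode == "message-digest":
            if not a.md5_keys:
                findings.append((name, "MD5_NO_KEY"))
            if len(a.md5_keys) > MD5_KEYS_MAX:
                findings.append((name, "MD5_TOO_MANY_KEYS"))
            for key in a.md5_keys.values():
                if key is not None and len(key.encode()) > MD5_KEY_MAX_BYTES:
                    findings.append((name, "MD5_KEY_TOO_LONG"))
        else:
            findings.append((name, "UNKNOWN_AUTH_OPTION"))
        # Keys that the selected mode never uses usually mean a half-applied change.
        if a.md5_keys and a.mode != "message-digest":
            findings.append((name, "MD5_KEY_UNUSED"))
    return sorted(findings)


if __name__ == "__main__":
    for name, code in audit(SAMPLE_CONFIG):
        print(f"{name}: {code}")
```
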

ip router
Description
Please contact A10 Networks for information.

Syntax
[no] ip router

Mode
Interface

ip tcp syn-cookie
Description
Enable Layer 2/3 SYN cookies on the interface.

Syntax
[no] ip tcp syn-cookie

Default
Disabled

Mode
Interface

Usage
To globally enable SYN cookie support, see syn-cookie on page 160. To configure the SYN cookie expire threshold, see ip tcp syn-cookie threshold on page 244.

Example
The following commands globally enable SYN cookie support, then enable Layer 2/3 SYN cookies on Ethernet interfaces 4 and 5:

AX(config)#syn-cookie on-threshold 50000 off-threshold 30000
AX(config)#interface ethernet 4
AX(config-if: ethernet4)#ip tcp syn-cookie
AX(config-if: ethernet4)#interface ethernet 5
AX(config-if: ethernet5)#ip tcp syn-cookie


ipv6 (on management interface)


Description
Configure an IP version 6 address and default gateway on the management interface.

Syntax
[no] ipv6 address ipaddr/mask-length

Syntax
[no] ipv6 default-gateway gateway-ipaddr

Default
None.

Mode
Interface

Usage
The ipv6 default-gateway command applies only to the management interface. To configure IPv6 on a data interface, see ipv6 address on page 197.

Example
The following commands configure an IPv6 address and default gateway on the management port:

AX(config-if:management)#ipv6 address 2001:db8:11:2/32
AX(config-if:management)#ipv6 default-gateway 2001:db8:11:1/32

ipv6 access-list
Description
Apply an IPv6 Access Control List (ACL) to an interface.

Syntax
[no] ipv6 access-list acl-id in

Parameter    Description

acl-id
  Name of a configured IPv6 ACL.

in
  Applies the ACL to inbound IPv6 traffic received on the interface.

Default
N/A

Mode
Interface


ipv6 address
Description
Configure an IPv6 address on the interface.

Syntax
[no] ipv6 address ipaddr/prefix-length [link-local]

Parameter    Description

ipv6-addr
  Valid unicast IPv6 address.

prefix-length
  Prefix length, up to 128.

link-local
  Explicitly configures the specified address as the link-local IPv6 address for the interface, instead of a global address. Without this option, the address is a global address.

Default
None.

Mode
Interface

Usage
Use this command to configure the link-local and global IP addresses for the interface.

- The ipv6 address command, used without the link-local option, configures a global address. If you use the link-local option, the address is instead configured as the link-local address.
- To enable automatic configuration of the link-local IPv6 address instead, use the ipv6 enable command.

To configure IPv6 on the management interface, see ipv6 (on management interface) on page 196.

Example
The following command configures a global IPv6 address on Ethernet interface 8:

AX(config-if:ethernet8)#ipv6 address e101::1112/64

Example

The following command overrides any auto-generated link-local address on interface 6 and explicitly configures a new link-local address:

AX(config-if:ethernet6)#ipv6 address fe80::1/64 link-local


ipv6 enable
Description
Enable automatic configuration of a link-local IPv6 address on the interface.

Syntax
[no] ipv6 enable

Default
Disabled

Mode
Interface

Usage
Use this command to enable automatic configuration of the link-local IPv6 address. To manually configure the address instead, see ipv6 address on page 197.

Example
The following command enables an automatically generated link-local IPv6 address on Ethernet interface 6:

AX(config-if:ethernet6)#ipv6 enable

ipv6 nat
Description
Enable Network Address Translation Protocol Translation (NAT-PT) on an IPv6 interface.

Syntax
[no] ipv6 nat [prefix ipv6-addr/prefix-length]

Parameter    Description

prefix ipv6-addr/prefix-length
  Specifies the prefix.

Default
None

Mode
Interface


ipv6 ndisc router-advertisement


Description
Configure IPv6 router discovery (RFC 4861).

Syntax
[no] ipv6 ndisc router-advertisement
{
default-lifetime seconds |
disable |
enable |
ha-group-id group-id [use-floating-ip ipv6-addr/prefix-length] |
hop-limit num |
max-interval seconds |
min-interval seconds |
mtu {disable | bytes} |
prefix ipv6-addr/prefix-length
  [not-autonomous | not-on-link | preferred-lifetime seconds | valid-lifetime seconds] |
rate-limit num |
reachable-time ms |
retransmit-timer seconds
}

Parameter    Description

default-lifetime seconds
  Specifies the number of seconds for which router advertisements sent on this interface are valid. You can specify 0 or 4-9000 seconds. The value can not be less than the maximum advertisement interval. If you specify 0, the host will not use this interface (IPv6 router) as a default route.

disable
  Disables IPv6 router discovery.

enable
  Enables IPv6 router discovery.

ha-group-id group-id [use-floating-ip ipv6-addr/prefix-length]
  Specifies an HA group for which to send router advertisements. The use-floating-ip option specifies a floating IPv6 address to use as the source address for router advertisements for the HA group. The address must be a link-local address on this interface. The HA virtual MAC address will be used as the source address.

hop-limit num
  Specifies the default hop count value that should be used by hosts. For a given packet, the hop count is decremented at each router hop. If the hop count reaches 0, the packet becomes invalid. You can specify 0-255. If you specify 0, the value is unspecified by this IPv6 router.

max-interval seconds
  Specifies the maximum number of seconds between transmission of unsolicited router advertisement messages on this interface. You can specify 4-1800 seconds.

min-interval seconds
  Specifies the minimum number of seconds between transmission of unsolicited router advertisement messages on this interface. You can specify 3-1350 seconds.

mtu {disable | bytes}
  Specifies the MTU value to include in the MTU options field. You can specify 1200-1500 bytes (on 1-Gbps interfaces) or disabled.
  Note: If the option is disabled, no MTU value is included.

prefix ipv6-addr/prefix-length [options]
  Specifies the IPv6 prefixes to advertise on this interface. A maximum of 32 prefixes can be advertised on an interface. The following options are supported:
  not-autonomous: Disables support for autoconfiguration of IPv6 addresses by clients.
  not-on-link: Disables the On-Link flag. When enabled, the On-Link flag indicates that the prefix is assigned to this interface. If you enable this option, the valid-lifetime is 2592000 seconds (30 days).
  preferred-lifetime seconds: Specifies the number of seconds for which auto-generated addresses remain preferred. You can specify 0-4294967295 seconds. The default is 604800.
  valid-lifetime seconds: Specifies the number of seconds for which advertisement of the prefix is valid. You can specify 1-4294967295 seconds. The default is 2592000.

rate-limit num
  Specifies the maximum number of router solicitation requests per second that will be processed on the interface. You can specify 1-100000 messages per second.

reachable-time ms
  Specifies the number of milliseconds (ms) for which the host should assume a neighbor is reachable, after receiving a reachability confirmation from the neighbor. You can specify 0-3600000 ms. If you specify 0, the value is unspecified by this IPv6 router.

retransmit-timer seconds
  Specifies the number of seconds a host should wait between sending neighbor solicitation messages. You can specify 0-4294967295 seconds. If you specify 0, the value is unspecified by this IPv6 router.

Default

IPv6 router discovery is disabled by default. The command options have the following default values:
- default-lifetime: 1800 seconds
- disable: Disabled
- enable: Disabled
- ha-group-id: Not set. Advertisements are sent regardless of HA group.
- hop-limit: 255
- max-interval: 600 seconds
- min-interval: 200 seconds
- mtu: disabled
- prefix: All prefixes for IPv6 addresses that are configured on this interface are advertised. The prefix options have the following defaults:
  - not-autonomous: disabled (Auto-configuration of IPv6 addresses by clients is enabled.)
  - not-on-link: enabled (On-Link is disabled.)
  - preferred-lifetime: 604800 seconds
  - valid-lifetime: 2592000 seconds
- rate-limit: 100000 messages per second
- reachable-time: 0 (The value is unspecified by this IPv6 router.)
- retransmit-timer: 0 (The value is unspecified by this IPv6 router.)

Mode
Interface

Usage
When router discovery is enabled, the AX device:

- Sends IPv6 router advertisements out the IPv6 interfaces on which router discovery is enabled. IPv6 hosts that receive the router advertisements will use the AX device as their default gateway.
- Replies to IPv6 router solicitations received by IPv6 interfaces on which router discovery is enabled.

IPv6 router discovery is not supported in transparent mode. The AX device must be deployed in gateway mode.

When IPv6 router discovery is enabled on an interface, any new IPv6 addresses that you add to the interface are automatically added to the set of prefixes to advertise.

Router advertisements are sent to the all-nodes multicast address at an interval that is uniformly distributed between the minimum and maximum advertisement intervals. If a host sends a router solicitation message, the AX device sends a router advertisement as a unicast to that host instead.

The source address of router advertisements is always a link-local IPv6 address.

For the reachable-time, hop-limit, and retransmit-timer options, the AX device recommends the configured value to hosts but does not itself use the value.

Example
The following commands configure an IPv6 address on Ethernet interface 1, enable IPv6 router discovery, change the minimum and maximum advertisement intervals, and add two prefixes to the prefix advertisement list.

AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ipv6 address 2001::1/64
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement enable
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement max-interval 300
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement min-interval 150
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement prefix 2001::/64 on-link
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement prefix 2001:a::/96 on-link
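
The following Python pre-change check is an added example, not part of the A10 manual. It overlays router-advertisement commands on the defaults listed in this entry and reports values that fall outside the documented ranges or contradict each other. The function names are assumptions, the 0.75 interval rule comes from RFC 4861 rather than from this manual, and BAD_CHANGE is constructed.

```python
# Ranges and defaults copied from the ipv6 ndisc router-advertisement entry.
RANGES = {
    "default-lifetime": (4, 9000),        # 0 is also accepted
    "hop-limit": (0, 255),
    "max-interval": (4, 1800),
    "min-interval": (3, 1350),
    "rate-limit": (1, 100000),
    "reachable-time": (0, 3600000),
    "retransmit-timer": (0, 4294967295),
}
DEFAULTS = {
    "default-lifetime": 1800, "hop-limit": 255, "max-interval": 600,
    "min-interval": 200, "rate-limit": 100000, "reachable-time": 0,
    "retransmit-timer": 0,
}
MAX_PREFIXES = 32
COMMAND = "ipv6 ndisc router-advertisement "

# The Example commands from this entry, prompts included.
PAGE_EXAMPLE = """\
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ipv6 address 2001::1/64
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement enable
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement max-interval 300
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement min-interval 150
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement prefix 2001::/64 on-link
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement prefix 2001:a::/96 on-link
"""

# Constructed change set containing three mistakes.
BAD_CHANGE = """\
ipv6 ndisc router-advertisement enable
ipv6 ndisc router-advertisement max-interval 900
ipv6 ndisc router-advertisement min-interval 800
ipv6 ndisc router-advertisement default-lifetime 600
ipv6 ndisc router-advertisement hop-limit 300
"""


def effective_settings(text):
    """Overlay the commands in text on the documented defaults.

    Options this check does not model (mtu, ha-group-id, prefix flags)
    are ignored.
    """
    s = dict(DEFAULTS, enabled=False, prefixes=[])
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()   # drop a CLI prompt if present
        if not line.startswith(COMMAND):
            continue
        args = line[len(COMMAND):].split()
        opt = args[0]
        if opt in ("enable", "disable"):
            s["enabled"] = opt == "enable"
        elif opt == "prefix" and len(args) > 1:
            s["prefixes"].append(args[1])
        elif opt in RANGES and len(args) > 1 and args[1].isdigit():
            s[opt] = int(args[1])
    return s


def check(text):
    """Return a list of findings for the settings that would result."""
    s, findings = effective_settings(text), []
    for opt, (low, high) in RANGES.items():
        value = s[opt]
        if opt == "default-lifetime" and value == 0:
            continue   # 0: hosts do not use this router as a default route
        if not low <= value <= high:
            findings.append(f"{opt} {value} outside {low}-{high}")
    # Documented rule: default-lifetime can not be less than max-interval.
    if 0 < s["default-lifetime"] < s["max-interval"]:
        findings.append("default-lifetime is less than max-interval")
    # RFC 4861 caps MinRtrAdvInterval at 0.75 * MaxRtrAdvInterval; the manual
    # does not say whether the AX CLI enforces this.
    if s["min-interval"] > 0.75 * s["max-interval"]:
        findings.append("min-interval exceeds 0.75 * max-interval (RFC 4861)")
    if len(s["prefixes"]) > MAX_PREFIXES:
        findings.append(f"more than {MAX_PREFIXES} prefixes")
    return findings


if __name__ == "__main__":
    for label, text in (("page example", PAGE_EXAMPLE), ("bad change", BAD_CHANGE)):
        print(label, check(text) or "ok")
```

Lowering max-interval on its own can also trip the interval check, because the default min-interval of 200 seconds stays in force until it is changed as well.
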

ipv6 ospf cost


Description
Explicitly set the link-state metric (cost) for this OSPF interface.

Syntax
[no] ipv6 ospf cost num

Parameter    Description

num
  Specifies the cost, 1-65535.

Default
By default, an interface's cost is calculated based on the interface's bandwidth. If the auto-cost reference bandwidth is set to its default value (100 Mbps), the default interface cost is 10.

Mode
Interface

ipv6 ospf dead-interval


Description
Specify the maximum time to wait for a reply to a hello message, before declaring the neighbor to be offline.

Syntax
[no] ipv6 ospf dead-interval seconds

Parameter    Description

seconds
  Number of seconds this OSPF router will wait for a reply to a hello message sent out this interface to an OSPF neighbor, before declaring the neighbor to be offline. You can specify 1-65535 seconds.

Default
40

Mode
Interface


ipv6 ospf hello-interval


Description
Specify the time to wait between sending hello packets to OSPF neighbors.

Syntax
[no] ipv6 ospf hello-interval seconds

Parameter    Description

seconds
  Number of seconds this OSPF router will wait between transmission of hello packets out this interface to OSPF neighbors. You can specify 1-65535 seconds.

Default
10

Mode
Interface

ipv6 ospf neighbor


Description
Configure an OSPFv3 neighbor that is located on a non-broadcast network reachable through this interface.

Syntax
[no] ipv6 ospf neighbor ipv6-addr
[
cost num [instance-id num] |
instance-id num |
poll-interval seconds [priority num] [instance-id num] |
priority num [poll-interval seconds] [instance-id num]
]

Parameter    Description

ipv6-addr
  IPv6 address of the OSPF neighbor.

cost num
  Specifies the link-state metric to the neighbor, 1-65535.

poll-interval seconds
  Number of seconds this OSPFv3 interface will wait for a reply to a hello message sent to the neighbor, before declaring the neighbor to be offline. You can specify 1-65535 seconds.

priority num
  Router priority of the neighbor, 1-255.

Default
No neighbors on non-broadcast networks are configured by default. When you configure one, the other parameters have the following default settings:

- cost: not set
- poll-interval: 120 seconds
- priority: 0

ipv6 network
Description
Change the OSPF network type to a type different from the default for the media.

Syntax
[no] ipv6 ospf network network-type

Parameter    Description

network-type
  Type of network. You can specify one of the following:
  broadcast: Broadcast network.
  non-broadcast: Non-broadcast multiaccess (NBMA) network.
  point-to-multipoint: Point-to-multipoint network.
  point-to-point: Point-to-point network.

Default
Broadcast

Mode
Interface

ipv6 ospf priority


Description
Priority of this OSPF router (and process) on this interface for becoming the designated router for the OSPF domain.

Syntax
[no] ipv6 ospf priority num

Parameter    Description

num
  Priority of this OSPF process on this interface, 0-255. The lowest priority is 0 and the highest priority is 255.

Default

Mode
Interface

Usage
If more than one OSPF router has the highest priority, the router with the highest router ID is selected as the designated router.

ipv6 ospf retransmit-interval


Description
Specify the time to wait before resending an unacknowledged packet out this interface to an OSPF neighbor.

Syntax
[no] ipv6 ospf retransmit-interval seconds

Parameter    Description

seconds
  Number of seconds this OSPF router waits before resending an unacknowledged packet out this interface to a neighbor. You can specify 1-65535 seconds.

Default
5

Mode
Interface

ipv6 ospf transmit-delay


Description
Specify the time to wait between sending packets out this interface to an OSPF neighbor.

Syntax
[no] ipv6 ospf transmit-delay seconds

Parameter    Description

seconds
  Number of seconds this OSPF router waits between transmission of packets out this interface to OSPF neighbors. You can specify 1-65535 seconds.

Default
1

Mode
Interface


ipv6 router
Description
Configure OSPFv3 on the interface.

Syntax
[no] ipv6 router ospf
{
area {num | ipaddr} [tag tag [instance-id num]] |
tag tag area {num | ipaddr} [instance-id num]
}

Mode
Interface

l3-vlan-fwd-disable
Description
Disable Layer 3 forwarding between VLANs on this interface.

Syntax
[no] l3-vlan-fwd-disable

Default
By default, the AX device can forward Layer 3 traffic between VLANs.

Mode
Interface

Usage
This command is applicable only on AX devices deployed in gateway (route) mode. If the option to disable Layer 3 forwarding between VLANs is configured at any level, the AX device can not be changed from gateway mode to transparent mode, until the option is removed.

The command is applicable to inbound traffic on the interface.

The command is valid on physical Ethernet interfaces, Virtual Ethernet (VE) interfaces, and on the lead interface in trunks. However, if the command is configured on a physical Ethernet interface, that interface can not be added to a trunk or VE.

If the command is used on a trunk or VE and that trunk or VE is removed from the configuration, the command is also removed from all physical Ethernet interfaces that were members of the trunk or VE. Likewise, if a VLAN is removed, the command is removed from any physical Ethernet interfaces that were members of the VLAN.

To display statistics for this option, see show slb switch on page 693.


load-interval
Description
Change the interval for utilization statistics for the interface.

Syntax
[no] load-interval seconds

Parameter    Description

seconds
  You can specify 5-300 seconds. You must specify the amount in 5-second intervals. For example, 290 and 295 are valid interval values. However, 291, 292, 293, and 294 are not valid interval values.

Default
300 seconds

Mode
Interface

Usage
This command applies only to data interfaces. To display interface utilization statistics, see show interfaces on page 591 and show statistics on page 643.

Example
The following command changes the utilization statistics interval for Ethernet interface 1 to 200 seconds:

AX(config-if:ethernet1)#load-interval 200

monitor
Description
Configure an Ethernet interface to send a copy of its traffic to another Ethernet interface.

Syntax
[no] monitor [both | input | output]

Parameter    Description

both | input | output
  Traffic direction to mirror. If you do not specify a direction, traffic in both directions is copied.

Default
By default, no traffic is mirrored. When you enable a port to be monitored, both traffic directions are mirrored by default.

Mode
Interface

Usage
This command is valid only on Ethernet data interfaces. To specify the port to which to mirror the traffic, use the mirror-port command at the global Config level. (See mirror-port on page 132.)

Note: On models AX 1000, AX 2000, AX 2100, AX 2500, AX 2600, and AX 3000, you can monitor only one port. On AX models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, you can monitor multiple ports. On all models, only one mirror port is supported. All mirrored traffic for the directions you specify goes to that port.

Example
The following commands enable monitoring of input traffic on Ethernet port 5, and enable the monitored traffic to be copied (mirrored) to Ethernet port 3:

AX(config)#mirror-port ethernet 3
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#monitor input

mtu
Description
Change the Maximum Transmission Unit (MTU) for an Ethernet interface.

Syntax
[no] mtu bytes

Parameter    Description

bytes
  Largest packet size that can be forwarded out the interface. You can specify 1200-1500 bytes.

Default
1500 bytes

Mode
Interface

Usage
This command applies to the management interface and Ethernet data interfaces.

If the AX device needs to forward a packet that is larger than the MTU of the AX egress interface to the next hop, but the Do Not Fragment bit is set in the packet, the AX device drops the packet and sends an ICMP Destination Unreachable code 4 (Fragmentation required, and DF set) message to the sender. If the Do Not Fragment bit is not set, the AX device silently drops the packet.

To display a counter of how many outbound packets have been dropped because they were longer than the outbound interface's MTU, use the following command:

show slb switch [detail | ethernet port-num [detail]]

The counter is labeled MTU exceeded Drops. The counter includes packets that had the Do Not Fragment bit set and packets that did not have the bit set.

name
Description
Assign a name to the interface.

Syntax
[no] name string

Parameter    Description

string
  Name for the interface, 1-63 characters.

Default
None

Mode
Interface

Usage
This command applies to physical and virtual Ethernet data interfaces. This command does not apply to the management interface.

Example
The following commands assign the name "WLAN-interface" to an interface and show the result:

AX(config)#interface ve 1
AX(config-if:ve1)#name WLAN-interface
AX(config-if:ve1)#show ip interfaces
Port    IP               Netmask          PrimaryIP    Name
---------------------------------------------------------------------------
mgm     192.168.20.136   255.255.255.0    Yes
ve1     192.168.217.1    255.255.255.0    Yes          WLAN-interface
ve2     50.50.50.1       255.255.255.0    Yes


ospf
Description
Configure OSPF on the interface.

Syntax
[no] ospf [ipaddr] parameter

Parameter    Description

authentication [message-digest | null]
  Type of authentication used to validate OSPF route updates sent or received on this interface:
  message-digest: Message Digest 5 (MD5)
  null: No authentication is used.
  If you enter the authentication command without either of the options above, a simple key is used for authentication.

authentication-key key-string
  Password used by the interface to authenticate link-state messages exchanged with neighbor OSPF routers. Applies to simple authentication only. Can be a string up to 8 characters long, with no blanks.

cost number
  Numeric cost for using the interface, 1-65535.

dead-interval seconds
  Number of seconds that neighbor OSPF routers will wait for a new OSPF Hello packet from the AX Series before declaring this OSPF router (the AX Series) to be down, 1-65535 seconds.

hello-interval seconds
  Number of seconds between transmission of OSPF Hello packets on this interface, 1-65535 seconds.

priority number
  Eligibility of this OSPF router to be elected as the designated router (DR) or backup designated router (BDRs) for the routing domain, 0-255. 1 is the lowest priority and 255 is the highest priority.

retransmit-interval seconds
  Number of seconds between retransmissions of link-state advertisements (LSAs) to adjacent routers for this interface, 3-65535 seconds.



  transmit-delay seconds
    Number of seconds it takes to transmit Link State Update packets (route updates) on this interface, 1-65535 seconds. This amount is added to the ages of LSAs sent in the updates.

Default: The OSPF interface options have the following defaults:
  authentication - Not set
  authentication-key - Not set
  cost - By default, an interface's cost is calculated based on the interface's bandwidth. If the auto-cost reference bandwidth is set to its default value (100 Mbps), the default interface cost is 10.
  dead-interval - 40 seconds
  hello-interval - 10 seconds
  priority - 1
  retransmit-interval - 5 seconds
  transmit-delay - 1 second

Mode: Interface

speed
Description: Set the maximum speed on an Ethernet interface.
Syntax: [no] speed {10 | 100 | 1000 | 10000 | auto}

Parameters:
  10
    10 Megabits per second (Mbs/sec)
  100
    100 Megabits per second (Mbs/sec)
  1000
    1 Gigabit per second (Gb/sec)
  10000
    10 Gigabits per second (Gbs/sec)
  auto
    The interface speed is negotiated based on the speed of the other end of the link.

Default: auto
Mode: Interface


Usage: This command applies to the management interface and Ethernet data interfaces.

Example: The following command changes the speed of Ethernet interface 6 to 10 Mbs/sec:

AX(config-if:ethernet6)#speed 10


Config Commands: VLAN


The commands in this chapter configure parameters on individual VLANs. To access this CLI level, enter the vlan vlan-id command from the global Config level. This CLI level also has the following commands, which are available at all configuration levels:
  clear - See clear on page 50.
  debug - See debug on page 53.
  do - See do on page 103.
  end - See end on page 107.
  exit - See exit on page 108.
  no - See no on page 134.
  show - See Show Commands on page 527.
  write - See write terminal on page 67.


name
Description: Assign a name to the VLAN.
Syntax: [no] name string

Parameters:
  string
    Name for the VLAN, 1-63 characters.

Default: The default name for VLAN 1 is "DEFAULT VLAN". For other VLANs, if a name is not configured, "None" appears in place of the name.
Mode: VLAN

Example: The following commands assign the name "Test100" to VLAN 100 and show the result:

AX(config)#vlan 100
AX(config-vlan:100)#name Test100
AX(config-vlan:100)#show vlan
Total VLANs: 3
VLAN 1, Name [DEFAULT VLAN]:
  Untagged Ports: 3 4 5 6
  Tagged Ports: None
VLAN 100, Name [Test100]:
  Untagged Ports: 1
  Tagged Ports: None
  Router Interface: ve 1
VLAN 200, Name [None]:
  Untagged Ports: 2
  Tagged Ports: None
  Router Interface: ve 2

10


router-interface
Description: Add a virtual Ethernet (VE) router interface to the VLAN. A VE is required in order to configure an IP address on a VLAN.
Syntax: [no] router-interface ve ve-num

Parameters:
  ve-num
    VE number, 1-128.

Default: By default, a VLAN does not have a VE.
Mode: VLAN
Usage: This command is valid only on AX devices deployed in route mode.

Example: The following command configures VE 4 on VLAN 4:

AX(config-vlan:4)#router-interface ve 4

tagged
Description: Add tagged ports to a VLAN. A tagged port can be a member of more than one VLAN. An untagged port can be a member of only a single VLAN.
Syntax: [no] tagged ethernet port-num [ethernet port-num ... | to port-num]
Default: A VLAN has no ports by default.
Mode: VLAN
Usage: A port can be a tagged member of a maximum of 128 VLANs.

Example: The following command adds ports 4 and 5 to VLAN 4 as tagged ports:

AX(config-vlan:4)#tagged ethernet 4 to 5


untagged
Description: Add untagged ports to a VLAN. Untagged ports can belong to only one VLAN.
Syntax: [no] untagged ethernet port-num [ethernet port-num ... | to port-num]
Default: VLAN 1 contains all ports by default. New VLANs do not contain any ports by default.
Mode: VLAN

Example: The following command adds port 6 to VLAN 4 as an untagged port:

AX(config-vlan:4)#untagged ethernet 6


Config Commands: IP
The IP commands configure global IPv4 parameters. This CLI level also has the following commands, which are available at all configuration levels:
  backup - See backup config on page 39 and backup log on page 40.
  clear - See clear on page 50.
  debug - See debug on page 53.
  do - See do on page 103.
  end - See end on page 107.
  exit - See exit on page 108.
  no - See no on page 134.
  show - See Show Commands on page 527.
  write - See write terminal on page 67.

Note: To configure global IPv6 parameters, see Config Commands: IPv6 on page 247.

ip address
Description: Configure the global IP address of the AX Series device, when the device is deployed in transparent mode (Layer 2 mode).
Syntax: [no] ip address ipaddr {subnet-mask | /mask-length}
Default: None.
Mode: Configuration mode
Usage: This command applies only when the AX Series device is deployed in transparent mode. To assign IP addresses to individual interfaces instead (gateway mode), use the ip address command at the interface configuration level. (See ip address on page 186.)



Loopback Interface Support for OSPF
If an IP address is configured on a loopback interface, and the address is in a subnet that is also configured as an OSPF network subnet, the loopback interface is automatically included in the OSPF subnet. The AX device's table of OSPF interfaces will include the loopback interface. Likewise, the AX device will include the loopback interface in link-state advertisements sent to neighbor OSPF routers.

Multiple OSPF Networks on the Same Interface Not Supported
The AX device does not support multiple OSPF networks on a data interface. One OSPF network configuration can enable at most one network per interface. For example, assume a data port has 3 IP addresses configured that belong to 3 separate subnets, S1, S2, and S3. If you configure network S4 with area A.B.C.D, and S4 contains S1, S2, and S3, then only S1 will be running OSPF. S2 and S3 will not be known to other OSPF routers. To work around this limitation, enable OSPF redistribution of directly connected routes so that OSPF will redistribute S2 and S3 via the network running on S1.

Example: The following command configures global IP address 10.10.10.4/24:

AX(config)#ip address 10.10.10.4 /24

ip anomaly-drop
Description: Enable protection against distributed denial-of-service (DDoS) attacks.
Syntax: [no] ip anomaly-drop anomaly-type

Parameters:
  anomaly-type
    Specifies the type of IP anomaly to protect against:
      bad-content [threshold]
        Checks for invalid HTTP or SSL payloads in new HTTP or HTTPS connection requests from clients. (For more information, see IP Anomaly Filters Used for System-Wide Policy-Based SLB in the Usage section below.)
      drop-all
        Enables all the DDoS protection options listed below.



      frag
        Drops all IP fragments, which can be used to attack hosts running IP stacks that have known vulnerabilities in their fragment reassembly code.
      ip-option
        Drops all packets that contain any IP options.
      land-attack
        Drops spoofed SYN packets containing the same IP address as the source and destination, which can be used to launch an IP land attack.
      out-of-sequence [threshold]
        Checks for out-of-sequence packets in new HTTP or HTTPS connection requests from clients. (For more information, see IP Anomaly Filters Used for System-Wide Policy-Based SLB in the Usage section below.)
      ping-of-death
        Drops all jumbo IP packets longer than the maximum valid IP packet size (65535 bytes), known as ping of death packets.
        Note: On models AX 1000, AX 2000, AX 2100, AX 2500, AX 2600, and AX 3000, the ping-of-death option drops all IP packets longer than 32000 bytes. On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, the option drops IP packets longer than 65535 bytes.
      tcp-no-flag
        Drops all TCP packets that do not have any TCP flags set.
      tcp-syn-fin
        Drops all TCP packets in which both the SYN and FIN flags are set.
      tcp-syn-frag
        Drops incomplete (fragmented) TCP SYN packets, which can be used to launch TCP SYN flood attacks.
      zero-window [threshold]
        Checks for a zero-length TCP window in new HTTP or HTTPS connection requests from clients. (For more information, see IP Anomaly Filters Used for System-Wide Policy-Based SLB in the Usage section below.)

Default: All IP anomaly drop options are disabled by default.
Mode: Configuration mode



Usage: All filters are supported for IPv4. All filters except ip-option are supported for IPv6.

On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, DDoS protection is hardware-based. On other models, DDoS protection is software-based.

DDoS protection applies only to Layer 3, Layer 4, and Layer 7 traffic. Layer 2 traffic is not affected by the feature.

IP Anomaly Filters Used for System-Wide Policy-Based SLB
The bad-content, out-of-sequence, and zero-window filters apply only to system-wide Policy-Based SLB (PBSLB). Filtering for these anomalies is disabled by default. However, if you configure a system-wide PBSLB policy, the filters are automatically enabled. You also can configure the filters on an individual basis.

Each of these filters has a configurable threshold. The threshold specifies the number of times the anomaly is allowed to occur in a client's connection requests. If a client exceeds the threshold, the AX device applies the system-wide PBSLB policy's over-limit action to the client. For each of the new IP anomaly filters, the threshold can be set to 1-127 occurrences of the anomaly. The default is 10.

Note: The thresholds are not tracked by PBSLB policies bound to individual virtual ports.

The AX device tracks each of these types of anomaly for each client in each black/white list. For dynamic black/white-list clients, the statistics counters for these anomalies are reset to 0 when the client's dynamic entry ages out.

Example: The following command enables DDoS protection against ping-of-death attacks:

AX(config)#ip anomaly-drop ping-of-death
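The stateless filter descriptions above can be read as header checks. The following is an added Python example, not A10 code and not a description of how the AX data plane is implemented: it parses IPv4/TCP header bytes and reports which of the frag, ip-option, land-attack, ping-of-death, tcp-no-flag, tcp-syn-fin and tcp-syn-frag descriptions a packet matches. The function names, the sample packets and the reassembled-length test used for ping-of-death are assumptions; bad-content, out-of-sequence and zero-window need per-client connection state and are not covered.

```python
import socket
import struct

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10
IP_MF = 0x2000            # IPv4 "more fragments" flag
IP_OFFSET_MASK = 0x1FFF   # fragment offset, in 8-byte units
MAX_IP_LEN = 65535        # maximum valid IP packet size quoted on this page


def classify(packet):
    """Return the set of ip anomaly-drop filter names whose description matches."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ver_ihl, _, total_len, _, flags_off, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    offset = (flags_off & IP_OFFSET_MASK) * 8
    fragmented = bool(flags_off & IP_MF) or offset > 0

    hits = set()
    if fragmented:
        hits.add("frag")
    if ihl > 20:                          # header longer than 20 bytes carries options
        hits.add("ip-option")
    if offset + total_len > MAX_IP_LEN:   # assumption: datagram would reassemble past 65535
        hits.add("ping-of-death")

    # TCP flags are only visible in an unfragmented packet or the first fragment.
    if proto == socket.IPPROTO_TCP and offset == 0 and len(packet) >= ihl + 14:
        flags = packet[ihl + 13] & 0x3F   # the six classic flags, FIN through URG
        syn = bool(flags & TCP_SYN)
        if flags == 0:
            hits.add("tcp-no-flag")
        if syn and flags & TCP_FIN:
            hits.add("tcp-syn-fin")
        if syn and fragmented:
            hits.add("tcp-syn-frag")
        if syn and src == dst:
            hits.add("land-attack")
    return hits


def build_packet(src, dst, tcp_flags, mf=False, frag_units=0,
                 ip_options=b"", payload_len=0):
    """Constructed test input: IPv4 header (+options) and a TCP header, checksums 0."""
    ihl = 20 + len(ip_options)            # options must be a multiple of 4 bytes
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    body = tcp + bytes(payload_len)
    flags_off = (IP_MF if mf else 0) | frag_units
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | (ihl // 4), 0, ihl + len(body), 1,
                     flags_off, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + ip_options + body


# Constructed samples using documentation address ranges.
CLIENT, VIP = "198.51.100.7", "203.0.113.10"
SAMPLES = {
    "normal SYN": build_packet(CLIENT, VIP, TCP_SYN),
    "same src/dst SYN": build_packet(VIP, VIP, TCP_SYN),
    "no flags": build_packet(CLIENT, VIP, 0),
    "SYN+FIN": build_packet(CLIENT, VIP, TCP_SYN | TCP_FIN),
    "fragmented SYN": build_packet(CLIENT, VIP, TCP_SYN, mf=True),
    "IP options": build_packet(CLIENT, VIP, TCP_ACK, ip_options=b"\x01\x01\x01\x00"),
    "oversized fragment": build_packet(CLIENT, VIP, TCP_ACK,
                                       frag_units=8189, payload_len=8),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:20s} -> {sorted(classify(pkt)) or 'no filter matches'}")
```
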

ip as-path
Description: Please contact A10 Networks for information.

ip community-list
Description: Please contact A10 Networks for information.


ip default-gateway
Description: Specify the default gateway to use to reach other subnets, when the AX Series device is deployed in transparent mode (Layer 2 mode).
Syntax: [no] ip default-gateway ipaddr
Default: None.
Mode: Configuration mode
Usage: This command applies only when the AX Series device is used in transparent mode. If you instead want to use the device in gateway mode (Layer 3 mode), configure routing.

To configure the default gateway for the out-of-band management interface, use the interface management command to go to the configuration level for the interface, then enter the ip default-gateway command. (See ip default-gateway (management interface only) on page 189.)

Example: The following command configures an AX Series device deployed in transparent mode to use router 10.10.10.1 as the default gateway for data traffic:

AX(config)#ip default-gateway 10.10.10.1

ip dns
Description: Configure DNS servers and the default domain name (DNS suffix) for hostnames on the AX device.
Syntax:
  [no] ip dns {primary | secondary} ipaddr
  [no] ip dns suffix string
Default: None
Mode: Configuration mode
Usage: This command applies to transparent mode and gateway mode.

Example: The following command sets primary DNS server 20.20.20.5:

AX(config)#ip dns primary 20.20.20.5


ip extcommunity-list
Description: Please contact A10 Networks for information.

ip frag timeout
Description: Configure the timeout for IP packet fragments.
Syntax: [no] ip frag timeout ms

Parameters:
  ms
    Specifies the number of milliseconds (ms) the AX device buffers fragments for fragmented IP packets. If all the fragments of an IP packet do not arrive within the specified time, the fragments are discarded and the packet is not reassembled. You can specify 4-1600 ms (16 seconds), in 10-ms increments.

Default: 1000 ms (1 second)
Mode: Configuration mode

ip nat alg pptp


Description: Disable or re-enable NAT Application-Layer Gateway (ALG) support for the Point-to-Point Tunneling Protocol (PPTP). This feature enables clients and servers to exchange Point-to-Point (PPP) traffic through the AX device over a Generic Routing Encapsulation (GRE) tunnel. PPTP is used to connect Microsoft Virtual Private Network (VPN) clients and VPN hosts.
Syntax: ip nat alg pptp {enable | disable}
Default: Enabled
Mode: Configuration mode
Usage: NAT ALG for PPTP has additional configuration requirements. For information, see the NAT ALG Support for PPTP section in the Network Address Translation chapter of the AX Series Configuration Guide.


ip nat allow-static-host
Description: Enable static Network Address Translation (NAT).
Syntax: [no] ip nat allow-static-host
Default: Disabled
Mode: Configuration mode
Usage: This command is required only if you configure individual static source mappings, using the ip nat inside source static command. If you configure a static range list instead, you do not need the ip nat allow-static-host command.

Example: The following command enables static NAT support:

AX(config)#ip nat allow-static-host

ip nat inside
Description: Configure inside Network Address Translation (NAT).
Syntax: [no] ip nat inside source { list acl-name pool pool-or-group-name | static inside-ipaddr nat-ipaddr [ha-group-id group-id] }

Parameters:
  list acl-name
    Specifies an Access Control List (ACL) that matches on the inside addresses to be translated. (To configure the ACL, see access-list (standard) on page 69 or access-list (extended) on page 72.)
  pool pool-or-group-name
    Dynamically assigns addresses from a range defined in a pool or pool group.
  static inside-ipaddr nat-ipaddr
    Statically maps the specified inside address to a specific NAT address.



  ha-group-id group-id
    HA group ID, 1-31.

Default: None
Mode: Configuration mode
Usage: For static NAT mappings, the following limitations apply:
  - Application Layer Gateway (ALG) services other than FTP are not supported when the server is on the inside.
  - HA session synchronization is not supported. However, sessions will not be interrupted by HA failovers.
  - Syn-cookies are not supported.

Example: The following command configures static inside NAT translation of 10.10.10.55 to 192.168.20.44:

AX(config)#ip nat inside source static 10.10.10.55 192.168.20.44

ip nat inside (for LSN)


Description: Bind an IP class list for use with LSN.
Syntax: [no] ip nat inside source class-list list-name

Parameters:
  class-list list-name
    Specifies the name of the class list.

Default: None
Mode: Configuration mode
Usage: The class list must already be configured. You can import the class list or configure it on the AX device. For more information, see the Large-Scale NAT chapter in the AX Series Configuration Guide.


ip nat lsn enable-full-cone-for-well-known


Description: Enable LSN to provide full-cone support for user sessions initiated from an internal IP address to a well-known TCP or UDP port (0-1023) on an external address.
Syntax: [no] ip nat lsn enable-full-cone-for-well-known
Default: Disabled
Mode: Configuration mode

ip nat lsn ip-selection


Description: Specify the method for LSN to use to select IP addresses within a pool.
Syntax: [no] ip nat lsn ip-selection method

Parameters:
  method
    Specifies the method, which can be one of the following:
      random - Selects addresses randomly, instead of using any of the other methods.
      round-robin - Selects addresses sequentially.
      least-used-strict - Selects the address with the fewest NAT ports of any type (ICMP, TCP, or UDP) used.
      least-udp-used-strict - Selects the address with the fewest UDP NAT ports used.
      least-tcp-used-strict - Selects the address with the fewest TCP NAT ports used.
      least-reserved-strict - Selects the address with the fewest NAT ports of any type (ICMP, TCP, or UDP) reserved.
      least-reserved-udp-strict - Selects the address with the fewest UDP NAT ports reserved.
      least-reserved-tcp-strict - Selects the address with the fewest TCP NAT ports reserved.
      least-users - Selects the address with the fewest users.


Default: random
Mode: Configuration mode
Usage: The IP address selection method applies only to the IP addresses within individual pools. The method does not apply to selection of pools within a pool group. LSN randomly selects a pool from within a pool group, then uses the configured IP address selection method to select an address from within the pool.

ip nat lsn logging default-template


Description: Set a configured LSN traffic logging template as the default template for all LSN pools.
Syntax: [no] ip nat lsn logging default-template template-name

Parameters:
  template-name
    Specifies the name of the LSN traffic logging template to use as the default for all LSN pools.

Default: Not set
Mode: Configuration mode
Usage: The NAT logging template you plan to use as the default must already be configured. To configure a NAT logging template, see ip nat template logging on page 236.

You also can assign a NAT logging template to an individual pool. In this case, the NAT logging template assigned to the pool is used instead of the default NAT logging template. See ip nat lsn logging pool on page 229.

Example: The following commands configure a NAT logging template, then set it as the default logging template for LSN:

AX5200(config)#slb server syslog1 192.168.1.100
AX5200(config-real server)#port 514 udp
AX5200(config-real server)#exit
AX5200(config)#slb service-group syslog udp
AX5200(config-slb svc group)#member syslog1:514
AX5200(config-slb svc group)#exit
AX5200(config)#ip nat template logging lsn_logging
AX5200(config-nat logging)#log port-mappings
AX5200(config-nat logging)#service-group syslog
AX5200(config-nat logging)#exit
AX5200(config)#ip nat lsn logging default-template lsn_logging

ip nat lsn logging pool


Description: Assign a NAT logging template to an LSN pool.
Syntax: [no] ip nat lsn logging pool pool-name template template-name

Parameters:
  pool-name
    Specifies the LSN pool.
  template-name
    Specifies the NAT logging template.

Default: Not set. If a NAT logging template has been set as the default NAT logging template, that template is used.
Mode: Configuration mode
Usage: The NAT logging template you plan to use must already be configured. To configure a NAT logging template, see ip nat template logging on page 236.

ip nat lsn port-reservation


Description: Configure static LSN mappings for a range of protocol ports for an internal address.
Syntax: [no] ip nat lsn port-reservation inside priv-ipaddr start-priv-portnum end-priv-portnum nat public-ipaddr start-public-portnum end-public-portnum

Parameters:
  priv-ipaddr
    Specifies the internal IP address.
  start-priv-portnum
    Specifies the beginning (lowest-numbered) protocol port number in the range of internal protocol port numbers.



  end-priv-portnum
    Specifies the ending (highest-numbered) protocol port number in the range of internal protocol port numbers.
  public-ipaddr
    Specifies the public IP address to map to the internal IP address.
  start-public-portnum
    Specifies the beginning public protocol port number in the range to map to the internal protocol port numbers.
  end-public-portnum
    Specifies the ending public protocol port number in the range to map to the internal protocol port numbers.

Default: None. If LSN is configured, LSN mappings are created and deleted dynamically.
Mode: Configuration mode

ip nat lsn stun-timeout


Description: Configure the LSN STUN timeout. The LSN STUN timeout specifies how long a NAT mapping for a full-cone session is maintained after the data session ends.
Syntax: [no] ip nat lsn stun-timeout minutes

Parameters:
  minutes
    Specifies the timeout, 0-60 minutes.

Default: 2
Mode: Configuration mode

ip nat lsn syn-timeout


Description: Configure the SYN timeout for LSN.
Syntax: [no] ip nat lsn syn-timeout seconds



Parameters:
  seconds
    Specifies the timeout, 2-7 seconds.

Default: 4
Mode: Configuration mode
Usage: The LSN SYN timeout is separate from the IP NAT translation timeout. If you need to configure the IP NAT translation timeout instead, see ip nat translation on page 238.

ip nat pool
Description: Configure a named set of IP addresses for use by NAT.
Syntax: [no] ip nat pool pool-name start-ipaddr end-ipaddr netmask {subnet-mask | /mask-length} [lsn [max-users-per-ip num]] [gateway ipaddr] [ha-group-id group-id [ha-use-all-ports]]

Parameters:
  pool-name
    Name of the address pool.
  start-ipaddr
    Beginning (lowest) IP address in the range.
  end-ipaddr
    Ending (highest) IP address in the range.
  netmask {subnet-mask | /mask-length}
    Network mask for the IP addresses in the pool.
  lsn [max-users-per-ip num]
    Enables the pool to be used for Large-Scale NAT (LSN). The max-users-per-ip option specifies the maximum number of internal addresses that can be mapped to a single public address at the same time. You can specify 1-65535. By default, there is no limit.
    Note: The lsn option applies only to the LSN feature. Pools that use the lsn option cannot be used with any type of NAT except LSN.
  gateway ipaddr
    Default gateway to use for NATted traffic.



  ha-group-id group-id [ha-use-all-ports]
    HA group ID, 1-31. The ha-use-all-ports option disables division of the pool's ports between AX devices. Without this option, the AX device automatically allocates half of each pool address's ports to one of the AX devices and allocates the other half of the ports to the other AX device. (See Usage below.)
    Note: It is recommended to use the ha-use-all-ports option only for DNS virtual ports. Using this option with other virtual port types is not valid.

Default: None.
Mode: Configuration mode
Usage: The pool can be used by other ip nat commands. The IP addresses must be IPv4 addresses. To configure a pool of IPv6 addresses, see ipv6 nat pool on page 251. To enable inside or outside NAT on interfaces, see ip nat on page 191.

When you use the gateway option, the gateway you specify is used as follows:
  - For forward traffic (traffic from a client to a server), the NAT gateway is used if the source NAT address (the address from the pool) and the server address are not in the same IP subnet.
  - On reverse traffic (reply traffic from a server to a client), the NAT gateway is used if all the following conditions are true:
      - The session is using translated addresses (is source NATted).
      - The source protocol port is in the source NAT subnet.
      - The destination is not in the source NAT subnet.

For conditions under which the NAT gateway is needed, if no NAT gateway is configured, the AX device uses the default gateway configured for the AX device's other traffic instead.



Port Allocation Between AX Devices in High Availability Deployments (ha-use-all-ports option)
By default, when you assign an IP NAT pool to an HA group, the AX device automatically allocates half of each pool address's ports to one of the AX devices and allocates the other half of the ports to the other AX device. This automatic allocation is used to prevent simultaneous use of the same port number by both AX devices. For example, without this protection, it would be possible for the same IP address and protocol port number to be in use on both AX devices in an Active-Active configuration. However, this protection also requires the pool to be configured with more addresses than will actually be needed.

In some cases, there is no benefit to dividing the pool's ports between the AX devices. In particular, there is no benefit for DNS virtual ports. DNS sessions are very short-lived and are never synchronized between the AX devices. For this reason, there is no risk that the same NAT port will be in use on more than one session at the same time. You can use the ha-use-all-ports option to disable division of the ports between AX devices.

Note: It is recommended to use the ha-use-all-ports option only for DNS virtual ports. Using this option with other virtual port types is not valid.

Example: The following command configures an IP address pool named "pool1" that contains addresses from 30.30.30.1 to 30.30.30.254:

AX(config)#ip nat pool pool1 30.30.30.1 30.30.30.254 netmask /24

ip nat pool-group
Description: Configure a set of IP pools for use by NAT. Pool groups enable you to use non-contiguous IP address ranges, by combining multiple IP address pools.
Syntax: [no] ip nat pool-group pool-group-name

Parameters:
  pool-group-name
    Name of the pool group.

This command changes the CLI to the configuration level for the specified pool group, where the following command is available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)



Parameters:
  member pool-name
    Name of a configured IP address pool.

Default: None.
Mode: Configuration mode
Usage: To use a non-contiguous range of addresses, configure a separate pool for each contiguous portion of the range, then configure a pool group that contains the pools. The addresses within an individual pool still must be contiguous, but you can have gaps between the ending address in one pool and the starting address in another pool. You also can use pools that are in different subnets.

For Large-Scale NAT (LSN), a pool group can contain up to 25 pools. For other types of NAT, a pool group can contain up to 5 pools. Pool group members must belong to the same protocol family (IPv4 or IPv6) and must use the same HA ID. A pool can be a member of multiple pool groups.

If a pool group contains pools in different subnets, the AX device selects the pool that matches the outbound subnet. For example, if there are two routes to a given destination, in different subnets, and the pool group has a pool for one of those subnets, the AX selects the pool that is in the subnet for the outbound route. The AX device selects the pool whose addresses are in the same subnet as the next-hop interface used by the data route table to reach the server.

Example: The following commands create a pool group for LSN and add 25 pools to the group:

AX(config)#ip nat pool-group group1
AX(config-pool-group)#member pool1
AX(config-pool-group)#member pool2
AX(config-pool-group)#member pool3
...
AX(config-pool-group)#member pool25


ip nat range-list
Description: Configure a range of IP addresses to use with static NAT.
Syntax: [no] ip nat range-list list-name local-ipaddr /mask-length global-ipaddr /mask-length count number [ha-group-id group-id]

Parameters:
  list-name
    Name of the static NAT address range.
  local-ipaddr /mask-length
    Beginning (lowest) IP address in the range of local addresses.
  global-ipaddr /mask-length
    Beginning (lowest) IP address in the range of global addresses.
  count number
    Number of addresses to be translated, 1-200000. The range contains a contiguous block of the number of addresses you specify. The block of local addresses starts with the address you specify for local-ipaddr. Likewise, the block of global addresses begins with the address you specify for global-ipaddr.
  ha-group-id group-id
    HA group ID, 1-31. Specifying the HA group ID allows a newly Active AX device to properly continue management of NATted IP resources following a failover.

Default: None.
Mode: Configuration mode
Usage: You can configure up to 1000 ranges. You can specify IPv4 or IPv6 addresses within a range.

Example: The following command configures an IP address range named "nat-list-1" that maps up to 100 local addresses starting from 10.10.10.97 to Internet addresses starting from 192.168.22.50:

AX(config)#ip nat range-list nat-list-1 10.10.10.97 /16 192.168.22.50 /16 count 100
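When reviewing which inside hosts a range list exposes, it helps to compute the exact address pairs. The following is an added Python example, not A10 code: it parses the range-list command shown above and translates addresses in both directions. It assumes the n-th local address maps to the n-th global address, which the page implies but does not state; the class, function and inventory names are hypothetical.

```python
import ipaddress
import re

# Matches the command syntax documented above; an optional CLI prompt may precede it.
RANGE_LIST_RE = re.compile(
    r"ip nat range-list (?P<name>\S+) (?P<local>\S+) /(?P<lmask>\d+) "
    r"(?P<glob>\S+) /(?P<gmask>\d+) count (?P<count>\d+)"
    r"(?: ha-group-id (?P<ha>\d+))?\s*$")


class RangeList:
    """One static NAT range: `count` contiguous local addresses and global addresses."""

    def __init__(self, name, local_start, global_start, count, ha_group=None):
        if not 1 <= count <= 200000:
            raise ValueError("count must be 1-200000")
        if ha_group is not None and not 1 <= ha_group <= 31:
            raise ValueError("ha-group-id must be 1-31")
        self.name = name
        self.local_start = ipaddress.ip_address(local_start)
        self.global_start = ipaddress.ip_address(global_start)
        self.count = count
        self.ha_group = ha_group

    def _shift(self, addr, src_start, dst_start):
        addr = ipaddress.ip_address(addr)
        if addr.version != src_start.version:
            return None
        offset = int(addr) - int(src_start)
        if not 0 <= offset < self.count:
            return None                      # outside the translated block
        return str(dst_start + offset)       # assumption: offset-preserving 1:1 mapping

    def to_global(self, local_addr):
        return self._shift(local_addr, self.local_start, self.global_start)

    def to_local(self, global_addr):
        return self._shift(global_addr, self.global_start, self.local_start)


def parse_range_list(line):
    m = RANGE_LIST_RE.search(line)
    if not m:
        raise ValueError("not an ip nat range-list command")
    ha = m.group("ha")
    return RangeList(m.group("name"), m.group("local"), m.group("glob"),
                     int(m.group("count")), int(ha) if ha else None)


def exposed_hosts(range_list, inventory):
    """Return {inside address: global address} for inventory hosts the range covers."""
    pairs = {}
    for host in inventory:
        mapped = range_list.to_global(host)
        if mapped is not None:
            pairs[host] = mapped
    return pairs


# The example command from this page, and a constructed host inventory.
EXAMPLE = ("AX(config)#ip nat range-list nat-list-1 10.10.10.97 /16 "
           "192.168.22.50 /16 count 100")
INVENTORY = ["10.10.10.96", "10.10.10.97", "10.10.10.196", "10.10.10.197"]

if __name__ == "__main__":
    rl = parse_range_list(EXAMPLE)
    for inside, outside in exposed_hosts(rl, INVENTORY).items():
        print(f"{inside} is statically reachable as {outside}")
```
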


ip nat reset-idle-tcp-conn
Description: Enable client and server TCP Resets for NATted TCP sessions that become idle.
Syntax: [no] ip nat reset-idle-tcp-conn
Default: Disabled.
Mode: Configuration mode

ip nat template logging


Description: Configure a template for external logging of LSN traffic events.
Syntax: [no] ip nat template logging template-name

This command changes the CLI to the configuration level for the specified NAT logging template, where the following command is available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Parameters:
  [no] facility facility-name
    Specifies the logging facility to use. For a list of available facilities, enter the following command: facility ?
  [no] include-destination
    Includes the destination IP addresses and protocol ports in NAT port mapping logs.
  [no] log port-mappings
    Enables logging of LSN port mapping events.
  [no] log sessions
    Enables logging of LSN data session events.
  [no] service-group group-name
    Specifies the service group for the external log servers.

236 of 722

P e r f o r m a n c e

b y

D e s i g n

Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010

AX Series - Command Line Interface - Reference


ip nat template logging [no] severity severity-level Specifies the severity level to assign to LSN traffic logs generated using this template. You can enter the name or the number of a severity level. 0 | emergency 1 | alert 2 | critical 3 | error 4 | warning 5 | notification 6 | information 7 | debugging [no] sourceport port-num Specifies the UDP port number from which the AX device will send the log messages.

Default
    There is no NAT logging template by default. When you configure one, the template options have the following default values:
    • facility - local0
    • include-destination - disabled
    • log port-mappings - enabled
    • log sessions - disabled
    • log service-group - not set
    • log severity - 7 (debugging)
    • log source-port - 514

Mode
    Configuration mode

Usage
    The template does not take effect until you set it as the default LSN logging template or assign it to individual LSN pools.
    • To set the template as the default LSN logging template, see ip nat lsn logging default-template on page 228.
    • To assign the template to an LSN pool, see ip nat lsn logging pool on page 229.



Example
    The following commands configure external logging for LSN traffic events, using the same template for all LSN pools:

AX5200(config)#slb server syslog1 192.168.1.100
AX5200(config-real server)#port 514 udp
AX5200(config-real server)#exit
AX5200(config)#slb service-group syslog udp
AX5200(config-slb svc group)#member syslog1:514
AX5200(config-slb svc group)#exit
AX5200(config)#ip nat template logging lsn_logging
AX5200(config-nat logging)#log port-mappings
AX5200(config-nat logging)#service-group syslog
AX5200(config-nat logging)#exit
AX5200(config)#ip nat lsn logging default-template lsn_logging

ip nat translation
Description
    Configure NAT timers.

Syntax
    [no] ip nat translation { icmp-timeout {seconds | fast} | service-timeout {seconds | fast} | syn-timeout seconds | tcp-timeout seconds | udp-timeout seconds }

Parameter    Description

icmp-timeout seconds | fast
    Specifies how long NATted ICMP sessions can remain idle before being terminated. You can specify 60-15000 seconds, or fast. The fast option terminates the session as soon as a response is received.
service-timeout seconds | fast
    Specifies how long NATted sessions on a specific protocol port can remain idle before being terminated. The timeout set for an individual protocol port overrides the global TCP or UDP timeout for NATted sessions. You can specify 60-15000 seconds, or fast. The fast option terminates the session as soon as a response is received.
syn-timeout seconds
    Timeout after a SYN. You can specify 60-300 seconds, in intervals of 60 seconds.
tcp-timeout seconds
    Timeout for TCP sessions that are not ended normally by a FIN or RST. You can specify 60-15000 seconds, in intervals of 60 seconds.
udp-timeout seconds
    Timeout for UDP sessions. You can specify 60-300 seconds, in intervals of 60 seconds.

Default
    The NAT timers have the following defaults:
    • icmp-timeout - SLB maximum session life (MSL), which is 2 seconds by default. (See slb msl-time on page 290.)
    • service-timeout - Not set. For all service ports except UDP 53, the tcp-timeout or udp-timeout setting is used. For UDP port 53, the SLB MSL time is used.
    • syn-timeout - 60 seconds
    • tcp-timeout - 300 seconds
    • udp-timeout - 300 seconds

Mode
    Configuration mode

Example
    The following command changes the SYN timeout to 120 seconds:

AX(config)#ip nat translation syn-timeout 120

ip prefix-list
Description
    Configure an IP prefix list.

Syntax
    [no] prefix-list {name | sequence-num} [seq sequence-num] {deny | permit} {any | ipaddr/mask-length} [ge prefix-length] [le prefix-length]

Parameter    Description

name | sequence-num
    Name or sequence number of the IP prefix-list rule. The name can not contain blanks. The sequence number can be 1-4294967295.
seq sequence-num
    Changes the sequence number of the IP prefix-list rule. The sequence number can be 1-4294967295.
deny | permit
    Action to take for IP addresses that match the prefix list.
any | ipaddr /mask-length
    IP address and number of mask bits, from left to right, on which to match. If you omit the ge and le options (described below), the mask-length is also the subnet mask on which to match.
ge prefix-length
    Specifies a range of prefix lengths on which to match. Any prefix length equal to or greater than the one specified will match. For example, ge 25 will match on any of the following mask lengths: /25, /26, /27, /28, /29, /30, /31, or /32.
le prefix-length
    Specifies a range of prefix lengths on which to match. Any prefix length less than or equal to the one specified will match. The lowest prefix length in the range is the prefix specified with the IP address. For example, 192.168.1.0/24 le 28 will match on any of the following mask lengths: /24, /25, /26, /27, or /28.

Default
    N/A

Mode
    Configuration mode

Usage
    You can use IP prefix lists to provide input to the OSPFv2 command area area-id filter-list on page 271.

    How Matching Occurs

    Matching begins with the lowest numbered IP prefix-list rule and continues until the first match is found. The action in the first matching rule is applied to the IP address. For example, if the IP prefix list contains the following two rules, rule 5 is used for IP address 192.168.1.9, even though the address also matches rule 10.

    ip prefix-list 5 permit any
    ip prefix-list 10 deny 192.168.1.0/24

    The ge prefix-length and le prefix-length options enable you to specify a range of mask lengths on which to match. If you do not use either option, the mask-length in the address (/24 in the example above) specifies both the following:
    • Number of bits to match, from left to right
    • Mask length on which to match

    If you use one or both of the ge or le options, the mask-length specifies only the number of bits to match. The ge or le option specifies the mask length(s) on which to match.

    The following rule matches on any address whose first octet is 10 and whose mask-length is 8:

    ip prefix-list match_on_8bit_mask_only permit 10.0.0.0/8

    IP address 10.10.10.10/8 would match this rule but 10.10.10.10/24 would not.

    The following rule uses the le option to extend the range of mask lengths that match:

    ip prefix-list match_on_24bit_mask_or_less permit 10.0.0.0/8 le 24

    This rule matches on any address that has 10 in the first octet, and whose mask length is 24 bits or less. IP addresses 10.10.10.10/8 and 10.10.10.10/24 would both match this rule.

    The following rule permits any address from any network that has a mask 16-24 bits long.

    ip prefix-list match_any_on_16-24bit_mask permit 0.0.0.0/0 ge 16 le 24

    Implied Deny any Rule

    The IP prefix list has an implied deny any rule at the end. This rule is not visible and can not be changed or deleted. If an IP address does not match any of the rules in the IP prefix list, the AX device uses the implied deny any rule to deny the address.

    Sequence Numbering

    As described above, the sequence of rules in the IP prefix list can affect whether a given address matches a permit rule or a deny rule. When you configure the first IP prefix-list rule, the AX device assigns sequence number 5 to the rule by default. After that, the sequence number for each new rule is incremented by 5. If you explicitly set the sequence number of a rule, subsequent rules are still sequenced in increasing increments of 5. For example, if you set the sequence number of the first rule to 7, the next rule is 12 by default.

    You can explicitly set the sequence number of a rule when you configure the rule. You also can change the sequence number of a rule that is already configured.
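The matching rules described above (first match by sequence number, the ge/le mask-length ranges, the implied deny any, and default numbering in steps of 5) can be checked offline before a list is applied. The following Python model is an added example, not A10 code; the names Rule, parse_rules and evaluate are hypothetical, it handles IPv4 only, and it assumes all rules are evaluated as one list in sequence order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                                   # "permit" or "deny"
    net: Optional[ipaddress.IPv4Network] = None   # None stands for "any"
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self) -> Tuple[int, int]:
        """Mask lengths the rule accepts, following the ge/le text above."""
        base = self.net.prefixlen
        if self.ge is None and self.le is None:
            return base, base                     # exact mask length only
        low = self.ge if self.ge is not None else base
        high = self.le if self.le is not None else 32
        return low, high

    def matches(self, cand: ipaddress.IPv4Interface) -> bool:
        if self.net is None:
            return True
        # Compare only the leading mask-length bits, left to right.
        shift = 32 - self.net.prefixlen
        same_bits = (int(cand.ip) >> shift) == (int(self.net.network_address) >> shift)
        low, high = self.length_range()
        return same_bits and low <= cand.network.prefixlen <= high


def parse_rules(config: str) -> List[Rule]:
    """Parse 'ip prefix-list ...' lines; other lines and descriptions are skipped."""
    rules, last_seq = [], 0
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[:2] != ["ip", "prefix-list"] or tok[3] == "description":
            continue
        ident, rest = tok[2], tok[3:]
        if rest[0] == "seq":                      # explicit sequence number
            seq, rest = int(rest[1]), rest[2:]
        elif ident.isdigit():                     # rule identified by its number
            seq = int(ident)
        else:                                     # default: previous + 5, first is 5
            seq = last_seq + 5
        last_seq = seq
        action, target, opts = rest[0], rest[1], rest[2:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in: {line!r}")
        bounds = dict(zip(opts[0::2], map(int, opts[1::2])))
        net = None if target == "any" else ipaddress.ip_network(target, strict=False)
        rules.append(Rule(seq, action, net, bounds.get("ge"), bounds.get("le")))
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules: List[Rule], candidate: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number of the deciding rule) for 'addr/len'."""
    cand = ipaddress.ip_interface(candidate)
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(cand):
            return rule.action, rule.seq
    return "deny", None                           # implied deny any


# Constructed sample, built from rules quoted in the text above.
SAMPLE = """\
ip prefix-list match_on_8bit_mask_only permit 10.0.0.0/8
ip prefix-list match_any_on_16-24bit_mask permit 0.0.0.0/0 ge 16 le 24
"""

if __name__ == "__main__":
    sample_rules = parse_rules(SAMPLE)
    for cand in ("10.10.10.10/8", "10.10.10.10/24", "172.16.0.0/28"):
        print(cand, evaluate(sample_rules, cand))
```

A result of ("deny", None) means no configured rule matched and the implied deny any rule decided the outcome, which is the case to look for when a list filters more than intended.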

ip prefix-list list-id description


Description
    Add a description to an IP prefix list.

Syntax
    [no] prefix-list {name | sequence-num} description string

Parameter    Description

name | sequence-num
    Name or sequence number of the IP prefix-list rule.
description string
    Description of the IP prefix list. The string can be up to 80 characters, and can contain blanks. Quotation marks are not required.

Default
    None

Mode
    Configuration mode

Usage
    The description is placed above the rule it describes. (See the CLI example.)

Example
    The following commands add descriptions to some IP prefix-list rules and display the results:

AX(config)#ip prefix-list aaa description Here is a string to describe the rule.
AX(config)#ip prefix-list ccc description And here is a string to describe this rule.
AX(config)#show running-config | section ip prefix-list
ip prefix-list aaa description Here is a string to describe the rule.
ip prefix-list aaa seq 5 permit any
ip prefix-list bbb seq 10 permit 192.168.1.0/24
ip prefix-list ccc description And here is a string to describe this rule.
ip prefix-list ccc seq 15 deny 10.10.10.0/8 le 24


ip prefix-list sequence-number
Description
    Enable or disable display of the sequence numbers of IP prefix-list rules.

Syntax
    [no] prefix-list sequence-number

Default
    Enabled

Mode
    Configuration mode

Usage
    When this option is enabled, the sequence numbers are displayed in the running-config. After you save the configuration, the sequence numbers also are displayed in the startup-config.

Example
    The following commands configure some IP prefix-list rules, then display them in the running-config. Display of sequence numbers is enabled.

AX(config)#ip prefix-list aaa deny 10.10.10.0/8 le 24
AX(config)#ip prefix-list bbb permit 192.168.1.0/24
AX(config)#ip prefix-list ccc permit any
AX(config)#show running-config | section ip prefix-list
ip prefix-list aaa seq 5 permit any
ip prefix-list bbb seq 10 permit 192.168.1.0/24
ip prefix-list ccc seq 15 deny 10.10.10.0/8 le 24

Example
    The following commands disable display of sequence numbers, then re-display the IP prefix-list rules:

AX(config)#no ip prefix-list sequence-number
AX(config)#show running-config | section ip prefix-list
ip prefix-list aaa deny 10.10.10.0/8 le 24
ip prefix-list bbb permit 192.168.1.0/24
ip prefix-list ccc permit any

ip route
Description
    Configure a static IP route.

Syntax
    [no] ip route destination-ipaddr {subnet-mask | /mask-length} next-hop-ipaddr [cpu-process]

Parameter    Description

destination-ipaddr {subnet-mask | /mask-length}
    Specifies the destination of the route. To configure a default route, specify 0.0.0.0/0.
next-hop-ipaddr
    Specifies the next-hop router to use to reach the route destination. The address must be in the same subnet as the AX Series device.
cpu-process
    Sends traffic that uses this route to the CPU for processing. This option is applicable only to models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. The option does not appear in the CLI on other models.

Default
    There are no static routes configured by default.

Mode
    Configuration mode

Usage
    If a destination can be reached by an explicit route (a route that is not a default route), then the explicit route is used. If an explicit route is not available to reach a given destination, the default route is used (if a default route is configured).

Example
    The following command configures a default route using gateway 10.10.10.1 and the default metric:

AX(config)#ip route 0.0.0.0/0 10.10.10.1

ip tcp syn-cookie threshold


Description
    Modify the threshold for TCP handshake completion. The TCP handshake threshold is applicable when SYN cookies are active.

Syntax
    [no] ip tcp syn-cookie threshold seconds

Parameter    Description

seconds
    Specifies the number of seconds allowed for a TCP handshake to be completed. If the handshake is not completed within the allowed time, the AX device drops the session. You can specify 1-100 seconds.

Default
    4 seconds

Mode
    Configuration mode

Usage
    The TCP handshake threshold is applicable only when hardware-based SYN cookies are active. To enable support for hardware-based SYN cookies, see syn-cookie on page 160.

Example
    The following command changes the TCP handshake threshold to 15 seconds:

AX(config)#ip tcp syn-cookie threshold 15


Config Commands: IPv6


The IPv6 commands configure global IPv6 parameters.

This CLI level also has the following commands, which are available at all configuration levels:
• backup - See backup config on page 39 and backup log on page 40.
• clear - See clear on page 50.
• debug - See debug on page 53.
• do - See do on page 103.
• end - See end on page 107.
• exit - See exit on page 108.
• no - See no on page 134.
• show - See Show Commands on page 527.
• write - See write terminal on page 67.

Note: To configure global IPv4 parameters, see Config Commands: IP on page 219.

ipv6 access-list
Description
    Configure an extended IPv6 ACL.

Syntax
    [no] ipv6 access-list acl-id

    This command changes the CLI to the configuration level for the ACL, where the following ACL-related commands are available.

Syntax
    [no] [seq-num] {permit | deny} {ipv6 | icmp} {any | host host-src-ipv6addr | net-src-ipv6addr /mask-length} {any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length} [log [transparent-session-only]]

    or

Syntax
    [no] {permit | deny} {tcp | udp} {any | host host-src-ipv6addr | net-src-ipv6addr /mask-length} [eq src-port | gt src-port | lt src-port | range start-src-port end-src-port] {any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length} [eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port] [log [transparent-session-only]]

Parameter    Description

seq-num
    Sequence number of this rule in the ACL. You can use this option to resequence the rules in the ACL.
deny | permit
    Action to take for traffic that matches the ACL.
        deny - Drops the traffic.
        permit - Allows the traffic.
ipv6 | icmp
    Filters on IPv6 or ICMP packets.
tcp | udp
    Filters on TCP or UDP packets. The tcp and udp options enable you to filter on protocol port numbers.
any | host host-src-ipv6addr | net-src-ipv6addr /mask-length
    Source IP address(es) to filter.
        any - The ACL matches on all source IP addresses.
        host host-src-ipv6addr - The ACL matches only on the specified host IPv6 address.
        net-src-ipv6addr /mask-length - The ACL matches on any host in the specified subnet. The mask-length specifies the portion of the address to filter.
eq src-port | gt src-port | lt src-port | range start-src-port end-src-port
    For tcp or udp, the source protocol ports to filter.
        eq src-port - The ACL matches on traffic from the specified source port.
        gt src-port - The ACL matches on traffic from any source port with a higher number than the specified port.
        lt src-port - The ACL matches on traffic from any source port with a lower number than the specified port.
        range start-src-port end-src-port - The ACL matches on traffic from any source port within the specified range.
any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length
    Destination IP address(es) to filter.
eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port
    For tcp or udp, the destination protocol ports to filter.
log [transparent-session-only]
    Configures the AX device to generate log messages when traffic matches the ACL. The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule.

Syntax
    [no] remark string

    The remark command adds a remark to the ACL. The remark appears at the top of the ACL when you display it in the CLI. The string can be 1-63 characters. To use blank spaces in the remark, enclose the entire remark string in double quotes.

Default
    None

Mode
    Configuration mode

ipv6 address
Description
    Configure the global IPv6 address of the AX Series device, when the device is deployed in transparent mode (Layer 2 mode).

Syntax
    [no] ipv6 address ipv6-addr/prefix-length

Parameter    Description

ipv6-addr
    Valid unicast IPv6 address.
prefix-length
    Prefix length, up to 128.

Default
    N/A

Mode
    Configuration mode

Usage
    This command applies only when the AX Series device is deployed in transparent mode. To assign IPv6 addresses to individual interfaces instead (gateway mode), use the ipv6 address command at the interface configuration level. (See ipv6 address on page 197.)

Example
    The following command configures global IPv6 address 2001:db8::1521:31ab/32:

AX(config)#ipv6 address 2001:db8::1521:31ab/32

ipv6 default-gateway
Description
    Specify the default gateway to use to reach other IPv6 networks, when the AX Series device is used in transparent mode (Layer 2 mode).

Syntax
    [no] ipv6 default-gateway ipv6-addr

Parameter    Description

ipv6-addr
    IPv6 address of the next-hop gateway.

Default
    N/A

Mode
    Configuration mode

Usage
    This command applies only when the AX Series device is used in transparent mode. If you instead want to use the device in gateway mode (Layer 3 mode), configure routing.

Example
    The following command configures default IPv6 gateway 2001:db8::1521:31ac:

AX(config)#ipv6 default-gateway 2001:db8::1521:31ac

ipv6 nat pool


Description
    Configure a named set of IPv6 addresses for use by Network Address Translation (NAT).

Syntax
    [no] ipv6 nat pool pool-name start-ipv6-addr end-ipv6-addr netmask mask-length [gateway ipaddr] [ha-group-id group-id]

Parameter    Description

pool-name
    Name of the address pool.
start-ipaddr
    Beginning (lowest) IP address in the range.
end-ipaddr
    Ending (highest) IP address in the range.
netmask mask-length
    Network mask for the IP addresses in the pool, 96-128.
gateway ipv6-addr
    Next-hop gateway address.
group-id
    HA group ID, 1-31.

Default
    None.

Mode
    Configuration mode

Example
    The following command configures an IPv6 address pool named ipv6pool2:

AX(config)#ipv6 nat pool ipv6pool2 abc1::1 abc1::10 netmask 96


ipv6 neighbor
Description
    Configure a static IPv6 neighbor.

Syntax
    [no] ipv6 neighbor ipv6-addr macaddr ethernet port-num [vlan vlan-id]

Parameter    Description

ipv6-addr
    IPv6 unicast address of the neighbor.
macaddr
    MAC address of the IPv6 neighbor.
port-num
    Ethernet interface connected to the neighbor.
vlan-id
    VLAN for which to add the IPv6 neighbor entry. If you do not specify the VLAN, the entry is added for all VLANs.

Default
    N/A

Mode
    Configuration mode

Usage
    The neighbor must be directly connected to the AX Series device's Ethernet port you specify, or connected through a Layer 2 switch.

Example
    The following command configures IPv6 neighbor 2001:db8::1111:2222 with MAC address abab.cdcd.efef, connected to the AX Series device's Ethernet port 5:

AX(config)#ipv6 neighbor 2001:db8::1111:2222 abab.cdcd.efef ethernet 5

ipv6 ospf display


Description
    Change how IPv6 routes are displayed in show ipv6 ospf route output.

Syntax
    [no] ipv6 ospf display route single-line

Default
    By default, this option is disabled. Routes are displayed on multiple lines.

Mode
    Configuration mode


ipv6 ospf restart grace-period


Description
    Specify the number of seconds to wait following termination of the OSPFv3 process before restarting it again.

Syntax
    [no] ipv6 ospf restart grace-period seconds

Parameter    Description

seconds
    Number of seconds, 1-1800.

Default
    120

Mode
    Configuration mode

ipv6 ospf restart helper


Description
    Configure helper settings for graceful restart of the OSPFv3 process.

Syntax
    [no] ipv6 ospf restart helper { max-grace-period seconds [only-reload] [only-upgrade] | never [router-id ipv6-addr] | only-reload [max-grace-period seconds] [only-upgrade] | only-upgrade [max-grace-period seconds] [only-reload] }

Parameter    Description

max-grace-period seconds
    Uses helper mode only if the received grace period is less than this value. The seconds can be 1-1800.
only-reload
    Helper mode is used only for reloads.
only-upgrade
    Helper mode is used only for upgrades.
never [router-id ipv6-addr]
    Prevents the specified OSPFv3 neighbor from entering helper mode. If you do not specify the router-id ipv6-addr option, the never option applies to all neighbors.

Default
    Not set

Mode
    Configuration mode

ipv6 route
Description
    Configure a static IPv6 route.

Syntax
    [no] ipv6 route ipv6-addr/prefix-length gateway-addr [ethernet port-num | trunk num | ve ve-num]

Parameter    Description

ipv6-addr
    IPv6 unicast address of the route destination.
prefix-length
    Prefix length, 1-128.
gateway-addr
    IPv6 unicast address of the next-hop gateway to the destination.
ethernet port-num | trunk num | ve ve-num
    Uses the link-local address on the specified interface as the next hop.

Default
    N/A

Mode
    Configuration mode

Usage
    The ethernet, trunk, and ve options are available only if the gateway-addr is a link-local address. Otherwise, the options are not displayed in the online help and are not supported.
    • If you use an individual Ethernet port, the port can not be a member of a trunk or a VE. If you use a trunk, the trunk can not be a member of a VE.
    • After you configure the static route, you can not change the interface's membership in trunks or VEs. For example, if you configure a static route that uses Ethernet port 6's link-local address as the next hop, it is not supported to later add the interface to a trunk or VE. The static route must be removed first.

Example
    The following command configures a static IPv6 route to destination 2001:db8::3333:3333/32, through gateway 2001:db8::3333:4444:

AX(config)#ipv6 route 2001:db8::3333:3333/32 2001:db8::3333:4444

Example
    The following command configures a default IPv6 route:

AX(config)#ipv6 route ::/0 abc1::1111

    The following command configures an IPv6 static route that uses Ethernet port 6's link-local address as the next hop:

AX(config)#ipv6 route abaa:3::0/64 fe80::2 ethernet 6


Config Commands: Router OSPF


This chapter describes the commands for configuring global OSPFv2 and OSPFv3 parameters.

Note: This CLI level also has the following commands, which are available at all configuration levels:
• clear - See clear on page 50.
• debug - See debug on page 53.
• do - See do on page 103.
• end - See end on page 107.
• exit - See exit on page 108.
• no - See no on page 134.
• show - See Show Commands on page 527.
• write - See write terminal on page 67.

Enabling OSPF

To enable OSPF, use one of the following commands at the global configuration level of the CLI. Each command changes the CLI to the configuration level for the specified OSPFv2 process ID or OSPFv3 instance tag.

OSPFv2
    router ospf [process-id]
    The process-id specifies the IPv4 OSPFv2 instance to run on the AX device, and can be 1-65535.

OSPFv3
    router ipv6 ospf [tag]
    The tag specifies the IPv6 OSPFv3 instance to run on the IPv6 link, and can be 1-65535.

Interface-level OSPF Commands

In addition to global parameters, OSPF has parameters on the individual interface level. To configure OSPF on an interface, use the interface command to access the configuration level for the interface, then use the ip ospf or ipv6 ospf command. (See ip ospf on page 192.)

Show Commands

To display OSPF settings, use show ip ospf or show ipv6 ospf commands. (See Show Commands on page 527.)

Configuration Commands Applicable to OSPFv2 or OSPFv3


The following configuration commands are applicable to OSPFv2 and OSPFv3. The commands in this section apply throughout the OSPFv2 process or OSPFv3 instance in which the commands are entered.

area area-id default-cost


Description
    Specify the cost of a default summary route sent into a stub area.

Syntax
    [no] area area-id default-cost num

Parameter    Description

area-id
    Area ID, either an IP address or a number.
num
    Cost of the default summary route, 0-16777214.

Default
    The default is 1.

Mode
    OSPFv2 or OSPFv3

Example
    The following command assigns a cost of 4400 to default summary routes injected into stub areas:

AX(config-router)#area 5.5.5.5 default-cost 4400

area area-id range


Description
    Summarize routes at an area boundary.

Syntax
    [no] area area-id range ipaddr/mask-length [advertise | not-advertise]

Parameter    Description

area-id
    Beginning area ID.
range area-id
    Ending area ID.
ipaddr
    Subnet address for the range.
/mask-length
    Network mask length for the range.
advertise
    Generates Type 3 summary LSAs for the areas in the range.
not-advertise
    Does not generate Type 3 summary LSAs. The networks are hidden from other networks.

Default
    There is no default range configuration. When you configure a range, the default advertisement string is advertise.

Mode
    OSPFv2 or OSPFv3

Example
    The following command configures a range and disables advertisement of routes into the areas:

AX(config-router)#area 8.8.8.8 range 10.10.10.10/16 not-advertise

area area-id stub


Description
    Configure a stub area.

Syntax
    [no] area area-id stub [no-summary]

Parameter    Description

area-id
    Area ID.
no-summary
    ABRs do not send summary LSAs into the stub area.

Default
    None

Mode
    OSPFv2 or OSPFv3

Example
    The following command configures a stub area with area ID 10.2.4.5:

AX(config-router)#area 10.2.4.5 stub


area area-id virtual-link


Description
    Configure a link between two backbone areas that are separated by nonbackbone areas.

Syntax
    [no] area area-id virtual-link ipaddr [authentication] [authentication-key string [string ...]] [dead-interval seconds] [hello-interval seconds] [message-digest-key num md5 string [string ...]] [retransmit-interval seconds] [transmit-delay seconds]

Parameter    Description

area-id
    Area ID, either an IP address or a number.
ipaddr
    IP address of the OSPF neighbor at the other end of the link.
authentication
    Enables authentication on the link.
authentication-key string [string ...]
    Specifies a simple text password for authenticating OSPF traffic between this router and the neighbor at the other end of the virtual link. The string is an 8-character authentication password.
dead-interval seconds
    Number of seconds this OSPF router will wait for a reply to a hello message sent to the neighbor on the other end of the virtual link, before declaring the neighbor to be offline. You can specify 1-65535 seconds.
hello-interval seconds
    Number of seconds this OSPF router waits between sending hello messages to the neighbor on the other end of the virtual link. You can specify 1-65535 seconds.
message-digest-key num md5 string [string ...]
    Specifies an MD5 key, 1-255. The string is a 16-character authentication password.
retransmit-interval seconds
    Number of seconds this OSPF router waits before resending an unacknowledged packet to the neighbor on the other end of the virtual link. You can specify 1-65535 seconds.
transmit-delay seconds
    Number of seconds this OSPF router waits between sending packets to the neighbor on the other end of the virtual link. You can specify 1-65535 seconds.

Default
    None. When you configure a virtual link, it has the following default settings:
    • authentication - disabled
    • authentication-key - not set
    • dead-interval - 40
    • hello-interval - 10
    • message-digest-key - not set
    • retransmit-interval - 5
    • transmit-delay - 1

Mode
    OSPFv2 or OSPFv3
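Because a virtual link is created with authentication disabled and no key set, a saved configuration can be reviewed for links that were left at those defaults or that rely on the simple text password. The following Python check is an added example, not A10 code; the sample configuration is constructed from the syntax above, the finding names are hypothetical, and it assumes the configuration lists virtual links in the same form as the command syntax.

```python
from typing import Dict, List, Optional, Tuple

# Option keywords from the "area area-id virtual-link" syntax shown above.
KEYWORDS = {"authentication", "authentication-key", "dead-interval", "hello-interval",
            "message-digest-key", "retransmit-interval", "transmit-delay"}


def parse_virtual_link(line: str) -> Optional[dict]:
    """Return the options of one 'area ... virtual-link ...' line, or None."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "area" or tok[2] != "virtual-link":
        return None
    link = {"area": tok[1], "neighbor": tok[3], "authentication": False,
            "simple_key": None, "md5_keys": {}}
    i = 4
    while i < len(tok):
        j = i + 1
        while j < len(tok) and tok[j] not in KEYWORDS:   # values run to the next keyword
            j += 1
        keyword, args = tok[i], tok[i + 1:j]
        if keyword == "authentication":
            link["authentication"] = True
        elif keyword == "authentication-key" and args:
            link["simple_key"] = " ".join(args)
        elif keyword == "message-digest-key" and len(args) >= 3 and args[1] == "md5":
            link["md5_keys"][int(args[0])] = " ".join(args[2:])
        i = j
    return link


def findings(link: dict) -> List[str]:
    """Classify one link; key material is never copied into the result."""
    out = []
    has_key = bool(link["simple_key"] or link["md5_keys"])
    if not link["authentication"] and not has_key:
        out.append("no-authentication")                  # left at the defaults
    if link["authentication"] and not has_key:
        out.append("authentication-without-key")
    if has_key and not link["authentication"]:
        out.append("key-without-authentication-keyword")
    if link["simple_key"] and not link["md5_keys"]:
        out.append("simple-text-password")
    return out


def audit(config: str) -> Dict[Tuple[str, str], List[str]]:
    """Map (area-id, neighbor address) to the findings for that virtual link."""
    links: Dict[Tuple[str, str], dict] = {}
    for line in config.splitlines():
        parsed = parse_virtual_link(line)
        if parsed is None:
            continue
        cur = links.setdefault((parsed["area"], parsed["neighbor"]), parsed)
        if cur is not parsed:                            # same link set on several lines
            cur["authentication"] |= parsed["authentication"]
            cur["simple_key"] = parsed["simple_key"] or cur["simple_key"]
            cur["md5_keys"].update(parsed["md5_keys"])
    return {key: findings(link) for key, link in links.items()}


# Constructed sample configuration (addresses and keys are placeholders).
SAMPLE_CONFIG = """\
router ospf 1
 area 0.0.0.1 virtual-link 10.1.1.1 hello-interval 5
 area 0.0.0.2 virtual-link 10.2.2.2 authentication authentication-key Examp1e!
 area 0.0.0.3 virtual-link 10.3.3.3 authentication
 area 0.0.0.3 virtual-link 10.3.3.3 message-digest-key 1 md5 0123456789abcdef
 area 0.0.0.4 virtual-link 10.4.4.4 message-digest-key 1 md5 0123456789abcdef
"""

if __name__ == "__main__":
    for link_id, issues in audit(SAMPLE_CONFIG).items():
        print(link_id, issues or "ok")
```

A password that is itself one of the option keywords would be split incorrectly by this parser; treat the output as a review aid, not a definitive statement of what the device enforces.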

auto-cost reference-bandwidth

Description
    Change the reference bandwidth used by OSPF to calculate default metrics.

Syntax
    [no] auto-cost reference-bandwidth mbps

Parameter    Description

mbps
    Specifies the reference bandwidth, in Mbps. You can specify 1-4294967.

Default
    100 Mbps

Mode
    OSPFv2 or OSPFv3

Usage
    By default, OSPF calculates the OSPF metric for an interface by dividing the reference bandwidth by the interface bandwidth. This command differentiates high-bandwidth links from lower-bandwidth links. If multiple links have high bandwidth, specify a larger reference bandwidth so that the cost of those links is differentiated from the cost of lower-bandwidth links.

capability restart
Description
    Enable graceful restart of the OSPF process or OSPF signalling.

Syntax
    [no] capability restart {graceful | signaling}

Parameter    Description

graceful
    Enables graceful restart of OSPF.
signaling
    Enables restart of OSPF signalling.

Default
    Graceful restart and signalling are both enabled by default.

Mode
    OSPFv2 or OSPFv3

default-metric
Description: Set the numeric cost that is assigned to OSPF routes by default. The metric (cost) is added to routes when they are redistributed.

Syntax: [no] default-metric num

Parameters:
- num: Default cost, 0-16777214.

Default: 20

Mode: OSPFv2 or OSPFv3

Example: The following command configures a default metric of 6666:

AX(config-router)#default-metric 6666

ha-standby-extra-cost
Description: Enable OSPF awareness of High Availability (HA).

Syntax: [no] ha-standby-extra-cost num

Parameters:
- num: Specifies the extra cost to add to the AX device's OSPF interfaces, if the HA status of one or more of the device's HA groups is Standby. You can specify 1-65535. If the resulting cost value is more than 65535, the cost is set to 65535.

Default: Not set. The OSPF protocol on the AX device is not aware of the HA state (Active or Standby) of the AX device.

Mode: OSPFv2 or OSPFv3

Usage: Enter the command on each of the AX devices in the HA pair.

max-concurrent-dd
Description: Set the maximum number of OSPF neighbors that can be processed concurrently during database exchange between this OSPF router and its OSPF neighbors.

Syntax: [no] max-concurrent-dd num

Parameters:
- num: Specifies the maximum number of neighbors that can be processed at the same time during database exchange. You can specify 1-65535.

Default: Not set (no limit)

Mode: OSPFv2 or OSPFv3

Usage: This command is useful in cases where router performance is being adversely affected by processing of neighbor adjacencies.

maximum-area
Description: Set the maximum number of OSPF areas supported for this OSPF process.

Syntax: [no] maximum-area num

Parameters:
- num: Specifies the maximum number of areas allowed for this OSPF process. You can specify 1-4294967294.

Default: 4294967294

Mode: OSPFv2 or OSPFv3

passive-interface
Description: Disable Link-State Advertisements (LSAs) from being sent on an interface.

Syntax: [no] passive-interface {ethernet portnum | loopback num | management | ve ve-num}

Default: LSAs are enabled. (No interfaces are passive.)

Mode: OSPFv2 or OSPFv3

Example: The following command configures a passive interface on the Virtual Ethernet (VE) interface on VLAN 3:

AX(config-router)#passive-interface ve 3

redistribute
Description: Enable distribution of routes from other sources into OSPF.

Syntax: [no] redistribute {
  connected [options] |
  floating-ip [options] |
  ip-nat [ipaddr/mask-length floating-IP-forward-address ipaddr] [options] |
  ip-nat-list [options] |
  ospf [process-id] [options] |
  static [options] |
  vip [ipaddr floating-IP-forward-address ipaddr | {only-flagged | only-not-flagged}] [options] }

Parameters:
- connected [options]: Redistributes routes into OSPF for reaching directly connected networks. For options, see the end of this parameter list.
- floating-ip [options]: Redistributes routes into OSPF for reaching HA floating IP addresses. For options, see the end of this parameter list.
- ip-nat [ipaddr/mask-length floating-IP-forward-address ipaddr] [options]: Redistributes routes into OSPF for reaching translated NAT addresses allocated from a pool. By default, the forward address for all redistributed NAT pool addresses is 0.0.0.0. To set a floating IP address as the forward address, use the ipaddr/mask-length option to specify the NAT pool address. The floating-IP-forward-address ipaddr option specifies the forward address to use when redistributing the route to the NAT pool address. For options, see the end of this parameter list.
- ip-nat-list [options]: Redistributes routes into OSPF for reaching translated NAT addresses allocated from a range list. For options, see the end of this parameter list.
- ospf [process-id] [options]: Redistributes routes into this OSPFv2 process for reaching networks in another OSPFv2 process. For options, see the end of this parameter list.
- static [options]: Redistributes routes into OSPF for reaching networks through static routes. For options, see the end of this parameter list.
- vip [ipaddr floating-IP-forward-address ipaddr | {only-flagged | only-not-flagged}] [options]: Redistributes routes into OSPF for reaching virtual server IP addresses. By default, the forward address for all redistributed VIPs is 0.0.0.0. To set a floating IP address as the forward address, use the ipaddr option to specify the VIP address. Use the floating-IP-forward-address ipaddr option to specify the forward address to use when redistributing the route to the VIP. By default, all VIPs are redistributed when you use the vip option. To restrict redistribution to a subset of VIPs, use one of the following options:
  - only-flagged: Redistributes only the VIPs on which the redistribution-flagged command is used.
  - only-not-flagged: Redistributes all VIPs except those on which the redistribution-flagged command is used.
  For more information, see Usage. For options, see below.
- options: Optional parameters supported for all the options listed above:
  - metric-type {1 | 2}: External link type associated with the route advertised into the OSPF routing domain:
    1 - Type 1 external route
    2 - Type 2 external route
  - metric num: Metric for the default route, 0-16777214. The default is 20.
  - route-map map-name: Name of a route map. (To configure a route map, see route-map on page 255.)
  - tag num: Includes the specified tag value in external Link-State Advertisements (LSAs). Inter-domain routers running Border Gateway Protocol (BGP) can be configured to make routing decisions based on the tag value. The tag value can be 0-4294967295. The default is 0.

Note: The bgp, isis, and kernel options are not applicable to the current release and are not supported.

Default: Disabled. By default, OSPF routes are not redistributed. For other defaults, see above.

Mode: OSPFv2 or OSPFv3

Usage: When you enable redistribution, routes to all addresses of the specified type are redistributed. For example, if you use the vip option, routes to all VIPs are redistributed into OSPF.

By default, the AX device uses 0.0.0.0 as the forward address in routes that are redistributed in OSPF type-5 link state advertisements (LSAs). In this case, other OSPF routers find a route to reach the AX device (which is acting as OSPF ASBR), then use the corresponding next-hop address as the next hop for the destination network. You can specify a floating IP address to use as the forward address, for individual NAT pools or VIPs. (See the syntax above.)

VIP Redistribution

VIP redistribution is not supported for VIPs on which destination NAT has been disabled. For example, VIP redistribution is not supported for VIPs that are configured for Direct Server Return (DSR).

You can exclude redistribution of individual VIPs using one or the other of the following methods. They are mutually exclusive.

- If more VIPs will be excluded than will be allowed to be redistributed:
  - At the configuration level for each of the VIPs to allow to be redistributed, enter the following command: redistribution-flagged
  - At the configuration level for the OSPFv2 process or OSPFv3 instance, enter the following command: redistribute vip only-flagged
- If fewer VIPs will be excluded than will be allowed to be redistributed:
  - At the configuration level for each of the VIPs to exclude from redistribution, enter the following command: redistribution-flagged
  - At the configuration level for the OSPFv2 process or OSPFv3 instance, enter either of the following commands: redistribute vip only-not-flagged or redistribute vip

Note: In the configuration, the redistribute vip only-not-flagged command is automatically converted into the redistribute vip command. When you display the configuration, it will contain the redistribute vip command, not the redistribute vip only-not-flagged command. This command conversion makes the behavior in the current release backwards compatible with the behavior in previous releases.

VIP Redistribution Usage Examples:

- If you have 10 VIPs and all of them need to be redistributed by OSPF, use the redistribute vip command at the configuration level for the OSPF process.
- If you have 10 VIPs but only 2 of them need to be redistributed, use the redistribution-flagged command at the configuration level for each of the 2 VIPs, then use the redistribute vip only-flagged command at the configuration level for the OSPFv2 process or OSPFv3 instance.
- If you have 10 VIPs and need to redistribute 8 of them, use the redistribution-flagged command at the configuration level for the 2 VIPs that should not be redistributed. Enter the redistribute vip only-not-flagged command at the configuration level for the OSPFv2 process or OSPFv3 instance. (In this case, alternatively, you could enter redistribute vip instead of redistribute vip only-not-flagged.)

Example: The following commands redistribute floating IP addresses and VIP addresses into OSPF:

AX(config-router)#redistribute floating-ip
AX(config-router)#redistribute vip

Example: The following commands flag a VIP, then configure OSPF to redistribute only that flagged VIP. The other (unflagged) VIPs will not be redistributed.

AX(config)#slb virtual-server vip1
AX(config-slb virtual server)#redistribution-flagged
AX(config-slb virtual server)#exit
AX(config)#router ospf
AX(config-router)#redistribute vip only-flagged

Example: The following command enables redistribution of VIPs, and sets tag value 555 to be included in external LSAs that advertise the route to the VIP:

AX(config-router)#redistribute vip metric-type 1 metric 1 tag 555

router-id
Description: Set the value used by this OSPF router to identify itself when exchanging route information with other OSPF routers.

Syntax: [no] router-id ipaddr

Default: For OSPFv2, the default router ID is the highest-numbered IP address configured on any of the AX device's loopback interfaces. If no loopback interfaces are configured, the highest-numbered IP address configured on any of the AX device's other Ethernet data interfaces is used. For OSPFv3, the router ID must be set.

Note: Setting the router ID is required for OSPFv3 and is strongly recommended for OSPFv2.

Mode: OSPFv2 or OSPFv3

Usage: The AX device has only one router ID. The address does not need to match an address configured on the AX device. However, the address must be an IPv4 address and must be unique within the routing domain. New or changed router IDs require a restart of the OSPF process. To restart the OSPF process, use the clear ip ospf process command.

Example: The following commands set the router ID to 2.2.2.2 and reload OSPF to place the new router ID into effect:

AX(config-router)#router-id 2.2.2.2
AX(config-router)#clear ip ospf process

timers spf exp


Description: Change Shortest Path First (SPF) timers used for route recalculation following a topology change.

Syntax: [no] timers spf {exp min-delay max-delay | delay hold-time}

Parameters:
- exp min-delay max-delay: Enables exponential back-off delays for route recalculation. The min-delay specifies the minimum number of milliseconds (ms) the OSPF process waits after receiving a topology change, before recalculating its OSPF routes. You can specify 0-2147483647. The max-delay specifies the maximum number of milliseconds (ms) the OSPF process waits after receiving a topology change, before recalculating its OSPF routes. You can specify 0-2147483647.
- delay hold-time: Specifies the delay time between the receipt of a topology change and the calculation of the SPF. This option also configures the hold time between two consecutive SPF calculations. The delay specifies the number of milliseconds (ms) the OSPF process waits after receiving a topology change, before recalculating its OSPF routes. You can specify 0-2147483647 ms. The hold-time specifies the minimum number of seconds the OSPF process must wait between consecutive route recalculations. You can specify 0-2147483647 ms.

Default: For the exp option, the default min-delay is 50 ms and the default max-delay is also 50 ms. For delay hold-time option, the default delay is 50 ms. The default hold-time is 100 ms.

Mode: OSPFv2 or OSPFv3

Usage: After you enter this command, any pending route recalculations are rescheduled based on the new timer values.

Configuration Commands Applicable to OSPFv2 Only


The following configuration commands are applicable to OSPFv2 only. The commands in this section apply throughout the OSPFv2 process in which the commands are entered.

area area-id authentication


Description: Enable authentication for an OSPF area.

Syntax: [no] area area-id authentication [message-digest]

Parameters:
- message-digest: Enables MD5 authentication. If you omit this option, simple text authentication is used.

Default: Disabled. No authentication is used.

Mode: OSPFv2

Usage: To configure a simple text password or MD5 key, see ip ospf on page 192.

area area-id filter-list


Description: Filter the summary routes advertised by this OSPF router, if it is acting as an Area Border Router (ABR).

Syntax: [no] area area-id filter-list { access acl-id {in | out} | prefix list-name {in | out} }

Parameters:
- area-id: Area ID, either an IP address or a number.
- access acl-id {in | out}: ID of an Access Control List (ACL). The only routes that are advertised are routes to the subnets permitted by the ACL.
- prefix list-name {in | out}: ID of an IP prefix list. The only routes that are advertised are routes to the subnets that match the list.

Default: Not set.

Mode: OSPFv2

Usage: You can specify an ACL or an IP prefix list. To configure an ACL, see the AX Series CLI Reference. To configure a prefix list, see Prefix List Command Reference on page 259.

area area-id multi-area-adjacency


Description: Enables support for multiple OSPF area adjacencies on the specified interface.

Syntax: [no] area area-id multi-area-adjacency {ethernet portnum | loopback num | management | ve ve-num} neighbor ipaddr

Default: Disabled. By default, only one OSPF adjacency is allowed on an interface for a given OSPF process.

Mode: OSPFv2

Usage: This command is applicable only if this OSPF router is an ABR.

area area-id nssa


Description: Configure a not-so-stubby area (NSSA).

Syntax: [no] area area-id nssa [ default-information-originate [metric num] [metric-type {1 | 2}] | no-redistribution | no-summary | translator-role {always | candidate | never} ]

Parameters:
- area-id: Area ID.
- default-information-originate [metric num] [metric-type {1 | 2}]: Generates a Type 7 LSA into the NSSA area. (This option takes effect only on Area Border Routers (ABRs)).
  - metric num: Metric for the default route, 0-16777214. The default is 20.
  - metric-type {1 | 2}: External link type associated with the route advertised into the OSPF routing domain:
    1 - Type 1 external route
    2 - Type 2 external route
- no-redistribution: Disables redistribution of routes into the area.
- no-summary: Disables sending summary LSAs into the NSSA.
- translator-role {always | candidate | never}: Specifies the types of LSA translation performed by this OSPF router for the NSSA:
  - always: If this OSPF router is an NSSA border router, the router will always translate Type 7 LSAs into Type 5 LSAs, regardless of the translator state of other NSSA border routers.
  - candidate: If this OSPF router is an NSSA border router, the router is eligible to be elected the Type 7 NSSA translator.
  - never: This OSPF router is ineligible to be elected the Type 7 NSSA translator.

Default: None

Mode: OSPFv2

Example: The following command configures an NSSA with area ID 6.6.6.6:

AX(config-router)#area 6.6.6.6 nssa

area area-id shortcut


Description: Configure short-cutting through an area.

Syntax: [no] area area-id shortcut {default | disable | enable}

Parameters:
- area-id: Area ID.
- default: Enables the default shortcut behavior. (See below.)
- disable: Disables shortcutting through the area.
- enable: Forces shortcutting through the area.

Default: None

Mode: OSPFv2

Usage: A shortcut enables traffic to go through a non-backbone area with a lower metric, regardless of whether the ABR router is attached to the backbone area.

capability opaque
Description: Disable or re-enable opaque LSA capability.

Syntax: [no] capability opaque

Default: Enabled.

Mode: OSPFv2

Usage: Opaque-LSAs deliver information used by external applications. Type 9, 10 and 11 LSAs can be opaque LSAs.

compatible rfc1583
Description: Enable calculation of summary route costs per RFC 1583.

Syntax: [no] compatible rfc1583

Default: Disabled. Summary route costs are calculated based on RFC 2328.

Mode: OSPFv2

default-information originate
Description: Create a default route into the OSPF domain.

Syntax: [no] default-information originate [always] [metric num] [metric-type {1 | 2}] [route-map name]

Parameters:
- always: Configures the AX device to automatically declare itself a default gateway for other OSPF routers, even if the AX device does not have a default route to 0.0.0.0/0.
- metric num: Metric for the default route, 0-16777214.
- metric-type {1 | 2}: External link type associated with the default route advertised into the OSPF routing domain:
  1 - Type 1 external route
  2 - Type 2 external route
- route-map map-name: Name of a route map. (To configure a route map, see route-map on page 255.)

Default: This option is disabled by default. If you enable it, the default metric is 10. The default metric type is 2.

Mode: OSPF

Example: The following command creates a default route into the OSPF domain with a metric of 20:

AX(config-router)#default-information originate metric 20

distance
Description: Set the administrative distance for OSPF routes, based on route type.

Syntax: [no] distance { num | ospf {external | inter-area | intra-area} num }

Parameters:
- num: Sets the administrative distance for all route types. You can specify 1-255.
- ospf {external | inter-area | intra-area} num: Sets the administrative distance for specific route types:
  - external: Routes that OSPF learns from other routing domains by redistribution.
  - intra-area: Routes within the same OSPF area.
  - inter-area: Routes between OSPF areas.
  You can use the ospf option with one or more of its suboptions. For each route type, you can specify 1-255.

Default: For all route types, the default administrative distance is 110.

Mode: OSPFv2

Usage: The administrative distance specifies the trustworthiness of routes. A low administrative distance value indicates a high level of trust. Likewise, a high administrative distance value indicates a low level of trust. For example, setting the administrative distance value for external routes to 255 means those routes are very untrustworthy and should not be used.

distribute-list
Description: Filter the networks received or sent in route updates.

Syntax: [no] distribute-list acl-id { in | out {connected | floating-ip | ip-nat | ip-nat-list | ospf | static | vip} }

Parameters:
- acl-id: ID of an ACL. Only the networks permitted by the ACL will be allowed.
- in: Uses the specified ACL to filter routes received by OSPF from other sources. The filter applies to routes from all sources.
- out route-type: Uses the specified ACL to filter routes advertised by OSPF to other routing domains. The route-type can be one of the following:
  - connected: Filters advertisement of directly connected networks.
  - floating-ip: Filters advertisement of networks for HA floating IP addresses.
  - ip-nat: Filters advertisement of networks that are translated NAT addresses allocated from a pool.
  - ip-nat-list: Filters advertisement of networks that are translated NAT addresses allocated from a range list.
  - ospf [process-id]: Filters advertisement of networks to another OSPF process.
  - static [only-flagged | only-not-flagged]: Filters advertisement of networks reached by static routes.
  - vip [only-flagged | only-not-flagged]: Filters advertisement of networks to reach VIPs. By default, the option applies to all VIPs. To restrict the option to a subset of VIPs, use one of the following options:
    - only-flagged: Redistributes only the VIPs on which the redistribution-flagged command is used.
    - only-not-flagged: Redistributes all VIPs except those on which the redistribution-flagged command is used.

Note: The bgp, isis, and kernel options are not applicable to the current release and are not supported.

Default: None

Mode: OSPFv2

host ipaddr area


Description: Configure a stub host entry for an area.

Syntax: [no] host ipaddr area area-id [cost num]

Parameters:
- ipaddr: IP address of the host.
- area area-id: OSPF area where the host is located.
- cost num: Cost of the stub host entry, 0-65535.

Default: None

Mode: OSPFv2

Usage: Routes to the host are listed in router LSAs as stub links.


neighbor
Description: Configure an OSPF neighbor that is located on a non-broadcast network.

Syntax: [no] neighbor ipaddr [ cost num | poll-interval seconds [priority num] | priority num [poll-interval seconds] ]

Parameters:
- ipaddr: IP address of the OSPF neighbor.
- cost num: Specifies the link-state metric to the neighbor, 1-65535.
- poll-interval seconds: Number of seconds this OSPF router will wait for a reply to a hello message sent to the neighbor, before declaring the neighbor to be offline. You can specify 1-65535 seconds.
- priority num: Router priority of the neighbor, 1-255.

Default: No neighbors on non-broadcast networks are configured by default. When you configure one, the other parameters have the following default settings:
- cost: not set
- poll-interval: 120 seconds
- priority: 0

Mode: OSPFv2

Usage: This command is required only for neighbors on non-broadcast networks. Adjacencies to neighbors on other types of networks are automatically established by the OSPF protocol. It is recommended to set the poll-interval to a much higher value than the hello interval.


network
Description: Enable OSPF routing for an area, on interfaces that have IP addresses in the specified area subnet.

Syntax: [no] network ipaddr {/mask-length | wildcard-mask} area area-id [instance-id num]

Parameters:
- ipaddr {/mask-length | wildcard-mask}: Subnet of the area. You can specify the subnet in CIDR format (ipaddr/mask-length) or as ipaddr wildcard-mask. In a wildcard-mask, 0s represent the network portion and 1s represent the host portion. For example, for a subnet that has 254 hosts and a 24-bit network mask, the wildcard-mask is 0.0.0.255.
- area area-id: Area ID.
- instance-id num: Range of OSPF instances for which to enable OSPF routing for the area, 0-255. If you omit this option, OSPF routing is enabled for all OSPF instances that are running on interfaces that have IP addresses in the specified area subnet.

Default: None

Mode: OSPFv2

Example: The following command configures an OSPF network:

AX(config-router)#network 10.10.20.20/24 area 10.10.20.30
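The following audit script is an added example, not A10 code. It ties the network command above to the area area-id authentication command earlier in this section: it normalizes each network statement (CIDR or wildcard-mask form) and reports the area-level authentication mode of every area. The sample configuration is constructed, and the script covers only the area-level command, not the per-interface ip ospf settings that the manual documents elsewhere.

```python
import ipaddress

# Constructed sample: lines as they would be typed at the AX(config-router)# level.
SAMPLE_CONFIG = """\
router ospf
network 10.10.20.20/24 area 10.10.20.30
network 192.168.5.0 0.0.0.255 area 0
network 172.16.0.0 0.0.255.255 area 5
area 0 authentication message-digest
area 5 authentication
area 6.6.6.6 nssa
passive-interface ve 3
"""


def wildcard_to_prefix(wildcard):
    """Convert a wildcard mask (0s = network bits, 1s = host bits) to a prefix length."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    # A usable wildcard is a run of 0s followed by a run of 1s, so adding 1
    # must carry through every set bit and leave no bit in common.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return 32 - host_bits.bit_length()


def normalize_area(area_id):
    """Area IDs may be a number or an IP address; report both as dotted quads."""
    if area_id.isdigit():
        return str(ipaddress.IPv4Address(int(area_id)))
    return str(ipaddress.IPv4Address(area_id))


def parse_network(tokens):
    """tokens follow the keyword 'network'; returns (subnet, area)."""
    if "/" in tokens[0]:
        subnet, rest = tokens[0], tokens[1:]
    else:
        subnet = f"{tokens[0]}/{wildcard_to_prefix(tokens[1])}"
        rest = tokens[2:]
    if len(rest) < 2 or rest[0] != "area":
        raise ValueError("network statement without an area")
    # strict=False: the manual's own example gives a host address (10.10.20.20/24).
    return ipaddress.ip_network(subnet, strict=False), normalize_area(rest[1])


def audit_area_auth(config_text):
    """Map each OSPFv2 area to its subnets and its area-level authentication mode."""
    areas = {}
    for raw in config_text.splitlines():
        tokens = raw.split("#", 1)[-1].split()  # tolerate a leading CLI prompt
        if not tokens:
            continue
        if tokens[0] == "network":
            subnet, area = parse_network(tokens[1:])
            entry = areas.setdefault(area, {"networks": [], "auth": "none"})
            entry["networks"].append(str(subnet))
        elif tokens[0] == "area" and tokens[2:3] == ["authentication"]:
            area = normalize_area(tokens[1])
            entry = areas.setdefault(area, {"networks": [], "auth": "none"})
            # Without message-digest, the manual says simple text authentication is used.
            entry["auth"] = "md5" if tokens[3:4] == ["message-digest"] else "simple-text"
    return areas


def areas_not_using_md5(config_text):
    """Areas left at the default (no authentication) or set to simple text."""
    report = audit_area_auth(config_text)
    return {area: entry["auth"] for area, entry in report.items() if entry["auth"] != "md5"}


if __name__ == "__main__":
    for area, entry in sorted(audit_area_auth(SAMPLE_CONFIG).items()):
        print(area, entry["auth"], ", ".join(entry["networks"]))
```
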

ospf abr-type
Description: Specify the Area Border Router (ABR) type.

Syntax: [no] ospf abr-type {cisco | ibm | shortcut | standard}

Parameters:
- cisco: Alternative ABR using Cisco implementation (RFC 3509).
- ibm: Alternative ABR using IBM implementation (RFC 3509).
- shortcut: Shortcut ABR (draft-ietf-ospf-shortcut-abr-02.txt).
- standard: Standard ABR behavior (RFC 2328)

Default: cisco

Mode: OSPFv2

overflow database
Description: Specify the maximum number of LSAs or the maximum size of the external database.

Syntax: [no] overflow database { max-lsa [hard | soft] | external max-lsa recover-time }

Parameters:
- max-lsa [hard | soft]: Specifies the maximum number of LSAs per OSPF instance, 0-4294967294. The hard | soft option specifies the action to take if the LSA limit is exceeded:
  - hard: Shut down the OSPF process for the instance.
  - soft: Issue a warning message without shutting down the OSPF process for the instance.
- external max-lsa recover-time: Specifies the maximum number of AS-external-LSAs the OSPF router can receive, 0-2147483647. The recover-time option specifies the number of seconds OSPF waits before attempting to recover after max-lsa is exceeded. You can specify 0-65535 seconds. To disable recovery, specify 0.

Default: The default max-lsa is 2147483647.

Mode: OSPFv2

summary-address
Description: Summarize or disable advertisement of external routes for a specific IP address range. A summary-address helps reduce the size of the OSPF link-state database.

Syntax: [no] summary-address ipaddr/mask {not-advertise | tag num}

Parameters:
- ipaddr/mask: Specifies the address range.
- not-advertise: Disables advertisement of routes for the specified range.
- tag num: Includes the specified tag value in external LSAs for IP addresses within the specified range. The tag value can be 0-4294967295. The default tag value is 0.

Default: None

Mode: OSPFv2

Configuration Commands Applicable to OSPFv3 Only


All the global OSPF commands that are applicable to OSPFv3 are also applicable to OSPFv2. (See Configuration Commands Applicable to OSPFv2 or OSPFv3 on page 258.)


Config Commands: Server Load Balancing


The commands in this chapter configure SLB parameters. In some cases, the commands create an SLB configuration item and change the CLI to the configuration level for that item. This CLI level also has the following commands, which are available at all configuration levels:
- backup: See backup config on page 39 and backup log on page 40.
- clear: See clear on page 50.
- debug: See debug on page 53.
- do: See do on page 103.
- end: See end on page 107.
- exit: See exit on page 108.
- no: See no on page 134.
- show: See Show Commands on page 527.
- write: See write terminal on page 67.

slb buff-thresh
Description: Fine-tune thresholds for SLB buffer queues.

Caution: Do not use this command except under advisement by A10 Networks.

Syntax: [no] slb buff-thresh hw-buff num relieve-thresh num sys-buff-low num sys-buff-high num

Parameters:
- hw-buff num: IO buffer threshold. For each CPU, if the number of queued entries in the IO buffer reaches this threshold, fast aging is enabled and no more IO buffer entries are allowed to be queued on the CPU's IO buffer.
- relieve-thresh num: Threshold at which fast aging is disabled, to allow IO buffer entries to be queued again.
- sys-buff-low num: Threshold of queued system buffer entries at which the AX begins refusing new incoming connections.
- sys-buff-high num: Threshold of queued system buffer entries at which the AX device drops a connection whenever a packet is received for that connection.

Mode: Configuration mode

slb compress-block-size
Description: Change the default compression block size used for SLB.

Syntax: [no] compress-block-size bytes

Parameters:
- bytes: Default compression block size, 6000-32000 bytes.

Default: 16000

Mode: Configuration mode

slb conn-rate-limit
Description: Configure source-IP based connection rate limiting.

Syntax: [no] slb conn-rate-limit src-ip {tcp | udp} conn-limit per {100 | 1000} [shared] [exceed-action [log] [lock-out lockout-period]]

Parameters:
- tcp | udp: Specifies the Layer 4 protocol for which the filter applies.
- conn-limit: Specifies the connection limit. The connection limit is the maximum number of connection requests allowed from a client, within the limit period. You can specify 1-1000000.
- per {100 | 1000}: Specifies the limit period. The limit period is the interval to which the connection limit is applied. A client is conforming to the rate limit if the number of new connection requests within the limit period does not exceed the connection limit. You can specify 100 milliseconds or 1000 milliseconds.
- shared: Specifies that the connection limit applies in aggregate to all virtual ports. If you omit this option, the limit applies separately to each virtual port.
- exceed-action [log] [lock-out lockout-period]: Enables optional exceed actions:
  - log: Enables logging. Logging generates a log message when a client exceeds the connection limit.
  - lock-out lockout-period: Locks out the client for a specified number of seconds. During the lockout period, all connection requests from the client are dropped. The lockout period can be 1-3600 seconds (1 hour). There is no default.

Note: All connection requests in excess of the connection limit that are received from a client within the limit period are dropped. This action is enabled by default when you enable the feature, and can not be disabled.

Default: Not set

Mode: Configuration mode

Usage: For more information, including deployment considerations, see the Source-IP Based Connection Rate Limiting section in the Traffic Security Features chapter of the AX Series Configuration Guide.

Example: The following command allows up to 1000 connection requests per one-second interval from any individual client. If a client sends more than 1000 requests within a given limit period, the client is locked out for 3 seconds. The limit applies separately to each individual virtual port. Logging is not enabled.

AX(config)#slb conn-rate-limit src-ip 1000 per 1000 exceed-action lock-out 3

Example: The following command allows up to 2000 connection requests per 100-millisecond interval. The limit applies to all virtual ports together. Logging is enabled but lockout is not enabled.

AX(config)#slb conn-rate-limit src-ip 2000 per 100 shared exceed-action log

Example

The following command allows up to 2000 connection requests per 100millisecond interval. The limit applies to all virtual ports together. Logging is enabled and lockout is enabled. If a client sends a total of more than 2000 requests within a given limit period, to one or more virtual ports, the client is locked out for 3 seconds.

AX(config)#slb conn-rate-limit src-ip 2000 per 100 shared exceed-action log lock-out 3
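The difference between the per-virtual-port default and the shared option, and the effect of lock-out, can be seen in a small model. This is an added example, not code from the AX Series documentation or from ACOS. It assumes fixed limit periods that start at a counter's first request and a lockout tracked per counter; the class, function and variable names are illustrative.

```python
class ConnRateLimiter:
    """Model of 'slb conn-rate-limit src-ip' as the reference describes it.

    Assumptions (not stated in the reference): limit periods are fixed
    windows that start at a counter's first request, and a lockout is
    tracked per counter.
    """

    def __init__(self, conn_limit, period_ms, shared=False, log=False, lockout_s=0):
        if not 1 <= conn_limit <= 1_000_000:
            raise ValueError("conn-limit must be 1-1000000")
        if period_ms not in (100, 1000):
            raise ValueError("limit period must be 100 or 1000 milliseconds")
        if lockout_s and not 1 <= lockout_s <= 3600:
            raise ValueError("lockout period must be 1-3600 seconds")
        self.conn_limit = conn_limit
        self.period_ms = period_ms
        self.shared = shared
        self.log = log
        self.lockout_ms = lockout_s * 1000
        self.windows = {}        # counter key -> [window_start_ms, count]
        self.locked_until = {}   # counter key -> time the lockout ends (ms)
        self.exceed_events = []  # the model's own record, not the AX log format

    def _key(self, src_ip, vport):
        # 'shared' counts a client across all virtual ports; the default
        # keeps one counter per (client, virtual port) pair.
        return src_ip if self.shared else (src_ip, vport)

    def request(self, now_ms, src_ip, vport):
        """Return 'accept' or 'drop' for one new connection request."""
        key = self._key(src_ip, vport)
        if now_ms < self.locked_until.get(key, 0):
            return "drop"                      # inside a lockout period
        window = self.windows.setdefault(key, [now_ms, 0])
        if now_ms - window[0] >= self.period_ms:
            window[0], window[1] = now_ms, 0   # a new limit period begins
        window[1] += 1
        if window[1] <= self.conn_limit:
            return "accept"
        if window[1] == self.conn_limit + 1:   # first excess request in this period
            if self.log:
                self.exceed_events.append((now_ms, src_ip, vport))
            if self.lockout_ms:
                self.locked_until[key] = now_ms + self.lockout_ms
        return "drop"                          # excess requests are always dropped


def replay(limiter, events):
    """Feed (time_ms, src_ip, vport) events; return accept and drop totals."""
    totals = {"accept": 0, "drop": 0}
    for now_ms, src_ip, vport in events:
        totals[limiter.request(now_ms, src_ip, vport)] += 1
    return totals


# Constructed traffic: one client sends 30 requests in 30 ms, alternating
# between two virtual ports (15 requests to each).
BURST = [(t, "198.51.100.7", 80 if t % 2 == 0 else 443) for t in range(30)]

if __name__ == "__main__":
    per_port = ConnRateLimiter(conn_limit=20, period_ms=100)
    shared = ConnRateLimiter(conn_limit=20, period_ms=100, shared=True,
                             log=True, lockout_s=3)
    print("per virtual port:", replay(per_port, BURST))
    print("shared          :", replay(shared, BURST))
    print("during lockout  :", shared.request(2000, "198.51.100.7", 80))
    print("after lockout   :", shared.request(3020, "198.51.100.7", 80))
```

With a limit of 20, the per-virtual-port counters accept all 30 requests because each port sees only 15, while the shared counter accepts 20 and then locks the client out.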

slb dns-cache-age
Description
Configure the amount of time the AX device locally caches DNS replies.

Syntax
[no] slb dns-cache-age seconds

Parameter  Description

seconds
  Number of seconds the AX device caches DNS replies. You can specify 1-1000000 seconds.

Default
300

Mode
Configuration mode

Usage
A DNS reply begins aging as soon as it is cached and continues aging even if the cached reply is used after aging starts. Use of a cached reply does not reset the age of that reply.

DNS cache aging is applicable only when DNS caching is enabled. (See slb dns-cache-enable on page 286.)

slb dns-cache-enable
Description
Enable local caching of replies to DNS queries.

Syntax
[no] slb dns-cache-enable

Default
Disabled

Mode
Configuration mode

Usage
When DNS caching is enabled, the AX device sends the first request for a given name (hostname, fully-qualified domain name, URL, and so on) to the DNS server. The AX device caches the reply from the DNS server, and sends the cached reply in response to the next request for the same name.

The AX device continues to use the cached DNS reply until the reply times out. After the reply times out, the AX device sends the next request for the URL to the DNS server, and caches the reply, and so on.

DNS caching applies only to DNS requests sent to a UDP virtual port in a DNS SLB configuration. DNS caching is not supported for DNS requests sent over TCP.

slb dsr-health-check-enable
Description
Enable health checking of the virtual server IP addresses instead of the real server IP addresses in Direct Server Return (DSR) configurations.

Syntax
[no] slb dsr-health-check-enable

Default
Disabled

Mode
Configuration mode

Usage
This feature also requires configuration of a Layer 3 health method (ICMP), with the transparent option enabled, and with the alias address set to the virtual IP address. (See method on page 496.) The health monitor must be applied to the real server ports.

Example
The following commands configure a Layer 3 health monitor for DSR health checking, apply it to the real server ports, and enable DSR health checking:

AX(config)#health monitor dsr-hm
AX(config-health:monitor)#method icmp transparent 10.10.10.99
AX(config-health:monitor)#exit
AX(config)#slb dsr-health-check-enable

slb enable-l7-req-acct
Description
Globally enable Layer 7 request accounting.

Syntax
[no] slb enable-l7-req-acct

Default
Disabled

Mode
Configuration mode

Usage
If you use the least-request load-balancing method in a service group, Layer 7 request accounting is automatically enabled for the service group's members, and for the virtual service ports that are bound to the service group's members.

To display Layer 7 request statistics, use the show slb service-group group-name command. See show slb server on page 676, show slb service-group on page 682, and show slb virtual-server on page 701.

slb fast-path-disable
Description
Enable fast-path packet inspection.

Syntax
[no] slb fast-path-disable

Default
Fast processing of packets is enabled by default. (Deep inspection of every packet field is enabled.)

Mode
Configuration mode

Usage
Fast processing of packets maximizes performance by using all the underlying hardware assist facilities. Typically, the feature should remain enabled. The option to disable it is provided only for troubleshooting, in case it is suspected that the fast processing logic is causing an issue.

If you disable fast-path processing, ACOS does not perform a deep inspection of every field within a packet.

slb graceful-shutdown
Description
Allow currently active sessions time to terminate normally before shutting down a service when you delete or disable the real or virtual server or port providing the service.

Syntax
[no] slb graceful-shutdown grace-period [server | virtual-server] [after-disable]

Parameter  Description

grace-period
  Number of seconds existing connections on a disabled or deleted server or port are allowed to remain up before being terminated. You can specify 1-65535 seconds.

server
  Limits the graceful shutdown to real servers only.

virtual-server
  Limits the graceful shutdown to virtual servers only.

after-disable
  Applies graceful shutdown to disabled servers and service ports, as well as deleted servers. Without this option, graceful shutdown applies only to deleted servers.

Default
Disabled. When you delete a real or virtual service port, the AX device places all the port's sessions in the delete queue, and stops accepting new sessions on the port.

Mode
Configuration mode

Usage
When graceful shutdown is enabled, the AX device stops accepting new sessions on a disabled or deleted port, but waits for the specified grace period before moving active sessions to the delete queue.

Example
The following command enables graceful shutdown and sets the grace period to one hour:

AX(config)#slb graceful-shutdown 3600

slb hw-compression
Description
Enable hardware-based compression.

Syntax
[no] slb hw-compression

Default
Disabled.

Mode
Configuration mode

Usage
Hardware-based compression is available using an optional hardware module in the following models: AX 2100, AX 2200, AX 3100, AX 3200, and AX 5200. If this command does not appear on your AX device, the device does not contain a compression module.

Note: Installation of the compression module into AX devices in the field is not supported. Contact A10 Networks for information on obtaining an AX device that includes the module.

When you enable hardware-based compression, all compression settings configured in HTTP templates, except the compression level, are used. Hardware-based compression always uses the same compression level, regardless of the compression level configured in an HTTP template.

Example
The following command enables hardware-based compression:

AX(config)#slb hw-compression

slb l2l3-trunk-lb-disable
Description
Disable or re-enable trunk load balancing.

Syntax
[no] slb l2l3-trunk-lb-disable

Default
Enabled.

Mode
Configuration mode

Usage
When trunk load balancing is enabled, the AX device load balances outbound Layer 2/3 traffic among all the ports in a trunk. The round-robin method is used to load balance the traffic. For example, in a trunk containing ports 1-4, the first Layer 2/3 packet is sent on port 1. The second packet is sent on port 2. The third packet is sent on port 3, and so on.

If you disable trunk load balancing, the lead port is always used for outbound traffic. The other ports are standby ports in case the lead port goes down.

Trunk load balancing applies only to Layer 2/3 traffic, and is enabled by default. However, the CLI provides a command to disable trunk load balancing, in case there is a need to do so. Disabling trunk load balancing causes the AX device to use only the lead port for outbound traffic.

Note: Trunk load balancing does not apply to Layer 4-7 traffic.

slb msl-time
Description
Configure the maximum session life for client sessions. The maximum session life controls how long the AX device maintains a session table entry for a client-server session after the session ends.

Syntax
[slb] msl-time seconds

Parameter  Description

seconds
  Number of seconds a client session can remain in the session table following completion of the session. You can specify 1-40 seconds.

Default
2 seconds

Mode
Configuration mode

Usage
The maximum session life allows time for retransmissions from clients or servers, which can occur if there is an error in a transmission. If a retransmission occurs while the AX device still has a session entry for the session, the AX device is able to forward the retransmission. However, if the session table entry has already aged out, the AX device drops the retransmission instead.

The maximum session life begins aging out a session table entry when the session ends:

TCP - The session ends when the AX device receives a TCP FIN from the client or server.

UDP - The session ends after the AX device receives a server response to the client's request. If the reply is fragmented, the maximum session life begins only after the last fragment is received.

Note: For UDP sessions, the maximum session life is used only if UDP aging is set to short, instead of immediate. UDP aging is set in the UDP template bound to the UDP virtual port. The default setting is short.

slb mss-table
Description
Configure the TCP Maximum Segment Size (MSS) allowed for client traffic.

Syntax
[no] slb mss-table num

Parameter  Description

num
  Minimum MSS allowed in traffic from clients. You can specify 128-750.

Default
538

Mode
Configuration mode

Usage
Clients who can only transmit TCP segments that are smaller than the MSS are unable to reach servers.

This command globally changes the MSS. You also can change the MSS in individual TCP-proxy templates. (See slb template tcp-proxy on page 369.)

slb new-path-enable
Description
Enable new-path processing for Large-Scale NAT (LSN).

Caution: In the current release, new-path processing is required for LSN and applies only to LSN. The option does not apply to any other features.

Syntax
[no] slb new-path-enable

Default
Disabled

Mode
Configuration mode

slb rate-limit-logging
Description
Configure rate limiting settings for system logging.

Syntax
slb rate-limit-logging [max-local-rate msgs-per-second] [max-remote-rate msgs-per-second] [exclude-destination {local | remote}]

Parameter  Description

max-local-rate msgs-per-second
  Specifies the maximum number of messages per second that can be sent to the local log buffer. You can specify 1-100.

max-remote-rate msgs-per-second
  Specifies the maximum number of messages per second that can be sent to remote log servers. You can specify 1-100000.

exclude-destination {local | remote}
  Excludes logging to the specified destination, local or remote.

Default
Log rate limiting is enabled by default and can not be disabled. The configurable settings have the following default values:

max-local-rate - 32 messages per second
max-remote-rate - 15000 messages per second
exclude-destination - Logging to both destinations is enabled.

Mode
Configuration mode

Usage
The log rate limiting mechanism works as follows:

If the number of new messages within a one-second interval exceeds the internal maximum (32 by default), then during the next one-second interval, the AX sends log messages only to the external log servers.

If the number of new messages generated within the new one-second interval is the internal maximum or less, then during the following one-second interval, the AX will again send messages to the local logging buffer as well as the external log server.

In any case, all messages (up to the external maximum) are sent to the external log servers.

Example
The following command increases the maximum number of external messages per second:

AX(config)#slb rate-limit-logging max-remote-rate 30000
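The mechanism above determines which seconds of log data can be missing from the local buffer after a burst. The following model is an added example, not code from the AX Series documentation or from ACOS. It assumes that in a second when local logging is active the buffer receives up to max-local-rate messages; the function and field names are illustrative.

```python
def simulate_log_rate_limit(msgs_per_second, max_local=32, max_remote=15000,
                            exclude=None):
    """Apply the described log rate limiting to per-second message counts.

    msgs_per_second: list of messages generated in each one-second interval.
    exclude: None, "local" or "remote" (the exclude-destination option).
    Assumption: in an interval when local logging is active, the local
    buffer receives at most max_local messages.
    """
    if not 1 <= max_local <= 100:
        raise ValueError("max-local-rate must be 1-100")
    if not 1 <= max_remote <= 100000:
        raise ValueError("max-remote-rate must be 1-100000")
    if exclude not in (None, "local", "remote"):
        raise ValueError("exclude-destination must be local or remote")

    timeline = []
    previous = 0  # messages generated in the preceding interval
    for second, generated in enumerate(msgs_per_second):
        # Local logging is suspended for one interval after an interval
        # whose message count exceeded the internal maximum.
        local_active = exclude != "local" and previous <= max_local
        to_local = min(generated, max_local) if local_active else 0
        to_remote = 0 if exclude == "remote" else min(generated, max_remote)
        timeline.append({
            "second": second,
            "generated": generated,
            "to_local": to_local,
            "to_remote": to_remote,
            # Messages that reached neither destination.
            "unlogged": generated - max(to_local, to_remote),
        })
        previous = generated
    return timeline


def local_blind_seconds(timeline):
    """Intervals in which messages were generated but none reached the local buffer."""
    return [row["second"] for row in timeline
            if row["generated"] and not row["to_local"]]


# Constructed message counts for seven consecutive seconds.
SAMPLE_COUNTS = [10, 50, 5, 40, 40, 3, 3]

if __name__ == "__main__":
    for row in simulate_log_rate_limit(SAMPLE_COUNTS):
        print(row)
    print("local buffer blind in seconds:",
          local_blind_seconds(simulate_log_rate_limit(SAMPLE_COUNTS)))
    no_remote = simulate_log_rate_limit(SAMPLE_COUNTS, exclude="remote")
    print("unlogged with exclude-destination remote:",
          sum(row["unlogged"] for row in no_remote))
```

In the sample, the quiet second that follows each burst is absent from the local buffer, so the remote log server is the only complete record for those intervals.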

slb reset-stale-session
Description
Please contact A10 Networks for information.

slb server
Description
Configure a real server. Use the first command shown below to create or delete a server. Use the second command to edit a server.

Syntax
[no] slb server server-name {ipaddr | hostname}

Parameter  Description

server-name
  Server name, 1-31 characters.

hostname
  Fully-qualified hostname, for dynamic real server creation.

ipaddr
  IP address of the server in either IPv4 or IPv6 format. The address is required only if you are creating a new server.

Default
N/A

Mode
Configuration mode

Usage
The normal form of this command creates a new or edits an existing real server. The CLI changes to the configuration level for the server. See Config Commands: SLB Servers on page 381.

The IP address of the server can be in either IPv4 or IPv6 format. The AX Series supports both address formats.

The no form of this command removes an existing real server.

The maximum number of real servers is configurable. See system resource-usage on page 165.

Example
The following example creates a new real server with an IPv4 address:

AX(config)#slb server rs1 10.10.10.99
AX(config-real server)#

Example
The following example creates a new real server with an IPv6 address:

AX(config)#slb server rs2 2020:3e8::3
AX(config-real server)#

Example
The following commands configure a hostname server for dynamic server creation using DNS, add a port to it, and bind the server template to it:

AX(config)#slb server s-test1 s1.test.com
AX(config-real server)#template server temp-server
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit

slb service-group
Description
Configure an SLB service group.

Syntax
[no] slb service-group group-name {tcp | udp}

Parameter  Description

group-name
  Name of the group, 1-31 characters.

tcp | udp
  Application type of the group.

Default
There are no service groups configured by default.

Mode
Configuration mode

Usage
The normal form of this command creates a new or edits an existing service group. The CLI changes to the configuration level for the service group. See Config Commands: SLB Service Groups on page 393.

Example
The following example adds TCP service group my-service-group:

AX(config)#slb service-group my-service-group tcp
AX(config-slb service group)#

slb snat-gwy-for-l3
Description
Use an IP pool's default gateway to forward traffic from a real server.

Syntax
[no] slb snat-gwy-for-l3

Default
Disabled

Mode
Configuration mode

Usage
When this feature is enabled, ACOS checks the server IP subnet against the IP NAT pool subnet. If they are on the same subnet, then ACOS uses the gateway as defined in the IP NAT pool for Layer 2 / Layer 3 forwarding.

This feature is useful if the server does not have its own upstream router and ACOS can leverage the same upstream router for Layer 2 / Layer 3.

slb snat-on-vip
Description
Globally enable IP NAT support for VIPs.

Syntax
[no] slb snat-on-vip

Default
Disabled

Mode
Configuration mode

Usage
Source IP NAT can be configured on a virtual port in the following ways:

1. ACL-SNAT Binding at the virtual port level
2. VIP source NAT at the Configuration level
3. aFleX policy bound to the virtual port
4. Source NAT Pool at the virtual port level

These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and VIP source NAT is also enabled globally, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, the globally configured VIP source NAT can be used instead.

Note: The current release does not support source IP NAT on FTP or RTSP virtual ports.

slb ssl-create certificate


Description
Create a self-signed certificate for use with SLB.

Syntax
slb ssl-create certificate certificate-name

Parameter  Description

certificate-name
  Name of the certificate, 1-31 characters.

This command displays a series of prompts for the following information:

Key length, which can be 512, 1024, or 2048 bits
Common name, 1-64 characters
Division, 0-31 characters
Organization, 0-63 characters
Locality, 0-31 characters
State or Province, 0-31 characters
Country, 2 characters
Email address, 0-64 characters
Number of days the certificate is valid, 30-3650 days

The key length, common name, and number of days the certificate is valid are required. The other information is optional. The certificate is created when you press enter after answering the last prompt.

Default
The default key length is 1024 bits. The default number of days the certificate is valid is 730.

Mode
Configuration mode

Usage
To use the certificate, add it to a client-SSL or server-SSL template. (See slb template client-ssl on page 312 or slb template server-ssl on page 357.)

If you need to create a wildcard certificate, use an asterisk as the first part of the common name. For example, to create a wildcard certificate for domain example.com and its sub-domains, enter the following common name: *.example.com

Example
The following commands create a self-signed certificate named "slbcert1" and verify the configuration:

AX(config)#slb ssl-create certificate slbcert1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcert1
input Division, 0~31:Div1
input Organization, 0~63:Org2
input Locality, 0~31:WestCoast
input State or Province, 0~31:CA
input Country, 2 characters:US
input email address, 0~64:axadmin@example.com
input valid days, 30~3650, default 730:<Enter>
AX(config)#show slb ssl cert
name: slbcert1
type: certificate/key
Common Name: slbcert1
Organization: Org2
Expiration: Apr 10 00:34:34 2010 GMT
Issuer: Self
key size: 1024
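Because the command accepts 512-bit and 1024-bit keys and defaults to 1024, the show slb ssl cert output is worth checking after certificates are created. The following parser is an added example, not code from the AX Series documentation. It assumes the output consists of the "label: value" fields shown above, uses a 2048-bit minimum as an audit threshold, and includes a second, constructed entry; the function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Field labels as they appear in the 'show slb ssl cert' output on this page.
FIELD = re.compile(
    r"\b(name|type|Common Name|Organization|Expiration|Issuer|key size):\s*")
MIN_KEY_BITS = 2048  # assumption: audit threshold, not an AX setting


def parse_certs(text):
    """Split the output into one dict per certificate (each starts at 'name:')."""
    parts = FIELD.split(text)  # [preamble, label, value, label, value, ...]
    certs = []
    for label, value in zip(parts[1::2], parts[2::2]):
        if label == "name":
            certs.append({})
        if certs:
            certs[-1][label] = value.strip()
    return certs


def audit(cert, now):
    """Return a list of findings for one parsed certificate entry."""
    findings = []
    bits = cert.get("key size", "")
    if not bits.isdigit():
        findings.append("key size not reported")
    elif int(bits) < MIN_KEY_BITS:
        findings.append(f"weak key: {bits} bits")
    if cert.get("Issuer") == "Self":
        findings.append("self-signed")
    expiration = cert.get("Expiration")
    if expiration:
        expires = datetime.strptime(expiration, "%b %d %H:%M:%S %Y GMT")
        if expires.replace(tzinfo=timezone.utc) <= now:
            findings.append(f"expired: {expiration}")
    if cert.get("Common Name", "").startswith("*."):
        findings.append("wildcard common name")
    return findings


# First entry: the output shown on this page. Second entry: constructed
# values in the same field layout (the Issuer value format is an assumption).
SAMPLE = """AX(config)#show slb ssl cert
name: slbcert1
type: certificate/key
Common Name: slbcert1
Organization: Org2
Expiration: Apr 10 00:34:34 2010 GMT
Issuer: Self
key size: 1024
name: wildcard1
type: certificate/key
Common Name: *.example.com
Organization: Org2
Expiration: Apr 10 00:34:34 2012 GMT
Issuer: Example CA
key size: 2048
"""

if __name__ == "__main__":
    as_of = datetime(2010, 11, 3, tzinfo=timezone.utc)  # constructed audit date
    for cert in parse_certs(SAMPLE):
        print(cert["name"], audit(cert, as_of) or ["no findings"])
```

The parser splits on the field labels rather than on line breaks, so it also handles output that has been pasted as a single line.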

slb ssl-create csr


Description
Create a Certificate Signing Request (CSR), to use for requesting a signed certificate from an external Certificate Authority (CA).

Syntax
slb ssl-create csr csr-name url

Parameter  Description

csr-name
  Name of the CSR, 1-31 characters.

url
  File transfer protocol, username (if required), and directory path, for exporting the CSR request. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
  tftp://host/file
  ftp://[user@]host[:port]/file
  scp://[user@]host/file
  rcp://[user@]host/file

This command displays a series of prompts for the following information:

IP address of the server to which to export the CSR
Username for write access to the server
Password for write access to the server
Path and filename
Key length, which can be 512, 1024, or 2048 bits
Common name, 1-64 characters
Division, 0-31 characters
Organization, 0-63 characters
Locality, 0-31 characters
State or Province, 0-31 characters
Country, 2 characters
Email address, 0-64 characters
Passphrase to use for the key, 0-31 characters

The CSR is created when you press enter after answering the last prompt. The key for the certificate is also created.

Default
The default key length is 1024 bits. The default number of days the certificate will be valid is 730.

Mode
Configuration mode

Usage
After the CSR is generated and exported by this command, send the CSR to the CA. After you receive the signed certificate from the CA, use the import command to import the CA onto the AX device. (See import on page 57.) The key does not need to be imported. The key is generated along with the CSR.

If you need to create a request for a wildcard certificate, use an asterisk as the first part of the common name. For example, to request a wildcard certificate for domain example.com and its sub-domains, enter the following common name: *.example.com

Example
The following commands generate and export a CSR, then import the signed certificate.

AX(config)#slb ssl-create csr slbcsr1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?slbcsr1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcsr1
input Division, 0~31:div1
input Organization, 0~63:org2
input Locality, 0~31:westcoast
input State or Province, 0~31:ca
input Country, 2 characters:us
input email address, 0~64:axadmin@example.com
input Pass Phrase, 0~31:csrpword
Confirm Pass Phrase:csrpword
AX(config)#import ca-signedcert1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?ca-signedcert1

slb ssl-delete
Description
Delete an SSL certificate or private key from the AX Series device.

Syntax
[no] slb ssl-delete {certificate cert-name | private-key key-string}

Default
None.

Mode
Configuration mode

Usage
This command does not affect the server certificate of the Web management interface. The command applies only to certificates that have been imported for use with SSL offload.

Example
The following commands delete SSL certificate testcert.crt and its key:

AX(config)#slb ssl-delete certificate testcert.crt
AX(config)#slb ssl-delete private-key testcertkey.pem

slb ssl-load
Description
Load an SSL certificate, private key, or Certificate Revocation List (CRL) for use with SSL offload.

Note: The AX device only supports certificates that are in Privacy-Enhanced Mail (PEM) format. The maximum supported certificate size is 16KB. To convert a certificate from Windows format to PEM format, see the Importing SSL Certificates chapter in the AX Series Configuration Guide.

Syntax
[no] slb ssl-load {certificate file-name [type {der | pem | pfx}] | private-key file-name | crl file-name} [use-mgmt-port] url

Parameter  Description

file-name
  File name of the certificate, key, or CRL. If you are importing a certificate, use the type option to specify the format of the certificate. The AX device supports PEM format only. If you specify the certificate format, the AX device can convert the certificate into PEM format.

use-mgmt-port
  Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.

url
  File transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
  tftp://host/file
  ftp://[user@]host[:port]/file
  scp://[user@]host/file
  rcp://[user@]host/file
  http://[user@]host/file
  https://[user@]host/file

Default
None.

Mode
Configuration mode

Usage
This command is equivalent to the import ssl-cert and import ssl-key commands. You can use those commands or slb ssl-load to import SSL certificates and keys.

Example
The following commands load SSL certificate testcert.crt and its key:

AX(config)#slb ssl-load certificate testcert.pem scp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?testcert.pem
AX(config)#slb ssl-load private-key testcertkey.pem scp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?testcertkey.pem

Example
The following commands import a CA certificate and its key, and a CRL file:

AX(config)#slb ssl-load certificate ca-cert.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?ca-cert.pem
AX(config)#slb ssl-load private-key ca-certkey.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?ca-certkey.pem
AX(config)#slb ssl-load crl ca-crl.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?ca-crl.pem

slb template
Description
Configure an SLB template.

Syntax
[no] slb template template-type template-name

Parameter  Description

template-type
  Type of template:
  cache - Configures RAM caching of HTTP Web content.
  client-ssl - Configures offload of SSL validation of clients from real servers
  connection-reuse - Configures re-use of established connections
  dns - Configures DNS security.
  http - Configures HTTP modifications to server replies to clients and configures load balancing based on HTTP information
  persist cookie - Configures session persistence by inserting persistence cookies into server replies to clients
  persist destination-ip - Configures the granularity of load balancing persistence (selection of the same server resources) for clients, based on destination IP address
  persist source-ip - Configures the granularity of load balancing persistence for clients, based on source IP address
  persist ssl-sid - Directs clients based on SSL session ID
  policy - Configures Policy-Based SLB (PBSLB) settings
  port - Configures settings for real server ports
  server - Configures settings for real servers
  server-ssl - Configures the AX device to validate real servers based on their certificates
  sip - Configures separate load balancing of Session Initiation Protocol (SIP) registration traffic and non-registration traffic
  smtp - Configures STARTTLS support for Simple Mail Transfer Protocol (SMTP) clients
  streaming-media - Configures load balancing of multimedia content
  tcp - Configures TCP connection settings
  tcp-proxy - Configures TCP/IP stack parameters
  udp - Configures UDP connection settings
  virtual-port - Configures settings for virtual server ports
  virtual-server - Configures settings for virtual servers

template-name
  Name of the template.

Default
The templates have default settings, and some template types are automatically added to a virtual port depending on its service type. For information, see the AX Series Configuration Guide.

Mode
Configuration mode

Usage
The normal form of this command creates a new or edits an existing template. The CLI changes to the configuration level for the template. See Config Commands: SLB Templates on page 307.

The no form of this command removes an existing template.

The maximum number of templates is configurable. See system resource-usage on page 165.

Example
The following command creates a TCP-proxy template named proxy1:

AX(config)#slb template tcp-proxy proxy1
AX(config-TCP proxy template)#


slb transparent-tcp-template
Description
Set the idle timeout for pass-through TCP sessions. A pass-through TCP session is one that is not terminated by the AX device (for example, a session for which the AX device is not serving as a proxy for SLB).

Syntax
[no] slb transparent-tcp-template template-name

Parameter  Description

template-name
  Specifies the name of a TCP template. The idle timeout specified in the TCP template is used for pass-through TCP sessions.

Note: To use the default TCP template, specify the name default.

Default
The default idle timeout for pass-through TCP sessions is 30 minutes. The default idle timeout in TCP templates is 120 seconds.

Mode
Configuration mode

Usage
Only the idle timeout setting in the specified TCP template is applicable to pass-through TCP sessions. None of the other options in TCP templates affect pass-through TCP sessions.

Example
The following command changes the idle timeout for pass-through TCP sessions to the idle timeout set in the default TCP template:

AX(config)#slb transparent-tcp-template default

slb virtual-server
Description Syntax Configure a virtual server. [no] slb virtual-server name [ipaddr] or [no] slb virtual-server server-name starting-ip {subnet-mask | /mask-length} Parameter name Description Virtual server name, 1-31 characters.

304 of 722

P e r f o r m a n c e

b y

D e s i g n

Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010

AX Series - Command Line Interface - Reference


ipaddr

IP address of the virtual server in either IPv4 or IPv6 format. The address is required only if you are creating a new virtual server. If you are configuring a wildcard VIP, enter one of the following for the IP address:

0.0.0.0 - IPv4 wildcard VIP
:: - IPv6 wildcard VIP

You can use the acl acl-id option to specify the IP addresses to be handled as wildcard VIPs. (For more information, see the Wildcard VIPs chapter in the AX Series Configuration Guide.)

starting-ip {subnet-mask | /mask-length}

Configures a contiguous set of IPv4 or IPv6 VIPs, beginning with the starting-ip.

Default

N/A

Mode

Configuration mode

Usage

The normal form of this command creates a new or edits an existing virtual server. The CLI changes to the configuration level for the virtual server. See Config Commands: SLB Virtual Servers on page 403.

The no form of this command removes an existing virtual server.

The maximum number of virtual servers is configurable. See system resource-usage on page 165.

Notes on VIP Ranges

- The IP addresses in the specified subnet range cannot belong to an IP interface, real server, or other virtual server configured on the AX device.
- The largest supported IPv4 subnet length is /20.
- Statistics are aggregated for all VIPs in the subnet virtual server.
- The current release supports this feature only for DNS ports on the default DNS port number (TCP port 53 or UDP port 53).

Example

The following command configures a new virtual server named vs1:

AX(config)#slb virtual vs1 10.10.2.1
AX(config-slb virtual server)#



Example

The following command configures a set of VIPs for IP addresses 1.1.1.5-1.1.1.255:

AX(config)#slb virtual-server vs1 1.1.1.5 /24


Config Commands: SLB Templates


This chapter describes the commands and subcommands for configuring SLB configuration templates.

To access this configuration level, enter the slb template template-type template-name command at the Configuration mode level.

To display configured templates, use the show template command.

To apply a template to a virtual port, use the template template-type template-name command at the configuration level for the virtual port.

For more information about how to use templates, including configuration examples, see the Templates chapter in the AX Series Configuration Guide.

This CLI level also has the following commands, which are available at all configuration levels:

- clear - See clear on page 50.
- debug - See debug on page 53.
- do - See do on page 103.
- end - See end on page 107.
- exit - See exit on page 108.
- no - See no on page 134.
- show - See Show Commands on page 527.
- write - See write terminal on page 67.

slb template cache


Description

Configure the AX device to perform transparent Web caching.

Syntax

[no] slb template cache template-name

Parameter    Description

template-name

Name of the template, up to 31 characters long.



This command changes the CLI to the configuration level for the specified RAM caching template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command    Description

[no] accept-reload-req

Enables support for the following Cache-Control headers:

Cache-Control: no-cache
Cache-Control: max-age=0

When support for these headers is enabled, either header causes the AX device to reload the cached object from the origin server.

[no] age seconds

Specifies how long a cached object can remain in the AX RAM cache without being requested. You can specify 1-999999 seconds (about 11-1/2 days).

[no] default-policy-nocache

Changes the default cache policy in the template from cache to nocache. This option gives you tighter control over content caching. When you use the default no-cache policy, the only content that is cached is cacheable content whose URI matches an explicit cache policy.

[no] disable-insert-age

Disables insertion of Age headers into cached responses. Insertion of Age headers is enabled by default.

[no] disable-insert-via

Disables insertion of Via headers into cached responses. Insertion of Via headers is enabled by default.

[no] max-cache-size MB

Specifies the size of the AX RAM cache.

- On models AX 1000, AX 2000, AX 2100, AX 2200, AX 3100, and AX 3200, you can specify 1-512 MB.
- On model AX 2500, you can specify 1-1024 MB.
- On models AX 2600 and AX 3000, you can specify 1-2048 MB.
- On models AX 5100 and AX 5200, you can specify 1-4096 MB.

[no] max-content-size bytes

Specifies the maximum object size that can be cached. The AX device will not cache objects larger than this size. You can specify 0-4194303 bytes (4 MB). If you specify 0, no objects can be cached.

[no] min-content-size bytes

Specifies the minimum object size that can be cached. The AX device will not cache objects smaller than this size. You can specify 0-4194303 bytes (4 MB). If you specify 0, all objects smaller than or equal to the maximum content size can be cached.

[no] policy uri pattern {cache [seconds] | nocache | invalidate inv-pattern}

Configures a policy for dynamic caching.

pattern - Specifies the portion of the URL string to match on.

The options below specify the action to take for URLs that match the pattern:

cache [seconds] - Caches the content. By default, the content is cached for the number of seconds configured in the template (set by the age command). To override the aging period set in the template, specify the number of seconds with the cache command.
nocache - Does not cache the content.
invalidate inv-pattern - Invalidates the content that has been cached for inv-pattern.

[no] remove-cookies

Removes cookies from server replies so the replies can be cached. RAM caching does not cache server replies that contain cookies. (Image files are an exception. RAM caching can cache images that have cookies.)

[no] replacement-policy LFU

Specifies the policy used to make room for new objects when the RAM cache is full. The policy supported in the current release is Least Frequently Used (LFU). When the RAM cache becomes more than 90% full, the AX device discards the least-frequently used objects to ensure there is sufficient room for new objects.

[no] verify-host

Enables the AX device to cache the host name in addition to the URI for cached content. Use this command if a real server that contains cacheable content will host more than one host name (for example, www.abc.com and www.xyz.com).

Default

The default RAM caching template has the following defaults:

- accept-reload-req - Disabled
- age - 3600 seconds (1 hour)
- disable-insert-age - Insertion of Age headers is enabled by default.
- disable-insert-via - Insertion of Via headers is enabled by default.
- max-cache-size - 80 MB
- max-content-size - 81920 bytes (80 KB)
- min-content-size - 512 bytes
- remove-cookies - disabled
- replacement-policy - Least Frequently Used (LFU)
- verify-host - Disabled. Host names are not cached along with URIs for cached content.

Mode

Configuration mode

Usage

The normal form of this command creates a RAM caching configuration template. The no form of this command removes the template.

You can bind only one RAM caching template to a virtual port. However, you can bind the same RAM caching template to multiple ports.



If a URI matches the pattern in more than one policy command, the policy command with the most specific match is used. For example, if a template has the following commands, content for page122 is cached whereas content for page123 is not cached:

policy uri /page12 cache 300
policy uri /page123 nocache

Wildcard characters (for example: ? and *) are not supported in RAM Caching policies. For example, if the string pattern contains *, it is interpreted literally, as the * character.

In the current release, matching is performed based on containment. All URIs that contain the pattern string match the rule. For example, the following policy matches all URIs that contain the string .jpg and sets the cache timeout for the matching objects to 7200 seconds:

policy uri .jpg cache 7200

Example

The following commands configure a RAM caching template. In this example, all the default RAM cache settings are used.

AX(config)#slb template cache ramcache
AX(config-RAM caching template)#

Example

The following commands configure some dynamic caching policies. The policy that matches on /list caches content for 5 minutes. The policy that matches on /private does not cache content.

AX(config)#slb template cache ram-cache
AX(config-RAM caching template)#policy uri /list cache 300
AX(config-RAM caching template)#policy uri /private nocache

Example

The following commands configure a RAM caching template that will only cache content from www.xyz.com/news-clips.

AX(config)#slb template cache ramcache
AX(config-RAM caching template)#default-policy-nocache
AX(config-RAM caching template)#policy uri www.xyz.com/news-clips cache
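The policy matching rules in the Usage notes (containment, literal * and ?, most specific match) and the default cache policy, modelled in Python as an added example that is not A10 code. It assumes the most specific match is the longest matching pattern and that the host name is part of the matched string, and it models policy selection only, not whether a response is cacheable.

```python
"""Model of the 'policy uri' selection rules in a RAM caching template.

Added example, not A10 code. Assumptions: the "most specific match" is the
longest matching pattern; the host name is part of the matched string;
'invalidate' policies and HTTP cacheability checks are left out.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    pattern: str                   # literal substring; * and ? are not wildcards
    action: str                    # "cache" or "nocache"
    seconds: Optional[int] = None  # optional override of the template age


@dataclass(frozen=True)
class CacheTemplate:
    policies: Tuple[Policy, ...] = ()
    age: int = 3600                       # template default from this page
    default_policy_nocache: bool = False  # default-policy-nocache not entered

    def decide(self, uri: str) -> Tuple[str, Optional[int]]:
        """Return (action, ttl) for a URI; ttl is None when not cached."""
        hits = [p for p in self.policies if p.pattern in uri]  # containment
        if not hits:
            if self.default_policy_nocache:
                return ("nocache", None)
            return ("cache", self.age)
        best = max(hits, key=lambda p: len(p.pattern))  # assumed: longest wins
        if best.action == "nocache":
            return ("nocache", None)
        return ("cache", self.age if best.seconds is None else best.seconds)


# Constructed templates that mirror the policy commands shown on this page.
PAGE12 = CacheTemplate((Policy("/page12", "cache", 300),
                        Policy("/page123", "nocache")))
LIST_PRIVATE = CacheTemplate((Policy("/list", "cache", 300),
                              Policy("/private", "nocache")))
NEWS_ONLY = CacheTemplate((Policy("www.xyz.com/news-clips", "cache"),),
                          default_policy_nocache=True)
STAR_JPG = CacheTemplate((Policy("*.jpg", "cache", 7200),),
                         default_policy_nocache=True)

if __name__ == "__main__":
    # Constructed URIs: the third is cached by /list although it is an
    # account page, and the fourth is cached by the default cache policy.
    for uri in ("/private/list/q3", "/list/items", "/account/listing",
                "/account/settings"):
        print(f"{uri:22} -> {LIST_PRIVATE.decide(uri)}")
    print("/img/a.jpg with '*.jpg' policy ->", STAR_JPG.decide("/img/a.jpg"))
```

With the default cache policy, a nocache rule for /private leaves every other URI eligible for caching; the default-policy-nocache form caches only what an explicit policy names.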


slb template client-ssl


Description

Configure offload of SSL validation of clients from real servers.

Syntax

[no] slb template client-ssl template-name

Parameter    Description

template-name

Name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified client-SSL template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command    Description

[no] ca-cert cert-name

Specifies the name of the Certificate Authority (CA) certificate to use for validating client certificates. The CA certificate must be installed on the AX device. (You can use the import or slb ssl-load command. They are equivalent. See import on page 57 or slb ssl-load on page 300.)

[no] cert cert-name

Specifies the name of the certificate to use for terminating or initiating an SSL connection. The certificate must be installed on the AX.

[no] chain-cert chain-cert-name

Specifies a certificate-key chain.

[no] cipher cipher

Specifies the cipher suite to support for certificates from clients:

SSL3_RSA_DES_192_CBC3_SHA
SSL3_RSA_DES_40_CBC_SHA
SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_EXPORT1024_RC4_56_MD5
TLS1_RSA_EXPORT1024_RC4_56_SHA

[no] client-certificate {ignore | request | require}

Specifies the action that the AX device takes in response to a client's connection request:

ignore - The AX device does not request the client to send its certificate.

request - The AX device requests the client to send its certificate. With this action, the SSL handshake proceeds even if either of the following occurs:
- The client sends a NULL certificate (one with zero length).
- The certificate is invalid, causing client verification to fail.
Use this option if you want the request to trigger an aFleX policy for further processing.

require - The AX device requires the client certificate. This action requests the client to send its certificate. However, the SSL handshake does not proceed (it fails) if the client sends a NULL certificate or the certificate is invalid.

[no] close-notify

Enables closure alerts for SSL sessions. When this option is enabled, the AX device sends a close_notify message when an SSL transaction ends, before sending a FIN. This behavior is required by certain types of client applications, including PHP cgi. For this type of client, if the AX device does not send a close_notify, an error or warning appears on the client.

[no] crl filename

Specifies the Certificate Revocation List (CRL) to use for verifying that client certificates have not been revoked. The CRL must be installed on the AX device first. (You can use the slb ssl-load command. See slb ssl-load on page 300.)

When you add a CRL to a client SSL template, the AX device checks the CRL to ensure that the certificates presented by clients have not been revoked by the issuing CA.

Note: If you plan to use a CRL, you must set the client-certificate mode to require. The CRL should be signed by the same issuer as the CA certificate. Otherwise, the client and AX device will not be able to establish a connection.

[no] key key-name [passphrase passphrase-string]

Specifies the key for the certificate, and the passphrase used to encrypt the key.

[no] session-cache-size number

Maximum number of cached sessions for SSL session ID reuse, 0-131072. The value 0 disables session ID reuse.

Default

The configuration does not have a default client-side SSL template. If you create one, the template has the following defaults:

- cipher - All options are enabled. (This is equivalent to entering the cipher command multiple times, once with each of the options listed in the Syntax section.)
- client-certificate - ignore
- close-notify - disabled
- session-cache-size - 0 (Session ID reuse is disabled.)

Mode

Configuration mode

Usage

The normal form of this command creates a client-SSL configuration template. The no form of this command removes the template.

The certificate must be imported onto the AX Series. To import a certificate, see import on page 57 or slb ssl-load on page 300.

You can bind only one client-SSL template to a virtual port. However, you can bind the same client-SSL template to multiple ports.

Example

The following commands configure a client-SSL template named client-ssl1 that uses imported CA certificates and requires clients to present their certificates when requesting connections to servers:

AX(config)#slb template client-ssl client-ssl1
AX(config-client SSL template)#ca-cert ca-bundle.crt
AX(config-client SSL template)#client-certificate require

Example

The following commands configure a client SSL template to use an imported CA certificate and key, and an imported Certificate Revocation List (CRL) from the CA:

AX(config)#slb template client-ssl client-ssl1
AX(config-client SSL template)#ca-cert ca-cert.pem
AX(config-client SSL template)#crl ca-crl.pem
AX(config-client SSL template)#client-certificate require
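An added example (not A10 code) that checks client-SSL template commands against two points made above: a template with no cipher command enables all ten listed options, and a CRL takes effect only with client-certificate require. The input format (commands as typed in the examples here) and the WEAK_TOKENS classification are assumptions of this example.

```python
"""Audit client-SSL template commands against the rules on this page.

Added example, not A10 code. Assumptions: the input is the command text as
typed in the examples here (prompt optional); 'no' forms are not handled;
WEAK_TOKENS is this example's own classification, not the manual's.
"""
import re

# The ten cipher options listed for the cipher command on this page.
ALL_CIPHERS = (
    "SSL3_RSA_DES_192_CBC3_SHA", "SSL3_RSA_DES_40_CBC_SHA",
    "SSL3_RSA_DES_64_CBC_SHA", "SSL3_RSA_RC4_128_MD5",
    "SSL3_RSA_RC4_128_SHA", "SSL3_RSA_RC4_40_MD5",
    "TLS1_RSA_AES_128_SHA", "TLS1_RSA_AES_256_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_MD5", "TLS1_RSA_EXPORT1024_RC4_56_SHA",
)
WEAK_TOKENS = ("EXPORT", "_40_", "DES_64", "RC4")  # export, 40-bit, DES, RC4
PROMPT = re.compile(r"^\w+\([^)]*\)#\s*")  # e.g. AX(config-client SSL template)#


def parse_client_ssl(text):
    """Return {template-name: settings}, starting from the page's defaults."""
    templates, cur = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[:3] == ["slb", "template", "client-ssl"] and len(words) == 4:
            cur = templates.setdefault(words[3], {
                "cipher": [], "client-certificate": "ignore",
                "crl": None, "ca-cert": None})
        elif words[0] in ("slb", "exit"):
            cur = None                      # left the client-SSL level
        elif cur is not None and len(words) >= 2:
            if words[0] == "cipher":
                cur["cipher"].append(words[1])
            elif words[0] in ("client-certificate", "crl", "ca-cert"):
                cur[words[0]] = words[1]
    return templates


def audit(text):
    """Return a list of (template, code, detail) findings."""
    findings = []
    for name, t in parse_client_ssl(text).items():
        # No cipher command means every listed option is enabled.
        ciphers = t["cipher"] or list(ALL_CIPHERS)
        weak = [c for c in ciphers if any(tok in c for tok in WEAK_TOKENS)]
        if weak:
            src = "configured" if t["cipher"] else "enabled by default"
            findings.append((name, "weak-cipher", f"{len(weak)} {src}"))
        mode = t["client-certificate"]
        if t["crl"] and mode != "require":
            findings.append((name, "crl-needs-require", f"mode is {mode}"))
        if t["ca-cert"] and mode == "request":
            findings.append((name, "invalid-cert-accepted",
                             "handshake proceeds on NULL or invalid cert"))
        if t["ca-cert"] and mode == "ignore":
            findings.append((name, "ca-cert-unused", "no cert is requested"))
    return findings


# Constructed input in the style of the examples on this page.
SAMPLE = """\
AX(config)#slb template client-ssl legacy
AX(config-client SSL template)#ca-cert ca-cert.pem
AX(config-client SSL template)#crl ca-crl.pem
AX(config-client SSL template)#client-certificate request
AX(config-client SSL template)#exit
AX(config)#slb template client-ssl restricted
AX(config-client SSL template)#ca-cert ca-cert.pem
AX(config-client SSL template)#crl ca-crl.pem
AX(config-client SSL template)#client-certificate require
AX(config-client SSL template)#cipher TLS1_RSA_AES_128_SHA
AX(config-client SSL template)#cipher TLS1_RSA_AES_256_SHA
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```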

slb template connection-reuse


Description

Configure re-use of established connections.

Syntax

[no] slb template connection-reuse template-name

Parameter    Description

template-name

Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified connection-reuse template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command    Description

[no] keep-alive-conn number

Specifies the number of new reusable connections to open before beginning to reuse existing connections. You can specify 1-1024 connections.

Note: This option is applicable only for SIP-over-TCP sessions. The option is not applicable to other types of sessions, such as HTTP sessions.

[no] limit-per-server number [smart-flow-control queue-depth]

Maximum number of reusable connections per server port. You can specify 0-65535. 0 means unlimited.

The smart-flow-control option queues HTTP packets from clients when a server port reaches a configured connection limit, instead of dropping them. The AX device then monitors the port, and begins forwarding the queued packets when connections become available again. To prevent flooding of the port, the AX device forwards the queued packets at a steady rate.

The queue-depth option specifies the maximum number of packets the AX device will queue for the port. You can specify 1-32000. The default is 1000. If this queue becomes full, the AX device will drop additional packets.

[no] timeout seconds

Maximum number of seconds a connection can remain idle before it times out. You can specify 1-3600 seconds.

Default

The default connection reuse template has the following defaults:

- keep-alive-conn - 100
- limit-per-server - 1000
- timeout - 2400 seconds (40 minutes)

To display the default template settings, use the show slb template connection-reuse default command.

Mode

Configuration mode

Usage

The normal form of this command creates a connection reuse template. The no form of this command removes the template.

You can bind only one connection-reuse template to a virtual port. However, you can bind the same connection-reuse template to multiple ports.

The keep-alive-conn option is applicable only for SIP-over-TCP sessions. The option is not applicable to other types of sessions, such as HTTP sessions.

Due to the way the connection-reuse feature operates, backend sessions with servers will not be reused in either of the following cases:

- The limit-per-server option is set to a very low value, lower than the number of data CPUs on the AX device.
- The keep-alive-conn option is set to a lower value than the limit-per-server option.


SmartFlow Control

- In the current release, this feature applies only to traffic sent to HTTP virtual ports.
- This feature is configured using a new connection-reuse option. The feature can be activated if a real port either reaches the smart-flow-control limit configured in the connection-reuse template, or the connection limit specified on the port or in the port template used by the port. If the real-port connection limit is set and the limit-per-server is set in the connection-reuse template, the smaller of the two limits is used for SmartFlow control. The connection limit is applied across the data CPUs. It is possible for an individual CPU to reach its maximum while other CPUs have not reached their maximums. The actual connection limit is calculated as follows:

  (rport-conn-limit/data-cpu-num - n) * data-cpu-num

  where n is the largest possible value among 2, 1 or 0. Here are some examples:

  Case 1: rport-conn-limit = 10; data-cpu-num = 7; n must be 0 (otherwise the result will be negative). The result will be (10/7 - 0)*7=7.

  Case 2: rport-conn-limit = 30; data-cpu-num = 7; n should be 2. The result will be (30/7 - 2)*7=14.
- If you remove the SmartFlow control configuration from a connection-reuse template, any packets that are queued due to the feature are released for transmission.

Example

The following commands configure a connection reuse template named conn-reuse1 and set the limit per server to 2000 re-used connections:

AX(config)#slb template connection-reuse conn-reuse1
AX(config-connection reuse template)#limit-per-server 2000
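The SmartFlow limit calculation from the notes above, as an added Python example that is not A10 code. It assumes integer division and picks the largest n of 2, 1, 0 that leaves each data CPU a share above zero, which reproduces Case 1 and Case 2; returning 0 for a limit below the data CPU count is this example's own handling.

```python
"""SmartFlow effective connection limit, per the formula on this page.

Added example, not A10 code. Assumptions: the division is integer division
and n is the largest of 2, 1, 0 that leaves a per-CPU share above zero,
which is what reproduces the page's Case 1 and Case 2.
"""


def smartflow_limit(data_cpus, rport_conn_limit=None, limit_per_server=None):
    """Return (effective_limit, n); a limit of None or 0 means not set."""
    configured = [v for v in (rport_conn_limit, limit_per_server) if v]
    if not configured:
        return (None, None)          # neither limit is configured
    limit = min(configured)          # the smaller of the two limits is used
    share = limit // data_cpus       # the limit is applied across data CPUs
    for n in (2, 1, 0):
        if share - n > 0:
            return ((share - n) * data_cpus, n)
    return (0, 0)                    # limit lower than the data CPU count


def headroom_lost(data_cpus, limit):
    """Connections of the configured limit that are never usable."""
    effective, _ = smartflow_limit(data_cpus, rport_conn_limit=limit)
    return limit - effective


if __name__ == "__main__":
    # Constructed inputs: the page's two cases, the template default of
    # 1000, and a limit below the number of data CPUs.
    for limit in (10, 30, 1000, 5):
        print(limit, smartflow_limit(7, rport_conn_limit=limit))
```

On a device with 7 data CPUs, a configured limit of 30 yields an effective limit of 14, so size connection limits against the computed value rather than the configured one.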

slb template dns


Description

Configure DNS security.

Syntax

[no] slb template dns template-name

Parameter    Description

template-name

Name of the template, 1-31 characters.



This command changes the CLI to the configuration level for the specified DNS template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command    Description

[no] malformed-query {drop | forward service-group-name}

Specifies the action to take for malformed DNS queries:

drop - Drops malformed queries.
forward - Sends the queries to the specified service group.

With either option, the malformed queries are not sent to the DNS virtual port.

Default

The configuration does not have a default DNS template. If you configure one, the default action is to drop malformed DNS queries.

Mode

Configuration mode

Usage

The normal form of this command creates a DNS template. The no form of this command removes the template.

You can bind only one DNS template to a virtual port. However, you can bind the same DNS template to multiple ports.

Example

The following commands configure a DNS template for DNS security and bind the template to the DNS virtual port on a virtual server:

AX(config)#slb template dns dns-sec
AX(config-dns-policy)#malformed-query drop
AX(config-dns-policy)#exit
AX(config)#slb virtual-server dnsvip1 192.168.1.53
AX(config-slb vserver)#port 53 udp
AX(config-slb vserver-vport)#template dns dns-sec

Since the drop action is specified, malformed DNS queries sent to the virtual DNS server are dropped by the AX device.


slb template http


Description

Configure HTTP modifications to server replies to clients and configure load balancing based on HTTP information.

Syntax

[no] slb template http template-name

Parameter    Description

template-name

Name of the template.

This command changes the CLI to the configuration level for the specified HTTP template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command    Description

[no] compression option

Offloads Web servers from CPU-intensive HTTP compression operations. Options:

content-type content-string - Specifies the type of content to compress, based on a string in the content-type header of the HTTP response. The content-string can be 1-31 characters long.

enable - Enables compression.

exclude-content-type content-string - Excludes the specified content type from being compressed. The content-string can be 1-31 characters long. For a list of media type strings, see the Internet Assigned Numbers Authority Web site: http://www.iana.org/assignments/media-types

exclude-uri uri-string - Excludes an individual URI from being compressed. The URI string can be 1-31 characters. An HTTP template can exclude up to 10 URI strings.

The order in which content-type, exclude-content-type, and exclude-uri filters appear in the configuration does not matter.

keep-accept-encoding enable - Configures the AX device to leave the Accept-Encoding header in HTTP requests from clients instead of removing the header. When keep-accept-encoding is enabled, compression is performed by the real server instead of the AX device, if the server is configured to perform the compression. The AX device compresses the content that the real server does not compress. This option is disabled by default, which means the AX device performs all the compression.

level number - Specifies the compression level. You can use compression level 1-9. Each level provides a higher compression ratio, beginning with level 1, which provides the lowest compression ratio. A higher compression ratio results in a smaller file size after compression. However, higher compression levels also require more CPU processing than lower compression levels, so performance can be affected.

minimum-content-length bytes - Specifies the minimum length (in bytes) a server response can be in order to be compressed. The length applies to the content (payload) only and does not include the headers. You can specify 0-2147483647 bytes.

Note: Compression is supported only for HTTP and HTTPS virtual ports. Compression is not supported for fast-HTTP virtual ports.

[no] failover-url url-string

Specifies the fallback URL to send in an HTTP 302 response when all real servers are down.


[no] host-switching {starts-with | contains | ends-with} host-string service-group service-group-name

Selects a service group based on the value in the Host field of the HTTP header. The selection overrides the service group configured on the virtual port. For host-string, you can specify an IP address or a hostname. If the host-string does not match, the service group configured on the virtual port is used.

starts-with host-string - matches only if the hostname or IP address starts with host-string.
contains host-string - matches if the host-string appears anywhere within the hostname or host IP address.
ends-with host-string - matches only if the hostname or IP address ends with host-string.

[no] insert-client-ip [http-header-name] [replace]

Inserts the client's source IP address into HTTP headers. If you specify an HTTP header name, the source address is inserted only into headers with that name.

The replace option replaces any client addresses that are already in the header. Without this option, the client IP address is appended to the lists of client IP addresses already in the header. For example, if the header already contains X-Forwarded-For:1.1.1.1 and the current client's IP address is 2.2.2.2, the replace option changes the field:value pair to X-Forwarded-For:2.2.2.2. Without the replace option, the field:value pair becomes X-Forwarded-For:1.1.1.1, 2.2.2.2.

[no] log-retry

Logs HTTP retries. An HTTP retry occurs when the AX device resends a client's HTTP request to a server because the server did not reply to the first request. (HTTP retries are enabled using the retry-on-5xx or retry-on-5xx-per-req command in the HTTP template.)

[no] redirect-rewrite match url-string rewrite-to url-string

Modifies redirects sent by servers by rewriting the matching URL string to the specified value before sending the redirects to clients.

[no] redirect-rewrite secure {port tcp-portnum}

Changes HTTP redirects sent by servers into HTTPS redirects before sending the redirects to clients. To redirect clients to the default HTTPS port (443), enter the following command:

redirect-rewrite secure

To redirect clients to an HTTPS port other than the default, enter the following command instead:

redirect-rewrite secure port port-num

[no] request-header-erase field

Erases the specified header (field) from HTTP requests.

[no] request-header-insert field:value [insert-always | insert-if-not-exist]

Inserts the specified header into HTTP requests. The field:value pair indicates the header field name and the value to insert.

- If you use the insert-always option, the command always inserts the field:value pair. If the request already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
- If you use the insert-if-not-exist option, the command inserts the header only if the request does not already contain a header with the same field name.
- Without either option, if a request already contains one or more headers with the specified field name, the command replaces the last header.

[no] response-header-erase field

Erases the specified header (field) from HTTP responses.

[no] response-header-insert field:value [insert-always | insert-if-not-exist]

Inserts the specified header into HTTP responses. The field:value pair indicates the header field name and the value to insert.

- If you use the insert-always option, the command always inserts the field:value pair. If the response already contains a header with the same field name, the new field:value pair is added after the existing field:value pair. Existing headers are not replaced.
- If you use the insert-if-not-exist option, the command inserts the header only if the response does not already contain a header with the same field name.
- Without either option, if a response already contains one or more headers with the specified field name, the command replaces the first header.

[no] retry-on5xx num

Configures the AX device to retry sending a clients request to a service port that replies with an HTTP 5xx status code, and reassign the request to another server if the first server replies with a 5xx status code. The retry number specifies the number of times the AX device is allowed to reassign the request. For example, assume that a service group has three members (s1, s2, and s3), and the retry is set to 1. In this case, if s1 replies with a 5xx status code, the AX device reassigns the request to s2. If s2 also responds with a 5xx status code, the AX device will not reassign the request to s3,

P e r f o r m a n c e

D e s i g n Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010

b y

323 of 722

AX Series - Command Line Interface - Reference


slb template http because the maximum number of retries has already been used. If you use this command, the AX device stops sending client requests to a service port for 30 seconds following reassignment. If you want the service port to remain eligible for client requests, use the following command instead. An HTTP template can contain one or the other of these commands, but not both. Note: The 5xx options are supported only for virtual port types HTTP and HTTPS. They are not supported for fast-HTTP or any other virtual port type. [no] retry-on5xx-per-req num This command provides the same function as the retry-on-5xx command (described above). However, the retry-on-5xx-per-req command does not briefly stop using a service port following reassignment. An HTTP template can contain one or the other of these commands, but not both. [no] stricttransactionswitch

Forces the AX device to perform the server selection process anew for every HTTP request. Without this option, the AX device reselects the same server for subsequent requests (assuming the same server group is used), unless overridden by other template options.

[no] term11client-hdrconn-close

Enables the AX device to terminate HTTP 1.1 client connections when the Connection: close header exists in the HTTP request. This option is applicable to connection-reuse deployments that have HTTP 1.1 clients that are not compliant with the HTTP 1.1 standard. Without this option, sessions for non-compliant HTTP 1.1. clients are not terminated.

[no] url-hashpersist {first | last} bytes [use-serverstatus}

Enables server stickiness based on hash values. If this feature is configured, for each URL request,
P e r f o r m a n c e b y D e s i g n

324 of 722

Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010

AX Series - Command Line Interface - Reference


slb template http the AX device calculates a hash value based on part of the URL string. The AX device then selects a real server based on the hash value. A given hash value always results in selection of the same real server. Thus, requests for a given URL always go to the same real server. The first | last option specifies which end of the URL string to use to calculate the hash value. The bytes option specifies how many bytes to use to calculate the hash value. Optionally, you can use URL hashing with either URL switching or host switching. Without URL switching or host switching configured, URL hash switching uses the hash value to choose a server within the default service group (the one bound to the virtual port). If URL switching or host switching is configured, for each HTTP request, the AX device first selects a service group based on the URL or host switching values, then calculates the hash value and uses it to choose a server within the selected service group. The use-server-status option enables server load awareness, which allows servers to act as backups to other servers, based on server load. Note: This feature requires some custom configuration on the server. For information, see the URL Hash Switching section in the HTTP Options for SLB chapter of the AX Series Configuration Guide. [no] urlswitching {starts-with | contains | ends-with} url-string service-group service-groupname

Selects a service group based on the URL string requested by the client. The selection overrides the service group configured on the virtual port.

starts-with /url-string matches only if the URL starts with url-string.
contains url-string matches if the url-string appears anywhere within the URL.
ends-with url-string matches only if the URL ends with url-string.

Note: You can use URL switching or Host switching in an HTTP template, but not both. However, if you need to use both types of switching, you can do so with an aFleX script.

Default

The configuration has a default HTTP template. In the template, most options are disabled or not set. Compression is disabled by default. When you enable it, it has the following default settings:

content-type: text and application included by default
exclude-content-type: not set (nothing excluded)
exclude-uri: not set (no URIs excluded)
keep-accept-encoding: disabled
level: 1
minimum-content-length: 120 bytes

To display the default HTTP template settings, use the show slb template http default command.

Mode

Configuration mode

Usage

The normal form of this command creates an HTTP configuration template. The no form of this command removes the template.

You can bind only one HTTP template to a virtual port. However, you can bind the same HTTP template to multiple ports.

Header insertion is not supported on fast-HTTP virtual ports.

Starts-with, Contains, and Ends-with Rule Matching

The starts-with, contains, and ends-with options are always applied in the following order, regardless of the order in which the commands appear in the configuration. The service group for the first match is used.

starts-with
contains
ends-with

If a template has more than one command with the same option (starts-with, contains, or ends-with) and a host name or URL matches on more than one of them, the most-specific match is always used. For example, if a template has the following commands, host "ddeeff" will always be directed to service group http-sgf:

slb template http http-host
   host-switching starts-with d service-group http-sgd
   host-switching starts-with dd service-group http-sge
   host-switching starts-with dde service-group http-sgf

If a contains rule and an ends-with rule match on exactly the same string, the ends-with rule is used, because it has the more specific match.

If you use the starts-with option with URL switching, use a slash in front of the URL string. For example:

url-switching starts-with /urlexample service-group http-sg1
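The selection rules described above can be modelled directly, which also makes it possible to check a template for ends-with rules that a broader contains rule will always pre-empt. This is an added example, not A10 code: Rule, select_service_group and shadowed_ends_with are hypothetical names, matching is assumed to be case-sensitive, and the contains/ends-with tie-break is one reading of the text above.

```python
"""Model of host-switching / url-switching rule selection as described above.

Added illustration, not A10 code. Assumptions: matching is case-sensitive, and
the contains/ends-with tie-break applies only when both rules use the same string.
"""
from dataclasses import dataclass

# Order in which the options are applied, regardless of configuration order.
OPTION_ORDER = ("starts-with", "contains", "ends-with")


@dataclass(frozen=True)
class Rule:
    """One switching command (hypothetical container, not a device structure)."""
    option: str
    pattern: str
    service_group: str


def matches(rule, value):
    """Return True if the host name or URL satisfies the rule."""
    if rule.option == "starts-with":
        return value.startswith(rule.pattern)
    if rule.option == "contains":
        return rule.pattern in value
    if rule.option == "ends-with":
        return value.endswith(rule.pattern)
    raise ValueError(f"unknown option: {rule.option}")


def select_service_group(rules, value, default_group):
    """Pick the service group for a host name or URL.

    Options are tried in OPTION_ORDER; within one option the longest
    (most specific) matching pattern wins; no match falls back to the
    service group bound to the virtual port.
    """
    hits = [r for r in rules if matches(r, value)]
    for option in OPTION_ORDER:
        same_option = [r for r in hits if r.option == option]
        if not same_option:
            continue
        best = max(same_option, key=lambda r: len(r.pattern))
        if option == "contains":
            # Tie-break from the text: identical string on a contains rule
            # and an ends-with rule -> the ends-with rule is used.
            for r in hits:
                if r.option == "ends-with" and r.pattern == best.pattern:
                    return r.service_group
        return best.service_group
    return default_group


def shadowed_ends_with(rules):
    """List ends-with rules that can never be selected under this model.

    Any value that ends with a pattern also contains every substring of it,
    so a contains rule on a proper substring is always evaluated first.
    """
    contains_patterns = [r.pattern for r in rules if r.option == "contains"]
    shadowed = []
    for r in rules:
        if r.option != "ends-with":
            continue
        if r.pattern in contains_patterns:
            continue  # identical string: the ends-with rule wins the tie
        if any(p in r.pattern for p in contains_patterns):
            shadowed.append(r)
    return shadowed


# Constructed sample: the three host-switching rules from the http-host example.
HOST_RULES = [
    Rule("starts-with", "Gossip", "http-sg1"),
    Rule("contains", "NewsDeskA", "http-sg2"),
    Rule("ends-with", "weather.com", "http-sg3"),
]

if __name__ == "__main__":
    for host in ("GossipNewsDeskA.weather.com", "www.weather.com", "example.org"):
        print(host, "->", select_service_group(HOST_RULES, host, "default-sg"))
    # Constructed audit case: the contains rule pre-empts the ends-with rule.
    audit = [Rule("contains", "admin", "sg-general"),
             Rule("ends-with", "/admin.php", "sg-restricted")]
    print("never selected:", shadowed_ends_with(audit))
```

Running the audit function over a template before deployment shows which ends-with rules are dead because of the fixed evaluation order, so traffic is not silently sent to a different service group than intended.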

Redirect-Rewrite Rule Matching

If a URL matches on more than one redirect-rewrite rule within the same HTTP template, the AX device selects the rule that has the most specific match to the URL. For example, if a server sends redirect URL 66.1.1.222/000.html, and the HTTP template has the redirect-rewrite rules shown below, the AX device will use the last rule because it is the most specific match to the URL:

slb template http 1
   redirect-rewrite match /00 rewrite-to http://66.1.1.202/a
   redirect-rewrite match /000.html rewrite-to /001.gif
   redirect-rewrite match 66.1.1.222/000.html rewrite-to 66.1.1.202/003.bmp

Example

The following commands configure an HTTP template called http-compression that enables compression. The minimum length a packet must be for it to be compressed is set at 120 bytes.

AX(config)#slb template http http-compression
AX(config-HTTP template)#compression enable
AX(config-HTTP template)#compression minimum-content-length 120

Example

The following commands configure an HTTP template called http-header that inserts the client IP address and a Cookie field into HTTP headers in requests from clients before sending the requests to servers:

AX(config)#slb template http http-header
AX(config-HTTP template)#insert-client-ip
AX(config-HTTP template)#header-insert Cookie:a = b

Example

The following commands configure an HTTP template called http-host that selects a service group based on the contents of the Host field in the HTTP headers of client requests. Requests for hostnames that start with Gossip are directed to service group http-sg1. Requests for hostnames that contain NewsDeskA are directed to service group http-sg2. Requests for hostnames that end with weather.com are directed to service group http-sg3.
AX(config)#slb template http http-host
AX(config-HTTP template)#host-switching starts-with Gossip service-group http-sg1
AX(config-HTTP template)#host-switching contains NewsDeskA service-group http-sg2
AX(config-HTTP template)#host-switching ends-with weather.com service-group http-sg3

Example

The following commands configure an HTTP template to use URL hashing. Hash values will be calculated based on the last 8 bytes of the URL. In this example, URL switching is also configured in the template. As a result, the AX device uses URL switching to select a service group first, then uses URL hashing to select a server within that service group. If the template did not also contain URL switching commands, this template would always select a server from service group sg3.

AX(config)#slb template http hash
AX(config-HTTP template)#url-hash-switching last 8
AX(config-HTTP template)#url-switching starts-with /news service-group sg1
AX(config-HTTP template)#url-switching starts-with /sports service-group sg2
AX(config-HTTP template)#exit
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#service-group sg3
AX(config-slb virtual server-slb virtua...)#template http hash

Example

The following commands configure an HTTP template called http-compress, that uses compression level 5 to compress files with media type application or image. Files with media type application/zip are explicitly excluded from compression.

AX(config)#slb template http http-compress
AX(config-HTTP template)#compression enable
AX(config-HTTP template)#compression level 5
AX(config-HTTP template)#compression content-type image
AX(config-HTTP template)#compression exclude-content-type application/zip

Example

The following commands configure an HTTP template that replaces the client IP addresses in the X-Forwarded-For field with the current client IP address:

AX(config)#slb template http clientip-replace
AX(config-HTTP template)#insert-client-ip X-Forwarded-For replace

slb template persist cookie


Description

Configure session persistence by inserting persistence cookies into server replies to clients.

Syntax

[no] slb template persist cookie template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified persistence template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

[no] domain domain-name

Adds the specified domain name to the cookie.

[no] dont-honor-conn-rules

Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent cookie.

[no] expire expire-seconds

Specifies the number of seconds a cookie persists on a client's PC before being deleted by the client's browser. You can specify from 0 to 31,536,000 seconds (one year). (Do not enter the commas.) If you specify 0, cookies persist only for the current session.

[no] insert-always

Specifies whether to insert a new persistence cookie in every reply, even if the request already had a persistence cookie previously inserted by the AX device.

[no] match-type {server [service-group] | service-group} [scan-all-members]

Changes the granularity of cookie persistence.

server: The cookie inserted into the HTTP header of the server reply to a client ensures that subsequent requests from the client for the same VIP are sent to the same real server. (This assumes that all virtual ports of the VIP use the same cookie persistence template with match-type set to server.) Without this option, the default behavior is used: subsequent requests from the client will be sent to the same real port on the same real server.

server service-group: Sets the granularity to the same as server, and also enables cookie persistence to be used along with URL switching or host switching. Without the service-group option, URL switching or host switching can be used only for the initial request from the client. After the initial request, subsequent requests are always sent to the same service group.

service-group: This option enables support for URL switching and host switching, along with the default cookie persistence behavior.

scan-all-members: This option scans all members bound to the template. This option is useful in configurations where match-type server is used, and where some members have different priorities or are disabled. (For more information about this option, see the Scan-All-Members Option in Persistence Templates chapter in the AX Series Configuration Guide.)

Note: To use URL switching or host switching, you also must configure an HTTP template with the host-switching or url-switching command.

[no] name cookie-name

Specifies the name of the persistence cookie, 1-63 characters.

[no] path path-name

Adds path information to the cookie, 1-31 characters.

Default

The configuration does not have a default cookie-persistence template. If you create one, it has the following defaults:

domain: Not set
dont-honor-conn-rules: Disabled; by default, the connection limit set on real servers and real ports is used.
expire: about 10 years
Note: Although the default is 10 years (essentially, unlimited), the maximum configurable expiration is one year.
insert-always: Disabled. The AX device inserts a persistence cookie only if the client request does not already contain a persistence cookie inserted by the AX device, or if the server referenced by the cookie is unavailable.
match-type: The default match type is port. (There is no port keyword. See Usage for more information.)
name: sto-id
path: /

Mode

Configuration mode

Usage

The normal form of this command creates a cookie-persistence template. The no form of this command removes the template.

You can bind only one cookie-persistence template to a virtual port. However, you can bind the same cookie-persistence template to multiple ports.

When cookie persistence is configured, the AX device adds a persistence cookie to the server reply before sending the reply to the client. The client's browser re-inserts the cookie into each request.

Note: For security, address information in the cookie is encrypted.

The format of the cookie depends on the match-type setting:
match-type (port): This is the default setting. Subsequent requests from the client will be sent to the same real port on the same real server. URL switching or host switching can be used only for the first request. The cookie that the AX device inserts into the server reply has the following format:

Set-Cookie: cookiename-vport=rserverIP_rport

The vport is the virtual port number. The rserverIP is the real server IP address and the rport is the real server port number.

Note: The port option is shown in parentheses because the CLI does not have a port keyword. If you do not set the match type to server (see below), the match type is automatically port.

match-type server: Subsequent requests from the client for the same VIP will be sent to the same real server, provided that all virtual ports of the VIP use the same cookie persistence template with match-type set to server. URL switching or host switching can be used only for the first request. The cookie that the AX device inserts into the server reply has the following format:

Set-Cookie: cookiename=rserverIP

match-type (port) service-group: Subsequent requests from the client will be sent to the same real port on the same real server, within the service group selected by URL switching or host switching. URL switching or host switching, if configured, is still used for every request. The cookie that the AX device inserts into the server reply has the following format:

Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport

match-type server service-group: Subsequent requests from the client for the same VIP will be sent to the same real server, within the service group selected by URL switching or host switching. URL switching or host switching, if configured, is still used for every request. The cookie that the AX device inserts into the server reply has the following format:

Set-Cookie: cookiename-servicegroupname=rserverIP

Example

The following commands configure a cookie persistence template named persist-cookie. The template inserts a cookie named MyCookie, containing the real server's IP address and protocol port in encrypted form, into server responses before sending the responses to clients. The template also sets the cookie to persist on client PCs for only 10 minutes (600 seconds).
AX(config)#slb template persist cookie persist-cookie
AX(config-cookie persistence template)#name MyCookie
AX(config-cookie persistence template)#expire 600

slb template persist destination-ip


Description

Configure the granularity of load balancing persistence (selection of the same server resources) for clients, based on destination IP address.

Syntax

[no] slb template persist destination-ip template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified persistence template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

[no] dont-honor-conn-rules

Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent destination IP address.

[no] match-type {server | service-group} [scan-all-members]

Specifies the granularity of persistence:

server: Traffic to a given destination IP address is always sent to the same real server, for any service port. By default (without the server option), traffic to the same destination IP address and virtual port is always sent to the same real port. This is the most granular setting.

service-group: This option is applicable if you also plan to use URL switching or host switching. If you use the service-group option, URL or host switching is used for every request to select a service group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the service group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service group selection is performed for every request, but once a service group is selected for a request, the request goes to the same real port that was selected the first time that service group was selected.

scan-all-members: This option scans all members bound to the template. This option is useful in configurations where match-type server is used, and where some members have different priorities or are disabled. (For more information about this option, see the Scan-All-Members Option in Persistence Templates chapter in the AX Series Configuration Guide.)

Note: To use URL switching or host switching, you also must configure an HTTP template with the host-switching or url-switching command.

[no] netmask ipaddr

Specifies the granularity of IP address hashing for initial server port selection. You can specify an IPv4 network mask in dotted decimal notation.

To configure initial server port selection to occur once per destination VIP subnet, configure the network mask to indicate the subnet length. For example, to select a server port once for all requested VIPs within a subnet such as 10.10.10.x, 192.168.1.x, and so on (class C subnets), use mask 255.255.255.0. SLB selects a server port for the first request to the given VIP subnet, then sends all other requests for the same VIP subnet to the same port.

To configure initial server port selection to occur independently for each requested VIP, use mask 255.255.255.255. (This is the default.)

[no] timeout timeout-minutes

Specifies how many minutes the mapping remains persistent after the last time it is used. You can specify 1-2000 minutes.

Default

The configuration does not have a default destination-IP persistence template. If you configure one, it has the following defaults:

dont-honor-conn-rules: Disabled; by default, the connection limit set on real servers and real ports is used.
match-type: For SLB, by default, traffic to a given destination IP address and port is always sent to the same real port. This is the most granular setting. (There is no port keyword.)
netmask: 255.255.255.255
timeout: 5 minutes

Mode

Configuration mode

Usage

The normal form of this command creates a destination-IP persistence template. The no form of this command removes the template.

You can bind only one destination-IP persistence template to a virtual port. However, you can bind the same destination-IP persistence template to multiple ports.

Example

The following command creates a destination-IP persistence template named persist-dest:

AX(config)#slb template persist destination-ip persist-dest

slb template persist source-ip


Description

Configure the granularity of load balancing persistence (selection of the same server resources) for clients, based on source IP address.

Syntax

[no] slb template persist source-ip template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified persistence template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

[no] dont-honor-conn-rules

Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent client source IP address.

[no] incl-sport

Includes the source port in persistent sessions.

[no] match-type {server | service-group} [scan-all-members]

Specifies the granularity of persistence:

server: Traffic from a given client to the same VIP is always sent to the same real server, for any service port requested by the client. By default (without the server option), traffic from a given client to the same virtual port is always sent to the same real port. This is the most granular setting.

service-group: This option is applicable if you also plan to use URL switching or host switching. If you use the service-group option, URL or host switching is used for every request to select a service group. The first time URL or host switching selects a given service group, the load-balancing method is used to select a real port within the service group. The next time URL or host switching selects the same service group, the same real port is used. Thus, service group selection is performed for every request, but once a service group is selected for a request, the request goes to the same real port that was selected the first time that service group was selected.

scan-all-members: This option scans all members bound to the template. This option is useful in configurations where match-type server is used, and where some members have different priorities or are disabled. (For more information about this option, see the Scan-All-Members Option in Persistence Templates chapter in the AX Series Configuration Guide.)

Note: To use URL switching or host switching, you also must configure an HTTP template with the host-switching or url-switching command.

Note: The match type for FWLB is always server, which sets the granularity of source-IP persistence to individual firewalls, not firewall groups or individual service ports.

[no] netmask ipaddr

Specifies the granularity of IP address hashing for server port selection. You can specify an IPv4 network mask in dotted decimal notation.

To configure server port selection to occur on a per subnet basis, configure the network mask to indicate the subnet length. For example, to send all clients within a subnet such as 10.10.10.x, 192.168.1.x, and so on (class C subnets) to the same server port, use mask 255.255.255.0. SLB selects a server port for the first client in a given subnet, then sends all other clients in the same subnet to the same port.

To configure server port selection to occur on a per client basis, use mask 255.255.255.255. SLB selects a server port for the first request from a given client, then sends all other requests from the same client to the same port. (This is the default.)

[no] timeout timeout-minutes

Specifies how many minutes the mapping remains persistent after the last time traffic from the client is sent to the server. You can specify 1-2000 minutes (about 33 hours).

Note: The timeout for a source-IP persistent session will not be reset if the timeout in the source-IP persistence template is set to 1 minute. If the timeout is set to 1 minute, sessions will always age out after 1 minute, even if they are active.

Default

The configuration does not have a default source-IP persistence template. If you configure one, it has the following defaults:

dont-honor-conn-rules: Disabled; by default, the connection limit set on real servers and real ports is used.
incl-sport: Disabled

match-type: For SLB, by default, traffic from a given client to the same virtual port is always sent to the same real port. This is the most granular setting. (There is no port keyword.) For FWLB, the default is server and none of the other match-type options are applicable.
netmask: 255.255.255.255
timeout: 5 minutes

Mode

Configuration mode

Usage

The normal form of this command creates a source-IP persistence template. The no form of this command removes the template.

You can bind only one source-IP persistence template to a virtual port. However, you can bind the same source-IP persistence template to multiple ports.

The timeout for a source-IP persistent session will not be reset if the timeout in the source-IP persistence template is set to 1 minute. If the timeout is set to 1 minute, sessions will always age out after 1 minute, even if they are active.

Example

The following commands configure a source-IP persistence template named persist-source and set the granularity to service-group:

AX(config)#slb template persist source-ip persist-source
AX(config-source ip persistence template)#match-type service-group
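The effect of the netmask and timeout settings described for source-IP persistence can be seen in a small model of the persistence table. This is an added example, not A10 code: the class name SourceIpPersistence, round-robin as the load-balancing method, and time expressed in seconds are assumptions made for the illustration.

```python
"""Model of source-IP persistence with the netmask and timeout options.

Added illustration, not A10 code. Assumptions: round-robin stands in for the
configured load-balancing method, and the caller supplies time in seconds.
"""
import ipaddress
from itertools import cycle


class SourceIpPersistence:
    def __init__(self, real_ports, netmask="255.255.255.255", timeout_minutes=5):
        if not 1 <= timeout_minutes <= 2000:
            raise ValueError("timeout must be 1-2000 minutes")
        # IPv4Network rejects non-contiguous masks such as 255.0.255.0.
        net = ipaddress.IPv4Network(f"0.0.0.0/{netmask}")
        self._mask = int(net.netmask)
        self._timeout_s = timeout_minutes * 60
        # Per the note in the text: with a 1-minute timeout the timer is not
        # reset by traffic, so sessions age out even while active.
        self._refresh_on_use = timeout_minutes != 1
        self._next_port = cycle(real_ports)
        self._table = {}  # persistence key -> [real_port, timer_start_seconds]

    def key_for(self, client_ip):
        """Client address with the template netmask applied."""
        masked = int(ipaddress.IPv4Address(client_ip)) & self._mask
        return str(ipaddress.IPv4Address(masked))

    def route(self, client_ip, now_s):
        """Return the real port for this client at time now_s."""
        key = self.key_for(client_ip)
        entry = self._table.get(key)
        if entry is not None and now_s - entry[1] >= self._timeout_s:
            entry = None  # mapping aged out
        if entry is None:
            entry = [next(self._next_port), now_s]
            self._table[key] = entry
        elif self._refresh_on_use:
            entry[1] = now_s  # timeout counts from the last use
        return entry[0]


# Constructed sample real ports.
PORTS = ["rs1:80", "rs2:80", "rs3:80"]

if __name__ == "__main__":
    per_subnet = SourceIpPersistence(PORTS, netmask="255.255.255.0")
    print(per_subnet.route("10.10.10.5", 0), per_subnet.route("10.10.10.77", 10))
    per_client = SourceIpPersistence(PORTS)
    print(per_client.route("10.10.10.5", 0), per_client.route("10.10.10.77", 10))
    one_minute = SourceIpPersistence(PORTS, timeout_minutes=1)
    print([one_minute.route("10.10.10.5", t) for t in (0, 30, 61)])
```

With mask 255.255.255.0 every client in a subnet shares one table entry, so a single busy subnet (for example, clients behind one NAT address range) is pinned to one real port until the mapping ages out.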

slb template persist ssl-sid


Description

Direct clients based on SSL session ID.

SSL session-ID persistence directs all client requests for a given virtual port, and that have a given SSL session ID, to the same real server and real port. For example, with SSL session-ID persistence configured, all client requests for virtual port 443 on virtual server 1.2.3.4 that have the same SSL session ID will be directed to the same real server and port.

The persistence is based on the SSL session ID, not on the client IP address.

Syntax

[no] slb template persist ssl-sid template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified persistence template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

[no] dont-honor-conn-rules

Ignores connection limit settings configured on real servers and real ports. This option is useful for applications in which multiple sessions (connections) are likely to be used for the same persistent SSL session ID.

[no] timeout timeout-minutes

Specifies how many minutes the mapping remains persistent after the last time traffic with the SSL session ID is sent to the server. You can specify 1-250 minutes.

Default

The configuration does not have a default SSL session-ID persistence template. If you configure one, it has the following defaults:

dont-honor-conn-rules: Disabled; by default, the connection limit set on real servers and real ports is used.
timeout: 5 minutes

Mode

Configuration mode

Usage

The normal form of this command creates an SSL session-ID persistence template. The no form of this command removes the template.

You can bind only one SSL session-ID persistence template to a virtual port. However, you can bind the same SSL session-ID persistence template to multiple ports.

To display statistics for SSL session-ID persistence, use the following command:

show slb l4

Example

The following commands configure an SSL session-ID persistence template named ssl-persist1 and apply it to virtual port 443 on virtual server vip1:

AX(config)#slb template persist ssl-sid ssl-persist1
AX(config-SSL session ID persistence te...)#exit
AX(config)#slb virtual-server vip1 1.2.3.4
AX(config-slb virtual server)#port 443 tcp
AX(config-slb virtual server-slb virtua...)#service-group https-sg1
AX(config-slb virtual server-slb virtua...)#template ssl-sid ssl-persist1

slb template policy


Description

Configure a template of Policy-Based SLB (PBSLB) settings.

Syntax

[no] slb template policy template-name

This command changes the CLI to the configuration level for the specified PBSLB template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

[no] bw-list id id service {service-group-name | drop | reset} [logging [minutes] [fail]]

Specifies the action to take for clients in the black/white list:

id: Group ID in the black/white list.

service-group-name: Sends clients to the SLB service group associated with this group ID on the AX device.

drop: Drops connections for IP addresses that are in the specified group.

reset: Resets connections for IP addresses that are in the specified group.

logging [minutes] [fail]: Enables logging. The minutes option specifies how often messages can be generated. This option reduces overhead caused by frequent recurring messages. For example, if the logging interval is set to 5 minutes, and the PBSLB rule is used 100 times within a five-minute period, the AX device generates only a single message. The message indicates the number of times the rule was applied since the last message. You can specify a logging interval from 0 to 60 minutes. To send a separate message for each event, set the interval to 0.

PBSLB rules that use the service service-group-name option also have a fail option for logging. The fail option configures the AX device to generate log messages only when there is a failed attempt to reach a service group. Messages are not generated for successful connections to the service group. The fail option is disabled by default. The option is available only for PBSLB rules that use the service service-group-name option, not for rules with the drop or reset option, since any time a drop or reset rule affects traffic, this indicates a failure condition.

Logging is disabled by default. If you enable it, the default for minutes is 3.

[no] bw-list name file-name

Binds a black/white list to the virtual ports that use this template.

[no] bw-list over-limit {lockup min | logging min | reset}

Specifies the action to take for traffic that is over the limit. The default is drop.

lockup min: Continues to apply the overlimit action to all new connection attempts from the client, for the specified number of minutes (1-127).

logging min: Generates a log message when traffic goes over the limit. The min option specifies the log interval and can be 1-255 minutes.

reset: Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.

[no] bw-list timeout minutes

Specifies the number of minutes dynamic black/white-list client entries can remain idle before aging out. You can specify 1-127 minutes.

[no] bw-list use-destination-ip

Matches black/white list entries based on the client's destination IP address, instead of matching by client source address. By default, matching is based on the client's source IP address. Generally, this option is applicable when wildcard VIPs are used.

[no] class-list client-ip {l3-dest | l7-header [header-name]}

Specifies the IP address to use for matching entries in an IP class list.

l3-dest: Matches based on the destination IP address in packets from clients.

l7-header [header-name]: Matches based on the IP address in the specified header in packets from clients. The header-name specifies the name of the header to use. If you do not specify a header name, the X-Forwarded-For header is used.

[no] class-list name name [no] class-list lid num

Applies an IP class list to the template. Configures an IP limiting rule for the IP limiting feature. This command changes the CLI to the configuration level for the rule, where the following commands are available: [no] conn-limit num Specifies the maximum number of concurrent connections allowed for a client. You can specify 1-1048575. [no] conn-rate-limit num per num-of-100ms Specifies the maximum number of new connections allowed for a client within the specified limit period. You can specify 1-4294967295 con-

342 of 722

P e r f o r m a n c e

b y

D e s i g n

Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010

AX Series - Command Line Interface - Reference


slb template policy nections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms. [no] request-limit num Specifies the maximum number of concurrent Layer 7 requests allowed for a client. Maximum number of concurrent Layer 7 requests allowed for a client. You can specify 1-1048575. [no] request-rate-limit num per num-of-100ms Specifies the maximum number of Layer 7 requests allowed for the client within the specified limit period. You can specify 1-4294967295 connections. The limit period can be 1006553500 milliseconds (ms), specified in increments of 100 ms. [no] over-limit-action [forward | reset] [lockout minutes] [log minutes] Specifies the action to take when a client exceeds one or more of the limits. The command also configures lockout and enables logging. The action can be one of the following: drop The AX device drops that traffic. If logging is enabled, the AX device also generates a log message. (There is no drop keyword. This is the default action.) forward The AX device forwards the traffic. If logging is enabled, the AX device also generates a log message. reset For TCP, the AX device sends a TCP RST to the client. If logging is enabled, the AX device also generates a log message. The lockout option specifies the number of minutes during which to apply the over-limit action after the client exceeds a limit. The lockout period is activated when a client exceeds any limit. The lockout period can be 1-1023 minutes. The logging option generates log messages when clients exceed a limit. When you enable logging, a separate message is generated for each overlimit occurrence, by default. You can specify a logging period, in which case the AX device holds onto the repeated messages for the specified period, then sends one message at the end of
P e r f o r m a n c e D e s i g n Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010 b y

343 of 722

AX Series - Command Line Interface - Reference


slb template policy the period for all instances that occurred within the period. The logging period can be 0-255 minutes. The default is 0 (no wait period). [no] geolocation full-domaintree

Checks the current connection count not only for the clients specific geo-location, but for all geolocations higher up in the domain tree.

Note:

It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect. [no] geolocation overlap

Enables overlap matching mode. If there are overlapping addresses in the black/white-list or class list, use this option to enable the AX device to find the most precise match. Enables sharing of PBLSB statistics counters for all virtual servers and virtual ports that use the template. This option causes the following counters to be shared: Permit Deny Connection number Connection limit

[no] geolocation share

Note:

It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect. The AX device does not have a default PBSLB template. When you configure one, the template has the following default settings:
bw-list id None. Logging is disabled by default. If you enable it, the

Default

default for minutes is 3.


bw-list name None bw-list over-limit drop bw-list timeout 5

344 of 722

P e r f o r m a n c e

b y

D e s i g n

Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010

AX Series - Command Line Interface - Reference


slb template policy
bw-list use-destination-ip Disabled. By default, the AX device

matches by client source IP address.


class-list client-ip Clients IP address is used. class-list name not set class-list lid Not set. When you create one, the limiting rule has the

following default values: conn-limit Not set conn-rate-limit Not set request-limit Not set request-rate-limit Not set over-limit-action Drop. There is no default lockout period. Logging is disabled by default. The default logging period is 0 (no wait period).
geo-location full-domain-tree disabled geo-location overlap disabled geo-location share disabled

Mode Usage

Configuration mode The normal form of this command creates a PBSLB template. The no form of this command removes the template. You can bind only one PBSLB template to a virtual port. However, you can bind the same PBSLB template to multiple ports. PBSLB configuration on a virtual port can be set either using a template or by configuring the individual settings on the port. Individual PBSLB settings and a PBSLB template can not be configured on the same virtual port. The following commands configure a PBSLB template and bind it to a virtual port:

AX(config)#slb template policy bw1 AX(config-policy)#bw-list name bw1 AX(config-policy)#bw-list id 2 service srvcgroup2 AX(config-policy)#bw-list id 4 drop AX(config-policy)#exit AX(config)#slb virtual-server PBSLB_VS1 10.10.10.69 AX(config-slb virtual server)#port 80 http AX(config-slb virtual server-slb virtua...)#template policy bw1
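The interaction of conn-rate-limit, over-limit-action, lockout and the log period in an IP limiting rule (class-list lid) is easier to follow on a timeline. The following is an added example, not A10 code: it models one client against one rule, and the fixed counting windows, the choice to log only over-limit occurrences, the names and the sample attempts are assumptions made for illustration.

```python
"""Model of one IP limiting rule (class-list lid) for a single client.

Added illustration, not AX code. Assumptions: new connections are counted in
fixed windows of num-of-100ms x 100 ms, only over-limit occurrences are logged
(not every attempt refused during lockout), and a log period starts at the
first held message. Times are integer milliseconds.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LidRule:
    conn_rate: int                      # conn-rate-limit num
    per_100ms: int                      # limit period, in units of 100 ms
    action: str = "drop"                # drop is the default; forward and reset are keywords
    lockout_min: Optional[int] = None   # lockout minutes, 1-1023
    log_min: Optional[int] = None       # log minutes, 0-255; None = logging off

    def __post_init__(self):
        if not 1 <= self.conn_rate <= 4294967295:
            raise ValueError("conn-rate-limit must be 1-4294967295")
        if not 1 <= self.per_100ms <= 65535:            # 100-6553500 ms
            raise ValueError("limit period must be 100-6553500 ms")
        if self.action not in ("drop", "forward", "reset"):
            raise ValueError("unknown over-limit-action")
        if self.lockout_min is not None and not 1 <= self.lockout_min <= 1023:
            raise ValueError("lockout must be 1-1023 minutes")
        if self.log_min is not None and not 0 <= self.log_min <= 255:
            raise ValueError("log period must be 0-255 minutes")


def simulate(rule, attempts_ms, end_ms):
    """Replay connection attempts; return (verdicts, log_messages).

    log_messages is a list of (time_ms, occurrences) pairs.
    """
    period = rule.per_100ms * 100
    window_start, count = None, 0
    locked_until = -1
    held, hold_start = 0, None
    verdicts, logs = [], []

    def flush(now):
        """Emit the single held message once the log period has ended."""
        nonlocal held, hold_start
        if hold_start is not None and now >= hold_start + rule.log_min * 60000:
            logs.append((hold_start + rule.log_min * 60000, held))
            held, hold_start = 0, None

    for t in attempts_ms:
        flush(t)
        if t < locked_until:                 # lockout: action applies to every attempt
            verdicts.append(rule.action)
            continue
        if window_start is None or t - window_start >= period:
            window_start, count = t, 0
        count += 1
        if count <= rule.conn_rate:
            verdicts.append("permit")
            continue
        verdicts.append(rule.action)         # over the limit
        if rule.lockout_min:
            locked_until = t + rule.lockout_min * 60000
        if rule.log_min == 0:
            logs.append((t, 1))              # period 0: one message per occurrence
        elif rule.log_min:
            held += 1
            if hold_start is None:
                hold_start = t
    flush(end_ms)
    return verdicts, logs


# Constructed sample: 3 new connections per second, reset with a 1-minute
# lockout, log messages held for 2 minutes.
SAMPLE_RULE = LidRule(conn_rate=3, per_100ms=10, action="reset",
                      lockout_min=1, log_min=2)
SAMPLE_ATTEMPTS = [0, 100, 200, 300, 5000, 61000, 61100, 61200, 61300]

if __name__ == "__main__":
    print(simulate(SAMPLE_RULE, SAMPLE_ATTEMPTS, end_ms=200000))
```

In the sample, the attempt at 5000 ms is reset only because of the lockout, and the two over-limit occurrences are reported in one message when the 2-minute log period ends.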


slb template port


Description
Configure a template of SLB settings for service ports on real servers.

Syntax
[no] slb template port template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified real port template, where the following commands are available. (The other commands are common to all CLI configuration levels. See "Config Commands: Global" on page 69.)

[no] conn-limit max-connections [resume connections] [no-logging]
    Specifies the maximum number of connections allowed on ports that use this template. The max-connections option specifies the maximum number of concurrent connections, 0-1048575. The resume connections option specifies the maximum number of connections the port can have before the AX device resumes use of the port. You can specify 1-1048575 connections. The no-logging option disables logging for the feature.

[no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging]
    Limits the rate of new connections the AX device is allowed to send to ports that use this template. When a real port reaches its connection limit, the AX device stops selecting the port to serve client requests.
    connections: Maximum number of new connections allowed on the port. You can specify 1-1048575 connections.
    per {100ms | 1sec}: Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals (1sec).
    The no-logging option disables logging for the feature.

[no] dest-nat
    Enables destination Network Address Translation (NAT) on ports that use this template. Destination NAT is enabled by default, but is automatically disabled in Direct Server Return (DSR) configurations. You can re-enable destination NAT on individual ports for deployment of mixed DSR configurations, which use backup servers across Layer 3 (in different subnets).

[no] dscp number
    Sets the differentiated services code point (DSCP) value in the IP header of a client request before sending the request to ports that use this template. The number specifies the DSCP value and can be 1-63. By default, DSCP is not set by the AX device.

[no] dynamic-member-priority num decrement delta
    Configure service-group priority settings for ports on dynamically created servers. The num option sets the initial TTL for dynamically created service-group members, and can be 1-16. The delta option specifies how much to decrement the TTL if the IP address is not included in the DNS reply, and can be 0-7. When configuring the service group, add the port template to the member.

[no] health-check [monitor-name]
    Enables health monitoring of ports that use this template. The monitor-name specifies the name of a configured health monitor.

[no] inband-health-check [retry maximum-retries] [reassign maximum-reassigns]
    Supplements the standard Layer 4 health checks by using client-server traffic to check the health of service ports.
    retry maximum-retries: Each client-server session has its own retry counter. The AX device increments a session's retry counter each time a SYN ACK is late. If the retry counter exceeds the configured maximum number of retries allowed, the AX device sends the next SYN for the session to a different server. The AX device also resets the retry counter to 0. You can set the retry counter to 0-7 retries.
    reassign maximum-reassigns: Each real port has its own reassign counter. Each time the retry counter for any session is exceeded, the AX device increments the reassign counter for the server port. If the reassign counter exceeds the configured maximum number of reassignments allowed, the AX device marks the port down. In this case, the port remains down until the next time the port successfully passes a standard health check. Once the port passes a standard health check, the AX device starts using the port again and resets the reassign counter to 0. You can set the reassign counter to 0-255 reassignments. The default is 25 reassignments.
    Note: A10 Networks recommends that you continue to use standard Layer 4 health monitoring even if you enable in-band health monitoring. Without standard health monitoring, a server port marked down by an in-band health check remains down.

[no] slow-start [from starting-conn-limit] [times scale-factor | add conn-incr] [every interval] [till ending-conn-limit]
    Provides time for real ports that use the template to ramp-up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports.
    from starting-conn-limit: Maximum number of concurrent connections to allow on the service port after it first comes up. You can specify from 1-4095 concurrent connections. The default is 128.
    times scale-factor | add conn-incr: Amount by which to increase the maximum number of concurrent connections allowed. You can use one of the following methods to specify the increment:
        times scale-factor: The scale factor is the number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the AX device increases the connection limit to 256 after the first ramp-up interval. The scale factor can be 2-10. The default is 2.
        add conn-incr: As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow. You can specify 1-4095 new connections.
    every interval: Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds. The ramp-up interval can be 1-60 seconds. The default is 10 seconds.
    till ending-conn-limit: Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server. You can specify from 1-65535 connections. The default is 4096.
    Note: If a normal runtime connection limit is also configured (for example, by the conn-limit command), and the normal connection limit is smaller than the slow-start ending connection limit, the AX device limits slow-start connections to the maximum allowed by the normal connection limit.

source-nat pool-name
    Specifies the IP NAT pool to use for assigning source IP addresses to client traffic sent to ports that use this template. When the AX device performs NAT for a port that is bound to the template, the device selects an IP address from the pool.

[no] weight number
    Specifies the load-balancing preference for ports that use this template. You can specify 1-100. A higher weight gives more favor to the server and port relative to the other servers and ports. Default is 1. This option applies only to the weighted-least-connection, service-weighted-least-connection, and weighted-rr (weighted round robin) load-balancing methods.

Default
The AX device has a default real port template, called "default". The default port template has the same default settings as the individual parameters you can configure in the template. Here are the defaults:
    conn-limit: 8000000 (8 million)
    conn-rate-limit: Not set; when enabled, the default sampling rate is per 1-sec.
    dest-nat: Not set
    dscp: Not set
    dynamic-member-priority: priority 16 and delta 0
    health-check: If you omit this command or you enter it without the monitor-name option, the default TCP or UDP health monitor is used:
        TCP: Every 30 seconds, the AX device sends a connection request (TCP SYN) to the specified TCP port on the server. The port passes the health check if the server replies to the AX device by sending a TCP SYN ACK.
        UDP: Every 30 seconds, the AX device sends a packet with a valid UDP header and a garbage payload to the UDP port. The port passes the health check if the server either does not reply, or replies with any type of packet except an ICMP Error message.
    inband-health-check: Disabled. When enabled, the feature has the following defaults: maximum-retries 2; maximum-reassigns 25.
    slow-start: Not set
    source-nat: Not set
    weight: 1

Mode
Configuration mode

Usage
The normal form of this command creates a real port template. The no form of this command removes the template.

You can bind only one real port template to a real port. However, you can bind the real port template to multiple real ports.

Some of the parameters that can be set using a template can also be set or changed on the individual port.
    If a parameter is set (or changed from its default) in both a template and on the individual port, the setting on the individual port takes precedence.
    If a parameter is set (or changed from its default) in a template but is not set or changed from its default on the individual port, the setting in the template takes precedence.

If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active connections.

Example
The following commands configure a real port template named common-rpsettings, enable slow-start in the template, and bind the template to a real port:

AX(config)#slb template port common-rpsettings
AX(config-rport)#slow-start from 256
AX(config-rport)#exit
AX(config)#slb server rs1 10.1.1.2
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#template port common-rpsettings
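The two counters behind inband-health-check (one retry counter per session, one reassign counter per real port) are described earlier in this section; the following added example, which is not A10 code, models them as a small state machine. The port names are constructed, and picking the next port in list order when a session is moved is an assumption, since on the device the choice follows the load-balancing method.

```python
"""Model of the in-band health-check counters (added example, not AX code).

Assumption: when a session is moved, the next port in list order that is still
up is chosen. Port and session names are constructed.
"""


class InbandMonitor:
    def __init__(self, ports, max_retries=2, max_reassigns=25):
        if not 0 <= max_retries <= 7:
            raise ValueError("retry must be 0-7")
        if not 0 <= max_reassigns <= 255:
            raise ValueError("reassign must be 0-255")
        self.ports = list(ports)
        self.max_retries = max_retries
        self.max_reassigns = max_reassigns
        self.reassigns = {p: 0 for p in self.ports}   # one counter per real port
        self.down = set()                             # ports marked down in-band
        self.retries = {}                             # one counter per session
        self.assigned = {}                            # session -> current port

    def open_session(self, session, port):
        self.retries[session] = 0
        self.assigned[session] = port

    def late_syn_ack(self, session):
        """Record a late SYN ACK; return the port that gets the next SYN."""
        port = self.assigned[session]
        self.retries[session] += 1
        if self.retries[session] <= self.max_retries:
            return port                               # retry on the same port
        # Retry counter exceeded: reset it and charge the real port.
        self.retries[session] = 0
        self.reassigns[port] += 1
        if self.reassigns[port] > self.max_reassigns:
            self.down.add(port)                       # stays down until a standard check passes
        self.assigned[session] = self._other_port(port)
        return self.assigned[session]

    def _other_port(self, current):
        i = self.ports.index(current)
        for candidate in self.ports[i + 1:] + self.ports[:i]:
            if candidate not in self.down:
                return candidate
        return current                                # nothing else is up

    def standard_check_passed(self, port):
        """A passed standard health check restores the port and clears its counter."""
        self.down.discard(port)
        self.reassigns[port] = 0


def demo():
    """Two sessions hit a slow port; returns the ports marked down in-band."""
    mon = InbandMonitor(["rs1:80", "rs2:80"], max_retries=2, max_reassigns=1)
    for session in ("a", "b"):
        mon.open_session(session, "rs1:80")
        for _ in range(3):                            # third late SYN ACK exceeds retry 2
            mon.late_syn_ack(session)
    return sorted(mon.down)


if __name__ == "__main__":
    print(demo())
```

Without a standard health monitor nothing ever calls the equivalent of standard_check_passed, which is why the Note in the command description recommends keeping Layer 4 health monitoring enabled.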

slb template server


Syntax
[no] slb template server template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified real server template, where the following commands are available. (The other commands are common to all CLI configuration levels. See "Config Commands: Global" on page 69.)

[no] conn-limit max-connections [resume connections] [no-logging]
    Specifies the maximum number of connections allowed on real servers that use this template. The max-connections option specifies the maximum number of concurrent connections, 0-1048575. The resume connections option specifies the maximum number of connections the server can have before the AX device resumes use of the server. You can specify 1-1048575 connections. The no-logging option disables logging for the feature.

[no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging]
    Limits the rate of new connections the AX device is allowed to send to servers that use this template. When a real server reaches its connection limit, the AX device stops selecting the server for client requests.
    connections: Maximum of new connections allowed on a server. You can specify 1-1048575 connections.
    per {100ms | 1sec}: Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals.
    The no-logging option disables logging for the feature.

[no] dns-query-interval minutes
    Specifies how often the AX device sends DNS queries for the IP addresses of dynamic real servers. You can specify 1-1440 minutes (one day).

[no] dynamic-server-prefix string
    Specifies the prefix added to the front of dynamically created servers. You can specify a string of 1-3 characters.

[no] health-check [monitor-name]
    Enables health monitoring of ports that use this template. The monitor-name specifies the name of a configured health monitor. If you omit this command or you enter it without the monitor-name option, the default ICMP health monitor is used: an ICMP ping (echo request) is sent every 30 seconds. If the ping fails 2 times consecutively, the AX device sets the server state to DOWN.

[no] max-dynamic-server num
    Specifies the maximum number of dynamic real servers that can be created for a given hostname. You can specify 1-1023.

[no] min-ttl-ratio num
    Specifies the minimum initial value for the TTL of dynamic real servers. The AX device multiplies this value by the TTL in the DNS reply to calculate the minimum TTL value to assign to the dynamically created server. The min-ttl-ratio can be 2-15.

[no] slow-start [from starting-conn-limit] [times scale-factor | add conn-incr] [every interval] [till ending-conn-limit]
    Provides time for real ports that use the template to ramp-up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports.
    from starting-conn-limit: Maximum number of concurrent connections to allow on the server after it first comes up. You can specify from 1-4095 concurrent connections. The default is 128.
    times scale-factor | add conn-incr: Amount by which to increase the maximum number of concurrent connections allowed. You can use one of the following methods to specify the increment:
        times scale-factor: The scale factor is the number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the AX device increases the connection limit to 256 after the first ramp-up interval. The scale factor can be 2-10. The default is 2.
        add conn-incr: As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow. You can specify 1-4095 new connections.
    every interval: Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds. The ramp-up interval can be 1-60 seconds. The default is 10 seconds.
    till ending-conn-limit: Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server. You can specify from 1-65535 connections. The default is 4096.
    Note: If a normal runtime connection limit is also configured on the server (for example, by the conn-limit command), and the normal connection limit is smaller than the slow-start ending connection limit, the AX device limits slow-start connections to the maximum allowed by the normal connection limit.

Default
The AX device has a default real server template, called "default". The default server template has the same default settings as the individual parameters you can configure in the template. Here are the defaults:
    conn-limit: 8000000 (8 million)
    conn-rate-limit: Not set; when enabled, the default sampling rate is per 1-sec.
    dns-query-interval: 10 minutes
    dynamic-server-prefix: DRS (for Dynamic Real Servers)
    health-check: If you omit this command or you enter it without the monitor-name option, the default ICMP health monitor is used. An ICMP ping (echo request) is sent every 30 seconds. If the ping fails 2 times consecutively, the AX device sets the server state to DOWN.
    max-dynamic-server: 255
    min-ttl-ratio: 2
    slow-start: Not set

Mode
Configuration mode

Usage
The normal form of this command creates a real server template. The no form of this command removes the template.

You can bind only one real server template to a real server. However, you can bind the real server template to multiple real servers.

Some of the parameters that can be set using a template can also be set or changed on the individual server.
    If a parameter is set (or changed from its default) in both a template and on the individual server, the setting on the individual server takes precedence.
    If a parameter is set (or changed from its default) in a template but is not set or changed from its default on the individual server, the setting in the template takes precedence.

If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active connections.

Example
The following commands configure a real server template called rs-tmplt1 and bind the template to two real servers:

AX(config)#slb template server rs-tmplt1
AX(config-rserver)#health-check ping2
AX(config-rserver)#conn-limit 500000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1

Example
The following commands configure hostname server parameters in a server port template and a server template:

AX(config)#slb template port temp-port
AX(config-rport)#dynamic-member-priority 12
AX(config-rport)#exit
AX(config)#slb template server temp-server
AX(config-rserver)#dns-query-interval 5
AX(config-rserver)#min-ttl-ratio 3
AX(config-rserver)#max-dynamic-server 16
AX(config-rserver)#exit
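The slow-start option described for both the real port template and the real server template can be checked before deployment by working out the ramp it produces. The following added example is not A10 code: it assumes the times factor is applied again at every interval and that times and add are alternatives, and the function and parameter names are illustrative.

```python
"""Slow-start ramp calculator (added example, not AX code).

Assumptions: the `times` factor is applied again at every interval, `times`
and `add` are alternatives, and a configured conn-limit caps the ramp as the
Note in the command description says. Ranges and defaults are the ones the
page gives; conn-limit 0 is not modelled.
"""


def slow_start_schedule(start=128, times=None, add=None, every=10,
                        till=4096, conn_limit=None):
    """Return (steps, end_seconds).

    steps is a list of (seconds_after_service_up, max_concurrent_connections).
    end_seconds is when the final ramp-up interval ends and slow start stops
    limiting connections.
    """
    if times is not None and add is not None:
        raise ValueError("use either times or add, not both")
    if times is None and add is None:
        times = 2                                   # default scale factor
    ranges = {"from": (start, 1, 4095),
              "every": (every, 1, 60),
              "till": (till, 1, 65535)}
    if times is not None:
        ranges["times"] = (times, 2, 10)
    if add is not None:
        ranges["add"] = (add, 1, 4095)
    if conn_limit is not None:
        ranges["conn-limit"] = (conn_limit, 1, 1048575)
    for name, (value, low, high) in ranges.items():
        if not low <= value <= high:
            raise ValueError(f"{name} must be {low}-{high}, got {value}")

    # The normal connection limit wins when it is below the ending limit.
    cap = till if conn_limit is None else min(till, conn_limit)
    limit = min(start, cap)
    elapsed = 0
    steps = [(elapsed, limit)]
    while limit < cap:
        elapsed += every
        grown = limit + add if add is not None else limit * times
        limit = min(grown, cap)
        steps.append((elapsed, limit))
    return steps, elapsed + every


if __name__ == "__main__":
    # "slow-start from 256", as in the real port template example on the page.
    for seconds, allowed in slow_start_schedule(start=256)[0]:
        print(f"t={seconds:>3}s  limit={allowed}")
```

With the page's defaults the limit reaches 4096 after 50 seconds and slow start ends at 60 seconds; a conn-limit of 1000 would stop the ramp at 1000 instead.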


slb template server-ssl


Description
Configure the AX device to validate real servers based on their certificates.

Syntax
[no] slb template server-ssl template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified server-SSL template, where the following commands are available. (The other commands are common to all CLI configuration levels. See "Config Commands: Global" on page 69.)

[no] ca-cert certificate-name
    Name of the CA certificate.

[no] cipher
    Specifies the cipher suite to support for certificates from servers:
        SSL3_RSA_DES_192_CBC3_SHA
        SSL3_RSA_DES_40_CBC_SHA
        SSL3_RSA_DES_64_CBC_SHA
        SSL3_RSA_RC4_128_MD5
        SSL3_RSA_RC4_128_SHA
        SSL3_RSA_RC4_40_MD5
        TLS1_RSA_AES_128_SHA
        TLS1_RSA_AES_256_SHA
        TLS1_RSA_EXPORT1024_RC4_56_MD5
        TLS1_RSA_EXPORT1024_RC4_56_SHA

Default
The configuration does not have a default server-side SSL template. If you create one, all the cipher suite options listed in the Syntax section are enabled by default.

Mode
Configuration mode

Usage
The normal form of this command creates a server-SSL configuration template. The no form of this command removes the template.

The certificate must be imported onto the AX Series. To import a certificate, use the import or slb ssl-load command. They are equivalent. (See "import" on page 57 or "slb ssl-load" on page 300.)

You can bind only one server-SSL template to a virtual port. However, you can bind the same server-SSL template to multiple ports.

If you add, remove, or replace a certificate in a server-SSL template that is already bound to a VIP, the AX device does not use the changes. To change the certificates in a server-SSL template, unbind the template from the VIP and delete the template. Configure a new template with the changed certificates and bind the new template to the VIP.
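Because all ten listed cipher suites are enabled when a server-SSL template is created, a new template offers export-grade, single-DES and RC4 suites to real servers until they are removed. The following added example, which is not A10 code, audits one template and lists what is still enabled and weak; the line form `no cipher <suite>` for disabling a single suite and the sample configuration are assumptions.

```python
"""Audit the cipher suites of a server-SSL template (added example).

The suite names are the ten listed on the page, all enabled by default.
Assumption: a line `no cipher <suite>` inside the template disables one suite
and `cipher <suite>` enables it again. SAMPLE_TEMPLATE is constructed.
"""
import re

PAGE_SUITES = (
    "SSL3_RSA_DES_192_CBC3_SHA",
    "SSL3_RSA_DES_40_CBC_SHA",
    "SSL3_RSA_DES_64_CBC_SHA",
    "SSL3_RSA_RC4_128_MD5",
    "SSL3_RSA_RC4_128_SHA",
    "SSL3_RSA_RC4_40_MD5",
    "TLS1_RSA_AES_128_SHA",
    "TLS1_RSA_AES_256_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_MD5",
    "TLS1_RSA_EXPORT1024_RC4_56_SHA",
)


def weaknesses(suite):
    """Return the reasons a suite is weak, decoded from its name."""
    reasons = []
    if "EXPORT" in suite or "_40_" in suite:
        reasons.append("export-grade key length")
    if "_RC4_" in suite:
        reasons.append("RC4 stream cipher")
    if re.search(r"_DES_(40|64)_", suite):
        reasons.append("single DES")
    if "_DES_192_CBC3_" in suite:
        reasons.append("3DES (64-bit block)")
    if suite.endswith("_MD5"):
        reasons.append("MD5 MAC")
    return reasons


def audit(template_text):
    """Return (weak, removal_lines) for the text of one server-SSL template.

    weak maps each enabled weak suite to its reasons, in the page's order.
    removal_lines are the lines that would leave only the AES suites.
    """
    enabled = set(PAGE_SUITES)                  # page: everything on by default
    for raw in template_text.splitlines():
        match = re.fullmatch(r"\s*(no\s+)?cipher\s+(\S+)\s*", raw)
        if not match:
            continue                            # ca-cert and other lines
        negated, suite = match.group(1), match.group(2)
        if suite not in PAGE_SUITES:
            raise ValueError(f"unknown cipher suite: {suite}")
        if negated:
            enabled.discard(suite)
        else:
            enabled.add(suite)
    weak = {s: weaknesses(s) for s in PAGE_SUITES
            if s in enabled and weaknesses(s)}
    return weak, [f"no cipher {s}" for s in weak]


# Constructed sample: the export suites were removed, the rest left at default.
SAMPLE_TEMPLATE = """\
slb template server-ssl backend-tls
   ca-cert corp-root-ca
   no cipher SSL3_RSA_DES_40_CBC_SHA
   no cipher SSL3_RSA_RC4_40_MD5
   no cipher TLS1_RSA_EXPORT1024_RC4_56_MD5
   no cipher TLS1_RSA_EXPORT1024_RC4_56_SHA
"""

if __name__ == "__main__":
    still_weak, fix = audit(SAMPLE_TEMPLATE)
    for name, why in still_weak.items():
        print(f"{name}: {', '.join(why)}")
    print("\n".join(fix))
```

Only TLS1_RSA_AES_128_SHA and TLS1_RSA_AES_256_SHA come out of the audit without a finding; every suite in the list uses RSA key exchange, so none provides forward secrecy.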

slb template sip (SIP over UDP)


Description
Configure separate load balancing of Session Initiation Protocol (SIP) registration traffic and non-registration traffic for SIP clients.

Note: Except for the timeout command, none of the commands in this section are applicable to SIP over TCP/TLS. To configure a template for SIP over TCP/TLS, see "slb template sip (SIP over TCP/TLS)" on page 360.

Syntax
[no] slb template sip template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified SIP template, where the following commands are available:

[no] header-erase string
    Erases the specified SIP header from the SIP request before sending it to a SIP Registrar. Header names can be 1-255 characters long.

[no] header-insert string
    Inserts the specified SIP header into the SIP request before sending it to a SIP Registrar. Header names can be 1-255 characters long.

[no] header-replace string new-string
    Replaces the specified SIP header in the SIP request before sending it to a SIP Registrar. Header names can be 1-255 characters long.

[no] pass-real-server-ip-for-acl acl-id
    Disables reverse NAT based on the IP addresses in an extended ACL. This command is useful in cases where a SIP server needs to reach another server, and the traffic must pass through the AX device.

[no] registrar service-group group-name
    Specifies the name of a service group of SIP Registrar servers.

[no] timeout minutes
    Specifies the number of minutes a call can remain idle before the AX Series terminates it. You can specify 1-250 minutes.

Default
The configuration does not have a default SIP over UDP template. If you create one, the default timeout is 30 minutes. The other parameters are unset by default.

Mode
Configuration mode

Usage
The normal form of this command creates a SIP configuration template. The no form of this command removes the template.

You can bind only one SIP template to a virtual port. However, you can bind the same SIP template to multiple ports.

Example
The following commands configure a SIP template named Registrar_template:

AX(config)#slb template sip Registrar_template
AX(config-SIP LB template)#registrar service-group Registrar_gp
AX(config-SIP LB template)#header-insert Max-Forwards:22
AX(config-SIP LB template)#header-replace Max-Forwards 15
AX(config-SIP LB template)#header-erase Contact


slb template sip (SIP over TCP/TLS)


Description Configure separate load balancing of Session Initiation Protocol (SIP) registration traffic and non-registration traffic for SIP over TCP/TLS. Note: Except for the timeout command, none of the commands in this section are applicable to SIP over UDP. To configure a template for SIP over UDP, see slb template sip (SIP over UDP) on page 358. [no] slb template sip template-name Parameter template-name Description Name of the template, 1-31 characters.

Syntax

This command changes the CLI to the configuration level for the specified SIP template, where the following commands are available: Command [no] clientkeep-alive Description Enables the AX device to respond to SIP pings from clients on behalf of SIP servers. When this option is enabled, the AX device responds to a SIP ping from a client with a pong. This option is disabled by default.

Note:

If connection reuse is configured, even if client keepalive is disabled, the AX device will respond to a client SIP ping with a pong. [no] excludetranslation {body | header string | start-line}

Disables translation of the virtual IP address and virtual port in specific portions of SIP messages: body Does not translate virtual IP addresses and virtual ports in the body of the message. header string Does not translate virtual IP addresses and virtual ports in the specified header. start-line Does not translate virtual IP addresses and virtual ports in the SIP request line or status line.

Note:

Regardless of the settings for this option, the AX device never translates addresses in Call-ID or X-Forwarded-For headers.
P e r f o r m a n c e b y D e s i g n

360 of 722

Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010

AX Series - Command Line Interface - Reference


[no] insert-client-ip
    Inserts an X-Forwarded-For: IP-address:port header into SIP packets from the client to the SIP server. The header contains the client IP address and source protocol port number. The AX device uses the header to identify the client when forwarding a server reply. This option is disabled by default.

[no] select-client-fail {string | drop}
    Specifies the AX response when selection of a SIP client fails. You can specify one of the following:
    string    Message string to send to the server; for example: 480 Temporarily Unavailable. If the message string contains a blank, use double quotation marks around the string.
    drop      Drops the traffic.

[no] server-keep-alive seconds
    For configurations that use a connection-reuse template, this option specifies how often the AX device sends a SIP ping on each persistent connection. The AX device silently drops the server's reply. If the server does not reply to a SIP ping within the connection-reuse timeout, the AX device closes the persistent connection. (The connection-reuse timeout is configured by the timeout command at the configuration level for the connection-reuse template. See slb template connection-reuse on page 315.) You can specify 5-300 seconds.

    Note: This option is applicable only if the configuration includes a connection-reuse template.

[no] select-server-fail {string | drop}
    Specifies the AX response when selection of a SIP server fails. You can specify one of the following:
    string    Message string to send to the client; for example: 504 Server Time-out. If the message string contains a blank, use double quotation marks around the string.
    drop      Drops the traffic.

[no] timeout minutes
    Specifies the number of minutes a SIP session can remain idle before the AX device terminates it. You can specify 1-250 minutes.

Default

The configuration does not have a default SIP over TCP/TLS template. If you create one, the template has the following default settings, for the parameters that are applicable to SIP over TCP/TLS:

client-keep-alive      Disabled
exclude-translation    Not set. The AX device does not translate addresses in any header except the top Via header.
insert-client-ip       Disabled
select-client-fail     Not set. The AX device resets the connection.
server-keep-alive      30
select-server-fail     Not set. The AX device resets the connection.
timeout                30

Mode

Configuration mode

Usage

The normal form of this command creates a SIP configuration template. The no form of this command removes the template.

You can bind only one SIP template to a virtual port. However, you can bind the same SIP template to multiple ports.

Example

The following commands configure a SIP over TCP/TLS template:

AX(config)#slb template sip siptls-tmplt
AX(config-SIP LB template)#insert-client-ip
AX(config-SIP LB template)#client-keep-alive
AX(config-SIP LB template)#select-client-fail "480 Temporarily Unavailable"
AX(config-SIP LB template)#select-server-fail "504 Server Time-out"
AX(config-SIP LB template)#exclude-translation header Authentication

slb template smtp


Description

Configure STARTTLS support for Simple Mail Transfer Protocol (SMTP) clients.

Syntax

[no] slb template smtp template-name

Parameter        Description
template-name    Name of the template, 1-31 characters long.

This command changes the CLI to the configuration level for the specified SMTP template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command          Description

[no] client-domain-switching {starts-with | contains | ends-with} string service-group group-name
    Selects a service group based on the domain of the client. You can specify all or part of the client domain name. This command is applicable when you have multiple SMTP service groups.
    starts-with string    Matches only if the client's domain name starts with string.
    contains string       Matches if the string appears anywhere within the domain name of the client.
    ends-with string      Matches only if the client's domain name ends with string.

[no] command-disable [vrfy] [expn] [turn]
    Disables support of the specified SMTP commands. If a client tries to issue a disabled SMTP command, the AX sends the following message to the client:
    502 - Command not implemented
    If you enter this command without specifying a command name, all the listed SMTP commands (VRFY, EXPN, and TURN) are disabled.

[no] server-domain name
    Specifies the email server domain. This is the domain for which the AX Series device provides SMTP load balancing.

[no] service-ready-message string
    Specifies the text of the SMTP service-ready message sent to clients. The complete message sent to the client is constructed as follows:
    200 - smtp-domain service-ready-string

starttls {disable | optional | enforced}
    Specifies whether use of STARTTLS by clients is required:
    disable     Clients cannot use STARTTLS. Use this option if you need to disable STARTTLS support but you do not want to remove the configuration.
    optional    Clients can use STARTTLS but are not required to do so.
    enforced    Before any mail transactions are allowed, the client must issue the STARTTLS command to establish a secured session. If the client does not issue the STARTTLS command, the AX sends the following message to the client: "530 - Must issue a STARTTLS command first"

Default

The configuration has a default SMTP template, with the following settings:

client-domain-switching    Not set. All client domains match, and any service group can be used.
command-disable            VRFY, EXPN, and TURN are enabled.
server-domain              mail-server-domain
service-ready-message      "ESMTP mail service ready"
starttls                   disabled


To display the default SMTP template settings, use the show slb template smtp default command.

Usage

The normal form of this command creates an SMTP template. The no form of this command removes the template.

You can bind only one SMTP template to a virtual port. However, you can bind the same SMTP template to multiple ports.

The starts-with, contains, and ends-with options are always applied in the following order, regardless of the order in which the commands appear in the configuration. The service group for the first match is used.

starts-with
contains
ends-with

If a template has more than one command with the same option (starts-with, contains, or ends-with) and a client domain matches on more than one of them, the most-specific match is always used.

If a contains rule and an ends-with rule match on exactly the same string, the ends-with rule is used, because it has the more specific match.

Here is an example of a set of client-domain-switching rules in an SMTP template. The numbers to the right indicate the precedence of the rules when matching on client domain name localhost. In this case, the last rule is the best match and will be used.

client-domain-switching contains localhost service-group sg-a       (4)
client-domain-switching contains local service-group sg-b           (5)
client-domain-switching ends-with host service-group sg-c           (6)
client-domain-switching ends-with localhost service-group sg-d      (3)
client-domain-switching starts-with local service-group sg-e        (2)
client-domain-switching starts-with localhost service-group sg-f    (1)
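The precedence rules above, worked through in Python as an added example; it is not part of the A10 manual and is not ACOS code. The function names are constructed, and the ordering is a reading of the text: starts-with, then contains, then ends-with, longest string first within an option, with an ends-with rule placed ahead of a contains rule on exactly the same string.

```python
import re

# Rules copied from the manual's example above.
MANUAL_RULES = """\
client-domain-switching contains localhost service-group sg-a
client-domain-switching contains local service-group sg-b
client-domain-switching ends-with host service-group sg-c
client-domain-switching ends-with localhost service-group sg-d
client-domain-switching starts-with local service-group sg-e
client-domain-switching starts-with localhost service-group sg-f
"""

RULE_RE = re.compile(
    r"client-domain-switching\s+(starts-with|contains|ends-with)\s+(\S+)"
    r"\s+service-group\s+(\S+)"
)

# One predicate per match option: (client domain, rule string) -> bool.
MATCHES = {
    "starts-with": lambda domain, s: domain.startswith(s),
    "contains": lambda domain, s: s in domain,
    "ends-with": lambda domain, s: domain.endswith(s),
}


def parse_rules(text):
    """Return (option, string, service_group) tuples found in template text."""
    return [m.groups() for m in RULE_RE.finditer(text)]


def rank_matches(rules, domain):
    """Return the rules that match `domain`, best match first.

    Assumption (interpretation of the manual, not vendor code): configuration
    order is ignored; only option type and string length decide precedence.
    """
    hits = [r for r in rules if MATCHES[r[0]](domain, r[1])]

    def by_option(option):
        # Most-specific (longest) string first within one option.
        return sorted((r for r in hits if r[0] == option),
                      key=lambda r: -len(r[1]))

    ends = by_option("ends-with")
    ranked = by_option("starts-with")
    for rule in by_option("contains"):
        # An ends-with rule on exactly the same string is the more specific
        # match, so it goes in front of the contains rule.
        ranked += [e for e in ends if e[1] == rule[1] and e not in ranked]
        ranked.append(rule)
    ranked += [e for e in ends if e not in ranked]
    return ranked


def select_service_group(rules, domain):
    """Service group of the best matching rule, or None if nothing matches."""
    ranked = rank_matches(rules, domain)
    return ranked[0][2] if ranked else None


if __name__ == "__main__":
    rules = parse_rules(MANUAL_RULES)
    for position, (option, string, group) in enumerate(
            rank_matches(rules, "localhost"), 1):
        print(f"({position}) {option} {string} -> {group}")
```

Running the resolver over a template before deployment shows which service group each client domain will actually reach, which matters when a broad contains rule would otherwise be assumed to win over a narrower one.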

Example

The following commands configure an SMTP template named secure-mail. The template enforces use of STARTTLS by mail clients, disables client use of certain SMTP commands, and directs clients to a service group based on client domain.

AX(config)#slb template smtp secure-mail
AX(config-SMTP template)#starttls enforced
AX(config-SMTP template)#command-disable expn turn vrfy
AX(config-SMTP template)#client-domain-switching contains hq service-group smtp-sg1
AX(config-SMTP template)#client-domain-switching contains northdakota service-group smtp-sg2
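An added example, not part of the A10 manual and not A10 tooling: a check that reads SMTP template commands in the form shown in this section and flags templates that keep the defaults listed above (starttls disabled; VRFY, EXPN, and TURN enabled). The function names, the relay-tmpl template, and the treatment of a bare no command-disable as re-enabling all three commands are assumptions.

```python
import re

# Strips a CLI prompt such as "AX(config-SMTP template)#" when present, so the
# same parser accepts pasted sessions and plain command lines.
PROMPT_RE = re.compile(r"^\s*\S*\([^)]*\)#\s*")
SMTP_COMMANDS = {"vrfy", "expn", "turn"}

# Constructed sample session; the first two templates follow the manual's
# examples, relay-tmpl is made up for this illustration.
SAMPLE_SESSION = """\
AX(config)#slb template smtp secure-mail
AX(config-SMTP template)#starttls enforced
AX(config-SMTP template)#command-disable expn turn vrfy
AX(config-SMTP template)#exit
AX(config)#slb template smtp smtp-domain
AX(config-SMTP template)#client-domain-switching starts-with smb service-group smtp-sg1
AX(config-SMTP template)#exit
AX(config)#slb template smtp relay-tmpl
AX(config-SMTP template)#starttls optional
AX(config-SMTP template)#command-disable
"""


def parse_smtp_templates(text):
    """Return {name: {"starttls": mode, "disabled": set of SMTP commands}}."""
    templates, current = {}, None
    for raw in text.splitlines():
        words = PROMPT_RE.sub("", raw).split()
        negate = bool(words) and words[0].lower() == "no"
        if negate:
            words = words[1:]
        if not words:
            continue
        keys = [w.lower() for w in words]
        if keys[:3] == ["slb", "template", "smtp"] and len(words) == 4:
            name = words[3]
            if negate:                      # "no slb template smtp NAME"
                templates.pop(name, None)
                current = None
            else:                           # new templates start at defaults
                current = templates.setdefault(
                    name, {"starttls": "disable", "disabled": set()})
        elif keys[0] in ("slb", "exit", "end"):
            current = None                  # left the SMTP template level
        elif current is None:
            continue
        elif keys[0] == "starttls" and len(keys) == 2 and not negate:
            current["starttls"] = keys[1]
        elif keys[0] == "command-disable":
            args = set(keys[1:])
            # No argument means all three commands, as the manual states.
            named = args & SMTP_COMMANDS if args else set(SMTP_COMMANDS)
            if negate:
                current["disabled"] -= named
            else:
                current["disabled"] |= named
    return templates


def audit(templates):
    """Return (template, setting, message) findings, sorted by template name."""
    findings = []
    for name, tmpl in sorted(templates.items()):
        if tmpl["starttls"] != "enforced":
            findings.append((name, "starttls",
                             f"starttls is '{tmpl['starttls']}': clients are "
                             "not required to negotiate TLS before sending mail"))
        enabled = SMTP_COMMANDS - tmpl["disabled"]
        if enabled:
            findings.append((name, "command-disable",
                             "still enabled: "
                             + ", ".join(sorted(c.upper() for c in enabled))))
    return findings


if __name__ == "__main__":
    for name, setting, message in audit(parse_smtp_templates(SAMPLE_SESSION)):
        print(f"{name}: {setting}: {message}")
```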


Example

The following commands configure an SMTP template called smtp-domain. The template uses client domain switching to select a service group based on the email client's domain. Clients from any domain that starts with smb are sent to service group smtp-sg1. Clients whose domain name does not start with smb and whose domain name contains company1 are sent to service group smtp-sg2. Clients whose domain name does not match on the starts-with or contains strings and ends with .com are sent to service group smtp-sg3.

AX(config)#slb template smtp smtp-domain
AX(config-SMTP template)#client-domain-switching starts-with smb service-group smtp-sg1
AX(config-SMTP template)#client-domain-switching contains company1 service-group smtp-sg2
AX(config-SMTP template)#client-domain-switching ends-with .com service-group smtp-sg3

slb template streaming-media


Description

Configure load balancing of multimedia content.

Syntax

[no] slb template streaming-media template-name

Parameter        Description
template-name    Name of the template, 1-31 characters long.

This command changes the CLI to the configuration level for the specified streaming-media template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command          Description

[no] uri-switching stream uri-string service-group group-name
    Specifies the service group to which to send requests for the URI.

    Note: This option is supported only for Windows Media Server.

Default

The configuration does not have a default streaming-media template.

If the URI string in a request does not match any uri-switching stream commands in the template, by default the request is sent to the service group that is bound to the virtual port.

Mode

Configuration mode

Usage

The normal form of this command creates a streaming-media template. The no form of this command removes the template.

You can bind only one streaming-media template to a virtual port. However, you can bind the same streaming-media template to multiple ports.

Example

The following command creates a streaming-media template named media1:

AX(config)#slb template streaming-media media1
AX(config-Streaming-media-template)#

slb template tcp


Description

Configure TCP connection settings.

Syntax

[no] slb template tcp template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified TCP template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command          Description

[no] half-close-idle-timeout seconds
    Enables aging of half-closed TCP sessions. A half-closed TCP session is a session in which the server sends a FIN but the client does not reply with an ACK. You can set the timeout to 60-15000 seconds.

[no] idle-timeout seconds
    Specifies the number of seconds a connection can remain idle before the AX Series device terminates it. You can specify 60-120000 seconds (about 33 hours). Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the AX device rounds to the nearest multiple of 60. For example, if you enter 70, the actual timeout is 60 seconds.

[no] initial-window-size bytes
    Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK. You can set the initial TCP window size to 1-65535 bytes. The initial TCP window size applies only to the SYN ACKs sent to the client. After the SYN ACK, the AX device does not modify the TCP window size for any other packets in the session.

[no] reset-fwd
    Sends a TCP RST to the real server after a session times out.

[no] reset-rev
    Sends a TCP RST to the client after a session times out.

Note: If the server is Down, the reset-rev option immediately sends the RST to the client and does not wait for the session to time out.

Default

The configuration has a default TCP template, with the following default settings:

half-close-idle-timeout    Not set. The AX device keeps half-closed sessions open indefinitely.
idle-timeout               120 seconds
initial-window-size        By default, the AX device uses the TCP window size set by the client or server. The initial TCP window size applies to SYN ACKs generated by the AX device and sent to clients. By default, the AX device uses the TCP window size in the client's SYN.

    Note: If SYN cookies are enabled, either globally or on the virtual service port, the AX device acts as a TCP proxy even though the service type is not normally proxied. In this case, the behavior is the same as for any of the other service types TCP proxied by the AX device.

reset-fwd                  Disabled
reset-rev                  Disabled

Mode

Configuration mode

Usage

The normal form of this command creates a TCP configuration template. The no form of this command removes the template.

You can bind only one TCP template to a virtual port. However, you can bind the same TCP template to multiple ports.

In AX releases prior to 2.2.2, the reset-rev option sent a RST to a client if a server selection failure occurred. In AX Release 2.2.2 and later, the reset-rev option does not send an RST if a server selection failure occurs. Instead, use the reset-on-server-selection-fail option at the configuration level for the service group or virtual port.

Example

The following commands change the idle timeout in TCP template tcp-tmpl2 to 120 seconds:

AX(config)#slb template tcp tcp-tmpl2
AX(config-L4 TCP LB template)#idle-timeout 120

Example

The following commands configure a TCP template named test that sets the TCP window size to 1460 bytes, and bind the template to virtual service port 22 on virtual server vs1:

AX(config)#slb template tcp test
AX(config-L4 TCP LB template)#initial-window-size 1460
AX(config-L4 TCP LB template)#exit
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 22 tcp
AX(config-slb virtual server-slb virtua...)#template tcp test

slb template tcp-proxy


Description

Configure TCP/IP stack parameters.

Syntax

[no] slb template tcp-proxy template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified TCP-proxy template, where the following commands are available.


(The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command          Description

[no] fin-timeout seconds
    Specifies the number of seconds that a connection can be in the FIN-WAIT or CLOSING state before the AX Series terminates the connection. You can specify 1-60 seconds.

[no] half-close-idle-timeout seconds
    Enables aging of half-closed TCP sessions. A half-closed TCP session is a session in which the server sends a FIN but the client does not reply with an ACK. You can set the timeout to 60-15000 seconds.

[no] idle-timeout seconds
    Specifies the number of minutes that a connection can be idle before the AX Series terminates the connection. You can specify 60-120000 seconds (about 33 hours). Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the AX device rounds to the nearest multiple of 60. For example, if you enter 70, the actual timeout is 60 seconds.

[no] initial-window-size bytes
    Sets the initial TCP window size in SYN ACK packets to clients. The TCP window size in a SYN ACK or ACK packet specifies the amount of data that a client can send before it needs to receive an ACK. You can set the initial TCP window size to 1-65535 bytes. The initial TCP window size applies only to the SYN ACKs sent to the client. After the SYN ACK, the AX device does not modify the TCP window size for any other packets in the session.

[no] nagle
    Enables Nagle congestion compression (described in RFC 896).

[no] receive-buffer number
    Maximum number of bytes addressed to the port that the AX Series will buffer. You can specify 1-2147483647 bytes.

[no] retransmit-retries number
    Maximum number of times the AX Series can retransmit a data segment for which the AX Series does not receive an ACK. You can specify 1-20.

[no] syn-retries number
    Maximum number of times the AX Series can retransmit a SYN for which the AX Series does not receive an ACK. You can specify 1-20.

[no] timewait number
    Specifies the number of seconds that a connection can be in the TIME-WAIT state before the AX Series transitions it to the CLOSED state. You can specify 1-60 seconds.

[no] transmit-buffer number
    Maximum number of bytes sent by the port that the AX Series will buffer. You can specify 1-2147483647 bytes.

Default

The configuration has a default TCP template, with the following default settings:

fin-timeout                5 seconds
half-close-idle-timeout    Not set. The AX device keeps half-closed sessions open indefinitely.
idle-timeout               600 seconds
initial-window-size        By default, the AX device uses the TCP window size set by the client or server.

    If the virtual port is one of the service types that is proxied by the AX device, initial TCP window size applies to SYN ACKs generated by the AX device and sent to clients. By default, the AX device uses the TCP window size in the client's SYN. The following service types are proxied by the AX device: http, https, fast-http, ssl-proxy, and smtp.

    If the virtual port is not one of the service types that is proxied by the AX device (for example, the tcp service type), initial TCP window size applies to SYN ACKs generated by servers and forwarded by the AX device to clients. By default, the AX device uses the TCP window size in the server's SYN ACK.

    Note: If SYN cookies are enabled, either globally or on the virtual service port, the AX device acts as a TCP proxy even though the service type is not normally proxied. In this case, the behavior is the same as for any of the other service types TCP proxied by the AX device.

mss                        538
nagle                      disabled
receive-buffer             87380 bytes
retransmit-retries         3
syn-retries                5
timewait                   5 seconds
transmit-buffer            16384 bytes

Mode

Configuration mode

Usage

The normal form of this command creates a TCP-proxy configuration template. The no form of this command removes the template.

You can bind only one TCP-proxy template to a virtual port. However, you can bind the same TCP-proxy template to multiple ports.

Example

The following commands create a TCP-proxy template named ftp-proxy and set the idle timeout to 240 minutes:

AX(config)#slb template tcp-proxy ftp-proxy
AX(config-TCP proxy template)#idle-timeout 240

slb template udp


Description

Configure UDP connection settings.

Syntax

[no] slb template udp template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified UDP template, where the following commands are available.


(The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command          Description

aging {immediate | short [seconds]}
    Specifies how quickly sessions are terminated when the request is received.
    immediate
    short
    (See Usage below.)

    Note: It is recommended to explicitly set the aging in UDP templates used for DNS virtual ports.

[no] idle-timeout seconds
    Specifies the number of seconds a connection can remain idle before the AX Series terminates it. You can specify 60-120000 seconds (about 33 hours). Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you enter a value that is not a multiple of 60, the AX device rounds to the nearest multiple of 60. For example, if you enter 70, the actual timeout is 60 seconds.

[no] re-select-if-server-down
    Configures the AX device to select another real server if the server that is bound to an active connection goes down. Without this option, another server is not selected.

Default

The configuration has a default UDP template. The template has the following defaults:

aging                       Not set. The idle-timeout value in the template is used instead.
idle-timeout                120 seconds
re-select-if-server-down    disabled

Mode

Configuration mode

Usage

The normal form of this command creates a UDP configuration template. The no form of this command removes the template.

You can bind only one UDP template to a virtual port. However, you can bind the same UDP template to multiple ports.

UDP Session Aging

Table 3 describes UDP session aging in the current release and previous releases.

Note: You can configure aging short or aging immediate, or leave aging unset. Aging short and aging immediate cannot both be enabled.

TABLE 3   UDP Session Aging

Current Release

Aging Configuration    Response Received                         No Response
Aging Short            Session is terminated within 1 second.    Session is terminated after configured short aging period.
Aging Immediate        Session is terminated within 1 second.    Idle timeout value in UDP template is used.
Not Set (Default)      Session is terminated within 1 second.    Idle timeout value in UDP template is used.

If you enable short aging, you can set the aging interval to 1-6 seconds. The default short aging period is 3 seconds.

Example

The following commands create a UDP template named udp-quickterm and set session termination to occur immediately after a response is received:

AX(config)#slb template udp udp-quickterm
AX(config-L4 UDP LB template)#aging immediate

slb template virtual-port


Description

Configure a template of SLB settings for virtual service ports.

Syntax

[no] slb template virtual-port template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified virtual port template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)


Command          Description

[no] conn-limit max-connections [reset] [no-logging]
    Specifies the maximum number of connections allowed on virtual ports that use this template. The max-connections option specifies the maximum number of concurrent connections, 0-8000000.
    The reset option specifies the action to take for connections after the connection limit is reached on the virtual server port. By default, excess connections are dropped. If you change the action to reset, the connections are reset instead. Excess connections are dropped by default.
    The no-logging option disables logging for the feature.

[no] conn-rate-limit connections [per {100ms | 1sec}] [reset] [no-logging]
    Limits the rate of new connections the AX device is allowed to send to virtual service ports that use this template. When a virtual service port reaches its connection limit, the AX device stops selecting the port to serve client requests.
    connections            Maximum of new connections allowed on the virtual service port. You can specify 1-1048575 connections.
    per {100ms | 1sec}     Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals (1sec).
    reset                  Send a reset (RST) to a client after the connection rate has been exceeded. By default (without this option), the AX device silently drops the request.
    If you configure a limit for a virtual server and also for an individual virtual service port, the AX device uses the lower limit.
    The no-logging option disables logging for the feature.

[no] ignore-tcp-msl
    Immediately reuse TCP sockets after session termination, without waiting for the SLB Maximum Session Life (MSL) time to expire. This option is disabled by default.

[no] reset-unknown-conn
    Enables sending of a TCP Reset (RST) in response to a session mismatch. A session mismatch occurs when the AX device receives a TCP packet for a TCP session that is not in the active session table on the AX device. (For more information, see the TCP Reset Option for Session Mismatch section in the Server and Port Templates chapter of the AX Series Configuration Guide.)

Default

The AX device has a default virtual port template, called default. The default virtual port template has the same default settings as the individual parameters you can configure in the template. Here are the defaults:

conn-limit         8000000 (8 million)
conn-rate-limit    Not set; when enabled, the default sampling rate is per 1-sec.

Mode

Configuration mode

Usage

The normal form of this command creates a virtual service port template. The no form of this command removes the template.

You can bind only one virtual service port template to a virtual service port. However, you can bind the virtual service port template to multiple virtual service ports.

Some of the parameters that can be set using a template can also be set or changed on the individual virtual port.

If a parameter is set (or changed from its default) in both a template and on the individual virtual port, the setting on the individual virtual port takes precedence.

If a parameter is set (or changed from its default) in a template but is not set or changed from its default on the individual virtual port, the setting in the template takes precedence.

If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active connections.

Example

The following commands configure a virtual service port template named common-vpsettings, set the connection limit, and bind the template to a virtual port:

AX(config)#slb template virtual-port common-vpsettings
AX(config-Virtual port template)#conn-limit 500000
AX(config-Virtual port template)#exit
AX(config)#slb virtual-server vip1 10.10.10.99
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#template virtual-port common-vpsettings

slb template virtual-server


Syntax

[no] slb template virtual-server template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified virtual server template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command          Description

[no] conn-limit max-connections [reset] [no-logging]
    Specifies the maximum number of connections allowed on virtual servers that use this template. The max-connections option specifies the maximum number of concurrent connections, 0-8000000.
    The reset option specifies the action to take for connections after the connection limit is reached on the virtual server. By default, excess connections are dropped. If you change the action to reset, the connections are reset instead. Excess connections are dropped by default.
    The no-logging option disables logging for the feature.

[no] conn-rate-limit connections [per {100ms | 1sec}] [reset] [no-logging]
    Limits the rate of new connections the AX device is allowed to send to servers that use this template. When a real server reaches its connection limit, the AX device stops selecting the server for client requests.
    connections            Maximum of new connections allowed on a server. You can specify 1-1048575 connections.
    per {100ms | 1sec}     Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals (1sec).
    reset                  Send a reset (RST) to a client after the connection rate has been exceeded. By default (without this option), the AX device silently drops the request.
    If you configure a limit for a server and also for an individual port, the AX device uses the lower limit.
    The no-logging option disables logging for the feature.

[no] icmp-rate-limit normal-rate lockup max-rate lockup-time
    Configures ICMP rate limiting for the virtual server, to protect against denial-of-service (DoS) attacks.
    normal-rate        Maximum number of ICMP packets allowed per second. If the virtual server receives more than the normal rate of ICMP packets, the excess packets are dropped until the next one-second interval begins. The normal rate can be 1-65535 packets per second.
    lockup max-rate    Maximum number of ICMP packets allowed per second before the AX device locks up ICMP traffic to the virtual server. When ICMP traffic is locked up, all ICMP packets are dropped until the lockup expires. The maximum rate can be 1-65535 packets per second. The maximum rate must be larger than the normal rate.
    lockup-time        Number of seconds for which the AX device drops all ICMP traffic to the virtual server, after the maximum rate is exceeded. The lockup time can be 1-16383 seconds.

[no] subnet-gratuitous-arp
    Enable gratuitous ARPs for all VIPs in subnet VIPs. A subnet VIP is a range of VIPs created from a range of IP addresses within a subnet.

Note: This option applies only to VIPs that are created using a range of subnet IP addresses. The option has no effect on VIPs created with a single IP address.

Default

The AX device has a default virtual server template, called default. The default virtual server template has the same default settings as the individual parameters you can configure in the template. Here are the defaults:

conn-limit               8000000 (8 million)
conn-rate-limit          Not set; when enabled, the default sampling rate is per 1-sec.
icmp-rate-limit          Not set. If you enable it, specifying a maximum rate (lockup rate) and lockup time is optional. If you do not specify them, lockup does not occur.
subnet-gratuitous-arp    Disabled. The AX device sends gratuitous ARPs for only the first IP address in a subnet VIP.

Mode

Configuration mode

Usage

The normal form of this command creates a virtual server template. The no form of this command removes the template.

You can bind only one virtual server template to a virtual server. However, you can bind the virtual server template to multiple virtual servers.

Some of the parameters that can be set using a template can also be set or changed on the individual virtual server.

- If a parameter is set (or changed from its default) in both a template and on the individual virtual server, the setting on the individual virtual server takes precedence.
- If a parameter is set (or changed from its default) in a template but is not set or changed from its default on the individual virtual server, the setting in the template takes precedence.

If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active connections.

Example: The following commands configure a virtual server template called vs-tmplt1 that sets ICMP rate limiting, and bind the template to a virtual server:

AX(config)#slb template virtual-server vs-tmplt1
AX(config-vserver)#icmp-rate-limit 25000 lock 30000 60
AX(config-vserver)#exit
AX(config)#slb virtual-server vip1 10.10.10.2
AX(config-slb virtual server)#template virtual-server vs-tmplt1
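The following Python model is an added example, not A10 code: it replays per-second ICMP packet counts through the icmp-rate-limit behaviour described above, using the values from the template example (normal rate 25000, lockup rate 30000, lockup time 60), to show what lockup costs in dropped ICMP once it triggers. Assumptions: the lockup starts with the interval after the one that exceeded the maximum rate, it is not extended by traffic received while it is active, and the traffic series is constructed.

```python
from dataclasses import dataclass
from typing import List, NamedTuple, Optional, Tuple


class Second(NamedTuple):
    passed: int    # ICMP packets forwarded to the virtual server
    dropped: int   # ICMP packets discarded
    locked: bool   # True while the lockup is in force


@dataclass
class IcmpRateLimit:
    normal_rate: int                   # packets per second, 1-65535
    max_rate: Optional[int] = None     # lockup threshold (optional on the device)
    lockup_time: Optional[int] = None  # seconds, 1-16383

    def __post_init__(self) -> None:
        if not 1 <= self.normal_rate <= 65535:
            raise ValueError("normal rate must be 1-65535")
        if self.max_rate is None:
            return  # no lockup configured: only the per-second cap applies
        if not 1 <= self.max_rate <= 65535:
            raise ValueError("maximum rate must be 1-65535")
        if self.max_rate <= self.normal_rate:
            raise ValueError("maximum rate must be larger than the normal rate")
        if self.lockup_time is None or not 1 <= self.lockup_time <= 16383:
            raise ValueError("lockup time must be 1-16383 seconds")

    def simulate(self, arrivals: List[int]) -> List[Second]:
        """arrivals[i] is the ICMP packet count seen in one-second interval i."""
        timeline: List[Second] = []
        lock_left = 0
        for count in arrivals:
            if lock_left > 0:
                # Lockup: every ICMP packet is dropped, legitimate or not.
                timeline.append(Second(0, count, True))
                lock_left -= 1
                continue
            passed = min(count, self.normal_rate)
            timeline.append(Second(passed, count - passed, False))
            # Assumption: exceeding max_rate arms the lockup for the next intervals.
            if self.max_rate is not None and count > self.max_rate:
                lock_left = self.lockup_time
        return timeline


def totals(timeline: List[Second]) -> Tuple[int, int, int]:
    """Return (packets passed, packets dropped, seconds spent locked)."""
    return (
        sum(s.passed for s in timeline),
        sum(s.dropped for s in timeline),
        sum(1 for s in timeline if s.locked),
    )


# Constructed traffic: a ramp that crosses both thresholds, then 61 seconds of
# ordinary ICMP (for example monitoring pings) at 500 packets per second.
TRAFFIC = [10_000, 27_000, 31_000] + [500] * 61


def compare() -> Tuple[Tuple[int, int, int], Tuple[int, int, int]]:
    with_lockup = IcmpRateLimit(25_000, 30_000, 60)  # values from the example above
    cap_only = IcmpRateLimit(25_000)                  # normal rate only, no lockup
    return totals(with_lockup.simulate(TRAFFIC)), totals(cap_only.simulate(TRAFFIC))


if __name__ == "__main__":
    for label, result in zip(("with lockup", "cap only"), compare()):
        print(label, "passed=%d dropped=%d locked_seconds=%d" % result)
```

With lockup configured, the one-second burst above 30000 packets causes the following 60 seconds of low-rate ICMP to be dropped as well, which is the trade-off to weigh when ICMP-based health or reachability monitoring targets the same VIP.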


Config Commands: SLB Servers


This chapter describes the commands for configuring SLB servers. To access this configuration level, enter the slb server server-name command at the global Config level. To display configured servers, use the show slb server command.

Note: The commands in this chapter apply to real servers, not to virtual servers. To configure virtual servers, see "Config Commands: SLB Virtual Servers" on page 403.

This CLI level also has the following commands, which are available at all configuration levels:
- clear: See "clear" on page 50.
- debug: See "debug" on page 53.
- do: See "do" on page 103.
- end: See "end" on page 107.
- exit: See "exit" on page 108.
- no: See "no" on page 134.
- show: See "Show Commands" on page 527.
- write: See "write terminal" on page 67.

conn-limit
Description: Specify the maximum number of concurrent connections allowed on a real server.
Syntax: [no] conn-limit max-connections
Parameters:
max-connections: Maximum number of concurrent connections allowed on the server. You can specify 1-1000000 (one million).
Default: 1000000 (one million).



Mode: Real server
Usage: If you set a connection limit, A10 Networks recommends that you also set the conn-resume interval. (See "conn-resume" on page 382.) You also can set the connection limit on individual protocol ports. In this case, the limit specified for the port overrides the limit set at the server level.
Example: The following command sets the connection limit to 10,000:

AX(config-real server)#conn-limit 10000

conn-resume
Description: Specify the maximum number of connections the server can have before the AX device resumes use of the server. Use does not resume until the number of connections reaches the configured maximum or less.
Syntax: [no] conn-resume connections
Parameters:
connections: Maximum number of connections the server can have before the AX device resumes use of the server. You can specify 1-1000000 (1 million) connections.
Default: By default, this option is not set. The AX device is allowed to start sending new connection requests to the server as soon as the number of connections on the server falls back below the connection limit threshold set by the conn-limit command.
Mode: Real server
Usage: You also can set the conn-resume value on individual protocol ports. In this case, the value specified for the port overrides the value set at the server level.
Example: The following command sets the conn-resume option to 500,000 connections:

AX(config-real server)#conn-resume 500000
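The following Python model is an added example, not A10 code: it shows why conn-limit is paired with conn-resume, by replaying a constructed series of connection counts through the two behaviours described above (resume as soon as the count falls below conn-limit, or resume only at conn-resume or less). The conn-limit of 10000 is taken from the conn-limit example; the conn-resume value of 8000 and the sample counts are assumptions chosen for illustration.

```python
from typing import Iterable, List, Optional


class RealServerGate:
    """Tracks whether a real server is eligible for new connections."""

    def __init__(self, conn_limit: int = 1_000_000,
                 conn_resume: Optional[int] = None) -> None:
        for name, value in (("conn-limit", conn_limit), ("conn-resume", conn_resume)):
            if value is not None and not 1 <= value <= 1_000_000:
                raise ValueError(f"{name} must be 1-1000000")
        self.conn_limit = conn_limit
        self.conn_resume = conn_resume
        self.suspended = False

    def observe(self, current: int) -> bool:
        """Feed the current connection count; return True if selectable."""
        if self.suspended:
            # Default: resume as soon as the count is back below conn-limit.
            threshold = self.conn_limit - 1
            if self.conn_resume is not None:
                # With conn-resume: wait until the count is at that value or less.
                threshold = min(self.conn_resume, threshold)
            if current <= threshold:
                self.suspended = False
        elif current >= self.conn_limit:
            self.suspended = True
        return not self.suspended


def eligibility(gate: RealServerGate, samples: Iterable[int]) -> List[bool]:
    return [gate.observe(count) for count in samples]


def flips(states: List[bool]) -> int:
    """Count in/out-of-rotation transitions, starting from 'eligible'."""
    changes, previous = 0, True
    for state in states:
        if state != previous:
            changes += 1
        previous = state
    return changes


# Constructed samples: a server hovering at its limit, then draining.
SAMPLES = [9990, 10000, 9999, 10000, 9998, 10000, 9000, 7900, 9500, 10000, 8000]


def compare() -> dict:
    no_resume = eligibility(RealServerGate(conn_limit=10_000), SAMPLES)
    with_resume = eligibility(RealServerGate(conn_limit=10_000, conn_resume=8_000), SAMPLES)
    return {
        "no_resume_flips": flips(no_resume),
        "with_resume_flips": flips(with_resume),
        "no_resume_out": no_resume.count(False),
        "with_resume_out": with_resume.count(False),
    }


if __name__ == "__main__":
    print(compare())
```

Without conn-resume the server re-enters rotation every time a single connection closes and is taken out again on the next one; with conn-resume it stays out longer but changes state half as often on this trace.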


disable
Description: Disable a real server.
Syntax: [no] disable
Default: Enabled
Mode: Real server
Example: The following commands disable a server named rs123:

AX(config)#slb server rs123
AX(config-real server)#disable

enable
Description: Re-enable a real server.
Syntax: [no] enable
Default: Enabled
Mode: Real server
Example: The following commands re-enable a disabled server named rs123:

AX(config)#slb server rs123
AX(config-real server)#enable

external-ip
Description: Assign an external Network Address Translation (NAT) IP address to the server. The external IP address allows a server that has an internal IP address to be reached from outside the internal network.
Syntax: [no] external-ip ipaddr
Default: None
Mode: Real server
Example: The following commands configure external IP address 192.168.10.11 on real server rs123:

AX(config)#slb server rs123
AX(config-real server)#external-ip 192.168.10.11

ha-priority-cost
Description: Enable HA priority changes based on the health status of the server.
Syntax: [no] ha-priority-cost weight [ha-group group-id]
Parameters:
weight: Specifies the amount to subtract from the HA group's priority value, if this server or port's health status changes to Down. You can specify 1-255.
ha-group group-id: Specifies the HA group from which to subtract the weight. If you do not specify an HA group ID, the weight is subtracted from all HA groups.
Default: None
Mode: Real server
Usage: If the server or port's status changes back to Up, the weight value is added back to the HA group's priority value. If the HA priority of a group falls below the priority of the same group on the other AX device, HA failover can be triggered.
- The lowest HA priority value a server or port can have is 1.
- If HA weights for an HA group are assigned to both the server and an individual port, and both health checks are unsuccessful, only the server weight is subtracted from the HA group's priority.
- For failover to occur due to HA priority changes, the HA pre-emption option must be enabled.

health-check
Description: Enable health monitoring for a server.
Syntax: [no] health-check [monitor-name]



Parameters:
monitor-name: Name of a configured health monitor. If you omit this command or you enter it without the monitor-name option, the default ICMP health monitor is used. (See below.)
Default: ICMP ping (echo request), sent every 5 seconds. If the ping fails 4 times consecutively (the first attempt followed by 3 retries), the AX device sets the server state to DOWN.
Mode: Real server
Usage: Entering the command at this level enables Layer 3 health checking. The monitor you specify must use the ICMP method.
Example: The following command sets a server to use the RUthere health monitor:

AX(config-real server)#health-check RUthere

ipv6
Description: Assign an IPv6 address to the real server for GSLB.
Syntax: [no] ipv6 ipv6-addr
Default: None
Mode: Real server

port
Description: Configure a TCP or UDP port on a server.
Syntax: [no] port port-num {tcp | udp}
Parameters:
port-num: Protocol port number, 0-65534. Note: Port number 0 is a wildcard port used for IP protocol load balancing. (For more information, see the "IP Protocol Load Balancing" chapter of the AX Series Configuration Guide.)
tcp | udp: Protocol type.



This command changes the CLI to the configuration level for the specified port, where the following port-related commands are available:

[no] conn-limit number
Specifies the maximum number of concurrent connections allowed on the server for this port, 0-1000000 (one million). The default is 1000000.

[no] conn-resume minutes
Specifies the maximum number of connections the service port can have before the AX device resumes use of the port. Use does not resume until the number of connections reaches the configured maximum or less. You can specify 1-1000000 (1 million) connections. By default, this option is not set. The AX device is allowed to start sending new connection requests to the service port as soon as the number of connections on the port falls back below the connection limit threshold set by the conn-limit command.

[no] disable
Disables the port.

[no] enable
Re-enables the port.

[no] ha-priority-cost weight [ha-group group-id]
Enable HA priority changes based on the health status of the port. The weight option specifies the amount to subtract from the HA group's priority value, if this server or port's health status changes to Down. You can specify 1-255. The HA group ID can be 1-31. If you do not specify an HA group ID, the weight applies to all HA groups. By default, this option is not set. (For more information, see "Usage" under "ha-priority-cost" on page 384.)



[no] health-check [monitor-name] [follow-port port-num]
Enables health monitoring of the port. The monitor-name specifies the name of a configured health monitor. If you omit this command or you enter it without the monitor-name option, the default TCP or UDP health monitor is used:
- TCP: Every 5 seconds, the AX device sends a connection request (TCP SYN) to the specified TCP port on the server. The port passes the health check if the server replies to the AX device by sending a TCP SYN ACK.
- UDP: Every 5 seconds, the AX device sends a packet with a valid UDP header and a garbage payload to the UDP port. The port passes the health check if the server either does not reply, or replies with any type of packet except an ICMP Error message.
The follow-port port-num option specifies another real port upon which to base this port's health status. Both the real port and the port to use for the real port's health status must be the same type, TCP or UDP. By default, this option is not set.

[no] no-ssl
Disables SSL for server-side connections. This command is useful if a server-SSL template is bound to the virtual port that uses this real port, and you want to disable encryption on this real port. Encryption is disabled by default, but it is enabled for server-side connections when the real port is used by a virtual port that is bound to a server-SSL template. Using the "double-negative" form of the command (no no-ssl) enables SSL for server-side connections.



stats-data-disable | stats-data-enable
Disable or enable statistical data collection for the port.

[no] template port template-name
Binds a port template to the port. The parameter settings in the template are applied to the port. The real port template named "default" is bound to real ports by default. The parameter settings in the default real port template are automatically applied to the port, unless you bind a different real port template to the port. If a parameter is set individually on this port and also is set in a port template bound to this port, the individual setting on this port is used instead of the setting in the template. To configure a port template, see "slb template port" on page 346.

[no] weight number
Specifies the load-balancing preference for this port, 1-100. A higher weight gives more favor to this server for this port relative to the other servers. Default is 1. This option applies only to the service-weighted-least-connection load-balancing method.

Default: No ports are configured by default. The defaults for the command options are described with the options, above. Statistical data collection of load-balancing resources is enabled by default.
Mode: Real server
Usage: The no form of this command resets the port's connection limit, health monitoring, or weight to its default value. To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See "stats-data-enable" on page 159.)
Example: The following commands configure server terap and add TCP port 69 to the server. The health-check command is not entered, so by default the AX device will check the service port's health by sending a connection request to 69 on terap every 30 seconds.
AX(config)#slb server terap 10.2.4.69
AX(config-real server)#port 69 tcp
AX(config-real server-node port)#

slow-start
Description: Enable slow-start for a server. Slow start allows time for a server to ramp up after the server is enabled or comes online, by temporarily limiting the number of new connections on the server.
Note: It is recommended to configure this feature in the real server template or real port template instead. See the "Behavior When Slow Start Is Also Configured on the Real Server Itself" section in the "Server and Port Templates" chapter of the AX Series Configuration Guide.
Syntax: [no] slow-start
Default: Disabled
Mode: Real server
Usage: Slow-start allows a maximum of 128 new connections during the first 10 seconds. During each subsequent 10-second interval, the total number of concurrent connections allowed to the server is doubled. Thus, during the first 20 seconds, the server is allowed to have a total of 256 concurrent connections. After 59 seconds, slow-start ends the ramp-up and no longer limits the number of concurrent connections. After the ramp-up period ends, the number of new connections is controlled by the conn-limit setting. (See "conn-limit" on page 381 and the description of conn-limit in "port" on page 385.) Slow-start is also configurable in server and port templates. (See "slb template server" on page 352 and "slb template port" on page 346.)
Example: The following command enables slow-start:

AX(config-real server)#slow-start

spoofing-cache
Description: Enable support for a spoofing cache server. A spoofing cache server uses the client's IP address instead of its own as the source address when obtaining content requested by the client.



Syntax: [no] spoofing-cache
Default: Disabled
Mode: Real server
Usage: This command applies to the Transparent Cache Switching (TCS) feature. For more information about TCS, including additional configuration requirements and examples, see the "Transparent Cache Switching" chapter in the AX Series Configuration Guide.
Example: The following commands configure a real server for a spoofing cache server:

AX(config)#slb server cache-rs 110.110.110.10
AX(config-real server)#spoofing-cache
AX(config-real server)#port 80 tcp

stats-data-disable
Description: Disable collection of statistical data for the server.
Syntax: stats-data-disable
Default: Statistical data collection for load-balancing resources is enabled by default.
Mode: Real server

stats-data-enable
Description: Enable collection of statistical data for the server.
Syntax: stats-data-enable
Default: Statistical data collection for load-balancing resources is enabled by default.
Mode: Real server
Usage: To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See "stats-data-enable" on page 159.)


template server
Description: Bind a real server template to the server.
Syntax: [no] template server template-name
Default: The real server template named "default" is bound to servers by default. The parameter settings in the default real server template are automatically applied to the new server, unless you bind a different real server template to the server.
Mode: Real server
Usage: If a parameter is set individually on this server and also is set in a server template bound to this server, the individual setting on this server is used instead of the setting in the template. To configure a real server template, see "slb template server" on page 352.
Example: The following commands configure a real server template called rs-tmplt1 and bind the template to two real servers:

AX(config)#slb template server rs-tmplt1
AX(config-rserver)#health-check ping2
AX(config-rserver)#conn-limit 500000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1

weight
Description: Assign an administrative weight to the server, for weighted load balancing.
Syntax: [no] weight num
Parameters:
num: Administrative weight assigned to the server. You can specify 1-100.
Default: 1
Mode: Real server



Usage: This parameter applies only to the weighted-least-connection and weighted-rr (weighted round robin) load-balancing methods.
Example: The following command assigns a weight of 20 to a server:

AX(config-real server)#weight 20


Config Commands: SLB Service Groups


This chapter describes the commands for configuring SLB service groups. To access this configuration level, enter the slb service-group group-name {tcp | udp} command at the global Config level. To display configured service groups, use the show slb service-group command.

This CLI level also has the following commands, which are available at all configuration levels:
- clear: See "clear" on page 50.
- debug: See "debug" on page 53.
- do: See "do" on page 103.
- end: See "end" on page 107.
- exit: See "exit" on page 108.
- no: See "no" on page 134.
- show: See "Show Commands" on page 527.
- write: See "write terminal" on page 67.


health-check
Description: Use a health monitor to check the health of all members of the service group.
Syntax: [no] health-check monitor-name
Parameters:
monitor-name: Specifies the health monitor to use.
Default: None
Mode: Service group
Usage: The health monitor is used to test the health of all members of the service group, including any members that are added in the future. Service group health status applies only within the context of the service group. For example, a health check of the same port from another service group can result in a different health status, depending on the resource requested by the health check.

Health checks can be applied to the same resource (real server or port) at the following levels:
- In a service group that contains the server and port as a member
- In a server or server port configuration template that is bound to the server or port
- Directly on the individual server or port

In cases where health checks are applied at multiple levels, they have the following priority:
1. Health check on real server
2. Health check on real server's port
3. Health check on service group

If a health check at the real server level (1) fails, the corresponding real server, real server port, and service group members are marked Down. However, if a health check on the service group level (3) fails, only that service group member in that service group is marked Down.

Example: The following commands configure a health monitor and apply it to a service group:

AX(config)#health monitor qrs
AX(config-health:monitor)#method http url GET /media-qrs/index.html
AX(config-health:monitor)#exit
AX(config)#slb service-group qrs tcp
AX(config-slb svc group)#member media-rs:80
AX(config-slb svc group)#health-check qrs

member
Description: Add a server to a service group.
Syntax: [no] member server-name:portnum [disable | enable] [priority num] [template template-name] [stats-data-disable | stats-data-enable]
Parameters:
server-name:portnum: Real server name, and protocol port number on the server.
disable | enable: Disables or re-enables the server and port, for this service group only.
priority num: Sets the preference for this server and port, 1-16.
template template-name: Binds a real port template to this member port.
stats-data-disable | stats-data-enable: Disable or enable statistical data collection for the service-group member.
Default: There are no servers in a service group by default. When you add a server and port to the service group, the default state is enabled and the default priority is 1. Statistical data collection of load-balancing resources is enabled by default. To configure a real port template, see "slb template port" on page 346.
Mode: Service group
Usage: The normal form of this command adds a configured server to the service group. The no form of this command removes the server from the group.



If you disable or re-enable a port, the state change applies only to this service group. The state of the port is unchanged in other service groups. To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See "stats-data-enable" on page 159.)

Example: The following commands add servers slaughterhouse5 and catscradle to service group vonnegut:

AX(config)#slb service-group vonnegut
AX(config-slb service group)#member slaughterhouse5:80
AX(config-slb service group)#member catscradle:80

Example: The following command adds a member server and port to a service group and binds a real port template to the port:

AX(config-slb service group)#member rs1:80 template port rptmp1

method
Description: Set the load-balancing method for a service group.
Syntax: [no] method lb-method
Parameters:
lb-method: Load-balancing method:
- fastest-response: Selects the server with the fastest SYN-ACK response time.
- least-connection: Selects the server that currently has the fewest connections.
- service-least-connection: Selects the server port that currently has the fewest connections. If there is a tie, the port (among those tied) that has the lowest number of request bytes plus response bytes is selected. If there is still a tie, a port is randomly selected from among the ones that are still tied.
- weighted-least-connection: Selects a server based on a combination of the server's administratively assigned weight and the number of connections on the server. (To assign a weight to a server, see "weight" on page 391.)



- service-weighted-least-connection: Same as weighted-least-connection, but per service. (To assign a weight to a service, see "port" on page 385. Use the weight option.)
- least-request: Selects the real server port for which the AX device is currently processing the fewest HTTP requests. This method is applicable to HTTP load balancing.
- weighted-rr: Selects servers in rotation, biased by the servers' administratively assigned weights. To use this method, you also need to assign weights to the servers. (See "weight" on page 391.) If the weight value is the same on each server, this load-balancing method simply selects the servers in rotation.
- round-robin: Selects servers in simple rotation.
- round-robin-strict: Provides a more exact round-robin method. The standard, default round robin method is optimized for high performance. Over time, this optimization can result in a slight imbalance in server selection. Server selection is still basically round robin, but over time some servers may be selected slightly more often than others.

Note: The following methods apply only to stateless SLB. (See "Usage" for more information.)
- stateless-src-ip-hash: Balances server load based on a hash value calculated using the source IP address and source TCP or UDP port.
- stateless-src-dst-ip-hash: Balances server load based on a hash value calculated using both the source and destination IP addresses and TCP or UDP ports.
- stateless-dst-ip-hash: Balances server load based on a hash value calculated using the destination IP address and destination TCP or UDP port.
- stateless-per-pkt-round-robin: Balances server load by sending each packet to a different server, in rotation. This method is applicable only for UDP DNS traffic.
- stateless-src-ip-only-hash: Calculates a hash value based only on the source IP address of the request, and selects a server based on the hash value. Subsequently, all requests from the same client address are sent to the same server.

Default: round-robin
Mode: Service group
Usage: The fastest-response method takes effect only if the traffic rate on the servers is at least 5 connections per second (per server). If the traffic rate is lower, the first server in the service group usually is selected. To set a server's weight, see "weight" on page 391.

Stateless SLB
Stateless SLB conserves system resources by operating without session table entries on the AX device. The stateless SLB methods are valid for the following types of traffic:
- Traffic with very short-lived sessions, such as DNS
- Layer 2 Direct Server Return (DSR) traffic
- Other types of traffic that do not require features that use session-table entries. (See list of limitations below.)

You can enable stateless SLB on an individual service-group basis, by selecting a stateless SLB load-balancing method for the group.

Limitations
Stateless SLB is not valid for the following features or traffic types:
- Rate limiting
- ACLs
- IP source NAT
- HA session synchronization
- Application Layer Gateway (ALG)
- Layer 3 DSR
- SLB-PT
- IPv6

A given real server can be used in only one stateless SLB service group. A real server that is in a stateless SLB service group can not be used in any other service groups. Graceful transitions between stateful and stateless SLB in a service group are not supported. Mega-proxies may interfere with equal balancing of traffic load among the multiple data CPUs. In this case, for DNS traffic only, try using the stateless-per-pkt-round-robin method.

Note: The stateless-per-pkt-round-robin method is valid only for DNS traffic.

Example: The following example sets the load-balancing method for a service group to least-connection:

AX(config-slb service group)#method least-connection

Example: The following commands configure a stateless SLB service group for UDP traffic:

AX(config)#slb service-group dns-stateless udp
AX(config-slb svc group)#member dns1:53
AX(config-slb svc group)#member dns2:53
AX(config-slb svc group)#method stateless-src-dst-ip-hash
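The following Python sketch is an added example, not A10 code: it shows which packet fields each stateless hash method above feeds into server selection, and how that choice distributes load when most flows come from one source address. The hash function is an assumption (SHA-256 is used as a stand-in, since the reference does not document the device's hash), the member names come from the dns-stateless example, and the flows and addresses are constructed.

```python
import hashlib
import ipaddress
import struct
from collections import Counter
from typing import List, Sequence, Tuple

# (source IP, source port, destination IP, destination port)
Flow = Tuple[str, int, str, int]


def hash_key(method: str, flow: Flow) -> bytes:
    """Return the bytes each stateless method hashes, per the descriptions above."""
    src_ip, src_port, dst_ip, dst_port = flow
    src = ipaddress.ip_address(src_ip).packed
    dst = ipaddress.ip_address(dst_ip).packed
    sport = struct.pack("!H", src_port)
    dport = struct.pack("!H", dst_port)
    if method == "stateless-src-ip-hash":
        return src + sport
    if method == "stateless-src-dst-ip-hash":
        return src + sport + dst + dport
    if method == "stateless-dst-ip-hash":
        return dst + dport
    if method == "stateless-src-ip-only-hash":
        return src
    raise ValueError(f"not a stateless hash method: {method}")


def select_member(method: str, flow: Flow, members: Sequence[str]) -> str:
    """No session table: the member is a pure function of the packet header."""
    digest = hashlib.sha256(hash_key(method, flow)).digest()  # stand-in hash
    return members[int.from_bytes(digest[:8], "big") % len(members)]


def load_by_member(method: str, flows: List[Flow], members: Sequence[str]) -> Counter:
    return Counter(select_member(method, flow, members) for flow in flows)


MEMBERS = ["dns1:53", "dns2:53"]   # members from the dns-stateless example
VIP = ("192.0.2.53", 53)           # constructed virtual server address

# Constructed traffic: 900 flows from one address (for example a proxy in front
# of many clients) using different source ports, plus 100 single-flow clients.
PROXY_FLOWS: List[Flow] = [("198.51.100.7", 20000 + i, *VIP) for i in range(900)]
OTHER_FLOWS: List[Flow] = [(f"203.0.113.{i + 1}", 40000, *VIP) for i in range(100)]
FLOWS = PROXY_FLOWS + OTHER_FLOWS


def busiest_share(method: str) -> int:
    """Number of flows landing on the most loaded member."""
    return max(load_by_member(method, FLOWS, MEMBERS).values())


if __name__ == "__main__":
    for m in ("stateless-src-ip-hash", "stateless-src-dst-ip-hash",
              "stateless-src-ip-only-hash", "stateless-dst-ip-hash"):
        print(f"{m:28s} {dict(load_by_member(m, FLOWS, MEMBERS))}")
```

On this traffic the two methods that include the source port spread the single busy address across both members, stateless-src-ip-only-hash pins all 900 of its flows to one member, and stateless-dst-ip-hash sends everything addressed to one VIP and port to the same member.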

min-active-member
Description: Use backup servers even if some primary servers are still up.
Syntax: [no] min-active-member num [skip-pri-set]
Parameters:
num: Minimum number of primary servers that can still be active (available), before the backup servers are used. You can specify 1-63. There is no default.
skip-pri-set: Specifies whether the remaining primary servers continue to be used. If you use this option, the AX device uses only the backup servers and stops using any of the primary servers.



Default: By default, the servers with the highest priority value are the primary servers. All other servers are backups only, and are used only if all the primary servers are unavailable. When you use this command, the skip-pri-set option is disabled by default, for all load-balancing methods except round-robin. For round-robin (the default), skip-pri-set is always enabled and can not be disabled.
Mode: Service group
Usage: Primary and backup servers are designated based on member priority (set with the member command). For example, if a service group contains real servers with the following priority settings, real servers s1, s2, and s3 are the primary servers. Real servers s4 and s5 are backup servers.
- s1 priority 16
- s2 priority 16
- s3 priority 16
- s4 priority 8
- s5 priority 8

When the minimum number of active members (primary servers) comes back up, the AX device immediately returns to using only the primary servers.

Example: The following commands add members with different priorities to a service group, and configure promiscuous VIP to begin using backup servers if any of the primary servers becomes unavailable:

AX(config)#slb service-group sg-prom
AX(config-slb service group)#method least-connection
AX(config-slb service group)#member s1:80 priority 16
AX(config-slb service group)#member s2:80 priority 16
AX(config-slb service group)#member s3:80 priority 16
AX(config-slb service group)#member s4:80 priority 8
AX(config-slb service group)#member s5:80 priority 8
AX(config-slb service group)#member s6:80 priority 4
AX(config-slb service group)#min-active-member 1


reset-on-server-selection-fail
Description Syntax Default Mode Usage Send a TCP reset (RST) to the client if server selection fails. [no] reset-on-server-selection-fail Disabled Service group The TCP template reset-rev option also can be used to send a RST to clients. In AX releases prior to 2.2.2, the reset-rev option would send a RST in response to a server selection failure. In AX Release 2.2.2 and later, this is no longer true. The reset-on-server-selection-fail option must be used instead.

stats-data-disable
Description  Disable collection of statistical data for the service group.
Syntax       stats-data-disable
Default      Statistical data collection for load-balancing resources is enabled by default.
Mode         Service group

stats-data-enable
Description  Enable collection of statistical data for the service group.
Syntax       stats-data-enable
Default      Statistical data collection for load-balancing resources is enabled by default.
Mode         Service group
Usage        To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on page 159.)


Config Commands: SLB Virtual Servers


This chapter describes the commands for configuring SLB virtual servers. To access this configuration level, enter the slb virtual-server vipaddr vipname command at the global Config level. To display configured virtual servers, use the show slb virtual-server command.

Note: The commands in this chapter apply to virtual servers (also called VIPs), not to real servers. To configure real servers, see Config Commands: SLB Servers on page 381.

This CLI level also has the following commands, which are available at all configuration levels:

clear   See clear on page 50.
debug   See debug on page 53.
do      See do on page 103.
end     See end on page 107.
exit    See exit on page 108.
no      See no on page 134.
show    See Show Commands on page 527.
write   See write terminal on page 67.

arp-disable
Description  Disable ARP replies from a virtual server.
Syntax       [no] arp-disable
Default      ARP replies are enabled by default.
Mode         Virtual server
Usage        Use this command if you do not want the AX Series device to reply to ARP requests to the virtual server's IP address. For example, you can use this command to put a VIP out of service on one AX device and use that device as a switch or router for another AX device providing SLB for the VIP.

             When you disable ARP replies for a VIP, redistribution of routes to the VIP is automatically disabled.
Example      The following command disables ARP replies:

AX(config-slb virtual server)#arp-disable

disable
Description  Disable a virtual server.
Syntax       [no] disable [when-all-ports-down]

             Parameter            Description
             when-all-ports-down  Automatically disables the virtual server if all its service ports are down. If OSPF redistribution of the VIP is enabled, the AX device also withdraws the route to the VIP in addition to disabling the virtual server.

Default      Virtual servers are enabled by default. The when-all-ports-down option is disabled by default.
Mode         Virtual server
Example      The following commands disable virtual server vs1:

AX(config)#slb virtual-server vs1
AX(config-slb virtual server)#disable

enable
Description  Enable a virtual server.
Syntax       [no] enable
Default      Enabled
Mode         Virtual server
Example      The following commands re-enable virtual server vs1:

AX(config)#slb virtual-server vs1
AX(config-slb virtual server)#enable

ha-dynamic
Description  Enable VIP-based failover.
Syntax       [no] ha-dynamic server-weight

             Parameter      Description
             server-weight  Amount to subtract from the HA group's priority value for each real server that becomes unavailable. The weight can be 1-255.

Default      Not set
Mode         Virtual server
Example      The following commands assign virtual server VIP2 to HA group 6 and enable VIP-based failover for the virtual server.

AX(config)#slb virtual-server VIP2 192.168.10.22
AX(config-slb virtual server)#ha-group 6
AX(config-slb virtual server)#ha-dynamic 10

ha-group
Description  Add a virtual server to a High-Availability (HA) group.
Syntax       [no] ha-group group-id
Default      None.
Mode         Virtual server
Example      The following commands assign virtual server vs1 to HA group 1:

AX(config)#slb virtual-server vs1
AX(config-slb virtual server)#ha-group 1


port
Description  Configure a virtual port on a virtual server.
Syntax       [no] port port-number service-type

             Parameter     Description
             port          Port number, 0-65534.
             service-type  Service type of the port:
                           fast-http   Streamlined Hypertext Transfer Protocol (HTTP) service
                           ftp         File Transfer Protocol
                           http        HTTP
                           https       Secure HTTP (SSL)
                           mms         Microsoft Media Server
                           rtsp        Real Time Streaming Protocol
                           sip         Session Initiation Protocol (SIP) over UDP
                           sip-tcp     SIP over TCP
                           sips        SIP over TCP / TLS
                           smtp        Simple Mail Transfer Protocol
                           ssl-proxy   SSL proxy service
                           tcp         Transmission Control Protocol
                           udp         User Datagram Protocol
                           others      Wildcard port used for IP protocol load balancing. (For more information, see the IP Protocol Load Balancing chapter of the AX Series Configuration Guide.)

Default      N/A
Mode         Virtual server
Usage        The normal form of this command creates a new virtual port or edits an existing one. The CLI changes to the configuration level for the virtual port. (See Config Commands: SLB Virtual Server Ports on page 411.) The no form of this command removes the specified virtual port from the current virtual server.

             The maximum number of virtual service ports allowed and the maximum number per virtual server depend on the AX model.

             The AX device allocates processing resources to HTTPS virtual ports when you bind them to an SSL template. This results in increased CPU utilization, regardless of whether traffic is active on the virtual port.

Note: Fast-HTTP is optimized for very high performance information transfer in comparison to regular HTTP. Due to this optimization, fast-HTTP does not support all the comprehensive capabilities of HTTP such as header insertion and manipulation. It is recommended not to use fast-HTTP for applications that require complete data transfer integrity.

Example      The following example creates a new (or edits an existing) virtual port:

AX(config-slb virtual server)#port 443 https
AX(config-slb virtual server-slb virtua...)#

redistribution-flagged
Description  Flag this VIP to selectively enable or disable redistribution of it by OSPF.
Syntax       [no] redistribution-flagged
Default      Not set. The VIP is automatically redistributed if VIP redistribution is enabled in OSPF.
Mode         Virtual server
Usage        Use this option if you want to redistribute only some of the VIPs rather than all of them. Selective VIP redistribution also requires configuration in OSPF. See the description of the vip option in redistribute on page 264.

stats-data-disable
Description  Disable collection of statistical data for the virtual server.
Syntax       stats-data-disable
Default      Statistical data collection for load-balancing resources is enabled by default.
Mode         Virtual server

stats-data-enable
Description  Enable collection of statistical data for the virtual server.
Syntax       stats-data-enable
Default      Statistical data collection for load-balancing resources is enabled by default.
Mode         Virtual server
Usage        To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on page 159.)

template policy
Description  Bind a PBSLB policy template to the virtual server.
Syntax       [no] template policy template-name
Default      None
Mode         Virtual server
Usage        This command is applicable only for PBSLB policy templates configured for IP limiting. (See the IP Limiting chapter in the AX Series Configuration Guide.)

template virtual-server
Description  Bind a virtual server template to the virtual server.
Syntax       [no] template virtual-server template-name
Default      The virtual server template named default is bound to virtual servers by default. The parameter settings in the default virtual server template are automatically applied to the new virtual server, unless you bind a different virtual server template to the virtual server.
Mode         Virtual server
Usage        If a parameter is set individually on this virtual server and also is set in a virtual server template bound to this virtual server, the individual setting on this virtual server is used instead of the setting in the template.

             To configure a virtual server template, see slb template virtual-server on page 377.
Example      The following commands configure a virtual server template called vs-tmplt1 that sets ICMP rate limiting, and bind the template to a virtual server:

AX(config)#slb template virtual-server vs-tmplt1
AX(config-vserver)#icmp-rate-limit 25000 lock 30000 60
AX(config-vserver)#exit
AX(config)#slb virtual-server vip1 10.10.10.2
AX(config-slb virtual server)#template virtual-server vs-tmplt1


Config Commands: SLB Virtual Server Ports


This chapter describes the commands for configuring virtual ports. To access this configuration level, enter the port port-num port-type command at the configuration level for a virtual server.

This CLI level also has the following commands, which are available at all configuration levels:

clear   See clear on page 50.
debug   See debug on page 53.
do      See do on page 103.
end     See end on page 107.
exit    See exit on page 108.
no      See no on page 134.
show    See Show Commands on page 527.
write   See write terminal on page 67.

access-list
Description  Apply an Access Control List (ACL) to a virtual server port.
Syntax       [no] access-list {acl-num | name acl-name} [source-nat-pool {pool-name | pool-group-name} [sequence-number num]]

             Parameter                Description
             acl-num | name acl-name  Number of a configured IPv4 ACL (acl-num), or the name of a configured IPv6 ACL (name acl-name).
             source-nat-pool pool-name | pool-group-name [sequence-number num]
                                      Name of a configured IP source NAT pool or pool group. Use this option if you are configuring policy-based source NAT. Source NAT is required if the real servers are in a different subnet than the VIP.

                                      The sequence-number num option specifies the position of this ACL in the sequence of ACLs that are associated with IP source NAT pools and which are assigned to this virtual port. The sequence number is important because the AX device will use the IP addresses in the pool associated with the first ACL that matches the traffic.

                                      By default, the ACL sequence is based on the order in which you apply them to the virtual port. The first ACL has sequence number 1, the second ACL has sequence number 2, and so on. You can specify 1-32 as the sequence number.

                                      To view the sequence, use the show running-config command to view the configuration for this virtual port.

Default      N/A
Mode         Virtual port
Usage        The ACL must be configured before you can apply it to an interface. To configure an ACL, see access-list (standard) on page 69 and access-list (extended) on page 72.

             To permit or deny traffic on the virtual port, specify an ACL but do not specify a NAT pool.

             To configure policy-based source NAT, specify an ACL and a NAT pool. Use an extended ACL. The source IP address must match on the client address. The destination IP address must match on the real server address. The action must be permit. The NAT pool is used only for traffic that matches the ACL. This configuration allows the virtual port to have multiple pools, and to select a pool based on the traffic.
Example      The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on virtual port 8080 on virtual server slb1:

AX(config)#access-list 99 deny 10.10.10.0 0.0.0.255
AX(config)#slb virtual-server slb1
AX(config-slb virtual server)#port 8080 http
AX(config-slb virtual server-slb virtua...)#access-list 99

Example      The following commands configure policy-based source NAT, by binding ACLs to NAT pools on the virtual port.

AX(config)#slb virtual-server vs1 10.10.10.100
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#access-list 30 source-nat-pool pool1
AX(config-slb virtual server-slb virtua...)#access-list 50 source-nat-pool pool2
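
The first-match rule described for sequence-number above decides which pool a client is translated to, so a broad ACL applied first can leave a later, narrower ACL and its pool unused. The following Python model is an added example, not part of the A10 reference or A10 code; the networks attached to ACLs 30 and 50 are constructed (the page does not show them), and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NatBinding:
    """Model of one `access-list ... source-nat-pool ...` line on a virtual port."""
    seq: int    # sequence-number, 1-32; defaults to the order the ACLs were applied
    acl: str    # ACL number or name
    src: str    # client network the extended ACL permits (constructed value)
    dst: str    # real-server network the extended ACL permits (constructed value)
    pool: str   # NAT pool or pool group bound to the ACL

    def matches(self, client: str, server: str) -> bool:
        return (ip_address(client) in ip_network(self.src)
                and ip_address(server) in ip_network(self.dst))

    def covers(self, other: "NatBinding") -> bool:
        """True when every flow `other` permits is also permitted by this ACL."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst)))


def select_pool(bindings, client, server):
    """Pool of the first ACL, in sequence order, that matches the flow; else None."""
    for binding in sorted(bindings, key=lambda b: b.seq):
        if binding.matches(client, server):
            return binding.pool
    return None  # no ACL matched, so this method assigns no pool


def shadowed(bindings):
    """(later_acl, earlier_acl) pairs where the later binding can never be selected."""
    ordered = sorted(bindings, key=lambda b: b.seq)
    hits = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.covers(later):
                hits.append((later.acl, earlier.acl))
                break
    return hits


# Constructed sample: ACL 30 permits a /16 of clients, ACL 50 a /24 inside it.
AS_APPLIED = [   # default sequence: order in which the ACLs were applied
    NatBinding(1, "30", "172.16.0.0/16", "192.168.20.0/24", "pool1"),
    NatBinding(2, "50", "172.16.5.0/24", "192.168.20.0/24", "pool2"),
]
REORDERED = [    # same ACLs, narrower one given the lower sequence number
    NatBinding(2, "30", "172.16.0.0/16", "192.168.20.0/24", "pool1"),
    NatBinding(1, "50", "172.16.5.0/24", "192.168.20.0/24", "pool2"),
]

if __name__ == "__main__":
    for label, cfg in (("as applied", AS_APPLIED), ("reordered", REORDERED)):
        print(label, select_pool(cfg, "172.16.5.9", "192.168.20.5"), shadowed(cfg))
```

With the default order, clients in 172.16.5.0/24 are translated to pool1 and ACL 50 is reported as shadowed; giving the narrower ACL the lower sequence number restores pool2 for that subnet.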

aflex
Description  Apply an aFleX policy to a virtual port.
Syntax       [no] aflex policy-name

             Parameter    Description
             policy-name  Name of a configured aFleX policy.

Default      N/A
Mode         Virtual port
Usage        The normal form of this command applies the specified aFleX policy to the port. The no form of this command removes the aFleX policy from the port.

             For more information about aFleX policies, see the AX Series aFleX Scripting Language Reference Guide.
Example      The following command applies aFleX policy aflex1 to a virtual port:

AX(config-slb virtual server-slb virtua...)#aflex aflex1


conn-limit
Description  Set the connection limit for a virtual port.
Syntax       [no] conn-limit number [reset] [no-logging]

             Parameter   Description
             number      Connection limit, 0-8000000 (8 million); 0 means no limit.
             reset       Sends a connection reset to the client, if the connection limit has been reached. If you omit this option, the connection is silently dropped and no reset is sent to the client.
             no-logging  Disables logging for this feature.

Default      Not set. If you set a limit, the default action for any new connection request after the limit has been reached is to silently drop the connection, without sending a reset to the client. Logging is enabled by default.
Mode         Virtual port
Usage        The normal form of this command changes the current port's connection limit. The no form of this command resets the port's connection limit to its default value.

             The connection limit puts a hard limit on the number of concurrent connections supported by the port. No more connections will be put on the port if its number of current connections is already equal to or greater than the limit.

             If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection counter for the virtual port or server in show command output and in the GUI may become incorrect. To avoid this, do not change the connection limiting configuration until the virtual server or port does not have any active connections.
Example      The following command changes a virtual port's connection limit to 10000:

AX(config-slb virtual server-slb virtua...)#conn-limit 10000


def-selection-if-pref-failed
Description  Configure SLB to continue checking for an available server in other service groups if all of the servers are down in the first service group selected by SLB.
Syntax       [no] def-selection-if-pref-failed
Default      Enabled
Mode         Virtual port
Usage        During SLB selection of the preferred server to use for a client request, SLB checks the following configuration areas, in the order listed:

             1. Layer 3-4 configuration items:
                a. aFleX policies triggered by Layer 4 events
                b. Policy-based SLB (black/white lists). PBSLB is a Layer 3 configuration item because it matches on IP addresses in black/white lists.
             2. Layer 7 configuration items:
                a. Cookie switching
                b. aFleX policies triggered by Layer 7 events
                c. URL switching
                d. Host switching
             3. Default service group. If none of the items above results in selection of a server, the default service group is used.
                • If the configuration uses only one service group, this is the default service group.
                • If the configuration uses multiple service groups, the default service group is the one that is used if none of the templates used by the configuration selects another service group instead.

             For example, if the CLIENT_ACCEPTED event triggers the aFleX policy, the policy is consulted first. Similarly, if the HTTP_REQUEST event triggers the aFleX policy, the policy is consulted only if none of the Layer 4 configuration items results in selection of a server.

             The first configuration area that matches the client or VIP (as applicable) is used, and the client request is sent to a server in the service group that is applicable to that configuration area. For example, if the client's IP address is in a black/white list, the service group specified by the list is used for the client request.

             When the def-selection-if-pref-failed option is enabled, SLB continues to check for an available server in other service groups if all servers are down in the first service group selected by SLB.

             If Policy-Based SLB (PBSLB) is also configured on the same virtual port, PBSLB server-selection failures are not logged. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.
Example      The following command enables this option:

AX(config-slb virtual server-slb virtua...)#def-selection-if-pref-failed

disable
Description  Disable a virtual port.
Syntax       [no] disable
Default      Enabled
Mode         Virtual port
Example      The following command disables a virtual port:

AX(config-slb virtual server-slb virtua...)#disable

enable
Description  Enable a virtual port.
Syntax       [no] enable
Default      Enabled
Mode         Virtual port
Example      The following command re-enables a virtual port:

AX(config-slb virtual server-slb virtua...)#enable

gslb-enable
Description  Enable a DNS port to function as a proxy for Global Server Load Balancing (GSLB) for this virtual port.

Note: This command applies only to UDP ports and only for a virtual server that will be used as a DNS proxy on the GSLB AX Series device.

Syntax       [no] gslb-enable
Default      Disabled
Mode         Virtual port
Usage        Additional configuration is required for GSLB. See the Global Server Load Balancing chapter in the AX Series Configuration Guide.
Example      The following commands enable virtual server "DNS_SrvA" to be a DNS proxy:

AX(config)#slb virtual-server DNS_SrvA 10.10.10.100
AX(config-slb virtual-server)#port 53 udp
AX(config-slb virtual server-slb virtua...)#gslb-enable

ha-conn-mirror
Description  Enable connection mirroring (session synchronization) for the virtual port.
Syntax       [no] ha-conn-mirror
Default      Disabled.
Mode         Virtual port
Usage        Connection mirroring applies to HA configurations. When connection mirroring is enabled, the Active AX Series device sends information about active client connections to the Standby AX Series device. If a failover occurs, the newly Active AX device continues service for the session. The client perceives very brief or no interruption.

             When connection mirroring is disabled, client session information is lost. Clients must establish new connections.

             In HA deployments, HA session synchronization is required for persistent sessions (source-IP persistence, and so on), and is therefore automatically enabled for these sessions by the AX device. Persistent sessions are synchronized even if session synchronization is disabled in the configuration.
Example      The following command enables connection mirroring:

AX(config-slb virtual server-slb virtua...)#ha-conn-mirror


no-dest-nat
Description  Disable destination NAT.
Syntax       [no] no-dest-nat
Default      Destination NAT is enabled by default.
Mode         Virtual port
Usage        Disabling destination NAT enables Direct Server Return (DSR).

             In the current release, for IPv4 VIPs, DSR is supported on virtual port types (service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported on virtual port types TCP, UDP, and RTSP.

             VIP redistribution is not supported for VIPs on which destination NAT has been disabled. For example, VIP redistribution is not supported for VIPs that are configured for Direct Server Return (DSR).
Example      The following command enables DSR:

AX(config-slb virtual server-slb virtua...)#no-dest-nat

pbslb
Description  Configure settings for Policy-based SLB (PBSLB).
Syntax       [no] pbslb bw-list name
Syntax       [no] pbslb id id {service service-group-name | drop | reset} [logging [minutes] [fail]]]
Syntax       [no] pbslb over-limit {drop | reset}

             Parameter     Description
             bw-list name  Binds a black/white list to the virtual port.
             id id {service service-group-name | drop | reset}
                           Specifies the action to take for clients in the black/white list:
                           id                  Group ID in the black/white list.
                           service-group-name  Name of an SLB service group on the AX Series device.
                           drop                Drops new connections until the number of concurrent connections on the virtual port falls below the port's connection limit. (The connection limit is set in the black/white list.)
                           reset               Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.
             logging [minutes] [fail]]
                           Enables logging. The minutes option specifies how often messages can be generated. This option reduces overhead caused by frequent recurring messages. For example, if the logging interval is set to 5 minutes, and the PBSLB rule is used 100 times within a five-minute period, the AX device generates only a single message. The message indicates the number of times the rule was applied since the last message. You can specify a logging interval from 0 to 60 minutes. To send a separate message for each event, set the interval to 0.

                           PBSLB rules that use the service service-group-name option also have a fail option for logging. The fail option configures the AX device to generate log messages only when there is a failed attempt to reach a service group. Messages are not generated for successful connections to the service group. The fail option is disabled by default. The option is available only for PBSLB rules that use the service service-group-name option, not for rules with the drop or reset option, since any time a drop or reset rule affects traffic, this indicates a failure condition.

Note: If the def-selection-if-pref-failed option is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the def-selection-if-pref-failed option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.

Default      bw-list     N/A
             id          N/A
             logging     Disabled. When logging is enabled, the default for minutes is 3.
             over-limit  drop
Mode         Virtual port
Usage        The black/white list specified by bw-list name must already be imported onto the AX Series device. To import a black/white list file, see bw-list on page 92.

             If you use the logging option, the AX device uses a log rate limiting mechanism and load balances logging among multiple log servers, if more than one is configured. For more information, see the Log Rate Limiting section in the Traffic Security Features chapter of the AX Series Configuration Guide.
Example      The following commands bind black/white list sample-bwlist to the virtual port, assign clients in group 2 to service group srvcgroup2, and drop clients in group 4:

AX(config-slb virtual server-slb virtua...)#pbslb bw-list sample-bwlist
AX(config-slb virtual server-slb virtua...)#pbslb id 2 service srvcgroup2
AX(config-slb virtual server-slb virtua...)#pbslb id 4 drop
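
Because def-selection-if-pref-failed is enabled by default, a virtual port with PBSLB logging configured can still produce no messages for server-selection failures, as the Note above and the def-selection-if-pref-failed entry both state. The following Python check is an added example, not A10 code: it scans a saved configuration for that combination. The configuration excerpt is constructed, and its layout (indented port blocks, and a `no def-selection-if-pref-failed` line when the option is disabled) is an assumption about how the saved configuration is written; the function names are hypothetical.

```python
import re

# Constructed excerpt; the layout is an assumption, not captured device output.
SAMPLE_CONFIG = """\
slb virtual-server vs1 10.10.10.100
   port 80 http
      pbslb bw-list sample-bwlist
      pbslb id 2 service srvcgroup2 logging 5 fail
      pbslb id 4 drop logging
   port 443 https
      no def-selection-if-pref-failed
      pbslb bw-list sample-bwlist
      pbslb id 2 service srvcgroup2 logging
   port 8080 http
      pbslb bw-list sample-bwlist
      pbslb id 2 service srvcgroup2
"""

VS_RE = re.compile(r"^slb virtual-server\s+(\S+)")
PORT_RE = re.compile(r"^port\s+(\d+)\s+(\S+)$")
# Only rules with the `service` action can fail server selection.
RULE_RE = re.compile(r"^pbslb id\s+(\d+)\s+service\s+(\S+)(?P<log>\s+logging\b.*)?$")


def parse_virtual_ports(text):
    """Return one dict per virtual port with the settings lines found under it."""
    ports, vserver, port = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        match = VS_RE.match(line)
        if match:
            vserver, port = match.group(1), None
            continue
        if not raw[0].isspace():      # any other top-level command ends the block
            vserver = port = None
            continue
        match = PORT_RE.match(line)
        if match and vserver:
            port = {"vserver": vserver, "port": int(match.group(1)),
                    "type": match.group(2), "lines": []}
            ports.append(port)
        elif port is not None:
            port["lines"].append(line)
    return ports


def logging_blind_spots(text):
    """(vserver, port, [group ids]) where PBSLB logging is set but fallback is on."""
    findings = []
    for p in parse_virtual_ports(text):
        fallback_on = "no def-selection-if-pref-failed" not in p["lines"]
        logged = [m.group(1) for m in map(RULE_RE.match, p["lines"])
                  if m and m.group("log")]
        if fallback_on and logged:
            findings.append((p["vserver"], p["port"], logged))
    return findings


if __name__ == "__main__":
    for vserver, port, groups in logging_blind_spots(SAMPLE_CONFIG):
        print(f"{vserver} port {port}: PBSLB group(s) {', '.join(groups)} log "
              "selection failures only after 'no def-selection-if-pref-failed'")
```

On the sample, only port 80 is reported: port 443 has the option disabled, and port 8080 has no logging configured.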

reset-on-server-selection-fail
Description  Send a TCP reset (RST) to the client if server selection fails.
Syntax       [no] reset-on-server-selection-fail
Default      Disabled
Mode         Service group
Usage        The TCP template reset-rev option also can be used to send a RST to clients. In AX releases prior to 2.2.2, the reset-rev option would send a RST in response to a server selection failure. In AX Release 2.2.2 and later, this is no longer true. The reset-on-server-selection-fail option must be used instead.


service-group
Description  Bind a virtual port to a service group.
Syntax       [no] service-group group-name

             Parameter   Description
             group-name  Service-group name.

Default      N/A
Mode         Virtual port
Usage        The normal form of this command binds the virtual port to the specified service group. The no form of this command removes the binding.

             One virtual port can be associated with one service group only, while one service group can be associated with multiple virtual ports.

             The type of service group and type of virtual port should match. For example, a UDP service group cannot be bound to an HTTP virtual port.
Example      The following examples bind a service group to a virtual port, then remove the binding, respectively.

AX(config-slb virtual server-slb virtua...)#service-group tcp-grp
AX(config-slb virtual server-slb virtua...)#no service-group tcp-grp

snat-on-vip
Description  Enable IP NAT support for the virtual port.
Syntax       [no] snat-on-vip
Default      Disabled
Mode         Virtual port
Usage        Source IP NAT can be configured on a virtual port in the following ways:

             1. ACL-based source NAT (access-list command at virtual port level)
             2. VIP source NAT (slb snat-on-vip command at global configuration level)
             3. aFleX policy (aflex command at virtual port level)
             4. Non-ACL source NAT (source-nat command at virtual port level)

             These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and the slb snat-on-vip command is also used, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, VIP source NAT can be used instead.

Note: The current release does not support source IP NAT on FTP or RTSP virtual ports.

source-nat
Description  Enable source NAT. Source NAT is required if the real servers are in a different subnet than the VIP.

Note: This command is not applicable to the mms or rtsp service types.

Syntax       [no] source-nat pool {pool-name | pool-group-name}

             Sub-Command      Description
             pool-name        Specifies the name of an IP pool of addresses to use as source addresses.
             pool-group-name  Specifies the name of a group of IP address pools to use as source addresses.

Default      Disabled.
Mode         Virtual port
Usage        By default, source NAT is disabled. This command enables source NAT.

             This command enables source NAT using a single NAT pool or pool group, for all source addresses. If you want the AX device to select from among multiple pools based on source IP address, configure policy-based source NAT instead. See access-list on page 411.
Example      The following example enables source NAT for the virtual port:

AX(config-slb virtual server-slb virtua...)#source-nat pool pool2


stats-data-disable
Description  Disable collection of statistical data for the virtual port.
Syntax       stats-data-disable
Default      Statistical data collection for load-balancing resources is enabled by default.
Mode         Virtual port

stats-data-enable
Description  Enable collection of statistical data for the virtual port.
Syntax       stats-data-enable
Default      Statistical data collection for load-balancing resources is enabled by default.
Mode         Virtual port
Usage        To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on page 159.)

syn-cookie
Description  Enable software-based SYN cookies for a virtual port. SYN cookies provide protection against TCP SYN flood attacks.
Syntax       [no] syn-cookie [sack]

             Sub-Command  Description
             sack         Enables clients to acknowledge receipt of individual TCP/IP packets. Using this information, a server does not need to resend an entire segment of packets and can instead resend only the missing packets.

Note: This option applies only to the following service types: TCP, FTP, MMS, RTSP, and fast-HTTP.

Default      Disabled.
Mode         Virtual port
Usage        If hardware-based SYN cookies are enabled, software-based SYN cookies are not needed and are not used. (Hardware-based SYN cookies are enabled at the global configuration level. See syn-cookie on page 160.)

             Without the sack option, the efficiency of packet acknowledgement and retransmission typically is constrained by the timeout period between transmission of a packet from the server and acknowledgement from the client. The timeout generally is calculated based on the round-trip time between sending a packet and receiving an acknowledgement. If an acknowledgement is not received, the server might resend an entire segment of packets, without knowledge of exactly which packets are missing.

             If you use the sack option, the AX does the following for client traffic containing the SACK option:

             • Includes the SACK option in the SYN-ACK.
             • Sends the SACK option to the server, following success of the SYN cookie check.

             SACK support is available for the following virtual port service types: TCP, FTP, MMS, RTSP, and fast-HTTP.
Example      The following command enables SYN cookies for a virtual port:

AX(config-slb virtual server-slb virtua...)#syn-cookie sack

template
Description
Applies an SLB configuration template to a virtual port.

Syntax
[no] template template-type template-name

Parameter    Description
template-type
    Type of template:
    cache
    client-ssl
    connection-reuse
    dns
    http
    persist cookie
    persist destination-ip
    persist source-ip
    persist ssl-id
    policy
    server-ssl
    sip
    smtp
    streaming-media
    tcp
    tcp-proxy
    udp
    virtual-port
template-name
    Name of the template.

Default
If the AX device has a default template that is applicable to the service type, the default template is automatically applied. The AX device has a default virtual-port template, which is applied to a virtual port when you create it.

Mode
Virtual port

Usage
The normal form of this command applies the specified template to the virtual port. The no form of this command removes the template from the virtual port but does not delete the template itself. A virtual port can be associated with only one template of a given type. However, the same template can be associated with more than one virtual port. To bind a virtual-port template to the port, see template virtual-port on page 426.

Example

The following example applies connection reuse template reuse-template to a virtual port:

AX(config-slb virtual server-slb virtua...)#template connection-reuse reuse-template


template virtual-port
Description
Bind a virtual service port template to the virtual port.

Syntax
[no] template virtual-port template-name

Default
The virtual port template named default is bound to virtual ports by default. The parameter settings in the default virtual port template are automatically applied to the new virtual port, unless you bind a different virtual port template to the virtual port.

Mode
Virtual port

Usage
If a parameter is set individually on this virtual port and also is set in a virtual port template bound to this virtual port, the individual setting on this port is used instead of the setting in the template. To configure a virtual port template, see slb template virtual-port on page 374.

Example
The following commands configure a virtual service port template named common-vpsettings, set the connection limit, and bind the template to a virtual port:

AX(config)#slb template virtual-port common-vpsettings
AX(config-Virtual port template)#conn-limit 500000
AX(config-Virtual port template)#exit
AX(config)#slb virtual-server vip1 10.10.10.99
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#template virtual-port common-vpsettings

use-default-if-no-server
Description
Forward client traffic at Layer 3, if SLB server selection fails.

Syntax
[no] use-default-if-no-server

Default
Disabled. If SLB server selection fails, the traffic is dropped.

Mode
Virtual port

Usage
This command applies only to wildcard VIPs (VIP address 0.0.0.0).


use-rcv-hop-for-resp
Description
Force the AX Series device to send replies to clients back through the last hop on which the request for the virtual port's service was received.

Syntax
[no] use-rcv-hop-for-resp

Default
Disabled.

Mode
Virtual port

Usage
Last hop information is not included in the information sent to the Standby AX device during HA session synchronization. If an HA failover occurs, the last hop might not be used for the reply.

Example
The following command enables this option:

AX(config-slb virtual server-slb virtua...)#use-rcv-hop-for-resp


Config Commands: Global Server Load Balancing


The commands in this chapter configure Global Server Load Balancing (GSLB) parameters. In some cases, the commands create a GSLB configuration item and change the CLI to the configuration level for that item.

This CLI level also has the following commands, which are available at all configuration levels:
- clear: See clear on page 50.
- debug: See debug on page 53.
- do: See do on page 103.
- end: See end on page 107.
- exit: See exit on page 108.
- no: See no on page 134.
- show: See Show Commands on page 527.
- write: See write terminal on page 67.

gslb active-rtt
Description
Configure global active-RTT settings.

Syntax
[no] gslb active-rtt { domain domain-name | interval seconds | retry num | sleep seconds | timeout ms | track seconds }

Parameter    Description
domain domain-name
    Specifies the query domain. To measure the active round-trip time (RTT) for a client, the site AX device sends queries for the domain name to a client's local DNS. An RTT sample consists of the time between when the site AX device sends a query and when it receives the response. Only one active-RTT domain can be configured. It is recommended to use a domain name that is likely to be in the cache of each client's local DNS. The AX device averages multiple active-RTT samples together to calculate the active-RTT measurement for a client. (See the description of track below.)
interval seconds
    Specifies the number of seconds between queries. You can specify 1-120 seconds.
retry num
    Specifies the number of times GSLB will resend a query if there is no response. You can specify 0-16.
sleep seconds
    Specifies the number of seconds GSLB stops tracking active-RTT data for a client after a query fails. You can specify 1-300 seconds.
timeout ms
    Specifies the number of milliseconds GSLB will wait for a reply before resending a query. You can specify 1-1023 ms.
track seconds
    Specifies the number of seconds during which the AX device collects samples for a client. The samples collected during the track time are averaged together, and the averaged value is used as the active RTT measurement for the client. You can specify 15-3600 seconds. The averaged RTT measurement is used until it ages out. The aging time for averaged RTT measurements is 10 minutes by default and is configurable on individual sites, using the active-rtt aging-time command.

Default
This command has the following default settings:
- domain google.com
- interval 1 second
- retry 3
- sleep 3 seconds
- timeout 1000 ms
- track 60 seconds

Mode
Configuration mode

gslb dns action


Description
Globally drop or reject DNS queries from the local DNS server.

Syntax
[no] gslb dns action {drop | reject}

Parameter    Description
drop
    Drops DNS queries that do not match any zone service.
reject
    Rejects DNS queries that do not match any zone service, and returns the Refused message in replies.

Default
Not set

Mode
Configuration mode

gslb dns logging


Description
Globally set DNS logging parameters. When this option is enabled, the GSLB DNS log messages appear in the AX log.

Syntax
[no] gslb dns logging { both | query | response | none }

Parameter    Description
both | query | response
    Specifies the types of messages to log.
none
    Logs nothing.

Default
Disabled

Mode
Configuration mode


gslb geo-location
Description
Configure a global geographic location, by assigning a location name to a client IP address range. GSLB forwards client requests from addresses within the specified IP address range to the GSLB site that serves the location.

Syntax
[no] gslb geo-location location-name start-ip-addr [mask ip-mask] [end-ip-addr]

Parameter    Description
location-name
    Name of the location, up to 127 alphanumeric characters.
start-ip-addr
    Beginning IP address for the range.
mask ip-mask
    Network mask.
end-ip-addr
    Ending IP address for the range.

Default
N/A

Mode
Configuration mode

Usage
Geographic location also can be configured in a GSLB policy. In this case, the policy specifies whether to use the globally configured geographic location or the location configured in the policy. (See geo-location on page 473 and geo-location match-first on page 474.)

You can use manually configured geo-location mappings or load a database of mappings. To load a geo-location database, see gslb geo-location load on page 433.
- If you manually map a geo-location to a GSLB site, GSLB uses the mapping.
- If no geo-location is configured for a GSLB site, GSLB automatically maps the service-ip to a geo-location in the loaded geo-location database.
- If a service-ip cannot be mapped to a geo-location, GSLB maps the site AX device to a geo-location.

Example
The following example configures geographic location US.CA.SanJose for IP address range 100.1.1.1 through 100.1.1.125:

AX(config)#gslb geo-location US.CA.SanJose 100.1.1.1 100.1.1.125


gslb geo-location delete


Description
Delete or replace a custom geo-location database from the AX device.

Syntax
gslb geo-location delete file-name

Default
N/A

Mode
Configuration mode

Usage
This command is available only if you have already imported a geo-location database file. This command can replace a loaded geo-location database file but does not unload one without replacing it. To unload a geo-location database file without replacing it, see gslb geo-location load on page 433.

gslb geo-location load


Description
Load a geo-location database into GSLB. Loading a pre-configured geo-location database provides a convenient alternative to manually configuring each geo-location separately.

Syntax
[no] gslb geo-location load {iana | file-name csv-template-name}

Parameter    Description
iana
    Loads the Internet Assigned Numbers Authority (IANA) database. The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. The IANA database is included in the AX system software. However, it is unloaded (not used) by default.
file-name csv-template-name
    Loads a custom database. You can load a custom geo-location database from a file in comma-separated-values (CSV) format. This option requires configuration of a CSV template on the AX device. When you load the CSV file, the data is formatted based on the template. (To configure a CSV template, see gslb template csv on page 445.)

Note:
The file-name option is available only if you have already imported a geo-location database file.

Default
The IANA database is loaded by default.

Mode
Configuration mode

Usage
You can load more than one geo-location database. When you load a new database, if the same IP address or IP address range already exists in a previously loaded database, the address or range is overwritten by the new database.

Example
The following command loads the IANA database:

AX(config)#gslb geo-location load iana

Example

The following command loads geo-location data from a CSV file:

AX(config)#gslb geo-location load test1.csv test1-tmplte

gslb ip-list
Description
Configure a list of IP addresses and group IDs to use as input to other GSLB commands.

Syntax
[no] gslb ip-list list-name

The command changes the CLI to the configuration level for the list, where the following IP-list-related commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command    Description
[no] ip ipaddr {subnet-mask | /mask-length} id group-id
    Creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host address or a subnet address. The id option adds the entry to a group. The group-id can be 0-31.
[no] load bwlist-name
    Loads the entries from a black/white list into the IP list. For information on configuring a black/white list, see the Policy-Based SLB (PBSLB) section in the Traffic Security Features chapter of the AX Series Configuration Guide.

Default
None

Mode
Configuration mode

Usage
You can configure an IP list in either of the following ways:
- Use a text editor on a PC or use the AX GUI to configure a black/white list, then load the entries from the black/white list into an IP list.
- Use this command to configure individual IP list entries.

Example
The following commands configure a GSLB IP list and use the list to exclude IP addresses from active-RTT data collection:

AX(config)#gslb ip-list iplist1
AX(config-gslb ip-list)#ip 192.168.1.0 /24 id 3
AX(config-gslb ip-list)#ip 10.10.10.10 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.20 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.30 /32 id 3
AX(config-gslb ip-list)#exit
AX(config)#gslb policy pol1
AX(config-gslb policy)#ip-list iplist1
AX(config-gslb policy)#active-rtt ignore-id 3

gslb ping
Description
Test GSLB connectivity from the GSLB AX device to a site AX device.

Syntax
ping {site-name | ipaddr}

Parameter    Description
site-name | ipaddr
    GSLB site name or the IP address of the site AX device.

Mode
Configuration mode

gslb policy
Description
Configure a GSLB policy.

Syntax
[no] gslb policy {default | policy-name}

Parameter    Description
default
    The default GSLB policy included in the software.
policy-name
    Name of the policy, up to 31 alphanumeric characters.

This command changes the CLI to the configuration level for the specified GSLB policy. For information about the commands available at the GSLB policy level, see Config Commands: GSLB Policy on page 457.

Default
N/A

Mode
Configuration mode

Example
The following example creates a GSLB policy called gslb-policy2:

AX(config)#gslb policy gslb-policy2
AX(config gslb-policy)#

gslb protocol
Description
Enable the GSLB protocol or set protocol options.

Syntax
[no] gslb protocol {enable {controller | device [no-passive-rtt]} | status-interval seconds}

Parameter    Description
enable {controller | device [no-passive-rtt]}
    Enables the GSLB protocol:
    controller: Use this option on the AX device on which GSLB is configured.
    device: Use this option on the AX devices that are SLB devices at the GSLB sites. The no-passive-rtt option disables collection of passive RTT data for the site AX device.
status-interval seconds
    Changes the number of seconds between GSLB status messages. You can specify 1-300 seconds.

Default
The GSLB protocol options have the following defaults:
- enable: Disabled. If you enable the GSLB protocol with the device option (instead of the controller option), collection of passive RTT data is enabled by default.
- status-interval: 30 seconds.

Mode
Configuration mode

Usage
The A10 Networks GSLB protocol uses port 4149. The protocol is registered on this port for both TCP and UDP.

AX devices use the GSLB protocol for GSLB management traffic. The protocol is required to be enabled on the GSLB controller. The protocol is recommended on site AX devices but is not required. However, some GSLB policy metrics require the protocol to be enabled on the site AX devices as well as the GSLB controller:
- session-capacity
- active-rtt
- passive-rtt
- connection-load
- num-session
- least-response

The GSLB protocol is required in order to collect the site information provided for these metrics. The GSLB protocol is also required for the health-check metric, if the default health checks are used. If you modify the health checks, the GSLB protocol is not required.

Example
The following command enables the GSLB protocol on a GSLB AX Series device:

AX(config)#gslb protocol enable controller

Example

The following command enables the GSLB protocol on a site AX Series device:

AX(config)#gslb protocol enable device


gslb protocol limit


Description
Change RTT message limits.

Syntax
[no] gslb protocol limit { artt-query num-msgs | artt-response num-msgs | artt-session num-sessions | prtt-response num-msgs | conn-response num-msgs | response num-msgs | message num-msgs }

Default
See the online help.

Mode
Configuration mode

gslb service-ip
Description
Configure a service IP, which can be a virtual server's or real server's IP address.

Syntax
[no] gslb service-ip service-name [ipaddr]

Parameter    Description
service-name
    Name of the service, up to 31 alphanumeric characters.
ipaddr
    IP address of the virtual server or real server. You can specify an IPv4 or IPv6 address. (If you are changing the configuration of a GSLB service that is already configured, this parameter is not required.)

This command changes the CLI to the configuration level for the specified service, where the following GSLB-related commands are available:

Command    Description
[no] admin-preference preference
    Assigns an administrative preference to the DNS CNAME record for the service. The preference can be 0-255. A higher value is preferred over a lower value. The default is 0 (not set).
disable
    Disables GSLB for the service IP address.
enable
    Enables GSLB for the service IP address.
[no] external-ip ipaddr
    Assigns an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network.
[no] health-check [option]
    Configures monitoring of the service IP address. If you enter the command without any options, the default Layer 3 health monitor (ICMP ping) is used.
    monitor-name: The service is checked using the specified Layer 3, 4 or 7 health monitor.
    follow-port portnum: The health of the service port is based on the health of another port. Specify the other port number.
    gateway: Enables health checking of the site gateway. A gateway health check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. This option is enabled by default.
    port port-num port-num [...]: Configures multiple port health checking for the service. The service IP is marked Up if any of the ports passes the health check. It is not required for all ports to pass the health check. You can specify up to 64 ports.
    protocol: Enables or disables use of the GSLB protocol for health checking of the service. By default, the protocol option is enabled. If the GSLB protocol is enabled and can reach the service, health checking is performed over the GSLB protocol. Otherwise, health checking is performed using standard network traffic instead.
[no] ipv6 ipv6-addr
    Maps the specified IPv6 address to an IPv4 service IP. This option also requires IPv6 DNS AAAA support to be enabled in the GSLB policy. (See the ipv6-mapping option in dns on page 466.)
[no] port num {tcp | udp}
    Adds a service port to the service IP address. The command also changes the CLI to the configuration level for the specified service port, where the following service port-related commands are available:
    disable: Disables GSLB for the service port on this service IP address.
    enable: Enables GSLB for the service port on this service IP address.
    [no] health-check [monitor-name]: Enables or disables health monitoring for the service port. If you do not specify a health monitor, the default health monitor is used. (See Usage below.)
[no] weight num
    Assigns a weight to the DNS CNAME record for the service. Use this option if you plan to use the Weighted Alias metric.

Default
No services are configured by default. When you configure a service, the service is enabled by default. The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default health monitor for a service port is the default TCP or UDP monitor, depending on the transport protocol. (For more on health checking, see Usage below.)

Mode
Configuration mode

Usage
If you leave the health monitor for a service at its default setting (the default ICMP ping health check), the health checks are performed within the GSLB protocol. If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the GSLB protocol is not used for any of the health checks.

If you use a custom health monitor for a service port, the port number specified in the service configuration is used instead of the port number specified in the health monitor configuration.

The following policy metric options are not supported for IPv6 service IPs:
- active-rtt
- ip-list
- passive-rtt
- dns external-ip
- dns ipv6 mapping
- geo-location

Example

The following example creates a GSLB service IP address named gslb-srvc2 with IP address 192.168.20.99:

AX(config)#gslb service-ip gslb-srvc2 192.168.20.99
AX(config-gslb service-ip)#

gslb site
Description
Configure a GSLB site.

Syntax
[no] gslb site site-name

Parameter    Description
site-name
    Name for the site, up to 31 alphanumeric characters.

This command changes the CLI to the configuration level for the specified site, where the following site-related commands are available:

Command    Description
[no] active-rtt option
    Configures options for the active RTT metric:
    aging-time minutes: Specifies the maximum amount of time a stored active-RTT result can be used. You can specify 1-60 minutes. The default is 10 minutes.
    bind-geoloc: Stores the active-RTT measurements on a per geo-location basis. Without this option, the measurements are stored on a per site-SLB device basis.
    ignore-count num: Specifies the ignore count if RTT is out of range. You can specify 1-15. The default is 5.
    limit num: Specifies the maximum RTT allowed for the site. If the RTT measurement for a site exceeds the configured limit, GSLB does not eliminate the site. Instead, GSLB moves to the next metric in the policy. You can specify 0-16383 milliseconds (ms). The default is 16383.
    mask {/mask-length | mask-ipaddr}: Specifies the IPv4 client subnet mask length. The default mask length is 32.
    range-factor num: Specifies the maximum percentage a new active-RTT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again. For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement cannot be used. You can specify 1-1000. The default is 25.
    smooth-factor num: Blends the new measurement with the previous one, to smooth the measurements. For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used, along with 50% of the previous measurement. You can specify 1-100. The default is 10.
    (For information about the active RTT metric, see active-rtt on page 457.)
[no] bw-cost options
    Configures options for the bw-cost metric:
    limit num: Specifies the maximum amount the SNMP object queried by the GSLB AX device can increment since the previous query, in order for the site to remain eligible for selection as the best site. You can specify 0-2147483647. There is no default. If a site becomes ineligible due to being over the limit, the percentage parameter is used. In order to become eligible for selection again, the site's limit value must not increment more than limit*threshold-percentage.
    threshold percentage: For a site to regain eligibility when bw-cost is being compared, the SNMP object's incremental value must be below the threshold-percentage of the limit value. For example, if the limit value is 80000 and the threshold is 90, the limit value must increment by 72000 or less, in order for the site to become eligible again based on bandwidth cost. Once a site again becomes eligible, the SNMP object's value is again allowed to increment by as much as the bandwidth limit value (80000, in this example). You can specify 0-100. There is no default.
    (For information about the bw-cost metric, see bw-cost on page 462.)
[no] geo-location location-name
    Associates this site with a specific geographic location. (To configure a location, use the gslb geo-location command.)
[no] ip-server service-ip
    Associates a real server with this site.
    Note: Generally, virtual servers rather than real servers are associated with a site. To associate a virtual server with a site, use the vip-server option of the slb-dev command.
[no] passive-rtt option
    Configures options for the passive RTT metric. The options are the same as those for active-rtt. (See above.) (For information about the passive RTT metric, see passive-rtt on page 481.)
[no] slb-dev device-name ip-addr
    Specifies the device that provides SLB for the site. The IP address must be reachable by the GSLB AX Series when the GSLB protocol is enabled. This command changes the CLI to the configuration level for the SLB device. At this CLI level, the following optional GSLB-related commands are available:
    [no] admin-preference num: Assigns a preference value to the SLB device. If the admin-preference metric is enabled in the policy and all metrics before this one result in a tie, the SLB device with the highest admin-preference value is preferred. You can specify from 0-255. The default is 100.
    [no] gateway ipaddr: Specifies the gateway that the SLB device will use to reach the GSLB local DNS for collecting active RTT measurements.
    [no] gateway health-check: Enables gateway health checking. A gateway health check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. This option is enabled by default.
    [no] max-client num: Specifies the maximum number of clients for which the GSLB AX device (controller) saves data such as active and passive RTT measurements for each of the clients. You can specify 1-2147483647. The default is 32768.
    [no] passive-rtt-timer num: For passive RTT, specifies the number of seconds during which samples are collected during each sampling period. You can specify 1-255. The default is 3. To prevent samples from being taken for this device, use the no passive-rtt-timer command.
    [no] proto-aging-fast | proto-aging-time seconds: Please contact A10 Networks for information.
    [no] vip-server name: Maps this SLB site to a globally configured GSLB service IP address. The name must be the name of a configured service IP. (To configure the service IP, use the gslb service-ip command. See gslb service-ip on page 438.)
[no] template template-name
    Binds a template to the site. To use the bw-cost metric, use this option to bind a GSLB SNMP template to the site.
[no] weight num
    Assigns a weight to the site. If the weighted-site metric is enabled in the policy and all metrics before weighted-site result in a tie, the site with the highest weight is preferred. The weight can be from 1-100. The default is 1.

Default
See above.

Mode
Configuration mode

Example
The following example creates a site named NY-site and adds SLB AX Series site-ax-1 with IP address 10.10.10.10 to the site:

AX(config)#gslb site NY-site
AX(config gslb-site)#slb-dev site-ax-1 10.10.10.10
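The range-factor and smooth-factor options of active-rtt described above can be replayed offline to see how a stored measurement reacts to a series of samples. The following Python sketch is an added example, not A10 code; the order of operations (range check first, then blending), the handling of the first sample and the sample values are assumptions, and ignore-count is not modelled.

```python
# Offline model of the active-rtt range-factor and smooth-factor options.
# Assumptions (not from the AX software): the range check runs before the
# blend, and the first sample for a client is stored unchanged.


def update_rtt(previous, sample, range_factor=25, smooth_factor=10):
    """Return (stored_value, accepted) after one new RTT sample in ms."""
    if previous is None:
        return float(sample), True
    low = previous * (100 - range_factor) / 100
    high = previous * (100 + range_factor) / 100
    if not low <= sample <= high:
        # Out of range: the new measurement is discarded and the previous
        # measurement is used again.
        return previous, False
    blended = (smooth_factor * sample + (100 - smooth_factor) * previous) / 100
    return blended, True


def replay(samples, **options):
    """Replay samples; return a list of (sample, stored, accepted) tuples."""
    stored, history = None, []
    for sample in samples:
        stored, accepted = update_rtt(stored, sample, **options)
        history.append((sample, round(stored, 2), accepted))
    return history


def samples_to_converge(start, level, tolerance_pct=5, max_samples=1000, **options):
    """Count samples until the stored value is within tolerance of a new level.

    Returns None when the new level is outside the allowed range: the stored
    value never moves, so every later identical sample is rejected as well.
    """
    stored = float(start)
    for count in range(1, max_samples + 1):
        stored, accepted = update_rtt(stored, level, **options)
        if not accepted:
            return None
        if abs(stored - level) <= level * tolerance_pct / 100:
            return count
    return None


if __name__ == "__main__":
    # Constructed sample series in milliseconds.
    for row in replay([100, 110, 300, 120, 90, 130]):
        print(row)
    print("100 -> 120 ms, defaults:        ", samples_to_converge(100, 120))
    print("100 -> 120 ms, smooth-factor 50:", samples_to_converge(100, 120, smooth_factor=50))
    print("100 -> 200 ms, defaults:        ", samples_to_converge(100, 200))
```

With the defaults, a path whose RTT steps from 100 ms to 120 ms needs 12 accepted samples before the stored value is within 5% of the new level, while a step to 200 ms is never accepted under this model.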

gslb system wait


Description
Delay startup of GSLB following startup of the AX device.

Syntax
[no] gslb system wait seconds

Parameter    Description
seconds
    Length of the delay, 0-16384 seconds.

Default
0 seconds (no delay)

Mode
Configuration mode

gslb template csv


Description
Configure a template for extracting geo-location data from an imported CSV file.

Syntax
[no] gslb template csv template-name

Parameter    Description
template-name
    Name of the template, 1-63 characters.

This command changes the CLI to the configuration level for the specified template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command    Description
[no] delimiter {character | ASCII-code}
    Specifies the character used in the file to delimit fields. You can type the character or enter its decimal ASCII code (0-255).
[no] field num type-of-data
    The num option specifies the field position within the CSV file. You can specify from 1-64. The following options specify the type of geo-location data that is located in the field position:
    ip-from: Specifies the beginning IP address in the range or subnet.
    ip-to-mask: Specifies the ending IP address in the range, or the subnet mask.
    continent: Specifies the continent where the IP address range or subnet is located.
    country: Specifies the country where the IP address range or subnet is located.
    state: Specifies the state where the IP address range or subnet is located.
    city: Specifies the city where the IP address range or subnet is located.

Default
There is no default CSV template. When you configure one, the field locations are not set. The default delimiter character is a comma ( , ).

Mode
Configuration mode

Usage
To load a geo-location data file and use the CSV template to extract the data, see gslb geo-location load on page 433.

Example
The following commands configure a CSV template called test1-tmplte:

AX(config)#gslb template csv test1-tmplte
AX(config-gslb template csv)#field 1 ip-from
AX(config-gslb template csv)#field 2 ip-to-mask
AX(config-gslb template csv)#field 5 continent
AX(config-gslb template csv)#field 3 country
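Before a custom geo-location file is imported, its rows can be checked offline against the field positions of the CSV template. The following Python sketch is an added example, not part of the AX software; it uses the field positions of test1-tmplte above, treats an ip-to-mask value as a subnet mask when it is a contiguous netmask and as an ending address otherwise (an assumption), and runs on constructed sample rows.

```python
import csv
import io
import ipaddress

# 1-based field positions, copied from the test1-tmplte example on this page.
TEMPLATE = {"ip-from": 1, "ip-to-mask": 2, "country": 3, "continent": 5}

# Constructed sample rows (documentation address ranges), not real data.
SAMPLE_CSV = """\
192.0.2.0,255.255.255.128,US,-,NA
198.51.100.1,198.51.100.125,US,-,NA
192.0.2.100,192.0.2.200,CA,-,NA
203.0.113.9,203.0.113.1,US,-,NA
203.0.113.0,not-an-ip,US,-,NA
203.0.113.64,203.0.113.127,US
"""


def netmask_prefix(text):
    """Return the prefix length if text is a contiguous IPv4 netmask, else None."""
    value = int(ipaddress.IPv4Address(text))
    inverted = value ^ 0xFFFFFFFF
    if value != 0 and (inverted & (inverted + 1)) == 0:
        return 32 - inverted.bit_length()
    return None


def parse_geo_csv(text, template=TEMPLATE, delimiter=","):
    """Parse rows into (low, high, (continent, country), line) entries.

    Returns (entries, errors); errors is a list of (line, message).
    """
    entries, errors = [], []
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    for line, row in enumerate(reader, 1):
        if not row:
            continue
        try:
            # A row that is too short for the template raises IndexError here.
            fields = {name: row[pos - 1].strip() for name, pos in template.items()}
            first = ipaddress.IPv4Address(fields["ip-from"])
            prefix = netmask_prefix(fields["ip-to-mask"])
            if prefix is not None:
                # Assumed rule: a contiguous netmask means "subnet", not "end address".
                net = ipaddress.IPv4Network((first, prefix), strict=False)
                low, high = int(net.network_address), int(net.broadcast_address)
            else:
                low = int(first)
                high = int(ipaddress.IPv4Address(fields["ip-to-mask"]))
                if high < low:
                    raise ValueError("range end is below range start")
        except (IndexError, ValueError) as exc:
            errors.append((line, str(exc)))
            continue
        entries.append((low, high, (fields["continent"], fields["country"]), line))
    return entries, errors


def find_overlaps(entries):
    """Return (earlier_line, later_line) for each entry overlapping a prior range.

    Overlapping ranges matter because a later entry for the same addresses
    replaces the earlier mapping when databases are loaded.
    """
    overlaps = []
    reach_high, reach_line = -1, None
    for low, high, _location, line in sorted(entries, key=lambda e: (e[0], e[1])):
        if low <= reach_high:
            overlaps.append((reach_line, line))
        if high > reach_high:
            reach_high, reach_line = high, line
    return overlaps


if __name__ == "__main__":
    parsed, problems = parse_geo_csv(SAMPLE_CSV)
    for low, high, location, line in parsed:
        print(line, ipaddress.IPv4Address(low), ipaddress.IPv4Address(high), location)
    for line, message in problems:
        print("line", line, "rejected:", message)
    print("overlapping lines:", find_overlaps(parsed))
```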


gslb template snmp


Description

Configure an SNMP template to query data for use by the bw-cost metric.

Syntax

[no] gslb template snmp template-name

Parameter / Description

template-name
  Name of the template, 1-63 characters.

This command changes the CLI to the configuration level for the specified template, where the following commands are available. (The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command / Description

[no] auth-key string
  Specifies the authentication key. The key string can be 1-127 characters long. This command is applicable if the security level is auth-no-priv or auth-priv.

[no] auth-proto {sha | md5}
  Specifies the authentication protocol. This command is applicable if the security level is auth-no-priv or auth-priv.

[no] community community-string
  For SNMPv1 or v2c, specifies the community string required for authentication.

[no] contextengine-id id
  Specifies the ID of the SNMPv3 protocol engine running on the site AX device.

[no] contextname id
  Specifies an SNMPv3 collection of management information objects accessible by an SNMP entity.

[no] host ipaddr
  Specifies the IP address of the site AX device.

[no] interface id
  Specifies the SNMP interface ID.



[no] interval seconds
  Specifies the amount of time between each SNMP GET to the site AX devices. You can specify 1-999 seconds. The default is 3.

[no] oid oid-value
  Specifies the interface MIB object to query on the site AX device.
  Note: If the object is part of a table, make sure to append the table index to the end of the OID. Otherwise, the AX device will return an error.

[no] port portnum
  Specifies the protocol port on which the site AX devices listen for the SNMP requests from the GSLB AX device. You can specify 1-65535. The default is 161.

[no] priv-key string
  Specifies the encryption key. The key string can be 1-127 characters long. This command is applicable only if the security level is auth-priv.

[no] priv-proto {aes | des}
  Specifies the privacy protocol used for encryption. This command is applicable only if the security level is auth-priv.

[no] securityengine-id id
  Specifies the ID of the SNMPv3 security engine running on the site AX device. For each command, the ID is a string 1-127 characters long.

[no] security-level {no-auth | auth-no-priv | auth-priv}
  Specifies the SNMPv3 security level:
    no-auth: Authentication is not used and encryption (privacy) is not used. This is the default.
    auth-no-priv: Authentication is used but encryption is not used.
    auth-priv: Both authentication and encryption are used.

[no] username name
  Specifies the SNMPv3 username required for access to the SNMP agent on the site AX device.



[no] version {v1 | v2c | v3}
  Specifies the SNMP version running on the site AX device.

Default

See above.

Mode

Configuration mode

Usage

The community command applies only to SNMPv1 or v2c. Most of the other commands, with the exception of the version, interval, port, and interface commands, apply to SNMPv3.

Example

The following commands configure a GSLB SNMP template for SNMPv2c:

AX(config)#gslb template snmp snmp-1
AX(config-gslb template snmp)#version v2c
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#community public
AX(config-gslb template snmp)#exit

Example

The following commands configure a GSLB SNMP template for SNMPv3. In this example, authentication and encryption are both used.

AX(config)#gslb template snmp snmp-2
AX(config-gslb template snmp)#security-level auth-priv
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#username read
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#priv-proto des
AX(config-gslb template snmp)#auth-key 12345678
AX(config-gslb template snmp)#priv-key 12345678
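An added example, not A10 code: a Python audit that reads gslb template snmp command blocks in the prompt format of the two examples above and flags settings that weaken the SNMP polling channel, using the applicability rules and the no-auth default documented for this command. The finding names, the 12-character key threshold, the constructed snmp-3 template, and treating a template with no version command as SNMPv3 are assumptions made for the illustration.

```python
import re

# Prompt prefix as it appears in the manual's examples, e.g. "AX(config-gslb template snmp)#"
PROMPT = re.compile(r"^\s*AX\([^)]*\)#\s*")
WELL_KNOWN_COMMUNITIES = {"public", "private"}
MIN_KEY_LEN = 12  # assumption: local policy threshold; the AX CLI itself accepts 1-127 characters

# snmp-1 and snmp-2 are the manual's two examples; snmp-3 is constructed for this illustration.
SAMPLE = """\
AX(config)#gslb template snmp snmp-1
AX(config-gslb template snmp)#version v2c
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#community public
AX(config-gslb template snmp)#exit
AX(config)#gslb template snmp snmp-2
AX(config-gslb template snmp)#security-level auth-priv
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#username read
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#priv-proto des
AX(config-gslb template snmp)#auth-key 12345678
AX(config-gslb template snmp)#priv-key 12345678
AX(config)#gslb template snmp snmp-3
AX(config-gslb template snmp)#version v3
AX(config-gslb template snmp)#host 192.168.214.125
AX(config-gslb template snmp)#username read
AX(config-gslb template snmp)#auth-proto md5
AX(config-gslb template snmp)#auth-key example-auth-passphrase
"""


def parse_templates(text):
    """Return {template-name: {command: argument}} for every SNMP template block."""
    templates, current = {}, None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line:
            continue
        start = re.match(r"gslb template snmp (\S+)$", line)
        if start:
            current = templates.setdefault(start.group(1), {})
        elif line in ("exit", "end"):
            current = None
        elif current is not None:
            words = line.split(None, 1)
            if words[0] == "no" and len(words) == 2:
                # "no <command> ..." removes an earlier setting
                current.pop(words[1].split()[0], None)
            else:
                current[words[0]] = words[1] if len(words) == 2 else ""
    return templates


def audit_template(cfg):
    """Return a list of finding names for one parsed template."""
    findings = []
    if cfg.get("version") in ("v1", "v2c"):
        # v1/v2c: the community string is the only credential and travels unencrypted
        findings.append("community-only-auth")
        if cfg.get("community", "").lower() in WELL_KNOWN_COMMUNITIES:
            findings.append("well-known-community")
        return findings

    # SNMPv3 (assumed when no version command is present); documented default is no-auth
    level = cfg.get("security-level", "no-auth")
    if level == "no-auth":
        findings.append("v3-no-auth-no-priv")
    elif level == "auth-no-priv":
        findings.append("v3-no-priv")
    # auth-proto applies at auth-no-priv and auth-priv; priv-proto only at auth-priv
    if level != "no-auth" and cfg.get("auth-proto") == "md5":
        findings.append("auth-md5")
    if level == "auth-priv" and cfg.get("priv-proto") == "des":
        findings.append("priv-des")
    # Keys configured at a level where the manual says they are not applicable
    if "auth-key" in cfg and level == "no-auth":
        findings.append("auth-key-not-applied")
    if "priv-key" in cfg and level != "auth-priv":
        findings.append("priv-key-not-applied")
    keys = [cfg[k] for k in ("auth-key", "priv-key") if k in cfg]
    if len(keys) == 2 and keys[0] == keys[1]:
        findings.append("key-reuse")
    if any(len(k) < MIN_KEY_LEN for k in keys):
        findings.append("short-key")
    return findings


def audit(text):
    """Audit every SNMP template found in a block of CLI commands."""
    return {name: audit_template(cfg) for name, cfg in parse_templates(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, ", ".join(findings) or "no findings")
```

The snmp-3 result shows the case that is easy to miss in review: keys and a protocol are configured, but because no security-level command was entered the documented default of no-auth applies and none of them take effect.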

gslb zone

Description

Configure a GSLB zone, which identifies the top-level URL for the services load balanced by GSLB.

Syntax

[no] gslb zone zone-url

Parameter / Description

zone-url
  URL of the zone, up to 127 alphanumeric characters.



  You can use lower case characters and upper case characters. However, since Internet domain names are case-insensitive, the AX device internally converts all upper case characters in GSLB zone names to lower case.

This command changes the CLI to the configuration level for the specified zone, where the following zone-related commands are available:

Command / Description

[no] dns-mxrecord name priority
  Configures a DNS Mail Exchange (MX) record for the zone. The name is the fully-qualified domain name of the mail server for the zone. If more than one MX record is configured for the same zone, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX with the lowest priority value has the highest priority and is tried first. The priority can be 0-65535. There is no default. MX records configured on a zone are used only for services on which MX records are not configured.
  Note: If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure Address records for the mail service.

[no] dns-nsrecord domain-name
  Configures a DNS name server record for the specified domain.

[no] dns-soarecord dnsserver-name mailbox-name [expire seconds] [refresh seconds] [retry seconds] [serial num] [ttl seconds]
  Configures a DNS start of authority (SOA) record for the GSLB zone.


  The refresh option specifies the number of seconds other DNS servers wait before requesting updated information for the GSLB zone.
  The retry option specifies how many seconds other DNS servers wait before resending a refresh request, if GSLB does not respond to the previous request.
  The expire option specifies how many seconds GSLB can remain unresponsive to a refresh request before the other DNS server stops responding to queries for the zone.
  The serial option specifies the initial serial number of the SOA record. This number is automatically incremented each time a change occurs to any records for the GSLB zone. You can specify 0-2147483647. The default is based on the current system time on the GSLB AX device when you create the SOA record.
  The ttl option specifies the number of seconds GSLB will cache and reuse negative replies (NXDOMAIN messages). A negative reply is an error message indicating that a requested domain does not exist. You can specify 0-2147483647 seconds. The default is the value of the zone TTL when you create the SOA record.
  Note: The ttl option is equivalent to the minimum option in BIND 9.

[no] policy policy-name
  Applies the specified GSLB policy to the zone.

[no] service port [service-name]
  Adds a service to the zone. The port option specifies the service port and can be a well-known name recognized by the CLI or a port number from 1 to 65535. The service-name can be 1-31 alphanumeric characters or * (wildcard character matching on all service names). For the same reason described for zone names, the AX device converts all upper case characters in GSLB service names to lower case.
  This command changes the CLI to the configuration level for the service, where the following GSLB-related commands are available:



action action-type
  Specifies the action to perform for DNS traffic:
    drop: Drops DNS queries from the local DNS server.
    reject: Rejects DNS queries from the local DNS server and returns the Refused message in replies.
    forward {both | query | response}: Forwards requests or queries, as follows:
      forward both: Forwards queries to the Authoritative DNS server, and forwards responses to the local DNS server.
      forward query: Forwards queries to the Authoritative DNS server, but does not forward responses to the local DNS server.
      forward response: Forwards responses to the local DNS server, but does not forward queries to the Authoritative DNS server.
  Note: Use of the actions configured for services also must be enabled in the GSLB policy, using the dns action command at the configuration level for the policy. See dns on page 466.

dns-a-record {service-name | service-ipaddr} {as-replace | no-resp | static | ttl num | weight num}
  Configures a DNS Address (A) record for the service, for use with the DNS replace-ip option in the GSLB policy. (See dns on page 466.)
    as-replace: This option is used with the ip-replace option in the policy. When both options are set (as-replace here and ip-replace in the policy), the client receives only the IP address set here by service-ip.
    no-resp: Prevents the IP address for this site from being included in DNS replies to clients.
    static: This option is used with the dns server option in the policy. When both options are set (static here and dns server in the policy), the GSLB AX device acts as the DNS server for the IP address set here by service-ip.
    ttl num: Assigns a TTL to the service, 0-2147483647. By default, the TTL of the zone is used. This option can be used with the dns server option in the policy, or with DNS proxy mode enabled in the policy.
    weight num: Assigns a weight to the service. If the weighted-ip metric is enabled in the policy and all metrics before weighted-ip result in a tie, the service on the site with the highest weight is selected. The weight can be 1-100. By default, the weight is not set.
  Note: The no-resp option is not valid with the static or as-replace option. If you use no-resp, you cannot use static or as-replace.

dns-cname-record alias [as-backup] [alias ...]
  Configures DNS Canonical Name (CNAME) records for the service. The as-backup option specifies that the record is a backup record.

dns-mx-record name priority
  Configures a DNS Mail Exchange (MX) record for the service. The name is the fully-qualified domain name of the mail server for the service. If more than one MX record is configured for the same service, the priority specifies the order in which the mail server should attempt to deliver mail to the MX hosts. The MX record with the lowest priority number has the highest priority and is tried first. The priority can be 0-65535. There is no default.
  Note: If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure A records for the mail service.

dns-ns-record domain-name [as-backup]
  Configures a DNS name server record. The as-backup option specifies that the record is a backup record. To use the as-backup option, you also must use the dns backup-alias command in the policy. (See dns on page 466.)


dns-ptr-record domain-name
  Configures a DNS pointer record.

dns-srv-record domain-name priority [port portnum] [weight num]
  Configures a DNS service record. The priority can be 0-65535. There is no default. The port portnum specifies the protocol port to return to the client, and can be 0-65534. There is no default. If you do not specify the port, GSLB finds the port for the SRV record and sends it to the client. If you do specify the port, GSLB sends the specified port to the client. The weight num specifies the weight and can be 0-65535. The default is 10.

geo-location location-name {action action | alias url | policy policy-name}
  Configures geolocation settings. The location must already be configured. (See gslb geo-location on page 432.)
    action action: Specifies the action to perform for DNS traffic. The action options are the same as those for the action command described above.
    alias url: Maps an alias configured with the alias option (see above) to the specified location for this service.
    policy policy-name: Applies the specified GSLB policy to clients from the geo-location.

health-check {gateway | port portnum [...]}
  Please contact A10 Networks for information.

ip-order {service-name | service-ipaddr} [...]
  Specifies the order in which to list the service IP addresses in the DNS reply. The configured order is used by the ordered-ip metric during selection of the best IP addresses to send to a client in DNS replies.



policy policy-name
  Applies the specified GSLB policy to the service.

[no] ttl seconds
  Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy, for this zone. You can specify from 0 to 1000000 (1,000,000) seconds. This TTL setting overrides the TTL setting in the GSLB policy.

Default

policy: The default GSLB policy is used, unless you configure another policy and apply it to the zone. The GSLB policy applied to the zone is also applied to the services in that zone. If no policy is applied to the zone, the default GSLB policy is applied to the services.
ttl: 10

Note: The TTL of the DNS reply can be overridden in two different places in the GSLB configuration:
1. If a GSLB policy is assigned to the individual service, the TTL set in that policy is used.
2. If no policy is assigned to the individual service, but the TTL is set in the zone, then the zone's TTL setting is used. (This is the level set by the ttl command shown in this section.)

None of the other parameters have a default setting.

Mode

Configuration mode

Example

The following example creates a zone named ax-gslb-zone:

AX(config)#gslb zone ax-gslb-zone
AX(config gslb-zone)#


Config Commands: GSLB Policy


The commands in this chapter configure Global Server Load Balancing (GSLB) policies. The CLI changes to this level when you enter the gslb policy policy-name command from the global Config level.

This CLI level also has the following commands, which are available at all configuration levels:
clear: See clear on page 50.
debug: See debug on page 53.
do: See do on page 103.
end: See end on page 107.
exit: See exit on page 108.
no: See no on page 134.
show: See Show Commands on page 527.
write: See write terminal on page 67.

active-rtt

Description

Configure the active round-trip time (RTT) metric. Active RTT measures the round-trip-time for a DNS query and reply between a site AX device and the GSLB local DNS.

Syntax

[no] active-rtt [difference num] [fail-break] [ignore-id group-id] [keep-tracking] [limit ms] [samples num-samples] [single-shot] [skip count] [timeout seconds] [tolerance num-percentage]



Parameter / Description

difference num
  Number from 0 to 1023 specifying the round-trip time difference.

fail-break
  Enables GSLB to stop if the configured RTT limit in a policy is reached. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.
  Note: To configure the RTT limit, use the limit option (described below). To configure GSLB to return a CNAME record as a backup, enable the backup-alias option using the dns backup-alias command at the configuration level for the policy. To configure the backup alias for a service within a zone, use the following command at the configuration level for the service:
  dns-cname-record alias-name as-backup

ignore-id group-id
  Excludes the IP addresses in the specified IP list from active-RTT data collection. (To configure an IP list, see gslb ip-list on page 434.)

keep-tracking
  Continues tracking of active RTT for clients after the track time expires. By default, GSLB stops collecting active-RTT samples for a client (stops tracking the client) after the number of seconds specified by the global active-RTT track setting.

limit ms
  Specifies the RTT limit for the policy. This option is useful for applying site selection based on RTT limits and geo-location. This option is required if you plan to use the DNS geoloc-policy option. You can specify 0-16383 ms. To configure active-RTT limit by geo-location:
  1. Enable the active-rtt bind-geoloc option on each GSLB site.
  2. Enable the dns geoloc-policy option in the default GSLB policy, and enable the active-rtt option in the policies for geo-locations. If applicable, configure the active-RTT limit.
  3. On the service within the zone, enable the geolocation option and specify the GSLB policy to use for that location.

samples num-samples
  Number from 1 to 8 specifying the number of samples to collect.

single-shot
  Collects a single sample only. For single-shot, you can configure the following options:
    skip count: Number of site AX devices that can exceed their single-shot timeouts, without the active RTT metric itself being skipped by the GSLB AX device during site selection. You can skip from 1-31 sites. By default, there is no limit. Any number of the sites can time out, without invalidating the active RTT metric.
    timeout seconds: Number of seconds each site AX device should wait for the DNS reply. If the reply does not arrive within the specified timeout, the site becomes ineligible for selection, in cases where selection is based on the active RTT metric. You can specify 1-255 seconds.

tolerance num-percentage
  Specifies how much the active RTT values must differ in order for GSLB to prefer one geo-location or site over another based on active RTT.

Default

Disabled. When you enable the active RTT metric, it has the following default settings:
difference: 0
fail-break: disabled
ignore-id: not set
keep-tracking: disabled
limit: 16383 ms
samples: 5
single-shot: Disabled. Multiple samples are taken at regular intervals.
skip: 3
timeout: 3 seconds
tolerance: 10 percent

Mode

GSLB Policy

Usage

This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.

Example

The following command enables the active RTT metric:

AX(config gslb-policy)#active-rtt

active-servers

Description

Configure the active-servers metric, which prefers the VIP with the highest number of active servers. Active-servers is a measure of the number of active real servers bound to a Virtual IP address (VIP) residing on a GSLB site. The GSLB AX Series uses the active-servers metric to select the best IP address for the client. The VIP with the highest number of active servers is the IP address preferred by this metric.

Syntax

[no] active-servers [fail-break]

Parameter / Description

fail-break
  Enables GSLB to stop if the number of active servers for all services is 0. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default

Disabled

Mode

GSLB Policy


Usage

Use this command to eliminate inactive real servers from being eligible for selection by GSLB as the best IP address to send at the top of the IP address list in DNS replies to clients.

Example

The following command enables the active-servers metric:

AX(config gslb-policy)#active-servers

admin-preference

Description

Enable or disable the admin-preference metric, which prefers the site whose SLB device has the highest administratively set weight.

Syntax

[no] admin-preference

Default

Disabled

Mode

GSLB Policy

Usage

To set the GSLB admin-preference for a site, use the admin-preference command at the configuration level for the SLB device within the site. (See gslb site on page 441.)

Example

The following command enables the admin-preference metric:

AX(config gslb-policy)#admin-preference

alias-admin-preference

Description

Enable or disable the Alias Admin Preference metric, which selects the DNS CNAME record with the highest administratively set preference. This metric is similar to the Admin Preference metric, but applies only to DNS CNAME records.

Syntax

[no] alias-admin-preference

Default

Disabled

Mode

GSLB Policy

Usage

Metric order does not apply to this metric. When enabled, this metric always has high priority.



To configure the Alias Admin Preference metric:
1. At the configuration level for the GSLB service, use the admin-preference preference command to assign an administrative preference to the DNS CNAME record for the service. (See gslb service-ip on page 438.)
2. At the configuration level for the GSLB policy:
   - Use the alias-admin-preference command to enable the Alias Admin Preference metric.
   - Enable one or both of the following DNS options, as applicable to your deployment:
       DNS backup-alias
       DNS geoloc-alias
     (See dns on page 466.)
3. If using the backup-alias option, use the dns-cname-record as-backup option on the service. (See gslb service-ip on page 438.)

bw-cost

Description

Configure the bw-cost metric. This mechanism queries the bandwidth utilization of each site, and selects the site(s) whose bandwidth utilization has not exceeded a configured threshold during the most recent query interval.

Syntax

[no] bw-cost [fail-break]

Parameter / Description

fail-break
  Enables GSLB to stop if the current bw-cost value is over the limit. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default

Disabled

Mode

GSLB Policy

Example

The following command enables the bw-cost metric:

AX(config gslb-policy)#bw-cost

capacity

Description

Configure the TCP/UDP session-capacity metric. This mechanism provides a way to shift load away from a site before the site becomes congested. A site AX Series is eligible to be the best site only if its session utilization is below the specified value.

Example: Site A's maximum session capacity is 800,000 and Site B's maximum session capacity is 500,000. If the session-capacity threshold is set to 90, then for Site A the capacity threshold is 90% of 800,000, which is 720,000. Likewise, the capacity threshold for Site B is 90% of 500,000, which is 450,000.

Syntax

[no] capacity [threshold num] [fail-break]

Parameter / Description

threshold num
  Number from 0 to 100 specifying the maximum percentage of a site AX Series session table that can be used. If the session table utilization is greater than the specified percentage, the GSLB AX Series prefers other sites over this site.

fail-break
  Enables GSLB to stop if the session utilization on all site SLB devices is over the threshold. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default

Disabled. When you enable the capacity metric, the default threshold is 90 percent.



Mode

GSLB Policy

Usage

This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.

Example

The following command enables the capacity metric at the default value of 90% utilization of TCP/UDP session capacity:

AX(config gslb-policy)#capacity

connection-load

Description

Configure the connection-load metric, which prefers sites that have not exceeded their thresholds for new connections.

Syntax

[no] connection-load [limit number-of-connections] | [samples number-of-samples interval seconds] [fail-break]

Parameter / Description

limit number-of-connections
  Number that specifies the maximum average number of new connections per second the site AX Series can have. You can specify from 1 to 999999999 (999,999,999).

samples number-of-samples interval seconds
  Number of samples for the SLB device (the site AX Series) to collect, and the number of seconds between each sample. You can specify 1-8 samples and an interval of 1-60 seconds.

fail-break
  Enables GSLB to stop if the connection load for all sites is over the limit. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default

Disabled. When you enable the connection-load metric, the default limit is not set (unlimited). The default number of samples is 5 and the default interval is 5 seconds.

Mode

GSLB Policy

Usage

This command applies only to GSLB selection of a site. The command does not affect the number of connections the site AX Series itself allows. This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.

Example

The following command sets the connection load limit to 1000 new connections:

AX(config gslb-policy)#connection-load limit 1000


dns

Description

Configure DNS parameters for the policy.

Syntax

[no] dns { action | active-only | addition-mx | backup-alias | best-only [max-answers] | cache [aging-time {seconds | ttl}] | cname-detect | external-ip | geoloc-action | geoloc-alias | geoloc-policy | ip-replace | ipv6 options | logging {both | query | response | none} [geo-location name | ip ipaddr] | server [addition-mx] [authoritative [full-list]] [mx] [ns [auto-ns]] [ptr [auto-ptr]] [srv] | sticky [/prefix-length] [aging-time minutes] [ipv6-mask mask-length] | ttl num }

Parameter / Description

action
  Enable GSLB to perform the DNS actions specified in the service configurations.
  Note: To configure the DNS action for a service, use the action action-type command at the configuration level for the service. See gslb zone on page 449.

active-only
  Removes IP addresses from DNS replies when those addresses fail health checks.
  Note: If none of the IP addresses in the DNS reply pass the health check, the GSLB AX Series does not use this metric, since it would result in an empty IP address list.

addition-mx
  Appends MX records in the Additional section in replies for A records, when the device is configured for DNS proxy or cache mode.


backup-alias
  Returns the alias CNAME record configured for the service, if GSLB does not receive an answer to a query for the service and no active DNS server exists. This option is valid in server mode or proxy mode. To configure the backup alias for a service within a zone, use the following command at the configuration level for the service:
  dns-cname-record alias-name as-backup

best-only [max-answers]
  Removes all IP addresses from DNS replies except for the address selected as the best address by the GSLB policy metrics. It is possible for more than one address to be the best address. The max-answers option specifies the maximum number of best addresses allowed, 1-128. By default, max-answers is not set. There is no limit to the number of answers.

cache [aging-time seconds | ttl]
  Enables the GSLB AX device to cache DNS replies. The AX device uses information in the cached DNS entries when replying to clients, instead of sending a new DNS request for every client query. By default, the AX device caches a DNS reply for the duration of the TTL in the reply. You can override the entry TTL by setting the cache aging time. You can specify 1-1,000,000,000 seconds (nearly 32 years). Do not type commas when you enter the number. If you change the aging time but later decide to restore it to its default value, use the ttl option instead of seconds.

cname-detect
  Enables GSLB for CNAME records. For example, if the GSLB AX Series receives a DNS reply that contains the CNAME record Alias = www1.a10networks.com, Actual name = www.a10networks.com, and the zone and application name "www.a10networks.com" have been configured on the GSLB-AX, the GSLB-AX will apply the GSLB policy to the CNAME record.


external-ip
  Returns the external IP address configured for a service IP. If this option is disabled, the internal address is returned instead. The external IP address must be configured on the service IP. (Use the external-ip command at the configuration level for the service IP.)

geoloc-action
  Performs the DNS traffic handling action specified for the client's geo-location. The action is specified as part of service configuration in a zone.
  Note: To configure the DNS action for a service, use the geo-location location-name action-type command at the configuration level for the service. See gslb zone on page 449.

geoloc-alias
  Returns the alias name configured for the client's geo-location. (This option does the same thing as the alias-geoloc option, which is deprecated in AX Release 2.0.)

geoloc-policy
  Uses the GSLB policy assigned to the client's geo-location.

ip-replace
  Replaces the IP addresses in the DNS reply with the service IP addresses configured for the service. (To configure the service IP addresses, use the service-ip command at the configuration level for the service. See gslb zone on page 449.)

ipv6 options
  Enables support for IPv6 AAAA records. The following options are supported:
    mapping {addition | answer | exclusive | replace}: Specifies the actions in response to an IPv6 DNS query. You can enable one or more of these options.
      addition: Append AAAA records in the DNS Addition section of replies.
      answer: Append AAAA records in the DNS Answer section of replies.
      exclusive: Replace A records (IPv4 address records) with AAAA records.
      replace: Reply with AAAA records only.


Note: The current release has the following limitations:

Health checks and the GSLB protocol use IPv4 only.
IP address-related metrics such as RTT are always based on IPv4.
Virtual servers for GSLB service IPs are required to have both an IPv4 and an IPv6 address.

mix    Enables GSLB to return both AAAA and A records in the same answer.
smart  Enables IPv6 return by query type. For the ipv4-ipv6 mapping records, an A query (IPv4) will return an A record and an AAAA query (IPv6) will return an AAAA record.

logging options

Configures DNS logging. The both | query | response | none option specifies the types of messages to log. To restrict logging to a specific geo-location or IP address, use one of the following options:

server [options]

Enables the GSLB AX device to act as a DNS server, for specific service IPs in the GSLB zone. When you enable the server option, the GSLB AX directly responds to Address queries for specific service IP addresses in the GSLB zone. The AX device still forwards other types of queries to the DNS server. If you use the server option, you do not need to use the cname-detect option. When a client requests a configured alias name, GSLB applies the policy to the CNAME records. To place the server option into effect, you also must enable the static option on the individual service IP. (To configure the service IP addresses, use the service-ip command at the configuration level for the service. See gslb zone on page 449.)

addition-mx                Enables the GSLB AX device to provide the A record containing the mail server's IP address in the Additional section, when the device is configured for DNS server mode.
authoritative [full-list]  Makes the AX device the authoritative DNS server for the GSLB zone, for the service IPs in which you enable the static option. (See below.) If you omit the authoritative option, the AX device is a non-authoritative DNS server for the zone domain. The full-list option appends all A records in the Authoritative section of DNS replies.
mx                         Provides the MX record in the Answer section, and the A record for the mail server in the Additional section, when the device is configured for DNS server mode.
ns [auto-ns]               Provides the name server record. The auto-ns option causes the policy to provide A records for NS records automatically.
ptr [auto-ptr]             Provides the pointer record. The auto-ptr option causes the policy to provide pointer records automatically.
srv                        Provides the service record.

Note: The server option is not valid with the ip-replace option. They are mutually exclusive.

sticky [/prefix-length] [aging-time minutes] [ipv6-mask mask-length]

Sends the same service IP address to a client for all requests from that client for the service address. Sticky DNS ensures that, during the aging-time, a client is always directed to the same site.

/prefix-length  Adjusts the granularity of the feature. The default prefix length is 32, which causes the AX device to maintain separate stickiness information for each local DNS server. For example, if two clients use DNS 10.10.10.25 as their local DNS server, and two other clients use DNS 10.20.20.99 as their local DNS server, the AX maintains separate stickiness information for each set of clients, by maintaining separate stickiness information for each of the local DNS servers.

aging-time minutes     Specifies how many minutes a DNS reply remains sticky. You can specify 1-65535 minutes.
ipv6-mask mask-length  Adjusts the granularity of the feature for IPv6. The default mask length is 128.

Note: If you enable the sticky option, the sticky time must be as long as or longer than the zone TTL. (Use the ttl command at the configuration level for the zone. See gslb zone on page 449.)

ttl num

Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy. You can specify 0-1000000 (1,000,000) seconds.

Default

This command has the following defaults:

action         disabled
active-only    disabled
addition-mx    disabled
backup-alias   disabled
best-only      disabled
cache          disabled; when you enable this option, the default aging time for a cached DNS reply is the TTL set by the DNS server in the reply
cname-detect   enabled
external-ip    enabled
geoloc-action  disabled
geoloc-alias   disabled
geoloc-policy  disabled
ip-replace     disabled
ipv6           all options disabled
logging        disabled
server         disabled
sticky         disabled; when you enable this option, the default prefix is /32 and the default aging time is 5 minutes
ttl num        10 seconds

Mode

GSLB Policy


Usage

If more than one of the following options are enabled, GSLB uses them in the order listed, beginning with sticky:

1. sticky
2. server
3. cache
4. proxy (The command does not have a separately configurable proxy option. The proxy option is automatically enabled when you configure the DNS proxy.)

The site address selected by the first option that is applicable to the client and requested service is used.

Example

The following command enables CNAME detection:

AX(config gslb-policy)#dns cname-detect

Example

The following configuration excerpt uses the ipv6 mix option to enable mixing of IPv4 and IPv6 service-ip addresses in DNS answers. Both A and AAAA records will be included in replies to either A or AAAA requests from clients.

gslb service-ip ip1 20.20.20.100
 port 80 tcp
gslb service-ip ip2 20.20.20.102
 port 80 tcp
gslb service-ip ipv61 fe80::1
 port 80 tcp
gslb service-ip ipv62 fe80::2
 port 80 tcp
gslb service-ip ipv63 fe80::3
 port 80 tcp
gslb policy p8
 dns ipv6 mix
 dns server
gslb zone a8.com
 policy p8
 service http www
  dns-a-record ip2 static
  dns-a-record ip1 static
  dns-a-record ipv61 static
  dns-a-record ipv62 static
  dns-a-record ipv63 static

Example

The following configuration excerpt uses the ipv6 smart option. For IPv4-IPv6 mapping records, an A query will be answered by an A record and an AAAA query will be answered by an AAAA record. More specifically, if a client sends an A query, GSLB returns A records in the answer section, and AAAA records in the additional section. If a client sends an AAAA query, GSLB returns AAAA records in the answer section, and A records in the additional section.

gslb service-ip ip1 20.20.20.100 ipv6 ffff::1
 port 80 tcp
gslb service-ip ip2 20.20.20.102 ipv6 ffff::2
 port 80 tcp
gslb policy p8
 dns ipv6 mapping addition
 dns ipv6 smart
 dns server
gslb zone a8.com
 policy p8
 service http www
  dns-a-record ip2 static
  dns-a-record ip1 static
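
The dns option descriptions above state several constraints that are easy to violate when a policy is edited by hand: server and ip-replace are mutually exclusive, the sticky time must not be shorter than the zone TTL, server mode only answers for records marked static, and aging times have fixed ranges. The following Python check is an added example, not part of the original reference or of A10's software; the indented excerpt layout, the zone-level `ttl num` syntax and the finding names are assumptions made for illustration.

```python
"""Lint a GSLB config excerpt against constraints stated in the dns command text."""

STICKY_DEFAULT_MINUTES = 5     # documented default sticky aging time
RANGES = {                     # documented value ranges
    ("cache", "aging-time"): (1, 1_000_000_000),   # seconds
    ("sticky", "aging-time"): (1, 65535),          # minutes
}

# Constructed sample input (not taken from a real device).
SAMPLE = """\
gslb service-ip ip1 20.20.20.100
 port 80 tcp
gslb policy p8
 dns server
 dns ip-replace
 dns sticky /24 aging-time 1
 dns cache aging-time 0
gslb zone a8.com
 policy p8
 ttl 300
 service http www
  dns-a-record ip1 static
  dns-a-record ip2
"""


def parse(text):
    """Collect dns options per policy, and policy/ttl/A records per zone."""
    policies, zones, ctx = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "gslb":                      # a new top-level block starts
            if len(tok) >= 3 and tok[1] == "policy":
                ctx = policies.setdefault(tok[2], {"dns": {}})
            elif len(tok) >= 3 and tok[1] == "zone":
                ctx = zones.setdefault(
                    tok[2], {"policy": None, "ttl": None, "a_records": []})
            else:
                ctx = None                        # block this linter ignores
        elif ctx is None or len(tok) < 2:
            continue
        elif "dns" in ctx and tok[0] == "dns":
            ctx["dns"][tok[1]] = tok[2:]
        elif "a_records" in ctx:
            if tok[0] == "policy":
                ctx["policy"] = tok[1]
            elif tok[0] == "ttl" and tok[1].isdigit():
                ctx["ttl"] = int(tok[1])
            elif tok[0] == "dns-a-record":
                ctx["a_records"].append((tok[1], "static" in tok[2:]))
    return policies, zones


def opt_int(args, keyword):
    """Return the integer that follows keyword in args, or None."""
    if keyword in args:
        i = args.index(keyword) + 1
        if i < len(args) and args[i].isdigit():
            return int(args[i])
    return None


def lint(text):
    """Return a list of (scope, finding) tuples; an empty list means clean."""
    policies, zones = parse(text)
    findings = []
    for pname, pol in policies.items():
        dns = pol["dns"]
        if "server" in dns and "ip-replace" in dns:
            findings.append((pname, "server-with-ip-replace"))
        for (opt, kw), (low, high) in RANGES.items():
            val = opt_int(dns.get(opt, []), kw)
            if val is not None and not low <= val <= high:
                findings.append((pname, f"{opt}-{kw}-out-of-range"))
        for zname, zone in zones.items():
            if zone["policy"] != pname:
                continue
            if "sticky" in dns and zone["ttl"] is not None:
                minutes = opt_int(dns["sticky"], "aging-time")
                if minutes is None:
                    minutes = STICKY_DEFAULT_MINUTES
                if minutes * 60 < zone["ttl"]:
                    findings.append((zname, "sticky-shorter-than-zone-ttl"))
            if "server" in dns:
                for record, static in zone["a_records"]:
                    if not static:
                        findings.append(
                            (zname, f"server-mode-record-not-static:{record}"))
    return findings


if __name__ == "__main__":
    for scope, finding in lint(SAMPLE):
        print(f"{scope}: {finding}")
```

A zone with no explicit ttl line is skipped by the sticky check, because this page does not state the zone's default TTL.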

geo-location
Description

Configure a geographic location. GSLB forwards client requests from IP addresses within the location's range to the GSLB site that serves the location.

Syntax

[no] geo-location location-name start-ip-addr [mask ip-mask] [end-ip-addr]

Parameter      Description
location-name  Name of the location, up to 31 alphanumeric characters.
start-ip-addr  Beginning IP address for the range.
mask ip-mask   Network mask.
end-ip-addr    Ending IP address for the range.

Default

None.

Mode

GSLB Policy

Usage

To prefer the location configured with this command over a globally configured location, use the gslb policy geo-location match-first policy command. (See geo-location match-first on page 474.)


Example

The following example configures geographic location CN.BeiJing for IP address range 200.1.1.1 through 200.1.1.253:

AX(config gslb-policy)#geo-location CN.BeiJing 200.1.1.1 200.1.1.253

geo-location full-domain-share
Description

Enable full-domain checking for connection limits. When full-domain checking is enabled, the AX device checks the current connection count not only for the client's specific geo-location, but for all geo-locations higher up in the domain tree.

Syntax

[no] geo-location full-domain-tree

Default

Disabled. When a client requests a connection, the AX device checks the connection count only for the specific geo-location level of the client. If the connection limit for that specific geo-location level has not been reached, the client's connection is permitted.

Mode

GSLB Policy

Usage

When this option is enabled, the connection permit counter is incremented for all applicable levels of the domain tree, not just the domain level requested by the client. It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect.

geo-location match-first
Description

Configure the policy to prefer either the globally configured geo-location or the one configured in this policy. If a client IP address matches the IP ranges in a globally configured location and in a location configured in this policy, the geo-location match-first command specifies which matching geo-location to use.

Syntax

[no] geo-location match-first {global | policy}

Parameter  Description
global     GSLB prefers globally configured locations over locations configured in this policy.
policy     GSLB prefers locations configured in this policy over globally configured locations.

Default

global

Mode

GSLB Policy

Example

The following command configures the GSLB AX Series to prefer locations configured in this policy:

AX(config gslb-policy)#geo-location match-first policy

geo-location overlap
Description

Enable overlap matching mode. If there are overlapping addresses in the geo-location database, use this option to enable the AX device to find the most precise match.

Syntax

[no] geo-location overlap

Default

Disabled

Mode

GSLB Policy

geographic
Description

Enable or disable the geographic metric. The geographic metric prefers sites that are within the geographic location of the client.

Syntax

[no] geographic

Default

Enabled

Mode

GSLB Policy

Usage

You must configure the geographic location, by configuring a geo-location name, then assigning the geo-location to a GSLB site. To configure a geo-location, assign a client IP address range to a location name. (See gslb geo-location on page 432 and geo-location on page 473.) To assign the geo-location to a site, use the geo-location command at the site configuration level. (See gslb site on page 441.)

Example

The following command disables the geographic metric:

AX(config gslb-policy)#no geographic

health-check
Description

Enable or disable the health-check metric. The health-check metric prefers sites that pass their health checks.

Syntax

[no] health-check

Default

Enabled

Mode

GSLB Policy

Usage

This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices, if the default health checks are used on the service IPs.

If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the GSLB protocol is not used for any of the health checks. In this case, the GSLB protocol is not required to be enabled on the site AX devices, although use of the protocol is still recommended.

Example

The following command disables the health-check metric:

AX(config gslb-policy)#no health-check

ip-list
Description

Use an IP list to exclude a set of IP addresses from active-RTT polling.

Syntax

[no] gslb ip-list list-name

Default

None

Usage

To configure an IP list, see gslb ip-list on page 434.

Example

The following commands configure a GSLB IP list and use the list to exclude IP addresses from active-RTT data collection:

AX(config)#gslb ip-list iplist1
AX(config-gslb ip-list)#ip 192.168.1.0 /24 id 3
AX(config-gslb ip-list)#ip 10.10.10.10 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.20 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.30 /32 id 3
AX(config-gslb ip-list)#exit
AX(config)#gslb policy pol1
AX(config-gslb policy)#ip-list iplist1
AX(config-gslb policy)#active-rtt ignore-id 3

least-response
Description

Enable or disable the least-response metric, which prefers VIPs that have the fewest hits.

Syntax

[no] least-response

Default

Disabled

Mode

GSLB Policy

Usage

This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.

Example

The following command enables the least-response metric:

AX(config gslb-policy)#least-response

metric-fail-break
Description

Enable GSLB to stop if there are no valid service IPs.

Syntax

[no] metric-fail-break

Default

Disabled

Mode

GSLB Policy

metric-force-check
Description

Force the GSLB controller to always check all metrics in the policy.

Syntax

[no] metric-force-check

Default

By default, the GSLB controller stops evaluating metrics for a site once a metric comparison definitively selects or rejects a site.

Mode

GSLB Policy

metric-order
Description

Configure the order in which the GSLB metrics in this policy are used.

Syntax

[no] metric-order metric [metric ...]

Parameter          Description
metric [metric ...]  One or more of the following metrics:
                     active-rtt
                     active-servers
                     admin-preference
                     alias-admin-preference
                     bw-cost
                     capacity
                     connection-load
                     geographic
                     health-check
                     least-response
                     num-session
                     ordered-ip
                     passive-rtt
                     weighted-alias
                     weighted-ip
                     weighted-site

Default

By default, metrics are used in the following order:

1. weighted-ip
2. weighted-site
3. capacity
4. active-servers
5. passive-rtt
6. active-rtt
7. geographic
8. connection-load
9. num-session
10. admin-preference
11. bw-cost
12. least-response
13. ordered-ip
14. round-robin

The health-check, geographic and round-robin metrics are enabled by default. Metric order does not apply to the alias-admin-preference or weighted-alias metrics.

Mode

GSLB Policy

Usage

The first metric you specify with this command becomes the primary metric. If you specify additional parameters, they are used in the priority you specify. All remaining metrics are prioritized to follow the metrics you specify. For example, if you specify only the ordered-ip metric with the command, this metric becomes the first metric instead of the 13th metric. The health-check metric becomes the 2nd metric, weighted-ip becomes the 3rd metric, and so on.

The GSLB AX Series uses each metric, in the order specified, to compare the IP addresses returned in DNS replies to clients. If a metric is disabled, the metric order does not change. The GSLB AX Series skips the metric and continues to the next enabled metric. The round-robin metric cannot be re-ordered. To display the metric order used in a policy, see show gslb policy on page 562.

Example

The following command sets the ordered-ip metric as the highest-priority metric.

AX(config gslb-policy)#metric-order ordered-ip

num-session
Description

Configure the num-session metric, which evaluates a site based on available session capacity and tolerance threshold compared to another site. Sites that are at or below their thresholds of current available sessions are preferred over sites that are above their thresholds.

Example: Site A has 800,000 sessions available and Site B has 600,000 sessions available. The difference between the two sites is 200,000 available sessions. If num-session is set to 10, then Site A is preferred because 200,000 is larger than 10% of 800,000, which is 80,000.

Syntax

[no] num-session [tolerance num]

Parameter  Description
num        Number from 1 to 100 specifying the percentage by which the number of available sessions on site SLB devices can differ without causing the num-session metric to select one site device over another. (See the Usage description.)

Default

Disabled. When you enable the num-session metric, the default tolerance is 10 percent.

Mode

GSLB Policy

Usage

The GSLB AX Series considers site SLB devices to be equal if the difference in the number of available sessions on each device does not exceed the tolerance percentage. The tolerance percentage ensures that minor differences in available sessions do not cause frequent, unnecessary changes in site preference. This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.

Example

The following command changes the available-session tolerance threshold to 70 percent:

AX(config gslb-policy)#num-session tolerance 70

ordered-ip
Description

Configure the ordered-ip metric, which re-orders the IP addresses in DNS replies.

Syntax

[no] ordered-ip [top-only]

Parameter  Description
top-only   Returns only the first (top) IP address in the IP list. By default, GSLB sends all IP addresses in the list that are allowed by all higher-priority metrics in the policy.

Default

Disabled

Mode

GSLB Policy

Usage

The prioritized list is sent to the next metric for further evaluation. If ordered-ip is the last metric, the prioritized list is sent to the client. To configure the ordered list of IP addresses for a service, use the ip-order command at the service configuration level for the GSLB zone. See gslb zone on page 449.

Example

The following command enables the ordered-ip metric:

AX(config gslb-policy)#ordered-ip

passive-rtt
Description

Configure the passive round-trip time (RTT) metric. Passive RTT measures the round-trip time between when the site AX device receives a client's TCP connection (SYN) and the time when the site AX device receives acknowledgement (ACK) back from the client for the connection.

Syntax

[no] passive-rtt [difference num] [limit num] [samples num-samples] [tolerance num-percentage] [fail-break]

Parameter                 Description
difference num            Number from 0 to 1023 specifying the round-trip time difference.
limit num                 Number from 1 to 16383 specifying the RTT limit.
samples num-samples       Number of samples to collect, 1-8.
tolerance num-percentage  Specifies how much the RTT values of sites must differ in order for GSLB to prefer one site over the other based on passive RTT.
fail-break                Enables GSLB to stop if the configured RTT limit in a policy is reached. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
                          Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
                          Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default

Disabled. When you enable the passive RTT metric, it has the following default settings:

samples    5
tolerance  10 percent

Mode

GSLB Policy

Usage

Sites with faster passive round-trip times (RTTs) between a client and the site are preferred over sites with slower times. The passive RTT is the time between when the site AX device receives a client's TCP connection (SYN) and the time when the site AX device receives acknowledgement (ACK) back from the client for the connection. RTT measurements are taken for client addresses in each /24 subnet range.

Example: Site A's RTT value is 0.3 seconds and Site B's RTT value is 0.32 seconds. If the RTT tolerance is 10% then the two sites are treated as having the same RTT preference.

This metric requires the GSLB protocol to be enabled both on the GSLB controller and on the site AX devices.

Example

The following command enables the passive RTT metric:

AX(config gslb-policy)#passive-rtt

round-robin
Description

Configure the round-robin metric, which selects sites in sequential order.

Syntax

[no] round-robin

Default

Enabled

Mode

GSLB Policy

Usage

If all the enabled metrics in the policy result in a tie (do not definitively select a single site as the best site), the AX device uses round-robin to select a site. This is true even if the round-robin metric is disabled in the GSLB policy.

Note: If the last metric is ordered-ip, and round-robin is disabled, the prioritized list of IP addresses is sent to the client. Round-robin is not used.

Example

The following command disables the round-robin metric:

AX(config gslb-policy)#no round-robin
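
The metric-order, num-session, passive-rtt and round-robin descriptions above together define how a site is chosen: metrics run in order, a metric only decides when the difference exceeds its tolerance, and a full tie falls through to round-robin. The following Python model is an added example, not A10 code; it models only num-session and passive-rtt, assumes the tolerance is taken as a percentage of the best value (as in the 800,000-session example), and places health-check ahead of weighted-ip as the metric-order Usage text implies. The site names and dictionary keys are constructed for illustration.

```python
from itertools import count

# Default order from the metric-order text. Assumption: health-check sits
# ahead of weighted-ip, as the Usage example (it becomes 2nd) implies.
# round-robin is left out because it cannot be re-ordered.
DEFAULT_ORDER = [
    "health-check", "weighted-ip", "weighted-site", "capacity",
    "active-servers", "passive-rtt", "active-rtt", "geographic",
    "connection-load", "num-session", "admin-preference", "bw-cost",
    "least-response", "ordered-ip",
]


def effective_order(specified=(), enabled=None):
    """Metrics named in metric-order come first; the rest follow in default
    order. Disabled metrics are skipped without moving the others."""
    unknown = [m for m in specified if m not in DEFAULT_ORDER]
    if unknown:
        raise ValueError(f"cannot be ordered: {unknown}")
    order = list(dict.fromkeys(specified))
    order += [m for m in DEFAULT_ORDER if m not in order]
    return [m for m in order if enabled is None or m in enabled]


def within_tolerance(sites, key, tolerance_pct, higher_is_better):
    """Return the sites whose value is within tolerance_pct of the best one."""
    values = {name: site[key] for name, site in sites.items()}
    best = max(values.values()) if higher_is_better else min(values.values())
    margin = best * tolerance_pct / 100
    return [name for name, v in values.items() if abs(best - v) <= margin]


class Policy:
    # metric name -> (site attribute, True when a larger value is better)
    MODELLED = {"num-session": ("sessions_available", True),
                "passive-rtt": ("rtt_ms", False)}

    def __init__(self, metric_order=(), enabled=("num-session", "passive-rtt"),
                 num_session_tol=10, passive_rtt_tol=10):
        self.order = effective_order(metric_order, set(enabled))
        self.tolerance = {"num-session": num_session_tol,
                          "passive-rtt": passive_rtt_tol}
        self._rr = count()

    def select(self, sites):
        """Return (site name, name of the metric that decided)."""
        candidates = dict(sites)
        for metric in self.order:
            if metric not in self.MODELLED:
                continue                      # metric not modelled here
            key, higher = self.MODELLED[metric]
            keep = within_tolerance(candidates, key,
                                    self.tolerance[metric], higher)
            candidates = {name: candidates[name] for name in keep}
            if len(candidates) == 1:
                return keep[0], metric
        # Every enabled metric tied: round-robin picks, even if disabled.
        names = sorted(candidates)
        return names[next(self._rr) % len(names)], "round-robin"


# The two worked examples from the text: 800,000 vs 600,000 available
# sessions, and RTTs of 0.3 s vs 0.32 s (stored here in milliseconds).
SITES = {"A": {"sessions_available": 800_000, "rtt_ms": 300},
         "B": {"sessions_available": 600_000, "rtt_ms": 320}}

if __name__ == "__main__":
    print(effective_order(["ordered-ip"])[:3])
    print(Policy().select(SITES))
    print(Policy(num_session_tol=70).select(SITES))
```

With the page's tolerance of 70 from the num-session example command, the 200,000-session gap no longer decides and successive queries alternate between the two sites.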

weighted-alias
Description

Enable the Weighted Alias metric, which prefers CNAME records with higher weight values over CNAME records with lower weight values. This metric is similar to Weighted-IP, but applies only to DNS CNAME records.

Syntax

[no] weighted-alias

Default

Disabled

Mode

GSLB Policy

Usage

Metric order does not apply to this metric. To configure the Weighted Alias metric:

1. At the configuration level for the GSLB service, use the weight command to assign a weight to the DNS CNAME record for the service. (See gslb service-ip on page 438.)
2. At the configuration level for the GSLB policy:
   Enable the Weighted Alias metric.
   Enable one or both of the following DNS options, as applicable to your deployment:
      DNS backup-alias
      DNS geoloc-alias
   (See dns on page 466.)
3. If using the backup-alias option, use the dns-cname-record as-backup option on the service. (See gslb service-ip on page 438.)

weighted-ip
Description

Configure the weighted-ip metric, which uses service IP addresses with higher weight values more often than addresses with lower weight values.

Syntax

[no] weighted-ip [total-hits]

Parameter   Description
total-hits  First sends requests to the service IP addresses that have fewer hits. After all service IP addresses have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.

Default

Disabled

Mode

GSLB Policy

Usage

As a simple example, assume that the weighted-ip metric is the only enabled metric, or at least always ends up being the tie breaker. The total-hits option is disabled. IP address 10.10.10.1 has weight 4 and IP address 10.10.10.2 has weight 2. During a given session aging period, the first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so on (4 to 10.10.10.1, then 2 to 10.10.10.2).

Here is an example using the same two servers and weights, with the total-hits option enabled. IP address 10.10.10.1 has weight 4 and total hits 8, and IP address 10.10.10.2 has weight 2 and total hits 0. In this case, the first 4 requests go to 10.10.10.2, then the requests are distributed according to weight. Four requests go to 10.10.10.1, then two requests go to 10.10.10.2, and so on.

To display the total hits for a service IP address, use the show gslb service-ip command. (See show gslb service-ip on page 572.)

To assign a weight to a service IP address, use the following command at the configuration level for the zone service:

dns-a-record name weight num

Example

The following command disables the weighted-ip metric:

AX(config gslb-policy)#no weighted-ip

weighted-site
Description

Configure the weighted-site metric, which uses sites with higher weight values more often than sites with lower weight values.

Syntax

[no] weighted-site [total-hits]

Parameter   Description
total-hits  First sends requests to the sites that have fewer hits. After all service sites have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.

Default

Disabled. When you enable the weighted-site metric, the default weight of each site is 1.

Mode

GSLB Policy

Usage

As a simple example, assume that the weighted-site metric is the only enabled metric, or at least always ends up being the tie breaker. Site A has weight 4 and site B has weight 2. During a given session aging period, the first 4 requests go to site A, the next 2 requests go to site B, and so on (4 to A, then 2 to B).

Here is an example using the same two sites and weights, with the total-hits option enabled. Site A has weight 4 with total hits 8, and site B has weight 2 with total hits 0. In this case, the first 4 requests go to site B, then requests are sent as described above. Four requests go to site A, then 2 requests go to site B, and so on.

To assign a weight to a site, use the following command at the configuration level for the site:

weight num

Example

The following command disables the weighted-site metric:

AX(config gslb-policy)#no weighted-site

Config Commands: Firewall Load Balancing


The commands in this chapter configure Firewall Load Balancing (FWLB) parameters. In some cases, the commands create an FWLB configuration item and change the CLI to the configuration level for that item.

fwlb node
Description

Configure a firewall.

Syntax

[no] fwlb node fwall-name [ipaddr]

Parameter   Description
fwall-name  Firewall name, 1-63 characters.
ipaddr      IP address of the firewall, in either IPv4 or IPv6 format. The address is required only if you are creating a new firewall.

This command changes the CLI to the configuration level for the firewall, where the following FWLB-related commands are available:

Command                                 Description
[no] disable                            Disables load balancing of traffic to the firewall.
[no] health-check monitor-name          Enables health checking of the firewall path. The path through the firewall to the AX Series on the other side of the firewall is checked.
                                        monitor-name: Name of a configured health monitor. The monitor must use the ICMP method and the transparent option. (See method on page 496.)
stats-data-disable | stats-data-enable  Disable or enable statistical data collection for the firewall node.

Default

No firewalls are configured by default. When you create a firewall, it is enabled by default. No health monitor is assigned by default. Statistical data collection of load-balancing resources is enabled by default.

Mode

Configuration mode

Usage

The normal form of this command creates a new or edits an existing firewall. The CLI changes to the configuration level for the firewall. The IP address of the firewall can be in either IPv4 or IPv6 format. The AX Series recognizes both address formats. The no form of this command removes an existing firewall.

To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on page 159.)

Example

The following command creates a new firewall named fw1 with an IPv4 address:

AX(config)#fwlb node fw1 10.10.20.44
AX(config-firewall node)#

Example

The following command creates a new firewall named fw2 with an IPv6 address:

AX(config)#fwlb node fw2 2001:db8::9
AX(config-firewall node)#

fwlb service-group
Description

Configure an FWLB service group.

Syntax

[no] fwlb service-group group-name

Parameter   Description
group-name  Name of the group, 1-63 characters.

This command changes the CLI to the configuration level for the firewall group, where the following FWLB-related commands are available:

Command                                 Description
[no] member fwall-name [priority num]   Adds the specified firewall to the firewall service group. The priority num option specifies the priority of the firewall. This option enables you to establish a set of primary firewalls (high priority) and backup firewalls (low priority). When priorities are assigned to firewall nodes, the AX device always uses the firewalls with the highest priority when available, and uses those with lower priorities only if the firewalls with the highest priority are unavailable. The priority can be 1-10. The default is 1.
stats-data-disable | stats-data-enable  Disable or enable statistical data collection for the firewall service group.
[no] method least-connection            Uses the least-connection load-balancing method instead of the round robin method. Round robin selects firewalls in rotation. Least-connection selects the firewall that currently has the fewest connections.

Default

There are no firewall service groups configured by default. When you create one, it contains no members and the default load-balancing method is round robin. Statistical data collection of load-balancing resources is enabled by default.

Mode

Configuration mode

Usage

The normal form of this command creates a new or edits an existing firewall group. The CLI changes to the configuration level for the group. The firewall nodes must already be configured. To configure a firewall node, see fwlb node on page 487.

P e r f o r m a n c e

D e s i g n Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010

b y

489 of 722

AX Series - Command Line Interface - Reference


fwlb virtual-firewall To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on page 159.) Example The following example configures firewall group fwsg and adds firewalls fw1 and fw2 to it:

AX(config)#fwlb service-group fwsg AX(config-fwlb service group)#member fw1 AX(config-fwlb service group)#member fw2

fwlb virtual-firewall

Description

Configure a virtual firewall.

Syntax

[no] fwlb virtual-firewall default

Parameter    Description
default      The virtual firewall name. (In the current release, this is the only name that is supported.)

This command changes the CLI to the configuration level for the virtual firewall, where the following FWLB-related commands are available:

[no] disable

Disables the virtual firewall. This disables FWLB.

[no] ha-conn-mirror

Enables session synchronization (connection mirroring) for sessions through the virtual firewall.

[no] ha-group group-num

Specifies the HA group ID.

[no] port portnumber {tcp | udp}

Specifies a service port that is being protected by the firewall. This is the virtual port configured on the VIP in the SLB configuration. (This command is optional. See Usage below.)

This command changes the CLI to the configuration level for the virtual port, where the following FWLB-related commands are available:

    disable

    Disables the virtual port.

    enable

    Enables the virtual port.

    [no] ha-conn-mirror

    Enables session synchronization (connection mirroring) for sessions through the virtual port.

    [no] idle-timeout seconds

    Sets the TCP/UDP idle timeout on an individual virtual firewall port, 60-15000 seconds (a little over 4 hours).

    [no] service-group group-name

    Binds the virtual port to the specified FWLB service group. If you specify a firewall group at this level, the firewall group specified here takes precedence over the firewall group specified at the firewall level.

    stats-data-disable | stats-data-enable

    Disables or enables statistical data collection for the virtual port.

    [no] template persist source-ip template-name

    Uses a configured source-IP persistence template to send all traffic from a given source address to the same firewall. If a source-IP persistence template also is specified at the firewall level, the template at the individual port level overrides the other template, for this service port.

[no] service-group group-name

Binds the virtual firewall to the specified firewall service group.

stats-data-disable | stats-data-enable

Disables or enables statistical data collection for the virtual firewall.

[no] tcp-idle-timeout seconds

Specifies how long a TCP session through the firewall can remain idle before timing out, 60-15000 seconds. (But see Usage below.)

[no] template persist source-ip template-name

Uses a configured source-IP persistence template to send all traffic from a given source address to the same firewall. You also can specify a source-IP persistence template on individual service ports. If you specify a template at each level, the template specified for the individual service port takes precedence.

Note: Setting the match-type option in source-IP persistence templates is not applicable to FWLB. The match type for FWLB is always server, which sets the granularity of source-IP persistence to individual firewalls, not firewall groups or individual service ports.

[no] udp-idle-timeout seconds

Specifies how long a UDP session through the firewall can remain idle before timing out, 60-15000 seconds. (But see Usage below.)

Default

No virtual firewalls are configured by default. When you create one, it is enabled by default and has the following default settings:

- ha-conn-mirror: disabled
- ha-group: not set
- service-group: not set
- port: none configured; when you configure a virtual port, it has the following default settings:
    - enable | disable: enabled
    - ha-conn-mirror: disabled
    - idle-timeout: 300 seconds
    - service-group: not set
    - stats-data-disable | stats-data-enable: enabled (stats-data-enable)
    - template: not set
- stats-data-disable | stats-data-enable: enabled (stats-data-enable)
- tcp-idle-timeout: 300 seconds
- template: not set
- udp-idle-timeout: 300 seconds

Mode

Configuration mode

Usage

The normal form of this command creates a virtual firewall. The no form of this command removes an existing virtual firewall.

The port command is optional. To apply FWLB to all traffic types, do not configure any virtual ports on the virtual firewall. To apply FWLB only to traffic for specific services, create a virtual port for each service.

Session Idle Timeout

By default, the AX device allows TCP or UDP connections through a firewall to be idle for 300 seconds (5 minutes). The idle timeout for a TCP or UDP session through a firewall is determined as follows:

- For service-type UDP (Layer 4), if the idle-timeout is set on the virtual firewall or the UDP virtual firewall port, that idle-timeout is used. Otherwise, if the UDP idle-timeout is not set in FWLB, the idle-timeout in the default SLB UDP template is used. Unless the default template has been changed, the idle-timeout is 120 seconds.
- For service-type TCP (Layer 4), the idle-timeout in the default SLB TCP template is used. Unless the default template has been changed, the idle-timeout is 120 seconds.
- For service-type HTTP (Layer 7), the idle-timeout in the default SLB TCP-proxy template is used. Unless the default template has been changed, the idle-timeout is 600 seconds.

Note: In the current release, the TCP idle-timeout settings in FWLB are never used. The AX device allows you to configure them but they are not used.

Statistical Data Collection

To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See "stats-data-enable" on page 159.)

Example

The following commands configure a virtual firewall:

AX(config)#fwlb virtual-firewall default
AX(config-fwlb vfw)#ha-group 1
AX(config-fwlb vfw)#port 80 tcp
AX(config-fwlb vfw-vport)#service-group fwsg
AX(config-fwlb vfw-vport)#ha-conn-mirror


Config Commands: SLB Health Monitors


The commands in this chapter configure SLB health monitors. To access this configuration level, enter the health monitor monitor-name command at the global config level.

For more information about health monitors, see the "Health Monitoring" chapter of the AX Series Configuration Guide.

This CLI level also has the following commands, which are available at all configuration levels:

- clear: See "clear" on page 50.
- debug: See "debug" on page 53.
- do: See "do" on page 103.
- end: See "end" on page 107.
- exit: See "exit" on page 108.
- no: See "no" on page 134.
- show: See "Show Commands" on page 527.
- write: See "write terminal" on page 67.

disable-after-down

Description

Disable the target of a health check if the target fails the health check.

Syntax

[no] disable-after-down

Default

Disabled

Mode

Health monitor configuration

Usage

This command applies to all servers, ports, or service groups that use the health monitor. When a server, port, or service group is disabled based on this command, the server, port, or service group's state is changed to disable in the running-config. If you save the configuration while the server, port, or service group is disabled, the state change is written to the startup-config.

The server, port, or service group remains disabled until you explicitly enable it.

method

Description

Configure a health method.

Syntax

[no] method method-options

The method-options can be one of the following:

compound sub monitor-name [sub monitor-name ...] Boolean-operators

Configures a compound health monitor. A compound health monitor consists of a set of health monitors joined in a Boolean expression (AND / OR / NOT). For more information, see the "Compound Health Monitors" section in the "Health Monitoring" chapter of the AX Series Configuration Guide.

dns {ipaddr | domain domainname} [options]

Sends a lookup request to the specified port number for the specified domain name. By default, expects reply with code 0. You can specify a domain name or a server IP address as the target of the health check. You also can configure the following options:

    expect response-code code-list

    Specifies a list of response codes, in the range 0-15, that are valid responses to a health check. The DNS server can respond with any of the expected response codes. By default, the expect list is empty, in which case the AX device expects status code 0 (No error condition).

    port port-num

    Specifies the protocol port number on which the DNS server listens for DNS queries. Use this option if the server is not using the default DNS port, 53.

    recurse {enabled | disabled}

    Specifies whether the tested DNS server is allowed to send the health check's request to another DNS server if the tested server cannot fulfill the request using its own database. Recursion is enabled by default.

    type {A | CNAME | SOA | PTR | MX | TXT | AAAA}

    For health checks sent to a domain name, specifies the record type the responding server is expected to send in reply to health checks. You can specify one of the following record types:

    - A: IPv4 address record
    - CNAME: Canonical name record for a DNS alias
    - SOA: Start of authority record
    - PTR: Pointer record for a domain name
    - MX: Mail Exchanger record
    - TXT: Text string
    - AAAA: IPv6 address record

    By default, the AX device expects the DNS server to respond to the health check with an A record.

external [port port-num] program program-name [arguments argumentstring]

Runs an external program (for example, a Tcl script) and bases the health status on the outcome of the program. See Usage below for more information on health check using an external program.

ftp [[username name password string] port port-num]

Sends an FTP login request to the specified port. Expects OK message, or Password message followed by OK message. Unless you use anonymous login, the username and password must be specified in the health check configuration.

http [options]

Sends an HTTP request to the specified TCP port and URL. Expects OK message (200). You can specify the following options:

    expect {string | response-code code-list}

    Specifies a response code or string expected from the server, in which case this value is also expected. To specify a range of response codes, use a dash ( - ) between the low and high numbers of the range. Use commas to delimit individual code numbers or separate ranges. By default, the AX device expects response code 200 (OK).

    maintenance-code code-list

    Specifies a response code that indicates the server needs to be placed into maintenance mode. If the AX device receives the specified status code in response to a health check, the AX device changes the server's health status to Maintenance. When a server's health status is Maintenance, the server will accept new requests on existing cookie-persistent or source-IP persistent connections, but will not accept any other requests.

    To leave maintenance mode, the server must do one of the following:

    - Successfully reply to a health check by sending the expected string or response code, but without including the maintenance code. In this case, the server's health status changes to Up.
    - Fail a health check. In this case, the server's status changes to Down.

    The Maintenance health status applies to server ports and service-group members. When a port's status changes to Maintenance, this change applies to all service-group members that use the port.

    Note: The expect maintenance-code option applies only to servers in cookie-persistence or source-IP persistence configurations, and can be used only for HTTP and HTTPS ports.

    host {ipv4-addr | ipv6-addr | domain-name} [:port-num]

    Replaces the information in the Host field of the request sent to the real server. By default, the real server's IP address is placed in the field.

    port port-num

    Specifies the protocol port on which the server listens for HTTP traffic. Use this option if the server does not use the default HTTP port, 80.

    url string

    Specifies the request type and the page (url-path) to which to send the request. By default, GET requests are sent for "/", the index.html page. You can specify one of the following:

    - GET url-path
    - HEAD url-path
    - POST url-path postdata string
    - POST / postfile filename

    Note: In a postdata string, use "=" between a field name and the value you are posting to it. If you post to multiple fields, use "&" between the fields. For example: postdata fieldname1=value&fieldname1=value. The string can be up to 255 bytes long. To use POST data longer than 255 bytes, you must import a POST data file and use the POST / postfile filename option. (See "health postfile" on page 113.)

    username name

    Specifies the username required for HTTP access to the server. Unless anonymous login is used, the username must be specified.

https [options]

Similar to an HTTP health check, except SSL is used to secure the connection. The default port is 443.

icmp [transparent ipaddr]

Sends an ICMP echo request to the server. Expects ICMP echo reply message. The transparent ipaddr option applies only to specific configurations, where the health check must check the path through a device:

- In DSR, the ipaddr specifies the virtual IP address.
- In FWLB, the ipaddr specifies the IP address of the AX device on the other side of the firewall, or the floating IP address of the HA group on the other side of the firewall.

ldap [port port-num] [binddn name password string] [overssl]

Sends an LDAP Bind request. Expects reply containing result code 0. The binddn option specifies the Distinguished Name and the password option specifies the password for the Distinguished Name. The overssl option uses SSL (TLS) for the health check.

ntp

Sends an NTP client message to UDP port 123. Expects a standard NTP 48-byte reply packet.

pop3 port port-num username name password string

Sends a POP3 user login request with the specified username and password. Expects reply with OK message.

radius port port-num secret string username name password string

Sends a Password Authentication Protocol (PAP) request to the specified port to authenticate the specified username. Expects Access Accepted message (reply code 2). The secret option specifies the shared secret required by the RADIUS server.

rtsp port port-num rtspurl string

Sends a request to the specified port for information about the file specified by rtspurl. Expects reply with information about the specified file.

sip [register [port port-num]] [tcp]

Sends a SIP request to the SIP port. Expects 200 OK in response. The request is an OPTIONS request, unless you use the register option to send a REGISTER request instead. The tcp option configures the health method for SIP over TCP/TLS. Without this option, the health method is for SIP over UDP.

smtp port port-num domain domainname

Sends an SMTP Hello message to the specified server in the specified domain. Expects reply with OK message (reply code 250).

snmp [port port-num] [community string] [oid oid-name] [operation {get | getnext}]

Sends an SNMP Get or Get Next request to the specified OID, from the specified community. Expects reply with the value of the OID. The OID can be sysDescr, sysUpTime, sysName, or another name in ASN.1 style.

tcp port port-num [halfopen]

Sends a connection request (TCP SYN) to the specified TCP port on the server. Expects TCP SYN ACK in reply. By default, the AX Series responds to the SYN ACK by sending an ACK. To configure the AX Series to send a RST (Reset) instead, use the halfopen option.

udp port port-num

Sends a packet with a valid UDP header and a garbage payload to the specified UDP port on the server. Expects either of the following:

- The server replies from the specified UDP port, with any type of packet.
- The server does not reply at all.

The server fails the health check only if the server replies with an ICMP Error message.

Default

The configuration has a default "ping" health monitor that uses the icmp method. The AX device applies the ping monitor by default. The AX device also applies the TCP or UDP health monitor by default, depending on the port type. These default monitors are used even if you also apply configured monitors to a service port. To use differently configured ping or TCP/UDP monitors, configure new monitors with the ICMP, TCP, or UDP method and apply those monitors instead.

When specifying a protocol port number, specify the port number on the real server, not the port number of the virtual port. By default, the well-known port number for the service type of the health monitor is used. For example, for LDAP, the default port is 389 (or 636 if the overssl option is used).

If you specify the protocol port number in the health monitor, the protocol port number configured in the health monitor is used if you send an on-demand health check to a server without specifying the protocol port. (See "health-test" on page 43.)

After you bind the health monitor to a real server port, health checks using the monitor are addressed to the real server port number instead of the port number specified in the health monitor's configuration. In this case, you can override the IP address or port using the override commands described later in this chapter.

Mode

Health monitor configuration

Usage

To use a health method, you must do the following:

1. Configure a health monitor, by assigning a name to it and by assigning one of the health methods listed above to it.
   - Use the health monitor command at the global Config level to create and name the monitor. (See "health monitor" on page 112.)
   - Use the method command at the monitor configuration level to assign a health method to the monitor.
   Note: To configure a health monitor that uses a script, use the health external command to create it, instead of using the health monitor command. (See "health external" on page 109 and the external health check example below.)
2. Apply the health monitor to a real server or real server port, using the health-check command at the configuration level for the server or the server port.
   - Apply monitors that use the ICMP method to real servers. (See "health-check" on page 384.)
   - Apply monitors that use any of the other types of methods to individual server ports. (See "port" on page 385.)

Example

The following commands apply health monitor ping to server rs0. The ping monitor is included in the AX Series device's configuration by default, so you do not need to configure it.

AX(config)#slb server rs0 10.2.3.4
AX(config-real server)#health-check ping

Example

The following commands configure health monitor hm1 to use the TCP health method, and apply the monitor to a TCP port on real server rs1. The TCP health checks are sent to TCP port 23 on the server.

AX(config)#health monitor hm1
AX(config-health:monitor)#method tcp port 23
AX(config-health:monitor)#exit
AX(config)#slb server rs1 1.1.1.1
AX(config-real server)#port 23 TCP
AX(config-real server-node port)#health-check hm1

Example

The following commands configure health monitor hm2 and set it to use the HTTP method. The health monitor is applied to port 80 on real server rs1.

AX(config)#health monitor hm2
AX(config-health:monitor)#method http
AX(config-health:monitor)#exit
AX(config)#slb server rs1 2.2.2.2
AX(config-real server)#port 80 http
AX(config-real server-node port)#health-check hm2

Example

External Health Check Example

Besides internal health checks, which use a predefined health check method, you can use external health checks. The following types of scripts are supported:

- Perl
- Shell
- Tcl

Utility commands such as ping, ping6, wget, dig, and so on are supported.

For Tcl scripts, the health check parameters are transmitted to the script through the predefined Tcl array ax_env. The array variable ax_env(ServerHost) is the server IP address and ax_env(ServerPort) is the server port number. Set ax_env(Result) to 0 for pass; any other value means fail. Tcl script filenames must use the ".tcl" extension.

To use the external method, you must import the program onto the AX Series device. The script execution result indicates the server status, which must be stored in ax_env(Result).

The following commands import external program "ext.tcl" from FTP server 192.168.0.1, and configure external health method hm3 to use the imported program to check the health of port 80 on the real server:

AX(config)#health external import "checking HTTP server" ftp://192.168.0.1/ext.tcl
AX(config)#health monitor hm3
AX(config-health:monitor)#method external port 80 program ext.tcl

Here is the ext.tcl file:

# Init server status to "DOWN"
set ax_env(Result) 1

# Open a socket to the server address and port passed in through ax_env
if {[catch {socket $ax_env(ServerHost) $ax_env(ServerPort)} sock]} {
    puts stderr "$ax_env(ServerHost): $sock"
} else {
    fconfigure $sock -buffering none -eofchar {}

    # Send the request
    puts $sock "GET /1.html HTTP/1.0\n"

    # Wait for the response from http server
    set line [read $sock]

    if { [ regexp "HTTP/1.. (\[0-9\]+) " $line match status] } {
        puts "server $ax_env(ServerHost) response : $status"

        # Check exit code
        if { $status == 200 } {
            # Set server to be "UP"
            set ax_env(Result) 0
        }
    }
    close $sock
}

For additional information and more examples, see the External Health Method Examples section in the Health Monitoring chapter of the AX Series Configuration Guide.


override-ipv4

Description

Send the health check to a specific IPv4 address, instead of sending the health check to the IP address of the real server or GSLB service IP to which the health monitor is bound.

This command and the other override commands are particularly useful for testing the health of remote links.

Syntax

[no] override-ipv4 ipaddr

Default

By default, a health check is addressed to the real server IP address of the server to which the health monitor is bound.

Mode

Health monitor configuration

Example

The following commands configure a health monitor to check 192.168.1.1:

AX(config)#health monitor site1-hm
AX(config-health:monitor)#method icmp
AX(config-health:monitor)#override-ipv4 192.168.1.1

override-ipv6

Description

Send the health check to a specific IPv6 address, instead of sending the health check to the IP address of the real server to which the health monitor is bound.

Syntax

[no] override-ipv6 ipv6addr

Default

By default, a health check is addressed to the real server IP address of the server to which the health monitor is bound.

Mode

Health monitor configuration

Example

The following commands configure a health monitor to check 2001:db8::1521:31ab:

AX(config)#health monitor site2-hm
AX(config-health:monitor)#method icmp
AX(config-health:monitor)#override-ipv6 2001:db8::1521:31ab

override-port

Description

Send the health check to a specific protocol port, instead of sending the health check to the server port to which the health monitor is bound.

Syntax

[no] override-port port-num

Default

By default, a health check is addressed to the protocol port number to which the health monitor is bound.

Mode

Health monitor configuration

Example

The following commands configure a health monitor to check port 8081 on 192.168.1.1:

AX(config)#health monitor site3-hm
AX(config-health:monitor)#method http
AX(config-health:monitor)#override-ipv4 192.168.1.1
AX(config-health:monitor)#override-port 8081

strictly-retry-on-server-error-response

Description

Force the AX device to wait until all retries are unsuccessful before marking a server or port Down.

Syntax

[no] strictly-retry-on-server-error-response

Default

Disabled. For some health method types, the AX device marks the server or port Down after the first failed health check attempt, even if the retries option for the health monitor is set to higher than 0.

Mode

Health monitor configuration

Usage

This command is applicable only to some types of health monitors, such as HTTP health monitors. For example, this command applies to HTTP health monitors that expect a string in the server reply. By default, if the server's HTTP port does not reply to the first health check attempt with the expected string, the AX device immediately marks the port Down.

Example

The following commands configure an HTTP health monitor that checks for the presence of "testpage.html", and enable strict retries for the monitor.

AX(config)#health monitor http-exhaust
AX(config-health:monitor)#method http url GET /testpage.html
AX(config-health:monitor)#strictly-retry-on-server-error-response
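The outcome rules described for the http method (expect code lists, maintenance-code) and for strictly-retry-on-server-error-response can be modeled in a few lines of Python. This is an added example, not A10 code and not part of the original manual; the class and function names, the retries field, and the restriction of code lists to HTTP status codes 100-599 are assumptions, and "all retries unsuccessful" is taken to mean the first attempt plus retries consecutive failed replies.

```python
"""Model of the HTTP health-method outcome rules. Added example, not A10 code."""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Optional

UP, DOWN, MAINTENANCE = "Up", "Down", "Maintenance"


def parse_code_list(text: str) -> FrozenSet[int]:
    """Parse a code-list such as "200-204,301": dash = range, comma = separator."""
    codes = set()
    for part in text.split(","):
        low, dash, high = part.strip().partition("-")
        if not low.isdigit() or (dash and not high.isdigit()):
            raise ValueError(f"malformed item {part!r} in code-list {text!r}")
        first, last = int(low), int(high) if dash else int(low)
        # Assumption: only valid HTTP status codes (100-599) make sense here.
        if not 100 <= first <= last <= 599:
            raise ValueError(f"status range {part!r} is empty or out of bounds")
        codes.update(range(first, last + 1))
    return frozenset(codes)


@dataclass
class HttpHealthMonitor:
    """Tracks the health status of one server port from the replies it sends."""
    expect_codes: FrozenSet[int] = frozenset({200})   # page default: 200 (OK)
    expect_string: Optional[str] = None               # "expect string" form
    maintenance_codes: FrozenSet[int] = frozenset()   # "maintenance-code code-list"
    retries: int = 0             # hypothetical name for the monitor's retries option
    strict_retry: bool = False   # strictly-retry-on-server-error-response
    status: str = UP
    failures: int = field(default=0, repr=False)      # consecutive failed replies

    def classify(self, code: int, body: str = "") -> str:
        """Outcome of a single reply, ignoring retry handling."""
        # A maintenance code wins even if the same code is in the expect list:
        # leaving maintenance requires a passing reply *without* that code.
        if code in self.maintenance_codes:
            return MAINTENANCE
        if self.expect_string is not None:
            passed = self.expect_string in body
        else:
            passed = code in self.expect_codes
        return UP if passed else DOWN

    def observe(self, code: int, body: str = "") -> str:
        """Apply one reply and return the resulting health status."""
        outcome = self.classify(code, body)
        if outcome != DOWN:
            self.failures = 0
            self.status = outcome
            return self.status
        self.failures += 1
        # Default behaviour: the first failed reply marks the port Down even
        # when retries > 0. With strict retries, every retry must fail first.
        tolerated = self.retries if self.strict_retry else 0
        if self.failures > tolerated:
            self.status = DOWN
        return self.status


def replay(monitor: HttpHealthMonitor, codes: Iterable[int]) -> List[str]:
    """Feed a sequence of reply codes to the monitor; return the status after each."""
    return [monitor.observe(code) for code in codes]


if __name__ == "__main__":
    # Constructed reply sequence: healthy, drained for maintenance, back, broken.
    monitor = HttpHealthMonitor(expect_codes=parse_code_list("200-204,301"),
                                maintenance_codes=parse_code_list("503"))
    for code, status in zip([200, 503, 503, 204, 500],
                            replay(monitor, [200, 503, 503, 204, 500])):
        print(code, "->", status)
```

Replaying recorded reply codes through the model before changing an expect list shows whether an error code the list would accept keeps a failing server in rotation.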


Config Commands: High Availability


The commands in this chapter configure global High Availability (HA) parameters. (Also see "floating-ip" on page 108.)

Note: This chapter provides reference information for individual commands. For information about how HA works and how to configure it, see the AX Series Configuration Guide.

This CLI level also has the following commands, which are available at all configuration levels:

- backup: See "backup config" on page 39 and "backup log" on page 40.
- clear: See "clear" on page 50.
- debug: See "debug" on page 53.
- do: See "do" on page 103.
- end: See "end" on page 107.
- exit: See "exit" on page 108.
- no: See "no" on page 134.
- show: See "Show Commands" on page 527.
- write: See "write terminal" on page 67.

ha arp-retry

Description

Change the number of additional gratuitous ARPs, in addition to the first one, that an AX device sends after transitioning from Standby to Active in an HA configuration. These ARPs are sent at intervals of 500 milliseconds.

Syntax

[no] ha arp-retry num

Parameter    Description
num          Specifies the number of additional gratuitous ARPs to send, after sending the first one. You can specify 1-255.

Default

The AX device sends 4 additional gratuitous ARPs by default, for a total of 5.

Mode

Configuration mode

Example

The following command increases the number of additional gratuitous ARPs to 9, for a total of 10 ARPs:

AX(config)#ha arp-retry 9

ha check gateway

Description

Configure an AX device to detect the status of its gateway routers, and change HA status based on gateway status changes.

Syntax

[no] ha check gateway ipaddr

Parameter    Description
ipaddr       IP address of the gateway.

Default

Not set

Mode

Configuration mode

Usage

This feature uses health monitors to check the availability of the gateways. If any of the active AX device's gateways fails a health check, the AX device changes its HA status to Down. If the HA status of the other AX device is higher than Down, a failover occurs.

Likewise, if the gateway becomes available again and all gateways pass their health checks, the AX device recalculates its HA status according to the HA interface counts. If the new HA status of the AX device is higher than the other AX device's HA status, a failover occurs.

Configuration of gateway-based failover requires the following steps:

1. Configure a health monitor that uses the ICMP method. (See "health monitor" on page 112.)
2. Configure the gateway as an SLB real server and apply the ICMP health monitor to the server. (See "method" on page 496.)
3. Enable HA checking for the gateway, using the command described in this section.

Example

The following commands configure gateway-based failover for gateway 10.10.10.1:

AX(config)#health monitor gatewayhm1
AX(config-health:monitor)#method icmp
AX(config-health:monitor)#exit
AX(config)#slb server gateway1 10.10.10.1
AX(config-real server)#health-check gatewayhm1
AX(config-real server)#exit
AX(config)#ha check gateway 10.10.10.1

ha check route
Description
Reduces the HA priority of all HA groups on the AX device, if the specified route is missing from the IPv4 or IPv6 route table.

Syntax
For IPv4 routes:
[no] ha check route destination-ipaddr /mask-length priority-cost weight [gateway ipaddr] [protocol {static | dynamic}] [distance num]

For IPv6 routes:
[no] ha check route destination-ipv6addr/mask-length priority-cost weight [gateway ipv6addr] [protocol {static | dynamic}] [distance num]

Parameter                          Description
destination-ipaddr /mask-length    Specifies the destination IPv4 subnet of the route.
destination-ipv6addr/mask-length   Specifies the destination IPv6 address of the route.
priority-cost weight               Specifies the value to subtract from the HA priority of each HA group, if the IP route table does not have a route to the destination subnet.
gateway ipaddr                     Specifies the next-hop gateway for the route.
protocol {static | dynamic}        Specifies the source of the route:
                                   static - The route was added by an administrator.
                                   dynamic - The route was added by a routing protocol. (This includes redistributed routes.)
distance num                       Specifies the metric value (cost) of the route.

Default
None

Mode
Configuration mode

Usage
This feature applies only to routes in the data route table. The feature does not apply to routes in the management route table.

For failover to occur due to HA priority changes, the HA pre-emption option must be enabled.

You can configure this option for up to 100 IPv4 routes and up to 100 IPv6 routes. This option is valid for all types of IP routes supported in this release (static and OSPF).

If the priority of an HA group falls below the priority for the same group on the other AX device in an HA pair, a failover can be triggered.

Omitting an optional parameter matches on all routes. For example, if you do not specify the next-hop gateway, routes that match based on the other parameters can have any next-hop gateway.

Example

The following command configures HA route awareness for a default IPv4 route. If this route is not in the IP route table, 255 is subtracted from the HA priority of all HA groups.

AX(config)#ha check route 0.0.0.0 /0 priority-cost 255

Note: The lowest possible HA priority value is 1. Subtracting 255 sets the HA priority value to 1, regardless of the original priority value.

Example
The following command configures HA route awareness for a dynamic route to subnet 10.10.10.x with route cost 10. If the IP route table does not have a dynamic route to this destination with the specified cost, 10 is subtracted from the HA priority value for each HA group.

AX(config)#ha check route 10.10.10.0 /24 priority-cost 10 protocol dynamic distance 10

Example
The following commands configure HA route awareness for an IPv6 route to 3000::/64. Based on the combination of these commands, if the IPv6 route table does not contain any routes to the destination, 105 is subtracted from the HA priority of each HA group. If the IPv6 route table does contain a static route to the destination, but the next-hop gateway is not 2001::1, the AX device subtracts only 5 from the HA priority of each HA group.

AX(config)#ha check route 3000::/64 priority-cost 100
AX(config)#ha check route 3000::/64 priority-cost 5 protocol static gateway 2001::1
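The matching rules described for ha check route can be checked offline before a change is applied. The following Python model is an added example, not A10 code: it parses the commands as typed in the examples above and computes the resulting HA priority. The names Route, RouteCheck, parse_check and ha_priority, and the configured priority values used with them, are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

MIN_HA_PRIORITY = 1  # lowest possible HA priority value, per the Note above


@dataclass(frozen=True)
class Route:
    """One entry in the data route table (constructed model, not AX output)."""
    destination: str
    gateway: str
    protocol: str   # "static" or "dynamic"
    distance: int


@dataclass(frozen=True)
class RouteCheck:
    """One 'ha check route' statement; None means the option was omitted."""
    destination: str
    priority_cost: int
    gateway: Optional[str] = None
    protocol: Optional[str] = None
    distance: Optional[int] = None

    def matches(self, route: Route) -> bool:
        # The destination must match; each omitted option matches any value.
        if ip_network(route.destination) != ip_network(self.destination):
            return False
        if self.gateway and ip_address(route.gateway) != ip_address(self.gateway):
            return False
        if self.protocol and route.protocol != self.protocol:
            return False
        return self.distance is None or route.distance == self.distance


def parse_check(line: str) -> RouteCheck:
    """Parse an 'ha check route' command, with or without the CLI prompt."""
    tokens = line.split("#", 1)[-1].split()
    if tokens[:3] != ["ha", "check", "route"]:
        raise ValueError("not an 'ha check route' command: " + line)
    rest = tokens[3:]
    dest = rest.pop(0)
    if rest and rest[0].startswith("/"):      # IPv4 form: '10.10.10.0 /24'
        dest += rest.pop(0)
    opts = dict(zip(rest[0::2], rest[1::2]))  # remaining tokens are keyword/value pairs
    return RouteCheck(
        destination=str(ip_network(dest)),
        priority_cost=int(opts["priority-cost"]),
        gateway=opts.get("gateway"),
        protocol=opts.get("protocol"),
        distance=int(opts["distance"]) if "distance" in opts else None,
    )


def ha_priority(configured: int, checks: Iterable[RouteCheck],
                table: Iterable[Route]) -> int:
    """Subtract the cost of every check that no route satisfies; floor at 1."""
    routes = list(table)
    cost = sum(c.priority_cost for c in checks
               if not any(c.matches(r) for r in routes))
    return max(MIN_HA_PRIORITY, configured - cost)


# The two IPv6 commands from the example above.
PAGE_IPV6_CHECKS = [
    parse_check("AX(config)#ha check route 3000::/64 priority-cost 100"),
    parse_check("AX(config)#ha check route 3000::/64 priority-cost 5 "
                "protocol static gateway 2001::1"),
]

if __name__ == "__main__":
    # Constructed route table: static route present, but via another gateway.
    table = [Route("3000::/64", "2001::2", "static", 1)]
    print(ha_priority(200, PAGE_IPV6_CHECKS, table))
```

Because failover on a priority change also depends on ha preemption-enable, a lower computed priority only indicates a possible failover.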

ha check vlan
Description
Configure an AX device to detect the status of its VLANs, and change HA status based on VLAN status changes.

Syntax
[no] ha check vlan vlan-id timeout seconds

Parameter   Description
vlan-id     VLAN ID.
seconds     Number of seconds a VLAN can be inactive before a failover is triggered. The timeout can be 2-600 seconds. You must specify the timeout. Although there is no default, A10 recommends trying 30 seconds.

Default
Not set

Mode
Configuration mode

Usage
When HA checking is enabled for a VLAN, the active AX device in the HA pair monitors traffic activity on the VLAN. If there is no traffic on the VLAN for half the duration of a configurable timeout, the AX device attempts to generate traffic by issuing ping requests to servers if configured, or broadcast ARP requests through the VLAN. If the AX device does not receive any traffic on the VLAN before the timeout expires, a failover occurs.

This HA checking method provides a passive means to detect network health, whereas heartbeat messages are an active mechanism. You can use either or both methods to check VLAN health. If you use both methods on a VLAN, A10 recommends that you specify an HA checking interval (timeout) that is much longer than the heartbeat interval.

Example
The following command enables VLAN-based failover for VLAN 10 and sets the timeout to 30 seconds:

AX(config)#ha check vlan 10 timeout 30

ha conn-mirror
Description
Set the peer IP address to use for session synchronization (also called connection mirroring) and config sync.

Syntax
[no] ha conn-mirror ip ipaddr

Parameter   Description
ipaddr      Specifies the IP address of the other AX in the HA configuration.

Default
None

Mode
Configuration mode

Usage
This command sets the IP address to which to mirror sessions. However, you also must use the ha-conn-mirror command on individual virtual ports to enable connection mirroring on the virtual ports. (See "ha-conn-mirror" on page 417.)

Connection mirroring is required for config sync. Config sync uses the connection mirroring link.

HA session synchronization applies primarily to Layer 4 sessions. HA session synchronization does not apply to DNS sessions. Since these sessions are typically very short lived, there is no benefit to synchronizing them.

Likewise, session synchronization does not apply to static NAT sessions. Synchronization of these sessions is not needed since the newly Active AX device will create a new flow for the session following failover.

Example

The following command sets the session synchronization address to 10.10.10.66, the IP address of the other AX in this HA pair:

AX(config)#ha conn-mirror ip 10.10.10.66


ha force-self-standby
Description
Force HA groups to change from Active to Standby status.

Syntax
[no] ha force-self-standby [group-id]

Parameter   Description
group-id    Specifies the group ID. Only the specified group is forced to change from Active to Standby. If you do not specify a group ID, all Active groups are forced to change to Standby status.

Default
N/A

Mode
Configuration mode

Usage
This command provides a simple method to force a failover, without the need to change HA group priorities and enable pre-emption. The command is not added to the configuration and does not persist across reboots.

Example
The following command forces HA group 1 to change from Active to Standby status:

AX(config)#ha force-self-standby 1

ha forward-l4-packet-on-standby
Description
Enable Layer 2/3 forwarding of Layer 4 traffic on the Standby AX device.

Syntax
[no] ha forward-l4-packet-on-standby

Default
Disabled. Layer 4 traffic is dropped by the Standby AX device.

Mode
Configuration mode

ha group
Description
Configure an HA group and set its priority.

Syntax
[no] ha group group-id priority num

Parameter   Description
group-id    HA group ID, 1-31.
num         Number from 1 (low priority) to 255 (high priority).

Default
The configuration does not have a default HA group. HA groups do not have a default priority. You must set the priority.

Mode
Configuration mode

Usage
In Active-Standby configurations, configure only one HA group. Use the same group ID on each AX device.

In Layer 3 Active-Active configurations, to make one AX active for some virtual servers and make the other AX active for the other virtual servers, configure multiple HA groups and give them different priorities. Use the same group IDs for the same virtual servers on each AX.

Example

The following command configures HA group 1 and sets its priority to 100:

AX(config)#ha group 1 priority 100

ha id
Description
Enable HA.

Syntax
[no] ha id {1 | 2} [set-id num]

Parameter    Description
1 | 2        HA ID for the AX device.
set-id num   HA set ID, 1-7.

Default
Neither parameter is set.

Mode
Configuration mode

Usage
Use HA ID 1 on one of the AX Series devices in the HA pair. Use HA ID 2 on the other AX Series device in the HA pair. The set-id option allows you to use multiple HA pairs. The set ID must be unique for each AX pair.

Example
The following command enables HA with ID 1:

AX(config)#ha id 1


ha inline-mode
Description
Enable blocking of Layer 2 loops in a transparent (Layer 2) hot-standby HA configuration.

Syntax
[no] ha inline-mode [preferred-port port-num]

Parameter   Description
port-num    Specifies the port to use for session synchronization and for management traffic between the AX Series devices in the HA pair. For example, if you use the CLI on one AX to ping the other AX device, the ping packets are sent only on the preferred HA port. Likewise, the other AX device sends the ping reply only on its preferred HA port. Management traffic between AX Series devices includes any of the following types of traffic: Telnet, SSH, or Ping.

Default
Disabled. If you enable inline mode but you do not specify the preferred port, the preferred port is selected as follows:
1. The first HA interface that comes up on the AX is used as the preferred HA port.
2. If the preferred HA port selected above goes down, the HA interface with the lowest port number is used. If that port also goes down, the HA interface with the next-lowest port number is used, and so on.
This selection mechanism is also used if the preferred port is configured but goes down.

Note: The preferred port must be added as an HA interface and heartbeat messages must be enabled on the interface.

Mode
Configuration mode

Usage
Inline support applies specifically to network topologies where inserting a pair of AX Series devices would cause a Layer 2 loop. In this type of topology, inline mode enables you to deploy the AX Series devices in an HA pair without the need to enable Spanning Tree Protocol (STP) on any of the devices in the network.

Inline mode is designed for one HA group in Hot-Standby mode. Do not configure more than one HA group on an AX running in inline mode.

Example
The following command enables HA inline mode and sets the preferred port to Ethernet port 5:

AX(config)#ha inline-mode preferred-port 5

ha interface
Description
Configure an HA interface.

Syntax
[no] ha interface ethernet port-num [router-interface | server-interface | both] [no-heartbeat | vlan vlan-id]

Parameter                                  Description
port-num                                   Specifies the HA interface.
router-interface | server-interface | both Identifies the type of device connected to the HA interface:
                                           router-interface - The HA interface is connected to an upstream router.
                                           server-interface - The HA interface is connected to a real server.
                                           both - The HA interface is connected to an upstream router and a real server.
no-heartbeat | vlan vlan-id                Disables HA heartbeat messages on the HA interface, or enables them only on the specified VLAN. If the port is tagged and heartbeat messages are enabled, you must specify the VLAN.

Default
No HA interfaces are set by default. When you set an HA interface, the device type is not set by default. Heartbeat messages are enabled on the interface by default.

Mode
Configuration mode

Usage
At least one HA interface must be specified and at least one HA interface must have heartbeat messages enabled. If the interface is tagged, a VLAN ID must be specified if heartbeat messages are enabled on the interface.

Note: The maximum number of HA interfaces you can configure is the same as the number of Ethernet data ports on the AX device.

If the heartbeat messages from one AX device to the other will pass through a Layer 2 switch, the switch must be able to pass UDP IP multicast packets.

Set each interface connected to the real servers or clients (for example, connected through upstream routers) as an HA interface. Also set the interface that connects an AX Series device to its HA peer (the other AX device in the HA pair) as an HA interface.

Setting the device type increases the granularity of the HA state.
- If the device type is not set, the HA state of the AX device can be one of the following:
  Up - All configured interfaces are up.
  Down - At least one of the HA interfaces is down.
- If you set the device type, the HA status of the AX device is based on the status of the AX link with the real server or upstream router:
  Up - All configured HA router and server interfaces are up.
  Partially Up - Some HA router or server interfaces are down but at least one server link and one router link are up.
  Down - All router interfaces, or all server interfaces, or both are down. The status also is Down if neither router interfaces nor server interfaces are configured and an HA interface goes down.

If both types of interfaces (router interfaces and server interfaces) are configured, the HA interfaces for which a type has not been configured are not included in the HA interface status determination.

Example
The following command configures Ethernet port 2 as an HA interface, indicates that it is connected to a router, and disables heartbeat messages on the interface:

AX(config)#ha interface ethernet 2 router-interface no-heartbeat

ha l3-inline-mode
Description
Enable blocking of traffic loops in a gateway (Layer 3) hot-standby HA configuration.

Syntax
[no] ha l3-inline-mode

Default
Disabled.

Mode
Configuration mode

Usage
Layer 3 inline support applies specifically to network topologies where inserting a pair of AX Series devices would cause a traffic loop. In this type of topology, Layer 3 inline mode enables you to deploy the AX Series devices in an HA pair without the need to change the network topology or enable Spanning Tree Protocol (STP) on any of the devices in the network.

Inline mode is designed for one HA group in Hot-Standby mode. Do not configure more than one HA group on an AX running in inline mode.

Example
The following command enables Layer 3 inline mode:

AX(config)#ha l3-inline-mode

ha link-event-delay
Description
Change the delay that the AX device waits before changing the HA state (Up, Partially Up, or Down) in response to link-state changes on HA interfaces.

Syntax
[no] ha link-event-delay 100-ms-unit

Parameter     Description
100-ms-unit   Specifies how many 100-ms units (one tenth of a second units) to use for the delay. You can set the delay to a value from 100 milliseconds (ms) to 10000 ms, in increments of 100 ms.

Default
3000 ms (3 seconds)

Mode
Configuration mode

Usage
This command applies only to inline mode (Layer 2 or Layer 3). The delay is applicable in the following situations:
- The AX device is Active and a link goes down.
- The AX device is Standby and a link comes up. (There is an additional 10-20 second delay in this case.)
The delay helps prevent HA flapping.

Example
The following command changes the HA state change delay to 5 seconds:

AX(config)#ha link-event-delay 50


ha ospf-inline vlan
Description
In HA Layer 3 inline mode, leave OSPF enabled on the Standby AX device, on the specified VLAN.

Syntax
[no] ha ospf-inline vlan vlan-id

Default
Enabled for all VLANs.

Mode
Configuration mode

Usage
When this option is enabled, OSPF on the Standby AX device will always participate in OSPF routing. There is no additional time gap when failover happens.

To limit OSPF adjacency formation to a specific VLAN only, explicitly configure adjacency formation for that VLAN. In this case, OSPF adjacency formation does not occur for any other VLANs.

ha preemption-enable
Description
Allow the high-priority HA group to take over from the currently active one. This command enables you to force HA failovers based on HA configuration changes.

Syntax
[no] ha preemption-enable

Default
Pre-emption is disabled by default. By default, a failover occurs only in the following cases:
- The Standby AX device stops receiving HA heartbeat messages from the other AX device in the HA pair.
- The HA interface state changes give the Standby AX device a better HA state than the Active AX device.
By default, failover does not occur due to HA configuration changes to the HA priority.

Note: To force failover without changing HA group priorities or enabling pre-emption, see "ha force-self-standby" on page 513.

Mode
Configuration mode

Example
The following command enables HA pre-emption mode:

AX(config)#ha preemption-enable

ha restart-port-list
Description
Configure HA interfaces on the previously Active AX device to toggle (shut down and restart) following HA failover.

Syntax
[no] ha restart-port-list ethernet port-list

Parameter   Description
port-list   Specifies the HA interfaces to restart.

Note: You must omit at least one port connecting the AX devices from the restart port-list, and heartbeat messages must be enabled on the port. This is so that heartbeat messages between the AX devices are maintained; otherwise, flapping might occur.

Note: On model AX 2000 or AX 2100, A10 recommends that you do not include Fiber ports in the restart port list.

Default
Disabled. HA interfaces are not restarted after a failover.

Mode
Configuration mode

Usage
Use this command in inline mode configurations to cause the router connected to the AX Series device to relearn MACs, including MACs for the real servers. Without this command, the router might continue to try to reach the real servers through the AX Series device that becomes the Standby AX device after a failover.

HA port restart toggles a specified set of ports on the formerly Active AX by disabling the ports, waiting for a specified number of milliseconds, then re-enabling the ports. Toggling the ports causes the links to go down, which in turn causes the devices on the other ends of the links to flush their learned MAC entries on the links. The devices then can relearn MACs through links with the newly Active AX.

Example

The following command enables restart of HA interfaces 1 and 2, to occur if the AX Series device transitions to Standby:

AX(config)#ha restart-port-list ethernet 1 to 2


ha restart-time
Description
Configure the amount of time HA interfaces remain disabled following a failover.

Syntax
[no] ha restart-time 100-msec-units

Parameter        Description
100-msec-units   Amount of time to keep the HA interfaces disabled. You can specify 1-100 units of 100 ms (from 0.1 seconds to 10 seconds).

Default
The default is 20 units of 100 milliseconds (ms) each, for a total of 2 seconds.

Mode
Configuration mode

Usage
This command applies only to HA interfaces in a restart port list configured by the ha restart-port-list command. (See "ha restart-port-list" on page 520.)

Example
The following command changes the restart interval to 4 seconds:

AX(config)#ha restart-time 40

ha sync
Description
Synchronize the Layer 4-7 configuration information of the standby AX Series device with the active AX device in an HA pair.

Syntax
ha sync all {to-startup-config [with-reload] | to-running-config} [all-partitions | partition partition-name]

Syntax
ha sync startup-config {to-startup-config [with-reload] | to-running-config} [all-partitions | partition partition-name]

Syntax
ha sync running-config {to-startup-config [with-reload] | to-running-config} [all-partitions | partition partition-name]

Syntax
ha sync data-files [all-partitions | partition partition-name]

Parameter                  Description
all                        Synchronizes data files and the running-config. (See Usage for a list of the types of data files that are synchronized.) You can synchronize the running-config to one of the following on the other AX Series device:
                           startup-config - Replaces the startup-config on the other AX device with the running-config on this device. For information about the with-reload option, see Usage below.
                           Note: If the HA status is Standby for all the HA groups on the other AX device, the AX device is reloaded anyway, even if the with-reload option is not used.
                           running-config - Replaces the running-config on the other AX device with the running-config on this device.
data-files                 Synchronizes data files but not the running-config or startup-config. (See Usage for a list of the types of data files that are synchronized.)
running-config             Synchronizes the running-config. You can synchronize it to one of the following on the other AX Series device:
                           startup-config - Replaces the startup-config on the other AX device with the running-config on this device. For information about the with-reload option, see Usage below.
                           running-config - Replaces the running-config on the other AX device with the running-config on this device.
startup-config             Synchronizes the startup-config. See above for descriptions of the options. You can synchronize it to one of the following on the other AX Series device:
                           startup-config - Replaces the startup-config on the other AX device with the startup-config on this device. For information about the with-reload option, see Usage below.
                           running-config - Replaces the running-config on the other AX device with the startup-config on this device.
all-partitions             Synchronizes the configuration for all partitions.
partition partition-name   Synchronizes the configuration only for the specified partition.

Default
N/A

Mode
Configuration mode

Usage
Connection mirroring is required for config sync. Config sync uses the connection mirroring link. (See "ha conn-mirror" on page 512.)

SSH management access must be enabled on both ends of the link. (See "enable-management" on page 105.)

The following configuration items are backed up during HA config sync:
- Admin accounts and settings
- Floating IP addresses
- IP NAT configuration
- Access control lists (ACLs)
- Health monitors
- Policy-based SLB (black/white lists)
- SLB
- FWLB
- GSLB
- Data Files:
  - aFleX files
  - External health check files
  - SSL certificate and private-key files
  - Black/white-list files

The following configuration items are not backed up during HA config sync:
- Management access settings (the ones described in "enable-management" on page 105)
- AX Hostname
- MAC addresses
- Management IP addresses
- Trunks or VLANs
- Interface settings
- OSPF settings
- ARP entries or settings

This command does not have a "no" form.

Reload of the target AX device following synchronization
In certain cases, the target AX device is automatically reloaded, but in other cases, reload is either optional or is not allowed. Table 4 lists the cases in which reload is automatic, optional, or not allowed.

TABLE 4 Reload of Target AX Device After Config-Sync
Admin Role                        Status of Target AX   Target Config    Reload?
Root or Super User (Read-Write)   Standby               startup-config   Automatic
Root or Super User (Read-Write)   Standby               running-config   Automatic
Root or Super User (Read-Write)   Active                startup-config   Optional (see note 1). Not reloaded by default
Root or Super User (Read-Write)   Active                running-config   Automatic
Partition Write                   Standby               startup-config   Not Allowed
Partition Write                   Standby               running-config   Not Allowed
Partition Write                   Active                startup-config   Not Allowed
Partition Write                   Active                running-config   Not Allowed

1. If the target AX device is not reloaded, the GUI Save button on the Standby AX device does not blink to indicate unsaved changes. It is recommended to save the configuration if required to keep the running-config before the next reboot.

An admin who is logged on with Root or Read-Write (Super Admin) privileges can synchronize for all Role-Based Administration (RBA) partitions or for a specific partition.

An admin who is logged on with Partition Write privileges can synchronize only for the partition to which the admin is assigned, and can only synchronize to the startup-config on the other device. The with-reload and to-running-config options are not available to Partition Write admins.

Data that is synchronized from a Standby AX device to an Active AX device is not available on the Active AX device until that device is rebooted or the software is reloaded.

Synchronization on an AX Device configured for RBA
The all-partitions and partition partition-name options are applicable on AX devices that are configured for Role-Based Administration (RBA). If you omit both options, only the resources in the shared partition are synchronized. (If RBA is not configured, all resources are in the shared partition, so you can omit both options.)

The all-partitions option is applicable only to admins with Root, Read-write, or Read-only privileges. (See "show admin" on page 528 for descriptions of the admin privilege levels.)

Note: If you plan to synchronize the Active AX device's running-config to the Standby AX device's running-config, make sure to use one of the following synchronization options. Performing any one of these options ensures that new private partitions appear correctly in the Standby AX device's configuration.
- Synchronize all partitions.
- Synchronize the shared partition to the startup-config first, then synchronize the private partition to the running-config.
- On the Active AX device, synchronize the shared partition to the running-config first. Log onto the Standby AX device and save the shared partition (write memory partition shared). Then, on the Active AX device, synchronize the private partition to the running-config.

Example
The following command synchronizes the running-config and data files by copying them from this AX Series device to the other one in the HA pair. The running-config is copied to the other AX device's startup-config, and the other AX device is then reloaded:

AX(config)#ha sync all startup-config

Example

The following commands synchronize the Active AX device's running-config with the Standby AX device's running-config, for AX devices that are configured for Role-Based Administration (RBA):

AX(config)#ha sync running-config to-running-config partition shared
AX(config)#ha sync running-config to-running-config all-partitions


ha time-interval
Description
Configure the interval between HA heartbeat messages.

Syntax
[no] ha time-interval 100-msec-units

Parameter        Description
100-msec-units   Amount of time between sending each heartbeat message. You can specify 1-255 units of 100 ms each.

Default
200 milliseconds

Mode
Configuration mode

Example
The following command changes the HA time interval to 400 ms:

AX(config)#ha time-interval 4

ha timeout-retry-count
Description
Configure the number of HA heartbeat intervals the Standby AX Series device will wait for a heartbeat message from the Active AX device before failing over.

Syntax
[no] ha timeout-retry-count num

Parameter   Description
num         Number of times the HA time interval can expire before the Standby AX device fails over to become the Active AX device. You can specify 2-255.

Default
5

Mode
Configuration mode

Example
The following command changes the HA timeout retry count to 10:

AX(config)#ha timeout-retry-count 10
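Several of the ha commands above state constraints that span more than one command (ha interface, ha inline-mode, ha restart-port-list, ha check route and ha check vlan). The following Python check is an added example, not A10 tooling: it reads configuration text and reports which of those documented constraints are violated. It assumes the configuration stores ha lines in the same form as the commands are typed, that port lists use the "ethernet 1 to 2" form shown above, and that any heartbeat-enabled HA interface outside the restart list can stand in for "a port connecting the AX devices"; the function names, finding codes and both sample configurations are constructed for illustration.

```python
def expand_ports(tokens):
    """Expand a port list such as ['ethernet', '1', 'to', '2'] into {1, 2}."""
    nums = [t for t in tokens if t != "ethernet"]
    ports, i = set(), 0
    while i < len(nums):
        first = int(nums[i])
        if i + 2 < len(nums) and nums[i + 1] == "to":
            ports.update(range(first, int(nums[i + 2]) + 1))
            i += 3
        else:
            ports.add(first)
            i += 1
    return ports


def lint_ha(config):
    """Return sorted finding codes for the 'ha' lines of a configuration text."""
    hb_ports, restart, groups, findings = set(), set(), set(), set()
    seen_ha = inline = preempt = route_check = False
    preferred = None
    for line in config.splitlines():
        t = line.split()
        if len(t) < 2 or t[0] != "ha":
            continue
        seen_ha = True
        if t[1:3] == ["interface", "ethernet"]:
            if "no-heartbeat" not in t:       # heartbeats are enabled by default
                hb_ports.add(int(t[3]))
        elif t[1] == "restart-port-list":
            restart |= expand_ports(t[2:])
        elif t[1] == "group":
            groups.add(int(t[2]))
        elif t[1] in ("inline-mode", "l3-inline-mode"):
            inline = True
            if "preferred-port" in t:
                preferred = int(t[t.index("preferred-port") + 1])
        elif t[1] == "preemption-enable":
            preempt = True
        elif t[1:3] == ["check", "route"]:
            route_check = True
        elif t[1:3] == ["check", "vlan"]:
            if not 2 <= int(t[t.index("timeout") + 1]) <= 600:
                findings.add("VLAN_TIMEOUT_OUT_OF_RANGE")
    if seen_ha and not hb_ports:
        findings.add("NO_HEARTBEAT_INTERFACE")
    if restart and not hb_ports - restart:    # every heartbeat port gets toggled
        findings.add("RESTART_LIST_LEAVES_NO_HEARTBEAT_PORT")
    if inline and len(groups) > 1:
        findings.add("INLINE_MODE_MULTIPLE_GROUPS")
    if preferred is not None and preferred not in hb_ports:
        findings.add("PREFERRED_PORT_WITHOUT_HEARTBEAT")
    if route_check and not preempt:           # priority change cannot trigger failover
        findings.add("ROUTE_CHECK_WITHOUT_PREEMPTION")
    return sorted(findings)


# Constructed sample configurations (not taken from a real device).
GOOD_CONFIG = """
ha id 1
ha group 1 priority 100
ha interface ethernet 1 router-interface
ha interface ethernet 2 server-interface
ha interface ethernet 5
ha inline-mode preferred-port 5
ha restart-port-list ethernet 1 to 2
ha preemption-enable
ha check route 0.0.0.0 /0 priority-cost 255
ha check vlan 10 timeout 30
"""

BAD_CONFIG = """
ha id 1
ha group 1 priority 100
ha group 2 priority 50
ha interface ethernet 1 router-interface
ha interface ethernet 2 server-interface no-heartbeat
ha inline-mode preferred-port 2
ha restart-port-list ethernet 1 to 2
ha check route 0.0.0.0 /0 priority-cost 255
ha check vlan 10 timeout 1
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint_ha(text))
```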


Show Commands
The show commands display configuration and system information.

In addition to the command options provided with some show commands, you can use output modifiers to search and filter the output. See "Searching and Filtering CLI Output" on page 36.

To automatically re-enter a show command at regular intervals, see "repeat" on page 62.

Note: The show slb commands are described in a separate chapter. See "SLB Show Commands" on page 653.

show access-list
Description
Display the configured Access Control Lists (ACLs). The output lists the configuration commands for the ACLs in the running-config.

Syntax
show access-list [ipv4 | ipv6] [acl-id]

Parameter     Description
ipv4 | ipv6   IP address type.
acl-id        ACL name or number.

Mode
All

Example
The following command displays the configuration commands for ACL 1:

AX#show access-list ipv4 1
access-list 1 permit 198.162.11.0 0.0.0.255 Hits: 3
access-list 1 deny 198.162.12.0 0.0.0.255 Hits: 1

Note:

The ACL Hits counter is not applicable to ACLs applied to the management port.

show active-partition
Description
Show the active partition, which is the system partition the CLI session is currently managing. Partitions are used by Role-Based Administration (RBA).

Syntax
show active-partition

Mode
All

Example
The following command shows that the partition currently being managed by the CLI session is the shared partition:

AX#show active-partition
Currently active partition: shared

show admin
Description
Display the administrator accounts.

Syntax
show admin [admin-name] [detail | session]

Parameter    Description
admin-name   Administrator name.
detail       Shows detailed information about the admin account.
session      Shows the current management sessions.

Mode
Privileged EXEC mode and configuration mode

Example
The following command lists the admins configured on an AX device:

AX(config)#show admin
UserName     Status    Privilege    Partition
-------------------------------------------------------
admin        Enabled   Root
admin2       Enabled   Read/Write
compAadmin   Enabled   P.R/W        companyA
compBadmin   Enabled   P.R/W        companyB

Table 5 describes the fields in the command output.

TABLE 5 show admin fields
Field       Description
UserName    Name of the AX admin.
Status      Administrative status of the account.
Privilege   Access privilege level for the account:
            Root - Allows access to all levels of the system. This account is the admin account called "admin" and cannot be deleted. This is the only privilege level that can configure other admin accounts.
            Read/Write - Allows access to all levels of the system. This account is not the admin account and can be deleted.
            Read only - Allows monitoring access to the system but not configuration access. In the CLI, this account can only access the User EXEC and Privileged EXEC levels, not the configuration levels. In the GUI, this account cannot modify configuration information.
            P.R/W - The admin has read-write privileges within the private partition to which the admin has been assigned. The admin has read-only privileges for the shared partition.
            P.R - The admin has read-only privileges within the private partition to which the admin has been assigned, and read-only privileges for the shared partition.
            P.RS Op - The admin is assigned to a private partition but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers or their service ports.
            Note: The P (partition) privilege levels apply to Role-Based Administration (RBA). See the "Role-Based Administration" chapter of the AX Series Configuration Guide.
Partition   Private partition to which the admin is assigned.
            Note: A partition name appears only for admins with P.R/W, P.R, or P.RS Op privileges. For other privilege levels, this field is blank.

Example

The following command lists details for the admin account:


admin Enabled Root Any No

AX#show admin admin detail User Name ...... Status ...... Privilege ...... Partition ...... Trusted Host(Netmask) ...... Lock Status ...... Lock Time ...... Unlock Time ...... Password Type ...... Password ......

Encrypted $1$6334ba07$CKbWL/LuSNdY12kcE.KdS0



Table 6 describes the fields in the command output.

TABLE 6 show admin detail fields

Field                   Description
User Name               Name of the AX admin.
Status                  Administrative status of the account.
Privilege               Access privilege level for the account:
                          Root - Allows access to all levels of the system. This account is the admin account called admin and cannot be deleted.
                          Read/Write - Allows access to all levels of the system. This account is not the admin account and can be deleted.
                          Read only - Allows monitoring access to the system but not configuration access. In the CLI, this account can only access the User EXEC and Privileged EXEC levels, not the configuration levels. In the GUI, this account cannot modify configuration information.
                          Partition-write - The admin has read-write privileges within the private partition to which the admin has been assigned. The admin has read-only privileges for the shared partition.
                          Partition-read - The admin has read-only privileges within the private partition to which the admin has been assigned, and read-only privileges for the shared partition.
                          Partition-enable-disable - The admin is assigned to a private partition but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers and their service ports.
Partition               Private partition to which the admin is assigned.
                        Note: A partition name appears only for admins with Partition-write, Partition-read, or Partition-enable-disable privileges. For other privilege levels, this field is blank.
Trusted Host(Netmask)   IP host or subnet address from which the admin must log in.
Lock Status             Indicates whether the admin account is currently locked.
Lock Time               If the account is locked, indicates how long the account has been locked.
Unlock Time             If the account is locked, indicates how long the account will continue to be locked.
Password Type           Indicates whether the password is encrypted when displayed in the CLI or GUI and in the startup-config and running-config.
Password                The admin's password.



Example      The following command lists all the currently active admin sessions:

AX#show admin session
Id   User Name  Start Time                    Source IP      Type  Partition  Cfg
---------------------------------------------------------------------------
1    admin      14:48:17 PST Wed Jan 16 2008  192.168.1.152  CLI   shared     Yes
*2   admin      15:34:15 PST Wed Jan 16 2008  192.168.1.144  CLI   shared     No
3    admin      15:32:33 PST Wed Jan 16 2008  192.168.1.144  WEB   shared     No

Table 7 describes the fields in the command output.

TABLE 7 show admin session fields

Field        Description
Id           Admin session ID assigned by the AX device. The ID applies only to the current session.
User Name    Admin name.
Start Time   System time when the admin logged onto the AX device to start the current management session.
Source IP    IP address from which the admin logged on.
Type         Management interface through which the admin logged on.
Partition    Role-Based Administration (RBA) partition that is currently active for the management session.
Cfg          Indicates whether the admin is at the configuration level.
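
The session table above can be reviewed by script when collected from several devices. The following is an added example, not part of the A10 documentation or software: it parses the show admin session rows and reports accounts logged in from more than one source IP, sessions at the configuration level, and sessions from outside an allow-list. The column spacing of the sample, the function names and the expected_sources parameter are assumptions; the leading asterisk is recorded as-is because this section does not define it.

```python
import re
from collections import defaultdict

# Constructed sample: the three sessions from the "show admin session"
# example, one row per line. The column spacing is an assumption.
SAMPLE_OUTPUT = """\
AX#show admin session
Id   User Name  Start Time                    Source IP      Type  Partition  Cfg
---------------------------------------------------------------------------------
1    admin      14:48:17 PST Wed Jan 16 2008  192.168.1.152  CLI   shared     Yes
*2   admin      15:34:15 PST Wed Jan 16 2008  192.168.1.144  CLI   shared     No
3    admin      15:32:33 PST Wed Jan 16 2008  192.168.1.144  WEB   shared     No
"""

# One session row. Start Time is the clock time followed by five more
# whitespace-separated tokens (zone, weekday, month, day, year).
ROW_RE = re.compile(
    r"^(?P<marked>\*?)(?P<id>\d+)\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<start>\d{2}:\d{2}:\d{2}(?:\s+\S+){5})\s+"
    r"(?P<source>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<type>\S+)\s+"
    r"(?P<partition>\S+)\s+"
    r"(?P<cfg>Yes|No)\s*$"
)


def parse_sessions(text):
    """Return one dict per session row; prompt, header and rule lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        sessions.append({
            "id": int(m["id"]),
            "marked": m["marked"] == "*",   # leading asterisk, meaning not assumed
            "user": m["user"],
            "start": m["start"],
            "source": m["source"],
            "type": m["type"],
            "partition": m["partition"],
            "cfg": m["cfg"] == "Yes",        # admin is at the configuration level
        })
    return sessions


def review_sessions(sessions, expected_sources=None):
    """Summarize the points a reviewer checks in the session table.

    expected_sources is a hypothetical allow-list of management station IPs;
    when given, sessions from any other address are reported.
    """
    sources_by_user = defaultdict(set)
    for s in sessions:
        sources_by_user[s["user"]].add(s["source"])

    unexpected = []
    if expected_sources is not None:
        unexpected = [s["id"] for s in sessions
                      if s["source"] not in expected_sources]

    return {
        # Same account active from several addresses at once.
        "multi_source": {u: sorted(ips)
                         for u, ips in sources_by_user.items() if len(ips) > 1},
        # Sessions that can currently change the configuration.
        "config_level": [s["id"] for s in sessions if s["cfg"]],
        "unexpected_source": unexpected,
    }


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_OUTPUT)
    report = review_sessions(found, expected_sources={"192.168.1.144"})
    for key, value in report.items():
        print(f"{key}: {value}")
```
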

show aflex
Description  Display the configured aFleX policies.
Syntax       show aflex [aflex-name] [all-partitions | partition name]
Mode         All
Usage        To display the aFleX policies for a specific Role-Based Administration (RBA) partition only, use the partition name option.



Example      The following command shows the aFleX policies on an AX Series device:

AX#show aflex
Total aFleX number: 6
Name                 Syntax   Virtual port
------------------------------------------------------------
aFleX_Remote         No       No
aFleX_check_agent    No       No
aFleX_relay_client   Check    No
bugzilla_proxy_fix   Check    Bind
http_to_https        Check    No
louis                No       No

Table 8 describes the fields in the command output.

TABLE 8 show aflex fields

Field                Description
Total aFleX number   Total number of aFleX policies on the AX Series.
Name                 Name of the aFleX policy.
Syntax               Indicates whether the aFleX policy has passed the syntax check performed by the AX device:
                       Check - The aFleX policy passed the syntax check.
                       No - The aFleX policy did not pass the syntax check.
Virtual port         Indicates whether the aFleX policy is bound to a virtual port.

show arp
Description  Display ARP table entries.
Syntax       show arp [all | ipaddr]
Mode         All
Example      The following command lists the ARP entry for host 192.168.1.144:

AX#show arp 192.168.1.144
Total arp entries: 1    Age time: 300 secs
IP Address      MAC Address      Type      Age   Interface    Vlan
---------------------------------------------------------------------------
192.168.1.144   0011.2F7C.1A75   Dynamic   293   Management   1



Table 9 describes the fields in the command output.

TABLE 9 show arp fields

Field               Description
Total arp entries   Total number of entries in the ARP table. This total includes static and learned (dynamic) entries.
Age time            Number of seconds a dynamic ARP entry can remain in the table before being removed.
IP Address          IP address of the device.
MAC Address         MAC address of the device.
Type                Indicates whether the entry is static or dynamic.
Age                 For dynamic entries, the number of seconds since the entry was last used.
Interface           AX interface through which the device that has the displayed MAC address and IP address can be reached.
Vlan                VLAN through which the device that has the MAC address can be reached.

show audit
Description  Show the command audit log.
Syntax       show audit [all-partitions | partition name]
Mode         All
Usage        The audit log is maintained in a separate file, apart from the system log.
             The audit log is RBA-aware. The audit log messages that are displayed for an admin depend upon the admin's role (privilege level). Admins with Root, Read Write, or Read Only privileges who view the audit log can view all the messages, for all system partitions.
             To display the messages for a specific Role-Based Administration (RBA) partition only, use the partition name option.
             Admins who have privileges only within a specific partition can view only the audit log messages related to management of that partition. Partition Real Server Operator admins cannot view any audit log entries.

show axdebug file


Description  Display AX debug capture files or their contents.
Syntax       show axdebug file [filename]
Mode         All
Example      The following command displays the list of AX debug capture files on the device:

AX(axdebug)#show axdebug file
------------------------------------+--------------+----------------------------
Filename                            | Size(Byte)   | Date
------------------------------------+--------------+----------------------------
file1                               | 58801        | Tue Sep 23 22:49:07 2008
file123                             | 192          | Fri Sep 26 17:06:51 2008
------------------------------------+--------------+----------------------------
Total: 2
Maximum file number is: 100

Example      The following command displays the packet capture data in file file123:

AX(axdebug)#show axdebug file file123
Parse file for cpu #1:

Parse file for cpu #2:
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: S 2111796945:2111796945(0) ack 3775149588 win 5792 <mss 1460,sackOK,timestamp 1368738447 524090233,nop,wscale 7>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: S 2111796945:2111796945(0) ack 3775149588 win 5792 <mss 1460,sackOK,timestamp 1368738447 524090233,nop,wscale 7>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: . ack 150 win 54 <nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: . ack 150 win 54 <nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: P 1:192(191) ack 150 win 54 <nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: P 1:192(191) ack 150 win 54 <nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: F 192:192(0) ack 151 win 54 <nop,nop,timestamp 1368738448 524090234>

show axdebug filter


Description  Display the configured AXdebug output filters.
Syntax       show axdebug filter [filter-num]
Mode         All


show axdebug status


Description  Display per-CPU packet capture counts for AXdebug.
Syntax       show axdebug status [cpu-num [...]]
Mode         All

show bootimage
Description  Display the software images stored on the AX Series device.
Syntax       show bootimage
Mode         All
Example      The following command shows the software images on an AX Series device:

AX#show bootimage
                          (* = Default)
                          Version
-----------------------------------------------
Hard disk primary         1.2.0.153 (*)
Hard disk secondary       1.2.1.24
Compact flash primary     1.1.1.68 (*)
Compact flash secondary   1.1.1.51

The asterisk ( * ) indicates the default image for each boot device (hard disk and compact flash). The default image is the one that the AX Series device will try to use first, if trying to boot from that boot device. (The order in which the AX tries to use the image areas is controlled by the bootimage command. See bootimage on page 89.)

show bpdu-fwd-group
Description  Display the configured BPDU forwarding groups.
Syntax       show bpdu-fwd-group [number]

             Option   Description
             number   Displays the configuration of the specified BPDU forwarding group. If you omit this option, all configured BPDU forwarding groups are shown.
Mode         All
Example      The following command shows all configured BPDU forwarding groups:

AX#show bpdu-fwd-group
BPDU forward Group 1 members: ethernet 1 to 3
BPDU forward Group 2 members: ethernet 9 to 12

show bridge-vlan-group
Description  Display information for a bridge VLAN group.
Syntax       show bridge-vlan-group [group-id]
Mode         All

show bw-list
Description  Show black/white list information.
Syntax       show bw-list [name [detail | ipaddr]]

             Parameter   Description
             name        Name of a black/white list.
             detail      Displays the IP addresses contained in a black/white list.
             ipaddr      IP address within the black/white list.
Default      N/A
Mode         Config
Example      The following command shows all the black/white lists on an AX Series device:

AX#show bw-list
Name   Url                            Size(Byte)   Date
----------------------------------------------------------------------------
bw1    tftp://192.168.1.143/bwl.txt   106          Jan/22 12:48:01
bw2    tftp://192.168.1.143/bw2.txt   211          Jan/23 10:02:44
bw3    tftp://192.168.1.143/bw3.txt   192          Feb/11 08:02:01
bw4    Local                          82           Dec/12 21:01:05
Total: 4

Example      The following command shows the IP addresses in black/white list test:

AX#show bw-list test detail
Name:            test
URL:             tftp://192.168.20.143/bwl_test.txt
Size:            226 bytes
Date:            May/11 12:04:00
Update period:   120 seconds
Update times:    2
Content
------------------------------------------------------------------------------
1.1.1.0 #13
1.1.1.1 #13
1.1.1.2 #13
1.1.1.3 #13
1.1.1.4 #13
9.9.99.9 9
1.2.3.4/32 31
4.3.2.1/24 4
10.1.2.1/32 1
10.1.2.2/32 2
10.1.2.3/32 3
10.1.2.4/32 4
10.3.2.1/32 3
10.3.2.2/32 4
10.5.2.1/32 5
10.5.2.2/32 6
128.0.0.0/1 11


show class-list
Description  Display information for IP class lists.
Syntax       show class-list [name [ipaddr]]

             Parameter       Description
             name [ipaddr]   Specifies the class list name or an IP address in the class list. If you omit both options, the list of configured class lists is displayed instead.
Mode         All
Example      The following command displays the class-list files on the AX device:

AX#show class-list
Name         IP   Subnet   Location
test         4    3        file
user-limit   14   4        config
Total: 2

Table 7 describes the fields in the command output.

TABLE 10 show class-list fields

Field      Description
Name       Name of the class list.
IP         Number of host IP addresses in the class list.
Subnet     Number of subnets in the class list.
Location   Indicates whether the class list is in the startup-config or in a standalone file:
             config - Class list is located in the startup-config.
             file - Class list is located in a standalone file.
Total      Total number of class lists on the AX device.



The following command shows details for a class list:

AX#show class-list test
Name:              test
Total single IP:   4
Total IP subnet:   3
Content:
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1
20.1.2.0 /24 lid 2
0.0.0.0 /0 lid 31

The following commands show the closest matching entries for specific IP addresses in class list test:

AX#show class-list test 1.1.1.1
1.1.1.1 /32 glid 1
AX#show class-list test 1.1.1.2
0.0.0.0 /0 lid 31

The class list contains an entry for 1.1.1.1, so that entry is shown. However, since the class list does not contain an entry for 1.1.1.2 but does contain a wildcard entry (0.0.0.0), the wildcard entry is shown.
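
The closest-match lookup described above can be reproduced offline to check which entry a given client address will hit before a class list is deployed. The following is an added example, not A10 code: it models "closest match" as longest-prefix match, which is an assumption that agrees with both lookups shown, and it goes one step further by checking a /24 entry and a list with no wildcard. Function names are hypothetical; the entries are the ones in the show class-list test output.

```python
import ipaddress

# Content lines copied from the "show class-list test" example above.
CLASS_LIST_TEST = """\
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1
20.1.2.0 /24 lid 2
0.0.0.0 /0 lid 31
"""


def parse_class_list(text):
    """Parse 'address /prefix lid|glid number' lines into (network, kind, number)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue
        if (len(parts) != 4 or parts[2] not in ("lid", "glid")
                or not parts[3].isdigit()):
            raise ValueError(f"line {lineno}: unrecognized entry {raw!r}")
        # strict=True rejects entries whose host bits are set,
        # for example "20.1.1.5 /24", instead of silently masking them.
        network = ipaddress.ip_network(parts[0] + parts[1], strict=True)
        entries.append((network, parts[2], int(parts[3])))
    return entries


def closest_match(entries, ip):
    """Return the entry with the longest prefix that contains ip, or None.

    Longest-prefix selection is an assumption about how the device picks
    the "closest" entry; it matches the two lookups in the example above.
    """
    addr = ipaddress.ip_address(ip)
    candidates = [e for e in entries
                  if e[0].version == addr.version and addr in e[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e[0].prefixlen)


def count_entries(entries):
    """Return (single IPs, subnets), the two totals shown in the list header."""
    hosts = sum(1 for net, _, _ in entries if net.prefixlen == net.max_prefixlen)
    return hosts, len(entries) - hosts


def format_entry(entry):
    """Render an entry the way the command output prints it."""
    net, kind, number = entry
    return f"{net.network_address} /{net.prefixlen} {kind} {number}"


if __name__ == "__main__":
    table = parse_class_list(CLASS_LIST_TEST)
    print("single IP / subnet totals:", count_entries(table))
    for client in ("1.1.1.1", "1.1.1.2", "20.1.2.200"):
        hit = closest_match(table, client)
        print(client, "->", format_entry(hit) if hit else "no entry")
```
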

show clock
Description  Display the time, timezone, and date.
Syntax       show clock [detail]

             Parameter   Description
             detail      Shows the clock source, which can be one of the following:
                           Time source is NTP
                           Time source is user configuration
Mode         All



Example      The following command shows clock information for an AX Series device:

AX#show clock detail
20:27:16 Europe/Dublin Sat Apr 28 2007
Time source is NTP

Example      If a dot appears in front of the time, the AX Series has been configured to use NTP but NTP is not synchronized. The clock was in sync, but has since lost contact with all configured NTP servers.

AX#show clock
.20:27:16 Europe/Dublin Sat Apr 28 2007

Example      If an asterisk appears in front of the time, the clock is not in sync or has never been set.

AX#show clock
*20:27:16 Europe/Dublin Sat Apr 28 2007

show core
Description  Display core dump statistics.
Syntax       show core [process]

             Parameter   Description
             process     Shows core dump statistics for AX processes. Without this option, system core dump statistics are shown instead.
Mode         All
Example      The following command shows system core dump statistics:

AX#show core
It has been rebooted 1 time.
It has been crashed 0 time.
The process is up 71048 sec.


show cpu
Description  Display CPU statistics.
Syntax       show cpu [interval seconds]

             Parameter          Description
             interval seconds   Automatically refreshes the output at the specified interval. If you omit this option, the output is shown one time. If you use this option, the output is repeatedly refreshed at the specified interval until you press ctrl+c.
Mode         All
Example      The following command shows CPU statistics on an AX 2000, in 10-second intervals:

AX#show cpu interval 10
Cpu Usage: (press ^C to quit)
          1Sec   5Sec   10Sec  30Sec  60Sec
--------------------------------------------------------
Time: 16:28:57 PST Wed Jan 16 2008
Control   2%     2%     2%     2%     2%
Data0     0%     0%     0%     0%     0%
Data1     0%     0%     0%     0%     0%
Time: 16:29:07 PST Wed Jan 16 2008
Control   2%     2%     2%     2%     2%
Data0     0%     0%     0%     0%     0%
Data1     0%     0%     0%     0%     0%
...
<ctrl+c>
AX#

Table 11 describes the fields in the command output.

TABLE 11 show cpu fields

Field        Description
Time         System time when the statistics were gathered.
Control      Control CPU.
Data0-7      Data CPU. The number of data CPUs depends on the AX model.
1Sec-60sec   Time intervals at which statistics are collected.


show debug
Description  This command applies to debug output. It is recommended to use the AXdebug subsystem commands instead of the debug commands. See the following:
               AX Debug Commands on page 707
               show axdebug file on page 533
               show axdebug filter on page 534
               show axdebug status on page 535

show disk
Description  Display status information for the AX hard disks.
Syntax       show disk
Mode         All
Example      The following command shows hard disk information for an AX Series device:

AX#show disk
Total(MB)   Used   Free     Usage
-----------------------------------------
154104      5895   148209   4.0%

Device   Primary Disk   Secondary Disk
----------------------------------------------
md0      Active         Active
md1      Active         Active

Table 12 describes the fields in the command output.

TABLE 12 show disk fields

Field       Description
Total(MB)   Total amount of data the hard disk can hold.
            Note: The hard disk statistics apply to a single disk. This is true even if your AX device contains two disks. In systems with two disks, the second disk is a hot standby for the primary disk and is not counted separately in the statistics.
Used        Number of MB used.
Free        Number of MB free.



TABLE 12 show disk fields (Continued)

Field            Description
Usage            Percentage of the disk that is in use.
Device           Virtual partition on the disk:
                   md0 - The boot partition
                   md1 - The A10 data partition
Primary Disk     Status of the left hard disk in the redundant pair:
                   Active - The disk is operating normally.
                   Inactive - The disk has failed and must be replaced. Contact your A10 Networks representative.
                   Synchronizing - The disk has just been installed and is synchronizing itself with the other disk.
Secondary Disk   Status of the right hard disk in the redundant pair.

show dns
Description  Show DNS statistics.
Syntax       show dns statistics
Mode         All
Example      The following command displays DNS statistics:

AX#show dns statistics
DNS statistics for SLB:
-----------------------
No. of requests: 510
No. of responses: 508
No. of request retransmits: 0
No. of requests with no response: 2
No. of responses with no matching session: 0
No. of resource failures: 0

DNS statistics for IP NAT:
--------------------------
No. of requests: 0
No. of responses: 0
No. of request retransmits: 0
No. of requests with no response: 0
No. of responses with no matching session: 0
No. of resource failures: 0


show dns-cache-stat
Description  Display DNS caching statistics.
Syntax       show dns-cache-stat
Mode         All
Example      The following command shows DNS caching statistics:

AX#show dns-cache-stat
Total query: 100
Total server response: 55
Total cache hit: 49
Query not passed: 0
Response not passed: 0
Query encoded: 0
Response encoded: 0
Query with multiple questions: 0
Response with multiple questions: 0
Total aged out: 0

Table 13 describes the fields in the command output.

TABLE 13 show dns-cache-stat fields

Field                              Description
Total Query                        Total number of DNS queries received by the AX device.
Total Server Response              Total number of responses from DNS servers received by the AX device.
Total Cache Hit                    Total number of times the AX device was able to use a cached reply in response to a query.
Query Not Passed                   Number of queries that did not pass a packet sanity check.
Response Not Passed                Number of responses that did not pass a packet sanity check. The AX device checks the DNS header and question in the packet, but does not parse the entire packet.
Query Encoded                      Number of queries that were not cached because the domain name in the question was encoded in the DNS query packet.
Response Encoded                   Number of queries that were not cached because the domain name in the question was encoded in the DNS response packet.
Query With Multiple Questions      Number of queries that were not cached because they contained multiple questions.
Response With Multiple Questions   Number of responses that were not cached because they contained answers for multiple questions.



TABLE 13 show dns-cache-stat fields (Continued)

Field            Description
Total Aged Out   Total number of DNS cache entries that have aged out of the cache.

show dumpthread
Description  Show status information about the SLB process.
Syntax       show dumpthread
Mode         All
Example      The following command shows status information for the SLB process:

AX#show dumpthread
It has been rebooted 1 time.
It has been crashed 0 time.
The process is up 101102 sec.

show environment
Description  Display temperature, fan, and power supply status.
Syntax       show environment
Mode         All
Example      The following command shows environment information for an AX Series device:

AX#show environment
Physical System temperature: 56C / 132F
Fan1 speed: 2576 RPM
Fan2 speed: 2576 RPM
Fan3 speed: 2576 RPM
Upper Power Unit State: On
Lower Power Unit State: On


show errors
Description  Show error information for the system. This command provides a simple way to quickly view system status and error statistics.
Syntax       show errors [ application [sub-options] | critical [detail] | detail | informational [detail] | system [sub-options] ]

             Option                      Description
             application [sub-options]   Displays error information for AX applications. The following sub-options are available.
                 critical [detail]
                 detail
                 ha [critical [detail]] [detail] [informational [detail]]
                 hw-compression [critical [detail]] [detail] [informational [detail]]
                 informational [detail]
                 ipnat [critical [detail]] [detail] [informational [detail]]
                 l2-l3-forward [critical [detail]] [detail] [informational [detail]]



                 ram-cache [critical [detail]] [detail] [informational [detail]]
                 slb [critical [detail]] [detail]
                   [health-monitor [critical [detail]] [detail] [informational [detail]]
                   [informational [detail]]
                   [layer4 [critical [detail]] [detail] [informational [detail]]
                     [tcp [critical [detail]] [detail] [informational [detail]]
                     [udp [critical [detail]] [detail] [informational [detail]]
                   [layer7 [critical [detail]] [detail]
                     [fast-http [critical [detail]] [detail] [informational [detail]]
                     [http [critical [detail]] [detail] [informational [detail]]
                     [informational [detail]]
                     [sip [critical [detail]] [detail] [informational [detail]]
                     [smtp [critical [detail]] [detail] [informational [detail]]
                     [ssl-slb [critical [detail]] [detail] [informational [detail]]
                   [persist
                     [cookie [critical [detail]] [detail] [informational [detail]]
                     [critical [detail]]
                     [dest-ip [critical [detail]] [detail] [informational [detail]]
                     [detail]
                     [informational [detail]
                     [source-ip [critical [detail]] [detail] [informational [detail]]
                     [ssl-sid [critical [detail]] [detail] [informational [detail]]
                     [url-hash [critical [detail]] [detail] [informational [detail]]
                 ssl [critical [detail]] [detail] [informational [detail]]
             critical [detail]           Displays information about critical errors only.
             detail                      Displays detailed error information only.
             informational [detail]      Displays informational output only.
             system [sub-options]        Displays system-level errors. The following suboptions are available.
                 critical [detail]
                 detail



                 hardware [critical [detail]] [detail] [informational [detail]]
                 informational [detail]
                 software [critical [detail]] [detail] [informational [detail]]
Mode         All
Example      The following shows high-level error information for the system:

AX#show errors
Hardware components status
===========================
Physical System temperature: 36C / 96F
CPU Fan1 speed: 5818 RPM
CPU Fan2 speed: 5720 RPM
Upper Power Unit State: On
Lower Power Unit State: Off

Total(MB)   Used   Free     Usage
-----------------------------------------
157065      5777   151287   3.6%

Device   Primary Disk
------------------------------
md0      Active
md1      Active

System Memory Usage:
Total(KB)   Free     Shared   Buffers   Cached   Usage
---------------------------------------------------------------------------
2074308     316048   0        37324     256232   72.4%

Time: 21:22:12 IST Mon May 17 2010
          1Sec   5Sec   10Sec  30Sec  60Sec
--------------------------------------------------------
Control   31%    30%    25%    25%    26%
Data1     0%     0%     0%     0%     0%
Data2     0%     0%     0%     0%     0%
Data3     0%     0%     0%     0%     0%
Data4     0%     0%     0%     0%     0%
Data5     0%     0%     0%     0%     0%

System software Error Counters ========================================== Error packets drops: : 16 Hardware compression device is not installed. L2-L3 Fwd (Switch) Error Counters ========================================== Link Down Drop VLAN Flood Health Monitor Error Counters ========================================== Send packet failed: Retries: Timeouts: : 1741315 : 28982 : 9 : 57 : 175313

Example      The following command shows detailed system-software error statistics:

AX#show errors system software detail
System software Error Counters
==========================================
buff alloc failed:             : 0
buff alloc from sys failed:    : 0
Error packets drops:           : 16
Packet drops:                  : 0

Example      The following command shows detailed error statistics for SLB health monitoring:

AX#show errors application slb health-monitor detail
Health Monitor Error Counters
==========================================
Open socket failed:            : 0
Send packet failed:            : 1742518
Receive packet failed:         : 0
Unexpected error:              : 0
Retries:                       : 29002
Timeouts:                      : 9

show fwlb node


Description  Show statistics or configuration information for firewall nodes.
Syntax       show fwlb node [fwall-name] [config]

             Option       Description
             fwall-name   Specifies the firewall name.
             config       Displays configuration information.
Mode         All
Usage        To display configuration information for the firewall, use the config option. To display statistics instead, do not use the config option.
Example      The following command shows configuration information for firewall fw1:

AX#show fwlb node fw1 config
Total Number of Services configured on server fw1: 0
H-check = Health check   Max conn = Max. Connection   Wgt = Weight
Service   Address    H-check   Status   Max conn   Wgt
------------------------------------------------------------------------------
fw1       20.1.1.1   tsping    Enable   1000000    1



Table 14 describes the fields in the command output.

TABLE 14 show fwlb node config fields

Field                                           Description
Total Number of Services configured on server   Total number of individual service ports configured on the firewall. If the number is 0, then FWLB applies to all services on the firewall.
Service                                         Firewall or service name.
Address                                         IP address of the firewall.
H-check                                         Health check assigned to the firewall path or service.
Status                                          Status of the firewall service.
Max conn                                        Maximum number of connections allowed through the firewall or service.
Wgt                                             Administrative weight assigned to the firewall or service.

Example      The following command shows statistics for firewall fw1:

AX#show fwlb node fw1
Total Number of Services configured on server fw1: 0
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service   Current   Total   Req-pkt   Resp-pkt   State
------------------------------------------------------------------------------
Firewall: fw1
Request packets: 635567690
Response packets: 400297636
Request bytes: 48917119727
Response bytes: 38054947415
Current connections: 0
Persistent connections: 0
Total connections: 228870394

Table 15 describes the fields in the command output.

TABLE 15 show fwlb node fields

Field                                           Description
Total Number of Services configured on server   Total number of individual service ports configured on the firewall. If the number is 0, then FWLB applies to all services on the firewall.
Service                                         Firewall or service name.
Current                                         Current number of connections through the firewall.
Total                                           Total number of connections through the firewall.
Req-pkt                                         Number of request packets sent through the firewall.
Resp-pkt                                        Number of server response packets received from the real servers on the other side of the firewall.
State                                           State of the firewall or service.



TABLE 15 show fwlb node fields (Continued)

Field                    Description
Request packets          Number of request packets for the service.
Response packets         Number of response packets from the service.
Request bytes            Number of request bytes for the service.
Response bytes           Number of response bytes for the service.
Current connections      Current number of connections through the firewall for the service.
Persistent connections   Number of persistent connections through the firewall.
Total connections        Total number of connections to the service through the firewall.

show fwlb service-group


Description  Display statistics or configuration information for firewall service groups.
Syntax       show fwlb service-group [group-name] [config]

             Option       Description
             group-name   Specifies the firewall group name.
             config       Displays configuration information.
Mode         All
Usage        To display configuration information for the firewall group, use the config option. To display statistics instead, do not use the config option.
Example      The following command shows configuration information for firewall group fwsg:

AX#show fwlb service-group fwsg config
Service group name: fwsg   Type: firewall   Distribution: Least Conn
Member Count:2
Member2: fw1   Priority: 1
Member1: fw2   Priority: 1



Table 16 describes the fields in the command output.

TABLE 16 show fwlb service-group config fields
Field               Description
Service group name  Name of the service group.
Type                Type of service group. For FWLB, the type is firewall.
Distribution        Load-balancing method used to select firewalls in the group.
Member Count        Number of firewalls in the group.
Member1-n           Member number, assigned by the AX Series for use in this show command's output.
Priority            Priority value assigned to the firewall when it was added to the service group.

Example

The following command shows statistics for firewall group fwsg:

AX#show fwlb service-group fwsg
Service group name: fwsg
Service: fw1
  Request packets: 635567690
  Response packets: 400297636
  Request bytes: 48917119727
  Response bytes: 38054947415
  Current connections: 0
  Persistent connections: 0
  Total connections: 228870394
Service: fw2
  Request packets: 428798001
  Response packets: 276924317
  Request bytes: 32857592179
  Response bytes: 26113303646
  Current connections: 0
  Persistent connections: 0
  Total connections: 196184503

Table 17 describes the fields in the command output.

TABLE 17 show fwlb service-group fields
Field                   Description
Service group name      Name of the service group.
Service                 Firewall or service name.
Request packets         Number of request packets for the service.
Response packets        Number of response packets from the service.
Request bytes           Number of request bytes for the service.
Response bytes          Number of response bytes for the service.
Current connections     Current number of connections through the firewall for the service.
Persistent connections  Number of persistent connections through the firewall.



TABLE 17 show fwlb service-group fields (Continued)
Field              Description
Total connections  Total number of connections to the service through the firewall.

show fwlb virtual-firewall


Description
Display statistics or configuration information for a virtual firewall.

Syntax
show fwlb virtual-firewall [config]

Option  Description
config  Displays configuration information.

Mode
All

Usage
To display configuration information for the virtual firewall, use the config option. To display statistics instead, do not use the config option.

Example
The following command shows configuration information for a virtual firewall:

AX#show fwlb virtual-firewall config
Total Number of Virtual Services configured: 1
Virtual Firewall Name
------------------------------------------------
default
  member0:fwsg 80/tcp
  HA conn mirror enabled

Table 18 describes the fields in the command output.

TABLE 18 show fwlb virtual-firewall config fields
Field                                        Description
Total Number of Virtual Services configured  Total number of services configured on the virtual firewall. If no individual service ports were configured, the number is 1.
Virtual Firewall Name                        Name of the virtual firewall.
Member0-n                                    Service group and service port bound to the virtual firewall.
HA conn mirror                               State of connection mirroring for the virtual firewall or individual service port.



Example
The following command shows statistics for a virtual firewall:

AX#show fwlb virtual-firewall
Total Number of Virtual Services configured: 1
Virtual Firewall Name
                        Current     Total       Request   Response
Service-Group  Service  connection  connection  packets   packets
-----------------------------------------------------------------------------
default
fwsg           80/tcp   0           425054897   10643656  6772219
Total received conn attempts on this port: 0

Table 19 describes the fields in the command output.

TABLE 19 show fwlb virtual-firewall fields
Field                                        Description
Total Number of Virtual Services configured  Total number of services configured on the virtual firewall. If no individual service ports were configured, the number is 1.
Virtual Firewall Name                        Name of the virtual firewall.
Service-Group                                Firewall service group bound to the virtual firewall or service.
Service                                      Service port number and transport protocol, TCP or UDP.
Current connection                           Current number of connections through the firewall to the service.
Request packets                              Number of request packets sent through the firewall to the service.
Response packets                             Number of response packets received through the firewall from the service.

show gslb cache


Description
Show the DNS messages cached on the GSLB AX device. The GSLB AX device caches DNS replies if either of the following GSLB policy options is enabled:
- DNS caching
- Active RTT metric (if the single-shot option is used)

Syntax

show gslb cache [service-name ...] [zone zone-name]



Option        Description
zone-name     Displays cached DNS messages for the specified zone.
service-name  Displays cached DNS messages for the specified service.

Mode
All

Example
The following command displays cached DNS messages for service www.testme.com:http:

AX#show gslb cache www.testme.com:http
QD = Question Records, AN = Answer Records
NS = Authority Records, AR = Additional Records
Flag = DNS Flag, Len = Cache Length
A = Authoritative Answer, D = Recursion Desired
R = Recursion Available
Zone: testme.com
Service              Alias  Len  TTL   Flag  QD  AN  NS  AR
---------------------------------------------------------------------------
www.testme.com:http         96   3055  DR    1   4   0   0

Table 20 describes the fields in the command output.

TABLE 20 show gslb cache fields
Field    Description
Zone     GSLB zone name.
Service  GSLB service.
Alias    Alias, if configured, that maps to the DNS Canonical Name (CNAME) for the service.
Len      Length of the DNS message, in bytes.
TTL      Number of seconds for which the cached message is still valid.


show gslb geo-location


Description
Show the status of GSLB geo-location mappings.

Syntax
show gslb geo-location
{
[db [geo-location-name]
[[statistics] ip-range range-start range-end]
[[statistics] depth num]
[[statistics] directory num]
[[statistics] top num [percent [global]]]
[statistics]]
[file [file-name]]
[ip ipaddr]
[rtt
[passive [geo-location-name ...] [site site-name] [depth num] |
[active [geo-location-name ...] [site site-name] [depth num] |
[both [geo-location-name ...] [site site-name] [depth num]]

Option        Description
db [options]  Displays the geo-location database. If you specify a geo-location name, only the entries for that geo-location are shown. Otherwise, entries for all geo-locations are shown.
              ip-range  Displays entries for the specified IP address range.
              depth num  Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.
              directory num  Please contact A10 Networks for information.
              top num [percent [global]]  Please contact A10 Networks for information.
              statistics  Displays client statistics for the specified geo-location.



file [file-name]  Displays the geo-location database files on the AX device, and their load status. (Data from a geo-location database file does not enter the geo-location database until you load the file. See gslb geo-location load on page 433.)
ip ipaddr         Displays geo-location database entries for the specified IP address.
rtt [options]     Displays RTT data for geo-locations. You can use the following options:
                  passive  Displays data for passive RTT.
                  active  Displays data for active RTT.
                  both  Displays data for passive RTT and active RTT.
                  geo-location-name  Displays RTT data only for the specified GSLB geo-location.
                  site site-name  Displays RTT data only for the specified GSLB site.
                  depth num  Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.

Mode
All

Usage
The matched client IP address and the hits counter indicate the working status of the geo-location configuration.

Example
The following command shows the status of a geo-location named pc:

AX#show gslb geo-location pc
Last = Last Matched Client, Hits = Count of Client matched
Sub = Count of Sub Geo-location
T = Type, G(global)/P(policy), P-Name = Policy name
Geo-location: pc
From     To         Last     Hits  Sub  T  P-Name
-----------------------------------------------------------------------------
1.2.2.0  1.2.2.255  (empty)  0     0    P  default



Table 21 describes the fields in the command output.

TABLE 21 show gslb geo-location fields
Field         Description
Geo-location  Name of the geo-location.
From          Beginning address in the address range assigned to the geo-location.
To            Ending address in the address range assigned to the geo-location.
Last          Client IP address that most recently matched the geo-location. If the value is empty, no client addresses have matched.
Hits          Total number of client IP addresses that have matched the geo-location.
Sub           Number of sublocations within the geo-location. For example, if you configure the following geo-locations, geo-location pc has two sublocations, pc.office and pc.lab.
              geo-location pc 10.1.0.0 mask /16
              geo-location pc.office 10.1.1.0 mask /24
              geo-location pc.lab 10.1.2.0 mask /24
T             Type of geo-location:
              G  The geo-location is configured at the global level in the AX Series configuration.
              P  The geo-location is configured within a GSLB policy.
P-Name        Name of the GSLB policy where the geo-location is configured.

Example

The following command shows the load status information for a geo-location database file:

AX(config)#show gslb geo-location file test1
T = T(Template)/B(Built-in), Per = Percentage of loading
Filename  T  Template  Per  Lines  Success  Error
------------------------------------------------------------------------------
test1     T  t1        98%  11     10       0

Example

The following command displays entries in the geo-location database:

AX(config)#show gslb geo-location db
Last = Last Matched Client, Hits = Count of Client matched
T = Type, Sub = Count of Sub Geo-location
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)
Global



Name  From         To             Last     Hits  Sub  T
------------------------------------------------------------------------------
NA    (empty)      (empty)        (empty)  0     1    G
Geo-location: NA, Global
Name  From         To             Last     Hits  Sub  T
------------------------------------------------------------------------------
US    (empty)      (empty)        (empty)  0     10   GS
Geo-location: NA.US, Global
Name  From         To             Last     Hits  Sub  T
------------------------------------------------------------------------------
      69.26.125.0  69.26.125.255  (empty)  0     0    GR
      69.26.126.0  69.26.126.255  (empty)  0     0    GR
      69.26.127.0  69.26.127.255  (empty)  0     0    GR
...

show gslb ip-list


Description
Display information for GSLB IP lists.

Syntax
show gslb ip-list [ brief | list-name | id num | ip ipaddr | statistics ]

Mode
All

show gslb memory


Description
Display memory allocation information for GSLB.

Syntax
show gslb memory [mem-loc-id [...]] [interval seconds]

Mode
All


show gslb policy


Description
Show GSLB metric settings for GSLB policies.

Syntax
show gslb policy [policy-name]

Mode
All

Example
The following command shows the configuration of GSLB policy www:

AX#show gslb policy www
Policy name: www
MO = Metric Order, En-Value = Enabled or Value
Type            | MO| Option      | En-Value | Description
================================================================================
DNS             |   | action      | no       | Action
                |   | active-only | no       | Only return active service-IP(s)
                |   | best-only   | no       | Only return best service-IP(s)
                |   | cname-detect| yes      | Apply policy on CNAME records
                |   | external-ip | yes      | Return external IP
                |   | IPv6 Mapping| no       |
                |   | IPv6 Mix    | no       | Both IPv6 and IPv6 Server
                |   | IPv6 Smart  | no       | Return IPv6 Server by Qeury Type
                |   | ip-replace  | no       | Replace DNS server's service-IPs
                |   | GL-alias    | no       | Return CNAME Records by Geo-loc
                |   | GL-action   | no       | Action by Geo-location
                |   | GL-policy   | no       | Policy by Geo-location
                |   | Bak-alias   | no       | Return Alias when fail
                |   | cache       | no       | Cache DNS proxy response
                |   | addition-mx | no       | Addition MX Records
                |   | server      | no       | Run GSLB in DNS server mode
                |   | sticky      | no       | Stick to DNS Record
                |   | ttl         | 10       | TTL value, unit: sec
                |   | Log         | global   | DNS Logging
--------------------------------------------------------------------------------
Metric          |   | Force-Check | no       | Check Service-IP for all metrics
                |   | Fail-Break  | no       | Break if no valid service-IP
--------------------------------------------------------------------------------
health-check    | 1 |             | yes      | Service-IP's health
geographic      | 8 |             | yes      | Geographic
round-robin     | 15|             | yes      | Round robin selection
--------------------------------------------------------------------------------
weighted-ip     | 2 |             | no       | Service-IP's weight
                |   | total-hits  | no       | Weighed IP by total hits
weighted-site   | 3 |             | no       | Site's weight
                |   | total-hits  | no       | Weighed Site by total hits
capacity        | 4 |             | no       | Session capacity of SLB device
                |   | threshold   | 90       | Threshold of session capacity
                |   | fail-break  | no       | Break when exceed threshold
active-servers  | 5 |             | no       | Active servers of SLB device
                |   | fail-break  | no       | Break when no active server
passive-rtt     | 6 |             | no       | Passive Round trip time
                |   | tolerance   | 10       | RTT tolerance
                |   | difference  | 0        | RTT Difference



                |   | samples     | 5        | Count of RTT samples
                |   | limit       | 16383    | Limit of usable RTT
                |   | fail-break  | no       | Break when no valid RTT
active-rtt      | 7 |             | no       | Active Round trip time
                |   | tolerance   | 10       | RTT tolerance
                |   | difference  | 0        | RTT Difference
                |   | samples     | 5        | Count of RTT samples
                |   | limit       | 16383    | Limit of usable RTT
                |   | fail-break  | no       | Break when no valid RTT
                |   | single-shot | no       | Wait for A-RTT Samples
                |   | timeout     | 3        | Timeout of single-shot
                |   | skip        | 3        | Skip query if no samples
                |   | keep-track  | no       | Keep tracking clients
                |   | ignore-id   | no       | Ignore IP Address by group ID
connection-load | 9 |             | no       | Service-IP's connection load
                |   | limit       | unlimit  | Limit of connection load
                |   | fail-break  | no       | Break when exceed limit
                |   | number      | 5        | Number of conn-load samples
                |   | interval    | 5        | Interval between two samples
num-session     | 10|             | no       | Session number of SLB device
                |   | tolerance   | 10       | Tolerance of session number
admin-preference| 11|             | no       | Admin preference of SLB device
bw-cost         | 12|             | no       | Cost of Bandwidth
                |   | fail-break  | no       | Break when exceed limit
least-response  | 13|             | no       | Least response service-IP
ordered-ip      | 14|             | no       | Service-IPs' order
                |   | top-only    | no       | Highest priority server only
--------------------------------------------------------------------------------
alias-admin-pf  |   |             | no       | Admin preference of alias name
weighted-alias  |   |             | no       | Weight of alias name
--------------------------------------------------------------------------------
geo-location    |   | match-first | global   | Geo-location table to use first
                |   | overlap     | no       | Geo-location overlap matching

Table 22 describes the fields in the command output.

TABLE 22 show gslb policy fields
Field        Description
Policy name  Name of the GSLB policy.
Type         Name of the GSLB metric.
MO           For GSLB metrics, indicates the order in which the metrics are used.
Option       Metric or option name.
En-Value     For metrics, indicates whether they are enabled (yes or no). For options, indicates the value.
Description  Description of the metric or option.


show gslb protocol


Description
Show the status of the GSLB protocol on the GSLB AX Series and the SLB devices (site AX Series).

Syntax
show gslb protocol [[geo-location-name] port portnum]

Mode
All

Example
The following command shows GSLB protocol status information on an AX device acting as a GSLB controller:

AX#show gslb protocol
Passive RTT is disabled, required by 0 controller(s).
GSLB site: aapg
slb-dev: ax (127.0.0.1) Established
Session ID: 26702
Connection succeeded:    1     |Connection failed:          0
Open packet sent:        1     |Open packet received:       1
Open session succeeded:  1     |Open session failed:        0
Sessions Dropped:        0     |Update packet received:     34411
Keepalive packet sent:   1408  |Keepalive packet received:  1407
Notify packet sent:      0     |Notify packet received:     0
Message Header Error:    0
GSLB site: abc
slb-dev: ax1 (127.0.0.2) Established
Session ID: 65410
Connection succeeded:    1     |Connection failed:          0
Open packet sent:        1     |Open packet received:       1
Open session succeeded:  1     |Open session failed:        0
Sessions Dropped:        0     |Update packet received:     34411
Keepalive packet sent:   1408  |Keepalive packet received:  1407
Notify packet sent:      0     |Notify packet received:     0
Message Header Error:    0
...


show gslb rtt


Description
Show RTT data.

Syntax
show gslb rtt
[geo-location
[passive [geo-location-name ...] [site site-name] [depth num] |
[active [geo-location-name ...] [site site-name] [depth num] |
[both [geo-location-name ...] [site site-name] [depth num]]
[slb-device
[passive [geo-location-name ...] [ip ipaddr [...]]] |
[active [geo-location-name ...] [ip ipaddr [...]]] |
[both [geo-location-name ...] [ip ipaddr [...]]] |
[local-info]

Option           Description
geo-location     Displays RTT data based on geo-location.
slb-device       Displays RTT data based on SLB device.
local-info       Displays local RTT data on a site AX device.
passive          Displays data for passive RTT.
active           Displays data for active RTT.
both             Displays data for passive RTT and active RTT.
site site-name   Displays RTT data only for the specified GSLB site.
depth num        Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.
ip ipaddr [...]  Displays RTT data only for the specified clients.

Mode
All



Usage
All of the options except local-info are applicable when you enter the command on a GSLB AX device. To display local RTT data on a site AX device, enter the command on the site AX device and use the local-info option.

Example
Here is an example of the output for this command when entered on the GSLB AX device:

AX#show gslb rtt
TTL = Time to live(Unit: min), T = Type, A(active)/P(passive)
Device: site1/remote
IP              TTL  T|  1   2   3   4   5   6   7   8
10.10.10.2      10   A|  0   0   0   0   0   0   0   0
20.20.20.21     10   A|  41  40  29  46  38  42  34  30
192.168.217.1   10   A|  38  54  46  50  43  38
192.168.217.11  10   A|  41  40  29  46  38  42  34  30
------------------------------------------------------------------------------
Device: site2/local
IP              TTL  T|  1   2   3   4   5   6   7   8
10.10.10.2      10   A|  35  52  35  40  54  56  44  48
20.20.20.21     10   A|  20  20  16  16  20  16  20  18
192.168.217.1   10   A|  16  44  20  16  20  18
192.168.217.11  10   A|  20  20  16  16  20  16  20  18
------------------------------------------------------------------------------
T = Type: A(active)/P(passive), TS = Time Stamp(unit: min)
Geo-location  Site   T  RTT  TS
cn.sh         site1  A  38   10
              site2  A  18   10
cn.bj         site1  A  30   10
              site2  A  18   10
jp            site1  A  30   10
              site2  A  18   10
us            site1  A  0    10
              site2  A  48   10
------------------------------------------------------------------------------

This example shows the default display (with no additional options). The TTL results are organized by site AX device, then by geo-location.



Table 23 describes the fields in the command output.

TABLE 23 show gslb rtt fields
Field         Description
Device        Site AX device.
IP            IP address at the other end of the RTT exchange.
TTL           Time-to-live for the RTT entry.
T             RTT type:
              A  Active RTT, which measures the round-trip-time for a DNS query and reply between a site AX device and the GSLB local DNS.
              P  Passive RTT, which measures the round-trip-time between when the site AX device receives a client's TCP connection (SYN) and the time when the site AX device receives acknowledgement (ACK) back from the client for the connection.
1-8           Individual TTL measurements. RTTs are measured in seconds.
Geo-location  Geo-location name for which RTT measurements have been taken.
Site          GSLB site name within the geo-location.
T             RTT type. (See descriptions above.)
RTT           Individual TTL measurements. RTTs are measured in seconds.
TS            System time stamp of the RTT measurement.

show gslb samples conn


Description
Show the number of connections that are currently on a virtual port.

Syntax
show gslb samples conn {service-name | vipaddr} port-num [range-start] [range range-start range-end]

Option                  Description
service-name | vipaddr  Specifies the service name or service IP.
port-num                Specifies the virtual port.
range-start             Specifies the range start.



range range-start range-end  Collects samples only for the specified range of service port numbers.

Mode
All

Usage
The number of connections on the site is sampled based on the GSLB status interval. (This is configurable using the gslb protocol command. See gslb protocol on page 436.) Samples are listed row by row. The first 7 samples appear on row 1, the second 7 samples appear on row 2, and so on. If you disable the GSLB protocol, the data is cleared.

Example

The following example shows connection activity for virtual port 80 on virtual server china.

AX#show gslb samples conn china 80 0
     |  1      2      3       4      5      6      7
----------------------------------------------------------------------------
1    |  15000  25000  35000   45000  55000  65000  75000
2    |  85000  95000  105000

show gslb samples conn-load


Description
Show the number of connections on each virtual server.

Syntax
show gslb samples conn-load num-samples interval [service-name | vipaddr] [port-num]

Option                  Description
num-samples             Number of connection-load samples to collect and display.
num-samples             Number of seconds to wait between collection of each sample.
service-name | vipaddr  Collects samples only for the specified service IP.
port-num                Collects samples only for the specified service port number.

Mode
All



Example
The following command shows 5 connection-load samples, collected at 5-second intervals:

AX#show gslb samples conn-load 5 5
ip1:80, average is: 36
     |  1    2    3    4    5    6    7
----------------------------------------------------------------------------
1    |  0    0    11   1    168
ip2:80, average is: 38
     |  1    2    3    4    5    6    7
----------------------------------------------------------------------------
1    |  0    0    22   2    168
ip3:80, average is: 60
     |  1    2    3    4    5    6    7
----------------------------------------------------------------------------
1    |  120  0    0    0    180
ip4:80, average is: 86
     |  1    2    3    4    5    6    7
----------------------------------------------------------------------------
1    |  240  0    0    0    192

In this example, five samples, taken at 5-second intervals, are shown for each of four services (ip1:80 to ip4:80). The services are listed by service IP and service port. In each section, the numbers across the top are column numbers. The numbers along the leftmost column are row numbers. The other numbers are the actual connection load data. For example, for ip1:80 (service port 80 on service IP ip1), there were no connections during the first or second data samples, and 11 connections during the third sample.
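The row-and-column layout described above lends itself to scripted monitoring. The following Python parser is an added example, not part of the A10 manual: it reads show gslb samples conn-load output into per-service sample lists, checks each reported average against the samples, and locates the peak sample by row and column. The function names are hypothetical, the column spacing of the embedded sample is an assumption, and treating the reported average as the rounded-down mean is an inference from this one example output.

```python
import re

# Constructed sample: the values are those of the example output above; the
# column spacing is an assumption, since the page layout is not preserved.
SAMPLE_OUTPUT = """\
AX#show gslb samples conn-load 5 5
ip1:80, average is: 36
     |  1    2    3    4    5    6    7
----------------------------------------------------------------------------
1    |  0    0    11   1    168
ip2:80, average is: 38
     |  1    2    3    4    5    6    7
----------------------------------------------------------------------------
1    |  0    0    22   2    168
ip3:80, average is: 60
     |  1    2    3    4    5    6    7
----------------------------------------------------------------------------
1    |  120  0    0    0    180
ip4:80, average is: 86
     |  1    2    3    4    5    6    7
----------------------------------------------------------------------------
1    |  240  0    0    0    192
"""

SAMPLES_PER_ROW = 7  # the manual lists samples seven to a row
SERVICE_RE = re.compile(r"^(\S+:\d+), average is: (\d+)\s*$")
# A data row starts with its row number; the column-header line has no
# number before the "|" and therefore does not match.
ROW_RE = re.compile(r"^\s*(\d+)\s*\|((?:\s+\d+)+)\s*$")


def parse_conn_load(text):
    """Return {service: {"average": int, "samples": [int, ...]}} in sample order."""
    services = {}
    current = None
    for line in text.splitlines():
        header = SERVICE_RE.match(line)
        if header:
            current = {"average": int(header.group(1 + 1)), "samples": []}
            services[header.group(1)] = current
            continue
        row = ROW_RE.match(line)
        if row and current is not None:
            values = [int(v) for v in row.group(2).split()]
            expected_row = len(current["samples"]) // SAMPLES_PER_ROW + 1
            if int(row.group(1)) != expected_row or len(values) > SAMPLES_PER_ROW:
                raise ValueError("unexpected row layout: %r" % line)
            current["samples"].extend(values)
    return services


def sample_position(index):
    """Map a 1-based sample number to its (row, column) in the display."""
    return ((index - 1) // SAMPLES_PER_ROW + 1, (index - 1) % SAMPLES_PER_ROW + 1)


def summarize(services):
    """Per service: does the reported average match, and where is the peak?"""
    summary = {}
    for name, data in services.items():
        samples = data["samples"]
        if not samples:
            continue
        peak = max(samples)
        summary[name] = {
            # Assumption: the device reports the mean rounded down.
            "average_matches": sum(samples) // len(samples) == data["average"],
            "peak": peak,
            "peak_position": sample_position(samples.index(peak) + 1),
        }
    return summary


if __name__ == "__main__":
    for service, info in summarize(parse_conn_load(SAMPLE_OUTPUT)).items():
        print(service, info)
```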


show gslb samples rtt


Description
Show the round-trip time (RTT) between the GSLB AX Series and a client.

Syntax
show gslb samples rtt
[geo-location-name
[passive [geo-location-name ...] [site site-name] [depth num] |
[active [geo-location-name ...] [site site-name] [depth num] |
[both [geo-location-name ...] [site site-name] [depth num]]
[slb-device
[passive [geo-location-name ...] [site site-name] [depth num] |
[active [geo-location-name ...] [site site-name] [depth num] |
[both [geo-location-name ...] [site site-name] [depth num]]
[local-info]

Option             Description
geo-location-name  Displays RTT data only for the specified GSLB geo-location.
slb-device         Displays RTT data only for the specified SLB device.
local-info         Displays local RTT data on a site AX device.
passive            Displays data for passive RTT.
active             Displays data for active RTT.
both               Displays data for passive RTT and active RTT.
site site-name     Displays RTT data only for the specified GSLB site.
depth num          Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed.

Mode
All


Usage
Eight RTT samples are displayed for each device. Times are shown in 10-millisecond (ms) increments. In the example below, the first RTT time for Device1 is 50 ms. If you disable the GSLB protocol, the data is cleared.

show gslb service


Description
Show the configuration information for services.

Syntax
show gslb service {cache | dns-a-record | dns-cname-record | dns-mx-record | dns-ns-record | dns-ptr-record | dns-srv-record | session} [service-name ...] [zone zone-name] [ip ipaddr {subnet-mask | /mask-length}]

Option                                    Description
cache                                     Displays service information in the GSLB DNS cache.
dns-a-record                              Displays Address records for GSLB services.
dns-cname-record                          Displays CNAME records for GSLB services.
dns-mx-record                             Displays MX records for GSLB services.
dns-ns-record                             Displays name server records for GSLB services.
dns-ptr-record                            Displays pointer records for GSLB services.
dns-srv-record                            Displays service records for GSLB services.
session                                   Displays current GSLB sessions for services.
service-name                              Specifies a service name.
zone zone-name                            Specifies a zone name.
ip ipaddr {subnet-mask | /mask-length}    Specifies a client host or subnet address. (This option applies only to the session option.)

Mode
All



Example
The following example shows CNAME information for zone a10.com:

AX#show gslb service dns-cname-record a10.com
Zone: a10.com
Alias = Alias Name, Geoloc = Geo-location
G-Geoloc = Matched Global Geo-location
P-Geoloc = Matched Policy Geo-location
Service   Alias         Geoloc  G-Geoloc  P-Geoloc
------------------------------------------------------------------------------
http:www  http.a10.com  pc1     (empty)   (empty)
ftp:ftp   ftpp.a10.com  pc1     (empty)   pc1

show gslb service-ip


Description
Shows information for a GSLB service.

Syntax
show gslb service-ip {service-name | vipaddr | local-info}

Option                  Description
service-name | vipaddr  Specifies the service name or VIP address.
local-info              Shows local SLB virtual-server information.

Example
The following command shows information for the beijing service:

AX#show gslb service-ip beijing
V = Is Virtual server, E = Enabled
P-Cnt = Count of Service Ports
Service-IP        IP        V  E  State  P-Cnt  Hits
------------------------------------------------------------------------------
:Device1:beijing  2.1.1.10  Y  Y  UP     3      0

Table 24 describes the fields in the command output.

TABLE 24 show gslb service-ip fields
Field       Description
Service-IP  Device name and service IP name.
IP          IP address of the service.
V           Indicates whether the service IP is a virtual server IP address (Y) or a real server IP address (N).
E           Indicates whether the service IP is enabled.
State       Indicates the service IP state: UP or DOWN.
P-Cnt       Number of service ports on the service IP.
Hits        Number of times the service IP has been selected.


show gslb service-port


Description
Show information about the GSLB service ports configured on the sites.

Syntax
show gslb service-port [local-info]

Option      Description
local-info  Shows local SLB virtual-port information.

Mode
All

Example
The following command shows information about all the configured GSLB service ports.

AX#show gslb service-port
Attrs = Attributes, Act-Svrs = Active Real Servers
Curr-Conn = Current Connections
D = Disabled, P = GSLB Protocol, L = Local Protocol
Service-Port      Attrs  State  Act-Svrs  Curr-Conn
------------------------------------------------------------------------------
10.77.27.222:80   L      DOWN   0         0
10.10.10.1:80            DOWN   0         0
67.67.6.84:80            UP     1         0
67.67.6.82:21            UP     1         0
192.168.100.6:80         DOWN   0         0

Table 25 describes the fields in the command output.

TABLE 25 show gslb service-port fields
Field         Description
Service-Port  Service IP address and service port number.
Attrs         Indicates whether the service port is reached using the GSLB protocol or the local (SLB) protocol.
State         Indicates the service state: UP or DOWN.
Act-Svrs      Number of active real servers for the service.
Curr-Conn     Current number of connections to the service.

show gslb session


Description
Show cached GSLB policy selections. Selections are cached on a zone:service basis. While a cached GSLB policy selection is valid (that is, before it ages out), the cached selection is used for subsequent requests from the same client for the same zone and service.


Syntax
show gslb session [service-name ...] [zone zone-name] [ip ipaddr {subnet-mask | /mask-length}]

Option                                    Description
service-name                              Specifies a service name.
zone zone-name                            Specifies a zone name.
ip ipaddr {subnet-mask | /mask-length}    Specifies a client host or subnet address.

Mode
All

Example
The following example shows GSLB sessions:

AX#show gslb session
Best = Best Service-IP for sticky
TTL = DNS TTL, Time until next query(unit: min)
Upd = Update Time(unit: sec), Init = Init Time(unit: sec)
Service: www.abc.com:http
Total Number of Sessions: 1
Client          Best          Mode    Hits  TTL         Upd   Init
------------------------------------------------------------------------------
192.168.217.11  10.10.10.100  Server  2     71582784    1364  1364
Service: www.xyz.com:http
Total Number of Sessions: 1
Client          Best          Mode    Hits  TTL         Upd   Init
------------------------------------------------------------------------------
192.168.217.11  10.10.10.100  Cache   2     57          1397  1396
Service: www.a10.com:http
Total Number of Sessions: 1
Client          Best          Mode    Hits  TTL         Upd   Init
------------------------------------------------------------------------------
192.168.217.11  10.10.10.100  Proxy   2     59          1521  1521
Service: ftp.a10.com:ftp
Total Number of Sessions: 1
Client          Best          Mode    Hits  TTL         Upd   Init
------------------------------------------------------------------------------
192.168.217.11  10.10.10.102  Proxy   2     WAIT_QUERY  1615  1614

In this example, there is 1 client session with the HTTP service on www.testme.com.

Table 26 describes the fields in the command output.

TABLE 26 show gslb session fields
Field    Description
Client   Client IP address.
Best     IP address selected by the GSLB policy as the best address.
Mode     DNS mode in use for the session and can contain one of the following values:
         Proxy: The GSLB AX device is configured to be a DNS proxy for the service. The GSLB AX device intercepts DNS queries for the zone and service, sends them to the DNS server, and modifies the replies to contain the best IP address based on the GSLB policy, before sending the replies to clients.
         Note: This is the default DNS mode, which takes effect after the DNS proxy is configured on the GSLB AX device.
         Cache: The GSLB AX device is configured to cache DNS replies. This mode is enabled by the DNS cache option in the GSLB policy.
         Server: The GSLB AX device is configured to directly reply to DNS queries for the GSLB zone, without sending the queries to an external DNS server. This mode is enabled by the DNS cache option in the GSLB policy.
Hits     Number of times the cache entry was used to direct the client's request for the zone and service to the address in the Best column.
TTL      Number of seconds for which the cached selection entry is still valid. In Proxy mode, this column displays the DNS TTL configured from the DNS server. If the TTL is less than 1 minute, WAIT_QUERY is displayed. In Server mode, the value can be quite large. This is normal.
Upd      Number of seconds between startup of the GSLB process (TS = 0) and the most recent use of the cache entry (the most recent Hit).
Init     Number of seconds between startup of the GSLB process (TS = 0) and initialization of this session.
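The following parser for the show gslb session output is an added example, not part of the original manual or of A10 software. It reads the per-service blocks, handles the WAIT_QUERY value in the TTL column, and reports cached selections whose Best address is not in an operator-supplied list of expected service IPs. The column spacing of the sample text and the expected-address list are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Sample text: the example output from this page, with column spacing
# reconstructed (the exact spacing on a real device is an assumption).
SAMPLE = """\
Service: www.abc.com:http
Total Number of Sessions: 1
Client           Best           Mode    Hits  TTL         Upd   Init
------------------------------------------------------------------------------
192.168.217.11   10.10.10.100   Server  2     71582784    1364  1364
Service: www.xyz.com:http
Total Number of Sessions: 1
Client           Best           Mode    Hits  TTL         Upd   Init
------------------------------------------------------------------------------
192.168.217.11   10.10.10.100   Cache   2     57          1397  1396
Service: www.a10.com:http
Total Number of Sessions: 1
Client           Best           Mode    Hits  TTL         Upd   Init
------------------------------------------------------------------------------
192.168.217.11   10.10.10.100   Proxy   2     59          1521  1521
Service: ftp.a10.com:ftp
Total Number of Sessions: 1
Client           Best           Mode    Hits  TTL         Upd   Init
------------------------------------------------------------------------------
192.168.217.11   10.10.10.102   Proxy   2     WAIT_QUERY  1615  1614
"""

SERVICE_RE = re.compile(r"^Service:\s*(\S+)$")
# Mode is one of the three values listed in Table 26; TTL is a number or
# the literal WAIT_QUERY.
ROW_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<best>\S+)\s+(?P<mode>Proxy|Cache|Server)\s+"
    r"(?P<hits>\d+)\s+(?P<ttl>\d+|WAIT_QUERY)\s+(?P<upd>\d+)\s+(?P<init>\d+)$"
)


def _is_ip(token: str) -> bool:
    """True when the token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_gslb_sessions(text: str) -> List[Dict[str, object]]:
    """Return one dict per cached selection, tagged with its zone:service."""
    sessions: List[Dict[str, object]] = []
    service: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        svc = SERVICE_RE.match(line)
        if svc:
            service = svc.group(1)
            continue
        row = ROW_RE.match(line)
        if not row or service is None:
            continue  # legend, header, separator and counter lines
        if not (_is_ip(row["client"]) and _is_ip(row["best"])):
            continue
        waiting = row["ttl"] == "WAIT_QUERY"
        sessions.append({
            "service": service,
            "client": row["client"],
            "best": row["best"],
            "mode": row["mode"],
            "hits": int(row["hits"]),
            "ttl": None if waiting else int(row["ttl"]),
            "wait_query": waiting,
            "upd": int(row["upd"]),
            "init": int(row["init"]),
        })
    return sessions


def unexpected_best(sessions: List[Dict[str, object]],
                    expected: Dict[str, Set[str]]) -> List[Dict[str, object]]:
    """Sessions whose Best address is not an expected service IP.

    `expected` maps zone:service to the service IPs the operator has
    configured (hypothetical input, maintained outside the device).
    """
    return [s for s in sessions
            if s["best"] not in expected.get(s["service"], set())]


if __name__ == "__main__":
    # Constructed allow-list for the demonstration only.
    allow = {
        "www.abc.com:http": {"10.10.10.100"},
        "www.xyz.com:http": {"10.10.10.100"},
        "www.a10.com:http": {"10.10.10.100"},
        "ftp.a10.com:ftp": {"10.10.10.101"},
    }
    for s in unexpected_best(parse_gslb_sessions(SAMPLE), allow):
        print(s["service"], s["client"], "->", s["best"])
```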

show gslb site

Description
Show GSLB site information.

Syntax
show gslb site [site-name ...] [bw-cost] [statistics]

Option       Description
site-name    Displays information only for the specified site.
bw-cost      Displays bw-cost information.
statistics   Displays statistics.

Mode
All

Example
The following command shows information for GSLB site Site1:

AX#show gslb site Site1
Site    Device/server       VIP         Vport   State   Hits
-------------------------------------------------------------------
Site1   Device1 (device)    2.1.1.10            Up      0
        1.2.2.2                         21      Up
                                        23      Up
                                        80      Up
                            2.1.1.11            Up      0
                                        21      Up
                                        80      Up
                            2.1.1.12            Up      0
                                        21      Up
                                        23      Up
                                        80      Up
        serverB (server)                        Up      0
        3.1.1.10                        80      Up

Table 27 describes the fields in the command output.

TABLE 27 show gslb site fields
Field           Description
Site            GSLB site name.
Device/server   Device name and device IP address or real server name and real server IP address.
VIP             Virtual IP address for the service.
Vport           Virtual port number.
State           Virtual port state.
Hits            Number of times the service IP was selected.

Table 28 describes the fields in the command output when the bw-cost option is used.

TABLE 28 show gslb site bw-cost fields
Field      Description
Site       GSLB site name.
Template   SNMP template name.
Current    Current value of the SNMP object used for measurement.
Highest    Highest value of the SNMP object used for measurement.
Limit      Limit configured for the bw-cost metric.
U          Indicates whether the site is usable, based on the bw-cost measurement.
Type       Data type of the SNMP object.
Len        Data length of the SNMP object.
Value      Value of the SNMP object.
TI         Time interval between measurements.

Example

The following command shows GSLB site statistics:

AX#show gslb site statistics
Site    Hits   Last
-----------------------------------------------------------------------------
site1   14     2.1.1.10
site2   0      (empty)
site3   0      (empty)
site4   0      (empty)

Table 29 describes the fields in the command output when the statistics option is used.

TABLE 29 show gslb site statistics fields
Field   Description
Site    GSLB site name.
Hits    Number of times the site was selected.
Last    Site that was most recently selected.

show gslb slb-device

Description
Show information about an SLB device used by GSLB.

Syntax
show gslb slb-device [ device-name | local-info | rtt {passive [device-name ... | ip ipaddr ...] | active [device-name ... | ip ipaddr ...] | both [device-name ... | ip ipaddr ...]} ]

Option        Description
device-name   Displays information only for the specified SLB device.
local-info    Displays local SLB device information on a site SLB device.
rtt options   Displays RTT data. You can use the following options:
              passive: Displays data for passive RTT.
              active: Displays data for active RTT.
              both: Displays data for passive RTT and active RTT.
              device-name: Displays RTT data only for the specified SLB device.
              ip ipaddr: Displays RTT data only for the specified client IP address(es).

Mode
All

Example
The following command shows information about SLB device Device1:

AX#show gslb slb-device Device1
APF = Administrative Preference, Sub-Cnt = Count of Service-IPs
Sesn-Uzn = Session Utilization
Sesn-Num = Number of Available Sessions
Device          IP        APF   Sesn-Uzn  Sesn-Num  Sub-Cnt
------------------------------------------------------------------------------
site1:Device1   1.2.2.2   200   0%        0         3

Table 30 describes the fields in the command output.

TABLE 30 show gslb site fields
Field      Description
Device     Site name and device name.
IP         SLB device's IP address.
APF        Administrative preference for the device.
Sesn-Uzn   Current session utilization on the device.
Sesn-Num   Number of sessions available on the device.
Sub-Cnt    Number of service IPs on the device.

show gslb state

Description
Show GSLB state information collected by GSLB debugging.

Syntax
show gslb state

Mode
All

Usage
To collect state information, enable GSLB debugging and use the state option. (See the example below.)

Example
The following commands enable GSLB debugging with retention of state information, and initiate display of the state information:

site-ax-1(config)#debug gslb state
site-ax-1(config)#show gslb state

show gslb statistics

Description
Show statistics for the GSLB protocol, for sites, or for zones.

Syntax
show gslb statistics {message | site | zone}

Mode
All

Usage
The show gslb statistics message command shows the same output as the show gslb protocol command. Similarly, the show gslb statistics site command shows the same output as the show gslb site statistics command, and the show gslb statistics zone command shows the same output as the show gslb zone statistics command.

Example
The following command shows statistics for the GSLB protocol:

AX#show gslb statistics message
GSLB site: site1
slb-dev: remote (20.20.20.2) Established
Session ID: 40576
Connection success:     4      |Connection failure:         0
Open packet sent:       4      |Open packet received:       1
Open session success:   1      |Open session failure:       3
Dropped sessions:       0      |Update packet received:     5101
Keepalive packet sent:  1219   |Keepalive packet received:  1218
Notify packet sent:     0      |Notify packet received:     0
Message Header Error:   0      |                            0
GSLB site: site2
slb-dev: local (192.168.217.2) Established
Session ID: 104
Connection success:     1      |Connection failure:         1
Open packet sent:       1      |Open packet received:       1
Open session success:   1      |Open session failure:       0
Dropped sessions:       0      |Update packet received:     22
Keepalive packet sent:  2      |Keepalive packet received:  1
Notify packet sent:     0      |Notify packet received:     0
Message Header Error:   0      |                            0
GSLB controller: 192.168.217.2 Established
Session ID: 104
Connection success:     0      |Connection failure:         0
Open packet sent:       1      |Open packet received:       1
Open Sent               1      |Open session failure:       0
Dropped sessions:       0      |Update packet sent:         22
Keepalive packet sent:  2      |Keepalive packet received:  1
Notify packet sent:     0      |Notify packet received:     0
Message Header Error:   0      |                            0

show gslb zone

Description
Show GSLB zone information.

Syntax
show gslb zone [zone-name] [dns-mx-record] [dns-ns-record] [dns-soa-record] [statistics]

Option           Description
zone-name        Displays information only for the specified zone.
dns-mx-record    Displays the MX records for the zone(s).
dns-ns-record    Displays the name server records for the zone(s).
dns-soa-record   Displays the start-of-authority records for the zone(s).
statistics       Displays statistics for the zone(s).

Mode
All

Example
The following example shows information for zone a10.com:

AX#show gslb zone a10.com
Zone      Service    Policy   TTL
------------------------------------------------------------------------------
a10.com              www      20
          http:www   www      20
          ftp:ftp    ftp      30

Table 31 describes the fields in the command output.

TABLE 31 show gslb zone fields
Field     Description
Zone      Zone name.
Service   Service type and service name.
Policy    GSLB policy name.
TTL       DNS TTL value set by GSLB in DNS replies to queries for the zone address.

Example

The following command shows MX records for zones:

AX#show gslb zone dns-mx-record
Pri = Priority, Last = Last Server
Owner               MX-Record       Pri   Hits   Last
------------------------------------------------------------------------------
mail.abc.com:smtp   mail1.abc.com   0     0
                    mail2.xyz.com   10

Table 32 describes the fields in the command output.

TABLE 32 show gslb zone dns-mx-record fields
Field       Description
Owner       Zone and service name to which the MX record belongs.
MX-Record   Name of the MX record.
Pri         Priority (preference) set for the MX record.
Hits        Number of times the record has been used.
Last        Most recent time the record was used.

Example
The following command shows GSLB zone statistics:

AX(config-gslb zone-gslb service)#show gslb zone example.com statistics
GSLB Zone example.com:
Total Number of Services configured: 1
Rcv-query = Received Query, Sent-resp = Sent Response
M-Proxy = Proxy Mode, M-Cache = Cache Mode
M-Svr = Server Mode, M-Sticky = Sticky Mode
Service    Rcv-query  Sent-resp  M-Proxy  M-Cache  M-Svr  M-Sticky
-----------------------------------------------------------------------------
http:www   16         15         3        0        0      12
Total      16         15         3        0        0      12

Table 33 describes the fields in the command output.

TABLE 33 show gslb zone statistics fields
Field                                 Description
GSLB Zone                             Zone name.
Total Number of Services configured   Number of GSLB services configured for the zone.
Service                               Service type and service name.
Rcv-query                             Number of DNS queries received for the service.
Sent-resp                             Number of DNS replies sent to clients for the service.
M-Proxy                               Number of DNS replies sent to clients by the AX device as a DNS proxy for the service.
M-Cache                               Number of cached DNS replies sent to clients by the AX device for the service. (This statistic applies only if the DNS cache option is enabled in the policy.)
M-Svr                                 Number of DNS replies sent to clients by the AX device as a DNS server for the service. (This statistic applies only if the DNS server option is enabled in the policy.)
M-Sticky                              Number of DNS replies sent to clients by the AX device to keep the clients on the same site. (This statistic applies only if the DNS sticky option is enabled in the policy.)

show ha

Description
Show the status of each HA group. The output shows information for the AX device on which you enter the command, and the device's HA peer.

Syntax
show ha [config | detail]

Parameter   Description
config      Shows the HA configuration commands in the running-config.
detail      Shows HA statistics.

Mode
All

Example
The following command shows basic HA information:

AX#show ha
Local Unit: UP                Peer Unit: UP
HA Group   Unit    State     Priority
1          Local   Active    200
           Peer    Standby   100
2          Local   Active    255
           Peer    Standby   100

Example
The following command shows basic HA information along with HA statistics:

AX#show ha detail
Local Unit: UP                Peer Unit: UP
HA Group   Unit    State     Priority
1          Local   Active    200
           Peer    Standby   100
                   Active        Standby
Transitions        2             2
Pkts processed     559826        568
Connectivity:      Server Ports  2         Router Ports  2
HA packets:        Sent          806870    Received      397769
Conn Sync:         Sent          2039      Received      0
HA errors:
Dup HA ID          0             Invalid Group    0
Version Mismatch   0             SetId Mismatch   0
Missed Heartbeat   6             Timer Msgs       0
HA Port   Sent     Recvd    Missed Heartbeat
1         0        0        0
3         0        0        0
4         403435   0        0
5         0        0        0
6         0        0        0
9         403435   397769   6
Inline L2 HA Peer Port: 9

Misc Packet statistics:
Self packets MAC: 0   IP: 0
Packets for AX Broadcast: 0   MAC: 0   IP: 235
Active mode stats: IP 20092 Non-peer port 20821
Standby mode stats: IP 3 Non-peer port 101

Table 34 describes the fields in the command output.

TABLE 34 show ha detail fields
Field            Description
Local Unit       Shows the HA operational status of this AX device.
Peer Unit        Shows the HA operational status of the other AX device.
                 Note: If the status is Incompatible Version, the AX devices are running different software versions and the HA feature is not compatible between the two versions. This message is normal during upgrade, after one of the AX devices has been upgraded and before the other device is upgraded. If the devices are not being upgraded, it is recommended to upgrade one of the devices so that they both are running the same software version.
HA Group         Shows HA group information:
                 Unit: Indicates whether the information below is for this AX device (Local) or the other AX device (Peer).
                 State: Indicates whether the AX device is active or is a standby.
                 Priority: HA priorities configured for this group on this AX device and on its peer AX device.
Transitions      Number of times this AX device has transitioned to the active or standby state.
Pkts processed   (Inline mode only) Shows the number of packets processed by the HA inline handler when in active or standby mode.
Connectivity     Shows the number of HA interfaces designated as server or router interfaces that are currently up.
HA packets       Shows the number of HA hello (heartbeat) packets sent or received by this AX device.
Conn Sync        Shows the number of HA connection synchronization (session mirroring) packets sent or received by this AX device.

TABLE 34 show ha detail fields (Continued)
Field                    Description
HA errors                Shows HA error statistics:
                         Dup HA ID: Number of incoming HA hello (heartbeat) packets that had the same HA ID as the HA ID of this AX device (the local AX device).
                         Invalid Group: Number of incoming HA hello packets that had an invalid group ID.
                         Version Mismatch: Number of incoming HA hello packets that had a packet version mismatch.
                         SetId Mismatch: Number of incoming HA hello packets that had an HA set ID mismatch.
                         Missed Heartbeat: Total number of heartbeat (hello) packets expected from the peer HA device that were not received.
                         Timer Msgs: Number of times HA internal timers detected a variance.
HA Port                  Shows statistics for each HA interface:
                         Sent: Number of hello (heartbeat) messages sent on the interface.
                         Recvd: Number of hello messages received on the interface.
                         Missed Heartbeat: Number of hello messages that were expected to be received on the interface but that did not arrive.
Inline L2 HA Peer Port   (Inline mode only) Shows the interface number used to communicate with the peer HA device.
Misc Packet statistics   These fields show internal statistics used by A10 Customer Support.
Active mode stats
Standby mode stats

Example

The following command shows the HA commands in the running-config:

AX#show ha config
ha id 1
ha group 1 priority 255
ha group 2 priority 255
ha time-interval 3
ha preemption-enable
ha conn-mirror ip 172.22.66.2

show ha mac

Description
Show the virtual MAC addresses associated with HA groups.

Syntax
show ha mac

Mode
All

Usage
The following command shows the virtual MAC addresses for configured HA groups 1 and 2:

AX#show ha mac
HA Group   MACs
1          021f.a000.0021
2          021f.a000.0022

show health

Description
Show status information for health monitors.

Syntax
show health {monitor [name] | external [name] | postfile [name] | stat} [all-partitions | partition name]

Parameter         Description
monitor [name]    Shows configuration settings and status for the specified health monitor.
external [name]   Shows configuration settings for the specified external health monitoring program.
postfile [name]   Shows the files used for POST requests in HTTP/HTTPS health checks.
stat              Shows health monitoring statistics. The statistics apply to all health monitoring activity on the AX Series device.

Mode
All

Usage
To display health monitor information for a specific Role-Based Administration (RBA) partition only, use the partition name option.

Example
The following command shows configuration settings and status for health monitor ping:

AX#show health monitor ping
Monitor Name:   ping
Interval:       30
Max Retry:      3
Timeout:        5
Status:         In use
Method:         ICMP

The output shows the method used for the monitor, and the settings for each of the parameters that are configurable for that method.

Example
The following command shows the configuration settings of external health monitoring program http.tcl:

AX#show health external http.tcl
External Program     Description
http.tcl             check http method
!!! Content Begin !!!
set ax_env(Result) 1
# Open a socket
if {[catch {socket $ax_env(ServerHost) $ax_env(ServerPort)} sock]} {
    puts stderr "$ax_env(ServerHost): $sock"
} else {
    fconfigure $sock -buffering none -eofchar {}
    # Send the request
    puts $sock "GET / HTTP/1.0\n"
    # Wait for the response from http server
    set line [read $sock]
    if { [ regexp "HTTP/1.. (\[0-9\]+) " $line match status] } {
        puts "server $ax_env(ServerHost) response : $status"
    }
    close $sock
    # Check exit code
    if { $status == 200 } {
        set ax_env(Result) 0
    }
}
!!! Content End !!!

Example
The following command shows health monitoring statistics:

AX#show health stat
Health monitor statistics
Total run time:              : 2 hours 1345 seconds
Number of burst:             : 0
Number of timer adjustment:  : 0
Timer offset:                : 0
Opened socket:               : 1140
Open socket failed:          : 0
Close socket:                : 1136
Send packet:                 : 0
Send packet failed:          : 259379
Receive packet:              : 0
Receive packet failed        : 0
Retry times:                 : 4270
Timeout:                     : 0
Unexpected error:            : 0

IP address      Port  Health monitor  Status  Cause(Up/Down/Retry)  PIN
--------------------------------------------------------------------------------
10.10.10.99           default         Down    0 /48 /854            2 /0
4.4.4.4               default         Down    0 /48 /854            2 /0
8.4.3.2               default         Down    0 /48 /854            2 /0
99.99.99.99           default         Down    0 /48 /854            2 /0
10.10.10.88           default         Down    0 /48 /854            2 /0
10.10.10.88     80    qrs             Down    0 /34 /0              2 /0
10.10.10.88     80    tuv             Down    0 /34 /0              2 /0
10.10.10.88     80    wxyz            Down    0 /34 /0              2 /0

Table 35 describes the fields in the command output.

TABLE 35 show health stat fields
Field                        Description
Total run time               Time elapsed since the health monitoring process started.
Number of burst              Number of times the system detected that a health check would leave the AX device as a traffic burst, and remedied the situation.
Number of timer adjustment   Number of times the system made internal time keeping adjustments to synchronize with the system clock.
Timer offset                 Offset of internal time keeping from the system clock, in microseconds.
Opened socket                Number of sockets opened.
Open socket failed           Number of failed attempts to open a socket.
Close socket                 Number of sockets closed.
Send packet                  Number of health check packets sent to the target of the health monitor.
Send packet failed           Number of sent health check packets that failed. (This is the number of times a target server or service failed its health check.)

TABLE 35 show health stat fields (Continued)
Field                     Description
Receive packet            Number of packets received from the target in reply to health checks.
Receive packet failed     Number of failed receive attempts.
Retry times               Number of times a health check was resent because the target did not reply.
Timeout                   Number of times a response was not received before the health check timed out.
Unexpected error          Number of unexpected errors that occurred.
IP address                IP address of the real server.
Port                      Protocol port on the server.
Health monitor            Name of the health monitor. If the name is default, the default health monitor settings for the protocol port type are being used. (See health-check on page 384 for Layer 3 health checks or port on page 385 for Layer 4-7 health checks.)
Status                    Indicates whether the service passed the most recent health check.
Cause (Up/Down/Retry)     Up and Down show internal codes for the reasons the health check reported the server or service to be up or down. (See show health stat Up / Down Causes on page 717.) For Retry, shows the number of retries.
PIN                       Indicates the following:
                          Current number of retries: Displayed to the left of the slash ( / ). The number of times the most recent health check was retried before a response was received or the maximum number of retries was used.
                          Current successful up-retries: Displayed to the right of the slash ( / ). Number of successful health check replies received for the current health check. This field is applicable if the up-retry option is configured for the health check. (See health monitor on page 112.)
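The following parser for the per-server rows of show health stat is an added example, not part of the original manual or of A10 software. It handles the blank Port column of rows that have no protocol port and splits the slash-separated Cause and PIN columns, then groups Down targets by their internal Down cause code so the codes can be looked up in the Up / Down Causes list. The column spacing of the sample rows is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample rows taken from the "show health stat" example on this page; the
# column spacing is reconstructed and is an assumption about the real layout.
SAMPLE = """\
Opened socket:               : 1140
IP address      Port  Health monitor  Status  Cause(Up/Down/Retry)  PIN
--------------------------------------------------------------------------------
10.10.10.99           default         Down    0 /48 /854            2 /0
4.4.4.4               default         Down    0 /48 /854            2 /0
10.10.10.88     80    qrs             Down    0 /34 /0              2 /0
10.10.10.88     80    wxyz            Down    0 /34 /0              2 /0
"""

ROW = re.compile(r"""
    ^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+
    (?:(?P<port>\d+)\s+)?          # Port column is blank on some rows
    (?P<monitor>\S+)\s+
    (?P<status>[A-Za-z]+)\s+
    (?P<up>\d+)\s*/\s*(?P<down>\d+)\s*/\s*(?P<retry>\d+)\s+
    (?P<pin_retry>\d+)\s*/\s*(?P<pin_up>\d+)\s*$
""", re.VERBOSE)

Target = Tuple[str, Optional[int], str]  # (ip, port, monitor name)


def parse_health_rows(text: str) -> List[Dict[str, object]]:
    """Return one dict per server/port row; other lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # counters, column header and separator lines
        rows.append({
            "ip": m["ip"],
            "port": int(m["port"]) if m["port"] else None,
            "monitor": m["monitor"],
            "status": m["status"],
            "cause_up": int(m["up"]),        # internal Up cause code
            "cause_down": int(m["down"]),    # internal Down cause code
            "cause_retry": int(m["retry"]),  # number of retries
            "pin_retries": int(m["pin_retry"]),     # left of the slash
            "pin_up_retries": int(m["pin_up"]),     # right of the slash
        })
    return rows


def group_by_down_cause(rows: List[Dict[str, object]]) -> Dict[int, List[Target]]:
    """Map each Down cause code to the targets currently reporting Down."""
    groups: Dict[int, List[Target]] = {}
    for r in rows:
        if str(r["status"]).lower() != "down":
            continue
        groups.setdefault(r["cause_down"], []).append(
            (r["ip"], r["port"], r["monitor"])
        )
    return groups


if __name__ == "__main__":
    for code, targets in sorted(group_by_down_cause(parse_health_rows(SAMPLE)).items()):
        print("down cause", code, "->", targets)
```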

show history

Description
Show the CLI command history for the current session.

Syntax
show history

Mode
All

Usage
Commands are listed starting with the oldest command, which appears at the top of the list.
Example
The following example shows commands entered by the tech writer while drafting this chapter:

AX#show history
enable
show version
show access-list
show admin
show admin admin
show admin detail
show admin session
show admin admin detail
show arp
show arp 192.168.1.144
show aflex
show bootimage
show bw-list sample-bw-list 1.1.1.1
show bw-list
show clock
show clock detail
show core
show cpu interval 1
show cpu interval 10
show debug
show disk
show dumpthread
--MORE--

show icmp

Description
Show ICMP rate limiting configuration settings and statistics.

Syntax
show icmp

Mode
All

Example
The following command shows ICMP rate limiting settings, and the number of ICMP packets dropped because the threshold has been exceeded:

AX(config)#show icmp
Global rate limit:                 5
Global lockup rate limit:          10
Lockup period:                     20
Current global rate:               0
Global rate limit drops:           0
Interfaces rate limit drops:       0
Virtual server rate limit drops:   0
Total rate limit drops:            0

show interfaces

Description
Display interface configuration and status information.

Syntax
show interfaces [brief] | [ethernet [port-num]] | [ve [vlan-id]] | [loopback num] | [management] | [statistics]

Mode
All

Example
The following example shows brief interface information:

AX#show interfaces brief
Port  Link  Dupl  Speed  Trunk  Vlan  MAC             IP Address          Total IPs
-----------------------------------------------------------------------------
mgmt  Up    Full  100    N/A    N/A   0090.0b0a.a594  192.168.20.241/24   1
1     Up    Full  1000   None   1     0090.0b0a.a596  10.10.10.241/24     5
2     Up    Full  1000   None   1     0090.0b0a.a597  20.20.20.241/24     1
3     Down  None  None   None   1     0090.0b0a.a598  0.0.0.0/0           0
4     Down  None  None   None   1     0090.0b0a.a599  0.0.0.0/0           0
5     Disb  None  None   None   1     0090.0b0a.a59a  0.0.0.0/0           0
6     Disb  None  None   None   1     0090.0b0a.a59b  0.0.0.0/0           0
7     Up    Full  1000   None   1     0090.0b0a.a59c  70.70.70.241/24     4
8     Disb  None  None   None   1     0090.0b0a.a59d  0.0.0.0/0           0
...
ve4   Down  N/A   N/A    N/A    4     0090.0b0a.a597  60.60.60.241/24     2
ve6   Up    N/A   N/A    N/A    5     0090.0b0a.a597  99.99.99.241/24     1
lo2   Up    N/A   N/A    N/A    N/A   N/A             68.67.65.64/23      3

Example

The following example shows information for Ethernet port 1:

AX#show interfaces ethernet 1
Ethernet 1 is up, line protocol is up
Hardware is GigabitEthernet, Address is 0090.0b0a.a596
Internet address is 10.10.10.241, Subnet mask is 255.255.255.0
Internet address is 10.10.10.242, Subnet mask is 255.255.255.0
Internet address is 10.10.10.243, Subnet mask is 255.255.255.0
Internet address is 10.10.10.244, Subnet mask is 255.255.255.0
Internet address is 10.10.11.244, Subnet mask is 255.255.255.0
Configured Speed auto, Actual 1Gbit, Configured Duplex auto, Actual fdx
Member of L2 Vlan 1, Port is Untagged
Flow Control is enabled, IP MTU is 1500 bytes
Port as Mirror disabled, Monitoring this Port disabled
0 packets input, 0 bytes
Received 0 broadcasts, Received 0 multicasts, Received 0 unicasts
0 input errors, 0 CRC 0 frame 0 runts 0 giants
0 packets output 0 bytes

Transmitted 0 broadcasts 0 multicasts 0 unicasts
0 output errors 0 collisions
300 second input rate: 158073232 bits/sec, 154368 packets/sec, 15% utilization
300 second output rate: 35704 bits/sec, 5 packets/sec, 0% utilization

Example

The following example shows information for loopback interface 8:

AX#show interfaces loopback 8
Loopback 8 is up, line protocol is up
Hardware is Loopback
Internet address is 10.10.10.55, Subnet mask is 255.255.255.0

show ip dns

Description
Display the DNS configuration.

Syntax
show ip dns

Mode
All

Example
The following command shows the DNS configuration on an AX Series device:

AX#show ip dns
DNS suffix: org
Primary server: 192.168.1.50
Secondary server: None

show {ip | ipv6} fib

Description
Display Forwarding Information Base (FIB) entries.

Note: This command is applicable only on AX Series devices that are configured in route mode. The command returns an error if you enter it on a device configured for transparent mode.

Syntax
show {ip | ipv6} fib

Mode
All

Example
The following command shows the IPv4 FIB entries on an AX Series device configured in route mode:

AX#show ip fib
Prefix             Next Hop       Interface   Distance
------------------------------------------------------------------------
0.0.0.0 /0         192.168.20.1   ve10        0
192.168.20.0 /24   0.0.0.0        ve10        0
Total routes = 2

Example

The following command shows IPv6 FIB entries:

AX(config)#show ipv6 fib
Prefix      Next Hop   Interface    Metric   Index
----------------------------------------------------------------------------
b101::/64   ::         Ethernet 6   256      0
Total routes = 1

show ip helper-address

Description
Display DHCP relay information.

Syntax
show ip helper-address [detail]

Mode
All

Example
The following command shows summary DHCP relay information:

AX3200(config)#show ip helper-address
Interface  Helper-Address  RX            TX            No-Relay      Drops
---------  --------------  ------------  ------------  ------------  ------------
eth1       100.100.100.1   0             0             0             0
ve5        100.100.100.1   1669          1668          0             1
ve7                        1668          1668          0             0
ve8        100.100.100.1   0             0             0             0
ve9        20.20.20.102    0             0             0             0

Table 7 describes the fields in the command output.

TABLE 36 show ip helper-address fields
Field            Description
Interface        AX interface. Interfaces appear in the output in either of the following cases:
                 A helper address is configured on the interface.
                 DHCP packets are sent or received on the interface.
Helper-Address   Helper address configured on the interface.
RX               Number of DHCP packets received on the interface.
TX               Number of DHCP packets sent on the interface.

TABLE 36 show ip helper-address fields (Continued)
Field      Description
No-Relay   Number of packets that were examined for DHCP relay but were not relayed, and instead received regular Layer 2/3 processing. Generally, this counter increments in the following cases:
           DHCP packets are received on an interface that does not have a helper address and the packets are not destined to the relay.
           DHCP packets are received on an interface that does have a helper address, but the packets are unicast directly from the client to the server and do not need relay intervention.
Drops      Number of packets that were ineligible for relay and were dropped.

Example
The following command shows detailed DHCP relay information:

AX#show ip helper-address detail
IP Interface: eth1
------------
Helper-Address: 100.100.100.1
Packets:
RX: 0
BootRequest Packets : 0
BootReply Packets   : 0
TX: 0
BootRequest Packets : 0
BootReply Packets   : 0
No-Relay: 0
Drops:
Invalid BOOTP Port  : 0
Invalid IP/UDP Len  : 0
Invalid DHCP Oper   : 0
Exceeded DHCP Hops  : 0
Invalid Dest IP     : 0
Exceeded TTL        : 0
No Route to Dest    : 0
Dest Processing Err : 0

IP Interface: ve5
------------
Helper-Address: 100.100.100.1
Packets:
RX: 16
BootRequest Packets : 16
BootReply Packets
TX: 14
BootRequest Packets : 0
BootReply Packets
No-Relay: 0
Drops:
Invalid BOOTP Port
Invalid IP/UDP Len
Invalid DHCP Oper
Exceeded DHCP Hops
Invalid Dest IP
Exceeded TTL
No Route to Dest
: 0 : 0 : 0 : 0 : 0 : 0 : 2 : 14 : 0
Dest Processing Err : 0
IP Interface: ve7
------------
Helper-Address: None
Packets:
RX: 14
BootRequest Packets : 0
BootReply Packets
TX: 14
BootRequest Packets : 14
BootReply Packets
No-Relay: 0
Drops:
Invalid BOOTP Port
Invalid IP/UDP Len
Invalid DHCP Oper
Exceeded DHCP Hops
Invalid Dest IP
Exceeded TTL
No Route to Dest
: 0 : 0 : 0 : 0 : 0 : 0 : 0 : 0 : 14
Dest Processing Err : 0

Table 37 describes the fields in the command output.

TABLE 37 show ip helper-address detail fields
Field            Description
IP Interface     AX interface.
Helper-Address   IP address configured on the AX interface as the DHCP helper address.
Packets          DHCP packet statistics:
                 RX                   Total number of DHCP packets received on the interface.
                 BootRequest Packets  Number of DHCP boot request packets (Op = BOOTREQUEST) received on the interface.
                 BootReply Packets    Number of DHCP boot reply packets (Op = BOOTREPLY) received on the interface.
                 TX                   Total number of DHCP packets sent on the interface.
                 BootRequest Packets  Number of DHCP boot request packets (Op = BOOTREQUEST) sent on the interface.
                 BootReply Packets    Number of DHCP boot reply packets (Op = BOOTREPLY) sent on the interface.
No-Relay         Number of packets that were examined for DHCP relay but were not relayed, and instead received regular Layer 2/3 processing. Generally, this counter increments in the following cases:
                 - DHCP packets are received on an interface that does not have a helper address and the packets are not destined to the relay.
                 - DHCP packets are received on an interface that does have a helper address, but the packets are unicast directly from the client to the server and do not need relay intervention.
Drops            Lists the following counters for packets dropped on the interface:
                 Invalid BOOTP Port   Number of packets dropped because they had UDP destination port 68 (BOOTPC).
                 Invalid IP/UDP Len   Number of packets dropped because the IP or UDP length of the packet was shorter than the minimum required length for DHCP headers.
                 Invalid DHCP Oper    Number of packets dropped because the Op field in the packet header did not contain BOOTREQUEST or BOOTREPLY.
                 Exceeded DHCP Hops   Number of packets dropped because the number in the Hops field was higher than 16.
                 Invalid Dest IP      Number of packets dropped because the destination was invalid for relay.
                 Exceeded TTL         Number of packets dropped because the TTL value was too low (less than or equal to 1).
                 No Route to Dest     Number of packets dropped because the relay agent (AX device) did not have a valid forwarding entry towards the destination.
                 Dest Processing Err  Number of packets dropped because the relay agent experienced an error in sending the packet towards the destination.
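The packet-level drop conditions in Table 37, written out as an added Python example (not A10 code) that classifies IPv4/UDP/BOOTP packets into the counter they would increment. The function names, the order of the checks, the 236-byte minimum BOOTP length, and the "relay-eligible" and "not-dhcp" labels are assumptions; the counters that depend on device state (Invalid Dest IP, No Route to Dest, Dest Processing Err) are not modelled.

```python
import struct
from collections import Counter

BOOTPS, BOOTPC = 67, 68          # UDP ports of the BOOTP server and client
BOOTREQUEST, BOOTREPLY = 1, 2    # the only valid values of the Op field
MAX_HOPS = 16                    # Table 37: dropped when Hops is higher than 16
BOOTP_FIXED_LEN = 236            # assumption: fixed BOOTP fields, op through file
UDP_HDR_LEN = 8


def classify_dhcp(packet: bytes) -> str:
    """Return the Table 37 drop counter a packet would hit, or 'relay-eligible'.

    The order of the checks is an assumption; the page does not state it.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-dhcp"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    ttl, proto = packet[8], packet[9]
    if ihl < 20 or proto != 17 or len(packet) < ihl + UDP_HDR_LEN:
        return "not-dhcp"
    _sport, dport, udp_len, _csum = struct.unpack(
        "!HHHH", packet[ihl:ihl + UDP_HDR_LEN])
    if dport == BOOTPC:
        return "Invalid BOOTP Port"
    if dport != BOOTPS:
        return "not-dhcp"
    need = UDP_HDR_LEN + BOOTP_FIXED_LEN
    if udp_len < need or total_len < ihl + need or len(packet) < ihl + need:
        return "Invalid IP/UDP Len"
    start = ihl + UDP_HDR_LEN
    op, _htype, _hlen, hops = packet[start:start + 4]
    if op not in (BOOTREQUEST, BOOTREPLY):
        return "Invalid DHCP Oper"
    if hops > MAX_HOPS:
        return "Exceeded DHCP Hops"
    if ttl <= 1:
        return "Exceeded TTL"
    return "relay-eligible"


def build_packet(op=BOOTREQUEST, hops=0, ttl=64, dport=BOOTPS,
                 bootp_len=BOOTP_FIXED_LEN) -> bytes:
    """Construct a minimal IPv4/UDP/BOOTP packet (sample data, not a capture)."""
    bootp = bytes([op, 1, 6, hops]) + bytes(bootp_len - 4)
    udp = struct.pack("!HHHH", BOOTPC, dport, UDP_HDR_LEN + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     bytes(4), b"\xff" * 4)
    return ip + udp


def tally(packets) -> Counter:
    """Count packets per outcome, like the Drops section of the detail output."""
    return Counter(classify_dhcp(p) for p in packets)


# Constructed samples: one clean request and one packet per modelled drop reason.
SAMPLES = [
    build_packet(),
    build_packet(dport=BOOTPC),
    build_packet(op=3),
    build_packet(hops=17),
    build_packet(ttl=1),
    build_packet(bootp_len=100),
]

if __name__ == "__main__":
    for name, count in sorted(tally(SAMPLES).items()):
        print(f"{name:20s}: {count}")
```
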

show {ip | ipv6} interfaces


Description      Display IP interfaces.

Syntax           show {ip | ipv6} interfaces [ethernet port-num] | [ve ve-num] | [loopback lb-num] | [management]

Mode             All

Example          The following command shows the IPv4 interfaces configured on Ethernet interface 1:

AX#show ip interfaces ethernet 1
IP addresses on ethernet 1:
ip 10.10.10.241 netmask 255.255.255.0 (Primary)
ip 10.10.10.242 netmask 255.255.255.0
ip 10.10.10.243 netmask 255.255.255.0
ip 10.10.10.244 netmask 255.255.255.0
ip 10.10.11.244 netmask 255.255.255.0

AX(config-if:ethernet1)#show ip interfaces ve
Port     IP              Netmask          PrimaryIP
-------------------------------------------------
ve4      60.60.60.241    255.255.255.0    Yes
         50.60.60.241    255.255.252.0    No
-------------------------------------------------
ve6      99.99.99.241    255.255.255.0    Yes

The PrimaryIP column indicates whether the address is the primary IP address for the interface. (For more information, see ip address on page 186.)

show {ip | ipv6} isis


Description This command is used only for testing and is not supported in this release.

show ip nat
Description      Display NAT information.

Syntax           show ip nat option

Option                                 Description
alg pptp {statistics | status}         Shows information for NAT Application Layer Gateway (ALG) for Point-to-Point Tunneling Protocol (PPTP).
                                       statistics  Shows statistics.
                                       status      Shows whether the feature is enabled.
interfaces                             Shows the NAT direction enabled on each interface.
lsn                                    See show ip nat lsn on page 602.
pool [pool-name] [statistics]          Shows pool information.
pool-group [pool-groupname]            Shows pool group information.
range-list range-name                  Shows configured static NAT ranges.
static-binding [ipaddr] | [statistics [ipaddr]]
                                       Shows configuration information or statistics for static NAT bindings.
statistics                             Shows NAT statistics.
template logging                       Shows information for external logging templates, if configured.
timeouts                               Shows the timer settings.
translations                           Shows currently active NAT translations.

Mode             All

Example          The following command shows the NAT interface settings:

AX#show ip nat interfaces
Total IP NAT Interfaces configured: 2
Interface    NAT Direction
----------------------------
ve10         outside
ve11         inside

Example          The following command shows the configured NAT pools:

AX#show ip nat pool
Total IP NAT Pools: 6
Pool Name    Start Address     End Address       Mask   Gateway   HA Group
-----------------------------------------------------------------------------
172.pool1    192.168.66.201    192.168.66.201    /24    0.0.0.0   1
172.pool3    192.168.66.215    192.168.66.217    /24    0.0.0.0   1

Example          The following command shows NAT pool statistics:

AX#show ip nat pool statistics
Pool         Address           Port Usage    Total Used    Total Freed
---------------------------------------------------------------------------
172.pool1    192.168.66.201    0             0             0
Pool         Address           Port Usage    Total Used    Total Freed
---------------------------------------------------------------------------
172.pool3    192.168.66.215    0             0             0
             192.168.66.216    0             0             0
             192.168.66.217    0             0             0

In the show ip nat pool statistics output, the Address column lists the source addresses that are bound to NAT addresses. The Port Usage column indicates how many sessions are currently being NATted for each address. Each session counted here uses a unique TCP or UDP protocol port. ICMP traffic does not cause this counter to increment. The Total Used column indicates the total number of sessions that have been NATted for the source address. The Total Freed column indicates how many NATted sessions have been terminated, thus freeing up a port for another session.

Example          The following command displays statistics for static source NAT bindings:

AX#show ip nat static-binding statistics
Source Address    Port Usage    Total Used    Total Freed
------------------------------------------------------------------------------
30.30.31.35       1727          329756        328029
30.30.31.36       1799          343950        342151
30.30.31.37       1793          346257        344464
30.30.31.38       1829          232605        230776
30.30.31.39       1738          241147        240937
30.30.31.40       1774          286022        284248

Example          The following command shows NAT statistics:

AX#show ip nat statistics
Outside interfaces: ethernet1
Inside interfaces: ethernet3
Hits: 1    Misses: 0
Outbound TCP sessions created: 6
Outbound UDP sessions created: 7
Outbound ICMP sessions created: 8
Inbound TCP sessions created: 8
Inbound UDP sessions created: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool p2
    start 192.168.217.200 end 192.168.217.200
    total addresses 1, allocated 0, misses 0

Example          The following command shows NAT timeout settings:

AX#show ip nat timeouts
NAT Timeout values in seconds:
SYN 60    TCP 300    UDP 300    ICMP fast
------------------------
Service 53/udp has fast-aging configured

In this example, the output indicates that fast aging is used for IP NATted ICMP sessions, and for IP NATted DNS sessions on port 53. The message at the bottom of the display indicates that the fast aging setting (SLB MSL timeout) will be used for IP NATted UDP sessions on port 53. If the message is not shown in the output, then the timeout shown under UDP will be used instead.

The following command displays PPTP NAT ALG statistics.

AX(config-if:ethernet2)#show ip nat alg pptp statistics
Statistics for PPTP NAT ALG:
-----------------------------
Calls In Progress:            10
Call Creation Failure:        0
Truncated PNS Message:        0
Truncated PAC Message:        0
Mismatched PNS Call ID:       1
Mismatched PAC Call ID:       0
Retransmitted PAC Message:    3
Truncated GRE Packets:        0
Unknown GRE Packets:          0
No Matching Session Drops:    4

Table 38 describes the fields in the command output.

TABLE 38 show ip nat alg pptp statistics fields
Field                        Description
Calls In Progress            Current call attempts, counted by inspecting the TCP control session. This counter will decrease once the first GRE packet arrives.
Call Creation Failure        Number of times a call could not be set up because the AX device ran out of memory or other system resources.
Truncated PNS Message        Number of runt TCP PPTP messages received from clients.
Truncated PAC Message        Number of runt TCP PPTP messages received from servers.
Mismatched PNS Call ID       Number of calls that were disconnected because the GRE session had the wrong Call ID.
Mismatched PAC Call ID       Number of calls that were disconnected because they had the wrong Call ID.
Retransmitted PAC Message    Number of TCP packets retransmitted from PAC servers.
Truncated GRE Packets        Number of runt GRE packets received by the AX device.
Unknown GRE Packets          Number of GRE packets that were not used for PPTP and were dropped.
No Matching Session Drops    Number of GRE PPTP packets sent with no current call.

show ip nat lsn


Description      Show information for Large-Scale NAT (LSN).

Syntax           show ip nat lsn [ full-cone-sessions | pool-statistics | port-reservations | statistics | user-quota-sessions ]

Parameter              Description
full-cone-sessions     Shows currently active full-cone sessions.
pool-statistics        Shows statistics related to IP address pools used for LSN.
port-reservations      Shows configured LSN static port reservations.
statistics             Shows global statistics related to LSN.
user-quota-sessions    Shows currently active user quota sessions.

Mode             Privileged EXEC and all configuration levels

Example          The following commands display LSN information:

AX(config)#end
AX#show class-list list1
Name: list1
Total single IP: 0
Total IP subnet: 2
Content:
192.168.1.0 /24 lsn-lid 2
192.168.0.0 /16 lsn-lid 1

AX#show ip nat lsn full-cone-sessions
LSN Full Cone Sessions:
Prot   Inside Address      NAT Address        Conns   Pool    CPU   Age
--------------------------------------------------------------------------
UDP    1.0.208.99:1105     6.6.0.158:1345     1       pool1   1     0
UDP    1.4.144.150:1093    6.6.0.140:31573    1       pool1   4     0
UDP    1.0.167.140:1117    6.6.0.145:12277    1       pool1   13    0

AX#show ip nat lsn user-quota-sessions
LSN User-Quota Sessions:
Inside Address    NAT Address    ICMP   UDP   TCP   Pool    LID
------------------------------------------------------------------
1.1.138.159       6.6.0.158      0      3     0     pool1   3
1.0.235.149       6.6.0.134      0      3     0     pool1   3
1.0.35.54         6.6.0.188      0      2     0     pool1   3

AX#show ip nat lsn port-reservations
LSN Port Reservations
Inside Address    Start   End     NAT Address    Start   End
---------------------------------------------------------------
10.0.0.1          80      1024    172.7.7.30     80      1024

AX#show ip nat lsn pool-statistics
LSN Address Pool Statistics:
----------------------------
pool0
Address       Users   ICMP   Freed   Total   UDP   Freed   Total   Rsvd   TCP   Freed   Total   Rsvd
------------------------------------------------------------------------------------------------------
172.7.7.20    0       0      0       0       0     0       0       0      0     0       0       0
172.7.7.21    0       0      0       0       0     0       0       0      0     0       0       0
172.7.7.22    0       0      0       0       0     0       0       0      0     0       0       0
172.7.7.23    0       0      0       0       0     0       0       0      0     0       0       0
172.7.7.24    0       0      0       0       0     0       0       0      0     0       0       0
172.7.7.25    0       0      0       0       0     0       0       0      0     0       0       0
172.7.7.26    0       0      0       0       0     0       0       0      0     0       0       0
172.7.7.27    0       0      0       0       0     0       0       0      0     0       0       0
172.7.7.28    0       0      0       0       0     0       0       0      0     3       3       0
172.7.7.29    0       0      0       0       0     0       0       0      0     0       0       0

Table 39 describes the fields in the show ip nat lsn pool-statistics output.

TABLE 39 show ip nat lsn pool-statistics fields
Field           Description
Address         NAT (global) IP address.
Users           Number of inside IP addresses currently using the NAT IP address.
ICMP            Number of ICMP identifiers currently in use.
Freed (ICMP)    Total number of ICMP identifiers freed.
Total (ICMP)    Total number of ICMP identifiers allocated. ICMP column + Freed column = Total column.
UDP             Number of UDP ports currently in use.
Freed (UDP)     Total number of UDP ports freed.
Total (UDP)     Total number of UDP ports allocated. UDP column + Freed column = Total column.
Rsvd (UDP)      Total of all UDP reserve settings for each user that is currently using the NAT IP address. For example, if an LID has the setting user-quota udp 100 reserve 50, and there are 50 users using the LID on the NAT IP address, the Rsvd value is 50*50 = 2500.
TCP             Number of TCP ports currently in use.
Freed (TCP)     Total number of TCP ports freed.
Total (TCP)     Total number of TCP ports allocated. TCP column + Freed column = Total column.
Rsvd (TCP)      Total of all TCP reserve settings for each user that is currently using the NAT IP address. For example, if an LID has the setting user-quota tcp 100 reserve 60, and there are 10 users using the LID on the NAT IP address, the Rsvd value is 10*60 = 600.

show ipv6 ndisc


Description      Display information for IPv6 router discovery.

Syntax           show ipv6 ndisc router-advertisement {ethernet portnum | ve ve-num | statistics}

Mode             All

The following command displays configuration information for IPv6 router discovery on an Ethernet interface. In this example, the interface is VE 10.

AX#show ipv6 ndisc router-advertisement ve 10
Interface VE 10
    Send Advertisements:                    Enabled
    Max Advertisement Interval:             200
    Min Advertisement Interval:             150
    Advertise Link MTU:                     Disabled
    Reachable Time:                         0
    Retransmit Timer:                       0
    Current Hop Limit:                      255
    Default Lifetime:                       200
    Max Router Solicitations Per Second:    100000
    HA Group ID:                            None
    Number of Advertised Prefixes:          2
    Prefix 1:
        Prefix:            2001:32::/64
        On-Link:           True
        Valid Lifetime:    4400
    Prefix 2:
        Prefix:            2001:a::/96
        On-Link:           True
        Valid Lifetime:    2592000

The following command displays router discovery statistics:

AX(config)#show ipv6 ndisc router-advertisement statistics
IPv6 Router Advertisement/Solicitation Statistics:
--------------------------------------------------
Good Router Solicitations (R.S.) Received:             1320
Periodic Router Advertisements (R.A.) Sent:            880
R.S. Rate Limited:                                     2
R.S. Bad Hop Limit:                                    1
R.S. Truncated:                                        0
R.S. Bad ICMPv6 Checksum:                              0
R.S. Unknown ICMPv6 Code:                              0
R.S. Bad ICMPv6 Option:                                0
R.S. Src Link-Layer Option and Unspecified Address:    0
No Free Buffers to send R.A.:                          0

The error counters apply to router solicitations (R.S.) that are dropped by the AX device. The Src Link-Layer Option and Unspecified Address counter indicates the number of times the AX device received a router solicitation with source address :: (unspecified IPv6 address) and with the source link-layer (MAC address) option set.

Note: In the current release, the AX device does not drop ICMPv6 packets that have bad (invalid) checksums.
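The router solicitation error counters above correspond to the receive-side validation rules in RFC 4861, section 6.1.1. The following added Python example (not A10 code) applies those rules to constructed messages and returns the counter name each one would fall under; the mapping of rules to counter names, the function names and the "not-rs" label are assumptions, checksum validation is left out to match the note above, and rate limiting is stateful and not modelled.

```python
import ipaddress

ICMPV6_ROUTER_SOLICITATION = 133
ND_OPT_SOURCE_LINK_LAYER = 1     # neighbor discovery option type (RFC 4861)
RS_FIXED_LEN = 8                 # type, code, checksum, 4 reserved bytes


def classify_rs(src: str, hop_limit: int, icmp: bytes) -> str:
    """Validate one router solicitation and name the counter it would hit.

    src is the IPv6 source address, hop_limit comes from the IPv6 header,
    icmp is the ICMPv6 message starting at the Type byte.
    """
    if not icmp or icmp[0] != ICMPV6_ROUTER_SOLICITATION:
        return "not-rs"
    if hop_limit != 255:
        # A value below 255 means the packet crossed a router, so it is off-link.
        return "R.S. Bad Hop Limit"
    if len(icmp) < RS_FIXED_LEN:
        return "R.S. Truncated"
    if icmp[1] != 0:
        return "R.S. Unknown ICMPv6 Code"

    has_slla = False
    offset = RS_FIXED_LEN
    while offset < len(icmp):
        if len(icmp) - offset < 2:
            return "R.S. Bad ICMPv6 Option"
        opt_type = icmp[offset]
        opt_len = icmp[offset + 1] * 8      # option length is in units of 8 bytes
        if opt_len == 0 or offset + opt_len > len(icmp):
            return "R.S. Bad ICMPv6 Option"
        if opt_type == ND_OPT_SOURCE_LINK_LAYER:
            has_slla = True
        offset += opt_len

    # A host without an address cannot receive a unicast reply, so it must
    # not advertise a link-layer address from source ::.
    if has_slla and ipaddress.IPv6Address(src).is_unspecified:
        return "R.S. Src Link-Layer Option and Unspecified Address"
    return "Good Router Solicitations (R.S.) Received"


def build_rs(code: int = 0, options: bytes = b"") -> bytes:
    """Construct a router solicitation (sample data, checksum left as zero)."""
    return bytes([ICMPV6_ROUTER_SOLICITATION, code, 0, 0, 0, 0, 0, 0]) + options


# Constructed source link-layer address option: type 1, length 1 (8 bytes), MAC.
SLLA = bytes([ND_OPT_SOURCE_LINK_LAYER, 1, 0x00, 0x07, 0xE9, 0x0A, 0x44, 0x02])

if __name__ == "__main__":
    cases = [
        ("fe80::1", 255, build_rs(options=SLLA)),
        ("fe80::1", 64, build_rs(options=SLLA)),
        ("::", 255, build_rs(options=SLLA)),
        ("::", 255, build_rs()),
        ("fe80::1", 255, build_rs()[:6]),
    ]
    for src, hop_limit, msg in cases:
        print(f"{src:8s} hop={hop_limit:3d} -> {classify_rs(src, hop_limit, msg)}")
```
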

show ipv6 neighbor


Description      Display information about neighboring IPv6 devices.

Syntax           show ipv6 neighbor [ipv6-addr]

Mode             All

Example          The following command shows IPv6 neighbors:

AX(config)#show ipv6 neighbor
Total IPv6 neighbor entries: 2
IPv6 Address                 MAC Address       Type      Age   State       Interface    Vlan
---------------------------------------------------------------------------------------
b101::1112                   0007.E90A.4402    Dynamic   30    Reachable   ethernet 6   1
fe80::207:e9ff:fe0a:4402     0007.E90A.4402    Dynamic   20    Reachable   ethernet 6   1

show {ip | ipv6} ospf


Description      Display configuration information and statistics for OSPFv2 processes or OSPFv3 instances.

Syntax           show ip ospf [process-id]
                 show ipv6 ospf [tag]

Parameter        Description
process-id       Specifies the OSPFv2 process. If you omit this option, settings for all configured OSPFv2 processes are displayed.
tag              Specifies the OSPFv3 instance. If you omit this option, settings for all configured OSPFv3 instances are displayed.

Mode             Privileged EXEC and all configuration levels

Example          The following command shows information for OSPFv2 instance 0:

AX#show ip ospf 0
 Routing Process "ospf 0" with ID 1.1.1.1
 Process uptime is 3 hours 12 minutes
 Process bound to VRF default
 Conforms to RFC2328, and RFC1583 Compatibility flag is disabled
 Supports only single TOS(TOS0) routes
 Supports opaque LSA
 Supports Graceful Restart
 This router is an ASBR (injecting external routing information)
 SPF schedule delay min 0.500 secs, SPF schedule delay max 50.0 secs
 Refresh timer 10 secs
 Number of incoming current DD exchange neighbors 0/5
 Number of outgoing current DD exchange neighbors 0/5
 Number of external LSA 0. Checksum 0x000000
 Number of opaque AS LSA 0. Checksum 0x000000
 Number of non-default external LSA 0
 External LSA database is unlimited.
 Number of LSA originated 2
 Number of LSA received 79
 Number of areas attached to this router: 1
    Area 1 (NSSA)
        Number of interfaces in this area is 2(2)
        Number of fully adjacent neighbors in this area is 2
        Number of fully adjacent virtual neighbors through this area is 0
        Area has no authentication
        SPF algorithm last executed 02:07:40.860 ago
        SPF algorithm executed 16 times
        Number of LSA 10. Checksum 0x06b2fa
        NSSA Translator State is disabled
        Shortcutting mode: Default, S-bit consensus: ok

show ip ospf border-routers


Description      Display route information for OSPFv2 ABRs and ASBRs.

Syntax           show ip ospf border-routers

Mode             Privileged EXEC and all configuration levels

Example          The following command shows route information for ABRs and ASBRs:

AX#show ip ospf border-routers
OSPF process 0 internal Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 3.3.3.3 [1] via 10.0.0.1, ve 1, ABR, ASBR, Area 0.0.0.1


show ip ospf database


Description      Displays information about the OSPFv2 databases on the device.

Note:            The options are different for OSPFv3. See show ipv6 ospf database on page 610.

Syntax           show ip ospf database [ adv-router ipaddr | {asbr-summary | external | network | nssa-external | opaque-area | opaque-as | opaque-link | router | summary} [[ipaddr [adv-router ipaddr] [self-originate]] | [adv-router ipaddr] | [self-originate]] | max-age | self-originate ]

Parameter            Description
adv-router ipaddr    Displays LSA information for the specified advertising router.
asbr-summary         Displays information about ASBR summary LSAs.
max-age              Displays information for the LSAs that have reached the maximum age allowed, which is 3600 seconds.
self-originate       Displays information for LSAs originated by this OSPF router.
external             Displays information about external LSAs.
network              Displays information about network LSAs.
nssa-external        Displays information about NSSA external LSAs.
opaque-area          Displays information about Type-10 Opaque LSAs. Type-10 Opaque LSAs are LSAs with local-area scope (link state type 10), and are not flooded outside the local area.
opaque-as            Displays information about Type-11 LSAs, which are flooded throughout the Autonomous System (AS).
opaque-link          Displays information about Type-9 LSAs. Type-9 LSAs have link-local scope, and are not flooded beyond the local network.
router               Displays information about router LSAs.
summary              Displays information about summary LSAs.

The following suboptions are available for the external, network, nssa-external, opaque-area, opaque-as, opaque-link, router, and summary options:

ipaddr               Displays LSA information for a specific link-state ID (expressed as an IP address).
adv-router ipaddr    Displays LSA information for the specified advertising router.
self-originate       Displays information for LSAs originated by this OSPF router.

Mode             Privileged EXEC and all configuration levels

Example          The following command shows the OSPFv2 database:

AX#show ip ospf database

                Router Link States (Area 0.0.0.1 [NSSA])
Link ID      ADV Router   Age    Seq#         CkSum    Link count
1.1.1.1      1.1.1.1      1105   0x800000c9   0xcb72   2
2.2.2.2      2.2.2.2      638    0x80000008   0xdb92   2
3.3.3.3      3.3.3.3      1998   0x800000cb   0x47c1   2
4.4.4.4      4.4.4.4      1717   0x800000f6   0xe1d2   3

                Net Link States (Area 0.0.0.1 [NSSA])
Link ID      ADV Router   Age    Seq#         CkSum
10.0.0.1     3.3.3.3      1998   0x80000006   0xec1b
11.0.0.1     3.3.3.3      203    0x80000005   0x14ef
13.0.0.2     4.4.4.4      1717   0x80000006   0xbf3c
14.0.0.1     4.4.4.4      1962   0x80000004   0xf207

                Summary Link States (Area 0.0.0.1 [NSSA])
Link ID      ADV Router   Age    Seq#         CkSum    Route
0.0.0.0      3.3.3.3      1998   0x800000a3   0x99ed   0.0.0.0/0

                NSSA-external Link States (Area 0.0.0.1 [NSSA])
Link ID      ADV Router   Age    Seq#         CkSum    Route             Tag
1.0.100.1    1.1.1.1      1105   0x8000008e   0x942a   E2 1.0.100.1/32   0


show ipv6 ospf database


Description      Displays information about the OSPFv3 databases on the device.

Syntax           show ipv6 ospf [instance-id] database [ external | grace | inter-prefix | inter-router | intra-prefix | link | network | router} [adv-router ipaddr] ]

Parameter        Description
external         Displays information about external LSAs.
grace            Displays information about grace LSAs, used during graceful restart.
inter-prefix     Displays information about Inter-Area-Prefix LSAs.
inter-router     Displays information about Inter-Area-Router LSAs.
intra-prefix     Displays information about Intra-Area-Prefix LSAs.
links            Displays information about link LSAs.
network          Displays information about network LSAs.
router           Displays information about router LSAs.

Each option above supports the following suboption:

adv-router ipaddr    Displays LSA information for the specified advertising router.

Mode             Privileged EXEC and all configuration levels

Example          The following command shows the OSPFv3 database:

AX#show ipv6 ospf database

            OSPFv3 Router with ID (1.1.1.1) (Process *null*)

                Link-LSA (Interface ve 1)
Link State ID   ADV Router   Age    Seq#         CkSum    Prefix
0.0.0.49        1.1.1.1      1121   0x8000008a   0xc927   1
0.0.0.8         3.3.3.3      1953   0x80000007   0x30cd   1

                Link-LSA (Interface ve 2)
Link State ID   ADV Router   Age    Seq#         CkSum    Prefix
0.0.0.50        1.1.1.1      1121   0x80000096   0x08d8   1
0.0.0.8         4.4.4.4      1893   0x80000007   0xe638   1

                Router-LSA (Area 0.0.0.0)
Link State ID   ADV Router   Age    Seq#         CkSum    Link
0.0.0.0         1.1.1.1      1114   0x800000b1   0xcafa   2
0.0.0.0         2.2.2.2      904    0x800000ab   0x61a6   2
0.0.0.0         3.3.3.3      1953   0x80000094   0xe52a   2
0.0.0.0         4.4.4.4      1893   0x800000a8   0x846b   2

                Network-LSA (Area 0.0.0.0)
Link State ID   ADV Router   Age    Seq#         CkSum
0.0.0.8         3.3.3.3      1953   0x80000006   0xd40b
0.0.0.9         3.3.3.3      179    0x80000005   0xfedc
0.0.0.8         4.4.4.4      1893   0x80000006   0xd8fe
0.0.0.9         4.4.4.4      124    0x80000005   0x03d0

                Intra-Area-Prefix-LSA (Area 0.0.0.0)
Link State ID   ADV Router   Age    Seq#         CkSum    Prefix   Reference
0.0.32.0        3.3.3.3      1953   0x80000006   0x9cb3   1        Network-LSA
0.0.36.0        3.3.3.3      179    0x80000005   0x90ba   1        Network-LSA
0.0.32.0        4.4.4.4      1893   0x80000006   0xec58   1        Network-LSA
0.0.36.0        4.4.4.4      124    0x80000005   0xe05f   1        Network-LSA


show {ip | ipv6} ospf interface


Description      Display OSPF information for an interface.

Syntax           show {ip | ipv6} ospf interface {ethernet portnum | loopback num | management | trunk num | udld num | ve ve-num}

Mode             Privileged EXEC and all configuration levels

Example          The following command shows OSPFv2 information for interface VE 1:

AX#show ip ospf interface ve 1
ve 1 is up, line protocol is up
  Internet Address 10.0.0.2/24, Area 0.0.0.1 [NSSA], MTU 1500
  Process ID 0, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State Backup, Priority 1
  Designated Router (ID) 3.3.3.3, Interface Address 10.0.0.1
  Backup Designated Router (ID) 1.1.1.1, Interface Address 10.0.0.2
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:07
  Neighbor Count is 1, Adjacent neighbor count is 1
  Crypt Sequence Number is 1274173120
  Hello received 1218 sent 1158, DD received 3 sent 4
  LS-Req received 0 sent 1, LS-Upd received 52 sent 49
  LS-Ack received 27 sent 35, Discarded 0

show ip ospf multi-area-adjacencies


Description      Display OSPFv2 multi-area adjacency information.

Syntax           show ip ospf multi-area-adjacencies

Mode             Privileged EXEC and all configuration levels

Example          The following command shows multi-area adjacency information:

AX#show ip ospf 1 multi-area-adjacencies
Multi-area-adjacency on interface eth1 to neighbor 20.20.20.10
  Internet Address 20.20.20.11/24, Area 0.0.0.1, MTU 1500
  Process ID 1, Router ID 10.10.10.10, Network Type POINTOPOINT, Cost: 10
  Transmit Delay is 1 sec, State Point-To-Point
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:02
  Neighbor Count is 0, Adjacent neighbor count is 0
  Crypt Sequence Number is 1229928206
  Hello received 0 sent 513, DD received 0 sent 0
  LS-Req received 0 sent 0, LS-Upd received 0 sent 0
  LS-Ack received 0 sent 0, Discarded 0


show {ip | ipv6} ospf neighbor


Description      Display information about OSPF neighbors.

Syntax           show ip ospf [process-id] neighbor [ipaddr [detail]] | [all] | [detail [all]] | [interface ipaddr]
                 show ipv6 ospf [tag] neighbor [ipaddr [detail]] | [detail [all]] | [interface ipaddr]

Note:            The all option applies only to OSPFv2.

Parameter            Description
process-id           Specifies the OSPFv2 process. If you omit this option, information for all configured OSPFv2 processes is displayed.
tag                  Specifies the OSPFv3 instance. If you omit this option, information for all configured OSPFv3 instances is displayed.
ipaddr [detail]      Displays information for the specified neighbor. For detailed information, use the detail option. For summary information, omit the detail option.
all                  Includes neighbors whose status is Down. Without this option, down neighbors are not included in the output.
detail [all]         Displays detailed information for all neighbors. To include down neighbors in the output, use the all option.
interface ipaddr     Displays information for neighbors reachable through the specified IP interface.

Mode             Privileged EXEC and all configuration levels

Example          The following command shows information for OSPFv2 neighbors:

AX#show ip ospf neighbor
OSPF process 0:
Neighbor ID   Pri   State     Dead Time   Address    Interface   Instance ID
3.3.3.3       1     Full/DR   00:00:31    10.0.0.1   ve 1        0
4.4.4.4       1     Full/DR   00:00:30    13.0.0.2   ve 2        0

show ip ospf redistributed


Description      Display the routes that are being redistributed into OSPFv2.

Syntax           show ip ospf [process-id] redistributed [ connected | floating-ip | ip-nat | ip-nat-list | ospf [process-id] | selected-vip | static | vip ]

Note:            The bgp, isis, and kernel options are not applicable to the current release and are not supported.

Parameter            Description
process-id           Specifies the OSPFv2 process. If you omit this option, information for all configured OSPF instances is displayed.
connected            Displays redistributed routes to directly-connected networks.
floating-ip          Displays redistributed routes to floating IP addresses.
ip-nat               Displays redistributed routes to IP addresses assigned from an IP NAT pool.
ip-nat-list          Displays redistributed routes to IP addresses assigned from an IP NAT range list.
ospf [process-id]    Displays redistributed routes from other OSPFv2 processes.
selected-vip         Displays redistributed routes to SLB VIPs that are explicitly flagged for redistribution. This option is applicable if the only-flagged option was used with the redistribute vip command.
static               Displays redistributed static routes.
vip                  Displays redistributed routes to SLB VIPs that are implicitly flagged for redistribution. This option is applicable if the only-not-flagged option was used with the redistribute vip command.

Mode             Privileged EXEC and all configuration levels

Usage            For more information on VIP redistribution, see Usage in redistribute on page 264.

show {ip | ipv6} ospf route


Description      Display information for OSPFv2 routes.

Syntax           show ip ospf [process-id] route
                 show ipv6 ospf [tag] route

Parameter        Description
process-id       Specifies the OSPFv2 process. If you omit this option, information for all configured OSPFv2 processes is displayed.
tag              Specifies the OSPFv3 instance. If you omit this option, information for all configured OSPFv3 instances is displayed.

Mode             Privileged EXEC and all configuration levels

Example          The following command shows OSPFv2 routes:

AX#show ip ospf route
IA 0.0.0.0/0 [2] via 10.0.0.1, ve 1, Area 0.0.0.1
O  1.0.4.0/24 [2] via 13.0.0.2, ve 2, Area 0.0.0.1
C  10.0.0.0/24 [1] is directly connected, ve 1, Area 0.0.0.1
O  11.0.0.0/24 [2] via 10.0.0.1, ve 1, Area 0.0.0.1
C  13.0.0.0/24 [1] is directly connected, ve 2, Area 0.0.0.1
O  14.0.0.0/24 [2] via 13.0.0.2, ve 2, Area 0.0.0.1


show ipv6 ospf topology


Description      Display OSPFv3 topology information.

Syntax           show ipv6 ospf [tag] topology [area area-id]

Parameter        Description
tag              Specifies the OSPFv3 instance. If you omit this option, information for all configured OSPFv3 instances is displayed.
area area-id     Displays OSPFv3 topology information for the specified area.

Mode             Privileged EXEC and all configuration levels

Example          The following command shows the OSPFv3 topology:

AX#show ipv6 ospf topology
OSPFv3 Process (*null*)
OSPFv3 paths to Area (0.0.0.0) routers
Router ID    Bits   Metric   Next-Hop   Interface
1.1.1.1      E      -
2.2.2.2             2        3.3.3.3    ve 1
                             4.4.4.4    ve 2
3.3.3.3      E      1        3.3.3.3    ve 1
4.4.4.4      E      1        4.4.4.4    ve 2

show {ip | ipv6} ospf virtual-links


Description  Display virtual link information.

Syntax       show ip ospf [process-id] virtual-links
             show ipv6 ospf [tag] virtual-links

             Parameter    Description
             process-id   Specifies the OSPFv2 process. If you omit this option, information for all configured OSPFv2 processes is displayed.
             tag          Specifies the OSPFv3 instance. If you omit this option, information for all configured OSPFv3 instances is displayed.

Mode         Privileged EXEC and all configuration levels

Example      The following command shows information for OSPFv2 virtual links:

AX(config)#show ip ospf virtual-link
Virtual Link VLINK1 to router 143.0.0.143 is up
  Transit area 0.0.0.1 via interface ethernet 1
  Local address 13.0.0.2/32
  Remote address 13.0.0.1/32
  Transmit Delay is 1 sec, State Point-To-Point,
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
    Hello due in 00:00:10
    Adjacency state Full

show {ip | ipv6} protocols


Description  Show information for dynamic routing protocols.

Syntax       show ip protocols [ospf]
             show ipv6 protocols

Mode         All

show ip route
Description  Display the IPv4 routing table.

Syntax       show ip route [ ipaddr[/mask-length] | all | connected | database | floating-ip | ip-nat | ip-nat-list | kernel | mgmt | ospf | selected-vip | static | summary | vip ]

Mode         All

Usage        The show ip route summary command displays summary information for all IP routes, including the total number of routes. The command output applies to both the data route table and the management route table, which are separate route tables. The following commands display routes for only one of the route tables:

             show ip route        Shows information for the data route table only.
             show ip route mgmt   Shows information for the management route table only.

             The total number of routes listed by the output differs depending on the command you use. For example, the total number of routes listed by the show ip route command includes only data routes, whereas the total number of routes listed by the show ip route summary command includes data routes and management routes.

Example      The following example shows the IP route table:

AX#show ip route
Codes: C - connected, S - static, O - OSPF
S* 0.0.0.0/0 [1/0] via 192.168.20.1, ve 10
S* 192.168.1.0/24 [1/0] is directly connected, Management
C* 192.168.1.0/24 is directly connected, Management
C* 192.168.19.0/24 is directly connected, ve 10
Total number of routes : 4

show ipv6 route


Description  Display the IPv6 routing table.

Syntax       show ipv6 route [ ipv6-addr[/mask-length] | connected | database | kernel | mgmt | ospf | static | summary | ]

Mode         All

show ipv6 traffic


Description  Display IPv6 traffic statistics.

Syntax       show ipv6 traffic

Mode         All

Example      The following command shows IPv6 traffic statistics:

AX#show ipv6 traffic
Traffic Type     Received  Sent
--------------------------------------
Neigh Solicit    2         0
Neigh Adverts    2         2
Echo Request     0         0
Echo Replies     5         0
Errors           0         0

show isis
Description This command is for testing only and is not supported in this release.

show key-chain
Description  Show configuration information for an authentication key chain.

Syntax       show key-chain key name [key num]

             Option    Description
             name      Name of the key chain.
             key num   Key number (1-255).

Mode         Privileged EXEC and all Config levels

show lid
Description  Show information for IP limiting rules.

Syntax       show lid [num]

Mode         All

Example      The following command shows the configuration of each standalone IP limiting rule:

AX#show lid
lid 1
   conn-limit 100
   conn-rate-limit 100 per 10
   request-limit 1
   request-rate-limit 10 per 10
   over-limit-action reset log 1
lid 2
   conn-limit 20000
   conn-rate-limit 2000 per 10
   request-limit 200
   request-rate-limit 200 per 1
   over-limit-action reset log 3
lid 30
   conn-limit 10000
   conn-rate-limit 1000 per 1
   over-limit-action forward log

Example      The following command shows the configuration of IP limiting rule 1:

AX#show lid 1
lid 1
   conn-limit 100
   conn-rate-limit 100 per 10
   request-limit 1
   request-rate-limit 10 per 10
   over-limit-action reset log 1

show locale
Description  Display the configured CLI locale.

Syntax       show locale

Mode         All

Example      The following command shows the locale configured on an AX Series device:

AX#show locale
en_US.UTF-8    English locale for the USA, encoding with UTF-8 (default)


show log
Description  Display entries in the syslog buffer or display current log settings (policy). Log entries are listed starting with the most recent entry on top.

Syntax       show log [length num] [policy]

             Option       Description
             length num   Shows the most recent log entries, up to the number of entries you specify. You can specify 1-1000000 entries.
             policy       Shows the log settings. To display log entries, omit this option.

Mode         All

Example      The following command shows the log settings:

AX#show log policy
Syslog facility: local0
Flow-control: disable
Name      Level
----------------------------
Console   error
Buffer    debugging
Email     disable
Trap      disable
Syslog    debugging
Monitor   debugging

Example      The following command shows log entries.

AX#show log
Log Buffer: 30000
Jan 17 11:32:02 Warning A10LB HTTP request has p-conn
Jan 17 11:31:01 Notice The session [1] is closed
Jan 17 11:31:00 Info Load libraries in 0.044 secs
Jan 17 11:26:19 Warning A10LB HTTP request has p-conn
Jan 17 11:26:19 Warning A10LB HTTP response not beginning of header: m counterType="1" hourlyCount="2396" dailyCount="16295" weeklyCount="16295" monthly
Jan 17 11:16:18 Warning A10LB HTTP request has p-conn
Jan 17 11:16:01 Notice The session [1] is closed
Jan 17 11:16:00 Info Load libraries in 0.055 secs
Jan 17 11:15:22 Warning A10LB HTTP request has p-conn
Jan 17 11:15:03 Notice The session [1] is closed
Jan 17 11:14:33 Warning A10LB HTTP request has p-conn
Jan 17 11:14:07 Warning A10LB HTTP request has p-conn
Jan 17 11:13:23 Warning A10LB HTTP request has p-conn
Jan 17 11:12:47 Info Load libraries in 0.047 secs
Jan 17 11:12:47 Notice The session for user admin from 192.168.1.166 is opened. Session ID is [4]
Jan 17 11:09:28 Warning A10LB HTTP request has p-conn
Jan 17 11:09:18 Warning A10LB HTTP response not beginning of header: 5a8^M p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ^M Korn shell programming la
Jan 17 11:01:04 Warning A10LB HTTP request has p-conn
--MORE--
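The following Python script is an added example, not part of the A10 manual. It parses captured show log text in the layout shown above into records, joins wrapped continuation lines to the entry they belong to, and extracts admin session-open events with their source address. The sample text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the "show log" output above
# (newest entry first). The line "Session ID is [4]" is a wrapped
# continuation of the entry before it.
SAMPLE = """\
Log Buffer: 30000
Jan 17 11:32:02 Warning A10LB HTTP request has p-conn
Jan 17 11:31:01 Notice  The session [1] is closed
Jan 17 11:12:47 Notice  The session for user admin from 192.168.1.166 is opened.
Session ID is [4]
Jan 17 11:09:28 Warning A10LB HTTP request has p-conn
--MORE--
"""

# Month, day, time, severity, then the free-form message.
ENTRY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"(?P<level>\S+) +(?P<msg>.*)$"
)

# Wording of the session-open message as it appears in the output above.
LOGIN = re.compile(
    r"The session for user (?P<user>\S+) from (?P<src>\S+) is opened\."
    r"\s*Session ID is \[(?P<sid>\d+)\]"
)


def parse_show_log(text):
    """Return a list of {"ts", "level", "msg"} dicts, in buffer order."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        # Skip the buffer-size banner, pager prompts and blank lines.
        if not line or line.startswith("Log Buffer:") or line.startswith("--MORE--"):
            continue
        match = ENTRY.match(line)
        if match:
            entries.append(
                {"ts": match["ts"], "level": match["level"], "msg": match["msg"]}
            )
        elif entries:
            # No timestamp: the line is the wrapped tail of the previous entry.
            entries[-1]["msg"] += " " + line.strip()
    return entries


def admin_logins(entries):
    """Return (timestamp, user, source address, session id) per session-open event."""
    logins = []
    for entry in entries:
        match = LOGIN.search(entry["msg"])
        if match:
            logins.append((entry["ts"], match["user"], match["src"], int(match["sid"])))
    return logins


if __name__ == "__main__":
    for ts, user, src, sid in admin_logins(parse_show_log(SAMPLE)):
        print("%s  user=%s  source=%s  session=%d" % (ts, user, src, sid))
```
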

show mac-address-table
Description  Display MAC table entries.

Syntax       show mac-address-table [macaddr | port port-num | vlan vlan-id]

             Option          Description
             macaddr         Shows the MAC table entry for the specified MAC address. Enter the MAC address in the following format: aaaa.bbbb.cccc
             port port-num   Shows the MAC table entries for the specified Ethernet port.
             vlan vlan-id    Shows the MAC table entries for the specified VLAN.

Mode         All

Example      The following command displays the MAC table entry for MAC address 0013.72E3.C773:

AX#show mac-address-table 0013.72E3.C773
Total active entries: 1   Age time: 300 secs
MAC-Address      Port  Type     Index  Vlan  Age
---------------------------------------------------------
0013.72E3.C773   1     Dynamic  16     10    90

Table 40 describes the fields in the command output.

TABLE 40 show mac-address-table fields
Field                  Description
Total active entries   Total number of active MAC entries in the table. An active entry is one that has not aged out.
Age time               Number of seconds a dynamic (learned) MAC entry can remain unused before it is removed from the table.
MAC-Address            MAC address of the entry.
Port                   Ethernet port through which the MAC address is reached.
Type                   Indicates whether the entry is dynamic or static.
Index                  The MAC entry's position in the MAC table.
Vlan                   VLAN the MAC address is on.
Age                    Number of seconds since the entry was last used.

show management
Description  Show the types of management access allowed on each of the AX Series device's Ethernet interfaces.

Syntax       show management

Mode         All

Usage        To configure the management access settings, see "enable-management" on page 105 and "disable-management" on page 101.

Example      The following command shows the management access settings on an AX Series device.

AX#show management
       PING  SSH  Telnet  HTTP  HTTPS  SNMP  ACL
-------------------------------------------------------
mgmt   on    on   off     on    on     on    -
1      on    off  off     off   off    off   -
2      on    off  on      off   off    off   -
3      on    off  on      off   off    off   -
4      on    off  on      off   off    off   -
5      on    off  on      off   off    off   -
6      on    off  on      off   off    off   -
7      on    off  on      off   off    off   -
9      on    off  on      off   off    off   -
10     on    off  on      off   off    off   3
ve1    on    off  on      on    off    off   -
ve2    on    off  on      off   off    off   -
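The following Python script is an added example, not part of the A10 manual. It parses captured show management output and lists every interface on which Telnet or HTTP, the two unencrypted management protocols in the table, is enabled, together with whether an ACL is bound to that interface. The sample text is constructed to follow the layout of the output above, and the function names are hypothetical.

```python
# Constructed sample modeled on the "show management" output shown above.
SAMPLE = """\
AX#show management
       PING  SSH  Telnet  HTTP  HTTPS  SNMP  ACL
-------------------------------------------------------
mgmt   on    on   off     on    on     on    -
1      on    off  off     off   off    off   -
2      on    off  on      off   off    off   -
10     on    off  on      off   off    off   3
ve1    on    off  on      on    off    off   -
ve2    on    off  on      off   off    off   -
"""

# Column order of the on/off flags, as printed in the table header.
SERVICES = ("PING", "SSH", "Telnet", "HTTP", "HTTPS", "SNMP")

# Management protocols in the table that carry credentials unencrypted.
CLEARTEXT = ("Telnet", "HTTP")


def parse_show_management(text):
    """Return {interface: {"services": {name: bool}, "acl": str or None}}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # A data row is an interface name followed by six on/off flags and
        # an optional ACL column; anything else (prompt, header, separator,
        # blank line) is skipped.
        if len(fields) < 7 or any(f not in ("on", "off") for f in fields[1:7]):
            continue
        acl = fields[7] if len(fields) > 7 and fields[7] != "-" else None
        table[fields[0]] = {
            "services": dict(zip(SERVICES, (f == "on" for f in fields[1:7]))),
            "acl": acl,
        }
    return table


def audit(table):
    """Return (interface, service, ACL scope) for each enabled cleartext service."""
    findings = []
    for ifname, row in table.items():
        for service in CLEARTEXT:
            if row["services"][service]:
                if row["acl"]:
                    scope = "restricted by ACL %s" % row["acl"]
                else:
                    scope = "no ACL"
                findings.append((ifname, service, scope))
    return findings


if __name__ == "__main__":
    for ifname, service, scope in audit(parse_show_management(SAMPLE)):
        print("%-5s %-7s enabled (%s)" % (ifname, service, scope))
```
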


show memory
Description  Display memory usage information.

Syntax       show memory [cache | system]

             Option   Description
             cache    Shows cache statistics.
             system   Shows summary statistics for memory usage.

Mode         All

Example      The following command shows summary statistics for memory usage:

AX#show memory system
System Memory Usage:
Total(KB)  Free    Shared  Buffers  Cached  Usage
---------------------------------------------------------------------------
2070368    751580  0       269560   96756   59.0%

Example      The following command shows memory usage for individual system modules:

AX#show memory
         Total(KB)  Used     Free    Usage
----------------------------------------------------
Memory:  2070368    1222016  848352  59.0%

System memory:
Object size(byte)  Allocated(#)  Max(#)
----------------------------------------------------------------
16                 195           10240
48                 21            10240
112                536           10240
240                20            10240
496                3             10240
1008               1             1280
2032               1             1280
4080               0             1280
aFleX memory:
Object size(byte)  Allocated(#)  Max(#)
----------------------------------------------------------------
16                 438           10240
48                 1204          163840
--MORE--

48                 1204          163840
112                759           163840
240                53            320
496                25            160
1008               10            80
2032               1             40
4080               8             40

N2 memory:
Object size(byte)  Allocated(#)  Max(#)
----------------------------------------------------------------
96                 1             10240
224                0             10240
480                0             10240
992                2000          10240
2016               1512          10240
SSL memory:
Object size(byte)  Allocated(#)  Max(#)
----------------------------------------------------------------
48                 2786          10240
112                72            10240
240                81            10240
--MORE--

Example      The following command shows memory cache information:

AX#show memory cache
System block 16:
Object size: 16, Total in pool: 10240, Allocated to control: 195
Allocated to 8 data threads: 0, 0, 0, 0, 0, 0, 0, 0,
System block 48:
Object size: 48, Total in pool: 10240, Allocated to control: -46510
Allocated to 8 data threads: -426, 29556, 17401, 0, 0, 0, 0, 0,
System block 112:
Object size: 112, Total in pool: 10240, Allocated to control: 24
Allocated to 8 data threads: 512, 0, 0, 0, 0, 0, 0, 0,
System block 240:
Object size: 240, Total in pool: 10240, Allocated to control: 20
Allocated to 8 data threads: 0, 0, 0, 0, 0, 0, 0, 0,
System block 496:
Object size: 496, Total in pool: 10240, Allocated to control: 0
Allocated to 8 data threads: 0, 2, 1, 0, 0, 0, 0, 0,
System block 1008:
Object size: 1008, Total in pool: 1280, Allocated to control: 1
--MORE--


show mirror
Description  Display port mirroring information.

Syntax       show mirror

Mode         All

Example      The following example shows the port mirroring configuration on an AX Series device:

AX#show mirror
Mirror Port : 4
Port monitored at ingress : 2
Port monitored at egress : 2

Table 41 describes the fields in the command output.

TABLE 41 show mirror fields
Field                       Description
Mirror Port                 Port to which the traffic is copied. This is the port to which the protocol analyzer should be attached.
Port monitored at ingress   Port(s) whose inbound traffic is copied to the monitor port.
Port monitored at egress    Port(s) whose outbound traffic is copied to the monitor port.

show monitor
Description  Display the event thresholds for system resources.

Syntax       show monitor

Mode         All

Example      The following commands set the event threshold for data CPU utilization to 80% and verify the result:

AX(config)#monitor data-cpu 80
AX(config)#show monitor
Current system monitoring threshold:
Hard disk usage:     85
Memory usage:        95
Control CPU usage:   90
Data CPU usage:      80
IO Buffer usage:     60000
Buffer Drop:         100
Warning Temperature: 68

show ntp
Description  Show the Network Time Protocol (NTP) configuration and status.

Syntax       show ntp {servers | status}

             Option    Description
             servers   Shows the NTP configuration and shows whether the AX Series device is synchronized with the NTP server.
             status    Shows whether the AX Series device is synchronized with the NTP server.

Mode         All

Example      The following command shows the NTP configuration and the synchronization status:

AX#show ntp servers
( * = The NTP server is currently synchronized with AX system )
Ntp server    Sync Interval(minute)   Status
-----------------------------------------------------------
*10.1.4.20    1440                    enabled

Table 42 describes the fields in the command output.

TABLE 42 show ntp fields
Field           Description
NTP server      IP address of the NTP server. The asterisk ( * ) in front of the address indicates that the AX Series device is synchronized with the NTP server. If there is no asterisk, the device is not synchronized with the NTP server.
Sync Interval   Number of minutes between each synchronization with the NTP server.
Status          Indicates whether NTP is enabled.

Example      The following command shows the NTP synchronization status:

AX#show ntp status
NTP sync status: success

show partition
Description  Show the private partitions, used by Role-Based Administration (RBA), that are configured on the AX device.

Syntax       show partition

Mode         All

Usage        To use this command, you must be logged in with an admin account that has Root, Read-write, or Read-only privileges. (See "show admin" on page 528 for descriptions of the admin privilege levels.)

Example      The following command displays the private partitions configured on an AX device:

AX(config)#show partition
Max Number allowed: 128
Total Number of partitions configured: 2
Partition Name   Max. aFleX File Allowed   # of Admins
------------------------------------------------------
companyA         32                        2
companyB         32                        3

Table 43 describes the fields in the command output.

TABLE 43 show partition fields
Field                                   Description
Max Number allowed                      Maximum number of partitions the AX device can have.
Total Number of partitions configured   Total number of partitions the AX device currently has.
Partition Name                          Name of the private partition.
Max. aFleX File Allowed                 Maximum number of aFleX policies that can belong to the partition.
# of Admins                             Number of admins configured for the partition.


show pbslb
Description  Show configuration information and statistics for Policy-based SLB (PBSLB).

Syntax       show pbslb [name]
             show pbslb client [ipaddr]
             show pbslb system
             show pbslb virtual-server virtual-server-name [port port-num service-type]

             Option            Description
             name              Shows information for virtual servers.
             client [ipaddr]   Shows information for black/white list clients.
             system            Shows statistics for system-wide PBSLB.
             virtual-server virtual-server-name [port port-num service-type]
                               Shows statistics for IP limiting on the specified virtual server.

Mode         All

Example      The following command shows PBSLB information for an AX Series device:

AX#show pbslb
Total number of PBSLB configured: 1
Virtual server  Port  Blacklist/whitelist  GID  Connection # (Establish Reset Drop)
------------------------------------------------------------------------------
PBSLB_VS1       80    sample-bwlist        2    0 0 0
                                           4    0 0 0

Table 44 describes the fields in the command output.

TABLE 44 show pbslb fields
Field                             Description
Total number of PBSLB configured  Number of black/white lists imported onto the AX Series device.
Virtual server                    SLB virtual server to which the black/white list is bound.
Port                              Protocol port.
Blacklist/whitelist               Name of the black/white list.
GID                               Group ID.
Connection # Establish            Number of client connections established to the group and protocol port.
Connection # Reset                Number of client connections to the group and protocol port that were reset.
Connection # Drop                 Number of client connections to the group and protocol port that were dropped.

Example      The following command shows PBSLB information for VIP vs-22-4:

AX#show pbslb vs-22-4
GID = Group ID, A = Action, OL = Over-limit
GID    Establish   Reset(A)    Drop(A)     Reset(OL)   Drop(OL)    Ser-sel-fail
-------+-----------+-----------+-----------+-----------|-----------+-----------
Virtual server: vs-22-4 Port: 80 B/W list: test
1      88          0           3           2           0           0
2      112         0           2           0           0           1
3      29          0           0           0           0           0
4      11          1           0           0           0           0

show process
Description  Display the status of system processes.

Syntax       show process system

Mode         All

Usage        For descriptions of the system processes, see the "AX Software Processes" section in the "System Overview" chapter of the AX Series Configuration Guide.

Example      The following command shows the status of system processes on an AX Series device:

AX#show process system
a10mon is running
syslogd is running
a10logd is running
a10timer is running
a10Stat is running
a10hm is running
a10switch is running
a10rt is running
a10rip is running
a10ospf is running
a10snmpd is running
a10gmpd is running
a10wa is running
a10lb is running

show reboot
Description  Display scheduled system reboots.

Syntax       show reboot

Mode         All

Example      The following command shows a scheduled reboot on an AX Series device:

AX#show reboot
Reboot scheduled for 04:20:00 PST Sun Apr 20 2008 (in 63 hours and 16 minutes) by admin on 192.168.1.144
Reboot reason: Outlook_upgrade

show router log file


Description  Show router logs.

Syntax       show router log file [ file-num | nsm [file-num] | ospf6d [file-num] | ospfd [file-num] ]

             Parameter           Description
             file-num            Log file number.
             nsm [file-num]      Displays the specified Network Services Module (NSM) log file, or all NSM log files.
             ospf6d [file-num]   Displays the specified IPv6 OSPFv3 log file, or all OSPFv3 log files.
             ospfd [file-num]    Displays the specified IPv4 OSPFv2 log file, or all OSPFv2 log files.

Mode         Any

show running-config
Description  Display the running-config.

Syntax       show running-config [ ha | health-monitor [name] [all-partitions | partition partition-name] | interfaces [ethernet [portnum] | ve [num] | loopback [num] | management | slb [server [name] | service-group [name] | virtual-server [name]] [all-partitions | partition partition-name] | vlan [vlan-id] | all-partitions | partition partition-name ]

             Option   Description
             ha       Shows High Availability configuration commands in the running-config.
             health-monitor [name] [all-partitions | partition partition-name]
                      Shows health-monitor configuration commands in the running-config. To display the health monitors for a specific RBA partition, use the partition partition-name option.
             slb [server [name] | service-group [name] | virtual-server [name]] [all-partitions | partition partition-name]
                      Shows SLB server, service-group, and virtual-server configuration commands in the running-config. To display the health monitors for a specific RBA partition, use the partition partition-name option.
             vlan [vlan-id]
                      Shows VLAN configuration commands in the running-config.
             all-partitions
                      Shows all resources in all partitions. In this case, the resources in the shared partition are listed first. Then the resources in each private partition are listed, organized by partition.
             partition partition-name
                      Shows only the resources in the specified partition.

Mode         All

Usage        The all-partitions and partition partition-name options are applicable on AX devices that are configured for Role-Based Administration (RBA). If you omit both options, only the resources in the shared partition are shown. (If RBA is not configured, all resources are in the shared partition, so you can omit both options.) The all-partitions option is applicable only to admins with Root, Read-write, or Read-only privileges. (See "show admin" on page 528 for descriptions of the admin privilege levels.)

Example      The following command shows the running-config on an AX Series device:

AX#show running-config
!Current configuration : 10577 bytes
!Configuration last updated at 18:01:01 PST Mon Jan 21 2008
!Configuration last saved at 15:09:41 PST Mon Jan 21 2008
!version 1.2.0
!
hostname AX2K-B
!
clock timezone America/Tijuana
!
!
!
vlan 10
 untagged ethernet 1
 router-interface ve 10
!
vlan 11
 untagged ethernet 2
 router-interface ve 11
!
vlan 20
 tagged ethernet 4
 router-interface ve 20
--MORE--

show session
Description  Display session information.

Syntax       show session [ brief | filter {filter-name | config} | ipv4 [addr-suboptions] | ipv4v6 [addr-suboptions] | ipv6 [addr-suboptions] | persist [persistence-type [addr-suboptions]] | sip [addr-suboptions] ]

             Parameter   Description
             brief       Displays summary statistics for all session types.

             filter filter-name | config
                         Displays information about configured session filters.
                         filter-name  Displays the specified session filter.
                         config  Displays all configured session filters.

             ipv4 [addr-suboptions]
                         Displays information for IPv4 sessions. The following address suboptions are supported:
                         source-addr ipaddr [{subnet-mask | /mask-length}]  Displays IPv4 sessions that have the specified source IP address.
                         source-port port-num  Displays IPv4 sessions that have the specified source protocol port number, 1-65535.
                         dest-addr ipaddr [{subnet-mask | /mask-length}]  Displays IPv4 sessions that have the specified destination IP address.
                         dest-port port-num  Displays IPv4 sessions that have the specified destination protocol port number, 1-65535.
                         You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.

             ipv4v6 [addr-suboptions]
                         Displays information for IPv4-IPv6 or IPv6-IPv4 sessions. The following address suboptions are supported:
                         source-addr {ipaddr [{subnet-mask | /mask-length}] | ipv6addr/mask-length}  Displays sessions that have the specified IPv4 or IPv6 source IP address.
                         source-port port-num  Displays sessions that have the specified source protocol port number, 1-65535.
                         dest-addr {ipaddr [{subnet-mask | /mask-length}] | ipv6addr/mask-length}  Displays sessions that have the specified IPv4 or IPv6 destination IP address.
                         dest-port port-num  Displays sessions that have the specified destination protocol port number, 1-65535.
                         You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.

             ipv6 [addr-suboptions]
                         Displays information for IPv6 sessions. The following address suboptions are supported:
                         source-addr ipv6addr/mask-length  Displays sessions that have the specified IPv6 source IP address.
                         source-port port-num  Displays IPv6 sessions that have the specified source protocol port number, 1-65535.
                         dest-addr ipv6addr/mask-length  Displays sessions that have the specified IPv6 destination IP address.
                         dest-port port-num  Displays IPv6 sessions that have the specified destination protocol port number, 1-65535.
                         You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.

             persist [persistence-type [addr-suboptions]]
                         Displays information for persistent sessions. The following options are supported:
                         persistence-type  Displays sessions of the specified persistence type:
                            dst-ip  Displays destination-IP persistent sessions.
                            src-ip  Displays source-IP persistent sessions.
                            ssl-id  Displays SSL-session-ID persistent sessions.
                         The addr-suboptions are the same as those supported for show session ipv4. (See above.)

             sip [addr-suboptions]
                         Displays information for Session Initiation Protocol (SIP) sessions. The addr-suboptions are the same as those supported for show session ipv4v6. (See above.)

Mode         All

Usage        For convenience, you can save session display options as a session filter. (See "session-filter" on page 146.)

Example      The following command lists information for all IPv4 sessions:

AX(config)#show session ipv4
Traffic Type              Total
--------------------------------------------
TCP Established           2
TCP Half Open             0
UDP                       0
Non TCP/UDP IP sessions   0
Other                     0
Reverse NAT TCP           0
Reverse NAT UDP           0
Free Buff Count           0
Curr Free Conn            2007033
Conn Count                10
Conn Freed                8
TCP SYN Half Open         0
Conn SMP Alloc            13
Conn SMP Free             2
Conn SMP Aged             2

Prot  Forward Source    Forward Dest   Reverse Source  Reverse Dest      Age  Hash
----------------------------------------------------------------------------------------------------------
Tcp   1.0.4.147:49107   1.0.100.1:21   1.0.3.148:21    1.0.4.147:49107   120  2
Tcp   1.0.16.2:58736    1.0.100.1:21   1.0.3.148:21    1.0.16.2:58736    60   2
Total Sessions: 2

Table 45 describes the fields in the command output.

TABLE 45 show session fields
Field                     Description
TCP Established           Number of established TCP sessions.
TCP Half Open             Number of half-open TCP sessions. A half-open session is one for which the AX Series device has not yet received a SYN ACK from the backend server.
UDP                       Number of UDP sessions.
Non TCP/UDP IP sessions   Number of IP sessions other than TCP or UDP sessions. This counter applies specifically to IP protocol load balancing. (See the "IP Protocol Load Balancing" chapter in the AX Series Configuration Guide.)
Other                     Number of internally used sessions. As an example, internal sessions are used to hold fragmentation information.
Reverse NAT TCP           Number of reverse-NAT TCP sessions.
Reverse NAT UDP           Number of reverse-NAT UDP sessions.
Free Buff Count           Number of IO buffers currently available.
Curr Free Conn            Number of Layer 4 sessions currently available.
Conn Count                Number of connections.
Conn Freed                Number of connections freed after use.
TCP SYN Half Open         Number of half-open TCP sessions. These are sessions that are half-open from the client's perspective.
Conn SMP Alloc            Statistics used by A10 Technical Support.
Conn SMP Free
Conn SMP Aged
Prot                      Transport protocol.
Forward Source            Client IP address when connecting to a VIP.
                          Note: For DNS sessions, the client's DNS transaction ID is shown instead of a protocol port number.
                          Note: For source-IP persistent sessions, the value shown in the Forward Source column is a combination of the IP address and the port number. The first two bytes of the displayed value are the third and fourth octets of the client IP address. The last two bytes of the displayed value represent the client source port.
Forward Dest              VIP to which the client is connected.
Reverse Source            Real server's IP address.
                          Note: If the AX device is functioning as a cache server (RAM caching), asterisks ( * ) in this field and the Reverse Dest field indicate that the AX device directly served the requested content to the client from the AX RAM cache. In this case, the session is actually between the client and the AX device rather than the real server.
Reverse Dest              IP address to which the real server responds. If source NAT is used for the virtual port, this address is the source NAT address used by AX device when connecting to the real server. If source IP NAT is not used for the virtual port, this address is the client IP address.
Age                       Number of seconds since the session started.

Example      The following command displays the IPv4 session for a specific source IP address:

AX(config)#show session ipv4 source-addr 1.0.4.147
Prot  Forward Source    Forward Dest   Reverse Source  Reverse Dest      Age  Hash
----------------------------------------------------------------------------------------------------------
Tcp   1.0.4.147:49107   1.0.100.1:21   1.0.3.148:21    1.0.4.147:49107   120  2
Total Sessions: 1

Example      The following commands display source-IP persistent sessions, clear one of the sessions, then verify that the session has been cleared:

AX(config)#show session persist src-ip
Prot  Forward Source  Forward Dest   Reverse Source  Age
------------------------------------------------------------------------
src   1.0.16.2        1.0.100.1:21   1.0.3.148       6000
src   1.0.4.147       1.0.100.1:21   1.0.3.148       6000
Total Sessions: 2
AX(config)#clear sessions persist src-ip source-addr 1.0.16.2
AX(config)#show session persist src-ip
Prot  Forward Source  Forward Dest   Reverse Source  Age
------------------------------------------------------------------------
src   1.0.4.147       1.0.100.1:21   1.0.3.148       5880

Note:        To show both the client IP address and the client protocol port number, the value shown in the Forward Source column is a combination of the IP address and the port number. The first two bytes of the displayed value are the third and fourth octets of the client IP address. The last two bytes of the displayed value represent the client source port.

show shutdown
Description   Display scheduled system shutdowns.
Syntax        show shutdown
Mode          All
Example       The following command shows a scheduled shutdown on an AX Series device:

AX#show shutdown
Shutdown scheduled for 12:00:00 PST Sat Jan 19 2008 (in 358 hours and 23 minutes) by admin on 192.168.1.144
Shutdown reason: Scheduled shutdown


show sip
Description   Show SIP SLB statistics.
Syntax        show sip
Mode          All
Example       The following command shows SIP SLB statistics on an AX Series device:

AX#show sip
Sip current session:                  8
Total sip session created:            12
Total sip session deleted:            4
Total sip packet from client:         99
Total sip packet from server:         12
Total sip packet between clients:     32
Total sip server selection failure:   0

show slb
Description See SLB Show Commands on page 653.

show smtp
Description   Display SMTP information.
Syntax        show smtp
Mode          All
Example       The following command shows the SMTP server address:

AX#show smtp
SMTP server address: 192.168.1.99


show startup-config
Description   Display a configuration profile or display a list of all the locally saved configuration profiles.

Syntax        show startup-config [ all [cf] | all-partitions | partition {shared | partition-name} | profile profile-name [cf] [all-partitions | partition {shared | partition-name}] ]

Option                                Description
all [cf]                              Displays a list of the locally stored configuration profiles. The cf option displays all the configuration profiles stored on the compact flash.
all-partitions                        Shows all resources in all partitions. In this case, the resources in the shared partition are listed first. Then the resources in each private partition are listed, organized by partition.
partition {shared | partition-name}   Shows only the resources in the specified partition.
profile profile-name [options]        Displays the commands that are in the specified configuration profile. The cf option displays the configuration profile on the compact flash rather than the hard disk. If you omit this option, the configuration profile on the hard disk is displayed. The all-partitions option shows all resources in all partitions. The partition option shows only the resources in the specified partition.



Mode          All

Usage         The all-partitions and partition partition-name options are applicable on AX devices that are configured for Role-Based Administration (RBA). If you omit both options, only the resources in the shared partition are shown. (If RBA is not configured, all resources are in the shared partition, so you can omit both options.)

              The all-partitions option is applicable only to admins with Root, Readwrite, or Read-only privileges. (See show admin on page 528 for descriptions of the admin privilege levels.)

              When entered without the all or profile-name option, this command displays the contents of the configuration profile that is currently linked to startup-config. Unless you have relinked startup-config, the configuration profile that is displayed is the one that is stored in the image area from which the AX device most recently rebooted.

Example       The following command shows the configuration profile currently linked to startup-config on an AX Series device:

AX#show startup-config
Building configuration...
!Current configuration: 10580 bytes
!Configuration last updated at 15:01:01 PST Mon Jan 21 2008
!Configuration last saved at 15:09:41 PST Mon Jan 21 2008
!version 1.2.0
!
hostname AX2K-B
!
clock timezone America/Tijuana
!
!
!
vlan 10
 untagged ethernet 1
 router-interface ve 10
!
vlan 11
 untagged ethernet 2
 router-interface ve 11
!
vlan 20
--MORE--

Example

The following command shows a list of the configuration profiles locally saved on the AX device. The first line of output lists the configuration profile that is currently linked to startup-config. If the profile name is default, then startup-config is linked to the configuration profile stored in the image area from which the AX device most recently rebooted.

AX#show startup-config all
Current Startup-config Profile: default
Profile-Name          Size      Time
------------------------------------------------------------
1210test              1957      Jan 28 18:39
lb-v6                 13414     Jan 23 19:19

show statistics
Description   Display packet statistics for Ethernet interfaces.
Syntax        show statistics [interface ethernet port-num]
Mode          All
Example       The following command shows brief statistics for all Ethernet interfaces on an AX Series device:

AX#show statistics
Port    Good Rcv    Good Sent    Bcast Rcv    Bcast Sent    Errors
---------------------------------------------------------------------------
1       3026787     3013699      91573        154220        0
2       0           0            0            0             0
3       0           0            0            0             0
...
XAUI    3171070     3118342      275613       216063        0

Note:         The XAUI port is an internal port, not a user-configured interface.

Example       The following command shows detailed statistics for Ethernet interface 1:

AX#show statistics interface ethernet 1
Port  Link  Dupl  Speed  IsTagged  MAC Address
---------------------------------------------------
1     Up    Full  1000   Untagged  0090.0B0A.D860
Port 1 Counters:
InPkts             6926        OutPkts             427659
InOctets           477802      OutOctets           323788182
InBroadcastPkts    5573        OutBroadcastPkts    62389
InMulticastPkts    0           OutMulticastPkts    359729
InBadPkts          0           OutBadPkts          0
OutDiscards        0           Collisions          0
InLongOctet        477802      InAlignErr          0
InLengthErr        0           InOverErr           0
InFrameErr         0           InCrcErr            0
InNoBufErr         0           InMissErr           48
InLongLenErr       0           InShortLenErr       0
OutAbortErr        0           OutCarrierErr       0
OutFifoErr         0           OutLateCollisions   0
InFlowCtrlXon      0           OutFlowCtrlXon      0
InFlowCtrlXoff     0           OutFlowCtrlXoff     0
InBufAllocFailed   0
InUtilization      15          OutUtilization      0

show switch
Description   Display internal system information for troubleshooting.

Note:         This command is applicable only to models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. The command does not appear in the CLI on other models.

Syntax        show switch bridge-egress-filtering
              show switch bridge-global
              show switch cascading-header-insertion
              show switch debug
              show switch dump-all
              show switch fdb-global
              show switch ingress-drop-counter
              show switch ingress-port-bridge port-num
              show switch mac-table
              show switch phy-10g-reg port port-num register number-hex
              show switch phy-10g-reg-ext device number port port-num register number-hex
              show switch phy-dump port port-num
              show switch phy-reg port port-num register number-hex
              show switch port-counter port-num
              show switch port-mib-counters port-num
              show switch port-vlan-register port-num
              show switch register number-hex [bitmask number] [field-offset number field-length number]
              show switch route-table
              show switch trunk-table
              show switch unicast-routing-engine
              show switch vlan-table
              show switch xfp-temp

Mode          All

Usage         Some options apply only to certain models. Only the mac-table, vlan-table, and xfp-temp options are supported on models AX 5100 and AX 5200.

show system resource-usage


Description   Display the minimum and maximum numbers of each type of system resource that can be configured or used, the default maximum number allowed by the configuration, and the number currently in use.

              For example, the l4-session-count row of the output shows the number of Layer 4 sessions that are currently in use, as well as the maximum number currently supported by the configuration (the default maximum), and the range of values that can be assigned to the default maximum.

Syntax        show system resource-usage
Mode          All
Usage         To change system resource usage settings, see the system resource-usage command on page 165.



Example       The following command shows system resource usage:

AX#show system resource-usage
Resource                        Current   Default   Minimum   Maximum
--------------------------------------------------------------------------
l4-session-count                8388608   8388608   524288    33554432
nat-pool-addr-count             500       500       500       4000
real-server-count               1024      1024      512       2048
real-port-count                 2048      2048      512       4096
service-group-count             512       512       512       1024
virtual-port-count              512       512       256       1024
virtual-server-count            512       512       512       1024
http-template-count             256       256       32        1024
proxy-template-count            128       128       32        128
conn-reuse-template-count       256       256       32        1024
fast-tcp-template-count         256       256       32        1024
fast-udp-template-count         256       256       32        1024
client-ssl-template-count       256       256       32        1024
server-ssl-template-count       256       256       32        1024
stream-template-count           256       256       32        1024
persist-cookie-template-count   256       256       32        1024
persist-srcip-template-count    256       256       32        1024

show tacacs-server
Description   Display TACACS statistics.
Syntax        show tacacs-server [hostname | ipaddr]
Mode          All
Example       The following command shows information for TACACS server 5.5.5.5:

AX#show tacacs-server 5.5.5.5
TACACS+ server : 5.5.5.5:49
Socket opens:               0
Socket closes:              0
Socket aborts:              0
Socket errors:              0
Socket timeouts:            0
Failed connect attempts:    0
Total packets recv:         0
Total packets send:         0


show techsupport
Description   Display or export system information for use when troubleshooting.

Syntax        show techsupport [export [use-mgmt-port] url] [page]

Option                       Description
export [use-mgmt-port] url   Exports the output to a remote server. The url specifies the file transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
                             tftp://host/file
                             ftp://[user@]host[:port]/file
                             scp://[user@]host/file
                             rcp://[user@]host/file
page                         Shows the information page by page. Without this option, all the command's output is sent to the terminal at once.

Mode          All

show terminal
Description   Show the terminal settings.
Syntax        show terminal
Mode          All
Example       The following command shows the terminal settings.

AX#show terminal
Idle-timeout is 00:10:00
Length: 24 lines, Width: 80 columns
Editing is enabled
History is enabled, history size is 256
Auto size is enabled
Terminal monitor is off

show tftp
Description   Display the currently configured TFTP block size.
Syntax        show tftp
Mode          All
Example       The following command shows the TFTP block size.

AX(config)#show tftp
TFTP client block size is set to 512

show trunk
Description   Show information about a trunk group.

Syntax        show trunk num

Option        Description
num           Trunk number

Mode          All

Example       The following command shows information for trunk group 1:

AX#show trunk 1
Trunk ID         : 1            Member Count: 8
Trunk Status     : Up
Members          : 1    2    3    4    5    6    7    8
Cfg Status       : Enb  Enb  Enb  Enb  Enb  Enb  Enb  Enb
Oper Status      : Up   Up   Up   Up   Up   Up   Up   Up
Ports-Threshold  : 6            Timer: 10 sec(s)  Running: No
Working Lead     : 1

Table 46 describes the fields in the command output.



TABLE 46 show trunk fields

Field             Description
Trunk ID          ID assigned to the trunk by the admin who configured it.
Member Count      Number of ports in the trunk.
Trunk Status      Indicates whether the trunk is up.
Members           Port numbers in the trunk.
Cfg Status        Configuration status of the port.
Oper Status       Operational status of the port.
Ports-Threshold   Indicates the minimum number of ports that must be up in order for the trunk to remain up. If the number of up ports falls below the configured threshold, the AX automatically disables the trunk's member ports. The ports are disabled in the running-config. The AX device also generates a log message and an SNMP trap, if these services are enabled.
Timer             Indicates how many seconds the AX device waits after a port goes down before marking the trunk down, if the ports threshold is exceeded.
Running           Indicates whether the ports-threshold timer is currently running. When the timer is running, a port has gone down but the state change has not yet been applied to the trunk's state.
Working Lead      Port number used for responding to ARP requests and for Layer 2 processing.
                  Note: If the lead port number shown is 0, the trunk interface is down.

show version
Description   Display software, hardware, and firmware version information.
Syntax        show version
Mode          All
Example       The following command shows version information for an AX 2200:

AX#show version
AX Series Advanced Traffic Manager AX2600
Copyright 2007-2010 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
Advanced Core OS (ACOS) version 2.4.3-P1, build 9 (Jun-17-2010,12:06)
Booted from NFS
Serial Number: AX**************
Firmware version 7.11
aFleX version: 2.0.0
Last configuration saved at Jun-18-2010, 18:36
Hardware: 4 CPUs(Stepping 6), Dual 70G Hard disks
Memory 2074 Mbyte, Free Memory 937 Mbyte
Current time is Jun-21-2010, 19:30
The system has been up 3 days, 20 hours, 15 minutes

show vlans
Description   Display the configured VLANs.
Syntax        show vlans [vlan-id]
Mode          All
Example       The following command lists all the VLANs configured on an AX Series device:

AX#show vlans
Total VLANs: 2
VLAN 1:
  Untagged Ports:   2   3   4   5   6   7   8   9
                   10  11  12  13  14  15  17  18
                   19  20
  Tagged Ports:    None
VLAN 199:
  Untagged Ports:   1  16
  Tagged Ports:    None

show web-service
Description   Show settings for Web-management access.
Syntax        show web-service
Mode          All
Example       The following command shows the settings for access to the management GUI on an AX Series device:

AX#show web-service
AX Web server:
    Idle time:        10 minutes
    Http port:        80
    Https port:       443
    Auto redirect:    Enabled
    Https:            Enabled
    aXAPI Idle time:  5 minutes

Table 47 describes the fields in the command output.

TABLE 47 show web-service fields

Field             Description
Idle time         Number of minutes a web management session can remain idle before the AX device terminates the session.
HTTP port         HTTP port number on which the AX device listens for connections to the management GUI.
HTTPS port        HTTPS port number on which the AX device listens for connections to the management GUI.
Auto redirect     Indicates whether requests for the HTTP port are automatically redirected to the HTTPS port.
HTTPS             State of the HTTPS port on the AX device.
aXAPI Idle time   Number of minutes an aXAPI session can remain idle before being terminated. Once the aXAPI session is terminated, the session ID generated by the AX device for the session is no longer valid.
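The fields in Table 47 can be checked automatically when reviewing management-plane settings across several devices. The following is an added example, not part of the A10 documentation: the function names, the one-setting-per-line layout of the captured text, and the 15-minute idle policy are assumptions of this example.

```python
import re

# Values copied from the example on this page; one setting per line is an assumed layout.
SAMPLE = """\
AX#show web-service
AX Web server:
    Idle time:        10 minutes
    Http port:        80
    Https port:       443
    Auto redirect:    Enabled
    Https:            Enabled
    aXAPI Idle time:  5 minutes
"""

# Constructed output (not from the page): HTTPS and redirect off, long GUI idle time.
WEAK_SAMPLE = """\
AX#show web-service
AX Web server:
    Idle time:        60 minutes
    Http port:        80
    Https port:       443
    Auto redirect:    Disabled
    Https:            Disabled
    aXAPI Idle time:  5 minutes
"""

# "Name: value" lines only; the prompt line and the bare "AX Web server:" header do not match.
SETTING = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(\S.*?)\s*$")


def parse_web_service(text):
    """Return {lower-cased field name: value string} for every 'Name: value' line."""
    settings = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings


def _minutes(value):
    """Extract the integer from a value such as '10 minutes'; None if it does not parse."""
    m = re.match(r"(\d+)\s+minutes?\b", value or "")
    return int(m.group(1)) if m else None


def audit_web_service(text, max_idle_minutes=15):
    """List findings; max_idle_minutes is a local policy value assumed for this example."""
    s = parse_web_service(text)
    findings = []
    if s.get("https", "").lower() != "enabled":
        findings.append("Https is not Enabled: the HTTPS port is not in service")
    if s.get("auto redirect", "").lower() != "enabled":
        findings.append(
            "Auto redirect is not Enabled: requests to HTTP port %s are not "
            "redirected to HTTPS" % s.get("http port", "?"))
    for field in ("idle time", "axapi idle time"):
        mins = _minutes(s.get(field))
        if mins is None:
            findings.append("%s: missing or unparsable" % field)
        elif mins > max_idle_minutes:
            findings.append("%s is %d minutes, above the %d-minute policy"
                            % (field, mins, max_idle_minutes))
    return findings


if __name__ == "__main__":
    for name, out in (("page sample", SAMPLE), ("constructed weak sample", WEAK_SAMPLE)):
        print(name, "->", audit_web_service(out) or "no findings")
```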


SLB Show Commands


The show slb commands display information for Server Load Balancing (SLB).

To automatically re-enter a show slb command at regular intervals, see repeat on page 62.

In addition to the command options provided with some show commands, you can use output modifiers to search and filter the output. See Searching and Filtering CLI Output on page 36.

Note: For information about other show commands, see Show Commands on page 527.

show slb cache


Description   Display statistics and other information for RAM caching.

Syntax        show slb cache [entries vip-name port-num | memory-usage | replacement vip-name port-num | stats [vip-name port-num]]

Option                          Description
entries vip-name port-num       Shows a list of the cached objects.
memory-usage                    Shows memory usage for RAM caching.
replacement vip-name port-num   Shows replacement information for the specified virtual port on the specified virtual server.
stats [vip-name port-num]       Lists RAM caching statistics by VIP. If you specify a VIP or port number, statistics are displayed only for that VIP or port number.

Mode          All

Usage         If you do not use any of the optional parameters, RAM caching statistics are displayed. This is equivalent to entering the show slb cache stats command.

Example       The following command shows RAM caching statistics:

AX#show slb cache
Cache Hits                0
Cache Misses              6
Memory Used               27648
Bytes Served              0
Entries Cached            6
Entries Replaced          0
Entries Aged Out          0
Entries Cleaned           0
Total Requests            0
Cacheable Requests        0
No-cache Requests         0
No-cache Responses        0
IMS Requests              0
304 Responses             0
Revalidation Successes    0
Revalidation Failures     0
Policy URI nocache        0
Policy URI cache          0
Policy URI invalidate     0
Content Too Big           0
Content Too Small         0
Srvr Resp - Cont Len      220
Srvr Resp - Chnk Enc      37
Srvr Resp - 304 Status    0
Srvr Resp - Other         0
Cache Resp - No Comp      383579
Cache Resp - Gzip         0
Cache Resp - Deflate      0
Cache Resp - Other        0
Entry create failures     0

Table 48 describes the fields in the command output.

TABLE 48 show slb cache fields

Field                    Description
Cache Hits               Number of times a requested page was found in the cache and served from the cache.
Cache Misses             Number of times a requested page was not found in the cache.
Memory Used              Amount of RAM currently used by cached content.
Bytes Served             Number of bytes served.
Entries Cached           Number of objects currently in the cache.
Entries Replaced         Number of cached items that were removed to make room for newer entries, per the replacement policy.
Entries Aged Out         Number of entries that were removed because they are older than their expiration time.
Entries Cleaned          Number of cached objects that have aged out and therefore been removed from the cache.
Total Requests           Total number of requests received on all virtual server ports on which caching is configured.
Cacheable Requests       Number of requests that are potentially cacheable.
No-cache Requests        Number of requests with no-cache header directives.
No-cache Responses       Number of responses with no-cache header directives.
IMS Requests             Number of requests that contained an If-Modified-Since header.
304 Responses            Number of 304 Not Modified responses sent to clients.
Revalidation Successes   Number of entries that were successfully revalidated by the server.
Revalidation Failures    Number of times revalidation failed.
Policy URI nocache       Number of times requested content was not cached due to a URI policy.
Policy URI cache         Number of times a request was cached due to a URI policy.
Policy URI invalidate    Number of times a request was invalidated due to a URI policy.
Content Too Big          Number of cacheable items that were not cached because the file size was larger than the configured maximum content size.
Content Too Small        Number of cacheable items that were not cached because the file size was smaller than the configured minimum content size.
Srvr Resp - Cont Len     Number of responses that contained Content-Length headers.
Srvr Resp - Chnk Enc     Number of responses that were chunk encoded.
Srvr Resp - 304 Status   Number of responses that had status code 304.
Srvr Resp - Other        Number of responses that were of other types.
Cache Resp - No Comp     Object is uncompressed.
Cache Resp - Gzip        Object was compressed using gzip. Gzip is an encoding format produced by the file compression program gzip (GNU zip) as described in RFC 1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
Cache Resp - Deflate     Object was compressed using deflate. Deflate is the zlib format defined in RFC 1950 in combination with the deflate compression mechanism described in RFC 1951.
Cache Resp - Other       Object was compressed using compress. Compress is the encoding format produced by the common UNIX file compression program compress (adaptive Lempel-Ziv-Welch coding [LZW]).
Entry create failures    Counter used by A10 technical support for troubleshooting.

Example

The following command shows cached objects:

AX#show slb cache entries vs-cookie-cache 80
vs-cookie-cache:80
Host          Object URL              Bytes     Type    Status   Expires in
---------------------------------------------------------------------------------------
10.20.0.120   /static2/1000.txt       1365      CL,No   FR       3410 s
10.20.0.120   /static2/10000.txt      10366     CL,No   FR       3490 s
10.20.0.120   /static2/1000000.txt    636152    CE,Gz   FR       3594 s
10.20.0.120   /static2/1000000.txt    1000368   CL,No   FR       2719 s
10.20.0.120   /ewen/index.html        1479      CL,Mo   FR       -57 s

Table 49 describes the fields in the command output.

TABLE 49 show slb cache entries fields

Field        Description
cached-vip   Virtual port number on which RAM caching is enabled.
Host         IP address of the content server.
Object URL   URL from which the cached object was obtained by the AX device.
Bytes        Length of the cached object.
Type         Indicates whether the cached object has a Content-Length header, is compressed, or is chunk-encoded. The value after the comma indicates the type of compression used:
             No - Object is uncompressed.
             Gz - Object was compressed using gzip. Gzip is an encoding format produced by the file compression program gzip (GNU zip) as described in RFC 1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
             Cm - Object was compressed using compress. Compress is the encoding format produced by the common UNIX file compression program compress (adaptive Lempel-Ziv-Welch coding [LZW]).
             Df - Object was compressed using deflate. Deflate is the zlib format defined in RFC 1950 in combination with the deflate compression mechanism described in RFC 1951.
Status       Status of the entry:
             FR - Fresh
             ST - Stale
             IN - Incomplete
             FA - Failed
             UN - Unknown
             R - The entry must be revalidated.
Expires in   Number of seconds the object can remain unused before it ages out.

Example

The following command shows RAM caching memory usage:

AX#show slb cache memory-usage
VIP      Port   Memory Configured   Memory Used   Percent Used
---------------------------------------------------------------------------------------
vs120    80     10485760            8386560       79.98%
---------------------------------------------------------------------------------------
Total           10485760            8386560       79.98%

Example

The following command shows replacement statistics:

AX#show slb cache replacement cached-vip 80
Frequency     Total
---------------------------------------------------------------
1/256         6
1/128         0
1/64          0
1/32          0
1/16          0
1/8           0
1/4           0
1/2           0
1             0
2             0
4             0
8             0
16            0
32            0
64            0
128           2

The output shows the distribution of requests for the cached entries. Entries listed for 1/256 (one in 256 requests) are the least requested, whereas entries listed for 128 are the most requested.

show slb connection-reuse


Description   Show SLB connection-reuse statistics.
Syntax        show slb connection-reuse [detail]
Mode          All
Example       The following command shows summary connection-reuse statistics:

AX#show slb connection-reuse
                     Total
------------------------------------------------------------------
Open persist         0
Active persist       0
Total established    1787
Total terminated     1787
Total bind           1277
Total unbind         2389
Delayed unbind       4
Long resp            0
Missed resp          0
Unbound data rcvd    0



Table 50 describes the fields in the command output.

TABLE 50 show slb connection-reuse fields

Field               Description
Open persist        Number of new client connections directed to the same server as previous connections by the persistence feature.
Active persist      Number of currently active connections that were sent to the same real server by the persistence feature.
Total established   Total number of established connections to the backend server.
Total terminated    Total number of terminated connections to the backend server.
Total bind          Total number of client persistent connections bound to the backend server.
Total unbind        Total number of client persistent connections unbound from the backend server.
Delayed unbind      Number of connections whose unbinding was delayed.
                    Note: In the current release, this counter is unused and is always 0.
Long resp           Number of responses that took too long.
Missed resp         Number of missed responses to HTTP requests.
Unbound data rcvd

Example

The following command shows detailed connection-reuse statistics for each data processor (DP):

AX#show slb connection-reuse detail
                     DP0     DP1     DP2     DP3     Total
------------------------------------------------------------------
Open persist         0       0       0       0       0
Active persist       0       0       0       0       0
Total established    0       537     597     653     1787
Total terminated     0       537     597     653     1787
Total bind           0       349     420     508     1277
Total unbind         0       676     797     916     2389
Delayed unbind       0       1       1       2       4
Long resp            0       0       0       0       0
Missed resp          0       0       0       0       0
Unbound data rcvd    0       0       0       0       0


show slb conn-rate-limit


Description   Show statistics for source-IP based connection rate limiting.

Syntax        show slb conn-rate-limit src-ip { [tcp | udp] locked-out-ips | [tcp | udp] statistics | tcp | udp }

Mode          All

Example       The following command shows statistics for source-IP based connection rate limiting:

AX(config)#show slb conn-rate-limit src-ip statistics
Sessions allocated                 0
Sessions freed                     0
Too many sessions consumed         0
Out of sessions                    0
Threshold check count              1022000
Honor threshold count              20532
Threshold exceeded count           1001408
Lockout drops                      60
Log messages sent                  20532
DNS requests re-transmitted        1000
No DNS response for request        1021000

Table 51 describes the fields in the show command output.

TABLE 51 show slb conn-rate-limit src-ip statistics fields

Field                         Description
Sessions allocated            Number of sessions allocated.
Sessions freed                Number of sessions freed.
Too many sessions consumed    Number of times too many sessions were consumed.
Out of sessions               Number of times the device ran out of sessions.
Threshold check count         Number of times the AX device has checked for connection-limit violations.
Honor threshold count         Number of requests permitted because they were within the connection limit.
Threshold exceeded count      Number of requests denied because they exceeded the connection limit.
Lockout drops                 Number of requests dropped because a client was locked out.
Log messages sent             Number of log messages generated by this feature.
DNS requests re-transmitted   Number of re-transmitted DNS requests detected. These are DNS requests for which no response was received by the AX device.
No DNS response for request   Number of DNS requests for which no response was received.
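The counters in Table 51 are easier to act on as per-interval rates than as raw totals. The following is an added example, not part of the A10 documentation: it parses two polls of the statistics output, takes the difference, and flags an interval in which most checked requests were denied. The function names, the thresholds, the one-counter-per-line layout, the second poll, and the treatment of the counters as running totals are assumptions of this example.

```python
import re

# Counters copied from the example output on this page (one per line is an assumed layout).
POLL_1 = """\
AX(config)#show slb conn-rate-limit src-ip statistics
Sessions allocated                 0
Sessions freed                     0
Too many sessions consumed         0
Out of sessions                    0
Threshold check count              1022000
Honor threshold count              20532
Threshold exceeded count           1001408
Lockout drops                      60
Log messages sent                  20532
DNS requests re-transmitted        1000
No DNS response for request        1021000
"""

# Constructed second poll (not from the page), trimmed to the counters used below.
POLL_2 = """\
AX(config)#show slb conn-rate-limit src-ip statistics
Threshold check count              1030000
Honor threshold count              27532
Threshold exceeded count           1002208
Lockout drops                      260
"""

# Counter name, at least two spaces, then an integer at end of line.
LINE = re.compile(r"^\s*(\S.*?)\s{2,}(\d+)\s*$")


def parse_counters(text):
    """Return {counter name: int}; the prompt line has no trailing integer and is skipped."""
    return {m.group(1): int(m.group(2))
            for m in map(LINE.match, text.splitlines()) if m}


def interval_delta(prev, curr):
    """Per-interval change for each counter in curr.

    Assumes the counters are running totals. A counter that went backwards
    is treated as reset, so its current value is taken as the delta.
    """
    out = {}
    for name, value in curr.items():
        before = prev.get(name, 0)
        out[name] = value - before if value >= before else value
    return out


def summarize(c):
    """Combine the Table 51 counters into checked / honored / denied figures."""
    checked = c.get("Threshold check count", 0)
    honored = c.get("Honor threshold count", 0)
    denied = c.get("Threshold exceeded count", 0) + c.get("Lockout drops", 0)
    return {
        "checked": checked,
        "honored": honored,
        "denied": denied,
        "deny_ratio": denied / checked if checked else 0.0,
        # honored + denied == checked holds for the page's sample values;
        # treating it as an invariant is an assumption of this example.
        "accounted": honored + denied == checked,
    }


def flood_suspected(summary, min_checks=1000, max_deny_ratio=0.5):
    """True when enough requests were checked and most were denied (assumed thresholds)."""
    return summary["checked"] >= min_checks and summary["deny_ratio"] > max_deny_ratio


if __name__ == "__main__":
    first = parse_counters(POLL_1)
    second = parse_counters(POLL_2)
    print("since boot:", summarize(first), flood_suspected(summarize(first)))
    window = summarize(interval_delta(first, second))
    print("last interval:", window, flood_suspected(window))
```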

show slb fast-http-proxy


Description   Show statistics for SLB fast-HTTP proxy.
Syntax        show slb fast-http-proxy [detail]
Mode          All
Example       The following command shows summary fast-HTTP-proxy statistics:

AX#show slb fast-http-proxy
                           Total
------------------------------------------------------------------
Curr Proxy Conns           0
Total Proxy Conns          0
HTTP requests              0
HTTP requests(succ)        0
No proxy error             0
Client RST                 0
Server RST                 0
No tuple error             0
Parse req fail             0
Server selection fail      0
Fwd req fail               0
Fwd req data fail          0
Req retransmit             0
Req pkt out-of-order       0
Server reselection         0
Server premature close     0
Server conn made           0
Source NAT failure         0
Tot data before compress   0
Tot data after compress    0

Table 52 describes the fields in the command output.

TABLE 52 show slb fast-http-proxy fields

Field                      Description
Curr Proxy Conns           Number of currently active connections using the fast-HTTP proxy.
Total Proxy Conns          Total number of connections that have used the fast-HTTP proxy.
HTTP requests              Number of HTTP requests received by the fast-HTTP proxy.
HTTP requests(succ)        Number of HTTP requests successfully fulfilled (by establishing a connection to a real server).
No proxy error             Number of proxy errors.
Client RST                 Number of times TCP connections with clients were reset.
Server RST                 Number of times TCP connections with servers were reset.
No tuple error             Number of tuple errors.
Parse req fail             Number of times the HTTP parser failed to parse a received HTTP request.
Server selection fail      Number of times selection of a real server failed.
Fwd req fail               Number of forward request failures.
Fwd req data fail          Number of forward request data failures.
Req retransmit             Number of retransmitted requests.
Req pkt out-of-order       Number of request packets received from clients out of sequence.
Server reselection         Number of times initial selection of a real server for an HTTP request failed (for example, due to a TCP Reset sent by the server).
Server premature close     Number of times the connection with a server closed prematurely.
Server conn made           Number of connections made with servers.
Source NAT failure         Number of source NAT failures.
Tot data before compress   These counters show statistics for HTTP compression, in bytes.
Tot data after compress



Example       The following command shows detailed fast-HTTP-proxy statistics for each data processor (DP):

AX#show slb fast-http-proxy detail
                              DP0    DP1    DP2    DP3    Total
------------------------------------------------------------------
Curr Proxy Conns              0      0      0      0      0
Total Proxy Conns             0      0      0      0      0
HTTP requests                 0      0      0      0      0
HTTP requests(succ)           0      0      0      0      0
No proxy error                0      0      0      0      0
Client RST                    0      0      0      0      0
Server RST                    0      0      0      0      0
No tuple error                0      0      0      0      0
Parse req fail                0      0      0      0      0
Server selection fail         0      0      0      0      0
Fwd req fail                  0      0      0      0      0
Fwd req data fail             0      0      0      0      0
Req retransmit                0      0      0      0      0
Req pkt out-of-order          0      0      0      0      0
Server reselection            0      0      0      0      0
Server premature close        0      0      0      0      0
Server conn made              0      0      0      0      0
Source NAT failure            0      0      0      0      0
Tot data before compress      0      0      0      0      0
Tot data after compress       0      0      0      0      0

show slb ftp


Description   Show SLB FTP statistics.
Syntax        show slb ftp
Mode          All
Example       The following command shows SLB FTP statistics.

AX#show slb ftp
Total Control Sessions        0
Total ALG packets             0
ALG packets rexmitted         0
Out of Connections            0
Total Data Sessions           0
Out of Connections            0



Table 53 describes the fields in the command output.

TABLE 53 show slb ftp fields

Field                       Description
Total Control Sessions      Total number of FTP control sessions load-balanced by the AX Series device.
Total ALG packets           Total number of Application Layer Gateway (ALG) packets.
ALG packets rexmitted       Number of ALG packets that have been retransmitted.
Out of Connections          Number of times an FTP control session could not be established because none of the real servers had available connections.
Total Data Sessions         Total number of FTP data sessions load-balanced by the AX Series device.
Out of Connections          Number of times an FTP data session could not be established because none of the real servers had available connections.

show slb geo-location


Description   Display geo-location information.
Syntax        show gslb geo-location [ virtual-server-name | port-num | bad-only | depth num | id group-id | ip ipaddr | location location-name | statistics ]

Option                      Description
virtual-server-name         Displays geo-location information for only the specified virtual server.
port-num                    Displays geo-location information for only the specified virtual port.
bad-only                    Displays only the invalid entries.
depth num                   Specifies how many nodes within the geo-location data tree to display. For example, to display only continent and country entries and hide individual state and city entries, specify depth 2. By default, the full tree (all nodes) is displayed. You can specify 1-5.
id group-id                 Displays geo-location information for only the specified black/white-list group ID.
ip ipaddr                   Displays geo-location database entries for only the specified IP address.
location location-name      Displays geo-location database entries for only the specified location.
statistics                  Displays statistics for the specified geo-location.

Mode          All
Usage         Some options can be combined on the same command line. See the CLI help for information.

show slb http-proxy


Description   Show statistics for SLB HTTP proxy.
Syntax        show slb http-proxy [detail]
Mode          All
Example       The following command shows summary HTTP-proxy statistics:

AX#show slb http-proxy
                              Total
------------------------------------------------------------------
Curr Proxy Conns              2
Total Proxy Conns             3266
HTTP requests                 3860
HTTP requests(succ)           3605
No proxy error                0
Client RST                    351
Server RST                    1
No tuple error                0
Parse req fail                0
Server selection fail         0
Fwd req fail                  10
Fwd req data fail             0
Req retransmit                0
Req pkt out-of-order          0
Server reselection            0
Server premature close        0
Server conn made              1791
Source NAT failure            0
Tot data before compress      1373117
Tot data after compress       404410

Table 54 describes the fields in the command output.

TABLE 54 show slb http-proxy fields

Field                       Description
Curr Proxy Conns            Number of currently active HTTP connections using the AX Series device as an HTTP proxy.
Total Proxy Conns           Total number of HTTP connections that have used the AX Series device as an HTTP proxy.
HTTP requests               Total number of HTTP requests received by the HTTP proxy.
HTTP requests(succ)         Number of HTTP requests received by the HTTP proxy that were successfully fulfilled (by connection to a real server).
No proxy error              Number of proxy errors.
Client RST                  Number of times TCP connections with clients were reset.
Server RST                  Number of times TCP connections with servers were reset.
No tuple error              Number of tuple errors.
Parse req fail              Number of times parsing of an HTTP request failed.
Server selection fail       Number of times selection of a real server failed.
Fwd req fail                Number of forward request failures.
Fwd req data fail           Number of forward request data failures.
Req retransmit              Number of retransmitted requests.
Req pkt out-of-order        Number of request packets received from clients out of sequence.
Server reselection          Number of times a request was forwarded to another server because the current server was failing.
Server premature close      Number of times the connection with a server closed prematurely.
Server conn made            Number of connections made with servers.
Source NAT failure          Number of source NAT failures.
Tot data before compress    These counters show statistics for HTTP compression, in bytes.
Tot data after compress



Example       The following command shows detailed HTTP-proxy statistics for each data processor (DP):

AX#show slb http-proxy detail
                              DP0    DP1    DP2    DP3    Total
------------------------------------------------------------------
Curr Proxy Conns              0      0      0      2      2
Total Proxy Conns             0      1026   1102   1138   3266
HTTP requests                 0      1218   1282   1360   3860
HTTP requests(succ)           0      1064   1176   1365   3605
No proxy error                0      0      0      0      0
Client RST                    0      102    118    131    351
Server RST                    0      0      1      0      1
No tuple error                0      0      0      0      0
Parse req fail                0      0      0      0      0
Server selection fail         0      0      0      0      0
Fwd req fail                  0      5      3      2      10
Fwd req data fail             0      0      0      0      0
Req retransmit                0      0      0      0      0
Req pkt out-of-order          0      0      0      0      0
Server reselection            0      0      0      0      0
Server premature close        0      0      0      0      0
Server conn made              0      537    598    656    1791
Source NAT failure            0      0      0      0      0

show slb hw-compression


Description   Show statistics for hardware-based compression.
Syntax        show slb hw-compression
Mode          All
Usage         Hardware-based compression is available using an optional hardware module in the following models: AX 2100, AX 2200, AX 3100, and AX 3200. If this command does not appear on your AX device, the device does not contain a compression module.
Example       The following commands enable hardware-based compression and display statistics for the feature:

AX(config)#show slb hw-compression
Hardware compression device is installed.
Hardware compression module is enabled.
                              Total
------------------------------------------------------------------
total request count           177157
total submit count            177157
total response count          177157
total failure count           0
last failure code             0
compression queue full        0
max queued request count      84
max queued submit count       68

show slb l4
Description   Show Layer-4 SLB statistics.
Syntax        show slb l4 [detail]
Mode          All
Example       The following command shows summary statistics for Layer 4 SLB:

AX#show slb l4
                              Total
------------------------------------------------------------------
IP out noroute                0
TCP out RST                   0
TCP out RST no SYN            0
TCP out RST L4 proxy          0
TCP out RST ACK attack        0
TCP out RST aFleX             0
TCP out RST stale sess        2
TCP out RST TCP proxy         1906748
TCP SYN received              17556
TCP SYN cookie snt            3276
TCP SYN cookie snt fail       0
TCP received                  2014764
UDP received                  0
Server sel failure            0
Source NAT failure            0
TCP SYN cookie failed         18
No vport drops                0
No SYN pkt drops              0
No SYN pkt drops - FIN        0
No SYN pkt drops - RST        0
No SYN pkt drops - ACK        0
Conn Limit drops              0
Conn Limit resets             0
Conn rate limit drops         0
Conn rate limit resets        0
Proxy no sock drops           0
aFleX drops                   0
TCP Session aged out          0
UDP Session aged out          0
Other Session aged out        0
TCP no SLB                    0
UDP no SLB                    0
SYN Throttle                  0
Inband HM retry               0
Inband HM reassign            0

Table 55 describes the fields in the command output.

TABLE 55 show slb l4 fields

Field                       Description
IP out noroute              Number of IP packets that could not be routed.
TCP out RST                 Number of TCP Resets sent.
TCP out RST no SYN          Number of Resets sent for which there was no SYN.
TCP out RST L4 proxy        Number of TCP Reset packets the AX device has sent as a Layer 4 proxy.
TCP out RST ACK attack      Number of TCP Resets sent in response to a TCP ACK attack.
TCP out RST aFleX           Number of TCP Reset packets the AX device has sent due to an aFleX policy.
TCP out RST stale sess      Number of TCP Reset packets the AX device has sent due to stale TCP sessions.
TCP out RST TCP proxy       Number of TCP Reset packets the AX device has sent as a TCP proxy.
TCP SYN received            Number of TCP SYN packets received.
TCP SYN cookie snt          Number of TCP SYN cookies sent.
TCP SYN cookie snt fail     Number of TCP SYN cookie send attempts that failed.
TCP received                Number of TCP packets received.
UDP received                Number of UDP packets received.
Server sel failure          Number of times selection of a real server failed.
Source NAT failure          Number of times a source NAT failure occurred.
TCP SYN cookie failed       Number of times a TCP SYN cookie failure occurred.
No vport drops              Number of times traffic was dropped because the requested virtual port was not available.
No SYN pkt drops            Number of SYN packets dropped.
No SYN pkt drops - FIN      Number of SYN packets dropped due to a TCP FIN.
No SYN pkt drops - RST      Number of SYN packets dropped due to a TCP Reset.
No SYN pkt drops - ACK      Number of SYN packets dropped due to an ACK.
Conn Limit drops            Number of connections dropped because the server connection limit had been reached.
Conn Limit resets           Number of connections reset because the server connection limit had been reached.
Conn rate limit drops       Number of connections dropped by connection rate limiting.
Conn rate limit resets      Number of connections reset by connection rate limiting.
Proxy no sock drops         Number of packets dropped because the proxy did not have an available socket.
aFleX drops                 Number of packets dropped due to an aFleX policy.
TCP Session aged out        Number of TCP sessions that have aged out.
UDP Session aged out        Number of UDP sessions that have aged out.
Other Session aged out      Number of sessions of other types (not TCP or UDP) that have aged out.
TCP no SLB                  Number of non-SLB TCP packets received by the AX device.
UDP no SLB                  Number of non-SLB UDP packets received by the AX device.
SYN Throttle                Number of SYN packets that have been throttled.
Inband HM retry             Number of times the AX device retried an inband health check, because a SYN-ACK was not received for the previous SYN.
Inband HM reassign          Number of times the AX device reassigned a client's traffic to another server, because the initial server exceeded the maximum number of retries allowed by the inband health check.

Example       The following command shows detailed Layer 4 SLB statistics for each data processor (DP):

AX#show slb l4 detail
                              DP0    DP1      DP2      DP3      Total
------------------------------------------------------------------
IP out noroute                0      0        0        0        0
TCP out RST                   0      0        0        0        0
TCP out RST no SYN            0      0        0        0        0
TCP out RST L4 proxy          0      0        0        0        0
TCP out RST ACK attack        0      0        0        0        0
TCP out RST aFleX             0      0        0        0        0
TCP out RST stale sess        0      0        1        1        2
TCP out RST TCP proxy         0      618892   617473   670383   1906748
TCP SYN received              0      5476     5963     6118     17557
TCP SYN cookie snt            0      1029     1105     1142     3276
TCP SYN cookie snt fail       0      0        0        0        0
TCP received                  0      645686   651307   717772   2014765
UDP received                  0      0        0        0        0
server sel failure            0      0        0        0        0
Source NAT failure            0      0        0        0        0
TCP SYN cookie failed         0      5        6        7        18
No vport drops                0      0        0        0        0
No SYN pkt drops              0      0        0        0        0
No SYN pkt drops - FIN        0      0        0        0        0
No SYN pkt drops - RST        0      0        0        0        0
No SYN pkt drops - ACK        0      0        0        0        0
Conn Limit drops              0      0        0        0        0
Conn Limit resets             0      0        0        0        0
Conn rate limit drops         0      0        0        0        0
Conn rate limit resets        0      0        0        0        0
Proxy no sock drops           0      0        0        0        0
aFleX drops                   0      0        0        0        0
Session aged out              0      24       24       19       67
TCP no SLB                    0      0        0        0        0
UDP no SLB                    0      0        0        0        0
SYN Throttle                  0      0        0        0        0
Inband HM retry               0      0        0        0        0
Inband HM reassign            0      0        0        0        0
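The following Python is an added example, not part of the original manual and not A10 code. It parses show slb l4 output in summary or detail form, checks that the per-DP columns add up to the Total column, and reports which Table 55 counters rose between two captures. The watched-counter list, the cookie_share_alert threshold, and both snapshots are assumptions constructed for illustration.

```python
import re

# Table 55 counters this example treats as security-relevant. The selection
# is an assumption of the example, not a list the manual prescribes.
WATCHED = (
    "TCP out RST ACK attack",
    "TCP SYN cookie snt",
    "TCP SYN cookie failed",
    "No SYN pkt drops",
    "Conn rate limit drops",
    "SYN Throttle",
)

# A counter row is a label followed by one integer (summary output) or by
# one integer per data processor plus the Total column (detail output).
ROW = re.compile(r"^\s*(\S.*?)\s+((?:\d+\s+)*\d+)\s*$")

# Constructed sample: summary output using values from the page's example.
SNAPSHOT_BEFORE = """\
AX#show slb l4
                          Total
------------------------------------------------------------------
TCP out RST ACK attack    0
TCP SYN received          17556
TCP SYN cookie snt        3276
TCP SYN cookie failed     18
No SYN pkt drops          0
No SYN pkt drops - ACK    0
SYN Throttle              0
"""

# Constructed sample: a later "detail" capture with invented values.
SNAPSHOT_AFTER = """\
AX#show slb l4 detail
                          DP0   DP1    DP2    DP3    Total
------------------------------------------------------------------
TCP out RST ACK attack    0     12     9      11     32
TCP SYN received          0     9476   9963   10117  29556
TCP SYN cookie snt        0     4029   4105   4142   12276
TCP SYN cookie failed     0     305    306    307    918
No SYN pkt drops          0     0      0      0      0
No SYN pkt drops - ACK    0     0      0      0      0
SYN Throttle              0     0      0      0      0
"""


def parse_counters(text):
    """Map each counter label to its list of integer columns."""
    rows = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:  # prompt, header and separator lines do not match
            rows[match.group(1)] = [int(v) for v in match.group(2).split()]
    return rows


def totals(text):
    """Device-wide value per counter: the only column, or the last one."""
    return {label: cols[-1] for label, cols in parse_counters(text).items()}


def dp_mismatches(text):
    """Labels whose per-DP columns do not add up to the Total column."""
    return [label for label, cols in parse_counters(text).items()
            if len(cols) > 1 and sum(cols[:-1]) != cols[-1]]


def deltas(before, after):
    """Increase per counter between two captures.

    A value lower than before means the counters were cleared or the device
    restarted, so the new value itself is taken as the increase.
    """
    result = {}
    for label, new in after.items():
        old = before.get(label, 0)
        result[label] = new - old if new >= old else new
    return result


def review(before_text, after_text, cookie_share_alert=0.5):
    """Summarise what moved between two captures.

    cookie_share_alert is a hypothetical threshold; tune it per site.
    """
    moved = deltas(totals(before_text), totals(after_text))
    syn = moved.get("TCP SYN received", 0)
    share = moved.get("TCP SYN cookie snt", 0) / syn if syn else 0.0
    return {
        "increased": [(n, moved[n]) for n in WATCHED if moved.get(n, 0) > 0],
        "syn_cookie_share": share,
        "alert": (share >= cookie_share_alert
                  or moved.get("TCP out RST ACK attack", 0) > 0),
        "inconsistent_rows": dp_mismatches(after_text),
    }


if __name__ == "__main__":
    for key, value in review(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"{key}: {value}")
```

Comparing captures taken at a fixed interval matters because these counters are cumulative; a single reading says nothing about the current rate.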

show slb passthrough


Description   Display statistics for pass-through TCP sessions. A pass-through TCP session is one that is not terminated by the AX device (for example, a session for which the AX device is not serving as a proxy for SLB).
Syntax        show slb passthrough
Mode          All
Example       The following command displays TCP pass-through session statistics:

AX#show slb passthrough
Request packets:       10741      Response packets:    38195
Request bytes:         570272     Response bytes:      56562872
Current connections:   0          Total connections:   4


show slb performance


Description   Show SLB performance statistics.
Syntax        show slb performance [interval number [detail]] [{l4cpi | l7cpi | l7tpi | natcpi | sslcpi} [detail]]

Option                      Description
interval number             Automatically refreshes the output at the specified interval. The interval can be 1-32 seconds. If you omit this option, the output is shown one time. If you use this option, the output is repeatedly refreshed at the specified interval until you press ctrl+c.
l4cpi                       Shows only Layer 4 connections per interval.
l7cpi                       Shows only Layer 7 connections per interval.
l7tpi                       Shows only Layer 7 transactions per interval.
natcpi                      Shows only Network Address Translation (NAT) connections per interval.
sslcpi                      Shows only SSL connections per interval.
detail                      This option is not used in the current release.

Mode          All
Example       The following command shows SLB performance statistics:

AX#show slb performance
Refreshing SLB performance every 1 seconds. (press ^C to quit)
Note: cpi conn/interval, tpi transactions/interval
CPU Usage   L4cpi   L7cpi   L7tpi   SSLcpi   Natcpi   Time
------------------------------------------------------------------------
8/9         0       0       0       0        0        11:46:10
4/4         4222    0       0       0        0        11:46:11
4/4         3       0       0       0        0        11:46:12



Table 56 describes the fields in the command output.

TABLE 56 show slb performance fields

Field                                        Description
Refreshing SLB performance every # seconds   Interval at which the statistics are refreshed.
CPU Usage                                    Utilization on each data CPU. Each number is the utilization on one data CPU. In the example shown above, the AX model has three data CPUs, and the utilization on each one is 1%.
L4cpi                                        Layer 4 connections per interval.
L7cpi                                        Layer 7 connections per interval.
L7tpi                                        Layer 7 transactions per interval.
SSLcpi                                       SSL connections per interval.
Natcpi                                       NAT connections per interval.
Time                                         System time when the statistics were collected.

show slb persist


Description   Show persistence load-balancing statistics.
Syntax        show slb persist [detail]
Example       The following command shows summary persistence statistics:

AX#show slb persist
                              Total
------------------------------------------------------------------
URL hash persist(pri)         0
URL hash persist(sec)         0
URL hash persist fail         0
SRC IP persist ok             0
SRC IP persist fail           0
SRC IP hash persist(pri)      0
SRC IP hash persist(sec)      0
SRC IP hash persist fail      0
DST IP persist ok             0
DST IP persist fail           0
DST IP hash persist(pri)      0
DST IP hash persist(sec)      0
DST IP hash persist fail      0
SSL SID persist ok            0
SSL SID persist fail          0
Cookie persist ok             0
Cookie persist fail           0
Persist cookie not found      0

Table 57 describes the fields in the command output.

TABLE 57 show slb persist fields

Field                       Description
URL hash persist(pri)       Number of requests successfully sent to the primary server selected by URL hashing. The primary server is the one that was initially selected and then re-used based on the hash value.
URL hash persist(sec)       Number of requests that were sent to another server (a secondary server) because the primary server selected by URL hashing was unavailable.
URL hash persist fail       Number of requests that could not be fulfilled using URL hashing.
SRC IP persist ok           Number of requests successfully sent to the same server as previous requests from the same client, based on source-IP persistence.
SRC IP persist fail         Number of requests that could not be fulfilled by the same server as previous requests from the same client, based on source-IP persistence.
SRC IP hash persist(pri)    These fields are used by A10 Networks technical support for troubleshooting.
SRC IP hash persist(sec)
SRC IP hash persist fail
DST IP persist ok           Number of requests that were sent to the same resource, based on destination-IP persistence.
DST IP persist fail         Number of requests that were sent to the same resource based on destination-IP persistence.
DST IP hash persist(pri)    These fields are used by A10 Networks technical support for troubleshooting.
DST IP hash persist(sec)
DST IP hash persist fail
SSL SID persist ok          Number of requests successfully sent to the same server as previous requests that had the same SSL session ID, based on SSL session-ID persistence.
SSL SID persist fail        Number of requests that could not be fulfilled by the same server as previous requests that had the same SSL session ID, based on SSL session-ID persistence.
Cookie persist ok           Number of requests successfully sent to the same server as previous requests based on a persistence cookie.
Cookie persist fail         Number of requests that could not be fulfilled by the same server as previous requests based on a persistence cookie.
Persist cookie not found    Number of requests in which a persistence cookie was not found in the request header.

show slb rate-limit-logging


Description   Show log rate-limiting statistics.
Syntax        show slb rate-limit-logging [detail]
Mode          All
Example       The following command shows log rate-limiting statistics:

AX#show slb rate-limit-logging
                              Total
------------------------------------------------------------------
Total log times               51
Total log messages            26
Local log messages            190
Remote log messages           1959
Local rate (per sec)          32
Remote rate (per sec)         453
Log message too big           0
No route                      0
Buffer alloc fail             0
Buffer send fail              0
Log-session alloc             15
Log-session free              15
Log-session alloc fail        0
No repeat message             4

Table 58 describes the fields in the command output.

TABLE 58 show slb rate-limit-logging fields

Field                       Description
Total log times             Total number of times log rate limiting has been used.
Total log messages          Total number of log messages generated by the AX device. Note: The AX device combines repeated messages into a single message. For this reason, the Total log times count will differ from the Total log messages count.
Local log messages          Total number of log messages in the AX device's log buffer. These messages can be displayed using the show log command.
Remote log messages         Total number of log messages the AX device has sent to external log servers.
Local rate (per sec)        Number of messages sent to the AX device's log buffer during the most recent one-second interval.
Remote rate (per sec)       Number of messages sent to external log servers during the most recent one-second interval.
Log message too big         Number of log messages dropped by the AX device because they were too long.
No route                    Number of log messages dropped by the AX device because the device did not have a route to the log server.
Buffer alloc fail           Number of times the AX device was unable to allocate a buffer for sending a log message to an external log server.
Buffer send fail            Number of times the AX device was unable to send a log message that had been placed in the buffer for sending to an external log server.
Log-session alloc           Number of times the AX device allocated a log session for repeated log messages.
Log-session free            Number of times the AX device freed a log session that was allocated for repeated log messages.
Log-session alloc fail      Number of times the AX device was unable to allocate a log session for repeated log messages.
No repeat message           Number of times there was no repeated message for a log session allocated for repeated messages.

show slb server


Description   Show information about real servers.
Syntax        show slb server [[server-name [port-num] detail] config | connection-reuse] [all-partitions | partition name]

Option                            Description
server-name [[port-num] detail]   Shows information only for the specified server or port. If you omit this option, information is shown for all real servers and ports. The detail option shows statistics for the specified server or port. This option also displays the name of the server or port template bound to the server or port.
config                            Shows the SLB configuration of the real servers.
connection-reuse                  Shows connection-reuse state information and statistics for the real servers.

Mode          All
Usage         To display server information for a specific Role-Based Administration (RBA) partition only, use the partition name option.
Example       The following command shows SLB statistics for real server mhs001:

AX#show slb server mhs001
Total Number of Services configured on Server mhs001: 3
Current = Current Connections, Total = Total Connections
Fwd-pkt = Forward packets, Rev-pkt = Reverse packets
Service           Current   Total     Fwd-pkt   Rev-pkt   State/Rsp Time
------------------------------------------------------------------------------
mhs001:25/tcp     0         481       0         0         Up /116 ms
mhs001:80/tcp     23        320543    1732383   1263164   Up /60 ms
mhs001:587/tcp    0         0         0         0         Up /92 ms
mhs001: Total     23        321024    1732383   1263164   Up

Table 59 describes the fields in the command output.

TABLE 59 show slb server fields

Field                                 Description
Total Number of Services configured   Total number of services configured on the AX Series device (if a server name is not specified) or on the specified server.
Service                               Real server name, service protocol port, and transport protocol (TCP or UDP).
Current                               Current number of connections to the service.
Total                                 Total number of connections to the service.
Fwd-pkt                               Number of request packets received for the service.
Rev-pkt                               Number of response packets sent on behalf of the real server.
State                                 Current state of the service:
                                        Up
                                        Down
                                        Disabled
Rsp Time                              Response time of the server.



Example       The following command shows details for a real port on a server:

AX(config)#show slb server dang1 80 detail
Server name:              dang1
Port:                     1.1.1.1:80
State:                    Up
Port template:            default
Health check:             default
Current connection:       53
Current request:          42
Total connection:         10011
Total request:            20090
Total request success:    20089
Total forward bytes:      36378463
Total forward packets:    378463
Total reverse bytes:      463784638
Total reverse packets:    3784638

Table 60 describes the fields in the command output.

TABLE 60 show slb server <server-name> <portnum> detail fields

Field                       Description
Server name                 Name of the server.
Port                        Real port number.
State                       Current state of the service:
                              Up
                              Down
                              Disabled
Port template               Name of the real port template bound to the port.
Health check                Name of the health monitor used to check the health of the real port.
Current connection          Current number of connections to the port.
Current request             Current number of HTTP requests being processed by the port.
                            Note: In this field and the Total request and Total request success fields, Layer 7 requests are counted only if Layer 7 request accounting is enabled. See slb enable-l7-req-acct on page 287.
Total connection            Total number of connections that have been made to the port.
Total request               Total number of HTTP requests processed by the port.
Total request success       Total number of HTTP requests that were successful.
Total forward bytes         Number of request bytes forwarded to the port.
Total forward packets       Number of request packets forwarded to the port.
Total reverse bytes         Number of request bytes received from the port.
Total reverse packets       Number of request packets received from the port.

The following command displays detailed information for the hostname server. The configuration details are shown first, followed by details for the dynamically created servers.
AX#show slb server s-test1 detail
Server name:              s-test1
Hostname:                 s1.test.com
Last DNS reply:           Tue Nov 17 03:41:59 2009
State:                    Up
Server template:          temp-server
DNS query interval:       5
Minimum TTL ratio:        3
Maximum dynamic server:   16
Health check:             none
Current connection:       0
Current request:          0
Total connection:         1919
Total request:            1919
Total request success:    1877
Total forwarded byte:     546650
Total forwarded packet:   5715
Total received byte:      919730
Total received packet:    5631
Dynamic server name:      DRS-10.4.2.5-s1.test.com
Last DNS reply:           Tue Nov 17 03:41:59 2009
TTL:                      4500
State:                    Up
Server template:          test
DNS query interval:       5
Minimum TTL ratio:        15
Maximum dynamic server:   1023
Health check:             none
Current connection:       0
Current request:          0
Total connection:         1919
Total request:            1919
Total request success:    1877
Total forward bytes:      546650
Total forward packets:    5715
Total reverse bytes:      919730
Total reverse packets:    5631

Example       The following command shows SLB configuration information for real servers:

AX#show slb server config
Total Number of Services configured: 30
H-check = Health check  Max conn = Max. Connection  Wgt = Weight
Service                  Address           H-check   Status    Max conn   Wgt
------------------------------------------------------------------------------
1_yahoo_finance:80/tcp   69.147.86.163     None      Enable    1000000    1
1_yahoo_finance          69.147.86.163     None      Enable    1000000    1
1_cybozu:80/tcp          202.218.147.129   None      Enable    1000000    1
1_cybozu                 202.218.147.129   None      Enable    1000000    1
win20:25/tcp             172.22.66.20      Default   Enable    1000000    1
win20                    172.22.66.20      ping      Disable   1000000    1
win21:25/tcp             172.22.66.21      Default   Enable    1000000    1
--MORE--

Table 61 describes the fields in the command output.

TABLE 61 show slb server config fields

Field                                 Description
Total Number of Services configured   Total number of SLB services configured on the AX Series device.
Service                               Real server name, service protocol port, and transport protocol (TCP or UDP).
Address                               Real IP address of the server.
H-check                               Health check enabled for the service:
                                        None - No health check has been applied to the service.
                                        Default - The default health monitor for the service type was automatically applied to the service by the AX Series device.
                                        Name of a configured health monitor (for example, ping) - The named health monitor was applied to the service by an AX administrator.
Status                                Current administrative status of the service:
                                        Enable
                                        Disable
Max conn                              Maximum number of connections allowed to the service.
Wgt                                   Administrative weight assigned to the service.

Example       The following command shows connection-reuse state information and statistics for real servers:

AX#show slb server connection-reuse
Total Number of Services configured: 30
Service                  State   Persistent-Conn
----------------------------------------------------
1_yahoo_finance:80/tcp   Up      0
1_cybozu:80/tcp          Up      0
win20:25/tcp             Down    0
win21:25/tcp             Up      0
win21:110/tcp            Up      0
win21:80/tcp             Up      0
win21:443/tcp            Down    0
linux22:25/tcp           Disb    0
linux22:80/tcp           Up      0
linux22:53/udp           Disb    0
linux23:25/tcp           Down    0
linux23:80/tcp           Down    0
linux23:53/udp           Down    0



Table 62 describes the fields in the command output.

TABLE 62 show slb server connection-reuse fields

Field                                 Description
Total Number of Services configured   Total number of SLB services configured on the AX Series device.
Service                               Real server name, service protocol port, and transport protocol (TCP or UDP).
State                                 Current state of the service:
                                        Up
                                        Down
                                        Disabled
Persistent-Conn                       Number of connections sent to the server by the persistence feature.

show slb service-group


Description   Show SLB service-group information.
Syntax        show slb service-group [group-name] [config] [all-partitions | partition name]

Option                      Description
group-name                  Shows information only for the specified service group. If you omit this option, information is shown for all service groups configured on the AX Series device.
config                      Shows the SLB configuration of the service groups.

Mode          All
Usage         To display service-group information for a specific Role-Based Administration (RBA) partition only, use the partition name option.



Example       The following command shows statistics for SLB service groups:

AX#show slb service-group
Total Number of Service Groups configured: 4
Current = Current Connections, Total = Total Connections
Fwd-p = Forward packets, Rev-p = Reverse packets
Service Group Name   Service    Current   Total   Fwd-p   Rev-p
-----------------------------------------------------------------------
*louis               State: Functional Up
                     1.168:80   0         0       0       0
                     20.29:80   1         1       1       4
                     1.167:80   0         0       0       0
*flu                 State: All Up
                     20.29:80   0
*test                State: All Up
                     20.29:22   0

Table 63 describes the fields in the command output.

TABLE 63 show slb service-group fields
Field: Description
Total Number of Service Groups configured: Total number of SLB service groups configured on the AX Series device.
Service Group Name: Name of the service group.
State: Indicates the state of the service group:
  All Up: All service ports on all real servers in the service group are up.
  Functional Up: Each service port number is up on at least one real server in the service group.
  Partially Up: Some service ports are up but others are down.
  Down: Either all the service ports are down, or some but not all of them are Disabled.
  Disabled: All the service ports are disabled.
Current: Current number of connections to the service.
Total: Total number of connections to the service.
Req-p: Total number of request packets received by the AX Series device for the service.
Resp-p: Total number of server response packets sent to clients by the AX Series device on behalf of real servers.

Example

The following command shows configuration information and statistics for SLB service group louis:

AX#show slb service-group louis
Service group name: louis       State: Disb
Service selection fail drop:  2
Service selection fail reset: 1
Service: s-4-2-1:80   DOWN
  Request packets: 6         Response packets: 0
  Request bytes: 360         Response bytes: 0
  Current connections: 2     Persistent connections: 0
  Current requests: 0        Total requests: 0
  Total connections: 3       Response time: 0.00 msec
  Total requests succ: 0
Service: s-2-2-1:80   DOWN
  Forward packets: 12        Reverse packets: 9
  Forward bytes: 951         Reverse bytes: 396
  Current connections: 0     Persistent connections: 0
  Current requests: 0        Total requests: 0
  Total connections: 3       Response time: 0.00 msec
  Total requests succ: 0

Table 64 describes the fields in the command output.

TABLE 64 show slb service-group <group-name> fields
Field: Description
Service group name: Name of the service group.
State: Indicates the state of the service group:
  All Up: All service ports on all real servers in the service group are up.
  Functional Up: Each service port number is up on at least one real server in the service group.
  Partially Up: Some service ports are up but others are down.
  Down: Either all the service ports are down, or some but not all of them are Disabled.
  Disabled: All the service ports are disabled.
Service selection fail drop: Number of server selection failures for which the AX device dropped the client request.
Service selection fail reset: Number of server selection failures for which the AX device sent a RST to the client.

TABLE 64 show slb service-group <group-name> fields (Continued)
Field: Description
Service: Service bound to the service group. Also indicates the state of the service.
Forward packets: Total number of request packets received by the AX Series device for the service.
Reverse packets: Total number of server response packets sent to clients by the AX Series device on behalf of real servers.
Forward bytes: Total number of request bytes received by the AX Series device for the service.
Reverse bytes: Total number of server response bytes sent to clients by the AX Series device on behalf of real servers.
Current connections: Current number of connections to the service.
Persistent connections: Number of connections established on the server due to an SLB persistence feature.
Current requests: Current number of HTTP requests being processed by the server.
  Note: In this field and the Total Requests and Total requests success fields, Layer 7 requests are counted only if Layer 7 request accounting is enabled. See slb enable-l7-req-acct on page 287.
Total requests: Total number of HTTP requests processed by the server.
Total connections: Total number of connections to the service.
Response time: Server response time.
Total requests succ: Total number of HTTP requests that were successful.

Example

The following command shows configuration information for SLB service groups:

AX#show slb service-group config
Total Number of Service Groups configured: 21
Service group name: c172-80
Type: tcp               Distribution: Round Robin
Health Check: None
Member Count:3
Member3: c1721:80       Priority: 1
Member2: c1722:80       Priority: 1
Member1: c1723:80       Priority: 1

Service group name: linux80
Type: tcp               Distribution: Round Robin
Health Check: None
Member Count:2
Member2: linux22:80     Priority: 1
Member1: linux23:80     Priority: 1

Service group name: 1_sg_cybozu_80
Type: tcp               Distribution: Round Robin
Health Check: None
Member Count:1
Member1: 1_cybozu:80    Priority: 1
--MORE--

Table 65 describes the fields in the command output.

TABLE 65 show slb service-group config fields
Field: Description
Total Number of Service Groups configured: Total number of SLB service groups configured on the AX Series device.
Service group name: Name of the service group.
Type: Transport protocol used to reach the service, TCP or UDP.
Health Check: Name of the health monitor assigned to the service group.
Distribution: Load-balancing method used by the service group to select real servers.
Member Count: Number of real servers in the group.
Member n: Member number, assigned by the AX Series for use in this show command's output.
Priority: Priority assigned to the member when it was added to the group.

The following command displays service-group information. A separate row of information appears for each dynamically created member.

AX#show slb service-group
Total Number of Service Groups configured: 40
Current = Current Connections, Total = Total Connections
Fwd-p = Forward packets, Rev-p = Reverse packets
Service Group Name
Service                        Current  Total  Fwd-p  Rev-p
----------------------------------------------------------------------
*sg-test                       State: All Up
DRS-10.4.2.6-s2.test.com:80    0        0      0      0
DRS-10.4.2.5-s1.test.com:80    36       1919   5714   5631
s-test2:80                     0        53     265    212

The following command displays detailed statistics for the dynamically created service-group members:

AX#show slb service-group sg-test
Service group name: sg-test     State: All Up
Service selection fail drop:  0
Service selection fail reset: 0
Service: DRS-10.4.2.6-s2.test.com:80   UP
  Forward packets: 0         Reverse packets: 0
  Forward bytes: 0           Reverse bytes: 0
  Current connections: 0     Persistent connections: 0
  Current requests: 0        Total requests: 0
  Total connections: 0       Response time: 0.00 msec
  Total requests succ: 0
Service: DRS-10.4.2.5-s1.test.com:80   UP
  Forward packets: 5715      Reverse packets: 5631
  Forward bytes: 546650      Reverse bytes: 919730
  Current connections: 10    Persistent connections: 0
  Current requests: 10       Total requests: 1919
  Total connections: 1919    Response time: 0.00 msec
  Total requests succ: 1877
Service: s-test1:80   UP
  Forward packets: 450       Reverse packets: 360
  Forward bytes: 31500       Reverse bytes: 44820
  Current connections: 0     Persistent connections: 0
  Current requests: 0        Total requests: 0
  Total connections: 90      Response time: 0.00 msec
  Total requests succ: 1877

show slb sip


Description: Display SIP SLB statistics.

Syntax: show slb sip [detail]

Mode: All

Example

The following command shows SIP SLB statistics:

AX#show slb sip
                          Total
------------------------------------------------------------------
Curr Proxy Conns          0
Total Proxy Conns         115
Client message            125
Client message (fail)     0
Server message            12
Server message (fail)     0
Client request            119
Client request (succ)     12
Client RST                0
Server RST                113
Parse message fail        0
Server selection fail     0
Server conn made          115
Source NAT failure        0

Table 52 describes the fields in the command output.

TABLE 66 show slb sip fields
Field: Description
Curr Proxy Conns: Current number of SIP connections between the AX device and SIP servers.
Total Proxy Conns: Total number of SIP connections between the AX device and SIP servers.
Client message: Total number of SIP messages received from clients.
Client message (fail): Number of SIP messages received from clients that were not forwarded to servers.
Server message: Total number of SIP messages received from servers.
Server message (fail): Number of SIP messages received from servers that were not forwarded to clients.
Client request: Total number of SIP requests received from clients.
Client request (succ): Number of SIP requests received from clients that were successful.
Client RST: Number of times TCP connections with clients were reset.
Server RST: Number of times TCP connections with servers were reset.
Parse message fail: Number of times the SIP parser failed to parse a received SIP request.
Server selection fail: Number of times selection of a real server failed.
Server conn made: Number of connections made with servers.
Source NAT failure: Number of source NAT failures.

show slb smtp


Description: Shows SLB information for SMTP.

Syntax: show slb smtp [detail]

Mode: All

Example

The following command shows summary SMTP SLB statistics:

AX#show slb smtp
                           Total
------------------------------------------------------------------
Current proxy conns        0
Total proxy conns          0
SMTP requests              0
SMTP requests (success)    0
No proxy error             0
Client reset               0
Server reset               0
No tuple error             0
Parse request failure      0
Server selection failure   0
Forward request failure    0
Forward REQ data failure   0
Request retransmit         0
Request pkt out-of-order   0
Server reselection         0
Server premature close     0
Server connection made     0
Source NAT failure         0

Table 67 describes the fields in the command output.

TABLE 67 show slb smtp fields
Field: Description
Current proxy conns: Number of currently active SMTP connections using the AX Series device as an SMTP proxy.
Total proxy conns: Total number of SMTP connections that have used the AX Series device as an SMTP proxy.
SMTP requests: Total number of SMTP requests received by the SMTP proxy.
SMTP requests (success): Number of SMTP requests received by the AX Series device that were successfully fulfilled (by connection to a real server).
No proxy error: Number of proxy errors.
Client reset: Number of times TCP connections with clients were reset.

TABLE 67 show slb smtp fields (Continued)
Field: Description
Server reset: Number of times TCP connections with servers were reset.
No tuple error: Number of tuple errors.
Parse request failure: Number of times parsing of an SMTP request failed.
Server selection failure: Number of times selection of a real server failed.
Forward request failure: Number of forward request failures.
Forward REQ data failure: Number of forward request data failures.
Request retransmit: Number of retransmitted requests.
Request pkt out-of-order: Number of request packets received from clients out of sequence.
Server reselection: Number of times a request was forwarded to another server because the current server was failing.
Server premature close: Number of times the connection with a server closed prematurely.
Server connection made: Number of connections made with servers.
Source NAT failure: Number of source NAT failures.

Example

The following command shows detailed SMTP SLB statistics for each data processor (DP):

AX#show slb smtp detail
                           DP0   DP1   DP2   Total
------------------------------------------------------------------
Current proxy conns        0     0     0     0
Total proxy conns          0     0     0     0
SMTP requests              0     0     0     0
SMTP requests (success)    0     0     0     0
No proxy error             0     0     0     0
Client reset               0     0     0     0
Server reset               0     0     0     0
No tuple error             0     0     0     0
Parse request failure      0     0     0     0
Server selection failure   0     0     0     0
Forward request failure    0     0     0     0
Forward REQ data failure   0     0     0     0
Request retransmit         0     0     0     0
Request pkt out-of-order   0     0     0     0
Server reselection         0     0     0     0
Server premature close     0     0     0     0
Server connection made     0     0     0     0
Source NAT failure         0     0     0     0

show slb ssl


Description: Show SLB information for SSL.

Syntax: show slb ssl {cert | crl | stats} [all-partitions | partition name]

Option: Description
cert: Shows information about the certificates on the AX device.
crl: Shows information about the Certificate Revocation Lists (CRLs) imported onto the AX device.
stats: Shows SSL SLB statistics.

Mode: All

Usage: To display SSL information for a specific Role-Based Administration (RBA) partition only, use the partition name option.

Example

The following command shows SSL certificate information:

AX#show slb ssl cert
name: dang
type: certificate/key
Common Name:Dan G
Organization:Techpubs
Expiration: Jul 28 03:23:17 2008 GMT
Issuer: Self
key size: 512

Example

The following command shows SSL SLB statistics:

AX#show slb ssl stats
Number of SSL modules: 1
SSL module 1
number of enabled crypto engines: 12
number of available crypto engines: 12
Current SSL connections: 0
Total SSL connections: 0
Failed SSL handshakes: 0
Failed crypto operations: 0
SSL memory usage: 0 bytes
SSL fail CA verification         0
HW Context Memory alloc failed   0
HW ring full                     0
Record too big                   0

Table 68 describes the fields in the command output.

TABLE 68 show slb ssl stats fields
Field: Description
Number of SSL modules: Total number of SSL processing modules on the device.
SSL module n: ID number of the SSL module to which the following statistics apply.
number of enabled crypto engines: Number of SSL encryption/decryption processing engines that are enabled.
number of available crypto engines: Number of SSL encryption/decryption processing engines that are available on the device.
Current SSL connections: Number of currently active SSL sessions.
Total SSL connections: Total number of SSL sessions since the last time statistics were cleared.
Failed SSL handshakes: Number of SSL sessions in which the SSL security handshake failed.
Failed crypto operations: Number of times an encryption/decryption failure occurred for an SSL record.
SSL memory usage: Amount of memory in use by the SSL processing module.
SSL fail CA verification: Number of times an SSL session was terminated due to a certificate verification failure.
HW Context Memory alloc failed: Number of times the encryption processor was unable to allocate memory.
HW ring full: Number of times the AX software was unable to enqueue an SSL record to the SSL processor for encryption/decryption. (Number of times the processor reached its performance limit.)
Record too big: Number of times the AX device received an SSL record that spanned across more than 64 packets.

show slb ssl-proxy


Description: Show statistics for SSL-proxy SLB.

Syntax: show slb ssl-proxy

Mode: All

Example

The following command shows SSL-Proxy statistics:

AX#show slb ssl-proxy
                          Current   Total
-----------------------------------------------------------------------------
Proxy connections         0         0
Client error              0
Server error              0
Session not found         0
No route                  0
Server selection fail     0
Source NAT failure        0

Table 69 describes the fields in the command output.

TABLE 69 show slb ssl-proxy fields
Field: Description
Proxy connections: Number of currently active connections using the AX device as an SSL proxy.
Client error: Number of client errors.
Server error: Number of server errors.
Session not found: Number of times a session was not found.
No route: Number of times no route was available.
Server selection fail: Number of times selection of a real server failed.
Source NAT failure: Number of occurrences of source NAT failure.

show slb switch


Description: Show SLB switching statistics.

Syntax: show slb switch [detail | ethernet port-num [detail]]

Option: Description
detail: Shows detailed statistics.
ethernet port-num: Shows statistics only for the specified Ethernet port.

Mode: All

Example

The following command shows summary SLB switching statistics:

AX#show slb switch
                            Total
------------------------------------------------------------------
L2 Forward                  2793
L3 IP Forward               0
IPv4 No Route Drop          0
L3 IPv6 Forward             0
IPv6 No Route Drop          0
L4 Process                  709223
Incorrect Len Drop          0
Prot Down Drop              289
Unknown Prot Drop           32136
TTL Exceeded Drop           0
Link Down Drop              0
SRC Port Suppresion         0
VLAN Flood                  141022
IP Fragment Rcvd            0
ARP REQ Rcvd                80272
ARP RESP Rcvd               15939
Forward Kernel              91163
IP(TCP) Fragment Rcvd       0
IP Fragment Overlap         0
IP Frag Overload Drops      0
IP Fragment Reasm OKs       23
IP Fragment Reasm Fails     0
BPDUs Received              0
BPDUs Sent                  0
ACL Denys                   0
SYN rate exceeded Drop      0
Packet Error Drops          0
IPv6 Frag Reasm OKs         0
IPv6 Frag Reasm Fails       0
IPv6 Frag Invalid Pkts      0
Bad Pkt Drop                0
IP Frag Exceed Drop         0
IPv4 No L3 VLAN FWD Drop    0
IPv6 No L3 VLAN FWD Drop    0

Table 70 describes the fields in the command output.

TABLE 70 show slb switch fields
Field: Description
L2 Forward: Number of packets that have been Layer 2 switched.
L3 IP Forward: Number of packets that have been Layer 3 routed.
IPv4 No Route Drop: Number of IPv4 packets that were dropped due to routing failures.
L3 IPv6 Forward: Number of IPv6 packets that have been Layer 3 routed.


TABLE 70 show slb switch fields (Continued)
Field: Description
IPv6 No Route Drop: Number of IPv6 packets that were dropped due to routing failures.
L4 Process: Number of packets that went to a VIP or NAT for processing.
Incorrect Len Drop: Number of packets dropped due to incorrect protocol length.
  Note: A high value for this counter can indicate a packet length attack.
Prot Down Drop: Number of packets dropped because the corresponding protocol was disabled.
Unknown Prot Drop: Number of packets dropped because the protocol was unknown.
TTL Exceeded Drop: Number of packets dropped due to TTL expiration.
Link Down Drop: Number of packets dropped because the outgoing link was down.
SRC Port Suppression: Packet drops because of source port suppression.
VLAN Flood: Number of packets that have been broadcast to a VLAN.
IP Fragment Rcvd: Number of IPv4 fragments that have been received.
ARP REQ Rcvd: Number of ARP requests that have been received.
ARP RESP Rcvd: Number of ARP responses that have been received.
Forward Kernel: Number of packets received by the kernel from data interfaces.
IP(TCP) Fragment Rcvd: Number of IP TCP fragments received.
IP Fragment Overlap: Number of overlapping fragments received.
IP Frag Overload Drops: Number of fragments dropped due to overload.
IP Fragment Reasm OKs: Number of successfully reassembled IP fragments.
IP Fragment Reasm Fails: Number of IP fragment reassembly failures.
Anomaly LAN Attack Drop: Number of SYN packets dropped because they were spoofed (used the destination IP address as the source IP address).
  Note: This field and the other Anomaly fields appear only on models AX 1000, AX 2000, AX 2100, and AX 3000.
Anomaly IP OPT Drops: Number of packets dropped because they had IP options set.
Anomaly PingDeath Drop: Number of oversized (longer than 32 K) ICMP packets dropped. An oversized ICMP packet can trigger Denial of Service (DoS), crashing, freezing, or rebooting.

TABLE 70 show slb switch fields (Continued)
Field: Description
Anomaly All Frag Drop: Number of IP fragments dropped.
Anomaly TCP noFlag Drop: Number of TCP packets dropped because they had no flags set. TCP packets are normally sent with at least one bit in the flags field set.
Anomaly SYN Frag Drop: Number of TCP SYN fragments dropped that had the fragmentation bit set. A SYN fragment attack floods the target host with SYN packet fragments. An unprotected host will store the fragments, in order to reassemble them. By not completing the connection, and flooding the server or host with such fragmented SYN packets, the attacker can cause the host's memory buffer to fill up eventually.
Anomaly TCP SYNFIN Drop: Number of TCP packets dropped that had TCP SYN and FIN bits set. An attacker can send a packet with both bits set to determine what kind of system reply is returned, and then use the system information for further attacks using known system vulnerabilities. Also, some older devices will let such packets through even though there is an established ACL defined and the state of the TCP connection is not considered to be established.
Anomaly Any Drops: Total number of packets dropped by IP anomaly filtering.
BPDUs Received: Number of Bridge Protocol Data Units (BPDUs) received.
BPDUs Sent: Number of Bridge Protocol Data Units (BPDUs) sent.
ACL Denys: Number of times traffic was not forwarded due to a deny rule in an Access Control List (ACL). This counter also includes traffic dropped due to the l3-vlan-fwd-disable action in ACL rules.
SYN rate exceeded Drop: Number of packets dropped because the TCP SYN threshold had been exceeded.
Packet Error Drops: Number of packets dropped due to a packet error.
IPv6 Frag Reasm OKs: Number of successfully reassembled IPv6 fragments.
IPv6 Frag Reasm Fails: Number of IPv6 fragment reassembly failures.
IPv6 Frag Invalid Pkts: Number of IPv6 fragments that were invalid.
Bad Pkt Drop: Number of bad packets dropped.
IP Frag Exceed Drop: Number of fragmented IP packets that were dropped because they exceeded the allowed maximum.

TABLE 70 show slb switch fields (Continued)
Field: Description
IPv4 No L3 VLAN FWD Drop: Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv4 ACL.
IPv6 No L3 VLAN FWD Drop: Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv6 ACL.

Example

The following command shows detailed SLB switching statistics for Ethernet port 1:

AX#show slb switch ethernet 1 detail
                          DP0      DP1      DP2      Total
------------------------------------------------------------------
L2 Forward                2115     227      453      2795
L3 IP Forward             0        0        0        0
IPv4 No Route Drop        0        0        0        0
L3 IPv6 Forward           0        0        0        0
IPv6 No Route Drop        0        0        0        0
L4 Process                0        299123   412578   711701
Incorrect Len Drop        0        0        0        0
Prot Down Drop            0        174      115      289
Unknown Prot Drop         32156    0        0        32156
TTL Exceeded Drop         0        0        0        0
Link Down Drop            0        0        0        0
SRC Port Suppresion       0        0        0        0
VLAN Flood                126819   13530    752      141101
IP Fragment Rcvd          0        0        0        0
ARP REQ Rcvd              80314    0        0        80314
ARP RESP Rcvd             15949    0        0        15949
Forward Kernel            32281    35501    23464    91246
...
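The drop counters in Table 70 are most useful when compared between two captures of the command output. The following Python sketch is an added example, not part of the A10 documentation or software: it parses the summary or detail layout shown above and reports watched counters that grew between two snapshots. The watch list, the threshold, the treatment of the counters as cumulative, and the sample values are assumptions of this example.

```python
import re

# Counters whose Table 70 descriptions refer to dropped, denied or malformed
# traffic. The selection is this example's assumption, not a vendor list.
WATCH = (
    "Incorrect Len Drop",
    "Unknown Prot Drop",
    "IP Fragment Overlap",
    "IP Frag Overload Drops",
    "IP Fragment Reasm Fails",
    "ACL Denys",
    "SYN rate exceeded Drop",
    "Bad Pkt Drop",
)

# A counter row: a name followed by one value (summary) or several (detail).
ROW = re.compile(r"^\s*(?P<name>.*?\S)\s+(?P<vals>\d+(?:\s+\d+)*)\s*$")

# Constructed samples in the layout of "show slb switch ... detail".
BEFORE = """\
AX#show slb switch ethernet 1 detail
                          DP0      DP1      DP2      Total
------------------------------------------------------------------
L2 Forward                2115     227      453      2795
L4 Process                0        299123   412578   711701
Incorrect Len Drop        0        0        0        0
Prot Down Drop            0        174      115      289
Unknown Prot Drop         32156    0        0        32156
SYN rate exceeded Drop    0        0        0        0
"""

AFTER = """\
AX#show slb switch ethernet 1 detail
                          DP0      DP1      DP2      Total
------------------------------------------------------------------
L2 Forward                2140     230      460      2830
L4 Process                0        301200   415000   716200
Incorrect Len Drop        0        1200     950      2150
Prot Down Drop            0        174      115      289
Unknown Prot Drop         32160    0        0        32160
SYN rate exceeded Drop    0        310      0        310
"""


def parse_counters(text):
    """Return {counter name: {"total": int, "per_dp": [int, ...]}}.

    Handles the summary layout (one value per row) and the detail layout
    (one value per data processor followed by the Total column).
    """
    counters = {}
    for line in text.splitlines():
        if "#" in line:      # CLI prompt line, e.g. "AX#show slb switch"
            continue
        m = ROW.match(line)
        if not m:            # column header, separator, "--MORE--", blank
            continue
        vals = [int(v) for v in m.group("vals").split()]
        per_dp, total = vals[:-1], vals[-1]
        if per_dp and sum(per_dp) != total:
            # A row whose DP columns do not add up was probably mis-captured.
            raise ValueError(f"per-DP values do not add up for {m.group('name')!r}")
        counters[m.group("name")] = {"total": total, "per_dp": per_dp}
    return counters


def increases(before, after, watch=WATCH, threshold=1):
    """List watched counters that grew by at least `threshold` between snapshots."""
    out = []
    for name in watch:
        if name not in after:
            continue
        old = before.get(name, {"total": 0})["total"]
        grew = after[name]["total"] - old
        if grew >= threshold:
            out.append((name, grew, after[name]["per_dp"]))
    return out


if __name__ == "__main__":
    for name, grew, per_dp in increases(parse_counters(BEFORE), parse_counters(AFTER), threshold=100):
        print(f"{name}: +{grew} (per DP now: {per_dp})")
```

The per-DP values returned with each finding show whether the increase is concentrated on one data processor or spread across all of them.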

show slb syn-cookie


Description: Show the state of dynamic SYN cookie support.

Syntax: show slb syn-cookie

Mode: All

Example

The following command shows the state of the dynamic SYN cookie feature:

AX#show slb syn-cookie
syn-cookie ON

show slb tcp-proxy


Description: Show statistics for TCP-proxy SLB.

Syntax: show slb tcp-proxy [detail]

Mode: All

Example

The following command shows summary TCP-proxy statistics:

AX#show slb tcp-proxy
                           Total
------------------------------------------------------------------
Currently EST conns        29
Active open conns          6968
Passive open conns         7938
Connect attemp failures    0
Total in TCP packets       678804
Total out TCP packets      712974
Retransmited packets       359
Resets rcvd on EST conn    5369
Reset Sent                 4303

Table 71 describes the fields in the command output.

TABLE 71 show slb tcp-proxy fields
Field: Description
Currently EST conns: Current number of established TCP connections being handled by the proxy.
Active open conns: Number of active connections open.
Passive open conns: Number of passive connections open.
Connect attemp failures: Number of TCP connection attempts that failed.
Total in TCP packets: Total number of TCP packets received by the TCP proxy.
Total out TCP packets: Total number of TCP packets sent by the TCP proxy.
Retransmitted packets: Number of TCP packets retransmitted by the TCP proxy.
Resets rcvd on EST conn: Number of TCP Resets received for established connections.
Reset Sent: Number of TCP Resets sent by the AX Series device.

Example

The following command shows detailed TCP-proxy statistics for each data processor (DP):

AX#show slb tcp-proxy detail
                           DP0   DP1      DP2      Total
------------------------------------------------------------------
Currently EST conns        0     14       13       27
Active open conns          0     3479     3490     6969
Passive open conns         0     3955     3984     7939
Connect attemp failures    0     0        0        0
Total in TCP packets       0     269216   409613   678829
Total out TCP packets      0     272092   440907   712999
Retransmited packets       0     204      155      359
Resets rcvd on EST conn    0     2657     2712     5369
Reset Sent                 0     2138     2165     4303
Input errors               0     0        0        0
Sockets allocated          0     14       15       29
Orphan sockets             0     0        0        0
Memory alloc               0     0        0        0
Total rx buffer            0     0        8        8
Total tx buffer            0     0        0        0
TCP in SYN-SNT state       0     0        0        0
TCP in SYN-RCV state       0     0        0        0
TCP in FIN-W1 state        0     2        3        5
TCP FIN-W2 state           0     0        1        1
TCP TimeW state            0     0        0        0
TCP in Close state         0     3907     3929     7836
TCP in CloseW state        0     31       38       69
TCP in LastACK state       0     1        0        1
TCP in Listen state        0     0        0        0
TCP in Closing state       0     0        0        0

Table 72 describes the fields in the command output.

TABLE 72 show slb tcp-proxy detail fields
Field: Description
Currently EST conns: Current number of established TCP connections being handled by the proxy.
Active open conns: Number of connections opened actively.
Passive open conns: Number of connections opened passively.
Connect attemp failures: Number of TCP connection attempts that failed.
Total in TCP packets: Total number of TCP packets received by the TCP proxy.
Total out TCP packets: Total number of TCP packets sent by the TCP proxy.

TABLE 72 show slb tcp-proxy detail fields (Continued)
Field: Description
Retransmitted packets: Number of TCP packets retransmitted by the TCP proxy.
Resets rcvd on EST conn: Number of TCP Resets received for established connections.
Reset Sent: Number of TCP Resets sent by the AX device.
Input errors: Number of invalid TCP packets received by the AX device.
Sockets allocated: Number of TCP sockets currently allocated.
Orphan sockets: Current number of orphan sockets.
Memory alloc: Total memory allocated for TCP.
Total rx buffer: Total RX buffers allocated for TCP.
Total tx buffer: Total TX buffers occupied by TCP.
TCP in SYN-SNT state: Current number of TCP connections in the SYN-SNT state.
TCP in SYN-RCV state: Current number of TCP connections in the SYN-RCV state.
TCP in FIN-W1 state: Current number of TCP connections in the Fin-Wait-1 state.
TCP FIN-W2 state: Current number of TCP connections in the Fin-Wait-2 state.
TCP TimeW state: Current number of TCP connections in the Time Wait state.
TCP in Close state: Current number of TCP connections in the Close state.
TCP in CloseW state: Current number of TCP connections in the Close-Wait state.
TCP in LastACK state: Current number of TCP connections in the Last-ACK state.
TCP in Listen state: Current number of TCP connections in the Listening state.
TCP in Closing state: Current number of TCP connections in the Closing state.

show slb template


Description: Show configuration information for SLB templates. The template configuration commands in the running-config are displayed.

Syntax: show slb template [template-type [template-name]] [all-partitions | partition name]

Mode: All

Usage: To display template information for a specific Role-Based Administration (RBA) partition only, use the partition name option.

Example

The following command shows the template configuration commands in the running-config on an AX Series device:

AX#show slb template
slb template udp udp-aging
   aging immediate
slb template http X-Forwarded-For
   insert-client-ip "X-Forwarded-For"
   compression minimum-content-length 120
slb template http clientip-insert
   insert-client-ip "x-Forwarded-For"
slb template http cookie-delete
   header-erase "Cookie"
slb template http hostdelete
   header-erase "Host"
slb template http hostinsert
   header-insert "Host: www.example.com"
slb template http http100
   header-insert "Expect: 100-continue"
slb template http httpinsert
   header-erase "Host"
   header-insert "Host: www.example.com"
slb template tcp-proxy tcp-timeout
   idle-timeout 180
slb template connection-reuse creuse
   timeout 60
--MORE--

show slb virtual-server


Description: Show information for SLB virtual servers.

Syntax: show slb virtual-server [ virtual-server-name [[virtual-port-num service-type [service-group-name]] detail] [config] [all-partitions | partition name]

Option: Description
virtual-server-name: Shows information only for the specified virtual server. The virtual-port-num service-type option shows information only for the specified virtual port on the virtual server. The service-group-name option further restricts the output, to show information only for the specified service group. The detail option displays connection and packet statistics.
config: Displays virtual-server configuration information.

Mode: All

Usage: To display virtual-server information for a specific Role-Based Administration (RBA) partition only, use the partition name option.

Example

The following command shows summary information for all virtual servers:

AX#show slb virtual-server
Total Number of Virtual Services configured: 2
Virtual Server Name      IP         Current     Total       Request  Response
Service-Group            Service    connection  connection  packets  packets
--------------------------------------------------------------------------------
*v-server                3.1.1.99
 port 80 http                       0           3           14       10
  abctcp                 80/http    0           2           14       10
  Total received conn attempts on this port: 3
 port 53 udp                        0           0           0        0
  abcudp                 53/udp     0           0           0        0
  Total received conn attempts on this port: 0
...

Table 73 describes the fields in the command output.

TABLE 73 show slb virtual-server fields
Field: Description
Total Number of Virtual Services configured: Total number of virtual services (virtual server ports) configured on the AX Series device.

702 of 722

P e r f o r m a n c e

b y

D e s i g n

Document No.: D-030-01-00-0003 - Ver. 2.4.3-P2 11/3/2010

AX Series - Command Line Interface - Reference


show slb virtual-server TABLE 73 show slb virtual-server fields (Continued)
Field Virtual Server Name Description Name of the virtual server. Underneath the virtual server name, each of the virtual ports on the server is listed, followed by the service groups in which the virtual server and the virtual port are members. In the example above, virtual server v-server has two virtual ports, HTTP port 80 and UDP port 53. HTTP port 80 is a member of service group abctcp, and UDP port 53 is a member of service group abcudp. Virtual IP address of the virtual server. Current number of connections to the virtual service port. Note: Connection and packet counters are listed separately for virtual ports and for service groups. Total number of connections to the virtual service port. Number of request packets received for the virtual service. Number of server reply packets sent by the AX device for the virtual service. Total number of connection requests received for this port.

IP Current connection Total connection Request packets Response packets Total received conn attempts on this port Service-Group Service

Service group bound to the virtual service. Virtual service port number and service type.

Example       The following command shows status information for SLB virtual server v-server:

AX1(config)#show slb virtual-server v-server
Virtual server: v-server State: All Up IP: 3.1.1.99
Port            Curr-conn   Total-conn   Rev-Pkt   Fwd-Pkt
------------------------------------------------------------------------
Virtual Port:80 / service:abctcp / state:All Up
port 80 http    0           3            10        14
   Source NAT Pool: pootest
Virtual Port:53 / service:abcudp / state:All Up
port 53 udp     0           0            0         0
   Source NAT Pool: pootest
Total Traffic   0           3            10        14
...

Table 74 describes the fields in the command output.

TABLE 74 show slb virtual-server <server-name> fields

Field            Description
Virtual server   Name of the virtual server.
State            State information is shown separately for virtual servers and for individual virtual ports.
                 Virtual server state:
                    All Up: All virtual ports on the virtual server are Running.
                    Functional Up: Some of the virtual ports are Running or Functional Running, but at least one of them is not Running.
                    Partial Up: At least one virtual port is Running or Functional Running, but at least one other virtual port is Down.
                    Down: All the virtual ports are Down.
                    Disb: The virtual server has been administratively disabled.
                 Virtual port state:
                    All Up: All members (real servers and ports) in all service groups bound to the virtual port are up.
                    Functional Up: At least one member in a service group bound to the virtual port is up, but not all members are up.
                    Down: All members in all service groups bound to the virtual port are down.
                    Disb: The virtual port has been administratively disabled.
IP               Virtual IP address of the virtual server.
Port             Virtual port number and service type.
Curr-conn        Current number of connections to the virtual service port.
Total-conn       Total number of connections to the virtual service port.
Rev-Pkt          Number of server reply packets sent by the AX device for the virtual service.
Fwd-Pkt          Number of request packets received for the virtual service.

Example       The following command shows configuration information for SLB virtual server louis2:

AX#show slb virtual-server config louis2
Total Number of Virtual Services configured: 1
Virtual server Name      Address
------------------------------------------------
louis2                   192.168.20.253
 member0:louis 80/http
   Source NAT Pool: p1
   HTTP Template: clientip-insert
   Reuse Template: cr
   Persist Cookie:cookie-persist
   aFleX: bugzilla_proxy_fix

Table 75 describes the fields in the command output.

TABLE 75 show slb virtual-server config fields

Field                                         Description
Total Number of Virtual Services configured   Total number of virtual services (virtual server ports) configured on the AX Series device.
Virtual server Name                           Name of the virtual server.
Address                                       Virtual IP address of the virtual server.
membern                                       Real server bound to the virtual server. The number at the end is assigned by the AX Series for this show command output. Under the member name, the NAT pools and SLB templates bound to the virtual server are listed.

Example       The following command shows details for a virtual port on a virtual server:

AX(config)#show slb virtual-server dangvip1 80 detail
Virtual port name: dangvip1:80
Virtual port number: 4.4.4.4:80
Virtual port template: default
Current connection: 0
Current request: 0
Total connection: 0
Total request: 0
Total request success: 0
Total forward bytes: 0
Total forward packets: 0
Total reverse bytes: 0
Total reverse packets: 0

Table 76 describes the fields in the command output.

TABLE 76 show slb virtual-server detail fields

Field                   Description
Virtual port name       Name of the virtual server and virtual port.
Virtual port number     IP address of the virtual server and protocol port number of the virtual port.
Virtual port template   Name of the virtual port template bound to the virtual port.
Current connection      Current number of connections to the virtual port.
Current request         Current number of HTTP requests being processed by the virtual port. Note: In this field and the Total request and Total request success fields, Layer 7 requests are counted only if Layer 7 request accounting is enabled. See slb enable-l7-req-acct on page 287.
Total connection        Total number of connections that have been made to the virtual port.
Total request           Total number of HTTP requests processed by the virtual port.
Total request success   Total number of HTTP requests that were successful.
Total forward bytes     Number of request bytes forwarded to the virtual port.
Total forward packets   Number of request packets forwarded to the virtual port.
Total reverse bytes     Number of request bytes received from the virtual port.
Total reverse packets   Number of request packets received from the virtual port.


AX Debug Commands
The AX debug subsystem enables you to trace packets on the AX device. To access the AX debug subsystem, enter the following command at the Privileged EXEC level of the CLI:

axdebug

The CLI prompt changes as follows:

AX(axdebug)#

This chapter describes the debug-related commands in the AX debug subsystem.

To perform AX debugging using this subsystem:

1. Use the filter command to configure packet filters to match on the types of packets to capture.
2. (Optional) Use the count command to change the maximum number of packets to capture.
3. (Optional) Use the timeout command to change the maximum number of minutes during which to capture packets.
4. (Optional) Use the incoming or outgoing command to limit the interfaces on which to capture traffic.
5. Use the capture command to start capturing packets. The AX device begins capturing packets that match the filter, and saves the packets to a file or displays them, depending on the capture options you specify.
6. To display capture files, use the show axdebug file command. (See show axdebug file on page 533.)
7. To export capture files, use the export axdebug command at the Privileged EXEC or global configuration level of the CLI. (See export on page 56.)

The AXdebug utility creates a debug file in packet capture (PCAP) format. The PCAP format can be read by third-party diagnostic applications such as Wireshark, Ethereal (the older name for Wireshark) and tcpdump. To simplify export of the PCAP file, the AX device compresses it into a zip file in tar format. To use a PCAP file, you must untar it first.

capture

Description   Start capturing packets.

Syntax        [no] capture parameter

Parameter / Description

brief [save ...]
   Captures basic information about packets. (For save options, see save filename below.)

detail [save ...]
   Captures packet content in addition to basic information. (For save options, see save filename below.)

non-display [save ...]
   Does not display the captured packets on the terminal screen. Use the save options to configure a file in which to save the captured packets.

save filename [max-packets] [incoming [portnum ...]] [outgoing [portnum ...]]
   Saves captured packets in a file.
   filename: Specifies the name of the packet capture file.
   max-packets: Specifies the maximum number of packets to capture in the file, 0-65535. To save an unlimited number of packets in the file, specify 0.
   incoming [portnum ...]: Captures inbound packets. You can specify one or more physical Ethernet interface numbers. Separate the interface numbers with spaces. If you do not specify interface numbers, inbound traffic on all physical Ethernet interfaces is captured.
   outgoing [portnum ...]: Captures outbound packets on the specified physical Ethernet interfaces or on all physical Ethernet interfaces. If you do not specify interface numbers, outbound traffic on all physical Ethernet interfaces is captured.

Default       By default, packets in both directions on all Ethernet data interfaces are captured.

Note:         The traffic also must match the AX debug filters.

Mode          AX debug

Usage         To minimize the impact of packet capture on system performance, A10 Networks recommends that you configure an AX debug filter before beginning the packet capture. To display a list of AX debug capture files or to display the contents of a capture file, see show axdebug file on page 533.

Example       The following command captures brief packet information for display on the terminal screen. The output is not saved to a file.

AX(axdebug)#capture brief
Wait for debug output, enter <ctrl c> to exit
(0,1738448) i( 1, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA 78f07ab8:dbffc02d(0)
(0,1738448) o( 3, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA 78f07ab8:dbffc02d(0)
(0,1738448) i( 1, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A 78f07ab9:dbffc0c2(0)
(0,1738448) o( 3, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A 78f07ab9:dbffc0c2(0)
(1,1738450) i( 1, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA 78f07ab9:dbffc0c2(191)
(1,1738450) o( 3, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA 78f07ab9:dbffc0c2(191)
(1,1738450) i( 1, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA 78f07b78:dbffc0c3(0)
(1,1738450) o( 3, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA 78f07b78:dbffc0c3(0)
...

These lines of debug output show the following:

   0              CPU ID. Indicates the CPU that processed the packet. CPU 0 is the control CPU.
   1738448        Time delay between packets. This is a jiffies value that increments in 4-millisecond (4-ms) intervals.
   i              Traffic direction: i (input) or o (output).
   (1, 0, cca8)   Ethernet interface, VLAN tag, and packet buffer index. If the VLAN tag is 0, then the port is untagged. In this example, the first packet is received on Ethernet port 1, and the VLAN is not yet known. The packet is assigned to buffer index cca8.

Note:         Generally, the VLAN tag for ingress packets is 0. It is normal for the ingress VLAN tag to be 0 even when the egress VLAN tag is not 0.

The source and destination IP addresses are listed next, followed by the source and destination protocol port numbers. The TCP flag is shown next:

   S    Syn
   SA   Syn Ack
   A    Ack
   F    Fin
   PA   Push Ack

The TCP sequence number and ACK sequence number are then shown. Finally, the packet payload size is shown. The header size is excluded.

Example       The following command captures packet information and packet contents for display on the terminal screen. The output is not saved to a file.

AX(axdebug)#capture detail
Wait for debug output, enter <ctrl c> to exit
i( 1, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657058: 003c0000 40004006 e8580a0a 0b1e1e1e : .<..@.@..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
o( 3, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 001d09f0 e01e0090 0b0b3e83 08004500 : ..........>...E.
0xa6657058: 003c0000 40003f06 e9580a0a 0b1e1e1e : .<..@.?..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
i( 1, 0, ccaf)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 A 7ab6ae47:ddb87a2b(0)
Dump buffer(0xa6657848), len(80 bytes)...
0xa6657848: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657858: 0034c211 40004006 264f0a0a 0b1e1e1e : .4..@.@.&O......
0xa6657868: 1f1e0050 35467ab6 ae47ddb8 7a2b8010 : ...P5Fz..G..z+..
0xa6657878: 00367344 00000101 080a5194 6c561f3c : .6sD......Q.lV.<
0xa6657888: 1d4041de e3380000 00000000 00000000 : .@A..8..........
0xa6657898: 00000000 00000000 00000000 00000000 : ................
...
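The following Python sketch is an added example, not part of the A10 manual. It parses the summary line used by capture brief and capture detail, decodes the dumped header bytes, and checks that the two agree; it then pairs the input and output copies of a packet by buffer index to show which header fields the device rewrote. The function names, and the reading of the value in parentheses as the TCP payload length, are assumptions of this example.

```python
import re
import socket
import struct

# Constructed input: input and output copies of the first packet in the page's
# `capture detail` example, one dump row per line, first three rows of each dump.
SAMPLE = """\
i( 1, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657058: 003c0000 40004006 e8580a0a 0b1e1e1e : .<..@.@..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
o( 3, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 001d09f0 e01e0090 0b0b3e83 08004500 : ..........>...E.
0xa6657058: 003c0000 40003f06 e9580a0a 0b1e1e1e : .<..@.?..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
"""

# Summary line of capture brief/detail; the "(cpu,jiffies)" prefix is brief-only.
SUMMARY = re.compile(
    r"(?:\((?P<cpu>\d+),(?P<jiffies>\d+)\)\s*)?"
    r"(?P<dir>[io])\(\s*(?P<port>\d+),\s*(?P<vlan>\d+),\s*(?P<buf>[0-9a-f]+)\)>\s*"
    r"ip (?P<src>\S+) > (?P<dst>\S+) tcp (?P<sport>\d+) > (?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) (?P<seq>[0-9a-f]+):(?P<ack>[0-9a-f]+)\((?P<paylen>\d+)\)")
ROW = re.compile(r"0x[0-9a-f]+:((?: [0-9a-f]{8}){1,4}) :")
FLAG_BITS = ((0x02, "S"), (0x08, "P"), (0x01, "F"), (0x10, "A"))  # letters the page lists

def parse_capture(text):
    """Split capture text into packets: parsed summary fields plus the dumped bytes."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        summary, row = SUMMARY.match(line), ROW.match(line)
        if summary:
            packets.append({"summary": summary.groupdict(), "frame": b""})
        elif row and packets:
            packets[-1]["frame"] += bytes.fromhex(row.group(1).replace(" ", ""))
    return packets

def mac(raw):
    """Format six bytes in the dotted style of the filter example (aabb.ccdd.eeff)."""
    return ".".join(raw.hex()[i:i + 4] for i in (0, 4, 8))

def decode_frame(frame):
    """Decode untagged Ethernet II, IPv4 and TCP header fields from dumped bytes."""
    ihl = (frame[14] & 0x0F) * 4 if len(frame) >= 34 else 0
    if ihl < 20 or frame[12:14] != b"\x08\x00" or frame[23] != 6 or len(frame) < 28 + ihl:
        raise ValueError("expected an untagged IPv4/TCP frame with complete headers")
    ip = frame[14:14 + ihl]
    total = sum(struct.unpack("!%dH" % (ihl // 2), ip))
    while total >> 16:  # fold carries: a valid IPv4 header sums to 0xFFFF
        total = (total & 0xFFFF) + (total >> 16)
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[14 + ihl:28 + ihl])
    return {
        "dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]), "ttl": ip[8],
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": "".join(name for bit, name in FLAG_BITS if off_flags & bit),
        "paylen": int.from_bytes(ip[2:4], "big") - ihl - (off_flags >> 12) * 4,
        "ip_checksum_ok": total == 0xFFFF,
    }

def cross_check(packet):
    """Return the summary fields that disagree with the decoded header bytes."""
    s, h = packet["summary"], decode_frame(packet["frame"])
    want = {"src": s["src"], "dst": s["dst"], "sport": int(s["sport"]),
            "dport": int(s["dport"]), "seq": int(s["seq"], 16), "ack": int(s["ack"], 16),
            "paylen": int(s["paylen"]), "ip_checksum_ok": True}
    bad = [field for field, value in want.items() if h[field] != value]
    if set(h["flags"]) != set(s["flags"]):  # compare as sets: letter order is the device's
        bad.append("flags")
    return bad

def rewritten_fields(packets):
    """Pair input/output copies by buffer index; report header fields that changed."""
    seen, changes = {}, {}
    for p in packets:
        buf, hdr = p["summary"]["buf"], decode_frame(p["frame"])
        if p["summary"]["dir"] == "i":
            seen[buf] = hdr
        elif buf in seen:
            changes[buf] = {k: (seen[buf][k], hdr[k]) for k in hdr if seen[buf][k] != hdr[k]}
    return changes

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    print([cross_check(p) for p in pkts], rewritten_fields(pkts))
```

For the sample, both copies pass the cross-check, and the only differences between them are the MAC addresses and the TTL (64 on input, 63 on output).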

Example       The following command saves captured packet information in file file123. The captured traffic is not displayed on the terminal screen.

AX(axdebug)#capture save file123

count

Description   Specify the maximum number of packets to capture.

Syntax        [no] count num

Parameter     Description
num           Maximum number of packets to capture, 0-65535. To capture an unlimited number of packets, specify 0.

Default       3000

Mode          AX debug

Example       The following command sets the maximum number of packets to capture to 2048:

AX(axdebug)#count 2048

delete
Description   Delete an axdebug capture file.

Syntax        delete filename

Default       N/A

Mode          AX debug

Example       The following command deletes capture file file123:

AX(axdebug)#delete file123

filter

Description   Configure an AX debug filter, to specify the types of packets to capture.

Syntax        [no] filter filter-id

Parameter     Description
filter-id     ID of the filter, 1-255.

This command changes the CLI to the configuration level for the specified AX debug filter, where the following AX debug filter-related commands are available:

Command / Description

dst {ip ipaddr | mac macaddr | port portnum}
   Matches on the specified destination IP address, MAC address, or protocol port number.

l3-proto {arp | ip | ipv6}
   Matches on the specified Layer 3 protocol.

ip ipaddr {subnet-mask | /mask-length}
   Matches on the specified IPv4 address.

mac macaddr
   Matches on the specified MAC address.

offset position length bytes operator value
   Matches on the specified length of bytes and value of those bytes within the packet.
   position: Starting position within the packet, 1-65535 bytes.
   bytes: Number of consecutive bytes to filter on, from 1-65535, beginning at the offset position.
   operator: One of the following:
      > (greater than)
      >= (greater than or equal to)
      <= (smaller than or equal to)
      < (smaller than)
      = (equal to)
      range min-value max-value (select a range)
   value: String to filter on.

port minportnum maxportnum
   Matches on the specified range of protocol port numbers.

proto {icmp | icmpv6 | tcp | udp | portnum}
   Matches on the specified protocol or protocol port number.

src {ip ipaddr | mac macaddr | port port-num}
   Matches on the specified source IP address, MAC address, or protocol port number.

Default       No filters are configured by default. When you create one, all packets match the filter by default.

Mode          AX debug

Usage         If a packet capture is running and you change the filter, there will be a 5-second delay while the AX device clears the older filter. The delay does not occur if a packet capture is not already running.

              The packet filter for the debug command is internally numbered filter 0. In AXdebug, you can create multiple filters, which are uniquely identified by filter ID. If you create filter 0 in AXdebug, this filter will overwrite the debug packet filter. Likewise, if you configure filter 0 in AXdebug, then configure the debug packet filter, the debug packet filter will overwrite AXdebug filter 0.

Example       The following commands configure an AX debug filter to match on source IP address 10.10.10.30, destination protocol port number 80, and source MAC address aabb.ccdd.eeff. The show axdebug filter command displays the filter.

AX(axdebug)#filter 1
AX(axdebug-filter:1)#src ip 10.10.10.30
AX(axdebug-filter:1)#dst port 80
AX(axdebug-filter:1)#src mac aabb.ccdd.eeff
AX(axdebug-filter:1)#exit
AX(axdebug)#show axdebug filter
axdebug filter 1
   src ip 10.10.10.30
   dst port 80
   src mac aabb.ccdd.eeff

incoming | outgoing
Description   Specify the Ethernet interfaces and traffic direction for which to capture packets.

Syntax        [no] incoming [portnum ...] [outgoing [portnum ...]]
              outgoing [portnum ...]

Default       Incoming and outgoing traffic on all Ethernet data ports is captured.

Note:         The traffic also must match the AX debug filters.

Mode          AX debug

Example       The following command limits the packet capture to inbound packets on Ethernet interface 3 and outbound packets on Ethernet interface 4:

AX(axdebug)#incoming 3 outgoing 4

Example       The following command limits the packet capture to outbound packets on Ethernet interface 7. Inbound packets on all Ethernet interfaces are captured, unless specified otherwise in AX debug filters.

AX(axdebug)#outgoing 7

length

Description   Specify the maximum length of packets to capture. Packets that are longer are not captured.

Syntax        [no] length bytes

Parameter     Description
bytes         Maximum packet length, 64-1518 bytes.

Default       96

Mode          AX debug

Example       The following command changes the maximum packet length to capture to 128:

AX(axdebug)#length 128

maxfile
Description   Specify the maximum number of axdebug packet capture files to keep.

Syntax        [no] maxfile num

Parameter     Description
num           Maximum number of files to keep, 1-65535.

Default       100

Mode          AX debug

Usage         Once the maximum is reached, the oldest axdebug files are purged to make room for the newest ones.

Example       The following command changes the maximum number of AX debug capture files to keep to 125:

AX(axdebug)#maxfile 125

outgoing

Description   See incoming | outgoing on page 714.

timeout

Description   Specify the maximum number of minutes to capture packets.

Syntax        [no] timeout minutes

Parameter     Description
minutes       Maximum number of minutes to capture packets, 0-65535.

Default       5

Mode          AX debug

Example       The following command changes the capture timeout to 10 minutes:

AX(axdebug)#timeout 10


show health stat Up / Down Causes


This chapter lists the cause strings for the numeric cause codes that appear in the Up and Down fields of the show health stat output. The Up / Down cause codes are shown in the output under Cause(Up/Down/Retry).

Up Causes
Table 77 lists the Up causes.

TABLE 77 show health stat Up Causes

Cause Code   Cause String
0            HM_INVALID_UP_REASON
1            HM_DNS_PARSE_RESPONSE_OK
2            HM_EXT_REPORT_UP
3            HM_EXT_TCL_REPORT_UP
4            HM_FTP_ACK_USER_LOGIN
5            HM_FTP_ACK_PASS_LOGIN
6            HM_HTTP_RECV_URL_FIRST
7            HM_HTTP_RECV_URL_NEARBY_FIRST
8            HM_HTTP_RECV_URL_FOLLOWING
9            HM_HTTP_RECV_URL_NEARBY_FOLLOWING
10           HM_HTTP_STATUS_CODE
11           HM_ICMP_RECV_OK
12           HM_ICMP_RECV6_OK
13           HM_LDAP_RECV_ACK
14           HM_POP3_RECV_ACK_PASS_OK
15           HM_RADIUS_RECV_OK
16           HM_RTSP_RECV_STATUS_OK
17           HM_SIP_RECV_OK
18           HM_SMTP_RECV_OK
19           HM_SNMP_RECV_OK
20           HM_TCP_VERIFY_CONN_OK
21           HM_TCP_CONN_OK
22           HM_TCP_HALF_CONN_OK
23           HM_UDP_RECV_OK
24           HM_UDP_NO_RESPOND
25           HM_COMPOUND_UP


Down Causes
Table 78 lists the Down causes.

TABLE 78 show health stat Down Causes

Cause Code   Cause String
0            HM_INVALID_DOWN_REASON
1            HM_DNS_TIMEOUT
2            HM_EXT_TIMEOUT
3            HM_EXT_TCL_TIMEOUT
4            HM_FTP_TIMEOUT
5            HM_HTTP_TIMEOUT
6            HM_HTTPS_TIMEOUT
7            HM_ICMP_TIMEOUT
8            HM_LDAP_TIMEOUT
9            HM_POP3_TIMEOUT
10           HM_RADIUS_TIMEOUT
11           HM_RTSP_TIMEOUT
12           HM_SIP_TIMEOUT
13           HM_SMTP_TIMEOUT
14           HM_SNMP_TIMEOUT
15           HM_TCP_TIMEOUT
16           HM_TCP_HALF_TIMEOUT
17           HM_DNS_RECV_ERROR
18           HM_DNS_PARSE_RESPONSE_ERROR
19           HM_DNS_RECV_LEN_ZERO
20           HM_EXT_WAITPID_FAIL
21           HM_EXT_TERM_BY_SIG
22           HM_EXT_REPORT_DOWN
23           HM_EXT_TCL_REPORT_DOWN
24           HM_FTP_RECV_TIMEOUT
25           HM_FTP_SEND_TIMEOUT
26           HM_FTP_NO_SERVICE
27           HM_FTP_ACK_USER_WRONG_CODE
28           HM_FTP_ACK_PASS_WRONG_CODE
29           HM_COM_CONN_CLOSED_IN_WRITE
30           HM_COM_OTHER_ERR_IN_WRITE
31           HM_COM_CONN_CLOSED_IN_READ
32           HM_COM_OTHER_ERR_IN_READ
33           HM_COM_SEND_TIMEOUT
34           HM_COM_CONN_TIMEOUT
35           HM_COM_SSL_CONN_ERR
36           HM_HTTP_SEND_URL_ERR
37           HM_HTTP_RECV_URL_ERR
38           HM_HTTP_RECV_MSG_ERR
39           HM_HTTP_NO_LOCATION
40           HM_HTTP_WRONG_STATUS_CODE
41           HM_HTTP_WRONG_CHUNK
42           HM_HTTP_AUTH_ERR
43           HM_HTTPS_SSL_WRITE_ERR
44           HM_HTTPS_SSL_WRITE_OTHERS
45           HM_HTTPS_SSL_READ_ERR
46           HM_HTTPS_SSL_READ_OTHERS
47           HM_ICMP_RECV_ERR
48           HM_ICMP_SEND_ERR
49           HM_ICMP_RECV6_ERR
50           HM_LDAP_RECV_ACK_ERR
51           HM_LDAP_SSL_READ_ERR
52           HM_LDAP_SSL_READ_OTHERS
53           HM_LDAP_RECV_ACK_WRONG_PACKET
54           HM_LDAP_SSL_WRITE_ERR
55           HM_LDAP_SSL_WRITE_OTHERS
56           HM_LDAP_SEND_ERR
57           HM_POP3_RECV_TIMEOUT
58           HM_POP3_SEND_TIMEOUT
59           HM_POP3_NO_SERVICE
60           HM_POP3_RECV_ACK_USER_ERR
61           HM_POP3_RECV_ACK_PASS_ERR
62           HM_RADIUS_RECV_ERR
63           HM_RADIUS_RECV_ERR_PACKET
64           HM_RADIUS_RECV_NONE
65           HM_RTSP_RECV_STATUS_ERR
66           HM_RTSP_RECV_ERR
67           HM_RTSP_SEND_ERR
68           HM_SIP_RECV_ERR
69           HM_SIP_RECV_ERR_PACKET
70           HM_SIP_CONN_CLOSED
71           HM_SIP_NO_MEM
72           HM_SIP_STARTUP_ERR
73           HM_SMTP_RECV_ERR
74           HM_SMTP_NO_SERVICE
75           HM_SMTP_SEND_HELO_TIMEOUT
76           HM_SMTP_SEND_QUIT_TIMEOUT
77           HM_SMTP_WRONG_CODE
78           HM_SNMP_RECV_ERR
79           HM_SNMP_RECV_ERR_PACKET
80           HM_SNMP_RECV_ERR_OTHER
81           HM_TCP_PORT_CLOSED
82           HM_TCP_ERROR
83           HM_TCP_INVALID_TCP_FLAG
84           HM_TCP_HALF_NO_ROUTE
85           HM_TCP_HALF_NO_MEM
86           HM_TCP_HALF_SEND_ERR
87           HM_UDP_RECV_ERR
88           HM_UDP_RECV_ERR_OTHERS
89           HM_UDP_NO_SERVICE
90           HM_UDP_ERR
91           HM_COMPOUND_INVAL_RPN
92           HM_COMPOUND_DOWN
93           HM_COMPOUND_TIMEOUT


Corporate Headquarters A10 Networks, Inc. 2309 Bering Dr. San Jose, CA 95131-1125 USA Tel: +1-408-325-8668 (main) Tel: +1-408-325-8676 (support - worldwide) Tel: +1-888-822-7210 (support - toll-free in USA) Fax: +1-408-325-8666 www.a10networks.com

This document is for informational purposes only. A10 Networks MAKES NO WARRANTIES, EXPRESSED OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of A10 Networks Corporation. A10 Networks may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from A10 Networks, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2010 A10 Networks Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
