Disclaimer
THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY EXPRESS OR IMPLIED WARRANTY OF ANY KIND, INCLUDING WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT OF INTELLECTUAL PROPERTY, OR FITNESS FOR ANY PARTICULAR PURPOSE. IN NO EVENT SHALL PACKETEER OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION, OR LOSS OF INFORMATION) ARISING OUT OF THE USE OF OR INABILITY TO USE THIS DOCUMENT OR THE PRODUCTS DESCRIBED HEREIN, EVEN IF PACKETEER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. BECAUSE SOME JURISDICTIONS PROHIBIT THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE ABOVE LIMITATION MAY NOT APPLY TO YOU. Packeteer and its suppliers further do not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this document, or assume liability for any incidental, indirect, special, or consequential damages in connection with the furnishing, use, or performance of the information in this document. Packeteer may make changes to this document, or to the products or software described herein, at any time, without notice. Packeteer makes no commitment to update this document.
Copyright/Trademarks/Patents
Packeteer, the Packeteer logo, and combinations of Packeteer and the Packeteer logo, as well as PacketWise, PacketSeeker, PacketShaper, PacketShaper Xpress, and PolicyCenter, are trademarks or registered trademarks of Packeteer, Inc. in the United States and other countries. Other product and company names used in this document are used for identification purposes only, may be trademarks of other companies, and are the property of their respective owners. Copyright 1996-2006 Packeteer, Inc. All rights reserved. No part of this document may be reproduced, photocopied, stored on a retrieval system, transmitted, or translated into another language without the express written consent of Packeteer, Inc. PacketShaper, PacketShaper Xpress, and PacketSeeker appliances, and PolicyCenter and PacketWise software are protected by, or for use under, one or more of the following U.S. Patents: 5,802,106; 6,018,516; 6,038,216; 6,046,980; 6,115,357; 6,205,120; 6,285,658; 6,298,041; 6,412,000; 6,456,630; 6,457,051; 6,591,299; 6,741,563; 6,928,052; 6,934,745; 6,970,432; 7,003,572; 6,460,085; 6,529,477; 6,584,083; 6,654,344; 6,934,255; 7,013,342 and 7,012,900. Other U.S. and international patents pending. Portions of the product incorporate software licensed from General Software, Inc. Copyright 2001 General Software, Inc. All rights reserved. This product also includes software for zipping and unzipping. Copyright 1990-2001 Info-ZIP. All rights reserved.
Printing History
October 2006      PacketWise 8.1
December 2006     PacketWise 8.1.1
June 2007         PacketWise 8.2
November 2007     PacketWise 8.3
A few basic conventions apply to commands:

Commands are not case sensitive; that is, you can use either uppercase or lowercase characters.

A command can be abbreviated by entering the minimum number of characters required to uniquely distinguish it from other commands. For example, you can type cl sh instead of class show.

Command syntax can be verified by typing one of the following: help <command> or <command> ?, where <command> is the name of the command for which you want help.

To issue multiple commands from a single command line, separate the commands with a semicolon (;), for example, setup show;traffic bandwidth. The semicolon is the equivalent of pressing the Enter key.

Note: When combining multiple commands on one line, do not attempt to run a command file in series with other commands. The run command executes a separate task, and the other commands in the line may not run in sequence.

To repeat the last CLI command you entered, type !!. To repeat a previous command, type !<n>, where <n> corresponds to the sequence number of the command in the current remote login or console session. For example, !5 repeats the fifth command you entered in the current session. Use the history command to determine the line number of previous commands. Alternatively, you can scroll through the command history by pressing the up and down arrows. You can also edit previously entered commands, as described below.
<tclass> refers to a traffic class name. Include the class's full pathname if it is needed to uniquely identify the class. For example, if HTTP appears in both the Inbound and Outbound subtrees, the explicit path is required to identify a specific HTTP class, for example, /inbound/http.
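The input conventions above (per-word abbreviation, semicolon-separated commands, the !! and !<n> history shortcuts, and the quoted agent names used by the agent commands later in this guide) modeled as an added Python example. This is not PacketWise code: the command table is a constructed subset of the commands on this page, and the tie-break rules named in the docstring are assumptions of the model.

```python
"""Model of the PacketWise CLI input conventions.

Added example, not PacketWise code. Where the guide does not state a
rule, the behaviour here is an assumption: an exact word beats a prefix
of a longer word, history records the expanded line, and 'run' is
refused when combined with other commands on one line.
"""
import re

# Constructed subset of the command tree documented on this page.
COMMANDS = [
    ("actionfile", "library"), ("actionfile", "prescribe"),
    ("actionfile", "subscribe"), ("actionfile", "sync"),
    ("agent", "action"), ("agent", "createdefaults"), ("agent", "delete"),
    ("agent", "interval"), ("agent", "new"), ("agent", "off"), ("agent", "on"),
    ("agent", "override"), ("agent", "parm"), ("agent", "show"),
    ("arp",), ("atm", "add"), ("atm", "community"), ("atm", "delete"),
    ("atm", "options"), ("atm", "override"), ("atm", "routing"), ("atm", "show"),
    ("class", "show"), ("class", "delete"), ("setup", "show"),
    ("traffic", "bandwidth"), ("help",), ("history",), ("run",),
]


class CliError(Exception):
    """Raised for unknown, ambiguous or malformed input."""


def split_commands(line):
    """Split a line on ';' outside double quotes into token lists.
    Quotes are removed, so "High Bandwidth Host" becomes one token."""
    commands, tokens, current, in_quote = [], [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
            commands.append(tokens)
            tokens = []
        elif ch.isspace() and not in_quote:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if in_quote:
        raise CliError("unterminated quote")
    if current:
        tokens.append("".join(current))
    commands.append(tokens)
    return [t for t in commands if t]


def resolve(tokens):
    """Expand abbreviated command words case-insensitively.
    Returns (full command words, remaining argument tokens)."""
    candidates = list(COMMANDS)
    words = []
    for depth, tok in enumerate(tokens):
        low = tok.lower()
        matches = [c for c in candidates
                   if len(c) > depth and c[depth].startswith(low)]
        exact = [c for c in matches if c[depth] == low]
        distinct = sorted({c[depth] for c in (exact or matches)})
        if not distinct:
            raise CliError("unknown command word %r" % tok)
        if len(distinct) > 1:
            raise CliError("ambiguous abbreviation %r: %s"
                           % (tok, ", ".join(distinct)))
        words.append(distinct[0])
        candidates = [c for c in matches if c[depth] == distinct[0]]
        if any(len(c) == depth + 1 for c in candidates):
            return words, tokens[depth + 1:]
    raise CliError("incomplete command %r" % " ".join(words))


class Session:
    """Tracks command history the way `history`, !! and !<n> need it."""

    def __init__(self):
        self.history = []

    def expand_history(self, line):
        m = re.fullmatch(r"!(!|\d+)", line.strip())
        if not m:
            return line
        if m.group(1) == "!":
            if not self.history:
                raise CliError("no previous command to repeat")
            return self.history[-1]
        n = int(m.group(1))
        if not 1 <= n <= len(self.history):
            raise CliError("no command %d in this session" % n)
        return self.history[n - 1]  # !<n> is 1-based, like `history`

    def submit(self, line):
        """Expand history, record the line, and resolve every command."""
        line = self.expand_history(line)
        self.history.append(line)
        resolved = [resolve(toks) for toks in split_commands(line)]
        if len(resolved) > 1 and any(w == ["run"] for w, _ in resolved):
            raise CliError("do not combine 'run' with other commands on a line")
        return resolved


def rejects(line, session=None):
    """True when the front end refuses the line."""
    try:
        (session or Session()).submit(line)
    except CliError:
        return True
    return False
```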
If you make a typing mistake in your command, you don't need to retype it; you can redisplay the command and edit it. This capability is available via Telnet or SSH, but not via a direct console connection.

Function                                     Technique
Display a previously entered command         Press the up arrow until the command you want is displayed
Scroll down through the command history      Press the down arrow
Move cursor to the left                      Press the left arrow
Move cursor to the beginning of the line     Press Ctrl+a
Move cursor to the right                     Press the right arrow
Insert characters                            Position the cursor and start typing
Delete character                             Press Backspace or Delete (characters are deleted to the left of the cursor)
(not stated)                                 Press Ctrl+u
Note: If the arrow keys aren't working, make sure your Telnet client is emulating VT100 arrows. You may need to enable this option in your client.

Typographical Conventions

The following typographical conventions are used for command syntax:

Convention             Description                                                                    Example
Boldface               Commands                                                                       class delete web_in
[Square brackets]      Optional arguments in a command line                                           class show [<tclass>]
<angle brackets>       Required arguments for which you will supply a name
Pipe character ( | )   The "or" symbol in a command line; choose one of the options separated by the | symbol
You are free to choose any remote login utility that is available for your operating system. For example, for clear text connections, you can use Telnet. For secure connections, you can choose any SSH client, such as SecureCRT for Windows or OpenSSH for UNIX operating systems.

To access the PacketWise command-line interface with a remote login utility:

1. First, verify that your workstation can access the unit. See the Getting Started Guide for installation details. For a router-installed unit, the unit must be installed on the network between your workstation and the WAN access router. For a server-installed unit, you must log in from the server. See the Getting Started Guide for details.

2. If the unit has already been configured for your network, you can connect to it using its IP address, for example: telnet 10.10.1.100 or ssh 10.10.1.100. When you connect successfully, you will be prompted for the unit's password. Enter the password and press Enter.
3.
To access the command-line interface via a serial connection:

1. Using the provided null-modem cable, attach a workstation or PC to the unit's port labeled Console.

2. Start your terminal emulation program (such as HyperTerminal).

3. Verify that you have configured your program with the following values to communicate with the unit's console serial port: 9600 bps, 8 data bits, 1 stop bit, no parity, hardware flow control. If you are using a modem connected to the serial port, the modem must be set to: 9600 bps, 8 data bits, 1 stop bit, no parity, auto-answer (usually ATH1 in the standard Hayes command set), and DTR always on (usually a DIP switch setting). Check the modem manual for details.

4. Power on the unit, if you have not already done so. If it was already turned on, you will need to press Enter several times to make the connection. When you connect successfully, you will be prompted for the unit's password.
actionfile library
For PolicyCenter only

Show the current portfolios of adaptive response action files available for distribution from PolicyCenter to individual PacketShapers.

actionfile library [verbose]

The actionfile library command shows the names of the available portfolios only. Use actionfile library verbose to view the names of all the action files within each portfolio.
actionfile prescribe
For PolicyCenter only

Prescribe a group of adaptive response action files by portfolio name. Use the actionfile library command to determine the available action file portfolios.

actionfile prescribe <portfolio> default|none|show

<portfolio>           Name of the portfolio. A portfolio is any sub-folder of PolicyCenter/publish/action that contains a group of action files.
default|none|show     On a child configuration, the default option allows that child configuration to inherit its portfolio of action files from its parent configuration. (On a parent configuration, the default option sets the prescription to unconfigured.) Specify none if the configuration should not inherit its portfolio. The show option shows the configuration's current prescribed portfolio of action files.
actionfile subscribe
For PolicyCenter only

Configure when and how often PacketShapers assigned to a PolicyCenter configuration update their portfolio of adaptive response action files.

actionfile subscribe asap|scheduled|default

The actionfile subscribe command has the following options:

asap          PacketShapers assigned to the configuration will automatically update their action file portfolio as soon as an updated portfolio is prescribed.
scheduled     PacketShapers assigned to the configuration will wait for the actionfile sync command before downloading the prescribed portfolio of files.
default       If a child configuration is set to default, the child configuration inherits its action file subscription behavior from its parent. If a parent configuration is set to default, units assigned to the parent configuration will automatically update their action file portfolio as soon as an updated portfolio is prescribed.
actionfile sync
For units in shared mode only

Issue this command from an individual PacketShaper to immediately download the adaptive response action files prescribed for the unit's PolicyCenter configuration. This command is only required when the PolicyCenter configuration's prescription mode has been set to scheduled with the actionfile subscribe command.

Note: It is not necessary to issue this command if the prescription mode is currently in its default state, or has been set to asap with the actionfile subscribe command.

actionfile sync [<seconds>]

If you include the optional <seconds> value, the actionfile sync operation runs for the specified number of seconds.
PacketGuide for PacketWise 8.3
agent action
Delete an adaptive response action file, temporarily disable or re-enable an existing action file, or modify the value of an existing parameter. Note that this command will not create a new action file or add a new parameter to an existing action file.

agent action <name> green|red [on <filename>]|[off]|[delete]|[parm <parm-name> <parm-value>]|[resetparms]

<name>            Name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example "My Agent". If the agent name is a single word, the quotation marks are not necessary.
green|red         The action file will trigger when the green or red threshold is crossed.
[on <filename>] | [off] | [delete]
                  Specify one of the following:
                  on: Enables the action file. Specify the name of the action file you want to associate with the agent with the <filename> variable.
                  off: Disables the action file.
                  delete: Deletes the action file specification for the agent. The action file is no longer associated with the agent, but the action file is not removed from the unit or PolicyCenter server.
[parm <parm-name> <parm-value>]
                  Specify the following:
                  <parm-name>: The name of the action file parameter being modified
                  <parm-value>: The new value of the parameter
[resetparms]      Specify this operation only when action file parameters have been edited and need updating. Agents will not recognize new action file parameters unless the action file is reset with this option.
Before you can issue any other agent action commands, you must first issue the command agent action <name> green|red on <filename> to associate an action file with the agent. You may then issue any of the following commands (see the table above for an explanation of the variables):

agent action <name> green|red off
agent action <name> green|red delete
agent action <name> green|red resetparms
agent action <name> green|red parm <parm-name> <parm-value>

For example:

agent action "Packet Drops" green on actnfile.cmd
agent action "Packet Drops" green parm ClassName /outbound/Citrix

See also: Create Command Files
agent createdefaults
Recreate the default set of agents.

agent createdefaults

Note that this command will not overwrite any existing default agents that you may have customized, nor does it remove any new agents you may have created. For a list of predefined (default) agents, see Adaptive Response Overview.
agent delete
Delete an existing adaptive response agent. Scoring and status information for the agent will no longer appear in the agent pop-up window on the unit's info page or the PolicyCenter configurations page.

agent delete <name>

where <name> is the name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example, "High Bandwidth Host". If the agent name is a single word, the quotation marks are not necessary.
agent interval
Set an evaluation interval for an adaptive response agent, in minutes. An evaluation interval determines how often the agent checks the status of its target.

agent interval <name> <interval> | default

where <name> is the name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example, "High Bandwidth Host". If the agent name is a single word, the quotation marks are not necessary. Specify the interval in minutes, or enter default for the default evaluation interval. The maximum evaluation interval allowed is 99999 minutes; the minimum is 1 minute.
agent new
Create a new adaptive response agent based on one of the agent templates. Note that this command creates a new agent, but does not allow you to specify parameter values. Once you have created a new agent, issue the command agent parm to change the parameter values from their default settings. Each PacketShaper or PolicyCenter configuration can have a maximum of 32 agents. Note: Some agent templates do not allow multiple instances. If you want to create a new agent from the following templates, first delete the existing agent from that template from your unit or PolicyCenter configuration.
  High Bandwidth Host
  New Application
  High Bandwidth New App
  Memory Allocation
  Unit Limits
  System Load

agent new <name> <template>

<name>        Name you want to assign to the agent. An agent name can have up to 32 alphanumeric characters, including -, _, and . (period). If the agent name has a space, the words must be entered within quotation marks, for example, "My Agent". If the agent name is a single word, the quotation marks are not necessary.
<template>    Specify one of the following agent templates: Class ME Variables, Default Traffic, Failed Flow Ratio, High Bandwidth Host, High Bandwidth New App, Host Info Variables, Link ME Variables, Memory Allocation, New Application, NFPM Failed Flows, NFPM Side Unknown, Partition ME Variables, Partition Utilization, System Load, Traffic Performance, Unit Limits

Example:

agent new testagent "Class ME Variables"
agent new "agent two" "Class ME Variables"
agent off
Disable an existing adaptive response agent without deleting it. The agent will no longer return values or create new reports, yet it can be re-enabled at any time with the agent on command.

agent off <name>

where <name> is the name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example, "My Agent".
agent on
Enable an existing adaptive response agent that has been disabled. The agent will once again return values and create new reports.

agent on <name>

where <name> is the name of the agent to be turned on. If the agent name has a space, the words must be entered within quotation marks, for example, "My Agent".
agent override
For PolicyCenter / PacketShapers in Shared Configuration Mode

Override an adaptive response agent that a child configuration inherits from a parent configuration, so that the agent may be modified on the child configuration. Inherited agents cannot be modified until they are overridden.

agent override <name>

where <name> is the name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example, "My Agent".
agent parm
Specify the parameter values for an adaptive response agent. The agent must already have been defined with the agent new command.

agent parm <name> [<parm-name> <parm-value> | default]

<name>          Name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example, "My Agent". If the agent name is a single word, the quotation marks are not necessary.
<parm-name>     The name of the parameter or threshold to be set. Each agent is based on a template which has its own parameters. For the parameters associated with each template, see the following: Class ME Variables, Default Traffic, Failed Flow Ratio, High Bandwidth Host, High Bandwidth New App, Host Info Variables, Link ME Variables, Memory Allocation, New Application, NFPM Failed Flows, NFPM Side Unknown, Partition ME Variables, Partition Utilization, System Load, Traffic Performance, Unit Limits
<parm-value>    The value to assign to <parm-name>.
default         Enter default for the parameter's default value. For information on the acceptable and default parameter values, see the links above.

Examples:

The first example changes the ClassName parameter for the agent testagent so that the agent will now monitor the class /Inbound/Citrix.

agent parm testagent ClassName /Inbound/Citrix

If you don't specify any parameters, the agent parm command shows the current and default parameter settings for the specified agent.

agent parm "System Load"
Score Parms
  RedThreshold      95 (Default: 95)
  GreenThreshold    90 (Default: 90)
agent show
Show data for one or many adaptive response agents, including information on the agent type and category, the corresponding plug-in file, any incident report files, and the agent version number. The agent show command will show values with a timestamp based upon the end of the evaluation interval. This is different from the measure dump command, which shows values with a timestamp that reflects the beginning of the time interval.

agent show [name <name> | templates | result <score-result> | feedback [<unitSN> <name>]]

name <name>               Name of the agent. If the agent name has a space, the words must be entered within quotation marks, for example "My Agent". If the agent name is a single word, the quotation marks are not necessary.
templates                 Show a list of available adaptive response agent templates.
result <score-result>     If the agent is unable to measure its target, the output of the agent show name "<name>" command will display an additional Result category of data showing an explanation of the error and the error code. You can determine the meaning of an error code by issuing the command agent show result <score-result>. See the example below.
feedback [<unitSN> <name>]
                          Used with the agent show feedback command, the <unitSN> parameter is the serial number of the unit for which you want to view agent data and feedback. This parameter is optional; if you do not specify a unit, the agent show feedback command will show data for all agents (and when issued from PolicyCenter, all agents for all configurations). The <name> parameter is the name of the agent. If no data exists for a new agent, or there is no agent with the specified name, this command will return the output No feedback available.
Examples: The agent show command displays agent information for an individual PacketShaper, or when issued from the PolicyCenter client, agent information for the configuration you are editing. This information includes data on whether or not the agent has been enabled, the name of the agent, and the last score information. For PolicyCenter configurations, an I to the left of the agent name indicates that the configuration has inherited that agent from a parent configuration. An O to the left of the agent name indicates that the configuration has a local override of an agent that supersedes the agent it inherits from its parent. An exclamation point (!) beside the agent name indicates a configuration error. Last Score Information includes the latest value measured by the agent, its status color, and the time and date of the measurement.
Agent Name                     Status  Last Score Information
------------------------------------------------------------------------------
Class ME Variables agent       On      0 Yellow Wed Jan 12 02:03:00 2005 PST
High Bandwidth New App         On      New score value in 51m 13s.
Inbound Default Traffic        On      1 Green  Wed Jan 12 02:03:00 2005 PST
Outbound Default Traffic       On      0 Green  Wed Jan 12 02:03:00 2005 PST
Partition Utilization agent    On      0 Green  Wed Jan 12 02:03:00 2005 PST
Spoofing - Client              On      0 Green  Wed Jan 12 02:03:00 2005 PST
Spoofing - Server              On      0 Green  Wed Jan 12 02:03:00 2005 PST
Syn Attack - Failed Flows      On      0 Green  Wed Jan 12 02:03:00 2005 PST
Traffic Performance agent      On      1 Red    Wed Jan 12 02:03:00 2005 PST
*NT = No template found for agent.
*NF = Either an action or incident file not found.

agent show templates

PacketShaper# agent show templates
                           PlugIn  Incident      Ver
Template Name              File    Report File   Num  Category
------------------------------------------------------------------------------
Quota Bandwidth Host               hostquot.cmd  1.0  Hosts
Host Info Variables                hostvar.cmd   1.0  Hosts
Failed Flow Ratio                  ffratio.cmd   1.0  Hosts
NFPM Failed Flow                   syn.cmd       1.0  Hosts
NFPM Side Unknown                  spoof.cmd     1.0  Hosts
Link ME Variables                  melink.cmd    1.0  User Event Emulation
Partition ME Variables             meptn.cmd     1.0  User Event Emulation
Class ME Variables                 meclass.cmd   1.0  User Event Emulation
High Bandwidth New App             susapp.cmd    2.0  Application Health
New Application                    newapp.cmd    1.0  Application Health
Default Traffic                    dflttraf.cmd  2.0  Application Health
High Bandwidth Host                sushost.cmd   3.0  Hosts
Traffic Performance                trafperf.cmd  2.0  Network Health
Partition Utilization              ptnutl.cmd    3.0  Network Health
Memory Allocation                  sysmem.cmd    1.0  Unit Health
System Load                        sysload.cmd   1.0  Unit Health
Unit Limits                        syslimit.cmd  1.0  Unit Health
Notes:

The PlugIn File column displays a dash (-) unless the agent's template was loaded from an adaptive response plug-in file. For more information about plug-ins, see Download Plug-Ins.

The incident report files described in the above output are the files used by each agent to create incident reports. Incident report files are different from action files, as they are used only to generate drilldown incident reports. Do not edit or modify incident report files in any way. Any modification to an agent's incident report file could stop new reports from being generated for that agent.
agent show name "inbound default traffic"

Agent Name
Status
Template Info        Default Traffic 2.0 Application Health
                     This agent monitors the rate (avg-bps) of the default traffic class. This agent can alert you when the amount of traffic not classified (falling into 'default') is too great. This agent must be used with a 'default' (i.e., /Inbound/Default) traffic class.
                     Threshold Units: % of bandwidth on the partition
                     Action File Variables: $class-id, $avg-bps
Plugin File
Incident File        9.258/agent/cmd/dflttraf.cmd
MultiInstance        Allowed
Interval             1 minute(s)
Score Parms
  RedThreshold
  GreenThreshold
  ClassName
Color Mappings
  Green
  Red
Last Score Status
  Value              1
  Color              Green
  Start time         Wed Jan 12 02:05:00 2005 PST
  Finish time        Wed Jan 12 02:06:00 2005 PST
If the agent in the example above had a status color of blue, the Last Score Status category would display additional Result information with an explanation of the error and an error code. The example below shows the Last Score Status displaying this additional Result output.

Last Score Status
  Value              0
  Color              Blue
  Result             Agent score parm not found. (scoreresult: 4569)   <--------
  Start time         Mon Jun 19 08:19:00 2005 PST
  Finish time        Mon Jun 19 08:20:00 2005 PST
New score value in 45s.

You can determine the meaning of a Result error code with the agent show result <score-result> command. The following example displays information for error code 4569.

agent show result 4569
Agent score parm not found.

This next example shows the resultant output when the command agent show feedback is issued for a PolicyCenter configuration. (If this command was issued for a unit configuration, it would show only the agents on that individual unit.) The Feedback Information includes the latest value measured by the agent, its status color, and the time and date of the measurement.

agent show feedback
Unit           Agent Name     Feedback Information
065-10000193   ClassMeVar     1 Green   Mon Jul 19 22:33:01 2005 LST
065-10000193   Hosts          1 Green   Mon Jul 19 22:38:01 2005 LST
065-10000179   ClassMeVar     2 Yellow  Mon Jul 19 22:33:01 2005 LST
065-10000179   Hosts          7 Yellow  Mon Jul 19 22:38:01 2005 LST
065-10000238   PacketDrops    0 Green   Mon Jul 19 23:00:06 2005 LST
065-10000238   Hosts          1 Green   Mon Jul 19 23:00:06 2005 LST

Issue the agent show feedback command with the <unitSN> and <name> parameters to display data for one agent on a single unit.

agent show feedback 025-10000210 "FTP Partition Over Limit"
18073 Red User Event Emulation
Fri Oct 15 08:56:02 2005 PDT   Fri Oct 15 09:56:02 2005 PDT

Incident Report Feedback:
  File Output    9.258/agent/cmd/complete/155646.htm
  Result         Success.
  Finish Time    Fri Oct 15 09:56:02 2005 PDT
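A parser for the tabular agent show output shown in the examples above, with a triage step that picks out the agents an operator should act on (Red thresholds, Blue "cannot measure" scores with their scoreresult code, and the ! configuration-error marker). This is an added Python example, not PacketWise code: the sample output is constructed in the layout the guide shows, and the assumption that the I / O / ! marker occupies its own leading column is the author's, not the guide's.

```python
"""Parse `agent show` output and flag agents needing attention.

Added example, not PacketWise code. SAMPLE is constructed in the layout
the guide shows; the leading I / O / ! marker column is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE = """\
Agent Name                     Status  Last Score Information
------------------------------------------------------------------------------
Class ME Variables agent       On      0 Yellow Wed Jan 12 02:03:00 2005 PST
High Bandwidth New App         On      New score value in 51m 13s.
Inbound Default Traffic        On      1 Green Wed Jan 12 02:03:00 2005 PST
I Outbound Default Traffic     On      0 Green Wed Jan 12 02:03:00 2005 PST
O Partition Utilization agent  Off     0 Green Wed Jan 12 02:03:00 2005 PST
! Spoofing - Client            On      0 Blue Wed Jan 12 02:03:00 2005 PST
Traffic Performance agent      On      1 Red Wed Jan 12 02:03:00 2005 PST
*NT = No template found for agent.
*NF = Either an action or incident file not found.
"""

# One table row: optional marker, agent name, On/Off, then the score info.
ROW = re.compile(
    r"^(?:(?P<flag>[IO!])\s+)?(?P<name>.+?)\s+(?P<status>On|Off)\s+(?P<info>.*)$")
# Score info once a score exists: "<value> <color> <timestamp>".
SCORE = re.compile(
    r"^(?P<value>\d+)\s+(?P<color>Green|Yellow|Red|Blue)\s+(?P<when>.*)$")
# Blue Result line from `agent show name`, e.g.
# "0 Blue Agent score parm not found. (scoreresult: 4569)".
RESULT = re.compile(
    r"^(?:\d+\s+Blue\s+)?(?P<text>.*?)\s*\(scoreresult:\s*(?P<code>\d+)\)")


@dataclass
class AgentRow:
    name: str
    enabled: bool
    flag: Optional[str]    # 'I' inherited, 'O' local override, '!' config error
    value: Optional[int]   # None until the first score is available
    color: Optional[str]
    when: str              # timestamp, or the "New score value in ..." note


def parse_agent_show(text: str) -> List[AgentRow]:
    """Turn the `agent show` table into records, skipping header and legend."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Agent Name", "---", "*N")):
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError("unrecognised agent show line: %r" % line)
        s = SCORE.match(m.group("info"))
        rows.append(AgentRow(
            name=m.group("name"),
            enabled=m.group("status") == "On",
            flag=m.group("flag"),
            value=int(s.group("value")) if s else None,
            color=s.group("color") if s else None,
            when=s.group("when") if s else m.group("info"),
        ))
    return rows


def parse_score_result(detail_line: str) -> Optional[Tuple[str, int]]:
    """Extract the error text and scoreresult code from a Blue Result line;
    the code is what `agent show result <score-result>` explains."""
    m = RESULT.match(detail_line.strip())
    return (m.group("text").strip(), int(m.group("code"))) if m else None


def needs_attention(rows: List[AgentRow]) -> List[Tuple[str, str]]:
    """Agents worth an operator's attention, in the order they were listed."""
    findings = []
    for r in rows:
        if r.flag == "!":
            findings.append((r.name, "configuration error"))
        if r.color == "Red":
            findings.append((r.name, "red threshold crossed (score %d, %s)"
                             % (r.value, r.when)))
        elif r.color == "Blue":
            findings.append((r.name, "agent cannot measure its target; "
                             "check agent show name for the scoreresult code"))
    return findings
```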
arp
Display and update the Address Resolution Protocol (ARP) table. The ARP table usually does not require user intervention, because it is built automatically by the ARP protocol. If you are reconfiguring or troubleshooting a network problem, you may want to manipulate the table using the arp command.

arp show|test|add|drop|flush|privadd

show          Display the ARP table.
test          Look up the specified IP address or host name in the ARP table. When using LEMs, make sure to specify the <device> name or number:

              #   Name
              0   inside
              1   outside
              2   lower_inside or left_inside
              3   lower_outside or left_outside
              4   upper_inside or right_inside
              5   upper_outside or right_outside
              7   management

              Note: The device numbers vary according to the number of LEMs installed. If two LEMs are installed, the above numbers are correct. If only one LEM is installed (regardless of whether it's installed in the upper/right or lower/left position), the LEM interfaces will be assigned device numbers 2 and 3. If no LEMs are installed, the management port's device number is 3.

add <ipaddress>|<hostname>
              Add the MAC address entry for the specified IP address.
drop <ipaddress>
              Drop the specified IP address entry from the ARP table.
flush         Flush the ARP table.
privadd       Add a static ARP entry. This command will add and correlate the specified MAC address to the IP address without trying to resolve it. This will be a permanent entry in the ARP table and will be deleted only when the PacketShaper is reset. It can also be deleted manually using the arp drop command.

Only the show option can be executed in look mode. All other arp options require touch access.
atm add
Add a router. The atm add command enables automatic configuration of routers used in an ATM (Asynchronous Transfer Mode) network. Note that the ATM feature requires Cisco routers using IOS version 12.0 or later. For a list of additional ATM prerequisites, see ATM Overview.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

atm add <address> <community>

<address> is the IP address or DNS name of the router. <community> is the SNMP community string of the router.

To verify that PacketWise was able to detect the IP routes, use the atm routing command. To see the ATM configuration, including the partitions that were created for each virtual circuit, use the atm show command.

See also: atm options, atm override
atm community
Set a new SNMP community string on the PacketShaper. If the SNMP community read string on your local router has changed from what it was when you configured the ATM feature, you can use the atm community command to set the new string on the unit.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

atm community <router> <community>

<router> is the system name or IP address of the router. <community> is the SNMP community string of the PacketShaper.

In the interval of time before the unit has the new string, you will see that the atm show output no longer shows router or virtual circuit (VC) information. In addition, the partition show output will no longer show the min/max VC partition sizes you might have previously set with the atm override command. However, the entire class tree will remain intact. The ATM routing table will be blank.

After you use this command, the unit will be able to use this new string and communicate successfully with the router on the next configuration update (which happens every five minutes; or you can force it by resetting the box). The atm show command will once again show the router and VC class/partition info, including the CIR/EIR values you might have originally set using the atm override command. The partition show command will show these CIR/EIR values as the min/max of the VC partitions, and the routing table will be populated once more.
atm delete
Delete a router from the ATM configuration.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

atm delete <router>

<router> is the IP address or DNS name used when the router entry was created, or the Sysname (local system name) of the router. This command also deletes all traffic classes and partitions created to match the router traffic.
The atm show command indicates whether a manual mapping is required (this information appears at the bottom of the output) and provides you with the subinterface number. For example:

These routes require a manual mapping:
SubIf = 281, VPI = 1, VCI = 604

The command to map subinterface 281 to interface 1 on router1 would be:

atm map add router1 1 281

See also: atm map delete
atm options
Enable and disable the ATM routing and discovery options for an existing router, or set the default for all new routers created by subsequent atm add commands.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

atm options routing|discovery on|off default|<router>

By default, both routing and discovery are enabled.

routing       Automatically fetch the IP routing tables for this device via SNMP and use them in the virtual circuit (VC) traffic class matching rules; also, create an internal routing table in the PacketShaper.
discovery     Activate traffic discovery for all VC classes created for this router.
<router>      The IP address or DNS name used when the router entry was created, or the Sysname (local system name) of the router.
atm override
Set Committed Information Rate (CIR) and Excess Information Rate (EIR) values for virtual circuit (VC) partitions.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

atm override <router> <interface-number> <vpi> <vci> off|[<cir> <eir>]

Note: After updating the CIR/EIR values with this command, reset the unit so that the new values will take effect.

where:

<router>              The SysName of your router (use atm show to get this name).
<interface-number>    The identifier of the serial interface on your router associated with the given VC (use atm show to get this number, shown in parentheses in the command output).
<vpi>                 The Virtual Path Identifier (VPI) of the given VC; VPI is a field in the ATM cell header that identifies the virtual path on which the data will travel from the transmitting device to the target device. The virtual path contains a bundle of virtual channels.
<vci>                 The Virtual Channel Identifier (VCI) of the VC; VCI is a field in the ATM cell header that identifies the virtual circuit on which a single stream of cells will travel from the transmitting device to the target device. The virtual channel is contained within a virtual path.
off                   Disables previously set CIR/EIR override values.
<cir> <eir>           <eir> corresponds to the Peak Cell Rate (PCR). Use atm show to check the CIR and EIR values.
<vci>
The atm routing table will show the association of each BGP route with the correct VC class after the next configuration update (which happens every 15 minutes) or after the next software reset, whichever comes first.
atm routing
Display routing tables that PacketWise has constructed based on routing information from the router via SNMP polling. The router must have a dynamic routing protocol enabled, and must have the routing option enabled on the PacketShaper.

atm routing [<router>]

If you specify a <router>, the output shows the IP routing tables associated with the specified router name or IP address. If you don't specify a <router>, the output displays the tables for all routers. The output displays the subnets, the routing ID number used in the matching rule for the virtual circuit (VC) class, and the full pathname of the VC class. Dynamic and static routes are listed in separate tables. Routing ID numbers are chosen automatically by PacketWise, and are used to link a destination address with the VC class to which it belongs. This command gives the same output as the atm route show command.
atm show
Display ATM information.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

atm show [<router>]

Specify a <router> by IP address or DNS name; or omit the parameter to display all configured routers.

Example:

atm show 10.12.27.2
Router Address:      10.12.27.2
SysName:             router1
Traffic Discovery:   on
Auto Routing:        on

Interface      Act VPI VCI  CIR    EIR  Partitions
Name(Number)
--------------------------------------------------------------------------
Se1/0/0(2)      +   1   604  45.0M  0    /Inbound/router1-Se1_0_0/PVC_1_604
                                         /Outbound/router1-Se1_0_0/PVC_1_604
AT0/0(1)        +   1   604  45.0M  0    /Inbound/router1-AT0_0/PVC_1_604
                                         /Outbound/router1-AT0_0/PVC_1_604
AT0/0(1)        +   1   275  45.0M  0    /Inbound/router1-AT0_0/PVC_1_275
                                         /Outbound/router1-AT0_0/PVC_1_275
AT0/0(1)        +   1   245  45.0M  0    /Inbound/router1-AT0_0/PVC_1_245
                                         /Outbound/router1-AT0_0/PVC_1_245
AT0/0(1)        +   1   225  45.0M  0    /Inbound/router1-AT0_0/PVC_1_225
                                         /Outbound/router1-AT0_0/PVC_1_225

These routes have been configured manually:
  Interface = 1, SubIf = 281, VPI = 1, VCI = 604

The output shows each of the router's interface names and hardware port numbers, status ('+' in the Act column indicates active; '-' indicates inactive), the VPI (Virtual Path Identifier), the VCI (Virtual Channel Identifier), the CIR and EIR values for the virtual circuit, and the partition names. The partition name is a combination of the router SysName, the interface name and number, and the VPI and VCI values. The bottom of the output may indicate that a route requires a manual mapping or that routes have been configured manually (as the above example shows). See atm map add for more information about mapping.
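The atm override parameters (router SysName, the interface number shown in parentheses, VPI and VCI) are all read off atm show, so a small parser of that output lets a script locate the VC and compose the override from the unit's own data instead of retyping identifiers. The following Python is an added example, not part of the PacketGuide or of PacketWise: it parses output laid out like the constructed sample embedded in it (the column alignment of that sample is this example's assumption), checks that every VC carries both an /Inbound and an /Outbound partition, and builds the atm override command for one VC.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of "atm show <router>" output, laid out like the example
# above; the exact column alignment is an assumption of this example.
SAMPLE_ATM_SHOW = """\
Router Address:      10.12.27.2
SysName:             router1
Traffic Discovery:   on
Auto Routing:        on

Interface      Act VPI VCI  CIR    EIR  Partitions
Name(Number)
--------------------------------------------------------------------------
Se1/0/0(2)      +   1   604  45.0M  0    /Inbound/router1-Se1_0_0/PVC_1_604
                                         /Outbound/router1-Se1_0_0/PVC_1_604
AT0/0(1)        +   1   604  45.0M  0    /Inbound/router1-AT0_0/PVC_1_604
                                         /Outbound/router1-AT0_0/PVC_1_604
AT0/0(1)        +   1   275  45.0M  0    /Inbound/router1-AT0_0/PVC_1_275
                                         /Outbound/router1-AT0_0/PVC_1_275

These routes have been configured manually:
  Interface = 1, SubIf = 281, VPI = 1, VCI = 604
"""


@dataclass
class VirtualCircuit:
    interface: str                 # interface name, e.g. Se1/0/0
    number: int                    # hardware port number shown in parentheses
    active: bool                   # '+' in the Act column
    vpi: int
    vci: int
    cir: str                       # kept as shown (e.g. 45.0M); no unit parsing
    eir: str
    partitions: List[str] = field(default_factory=list)


HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>\S+)\s*$")
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\((?P<num>\d+)\)\s+(?P<act>[+-])\s+(?P<vpi>\d+)\s+(?P<vci>\d+)"
    r"\s+(?P<cir>\S+)\s+(?P<eir>\S+)\s+(?P<part>/\S+)\s*$"
)
CONT_RE = re.compile(r"^\s+(?P<part>/\S+)\s*$")   # second partition name of a row


def parse_atm_show(text: str) -> Tuple[Dict[str, str], List[VirtualCircuit]]:
    """Split atm show output into the router header fields and one record per VC."""
    header: Dict[str, str] = {}
    vcs: List[VirtualCircuit] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and not vcs:
            header[m.group("key").strip()] = m.group("value")
            continue
        m = ROW_RE.match(line)
        if m:
            vcs.append(VirtualCircuit(
                m.group("iface"), int(m.group("num")), m.group("act") == "+",
                int(m.group("vpi")), int(m.group("vci")),
                m.group("cir"), m.group("eir"), [m.group("part")]))
            continue
        m = CONT_RE.match(line)
        if m and vcs:
            vcs[-1].partitions.append(m.group("part"))
    return header, vcs


def one_sided_vcs(vcs: List[VirtualCircuit]) -> List[VirtualCircuit]:
    """VCs that do not have both an /Inbound and an /Outbound partition."""
    return [vc for vc in vcs
            if not ({p.split("/")[1] for p in vc.partitions} >= {"Inbound", "Outbound"})]


def build_override(header: Dict[str, str], vcs: List[VirtualCircuit],
                   number: int, vpi: int, vci: int, cir: str, eir: str) -> str:
    """Compose the atm override command for one VC, taking the SysName from the
    atm show header and refusing to target a VC that is not in the output."""
    for vc in vcs:
        if (vc.number, vc.vpi, vc.vci) == (number, vpi, vci):
            return f"atm override {header['SysName']} {number} {vpi} {vci} {cir} {eir}"
    raise LookupError(f"no VC with interface {number} VPI {vpi} VCI {vci} in atm show output")


if __name__ == "__main__":
    hdr, circuits = parse_atm_show(SAMPLE_ATM_SHOW)
    for vc in circuits:
        print(vc.interface, vc.number, vc.vpi, vc.vci, vc.cir, vc.eir, vc.partitions)
    print("one-sided:", [vc.vci for vc in one_sided_vcs(circuits)])
    print(build_override(hdr, circuits, 1, 1, 275, "40M", "45M"))
```

The CIR and EIR strings are passed through untouched because the reference gives no unit syntax beyond the 45.0M shown; a script that feeds real values to the unit should take them from a reviewed change record and, as the note above says, plan for the reset that makes them effective.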
<username>
The output columns are ID, Stat, Age, Idle, Limit, Type, Access, and User Name. Example output (Access and User Name columns):

Access   User Name
look     pbosten
look     lrose
touch    (admin)

Column      Description
ID          Identification given to the user session
Stat        The status of the session:
            logged in    the user has logged in
            logged out   the user has logged out
Age         Length of time the session has been active, that is, the amount of time since the user logged in
Idle        Amount of time since the user gave a command; whenever a user gives a command, the idle value is reset to zero
Limit       Amount of time a session is idle before the user will be timed out and logged off; for example, if the limit is 60 minutes, a user will get logged off when no commands are given for a 60-minute period.
Type        Type of interface used: CLI (command-line interface) or WUI (web user interface)
Access      User's role for accessing PolicyCenter: Look or Touch
User Name   Name of the user who logged into the session
<organization> <role>    only view these settings in PolicyCenter, but cannot modify them or access the individual units.
<firstname> <lastname>   New first and last names for the user. Names cannot have spaces; compound names will require a dash or underscore character (e.g., Ann-Marie or Van_Patten).
<password>               Specify a login password for the user. A password can be up to 19 characters long and include all printable characters, including spaces, periods, underscores, and dashes.
For example:

authentication user enable jsmith
authentication user enable all org_2 look

Though this command will enable individual users or all users with a specific role, if the organization itself is disabled, these users will still be unable to access PolicyCenter.

See also: authentication organization enable
To add a new user to an organization, use the command authentication user new
To change a user's first and last names in their user record, use the command authentication user name.
authentication user show exampleuser
login name:    exampleuser (Joe Smith)
Login time:    2006-03-13 12:30:56 Pacific Standard Time
Logout time:   2006-07-18 18:06:17 Pacific Daylight Time
Organization:  Retailer2
Role:          Touch
banner show
Note: The banner show command replaces the sys banner command, available in previous PacketWise versions.

Display the messages (such as "Packet shaping: off") that are initially shown after logging into PacketWise. You can use the banner show command to display all of the unit's configuration errors, warning messages, and notices. (This same information is displayed in the Info tab of the browser interface.)

banner show [verbose]

The verbose option displays additional information, such as the date and time and the type of message (notice, warn, etc.). For example:

banner show
Packet shaping: off.
Power supply 1 FAILED.
INSIDE interface down
cat
Display the contents of a file. cat <filename>
cd
Change your current directory. cd <dir> For example, type cd 9.258/ to change to the unit's hard drive.
class capture-ids
Create a text file that contains a list of all well-known class identification values. This command is useful when using SNMP, where the class ID is the index into tables of real-time class and partition data. For example, the well-known ID for /Inbound is 1 and the ID for /Outbound is 2.

class capture-ids

The file that this command creates is named classids.txt and is located on the unit's flash disk, in the LOG directory (9.256/log). If you use the cat or more command to view the contents of this file, a list appears with the class ID next to each class name. This list includes all classes that can be auto-discovered, not just the ones currently in the traffic tree. Part of the ID list appears below.

1 /Inbound
2 /Outbound
3 /Inbound/Inside
4 /Inbound/Outside
5 /Inbound/Default
6 /Inbound/Global
7 /Inbound/Global/IP
8 /Inbound/Global/TCP
9 /Inbound/Global/UDP
10 /Inbound/Global/Miscellaneous
11 /Inbound/Global/DECnet
12 /Inbound/Localhost
13 /Inbound/SameSide
15 /Inbound/OutsideVPNTunnel
50 /Outbound/Inside
51 /Outbound/Outside
52 /Outbound/Default
53 /Outbound/Global
54 /Outbound/Global/IP
55 /Outbound/Global/TCP
class category
Assign a traffic class to a host accounting category. (See host accounting categories for details on creating the categories.) Once you have assigned a class to a category, the bytes sent and received for the class will get tallied into the assigned category for both the source and destination hosts.

Note: This command is not available on the PacketShaper 1200 or 1400 Lite models.

class category <tclass> none|<category-name>

You can assign multiple classes to each category, if you like. The <tclass> must be a leaf class; that is, you cannot assign a category to a class that has any child classes.

Note: You cannot create a child class after the parent has been assigned to a host accounting category.

To remove a traffic class from a host accounting category, use:

class category <tclass> none
class compress on
Applicable to legacy compression tunnels only; the equivalent command for enhanced tunnels is tunnel class set algorithm.

Turn on compression for all services in an Outbound class. This command allows you to experiment with compression on a class basis and can be used for fine-tuning.

class compress <tclass> on [default|override <compressionType> [<dictionaryId>]|nondefault <compressionType> [<dictionaryId>]]

default      Uses the predefined compression type for the service(s) in the class. If you used the override parameter to select a different compression type, you can use default to return to the default (predefined) type. Or, if you used the nondefault parameter to turn on compression for services that aren't normally compressed, use default to return to the default settings. Note: Typing the default parameter is optional. (In other words, typing class compress <tclass> on and class compress <tclass> on default does the same thing.)
override     Changes the compression type to be applied to all traffic flows in the class.
nondefault   Specifies the compression type to be applied to any services in the class that don't have a predefined type. If the class contains any services that have a predefined compression type, this command will not override their predefined type. Note: Packeteer has tried to optimize the default compression settings of each service for high compression gains and low latency. Assigning a compression method to a previously uncompressed service may affect computational resources and latency as well as compression efficiency.

The <compressionType> can be any compression dictionary supported by the unit; the supported types will vary according to the model and amount of memory in the unit. To see a list of compression types, look at the setup compression show types command output. A dictionary will be created when a new compression type is used; any classes that subsequently specify this same compression type will share this group dictionary.

With the optional <dictionaryId> parameter, you can assign an ID (1-128) to a particular class. By doing so, a dictionary will be created specifically for this class to use. By giving a class its own dictionary, you can potentially improve compression results. However, these additional dictionaries consume extra compression memory, so be sure to assign IDs only to your most critical and/or active classes. If you have classes with data patterns similar to a class that has its own dictionary, you may want to share the dictionary with these other classes; you can do this by assigning the similar classes the same <dictionaryId> and <compressionType>. If a class has a dictionary ID, it is indicated in the class show <tclass> output.

Note: Xpress will not allow you to change the compression type or assign a dictionary ID to a class when compression is enabled. Therefore, before changing the compression type or assigning a dictionary ID, you must turn compression off.

Examples

In this first example, suppose the outbound/georgia class has a predefined compression type of cna-1M and you want to override this type with zlib-L9. Use this command:

class compress outbound/georgia on override zlib-L9

Or, in the next example, suppose the outbound/idaho class contains services that don't have a predefined compression type and you want to see if the cna-4M type has any effect on compression results. Use this command:

class compress outbound/georgia on nondefault cna-4M

If you want the outbound/georgia class to have its own dictionary, you can assign it a dictionary ID. In the following example, the ID is 1:

class compress outbound/georgia on override zlib-L9 1
class copy
Copy a traffic class and its children to another parent in the traffic tree. class copy <tclass> <new_parent> [children] Specify the explicit path and class name for the traffic class to be copied and the receiving parent traffic class. For example: class copy /inbound/HTTP/Gifs /inbound/HTTP/Graphics Note: Any defined top talkers, top listeners or RTM settings are not copied with a traffic class.
class criteria
Certain services, such as Citrix and Oracle, can be further classified by application-specific criteria. For example, you can create a traffic class for a specific Citrix application or an Oracle database. You can use the class criteria commands to display the attributes that can be specified in a matching rule for these applications and to discover the values that can be specified for the attributes.

class criteria attributes|recent|track

attributes   Display the available application-specific criteria
recent       Show recently tracked criteria values for a class
track        Enable or disable criteria tracking for a class

The application-specific criteria format in a matching rule is:

<application>:<attribute>:<value>

where <application> and <attribute> are as described in the table below, and <value> is specific to your configuration and classification requirements. This table shows available applications, attributes, and sample values.

Application   Service Type     Attribute     Example of Value
Citrix        Citrix-ICA       application   PeopleSoft
                               client        pat-pc
                               priority      0
DCOM          DCOM             UUID          1cbcad78-df0b-4934-b558-87839ea501c9
DICOM         DICOM            server        DICOM_STORAGE
                               client        DICOM_ECHO
FTP           FTP-Data-Clear   FileName      *.mp3
Web           HTTP
              HTTP-Tunnel
ICMP          ICMP
NNTP          NNTP-Clear
Oracle        Oracle-netv2     dbname        corp
PostgreSQL    PostgreSQL       dbname        corp
RTCP          RTCP-I           encoding      GSM
                               media         v
                               clock         8000
RTP           RTP-I            encoding      dynamic, GSM
                               media         v
                               clock         8000
                               to            +12125551212@server.phone2net.com
                               from          agb@bell-telephone.com
                               user-agent    Motorola VT1000, A*
                               source        207.78.98.18
                               destination   207.78.98.18
SMTP          SMTP-Clear
SOAP          SOAP-HTTP
SSL           SSL
WAP           WAP

Notes:

• For SIP attributes, you can enter a substring of the attribute. For example, to match all Motorola models, you can enter Motorola for the user-agent criteria. The asterisk (*) wildcard is supported for user-agent.

Note: In order to add an application-specific matching rule to a class, the class' service type must be the one indicated in the Service Type column above. For example, to classify by Oracle database name, the class must be based on the Oracle-netv2 service.

You can use the class criteria commands to identify the specific values to use in application-specific matching rules. First, you use class criteria attributes to get a list of applications and attributes that can be used in matching rules. Next, you use class criteria track to enable tracking on a specific class. Then, you use class criteria recent to see a list of recent values for the class; the output will provide you with the information you need to create an application-specific matching rule.

Command Change History

Release   Modification
          UUID attribute for DCOM added.
8.2.0     dynamic encoding attribute for RTP added (for classification of dynamic codec numbers). Wildcard (*) support added for RTP-I user-agent attribute.
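To catch the two mistakes the note above describes before a matching rule is committed (an attribute the application does not have, or a class whose service type is not the one required for that application), the table can be encoded and checked in a script. The Python below is an added example, not code from the PacketGuide or from PacketWise; the CRITERIA table reproduces only the rows above whose attributes are listed, the case-insensitive comparison and the substring-plus-wildcard model of SIP user-agent matching are this example's assumptions, and the inputs are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Required service type and attributes per application, copied from the class
# criteria table above. Applications whose attributes the table does not list
# (Web, ICMP, NNTP, SMTP, SOAP, SSL, WAP) are left out on purpose.
CRITERIA: Dict[str, Tuple[str, Set[str]]] = {
    "citrix":     ("Citrix-ICA",     {"application", "client", "priority"}),
    "dcom":       ("DCOM",           {"uuid"}),
    "dicom":      ("DICOM",          {"server", "client"}),
    "ftp":        ("FTP-Data-Clear", {"filename"}),
    "oracle":     ("Oracle-netv2",   {"dbname"}),
    "postgresql": ("PostgreSQL",     {"dbname"}),
    "rtcp":       ("RTCP-I",         {"encoding", "media", "clock"}),
    "rtp":        ("RTP-I",          {"encoding", "media", "clock", "to", "from",
                                      "user-agent", "source", "destination"}),
}


def check_criteria_rule(class_service: str, criterion: str) -> List[str]:
    """Problems with an <application>:<attribute>:<value> criterion for a class
    whose service type is class_service. Returns [] when the criterion is well
    formed, the attribute exists and the class is based on the required service.
    Comparison is case-insensitive (an assumption of this example)."""
    parts = criterion.split(":", 2)          # the value itself may contain ':'
    if len(parts) != 3 or not all(parts):
        return ["bad-format"]
    application, attribute, _value = parts
    entry = CRITERIA.get(application.lower())
    if entry is None:
        return ["application-not-in-table"]
    service_type, attributes = entry
    problems: List[str] = []
    if attribute.lower() not in attributes:
        problems.append("unknown-attribute")
    if class_service.lower() != service_type.lower():
        problems.append("service-mismatch")
    return problems


def review_class_rules(class_service: str, criteria: List[str]) -> Dict[str, List[str]]:
    """Check every criterion a class is about to get; maps each bad one to its problems."""
    result: Dict[str, List[str]] = {}
    for criterion in criteria:
        problems = check_criteria_rule(class_service, criterion)
        if problems:
            result[criterion] = problems
    return result


def sip_attribute_matches(pattern: str, observed: str) -> bool:
    """Model of the SIP note above: a value is matched by any substring of it,
    and '*' stands for any run of characters. How PacketWise anchors the
    wildcard is not stated on the page, so this is the example's assumption."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.search(regex, observed) is not None


if __name__ == "__main__":
    print(review_class_rules("RTP-I", ["rtp:user-agent:Motorola", "rtcp:clock:8000"]))
    print(sip_attribute_matches("Motorola", "Motorola VT1000"))
```

Run review_class_rules over the criteria of a planned class before issuing class rule add; an empty result means the rule set is consistent with the table, and a "service-mismatch" entry is the case the note above warns about, where the rule would be rejected or never match because the class is based on the wrong service.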
class delete
Remove a class from the traffic tree.

class delete <tclass> [children]

<tclass>     The name of the traffic class to delete. The class' explicit hierarchical path must be supplied only if the class name itself is not unique.
[children]   Specify to delete all of the class' child classes; this parameter is required in order to delete a class that has children.

If you delete a class that was created by traffic discovery and you have traffic discovery turned on, the class is likely to appear again in your traffic class tree.

Note: Do not use the class delete command to remove virtual circuit classes. Instead, use the frame delete or atm delete command.
class discover
Enable or disable traffic discovery within a specific class. For class discovery to take effect, traffic discovery must be enabled at a global level using the setup discover command.

class discover <tclass> [inside|outside|both|off]

<tclass>                    The name of the traffic class within which you are enabling or disabling traffic discovery. The class' explicit hierarchical path must be supplied only if the class name itself is not unique.
[inside|outside|both|off]   Specify the location of the server for which you want traffic to be discovered, or off to turn off discovery for this class. If you don't specify one of these options, the action defaults to turning on traffic discovery, effectively using the both setting.
class hosts
Displays a list of all host references in matching rules and host lists. A host may be listed as an IP address, a DNS name, or an LDAP DN (Lightweight Directory Access Protocol domain name) for a host list entry. If more than one matching rule contains the same host reference, the host is shown only once.

class hosts
Host reference     IP address
127.0.0.3          127.0.0.3
DNS name
www.lycos.com      206.79.171.51...
www.excite.com     198.3.98.99

If a DNS name resolves to more than one address, the first address is listed followed by an ellipsis (...). To list the additional addresses, use the dns lookup command. If there is a problem resolving a DNS name, the third column shows the DNS error message.
class id
Change or view a traffic class identification number. The numeric ID of a class is used for Simple Network Management Protocol (SNMP) and the measurement engine. It must be unique and does not change when the class is renamed.

class id <tclass> [<number>]

<tclass>     The name of the traffic class whose ID you are changing. The class' explicit hierarchical path must be supplied only if the class name itself is not unique.
[<number>]   The new unique number for the traffic class.

Note: Class IDs should be changed in special circumstances only, for example when you want class IDs to be the same across multiple PacketShapers. Changing class IDs can lead to erroneous reporting of data if you choose an ID value that was previously used by another class.

To see the current ID for a traffic class, type class id <tclass>. To see the ID for all services, use the class services id command.
class licenses
Limit the number of TCP flows allowed simultaneously in the given class, where the number of flows admitted to a class is based on a fixed number instead of the available bandwidth. class licenses <tclass> off|<number> where <number> is the maximum number of TCP flows to admit. After <number> flows are active on the specified traffic class, new flows are given the admission control treatment defined by policy admit. Specify the off option to remove the limit on the number of flows. After you have limited the flows with the class licenses command, you can use the traffic licenses command to see the number of flows currently in use.
class load
Load a new traffic configuration file. This command will load the traffic tree and everything related to the classes in the tree, such as policies and partitions. This feature can be used to share configurations with other units. You can FTP a saved configuration to the flash disk root (9.256/) of another PacketShaper unit and then activate it with the class load command.

Note: Issuing the class load command will revert a unit in shared mode back to local mode.

class load <path> [<path>]

You can load traffic.cfg, an .ldi file (such as config.ldi), or both. If both files are specified, one file must be a traffic.cfg and the other must be a config.ldi. Which type of file(s) you specify here depends on the version of the configuration you are loading (see below). The following example loads a traffic.cfg and config.ldi file from the flash disk root directory:

class load 9.256/traffic.cfg 9.256/config.ldi

The class load command prompts for confirmation, then overwrites the existing cfg/traffic.cfg and/or cfg/config.ldi file with the files you specify. If you are loading a traffic.cfg file, the unit reboots to activate the new configuration.

In PacketWise 5.0/5.1, the traffic configuration and host lists were stored in traffic.cfg. If you want to load a 5.0/5.1 configuration on a unit with a 5.2 image, use the following command (assuming the file is located on the flash disk root):

class load 9.256/traffic.cfg
class move
Relocate a traffic class by assigning it to a new parent class. Unlike using the class copy command, the class will no longer reside under its original parent, but will be moved to a new location in the tree structure. class move <tclass> <new parent> [children] Use the literal children to move all of the class' children as well; otherwise, only the parent class will be moved and the children will be promoted a level. Note: When moving a traffic class, you cannot change the direction. For example, you cannot move a traffic class from /Inbound to /Outbound.
class new
Create a new traffic class.

class new <parent_name> <name> [nodefault] <rule>

<parent_name>   The parent class for the new traffic class. You must use the explicit hierarchical pathname if the class name is not unique, for example, /inbound/http.
<name>          A unique name for the new traffic class, up to 31 characters long. Use only alphanumeric characters and the following special characters: underscore ( _ ), hyphen ( - ), and period ( . ). Specify only the class name, without the leading tree hierarchy pathname.
[nodefault]     A Default match-all class will not be created (applicable when creating a child class). For example, if you don't specify the nodefault parameter when creating the Inbound/HTTP/WebSurfing class, PacketWise will also create an Inbound/HTTP/Default class. If you do specify the nodefault parameter, the Inbound/HTTP/Default class will not be created.
<rule>          A matching rule defines a traffic class' attributes. A class can contain multiple matching rules, which are treated as separate, distinct rules. To define one or more rules for a traffic class, see class rule. For matching rule details, see Matching Rule Details.

Notes:

• You cannot create a child class if the parent has been assigned a host accounting category.
• If your unit is within one traffic class of its capacity, PacketWise will not let you create any more classes. This is due to the possibility that two classes will be created in some circumstances. For example, when you create the first child class for a parent, a Default class automatically gets created.

Creating a Class for a Specific File Type: Examples

Specify GIF file downloads:
class new inbound/http graphics outside service:http web:url:"*.gif"

Specify MP3 files downloaded via FTP:
class new inbound/ftp ftp_mp3_downloads outside service:ftp-data-clear ftp:filename:*.mp3

Creating a Class for a Specific Host or Port: Examples

Target any traffic from an external host:
class new inbound competitor outside host:145.34.0.2 service:http

Specify web traffic to a port other than port 80, the normal web port:
class new inbound web_in inside service:http port:8080

Creating a Class for a Specific URL, IP Address, or Host List: Examples

Specify a URL (http://altman.com/support/support.htm):
class new inbound altman outside service:http host:altman.com web:url:"/support/support.htm"

For security purposes, you can classify TCP traffic based on the origin of the connection. To do this, create a traffic class that specifies an outside TCP client. Create this type of class only after you are satisfied that traffic discovery has sufficiently identified traffic on your network. Otherwise, it will prevent the discovery of more specific services.
class new inbound mystuff outside tcp client

Specify an IP address if you do not have a DNS server configured:
class new inbound server_guru inside 203.160.106.3

Specify a host list (a set of IP addresses and/or DNS names):
class new inbound/servers inside host:any outside list:servers

Creating a Class for ICMP or IGMP Traffic

When creating a symmetrical traffic class for the ICMP or IGMP protocols, we recommend that you explicitly specify the protocol for both the inside and outside interface. For example:
class new /Inbound/ABQ ICMP inside ICMP outside ICMP

To create an asymmetrical traffic class for ICMP or IGMP, where traffic is classified on either the inside or the outside interface:
class new /Inbound/ABQ ICMP inside ICMP
or
class new /Inbound/ABQ ICMP outside ICMP
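When classes are created from a script rather than typed one at a time, the name rules for class new (31 characters; letters, digits, underscore, hyphen and period; no path in the name) and the capacity note about the automatically created Default class are worth checking before the commands reach the unit. This Python is an added example, not from the PacketGuide or from PacketWise; it builds class new commands in the form shown in the examples above and counts how many classes a batch will actually create, under the assumption (stated in the code) that the parent has no children yet unless the caller says otherwise.

```python
import re
from typing import List, Tuple

NAME_MAX_LEN = 31
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")   # the character set allowed by class new


def class_name_problems(name: str) -> List[str]:
    """Rules from the class new reference that a proposed class name violates."""
    problems: List[str] = []
    if not name:
        return ["name is empty"]
    if len(name) > NAME_MAX_LEN:
        problems.append(f"name is {len(name)} characters; the limit is {NAME_MAX_LEN}")
    if "/" in name:
        problems.append("name must not include the tree path; give the parent separately")
    elif not NAME_RE.match(name):
        problems.append("name may contain only letters, digits, underscore, hyphen and period")
    return problems


def build_class_new(parent: str, name: str, rule: str, nodefault: bool = False) -> str:
    """Compose one class new command, refusing names the unit would reject.
    The rule is passed through as written (see Matching Rule Details)."""
    problems = class_name_problems(name)
    if problems:
        raise ValueError("; ".join(problems))
    words = ["class", "new", parent, name]
    if nodefault:
        words.append("nodefault")
    words.append(rule)
    return " ".join(words)


def symmetric_protocol_class(parent: str, name: str, protocol: str) -> str:
    """The recommended form for a symmetrical ICMP or IGMP class: the protocol
    is named explicitly on both the inside and the outside interface."""
    return build_class_new(parent, name, f"inside {protocol} outside {protocol}")


def plan_children(parent: str, children: List[Tuple[str, str]],
                  nodefault: bool = False,
                  parent_has_children: bool = False) -> Tuple[List[str], int]:
    """Commands to create the given (name, rule) children under parent, plus the
    number of classes that will actually be created: the first child of a
    childless parent also creates the parent's Default match-all class unless
    nodefault is given, which is what the capacity note above warns about.
    parent_has_children is the caller's statement about the current tree
    (an assumption of this example, not something the unit is asked)."""
    commands: List[str] = []
    created = 0
    for index, (name, rule) in enumerate(children):
        commands.append(build_class_new(parent, name, rule, nodefault))
        created += 1
        if index == 0 and not parent_has_children and not nodefault:
            created += 1            # the parent's Default class comes for free
    return commands, created


if __name__ == "__main__":
    cmds, count = plan_children("inbound/http", [
        ("graphics", 'outside service:http web:url:"*.gif"'),
        ("web_alt", "inside service:http port:8080"),
    ])
    print("\n".join(cmds))
    print("classes created:", count)
```

Compare the returned count with the headroom left on the unit before running the batch; if the unit is within one class of its limit, the first command of a batch that does not pass nodefault is the one that will fail.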
class note
Annotate a traffic class. class note <tclass> "<note>" This note appears in the class show display. Non-printing characters are not allowed.
class override
For PolicyCenter only Override an inherited traffic class by creating a local copy of the traffic class. class override <tclass> You must make a local copy of an inherited traffic class before you can change the class on the individual unit.
class owner
Specify an owner name for a traffic class.

class owner <tclass> <ownername>

The owner name can be up to 32 characters, and the following special characters are not allowed: quote ("), ampersand (&), backslash (\), and non-printing characters. The owner name appears in the class show display. This field can be used as a search criterion for customer portal pages.
class publish
For PolicyCenter only This command publishes a traffic class on a child configuration to the traffic tree of its parent. The traffic class is then cleared from the child configuration, so it will inherit that class from its parent configuration. Include the children parameter to also publish all child classes of the selected traffic class. class publish <tclass> [children] See Publish an Individual Traffic Class from a Child Configuration to its Parent for details on this operation. Note: Host list settings are not included in the publish operation. If the published class uses a host list, that host list must be manually added to the new class on the parent configuration.
class rename
Rename a traffic class. class rename <tclass> <new tclass> The class to be renamed must be specified with its full pathname; do not specify the path for the new class name. (The path from the original name is used.) For example: class rename inbound/test sap When renaming a class you are not allowed to change just the case; for example, you cannot rename HTTP to http. Note: If you rename a class and that class has an event associated with it, the class name is not automatically updated in the event registration. Therefore, after renaming a class, you will need to re-register the event with the new class name.
class reset
Revert to the factory-default traffic tree configuration. class reset The traffic class tree is reset to its original state, which includes only the inbound, inbound default, outbound, and outbound default classes. All other classes, policies, and partitions are removed. Frame Relay classes are removed from the tree, but the Frame Relay configuration is not; use the frame delete command to remove the configuration.
class rule
Add or delete matching rules.

class rule add <tclass> <rule>
class rule delete <tclass> <rule_id>

The maximum number of matching rules per traffic class depends on the Packeteer model. (See PacketShaper or PacketShaper ISP Configuration Limits.) If a traffic class has more than one matching rule, PacketWise compares the flow to the first specification. If it doesn't find a match, it moves to the class' next matching rule. Matching rules are identified by a rule ID in brackets [ ]. You can determine the rule ID by using the command:

class show <tclass>

See Matching Rule Details for additional information.

Examples:

Create a new Oracle class with three matching rules. The first matches on an inside host IP address of 190.160.0.207, the second matches on 190.160.0.208, and the third on 190.169.0.254.

class new /outbound oracle inside service:oracle host:190.160.0.207
class rule add /outbound/oracle inside service:oracle host:190.160.0.208
class rule add /outbound/oracle inside service:oracle host:190.169.0.254

Create a new FTP class with two matching rules, one for the outside and the other for the inside.

class new inbound/ftp ftp_mp3_downloads outside service:ftp-data-clear ftp:filename:*.mp3
class rule add inbound/ftp/ftp_mp3_downloads inside service:ftp-data-clear ftp:filename:*.mp3

Recall that if a traffic class has more than one matching rule definition, PacketWise compares the flow to the first specification. If it doesn't find a match, it moves to the class' next rule. Traffic that matches any of a class' matching rules will fall into the class.

If the info page has flagged one or more of your classes with the configuration error message "attrib iqosMatchingRule = ???, Failed to add matching rule to traffic class", you have exceeded the maximum number of matching rules available on your Packeteer model. (In the CLI, you can display configuration error messages with the class show <tclass> command.) To free up resources, you need to remove one or more classes or matching rules. Configuration errors will disappear once the total number of matching rules is less than the unit's limit. If you find that you are consistently exceeding your unit's maximum configuration limits, you should consider upgrading your PacketShaper.
class services
List the services available in PacketWise. These services are also listed in Applications, Protocols and Services Classified by PacketWise.

class services [<service name>]|[plug-ins] [id]

<service name>   The name of a service; you can type the complete name, or just the first few letters.
[plug-ins]       List only services that were individually added to (plugged into) the software, that is, services not built into PacketWise.
[id]             List the internal ID numbers associated with each service name. Service ID numbers are recorded in flow detail records (FDRs). Since FDRs record the service ID, not the service name, the class services id command would be useful for someone interpreting FDR data with a protocol analyzer or other tool that displays FDR data.

The <service name> option is useful for narrowing down the service list to a particular name you are looking for. The following example lists all the services that start with AOL:

class services aol
AOL-IM         AOL - Instant Messenger & ICQ Client-Server
AOL-IM-File    AOL-IM - Point to Point File Transfer
AOL-IM-ICQ     AOL - Instant Messenger & ICQ2000
AOL-IM-IMAGE   AOL-IM-Image - Point to Point Chat
AOL-IM-Talk    AOL-IM - Point to Point Talk
class set
Make a traffic class an exception class, or configure a class to allow its policy to be inheritable.

class set <tclass> inherit|standard|exception

inherit     Inheritable traffic classes have policies that can be applied to other classes when the other class doesn't have its own policy. Specific rules apply to how PacketWise decides which policy a class should inherit; see Inheritance Rules for details. The output of the class show command indicates (with an I flag) which classes have an inheritable policy.
standard    Standard traffic types have no exception or inheritable attributes.
exception   Exception traffic classes are always positioned above non-exception classes in the tree. When you make a class an exception class, you redefine the search order that PacketWise uses to find a match for traffic flow. The exception attribute can be applied to all classes except /Inbound, /Outbound, and any default match-all classes. Marking a traffic class as an exception ensures that it is ordered first in the subtree, overriding the tree's built-in hierarchical order.
class show

Display traffic class information for a specific class or the entire traffic tree.

    class show [<tclass> | verbose <tclass> | since <seconds>]

Use the verbose option to list all host lists referenced by a traffic class. The since option shows only classes auto-discovered within the last number of <seconds>.

When you specify a class, configuration details such as matching rules and policy information are displayed. Each matching rule is prefaced by a rule ID number. The class ID used for extracting data via SNMP is also displayed as the last line of the output. For example:

    class show dhcp
    Traffic Class: /Outbound/DHCP
    Partition: /Outbound
    Class Flags: autocreated
    Rule Types: optimized
    Current guaranteed rate 0 excess rate 0
    Matching Rules:
      [52 ] inside any host service:Client any outside any host service:DHCP-S any
      [54 ] inside any host service:Client any outside any host service:DHCP-C any
      [53 ] inside any host service:DHCP-S any outside any host service:Client any
      [55 ] inside any host service:DHCP-C any outside any host service:Client any
    no policy
    Class id (for SNMP and Measurement Engine): 1069
    Compression: Override (pred1-256K) Dictionary Id: 1

The Class Flags indicate class attributes:

autocreated   The class was created with the traffic discovery feature.
built-in      One of the classes built into PacketWise (such as Inbound and Outbound). Built-in classes cannot be deleted.
cacheable     The class is cacheable (that is, a class based on an IP address that is on the same side as the cache).
discovering   Traffic discovery is turned on for this class.
exception     The class is treated as an exception, overriding PacketWise's default ordering.
inherited     The policy for the class is inheritable.
policy        The class has a policy. (The specific policy type is shown next to Policy Flags near the bottom of the output.)

The Rule Types indicate the type of matching rule:

optimized              The class is optimized. An optimized class is one that was autodiscovered or one that was manually created with a simple matching rule (service type, IP address, or port number).
address-is-cacheable   The class has a pure IP address-based matching rule that is on the same side as the cache (on the inside, by default). It can be an individual IP address, a range of IP addresses, an address with a mask, or host lists. These classes can be cached unless an error in the tree configuration is causing cacheability problems.
match-all              This class is a match-all class (protocol = any, service = any; for example, a Default bucket).

If you are using the compression feature in legacy mode and have set compression options for the class, you may see one of the following:

Compression: Off (disabled)   Compression has been turned off for this class (using the class compress off command).
Compression: Override         A compression type has been specified for this class, overriding the default type (using the class compress on override command). The compression type is indicated in parentheses, for example (pred1-256K). If a dictionary ID was assigned, it is also indicated.
Compression: On               Compression has been turned on for this class (using the class compress on nondefault command). The compression type is indicated in parentheses, for example (pred1-256K). If a dictionary ID was assigned, it is also indicated.

Note: In enhanced mode, use the tunnel class show command to see per-class compression overrides.

If you don't specify a class, all classes in the traffic tree are displayed, but with less detail.
When displaying the entire traffic tree with the class show command (as shown in the following example), several flags indicate class attributes, type of matching rule, and legacy compression options (described above).

    class show
    Derivation:  (I)nherited (O)verride (U)nderride (L)ocal
    Class Flags: (A)utocreated (D)iscovering (E)xception (I)nherit (P)olicy (C)acheable
    Rule Types:  (o)ptimized (m)atch-all (a)ddress is cacheable
    Compression: (c)ompression specified (d)isable compression
Class Name Inbound Localhost 10.7.38.0 CUSTOMER mysite.org Default Outbound Localhost 10.7.38.0 CUSTOMER mysite.org Default
Flags m E P P IP E P a ma C a m a ma C a m m
Partition Name /Inbound /Inbound /Inbound /Inbound /Inbound /Inbound /Outbound /Outbound /Outbound /Outbound /Outbound /Outbound
IP
class test

Test a traffic flow against the present classification tree in order to determine the flow's class, partition, and policy.

    class test <direction> <protocol> [<inhost:inport> <outhost:outport>]

<direction>                          inbound or outbound
<protocol>                           tcp, udp, icmp, netbeui, ipx, appletalk, decnet, fna, sna, lat, or misc
<inhost:inport> <outhost:outport>    The inside and outside IP addresses and port numbers to test (required for IP protocols only: TCP, UDP, ICMP). You must supply both an inside and an outside address. Use 0.0.0.0:0 as a placeholder if you don't have an address to test on one of the sides.

The command simulates a flow and returns the following information:

Traffic Class   The traffic class in the current traffic tree into which the flow would be classified.
Partition       The partition associated with the matching traffic class. If the traffic class doesn't have its own partition, the parent partition is used.
Policy          The matching policy. If the matching traffic class has no applied policy, the policy is inherited. See Inheritance Rules.

Note: The class test command will only match traffic classes that have "any" for the server location.

Examples:

    class test inbound appletalk
    Traffic class --> /Inbound/AppleTalk
    Partition     --> /Inbound
    Policy        --> /Inbound/Default

    class test inbound tcp 216.110.182.168:80 0.0.0.0:0
    Traffic class
    Partition
    Policy

Notes:

- The class test command can be used to test basic classification for IP protocols, but is not intended to test every type of classification PacketWise offers. Its purpose is to check a particular IP address or port number to determine how the traffic is classified into existing port-based and IP address-based classes in the traffic tree. The command does not include fields for specifying more complex types of classification such as MAC address or device.
- The class test command requires touch access.
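The two sections above (class set with the exception and inherit attributes, and class test) describe how PacketWise picks a class, a partition and a policy for a flow. The following Python model, added here as an illustration and not PacketWise code, reproduces that lookup on a constructed tree: exception classes are searched before their siblings regardless of tree order, a class without its own partition uses the nearest ancestor's, and a class without a policy inherits one. The page refers to separate Inheritance Rules that it does not reproduce, so the inheritance rule coded here (own policy, else the inheritable policy of the Default bucket at the same level, walking upward) is an assumption chosen to match the page's own class test example; the matching rules, class names and flows are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Flow:
    """The inputs class test takes: direction, protocol and both endpoints."""
    direction: str                 # "inbound" or "outbound"
    protocol: str                  # tcp, udp, icmp, appletalk, ...
    inside: str = "0.0.0.0:0"      # inside host:port; 0.0.0.0:0 is the placeholder
    outside: str = "0.0.0.0:0"     # outside host:port


@dataclass
class TrafficClass:
    name: str                                   # full path, e.g. /Inbound/AppleTalk
    match: Callable[[Flow], bool]               # matching rule (constructed for this example)
    kind: str = "standard"                      # standard | exception | inherit
    policy: Optional[str] = None                # policy applied to this class, if any
    partition: Optional[str] = None             # None: the parent's partition is used
    match_all: bool = False                     # True for a Default bucket
    children: List["TrafficClass"] = field(default_factory=list)

    def search_order(self) -> List["TrafficClass"]:
        # Exception classes are searched before every non-exception sibling;
        # inside each group the configured tree order is kept.
        exc = [c for c in self.children if c.kind == "exception"]
        return exc + [c for c in self.children if c.kind != "exception"]


def port(endpoint: str) -> int:
    return int(endpoint.rsplit(":", 1)[1])


def classify(root: TrafficClass, flow: Flow) -> List[TrafficClass]:
    """Walk the tree; at each level the first matching child wins.
    Returns the path from the root to the class the flow lands in."""
    path = [root]
    while True:
        for child in path[-1].search_order():
            if child.match(flow):
                path.append(child)
                break
        else:
            return path


def effective_partition(path: List[TrafficClass]) -> str:
    # A class without its own partition uses the nearest ancestor's.
    for cls in reversed(path):
        if cls.partition:
            return cls.partition
    return path[0].name


def effective_policy(path: List[TrafficClass]) -> Optional[str]:
    """Name of the class whose policy applies. ASSUMED inheritance rule (the
    page only says 'see Inheritance Rules'): the class's own policy, else the
    inheritable policy of the Default bucket at the same level, else the same
    lookup one level up. Reproduces the page's 'class test inbound appletalk'."""
    cls = path[-1]
    if cls.policy:
        return cls.name
    for parent in reversed(path[:-1]):
        for sib in parent.children:
            if sib.match_all and sib.kind == "inherit" and sib.policy:
                return sib.name
    return None


def class_test(root: TrafficClass, flow: Flow) -> Dict[str, Optional[str]]:
    path = classify(root, flow)
    return {"class": path[-1].name,
            "partition": effective_partition(path),
            "policy": effective_policy(path)}


def build_tree() -> TrafficClass:
    """Constructed sample tree. Localhost is listed after HTTP but, being an
    exception class, is searched first."""
    http = TrafficClass("/Inbound/HTTP",
                        lambda f: f.protocol == "tcp" and 80 in (port(f.inside), port(f.outside)),
                        policy="rate", partition="/Inbound/HTTP")
    appletalk = TrafficClass("/Inbound/AppleTalk", lambda f: f.protocol == "appletalk")
    localhost = TrafficClass("/Inbound/Localhost", lambda f: f.inside.startswith("127."),
                             kind="exception")
    in_default = TrafficClass("/Inbound/Default", lambda f: True, kind="inherit",
                              policy="priority", match_all=True)
    inbound = TrafficClass("/Inbound", lambda f: f.direction == "inbound", partition="/Inbound",
                           children=[http, appletalk, localhost, in_default])
    out_default = TrafficClass("/Outbound/Default", lambda f: True, kind="inherit",
                               policy="priority", match_all=True)
    outbound = TrafficClass("/Outbound", lambda f: f.direction == "outbound",
                            partition="/Outbound", children=[out_default])
    return TrafficClass("/", lambda f: True, children=[inbound, outbound])


if __name__ == "__main__":
    tree = build_tree()
    for flow in (Flow("inbound", "appletalk"),
                 Flow("inbound", "tcp", "216.110.182.168:80", "0.0.0.0:0"),
                 Flow("inbound", "tcp", "127.0.0.1:80", "0.0.0.0:0")):
        print(flow, class_test(tree, flow))
```

The third flow is the point of the exception attribute: a TCP flow on port 80 from a 127.x inside host would match /Inbound/HTTP in plain tree order, but the exception class /Inbound/Localhost is consulted first and claims it. Because Localhost carries no policy of its own, the model reports the inherited /Inbound/Default policy, exactly the shape of output class test prints.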
PacketGuide for PacketWise 8.3
class undelete

For PolicyCenter only

Issue this command to restore a class marked for deletion from a draft configuration. If the class has any child classes, they will also be restored.

    class undelete <tclass>
cmp

Compare two files. This command generates no output if the files don't differ; if they differ, the byte and line number at which the first difference occurred is reported. Bytes and lines are numbered beginning with one (1).

    cmp [-ls] file1 file2 [skip1] [skip2]

The following options are available:

-l    Print the byte number (decimal) and the differing byte values (octal) for each difference.
-s    Print nothing for differing files; return exit status only.

The optional arguments skip1 and skip2 are byte offsets from the beginning of file1 and file2, respectively, where the comparison will begin. The offset is decimal by default, but may be expressed as a hexadecimal or octal value by preceding it with a leading 0x or 0.
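The semantics just described (1-based byte and line numbers, the -l and -s options, and skip offsets in decimal, 0x hexadecimal or leading-0 octal) are small enough to state precisely in code. The Python below is an added illustration written for this page, not the PacketShaper cmp implementation; the two files are constructed in memory, and the exact wording of the "differ" message is assumed.

```python
from typing import List, Optional, Tuple


def parse_offset(text: str) -> int:
    """skip1/skip2 syntax from the page: decimal by default, 0x prefix for
    hexadecimal, leading 0 for octal."""
    t = text.strip().lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t[1:], 8)
    return int(t)


def first_difference(a: bytes, b: bytes, skip1: int = 0, skip2: int = 0) -> Optional[Tuple[int, int]]:
    """(byte number, line number) of the first difference, both counted from 1
    and relative to the skip offsets; None when the files match. A file that
    ends before the other also counts as a difference at the next byte."""
    a, b = a[skip1:], b[skip2:]
    line = 1
    for i in range(min(len(a), len(b))):
        if a[i] != b[i]:
            return i + 1, line
        if a[i] == 0x0A:          # newline: the next byte is on the next line
            line += 1
    if len(a) != len(b):
        return min(len(a), len(b)) + 1, line
    return None


def all_differences(a: bytes, b: bytes, skip1: int = 0, skip2: int = 0) -> List[Tuple[int, int, int]]:
    """The -l listing: (byte number, value in file1, value in file2) for every
    differing byte within the common length."""
    a, b = a[skip1:], b[skip2:]
    return [(i + 1, a[i], b[i]) for i in range(min(len(a), len(b))) if a[i] != b[i]]


def cmp(a: bytes, b: bytes, list_all: bool = False, silent: bool = False,
        skip1: str = "0", skip2: str = "0") -> Tuple[int, str]:
    """Exit status (0 identical, 1 different) and the text cmp would print."""
    s1, s2 = parse_offset(skip1), parse_offset(skip2)
    diff = first_difference(a, b, s1, s2)
    if diff is None:
        return 0, ""
    if silent:                                  # -s: status only
        return 1, ""
    if list_all:                                # -l: decimal offset, octal values
        rows = [f"{n} {x:o} {y:o}" for n, x, y in all_differences(a, b, s1, s2)]
        return 1, "\n".join(rows) + "\n"
    byte_no, line_no = diff
    return 1, f"file1 file2 differ: byte {byte_no}, line {line_no}\n"


# Constructed sample files: one byte differs in the third line.
FILE1 = b"alpha\nbeta\ngamma\n"
FILE2 = b"alpha\nbeta\ngamna\n"

if __name__ == "__main__":
    print(cmp(FILE1, FILE2))
    print(cmp(FILE1, FILE2, list_all=True))
    print(cmp(FILE1, FILE2, skip1="0xb", skip2="013"))   # both skips resolve to 11
```

Note that the byte and line numbers are relative to the skip offsets, so with both skips set to 11 the same differing byte is reported as byte 4 of line 1. An exit status of 1 from a silent comparison is the signal to act on when cmp is used to confirm that two copies of a file (for example a saved configuration) are identical.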
types

summary   Show a tunnel summary in tabular form. For each tunnel, the tabular output lists the tunnel partner, quality, savings, and state. Note that the summary does not list the specific classes and services that are being compressed.

all       In addition to compression status, the output includes the lists from the services, types, and hosts options.
Display tunnels associated with a particular PacketShaper device:

main    built-in interface
upper   upper LEM
lower   lower LEM
right   right LEM
left    left LEM
Note: If a unit is assigned to a PolicyCenter configuration with a compression dictionary that the unit cannot support, the unit will substitute a smaller compression dictionary of the same type. For example, if a 2500 model is assigned to a PolicyCenter configuration configured with a CNA-32M dictionary, the unit will use the largest CNA dictionary supported, in this case CNA-16M. If the unit does not have the assigned compression plug-in, it will use its currently configured compression dictionary.

Sample output for setup compression show:

    Tunnel Interface:  main
    Tunnel Partner:    172.21.26.45
    Tunnel Status:     Normal Operation (Up: 12m 4s, Idle: 9s)
    Tunnel Quality:    100
    Tunnel Savings:    56 KBpm

    Compressors          Type     %Bytes Saved
    ---------------------------------------------
    GROUP DICTIONARY     cna-1M    70% ( 19 secs old)
    DNS                  cna-1M    18% ( 19 secs old)
    NetBIOS-IP-SSN       cna-1M    70% ( 53 secs old)
    Microsoft-ds         cna-1M    70% ( 50 secs old)
    ICMP                 cna-1M    45% ( 32 secs old)
    SNMP-Mon             cna-1M    70% ( 53 secs old)
    LDAP-Clear           cna-1M   ----% (125 secs old)
    Observed             cna-1M    29% ( 60 secs old)

    Compression: On
    Memory: 9879 KB / 204800 KB
    Tunnels: 1 Active, 0 Idle, 1 Total

Tunnel Status can be one of the following:

- Normal Operation: A compression tunnel has been established in both directions, and the unit is ready to compress and decompress data.
- Compressing: The unit is currently compressing data.
- Decompressing: The unit is currently decompressing data.
- Passthru operation (Decompressing): Compressible packets are not being sent through the compression tunnel. When compressed packets are retransmitted because the tunnel partner is not acknowledging that it received the packets, PacketWise sends the packets through the normal mechanism (not the tunnel). The tunnel will resume normal operation after it gets an acknowledgement for the retransmitted packets.
Tunnel Quality can range between 0 and 100, with a value of 100 indicating best tunnel quality. It is derived from underlying metrics such as packet loss. Poor tunnel quality could be caused by problems with your network configuration or service provider. See Compression Troubleshooting for more information.
Tunnel Savings is the bytes saved per minute, due to compression.

If the tunnel is currently compressing data, the output includes details about each of the services that are being compressed.

Column         Description
Compressors    Lists the name of each class and service being compressed.
Type           Lists the compression dictionary the service is using. The dictionary name indicates the type of algorithm (such as cna, predictive, or zlib), number of passes (with one pass, data is compressed once; with two passes, the compressed data is compressed again), and the size. For example, pred2-512K uses the predictive type of algorithm, does two passes, and has a 512K dictionary.
%Bytes Saved   Indicates the percentage of bytes saved, due to compression. This value is calculated by subtracting post-compression bytes (the size after compressible bytes were compressed) from pre-compression bytes (the size without any compression) and dividing this difference by pre-compression bytes. If ----% appears in the %Bytes Saved column, either compression savings were negligible or the service has flows that were recently compressed (more than 2 minutes ago), but are not currently being compressed. A service will be dropped from the list if it hasn't been compressed in 999 seconds.
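To make the column descriptions concrete, here is an added Python example (written for this page, not Packeteer code) that computes %Bytes Saved from the formula above, decodes a dictionary name into algorithm, passes and size, and parses the Compressors table from a constructed copy of the sample output so that entries worth an operator's attention (Observed traffic, ----% entries, entries that have not been compressed for a long time) can be listed. The row layout is assumed from the sample above; the 999-second drop-off comes from the page.

```python
import re
from typing import Dict, List, Optional

STALE_AFTER_SECS = 999   # page: a service is dropped after 999 s without compression

# One row of the Compressors table. The dictionary name encodes the algorithm,
# the number of passes and the size (cna-1M, pred2-512K, ...). Layout assumed
# from the sample output above.
ROW = re.compile(
    r"^(?P<name>\S.*?)\s+(?P<dictionary>(?:cna|pred|zlib)\d?-\d+[KM])"
    r"\s+(?P<saved>[\d-]+)%\s+\(\s*(?P<age>\d+) secs old\)$"
)

# Constructed copy of the sample output shown above.
SAMPLE = """\
Compressors          Type     %Bytes Saved
---------------------------------------------
GROUP DICTIONARY     cna-1M    70% ( 19 secs old)
DNS                  cna-1M    18% ( 19 secs old)
NetBIOS-IP-SSN       cna-1M    70% ( 53 secs old)
Microsoft-ds         cna-1M    70% ( 50 secs old)
ICMP                 cna-1M    45% ( 32 secs old)
SNMP-Mon             cna-1M    70% ( 53 secs old)
LDAP-Clear           cna-1M   ----% (125 secs old)
Observed             cna-1M    29% ( 60 secs old)
"""


def percent_bytes_saved(pre_bytes: int, post_bytes: int) -> Optional[float]:
    """The page's formula: (pre - post) / pre, as a percentage. None when
    there is nothing to measure, which the CLI prints as ----%."""
    if pre_bytes <= 0:
        return None
    return (pre_bytes - post_bytes) * 100.0 / pre_bytes


def describe_dictionary(name: str) -> Dict[str, object]:
    """Split pred2-512K into algorithm 'pred', 2 passes, size '512K'.
    A name without a pass digit (cna-1M) is taken as a single pass."""
    m = re.fullmatch(r"([a-z]+)(\d)?-(\d+[KM])", name)
    if not m:
        raise ValueError(f"unrecognised dictionary name: {name}")
    algorithm, passes, size = m.groups()
    return {"algorithm": algorithm, "passes": int(passes) if passes else 1, "size": size}


def parse_compressors(text: str) -> List[Dict[str, object]]:
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue          # header, rule line or blank line
        saved = m.group("saved")
        rows.append({
            "name": m.group("name"),
            "dictionary": m.group("dictionary"),
            "saved_pct": None if saved.startswith("-") else int(saved),
            "age_secs": int(m.group("age")),
        })
    return rows


def review(rows: List[Dict[str, object]]) -> List[str]:
    """Entries an operator would look at: unidentified traffic, entries with no
    measurable savings, and entries that are a long way towards being dropped."""
    notes = []
    for r in rows:
        if r["name"] == "Observed":
            notes.append(f"{r['name']}: service could not be identified")
        if r["saved_pct"] is None:
            notes.append(f"{r['name']}: negligible savings or not currently compressed")
        elif r["saved_pct"] == 0:
            notes.append(f"{r['name']}: 0% saved")
        if r["age_secs"] > STALE_AFTER_SECS // 2:
            notes.append(f"{r['name']}: last compressed {r['age_secs']} s ago")
    return notes


if __name__ == "__main__":
    parsed = parse_compressors(SAMPLE)
    for row in parsed:
        print(row)
    print(review(parsed))
```

The parser keeps ----% as None rather than 0, because the page gives the two cases different meanings (negligible savings versus not currently compressed) and neither should be averaged into a savings figure.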
Occasionally, you may have Observed listed as a compressor in the setup compression show output (as shown in the example above). When Xpress is unable to identify the service for any traffic that is sent through the compression tunnel, the traffic gets categorized into Observed.

If you include a specific IP address, you can display additional compression information about the host or PacketShaper. The Compression Type field in the setup compression show output indicates the type of host: Shaper (PacketShaper), Initiator, or Recipient. The output varies, depending on the type of host. For example, if 172.21.18.253 is a recipient host, the setup compression show output includes the forwarding MAC address:

    setup compression show 172.21.18.253
    IP Address:          172.21.18.253 INSIDE
    Compression Type:    Recipient
    Forwarding Address:  00:90:27:54:a7:d5

Or, if 192.168.130.101 is an initiating host, the output lists the tunnel partner and tunnel status:

    setup compression show 192.168.130.101
    IP Address:        192.168.130.101 OUTSIDE
    Compression Type:  Initiator
    Tunnel Partner:    172.21.0.85
    Tunnel Status:     Normal operation (Up: 1m 48s, Idle: 29s)
If 172.17.56.201 is a PacketShaper unit, the output includes the tunnel savings and tunnel status:

    setup compression show 172.17.56.201
    IP Address:      172.17.56.201
    Tunnel Status:   Normal operation (Up: 30s, Idle: 0s)
    Tunnel Quality:  100
    Tunnel Savings:  8618 KBpm

    Compressors          Type     %Bytes Saved
    ---------------------------------------------
    GROUP DICTIONARY     cna-1M    72% (  0 secs old)
    HTTP                 cna-1M    72% (  0 secs old)
    ICMP                 cna-1M     0% ( 11 secs old)
Tunnel Status can be one of the following:

- Normal Operation: The unit is currently compressing and decompressing data.
- Compressing: The unit is currently compressing data.
- Decompressing: The unit is currently decompressing data.
- Tunnel is not up: The compression tunnel has not been set up (see Compression Status for details on why the tunnel was not set up).
- Partner not available: The data from the active PacketShaper will not be compressed because the tunnel partner does not allow tunnel traffic from the active PacketShaper (the unit from which you issued the setup compression show command). In other words, the PacketShaper on the other side of the tunnel has not configured the active PacketShaper to use the compression facility; it is not on its list of PacketShapers that are allowed to use the compression facility.
- Passthru operation (Decompressing): Compressible packets are not being sent through the compression tunnel. When compressed packets are retransmitted because the tunnel partner is not acknowledging that it received the packets, PacketWise sends the packets through the normal mechanism (not the tunnel). The tunnel will resume normal operation after it gets an acknowledgement for the retransmitted packets.
    Device  Partner          Quality  Savings       State
    ------------------------------------------------------------------
    lower   172.17.58.109    100       4022 KBpm    Normal  17m 24s
    upper   172.17.59.103    100       4063 KBpm    Normal  17m 24s
    upper   172.17.59.108    100       3842 KBpm    Normal  17m 24s
    main    172.17.56.104    100       8914 KBpm    Normal  17m 24s
    main    172.17.56.109    100       1229 KBpm    Normal  17m 24s
    upper   172.17.58.105    100       3684 KBpm    Normal  17m 24s
    main    172.17.56.107    100      10267 KBpm    Normal  17m 24s
    upper   172.17.58.106    100       1263 KBpm    Normal  17m 24s
    main    172.17.56.102    100       9038 KBpm    Normal  17m 24s
    upper   172.17.56.102    100       3979 KBpm    Normal  17m 25s
    upper   172.17.59.106    100       4035 KBpm    Normal  17m 25s
    upper   172.17.56.109    100       4028 KBpm    Normal  17m 25s
    upper   172.17.59.102    100       3999 KBpm    Normal  17m 25s

    Totals:
      Tunnels:         13
      Active:          13
      Idle:            0
      Unidirectional:  0
      Bidirectional:   0
      Passthru:        0
      Memory:          260845 KB / 704437 KB
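The summary table is the output an operator reads most often, so the following added Python example (written for this page, not Packeteer code) parses it from a constructed sample, lists tunnels whose state is not Normal or whose quality is below a threshold, reports partners that appear on more than one device (the sample above lists 172.17.56.102 and 172.17.56.109 under both main and upper), and cross-checks the Totals block against the rows. The row and Totals layouts are assumed from the sample above; the degraded Passthru row and its 192.0.2.77 partner are made up for the illustration, and treating a Passthru state as contributing to the Passthru total is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One summary row: device, partner address, quality, savings, state, uptime.
ROW = re.compile(
    r"^(?P<device>main|upper|lower|left|right)\s+(?P<partner>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(?P<quality>\d+)\s+(?P<savings>\d+) KBpm\s+(?P<state>\S+)\s+(?P<uptime>\S.*)$"
)
TOTAL = re.compile(r"^(Tunnels|Active|Idle|Unidirectional|Bidirectional|Passthru):\s*(\d+)$")

# Constructed sample: five rows taken from the output above plus one degraded
# tunnel (192.0.2.77, Passthru) invented for the example.
SAMPLE = """\
Device  Partner          Quality  Savings       State
------------------------------------------------------------------
main    172.17.56.102    100       9038 KBpm    Normal    17m 24s
upper   172.17.56.102    100       3979 KBpm    Normal    17m 25s
main    172.17.56.109    100       1229 KBpm    Normal    17m 24s
upper   172.17.56.109    100       4028 KBpm    Normal    17m 25s
lower   172.17.58.109    100       4022 KBpm    Normal    17m 24s
main    192.0.2.77        61          0 KBpm    Passthru  0m 40s

Totals:
  Tunnels:         6
  Active:          5
  Idle:            0
  Unidirectional:  0
  Bidirectional:   0
  Passthru:        1
  Memory:          130000 KB / 704437 KB
"""


def parse_summary(text: str) -> Tuple[List[Dict[str, object]], Dict[str, int]]:
    rows: List[Dict[str, object]] = []
    totals: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW.match(line)
        if m:
            rows.append({"device": m["device"], "partner": m["partner"],
                         "quality": int(m["quality"]), "savings_kbpm": int(m["savings"]),
                         "state": m["state"], "uptime": m["uptime"]})
            continue
        t = TOTAL.match(line)
        if t:
            totals[t.group(1)] = int(t.group(2))
    return rows, totals


def degraded(rows: List[Dict[str, object]], min_quality: int = 100) -> List[Dict[str, object]]:
    """Tunnels not in Normal state or below the quality threshold (100 = best)."""
    return [r for r in rows if r["state"] != "Normal" or r["quality"] < min_quality]


def partners_on_multiple_devices(rows: List[Dict[str, object]]) -> Dict[str, List[str]]:
    seen = defaultdict(list)
    for r in rows:
        seen[r["partner"]].append(r["device"])
    return {partner: sorted(devs) for partner, devs in seen.items() if len(devs) > 1}


def check_totals(rows: List[Dict[str, object]], totals: Dict[str, int]) -> List[str]:
    """Discrepancies between the Totals block and the rows actually listed."""
    problems = []
    if totals.get("Tunnels") != len(rows):
        problems.append(f"Totals report {totals.get('Tunnels')} tunnels, table lists {len(rows)}")
    passthru = sum(1 for r in rows if r["state"] == "Passthru")   # assumed mapping
    if totals.get("Passthru") != passthru:
        problems.append(f"Totals report {totals.get('Passthru')} passthru, table lists {passthru}")
    return problems


def total_savings_kbpm(rows: List[Dict[str, object]]) -> int:
    return sum(int(r["savings_kbpm"]) for r in rows)


if __name__ == "__main__":
    rows, totals = parse_summary(SAMPLE)
    print("degraded:", degraded(rows))
    print("multi-device partners:", partners_on_multiple_devices(rows))
    print("total savings KBpm:", total_savings_kbpm(rows))
    print("discrepancies:", check_totals(rows, totals))
```

Run periodically against captured output, the degraded list is a reasonable trigger for the Compression Troubleshooting steps the page points to, and the partner check makes visible which remote units are reachable through more than one LEM.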
Compression Status

If the compression tunnel is not up, you will see an additional field, Compression Status, which gives you additional information about why a tunnel could not be created. These messages are described below.

Message: Disabled because compression is off
Description: The data from the specified host will not be compressed because the compression feature has been turned off on the active PacketShaper. Use the setup compression on command to enable compression.

Message: Disabled because shaper is not in allowed partner list, or Disabled because shaper x.x.x.x is not in allowed partner list
Description: The data from the specified host will not be compressed because the tunnel partner has not been configured to use the compression facility (using the setup compression partners command). To see which partners (PacketShaper units) have been configured to use compression, type setup compression show hosts.

Message: (message text missing)
Description: The data from the specified host will not be compressed because it is not configured to use the compression facility (using the setup compression hosts command). To see which hosts have been configured to use compression, type setup compression show hosts.

Message: (message text missing)
Description: This message means that the host is trying to be an initiator and recipient at the same time, a situation that is not allowed. Resetting the unit should resolve this problem. Note: You may get this message if your site router is on the inside; compression will not work with inside routers.

Message: Process started, probe sent __ ago, no answer, resend in __
Description: A probe packet was sent to look for a tunnel partner, but a PacketShaper unit did not reply; another probe will be sent in the specified number of seconds/minutes.

Message: Compression was restarted, can probe now
Description: Compression was turned off and then turned back on and there currently aren't any flows going through the PacketShaper for this host; a probe will be sent to look for a tunnel partner.

Message: Host can probe now
Description: The host has been identified, but a probe packet has not yet been sent to see if a tunnel partner exists.

Message: Probe sent __ ago, can probe now
Description: A probe packet was sent, but a tunnel partner did not reply; another probe will be sent. (If you want to force a probe, use the setup compression reprobe command.)
config backup

For PolicyCenter only

Make a backup copy of a PolicyCenter configuration. After you issue the config backup command, you will be prompted to confirm that you want to create a backup of the specified configuration. Enter the word Yes, or press the Enter key. Backup configurations will appear in the PolicyCenter configuration tree with a "backup" after the configuration name.

    config backup [<cfg_path>]

Restore a backup copy of a PolicyCenter configuration with the config restore command.
config clear

For PolicyCenter / PacketShapers in Shared Configuration Mode

Clears all non-default configuration values from the named configuration. If none is named, it clears the current configuration. Clearing a child configuration means that the child will derive its sharable attributes and settings from its parent configuration. If you clear a parent configuration, its child configurations will no longer inherit any values from it.

    config clear [<cfg_path>]
config cp

For PolicyCenter only

Copies an existing configuration to a new or existing configuration. Include the -r (recursive) option to include the selected configuration's child configurations in the copy operation. Note that if the configuration to be copied and the destination configuration both have a child configuration with the same name, the destination configuration's child will be overwritten. If the <source cfg_path> argument is omitted, it copies the current active configuration.

This command does not allow a parent configuration to be copied to its child configuration with the -r option. You also may not copy to a draft configuration, or to any configuration that has a draft anywhere in its configuration hierarchy.

The individual serial-number configuration of a PacketShaper is unique to that unit, and cannot be copied to another location in the configuration tree unless you also rename the new copy of the unit configuration as a part of the copy operation.

    config cp [-r] [<source cfg_path>] <dest cfg_path>

Where the <source cfg_path> is the source configuration to be copied, and the <dest cfg_path> is the destination for the new copy of that configuration. Specify a slash (/) for the <dest cfg_path> value to copy the source configuration to the root of the configuration tree.

See also config mv for details on moving PolicyCenter configurations.
config dump

For PolicyCenter / PacketShapers in Shared Configuration Mode

This command prints out the current effective configuration objects' formats and attributes in something like LDAP data interchange format. Useful mainly for development and diagnostic purposes.

    config dump

See also: config save
config edit

For PolicyCenter only

Locks the current configuration, creates a draft copy of that configuration if a draft does not exist, and opens the draft configuration for display and modification. If a draft copy of that configuration already exists, this command only opens the draft configuration for display, but does not create a new draft.

    config edit <cfg_path>

Draft configurations impose limitations not present in other configurations. Once you have created a draft copy of a configuration, neither the original configuration nor any of its parent or child configurations can be modified until the draft configuration is permanently committed or deleted. If, for example, you had a PolicyCenter configuration tree with the following configurations

the command config edit parent_cfg/child1 would lock the configurations /parent_cfg, /parent_cfg/child1 and /parent_cfg/child1/grandchild, and would create a new draft configuration called parent_cfg/child1-draft. The configuration tree would then appear as follows:

    /parent_cfg/child2/grandchild2

A draft configuration can only be edited by one PolicyCenter user at a time: no other user can modify a draft until the first user logs out of PolicyCenter or sets the focus of his PolicyCenter session on another configuration (for example, by using the config view or config edit commands and specifying another configuration). However, while one user is modifying a draft, other users are allowed to view (but not change) the draft. Once you have made the required modifications to a draft configuration, you can test that configuration on one or more PacketShapers with the command draft try, or permanently commit the changes using the command draft commit.
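The locking behaviour of config edit is a small change-control state machine, and it is easiest to see which configurations become read-only by modelling it. The Python below is an added illustration for this page, not PolicyCenter code. It uses the page's example tree; /parent_cfg/child2 is assumed as the parent of the page's /parent_cfg/child2/grandchild2, the draft is named by appending -draft as in the page's example, and "locked" is modelled as the edited configuration plus all of its ancestors and descendants.

```python
from typing import Dict, List, Set


class ConfigTree:
    """Toy model of PolicyCenter draft locking (added illustration, not
    PolicyCenter code). Configurations are absolute paths; a draft of /a/b is
    named /a/b-draft, as in the page's example."""

    def __init__(self, paths: List[str]) -> None:
        self.paths: Set[str] = {self._norm(p) for p in paths}
        self.drafts: Dict[str, str] = {}        # original path -> draft path

    @staticmethod
    def _norm(path: str) -> str:
        # Accept 'parent_cfg/child1' and '/parent_cfg/child1' alike.
        return "/" + path.strip("/")

    def ancestors(self, path: str) -> List[str]:
        parts = path.strip("/").split("/")
        return ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]

    def descendants(self, path: str) -> List[str]:
        return sorted(p for p in self.paths if p.startswith(path + "/"))

    def locked(self) -> Set[str]:
        """Every configuration frozen by an outstanding draft: the edited
        configuration together with its parents and children (assumed)."""
        out: Set[str] = set()
        for original in self.drafts:
            out.update([original, *self.ancestors(original), *self.descendants(original)])
        return out

    def can_modify(self, path: str) -> bool:
        path = self._norm(path)
        return path in self.paths and path not in self.locked()

    def edit(self, path: str) -> str:
        """config edit <cfg_path>: open the existing draft, or create one and
        lock the configuration with its parents and children."""
        path = self._norm(path)
        if path not in self.paths:
            raise KeyError(path)
        if path in self.drafts:                 # a draft exists: just open it
            return self.drafts[path]
        if path in self.locked():               # frozen by another draft
            raise PermissionError(f"{path} is locked by a draft elsewhere in its hierarchy")
        draft = path + "-draft"
        self.drafts[path] = draft
        self.paths.add(draft)
        return draft

    def _release(self, original: str) -> None:
        original = self._norm(original)
        draft = self.drafts.pop(original)
        self.paths.discard(draft)

    def commit(self, original: str) -> None:
        """draft commit: changes become permanent and the locks are released."""
        self._release(original)

    def delete_draft(self, original: str) -> None:
        """Deleting the draft also releases the locks."""
        self._release(original)


if __name__ == "__main__":
    tree = ConfigTree(["/parent_cfg", "/parent_cfg/child1", "/parent_cfg/child1/grandchild",
                       "/parent_cfg/child2", "/parent_cfg/child2/grandchild2"])
    print("draft:", tree.edit("parent_cfg/child1"))
    print("locked:", sorted(tree.locked()))
    print("child2 editable:", tree.can_modify("/parent_cfg/child2"))
```

Because the lock set is recomputed from the outstanding drafts rather than stored, committing one draft cannot accidentally unlock a parent that a second draft (for example one on /parent_cfg/child2) still depends on.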
config errors

Display configuration errors for the unit. When issued from PolicyCenter, this command displays errors for the PolicyCenter configuration currently being edited.

    config errors

Note: Configuration errors are also shown in the output of the banner show command.
config information

For PolicyCenter only

View when a specified configuration was last modified, and the user name and organization of the PolicyCenter user that made the changes.

    config information [<cfg_path>]

For example:

    config information /config1
    Configuration Information for: /config1
    Modification Details:
      User Name    : JSmith
      Organization : IT
      Date         : December 28, 2006 08:08:07 (Local Time)
config load

Load a saved configuration file (such as config.ldi). This command loads the traffic tree, partitions, policies, host lists, events, agents, basic settings (such as shaping, traffic discovery, compression, and adaptive response), security settings (such as passwords), and SNMP, SNTP, email, and Syslog settings.

    config load <path>

<path> is the location and name of a saved .ldi file. For example, to load a file named test.ldi that is in the flash disk root, use:

    config load 9.256/test

Specifying the .ldi extension is optional.

The config load command discards the current configuration and institutes the loaded configuration; it does not merge the loaded configuration with the preexisting one. The new configuration settings are then stored in 9.256/CFG/config.ldi.

Keep in mind that the .ldi file includes the unit's password, and if you load the configuration on another unit, you will change its password. If you want to load a traffic configuration on another unit without changing the password, use the class load command instead of the config load command.

Note: The PacketWise image version is stored in the .ldi file if it was set in PolicyCenter. If the image version on a unit is different from the image version stored in an .ldi file you are loading, you may see an image configuration error message after issuing the config load command in local mode. You can clear the error by giving the setup version none command. The error message does not appear in shared mode.

See also: config save
config mode

For PolicyCenter / PacketShapers in Shared Configuration Mode

Tells you whether a unit is in local or shared mode.

    config mode

Note: This command does not enable or disable the LDAP client, which is normally initialized with config setup and disabled with config unset.

See also: config setup, config unset
config mv

For PolicyCenter only

Moves a configuration to another location within the PolicyCenter configuration tree. This command copies the specified source configuration to the destination configuration name, switches any assigned units from their source sharable configuration to the new destination configuration, and deletes the source configuration. Note that you cannot move the /default configuration or the individual unit configurations of PacketShapers that have not been assigned to a sharable configuration. If the configuration is a parent configuration with child configurations, the selected configuration's child configurations will be included in the move operation.

Note: You may not move a configuration under a draft configuration, or to any configuration that has a draft anywhere in its configuration hierarchy.

The unique serial-number configuration for units running a version of PacketWise released before 7.5.0 cannot be moved from the configuration root while the unit is still assigned to that configuration, although the units themselves can be assigned to any sharable PolicyCenter configuration via the CLI command unit assign. You can, however, copy a pre-7.5.0 unit's serial-number configuration to another location, and then assign the unit to that renamed configuration.

If the source configuration name is omitted, this command will assume the current active configuration is the configuration to be moved. You must, however, specify the destination configuration path.

    config mv [<source_cfg_path>] <dest_cfg_path>

Where the <source_cfg_path> is the source configuration to be moved, and the <dest_cfg_path> is the destination for that configuration. If the first <cfg_path> value is omitted, PolicyCenter will move the current active configuration. Specify a slash (/) for the <dest_cfg_path> value to move the source configuration to the root of the configuration tree.

See also: config cp
config new

For PolicyCenter only

Creates a new, empty configuration with the given name. You can use this command to create a new configuration at the top of the configuration tree, or to add a new child configuration under an existing parent.

    config new <cfg_path>

Examples:

    config new newchild
    config new /otherparent/newchild
config publish

For PolicyCenter only

This command publishes a child configuration to its parent, replacing classes and settings in the parent configuration with classes and settings in the child configuration. The child configuration is then cleared, so it will inherit its entire configuration from the new settings of the parent. Use this command to publish discovered traffic classes to a parent configuration, or to publish a prototype configuration that should be inherited by all child configurations under the same parent. If the <cfg_path> argument is omitted, this command publishes the current active configuration.

    config publish [<cfg_path>]

Note: PolicyCenter cannot publish traffic classes from or to a draft configuration. This command will not work if either the parent or child configuration is a draft configuration.
config rm

For PolicyCenter only

Removes a configuration or group of configurations from PolicyCenter. If the configuration name is omitted, this command will assume the current active unit configuration is the configuration to be deleted.

    config rm [-r] [<cfg_path>]

This command cannot delete a configuration if it or any of its child configurations have units assigned to them. Before you delete a configuration that has a unit assigned to it, be sure to reassign the units to another configuration.

Include the -r (recursive) argument to delete both the selected configuration and all its child configurations. Omit the -r argument to delete a configuration with no children.

Note: The default configuration can't be removed.

See also: config clear
config reset

For PolicyCenter / PacketShapers in Shared Configuration Mode

This command disables the unit's connection to the directory server, returning the unit to local mode and setting the unit's sharable attributes to their factory-default state. This command does not remove any information from the directory server itself. Note that the unit's non-sharable settings (IP address, DNS and management port settings, etc.) will not be changed by this command.

    config reset

If you want to return a unit to local mode without clearing the unit's sharable attributes, use config unset instead. You may restore the previous PolicyCenter configuration at any time by resetting its connection to the directory server with the config setup command.

The config reset command will not remove a unit entry from the PolicyCenter directory server, so the unit will still appear on the PolicyCenter configurations tab. To remove the unit entry from PolicyCenter, use unit clean.

Warning: Issuing this command from the configuration for your PolicyCenter software (which typically starts with the numbers 901) will disable communication between PolicyCenter and the directory server. With this connection disabled, PolicyCenter will no longer be able to contact PacketShapers in shared mode.

See also: config setup
config save

Save the current configuration in an .ldi file.

    config save [<cfg-path>] <file> [unit]

<cfg-path>   To save a PolicyCenter configuration, specify the path of the configuration you want to save.
<file>       The filename can be up to eight characters long. You can save the file on the flash disk (9.256/) or the hard drive (9.258/) of a PacketShaper. When you issue the command from PolicyCenter, the file is saved to the directory <install_directory>/Packeteer/PolicyCenter on the PolicyCenter server. An .ldi extension is automatically added to the configuration filename if you don't specify it yourself. For example, to save the configuration in a file named test.ldi on the PacketShaper hard disk, type: config save 9.258/test
[unit]       Include the unit parameter to save only local settings on a PolicyCenter configuration. If this parameter is omitted, the config save command will save a configuration's inherited and local settings.

The configuration consists of all classes, class IDs, partitions, policies, host lists, and events. In addition, the configuration stores basic settings (such as shaping and traffic discovery), security settings (such as passwords), and SNMP, SNTP, email, and Syslog settings. Use the setup show command to see a list of sharable settings that are stored in the configuration file.

The config save and config load commands are useful for experimenting with different configuration settings. For example, you can save your current settings, make changes to the configuration (such as create new partitions or policies), and then return to the original configuration if you prefer it. You can create as many configurations as you like. This feature can also be used to share configurations with other units. You can FTP a saved configuration to the flash disk or hard drive of another PacketShaper or PacketSeeker unit and then activate it with the config load command.

Note: Keep in mind that the .ldi file includes the unit's password, and if you load the configuration on another unit, you will change its password. If you want to load a configuration on another unit without changing the password, use the class load command instead of the config load command.

See also: config load
config setup

For PolicyCenter only

Configures the unit to access shared configurations in Lightweight Directory Access Protocol (LDAP). Initializes the LDAP client to communicate with the directory server and establish the default unit configuration name. A unit's initial PolicyCenter configuration is based on its DNS name (if known) or IP address. When this command is complete, the unit will obtain its configuration from the directory server, replacing any previous local setup, policy, or other sharable configuration values. If you add the optional convert option, the configuration of the unit is preserved.

    config setup <ldap_host>[<:port>] [secure | unsecure] [<directory_server_password>] [convert]

Where:

<ldap-host>                    DNS name or IP address of a PolicyCenter Directory Server
<:port>                        TCP port number to connect to on the Directory Server
secure | nonsecure             Specify secure to establish a secure LDAP connection between the PacketShaper and the PolicyCenter directory server, or specify nonsecure for a standard LDAP connection.
<directory_server_password>    Password for the PolicyCenter directory server. This password was called the PolicyCenter Super-User password in previous versions of PacketWise.
[convert]                      Specify the convert option to convert the unit's existing configuration into a new PolicyCenter configuration with the same attributes and values. Because the unit's new PolicyCenter configuration will be based upon its previous configuration, the unit will continue to operate the same in PolicyCenter as it did in local mode. If you do not select the convert option, the unit's new PolicyCenter configuration is cleared, and will have default settings only.

If you previously issued the command config unset to disable communication between PolicyCenter and the directory server, you can issue the command

    config setup <ldap_host>[<:port>] [secure | unsecure] [<directory_server_password>]

from the PolicyCenter configuration (the configuration for the PolicyCenter software) to restore communications between PolicyCenter and the directory server. Note that this use of the config setup command doesn't support the convert option.

See also: setup reset for PolicyCenter
PacketGuide for PacketWise 8.3
121
config show
For PolicyCenter / PacketShapers in Shared Configuration Mode. Lists available PolicyCenter configurations. Depending on the subcommand, shows the available configurations and unit status information. Useful for monitoring units, verifying the PolicyCenter configuration hierarchy, or determining software image versions.

config show all|units|versions|{details <unit name>|<unit serial number>}

all       Displays a table of all units subscribing to the directory server, the configuration they are assigned to, IP address, and status. If a unit has not recently updated its status entry, the time since last update is noted as its 'Out of Contact' time. The status column reports whether a unit has found any errors in its configuration.
units     Displays a table of all units that are posting status to the directory server, with serial number, group/unit name, model, and domain name.
versions  Displays a table of all units that are posting status to the directory server, with serial number, IP address, and image version.
details   Shows all status information reported by the unit to its status entry in the directory server. You can designate the unit by its unit configuration name (e.g. '/default/austin') or its serial number (e.g. '100-10000105').

The example output below shows a configuration tree with fourteen configurations, including the configuration for the PolicyCenter server itself, configuration 901-20000132. The other configurations at the top of the configuration tree are default, branch_west, branch_east and branch_central. The branch_west, branch_east and branch_central configurations each have three child configurations with an assigned unit. The names of each of these child configurations are indented in the Configuration Name column, to show that they are child configurations under another parent. Information on the individual PacketShapers, such as unit name, IP address, Out of Contact time, and the status of the unit, is displayed beside the unit's assigned configuration.

/025-10001808# config show

Configuration Name   Unit Name      IP Address      Out Of Contact  Status
901-20000132         901-20000132   172.21.7.50                     OK
default              main_site      172.21.29.129                   OK
branch_west
  los_angeles        shaper_1       172.21.29.130                   OK
  portland           shaper_2       172.21.29.135                   OK
  san_francisco      shaper_3       172.21.29.139                   OK
branch_east
  new_york           shaper_4       172.21.18.75                    OK
  raleigh            shaper_5       172.21.18.45                    OK
  washington_dc      shaper_6       172.21.18.99                    OK
branch_central
  denver             shaper_7       172.21.25.160                   OK
  madison            shaper_8       172.21.25.170                   OK
  oklahoma_city      shaper_9       172.21.27.203                   OK
config unset
For PolicyCenter / PacketShapers in Shared Configuration Mode. This command disables directory server access for a unit, and returns the unit to local mode. The config unset command allows the unit to retain its last PolicyCenter configuration after it returns to local mode. To set the unit to local mode and return its configuration to a factory-default state, use config reset.

config unset

The config unset command will not remove a unit entry from the PolicyCenter directory server, so the unit will still appear on the PolicyCenter configurations tab. To remove the unit entry from PolicyCenter, use unit clean.

Warning: Issuing this command from the configuration for your PolicyCenter software (which typically starts with the numbers 901) will disable communication between PolicyCenter and the directory server. With this connection disabled, PolicyCenter will no longer be able to contact PacketShapers in shared mode.

See also: config reset
cp
Copy a file on the unit's flash or hard drive.

cp <file1> <file2>
date
View or set the date and/or time. When initially setting the date and time, use setup timezone.

date [<yyyymmddhhmm>[<.ss>]]

Note that this command has the same functionality as the setup date command.
dns lookup
List the IP address(es) associated with a domain name. PacketWise keeps the mapping data up to date so that when a site changes an IP address, the matching rule knows about the change.

dns lookup <hostname>

If the name that you enter is different from the canonical or official name, the canonical name record (CNAME) is displayed at the end of the address list. A canonical name record defines an alias for the official host name, facilitating the transition from an old name to a new name. Some sites return multiple addresses to a lookup query. The PacketWise classification process compares the traffic flows to the address lists when looking for a match.
dns names
List all domain names and addresses that are configured in traffic class matching rules.

dns names

Domain Name                      IP Address       TTL    Age    R Q S N C R P  Error
(luna-corp.packeteer.com)...     192.168.0.33     3600   647      Q
(m10-pat-corp.packeteer.com)...  192.168.0.207    3600   427      Q
percy.xyz.com                    (204.202.49.73)  86400  12512    Q

The resolved values are shown in parentheses. The other columns in the output are described below.

TTL: The time interval that the DNS entry may be cached before the source of the information should again be consulted.
Age: The time, in seconds, since PacketWise received the last name refresh.
R: If a name server cannot be reached, the entry's retry count is incremented. This is a high-level retry, and each one may include multiple queries to each name server. If the retry value is greater than 9, an asterisk is displayed in this column. If the retry value is zero, nothing is displayed in the column.
Q: Displays a Q if PacketWise sent a query and received a response for the name.
S: Displays an S if PacketWise learned the name's address (or vice versa) by spying on DNS traffic instead of making a query.
N: The number of successful responses received since the one containing this address. If the value is 0, nothing is displayed in the column.
C: The number of responses received before getting one without any new addresses. This is the length of a round-robin cycle. If the value is 1, nothing is displayed in the column.
R: The number of matching rules that refer to this name. It will be incremented by one while a name is being resolved. If the value is 1, nothing is displayed in this column.
P: Displays a P if PacketWise is currently resolving this name.
Error: Shows the problem (if any) encountered by the last refresh attempt. Some possible errors are:
  name not found: The authoritative server for this domain has no such name.
  server offline: The resolver could not reach the authoritative name server, either directly or indirectly through the locally-configured name servers.
  rqst refused: The name server knows (or might know) but won't tell you.
  no data record: The name exists, but does not have an address (or vice versa).
  internal error: The name server is not functioning.
dns refresh
Clear the resolved DNS values (that is, names and IP addresses) in the names database. The entries are then repopulated at the next ten-second polling interval.

dns refresh

Immediately after executing dns refresh, if you use the dns names command, the resolved values will be listed as <unknown> in the output. These entries are repopulated at the next polling interval.
dns rlookup
Find the host name associated with an IP address.

dns rlookup <ipaddress>
dns servers
List the DNS servers, their online/offline status, and the time since the servers either timed out or responded to a DNS request.

dns servers

Address       Status   Idle
192.168.0.33  on line  4
192.168.0.22  unknown
dns trace
This is a troubleshooting command that should be used only with the guidance of Customer Support.
draft commit
Merge changes made to a draft copy of a configuration into the original target configuration. After merging the changes, PolicyCenter reassigns any PacketShapers using the draft configuration back to their original target configuration, then deletes the draft. Once a draft has been committed, PolicyCenter removes the configuration locks on the draft's parent and sibling configurations, so other PolicyCenter users may edit them.

draft commit <config-draft>

Example:

draft commit myconfig-draft
draft discard
Discard a draft copy of a configuration without merging any of the changes into the original target configuration. If any PacketShapers were assigned to this draft configuration with the draft try command, you will not be able to discard the draft configuration until the units are assigned back to their original target configuration with the draft revert command. This command also removes the configuration locks on the draft's parent and sibling configurations, so other PolicyCenter users may edit them.

draft discard <config-draft>

Example:

draft discard myconfig-draft
draft revert
Reassign any PacketShapers using a draft configuration back to their original target configuration. The changes made to the draft configuration are retained, and the draft's parent and sibling configurations remain locked.

draft revert <config-draft>

Example:

draft revert myconfig-draft
draft try
For PolicyCenter only. Applies a modified draft configuration to one or more selected PacketShapers, allowing you to test the draft configuration before you apply it to a larger group of units. You re-issue this command to assign additional PacketShapers to a draft, though the draft may not be modified while any PacketShaper is trying it.

Note: The Try operation is only available for PacketShapers running PacketWise 7.5.0 or later releases.

draft try [<cfg_path>] [all | <<unit_name>|<unit_sn> <unit_name>| <unit_sn> ....>]

If you don't like the result, you can revert the PacketShapers running the draft configuration back to their original target configuration with the command draft revert. If the test goes well and you would like to make the draft changes permanent, you can commit the draft to the original configuration with the command draft commit. Once a draft configuration has been committed, all shapers running or inheriting from the target configuration will get the draft changes.
draft view
For PolicyCenter only. Change the focus of your PolicyCenter session to the selected draft configuration, but only with read access. (You will only be allowed to view, but not modify, the draft configuration.) You can also use this command to release your session's lock on a draft configuration you are finished editing, so another PolicyCenter user can access and edit the draft.

draft view [<cfg_path>]

Note: To edit and modify a draft configuration, issue the command config edit <config_path>.
du
Display the unit's flash disk usage.

du
echo
Display a line of text.

echo <string>
email queue
Display or delete messages in the email queue.

email queue show|display <message-id>|delete (<message-id>|all)

Examples:

To display the email queue:
email queue show

To display the contents of message 1:
email queue display 1

To delete all messages in the email queue:
email queue delete all
email retry
Deliver mail immediately, rather than waiting for the next retry.

email retry
email test
Verify the email configuration by sending a test message to individual recipients.

email test <recipient> [<recipient>] [<recipient>] [<recipient>]
event delete
Delete an event and all its registrations.

event delete <name>
event email
Add or delete an email recipient for event notifications.

event email add [<recipient> ... <recipient>]
event email delete [<recipient> ... <recipient>]|all

Separate recipients with a space. You can add up to four recipient addresses. To use the command-prompt mode, use:

event email add
event new
Define a new event. When you define an event, you specify a measurement variable in an expression, that is, the condition for which you want to be notified. In addition, you can define a default event-checking interval. The maximum number of events that can be defined is 32. Defined events are not active until registered.

To initiate the command-prompting mode use:

event new

You may exit 'event new' at any time by typing 'exit'
Name of the event: WebQoS
Type of object to be tested: Link, Partition, or traffic Class: (class):
Measurement Engine variable to be tested: tcp-conn-aborts%
Default checking interval [1m,1h] (1m):
Enter a relational operator. When you register this event later, you will supply a threshold on 'tcp-conn-aborts%' that triggers the event. The event can be triggered when 'tcp-conn-aborts%' becomes >, >=, <, or <= the threshold.
Relational operator ( >, >=, <, or <= ) (>):

As an alternative to the prompting mode, you can use a single command line to create an event, as follows:

event new <name> <expression> [<default checking interval>]

<name>
  Event names must begin with an alphabetic character and contain only alphabetic characters, numbers, and underscores, up to a maximum of 32 characters. Note that you cannot use hyphens in event names.

<expression>
  The expression specifies the condition that will be checked and requires adherence to the following syntax:

  <variable>[.<object type>] <relational operator> <constant>

  Where:
  <variable>.<object type> is one of the PacketWise measurement variables with an appended object type, that is, a link, partition, or class. This object type is required for most variables, those that are common to link, partition, and class objects. Some variables are unique to the object type. For example, peak-excessbps is relevant only to partitions, so it does not need the object-type qualifier in this syntax. Later, when you register the event, you will supply a specific name for the object type. For a list of measurement variables, use the measure show command.
  <relational operator> is one of the following: <, <=, =, >=, or >.
  <constant> is a placeholder for the threshold value. Use the $n syntax, for example, $1 or $2. When you register an event, you supply a value that is substituted for this constant in the expression.

  Example of an expression: tcp-rtx-pkts% > 30

<default checking interval>
  The default frequency that PacketWise will use to check for this event. When you register this event, you can substitute a different interval. For standard PacketShaper units, you can specify 1m (one minute) or 1h (one hour). For PacketShaper ISP units, you can specify 1m or 4h.

Examples:

event new NetworkInefficiency tcp-efficiency%.link<$1 1m
event new WebQos tcp-conn-aborts%.class>$1 1h

For more information about PacketWise's event feature, see Overview of Event Notification and Notify Someone of Situations of Interest.

Note: An alternative way to monitor a specific class, link, or partition and receive notification when a threshold crossing has occurred is to create User Event Emulation agents with the adaptive response feature.
event override
For PolicyCenter only. Override the inherited user event by creating a local copy of the event.

event override <event_name>

You must make a local copy of an inherited user event before you can change the user event on the child configuration.
event register
Initiate event-checking and notification for an event. The maximum number of events that can be registered at one time is 32. To use the command-prompting mode, simply use event register; otherwise use the following command syntax.

event register <event name>(<object>,<threshold>,<re-arm>) [<checking interval>] [email] [trap] [syslog] [limit=<n>]

<event name>         An existing predefined or user-defined event
<object>             The name of a link, partition, or class that is relevant to the event definition
<threshold>          The value used to trigger event notification. The value is substituted in the event's expression, which you defined with the event new command. If the condition in the expression occurs, it triggers the event notification that is registered for the event.
<re-arm>             The value that tells PacketWise that it's okay to once again send event notifications. After the initial notification occurs for the threshold crossing, additional event messages (traps, email, or syslog) will not be sent until the re-arm condition occurs. The purpose of the re-arm value is to prevent excessive event notification.
<checking interval>  The frequency at which this condition should be checked. For standard PacketShaper units, you can specify 1m (one minute) or 1h (one hour). For PacketShaper ISP units, you can specify 1m or 4h.
email|trap|syslog    The notification mechanism for this event: email, trap, or Syslog.
limit=<n>            The number of notifications to be sent within the 24-hour period from midnight to midnight. If you omit this option, the number of notifications is limitless.

Example:

event new WebQos tcp-conn-aborts%.class>$1 1h
event register WebQos(inbound/outside/http,70,50) 1m email limit=20

Note that in the above example, the event was defined with a default interval of one hour. When the event was registered, the specific class was identified with a threshold of 70%, a re-arm level of 50%, a 1-minute interval, and a limit of 20 notifications within a 24-hour period. When an event exceeds the predefined threshold value, the event is in violation and the PacketShaper will automatically send out notification. PacketShaper will also send a notification when the re-arm level is crossed, allowing you to be alerted automatically when the event has been cleared. For more information about PacketWise's event feature, see Overview of Event Notification and Notify Someone of Situations of Interest.
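The following Python model, added here as an illustration and not Packeteer code, ties the event new and event register sections together: it parses the <variable>[.<object type>] <relational operator> $n expression syntax and the <event name>(<object>,<threshold>,<re-arm>) registration syntax, then walks constructed measurement readings through the threshold, re-arm and daily-limit behaviour the text describes. The direction in which the re-arm level is compared, and the assumption that only violation messages count against limit=<n>, are not stated on the page and are marked in the comments; all readings are made up.

```python
"""Model of the `event new` / `event register` semantics described above.
Added example, not Packeteer code. Re-arm comparison direction and what the
daily limit counts are assumptions (see comments); sample values are made up.
"""
import operator
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

_OPS = {"<": operator.lt, "<=": operator.le, "=": operator.eq,
        ">=": operator.ge, ">": operator.gt}
# <variable>[.<object type>] <relational operator> $n
_EXPR_RE = re.compile(r"^\s*(?P<var>[A-Za-z][\w%-]*?)(?:\.(?P<obj>link|partition|class))?"
                      r"\s*(?P<op><=|>=|<|>|=)\s*\$(?P<slot>\d+)\s*$")
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]{0,31}$")   # alphabetic start, no hyphens, <= 32
# <event name>(<object>,<threshold>,<re-arm>) [<checking interval>] [email] [trap] [syslog] [limit=<n>]
_REG_RE = re.compile(r"^\s*(?P<name>\w+)\((?P<obj>[^,]+),(?P<thr>[^,]+),(?P<rearm>[^)]+)\)"
                     r"(?:\s+(?P<interval>1m|1h|4h))?(?P<rest>.*)$")
_INTERVALS = ("1m", "1h", "4h")   # 4h is the PacketShaper ISP option

@dataclass
class EventDef:
    name: str
    variable: str
    object_type: Optional[str]    # link, partition, class, or None for type-specific variables
    op: str
    slot: int                     # the n in $n
    interval: str

def event_new(name: str, expression: str, interval: str = "1m") -> EventDef:
    """event new <name> <expression> [<default checking interval>]"""
    m = _EXPR_RE.match(expression)
    if not _NAME_RE.match(name) or not m or interval not in _INTERVALS:
        raise ValueError(f"rejected: event new {name} {expression} {interval}")
    return EventDef(name, m["var"], m["obj"], m["op"], int(m["slot"]), interval)

@dataclass
class Registration:
    event: EventDef
    obj: str                      # e.g. inbound/outside/http
    threshold: float              # substituted for $n
    rearm: float                  # level that re-enables notification
    interval: str
    notify: frozenset             # subset of {"email", "trap", "syslog"}
    limit: Optional[int] = None   # notifications per midnight-to-midnight day
    armed: bool = True
    sent_today: int = 0
    day: Optional[date] = None

    def _rearmed(self, value: float) -> bool:
        # Assumption: > / >= events re-arm when the value falls to or below the
        # re-arm level, < / <= events when it rises to or above it.
        if self.event.op in (">", ">="):
            return value <= self.rearm
        if self.event.op in ("<", "<="):
            return value >= self.rearm
        return value != self.threshold    # "=" events: re-arm once the value moves off

    def sample(self, when: datetime, value: float) -> str:
        """Feed one measurement; returns notify, suppressed, cleared or none."""
        if self.day != when.date():       # a new 24-hour window resets the limit
            self.day, self.sent_today = when.date(), 0
        if self.armed and _OPS[self.event.op](value, self.threshold):
            self.armed = False            # no repeats until the re-arm level is crossed
            if self.limit is not None and self.sent_today >= self.limit:
                return "suppressed"
            self.sent_today += 1          # assumption: only violation messages count
            return "notify"
        if not self.armed and self._rearmed(value):
            self.armed = True
            return "cleared"              # the unit also notifies when re-arm is crossed
        return "none"

def event_register(defs: dict, line: str) -> Registration:
    """Parse one `event register` command line against the defined events."""
    m = _REG_RE.match(line)
    if not m or m["name"] not in defs:
        raise ValueError(f"rejected: event register {line}")
    ev, notify, limit = defs[m["name"]], set(), None
    for tok in m["rest"].split():
        if tok in ("email", "trap", "syslog"):
            notify.add(tok)
        elif tok.startswith("limit="):
            limit = int(tok[6:])
        else:
            raise ValueError(f"unknown option {tok!r}")
    return Registration(ev, m["obj"].strip(), float(m["thr"]), float(m["rearm"]),
                        m["interval"] or ev.interval, frozenset(notify), limit)

def demo() -> list:
    # Replays the page's WebQos example against constructed tcp-conn-aborts% readings.
    defs = {"WebQos": event_new("WebQos", "tcp-conn-aborts%.class>$1", "1h")}
    reg = event_register(defs, "WebQos(inbound/outside/http,70,50) 1m email limit=20")
    t0 = datetime(2006, 3, 1, 8, 0)
    readings = [40, 75, 80, 60, 45, 90, 72]
    return [reg.sample(t0 + timedelta(minutes=i), v) for i, v in enumerate(readings)]
```

Running demo() shows why the re-arm level matters for alert fatigue: the readings 75 and 80 produce a single notification, nothing is sent again until the value drops to the 50% re-arm level (reported as cleared), and the next excursion to 90 is then notified afresh, with the midnight-to-midnight counter enforcing limit=20.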
event reset
Reset the user events system. This command removes all user-defined events and unregisters all events (user-defined and predefined).

event reset

Note: Issuing the event reset command from the PolicyCenter command line interface can incorrectly trigger an error message stating that the operation failed, even if the operation executed correctly.
event show
Display email notification recipients, available events (both user-defined and predefined), registered events, and their status.

event show
event test-email
Verify the event email configuration with a test email.

event test-email
event unregister
Stop checking an event.

event unregister <registration-id>|all

Use event show to display the registration IDs.
exit
Log out of a PacketWise connection.

exit
frame add
Add a Frame Relay Access Device (FRAD). The frame command enables automatic configuration of Frame Relay Access Devices (FRADs).

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

frame add <address> <community>

<address> is the IP address or DNS name of the FRAD.
<community> is the SNMP community string of the FRAD.
frame community
Set a new SNMP community string on the PacketShaper. If the SNMP community read string on your local FRAD has changed from what it was when you configured the Frame Relay feature, you can use the frame community command to set the new string on the unit.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

frame community <frad> <community>

<frad> is the system name or IP address of the FRAD.
<community> is the SNMP community string of the PacketShaper.

In the interval of time before the unit has the new string, you will see that the frame show output no longer shows FRAD or PVC information. In addition, the partition show output will no longer show the min/max PVC partition sizes you might have previously set with the frame override command. However, the entire class tree will remain intact. The frame routing table will be blank. After you use this command, the unit will be able to use this new string and communicate successfully with the FRAD on the next configuration update (which happens every five minutes; or you can force it by resetting the box). The frame show command will once again show the FRAD and PVC class/partition info, including the CIR/EIR values you might have originally set using the frame override command. The partition show command will show these CIR/EIR values as the min/max of the PVC partitions and the routing table will be populated once more.
frame delete
Delete a Frame Relay Access Device.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

frame delete <frad>

<frad> is the IP address or DNS name used when the FRAD entry was created, or the Sysname (local system name) of the FRAD.

This command also deletes all traffic classes and partitions created to match the FRAD traffic. The frame delete command deletes the specified FRAD but does not clear the user-entered BGP neighbor information (that is, the static routes entered with the frame route add command). To clear out these entries you will need to issue the reset command.
frame options
Enable and disable the frame relay routing and discovery options for an existing FRAD, or set the default for all new FRADs created by subsequent frame add commands.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

frame options routing|discovery on|off default|<frad>

By default, both routing and discovery are enabled.

routing    Automatically fetch the IP routing tables for this device via SNMP and use them in the Permanent Virtual Circuit (PVC) traffic class matching rules; also, create an internal routing table in the PacketShaper.
discovery  Activate traffic discovery for all PVCs created for this frame device.
<frad>     The IP address or DNS name used when the FRAD entry was created, or the Sysname (local system name) of the FRAD.
frame override
Set Committed Information Rate (CIR) and Excess Information Rate (EIR) values for PVC partitions.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

frame override <frad> <interface-number> <dlci> off|[<cir> <eir>]

Note: After updating the CIR/EIR values with this command, reset the unit so that the new values will take effect.

Where:

<frad>              The system name of your FRAD (use frame show to get this name)
<interface-number>  The identifier of the serial interface on your FRAD associated with the given PVC (use frame show to get this number, shown in parentheses in the command output)
<dlci>              The Data Link Control Identifier (DLCI) of the given PVC
off                 The option used if CIR/EIR values have already been set via this command and you want to disable them.
<cir> <eir>         EIR, as used in PacketWise frame relay support, refers to the amount over the CIR such that CIR + EIR = maximum rate possible.

Use frame show to check CIR and EIR values. The new values will be preceded by "LMI Override:".
frame routing
Display routing tables that PacketWise has constructed based on routing information from the FRAD via SNMP polling. The FRAD must have a dynamic routing protocol enabled, and must have the routing option enabled on the PacketShaper.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

frame routing [<frad>]

If you specify a <frad>, the output shows the IP routing tables associated with the specified FRAD name or IP address. If you don't specify a <frad>, the output displays the tables for all FRADs. The output displays the subnets, the routing ID number used in the matching rule for the PVC class, and the full pathname of the PVC class. Dynamic and static routes are listed in separate tables. Routing ID numbers are chosen automatically by PacketWise, and are used to link a destination address with the PVC class to which it belongs. This command gives the same output as the frame route show command.
frame show
Display Frame Relay Access Device (FRAD) information.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

frame show [<frad>]

Specify a <frad> by IP address or DNS name; or omit the parameter to display all configured FRADs.

Example:

FRAD Address:       10.12.27.2
SysName:            frad1
Traffic Discovery:  on
Auto Routing:       on

Interface     Act  DLCI  CIR   EIR  Partitions
Name(Number)
--------------------------------------------------------------------------
Se1(3)        +    100   1.5M  0    /Inbound/frad1-Se1/PVC_100
                                    /Outbound/frad1-Se1/PVC_100
Se1(3)        +    200   1.5M  0    /Inbound/frad1-Se1/PVC_200
                                    /Outbound/frad1-Se1/PVC_200

The output shows the FRAD's interface name and hardware port number, interface status ('+' in the Act column indicates active), the DLCI, the CIR and EIR values for the PVC, and the partition names.
frame statistics
Display statistics for the frame relay PVCs and associated partitions.

Note: This command is not available on PacketShaper ISP, PacketShaper 1200, or PacketShaper 1400 Lite models.

frame statistics

The displayed rates include:

Actual  Measured at the FRAD serial interface
Part    Measured at the PacketWise partition
Target  Maximum possible rate for the partition when shaping is turned on, taking into account Forward/Backward Explicit Congestion Notification (FECN/BECN) counts and traffic on the PVC that bypasses the unit

All displayed rates are one-minute moving averages. The percentage values indicate the one-minute average percentage of frames with FECN or BECN bits set.
ftp
Start a client FTP session on a PacketShaper unit.

ftp <ipaddress>
ftpget
Use File Transfer Protocol (FTP) to copy a file from an FTP server to a Packeteer unit. The file is automatically copied in binary mode.

ftpget [<user>[:<password>]@]<host> <srcfile> <destfile>

<user> is the user name to be used when FTP logs into the <host> (the IP address or DNS name of the FTP server). If <password> is omitted, the password is transmitted empty or blank. The default user name and password if both items are omitted are user=anonymous and password=anonymous@anonymous.com.

<srcfile>   Name of the file to be retrieved; specify a path if the file is not in the server's default directory.
<destfile>  Name of the new file to be created on the PacketShaper. The filename must have an 8.3 format.

Notes:

- The full path must be specified even if the file is in the unit's root directory. For example, if 9.256/test.cmd is specified for the <destfile>, the <srcfile> will be copied to the root directory of the flash disk (9.256/) and will be named test.cmd. For more information about the drives and directories on the Packeteer unit, see Packeteer Directories.
- If <destfile> is not in 8.3 filename format, the FTP client will hang.

For example:

ftpget touch@10.10.10.10 test.cmd 9.256/test.cmd

If you want to transfer files on a regular basis, you can use the schedule command with the ftpget and ftpput commands to create a command file. See schedule new.
ftpput
Use File Transfer Protocol (FTP) to copy a file from the PacketShaper to an FTP server. The file is automatically copied in binary mode. This command is useful for transmitting PacketWise logs and diagnostic files to another machine.

ftpput [<user>[:<password>]@]<host> <srcfile> <destfile>

<user> is the user name to be used when FTP logs into the <host> (the IP address or DNS name of the FTP server). If <password> is omitted, the password is transmitted empty or blank. The default user name and password if both items are omitted are user=anonymous and password=anonymous@anonymous.com.

<srcfile>   Name of the file to be retrieved from the PacketShaper. Note: The full path must be specified even if the file is in the unit's root directory. For example, if 9.256/test.cmd is specified for the <srcfile>, the test.cmd file in the root directory of the flash disk (9.256/) will be copied. For more information about the drives and directories on the PacketShaper, see Packeteer Directories.
<destfile>  Name of the new file to be created; specify a path if you don't want to create the file in the server's default directory.
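Because a schedule command file repeats these transfers unattended, it is worth validating ftpget and ftpput arguments before they are scheduled. The Python checker below is an added example, not Packeteer code: it splits the [<user>[:<password>]@]<host> form, applies the defaults stated above (anonymous / anonymous@anonymous.com when both are omitted, an empty password when only the user is given), and checks that the file named on the PacketShaper side carries a full path and is in 8.3 form, since the text says a <destfile> outside 8.3 makes the FTP client hang. The precise 8.3 rule applied (1 to 8 name characters, an optional 1 to 3 character extension, no spaces) is an assumption; the page only names the format. Hosts and filenames in the checks are constructed.

```python
"""Pre-flight check for ftpget / ftpput arguments.
Added example, not Packeteer code. The 8.3 rule below (1-8 name characters,
optional 1-3 character extension, no spaces) is an assumption; the page
only states that the PacketShaper-side filename must be in 8.3 format.
"""
import re
from typing import List, NamedTuple, Optional

_EIGHT_THREE = re.compile(r"^[^\s./\\]{1,8}(?:\.[^\s./\\]{1,3})?$")


class FtpSpec(NamedTuple):
    user: str
    password: str
    host: str


def parse_host_spec(spec: str) -> FtpSpec:
    """'touch@10.10.10.10' -> ('touch', '', '10.10.10.10'); a bare host gets the anonymous defaults."""
    if "@" not in spec:
        return FtpSpec("anonymous", "anonymous@anonymous.com", spec)
    creds, host = spec.rsplit("@", 1)       # rsplit: the password itself may contain '@'
    user, _, password = creds.partition(":")
    if not user or not host:
        raise ValueError(f"bad host specification {spec!r}")
    return FtpSpec(user, password, host)


def check_unit_path(path: str) -> Optional[str]:
    """None if the PacketShaper-side filename looks usable, otherwise the problem."""
    if "/" not in path:
        return "full path required even for the root directory, e.g. 9.256/test.cmd"
    name = path.rsplit("/", 1)[1]
    if not _EIGHT_THREE.match(name):
        return f"{name!r} is not an 8.3 filename"
    return None


def check_ftpget(argv: List[str]) -> dict:
    """Validate `ftpget <hostspec> <srcfile> <destfile>`; <destfile> lives on the unit."""
    return _check(argv, unit_side=2)


def check_ftpput(argv: List[str]) -> dict:
    """Validate `ftpput <hostspec> <srcfile> <destfile>`; <srcfile> lives on the unit."""
    return _check(argv, unit_side=1)


def _check(argv: List[str], unit_side: int) -> dict:
    if len(argv) != 3:
        raise ValueError("expected [<user>[:<password>]@]<host> <srcfile> <destfile>")
    spec = parse_host_spec(argv[0])
    problem = check_unit_path(argv[unit_side])
    return {"user": spec.user, "password": spec.password, "host": spec.host,
            "srcfile": argv[1], "destfile": argv[2],
            "problems": [problem] if problem else []}
```

A non-empty problems list is the signal to fix the command line before it goes into a command file; the page's own example, ftpget touch@10.10.10.10 test.cmd 9.256/test.cmd, passes cleanly.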
head
Display the first few lines of a file.

head [-<number>] <filename>

The <number> refers to how many lines are displayed; the default is 10 lines.

For example, this displays the first 10 lines of the file myfile.cmd:
head myfile.cmd

This displays the first 20 lines of the file myfile.cmd:
head -20 myfile.cmd
help
List available commands. Specify a command to view its syntax and usage details.

help [<command>]
highav add
Define an access router for the access-link monitoring (high availability) feature. This feature allows PacketShaper to deal with imperfect load-balancing and has the ability to respond to the occurrence of WAN link failure. When high availability is enabled, PacketWise can adjust partitions appropriately to prevent overloading any given WAN link and to account for lost available capacity due to router or link failure. High availability has two modes: basic and advanced.

highav add <address> <community>

where

<address>    IP address of the router
<community>  SNMP community string (password) for the router

Example:

highav add 10.10.10.10 pAss4WoRD
highav community
Change the community string of a high availability router. Use this command when the community string changes after you have already defined the router with the highav add command.

highav community <address/sysname> <community>

where

<address/sysname>  The router's IP address or system name
<community>        New SNMP community string (password) for the router
highav delete
Remove an existing router from the high availability configuration.

highav delete <address/sysname>
highav disable
Disable link monitoring (basic mode) as well as link overload protection (advanced mode, if enabled).

highav disable
Adding an interface will increase the router's available bandwidth unless you have set override values. The lowest value (override versus sum of interfaces) takes precedence. For example, suppose a router has two 400K interfaces and you have set an override of 600K. If you add another 200K interface, the override will take precedence (in other words, the router's available bandwidth will still be 600K). Make sure that you adjust your override after adding a new interface.
Deleting an interface may reduce the router's available bandwidth, depending on the override value. For example, suppose a router has two 400K interfaces and you have set an override of 600K. If you then delete an interface, the router's available bandwidth would be reduced to 400K; the override would be ignored since it's greater than the sum of the router's interfaces.
highav override
Configure the inbound and outbound speed of the router. When an override is set, PacketWise uses this speed for calculating the WAN link capacity for the router, as opposed to using the sum of the interfaces. highav override <address> {<inbound-bps> <outbound-bps>} | none where <address> The routers IP address or sysname
Maximum inbound and outbound throughput that is <inbound-bps> expected to pass through the router. Rates may be <outbound-bps> specified as integer bits per second, followed by a k (thousands), M (millions), G (billions). |none To remove the override, use none.
This optional approach might be used in a situation with multiple WAN access line interfaces on a router. If you dont expect to get perfect load balancing between the interfaces, you can configure a smaller value for the router than for the sum of the interfaces. If both interfaces are up, PacketWise would use the override value for the router when calculating the WAN access line capacity available for the router. If one of the interfaces goes down, PacketWise would use the capacity configured for the active interface (the values configured with the highav interface add command).
highav show

Show current high availability configuration and status. The output indicates the overall high availability capacity as well as the settings of each interface and router.

highav show

High Availability: Mode = Basic
Access Set: In 500k Out 500k
Total Available Capacity: In 500k Out 500k
Router Address: 192.168.176.5  Active: yes  SysName: testnetrouter.packeteer.com
  Override Capacity: No Override Set
  Interface: + ET0(1) speed: 10.0M  Interface Capacity: In 200k Out 200k
Router Address: 192.168.176.2  Active: yes  SysName: router1
  Override Capacity: In 300k Out 300k
  Interface: + ET0(1) speed: 10.0M  Interface Capacity: In 200k Out 200k
  Interface: + ET2(3) speed: 1.5M   Interface Capacity: In 200k Out 200k

The table below describes the output.

High Availability         The current high availability mode (basic, advanced, or disabled).
Access Set                Inbound and outbound access link speed. In basic mode, these values are the same as Total Available Capacity. With link overload protection (a feature of advanced mode), these values are based on actual throughput observed through SNMP polling. More detailed information about observed minimum values is also listed.
Total Available Capacity  The total bps available based on the values configured for the interfaces and routers. It is the sum of the routers' capacities. A router's capacity is determined by the values set with the highav override command or by summing all the interfaces' capacities (if no override has been set). When high availability is enabled and a link becomes inactive, the Total Available Capacity will reflect this reduction of available bandwidth (that is, the inactive link's capacity will be subtracted out, assuming it is less than the override value).
Router                    The router's IP address and sysname that were configured with the highav add command, the router status (active vs. inactive), and the override capacity (if one was set with the highav override command).
Interface                 Interface name, SNMP index number, and the inbound and outbound capacities that were configured with the highav interface add command. If you see Unknown for the interface name, your router's OS may not support the ifname variable. For example, ifname was not available in Cisco IOS before v11.1. A + indicates the interface is active; a - indicates the interface is inactive. If advanced mode is enabled, the actual bps throughput (based on SNMP polling) is listed.
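The capacity rule described for highav override and highav show (override versus sum of active interfaces, lowest wins, summed over routers) as an added model, not PacketWise code. It replays the 400K/600K/200K scenarios from the text and the highav show sample above; the router address "ROUTER-IP" in the walkthrough is a placeholder.

```python
"""Capacity rules behind highav override and highav show.

Added example, not PacketWise code. It models the rule the reference states:
a router's capacity is the override if one is set, but never more than the sum
of its active interfaces, and Total Available Capacity is the sum over routers.
The router address "ROUTER-IP" in the walkthrough is a placeholder.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MULT = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_rate(text: str) -> int:
    """Rate as highav accepts it: integer bps, optionally suffixed k, M or G (case-insensitive)."""
    text = text.strip()
    suffix = text[-1].lower() if text and text[-1].lower() in "kmg" else ""
    digits = text[:-1] if suffix else text
    if not digits.isdigit():
        raise ValueError(f"rate must be an integer with an optional k/M/G suffix: {text!r}")
    return int(digits) * MULT[suffix]


@dataclass
class Interface:
    name: str
    inbound: int
    outbound: int
    active: bool = True  # highav show prints + for active and - for inactive interfaces


@dataclass
class Router:
    address: str
    interfaces: List[Interface] = field(default_factory=list)
    override: Optional[Tuple[int, int]] = None  # (inbound, outbound) set with highav override

    def capacity(self) -> Tuple[int, int]:
        """Router capacity as highav show reports it: inactive links are subtracted out."""
        active = [i for i in self.interfaces if i.active]
        in_sum = sum(i.inbound for i in active)
        out_sum = sum(i.outbound for i in active)
        if self.override is None:
            return in_sum, out_sum
        # The lowest value (override versus sum of interfaces) takes precedence.
        return min(self.override[0], in_sum), min(self.override[1], out_sum)


def total_available_capacity(routers: List[Router]) -> Tuple[int, int]:
    """Total Available Capacity line of highav show: the sum of the routers' capacities."""
    caps = [r.capacity() for r in routers]
    return sum(c[0] for c in caps), sum(c[1] for c in caps)


def iface(name: str, rate: str, active: bool = True) -> Interface:
    """Symmetric interface, as in the highav show sample (In and Out equal)."""
    bps = parse_rate(rate)
    return Interface(name, bps, bps, active)


def override_walkthrough() -> dict:
    """The three scenarios from the highav interface add/delete text (inbound values)."""
    def two_400k() -> Router:
        return Router("ROUTER-IP", [iface("ET0", "400K"), iface("ET1", "400K")],
                      override=(parse_rate("600K"), parse_rate("600K")))
    unchanged = two_400k()
    with_extra = two_400k()
    with_extra.interfaces.append(iface("ET2", "200K"))  # sum 1000K, override 600K still lowest
    one_deleted = two_400k()
    one_deleted.interfaces.pop()                        # sum 400K, now below the override
    return {
        "two_400K": unchanged.capacity()[0],
        "after_adding_200K": with_extra.capacity()[0],
        "after_deleting_one": one_deleted.capacity()[0],
    }


def highav_show_sample() -> Tuple[int, int]:
    """The routers in the highav show output above; expected In 500k Out 500k."""
    routers = [
        Router("192.168.176.5", [iface("ET0(1)", "200k")]),
        Router("192.168.176.2", [iface("ET0(1)", "200k"), iface("ET2(3)", "200k")],
               override=(parse_rate("300k"), parse_rate("300k"))),
    ]
    return total_available_capacity(routers)


if __name__ == "__main__":
    print(override_walkthrough())
    print(highav_show_sample())
```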
history

The history command displays the last 20 commands that were entered into the command line interface; each command is prefixed by a number. Any command on the history list can be executed by using the !<n> command, where <n> is the number next to the command on the history list.

history

For example, after entering history, the output lists the last 20 commands, numbered 31 through 50 in this session:

setup show
help me
dump
help class rule
help setup secure
traffic flow -tuO
traffic flow -tIPc /inbound/default
setup shaping on
setup discovery on
traffic tree
link show
class show /inbound/default
traffic bandwidth /inbound
help class new
hostdb show
sys info
traffic bandwidth
cat 9.256/log/bootlog
ls 9.258/diag
setup shaping off
setup discovery off
hl add

Add entries to an existing host list. When specifying multiple names and/or addresses, separate each with a space.

hl add <hostlist> <host> [<host> ...]

where <hostlist> is an existing host list name, and <host> can be specified in any of the following ways:

Type of <host>                 Example
Host IP address                192.168.1.10
Range of IP addresses          192.168.1.100-192.168.1.200
  (use a dash with no spaces between the low and high address in the range)
Address of the subnet          192.168.10.0/24
  (the CIDR number specifies the number of constant bits in the address range)
Range of subnet addresses      192.168.10.0-192.168.20.0/24
  (the CIDR number specifies the number of constant bits in the address range; use a dash between the low and high address in the range; spaces are not allowed before or after the dash or slash characters)
DNS name                       www.yourcompany.com
  (Note: Do not use domain names if you will be using the host list with the host sidedness feature.)

Example:

hl add competitors yourcompany.com 192.168.1.00-192.168.1.200

PacketGuide for PacketWise 8.3
hl delete

Remove one or more items from an existing host list.

hl delete <hostlist> <host> [<host> ...]

where <hostlist> is an existing host list name, and <host> can be specified in any of the following ways:

Type of <host>                 Example
Host IP address                192.168.1.10
Range of IP addresses          192.168.1.100-192.168.1.200
  (use a dash with no spaces between the low and high address in the range)
Address of the subnet          192.168.10.0/24
  (the CIDR number specifies the number of constant bits in the address range)
Range of subnet addresses      192.168.10.0-192.168.20.0/24
  (the CIDR number specifies the number of constant bits in the address range; use a dash between the low and high address in the range; spaces are not allowed before or after the dash or slash characters)
DNS name                       www.yourcompany.com

Note: You can only remove hosts the way they were originally added to the host list. For instance, suppose you add a host to the host list by specifying a single IP address. The only way to remove the host is by specifying the single address. You cannot remove this host by entering a range of addresses, a subnet, or a range of subnet addresses.
hl new

Create a host list by defining a unique name and specifying the DNS names, IP addresses, and/or subnets that should be included in the list. You can combine names and addresses in the same list. When specifying multiple names and/or addresses, separate each with a space.

hl new <hostlist> [<host> [<host> ...]]

where <hostlist> is a descriptive name, up to 127 characters; the slash (/) and backslash (\) characters may not be used. The <host> can be specified in any of the following ways:

Type of <host>                 Example
Host IP address                192.168.1.10
Range of IP addresses          192.168.1.100-192.168.1.200
  (use a dash with no spaces between the low and high address in the range)
Address of the subnet          192.168.10.0/24
  (the CIDR number specifies the number of constant bits in the address range)
Range of subnet addresses      192.168.10.0-192.168.20.0/24
  (the CIDR number specifies the number of constant bits in the address range; use a dash between the low and high address in the range; spaces are not allowed before or after the dash or slash characters)
DNS name                       www.yourcompany.com
  (Note: Do not use domain names if you will be using the host list with the host sidedness feature.)

Host lists are useful when creating classes based on hosts, defining hosts and partners that can use compression, assigning hosts to sides, retrieving host accounting data, and defining exception lists for adaptive response host agents. The hl new command accepts any addresses and/or names that are syntactically correct. It does not validate the existence of the entries. To add entries to the host list after it's created, use the hl add command.

Examples:

hl new BigGifs www.yourcompany.com 192.168.0.116
hl new insidelist
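The <host> forms accepted by hl new, hl add and hl delete, checked the way the three tables above describe them, as an added example that is not PacketWise code. It also models the hl delete note (an entry can only be removed in the form it was added in) and the hl new naming rule; the HostList class and its method names are this example's own.

```python
"""Validation of hl new / hl add / hl delete arguments (added example, not PacketWise code).

It classifies each <host> argument into the forms the hl commands accept,
enforces the rules the reference states (no spaces around - or /, list names
up to 127 characters without / or \\), and models the hl delete note: an entry
can only be removed in the same form in which it was added.
"""
import ipaddress
import re

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
FORMS = [
    ("ip", re.compile(rf"^({IPV4})$")),
    ("range", re.compile(rf"^({IPV4})-({IPV4})$")),
    ("subnet", re.compile(rf"^({IPV4})/(\d{{1,2}})$")),
    ("subnet-range", re.compile(rf"^({IPV4})-({IPV4})/(\d{{1,2}})$")),
    ("dns", re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)),
]


def classify_host(entry, for_sidedness=False):
    """Return (form, canonical value) for one <host> argument, or raise ValueError."""
    if re.search(r"\s", entry):  # spaces before/after the dash or slash are not allowed
        raise ValueError(f"spaces are not allowed in a host entry: {entry!r}")
    for form, pattern in FORMS:
        m = pattern.match(entry)
        if not m:
            continue
        if form == "ip":
            return form, str(ipaddress.IPv4Address(m.group(1)))
        if form == "range":
            lo, hi = (ipaddress.IPv4Address(g) for g in m.groups())
            if lo > hi:
                raise ValueError(f"range low address above high address: {entry!r}")
            return form, f"{lo}-{hi}"
        if form == "subnet":
            return form, str(ipaddress.IPv4Network((m.group(1), int(m.group(2))), strict=False))
        if form == "subnet-range":
            cidr = int(m.group(3))  # constant bits shared by every subnet in the range
            lo = ipaddress.IPv4Network((m.group(1), cidr), strict=False)
            hi = ipaddress.IPv4Network((m.group(2), cidr), strict=False)
            if lo.network_address > hi.network_address:
                raise ValueError(f"subnet range low address above high address: {entry!r}")
            return form, f"{lo.network_address}-{hi.network_address}/{cidr}"
        if for_sidedness:  # reference: do not use domain names with host sidedness
            raise ValueError(f"domain names cannot be used in a side list: {entry!r}")
        return form, entry.lower()
    raise ValueError(f"not a host, range, subnet, subnet range or DNS name: {entry!r}")


def validate_list_name(name):
    """hl new: a descriptive name up to 127 characters; / and \\ are not allowed."""
    if not name or len(name) > 127 or "/" in name or "\\" in name:
        raise ValueError(f"invalid host list name: {name!r}")
    return name


class HostList:
    """Keeps entries keyed by the form they were added in (hl add / hl delete semantics)."""

    def __init__(self, name, *hosts):
        self.name = validate_list_name(name)
        self.entries = set()
        for host in hosts:
            self.add(host)

    def add(self, host):
        self.entries.add(classify_host(host))

    def delete(self, host):
        key = classify_host(host)
        if key not in self.entries:  # a host added as 192.168.1.10 cannot be removed via a range or subnet
            raise KeyError(f"{host!r} was not added to {self.name} in this form")
        self.entries.remove(key)


if __name__ == "__main__":
    # hl new BigGifs www.yourcompany.com 192.168.0.116
    big_gifs = HostList("BigGifs", "www.yourcompany.com", "192.168.0.116")
    print(sorted(big_gifs.entries))
```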
hl override

For PolicyCenter / units in shared mode only.

Override an inherited host list by creating a local copy of the list.

hl override <list-name>

You must make a local copy of an inherited host list before you can change the host list on the child configuration.
hl refresh

Update the host lists with the latest data from the DNS server.

hl refresh
hl resolve

Display the addresses that are mapped to a particular host list name.

hl resolve <hostlist>

Example:

hl resolve BigGifs
ldap:///biggifs,ou=hostlists,ou=m10-pat,ou=pscfg,o=packeteer.com: 198.3.99.199, 192.168.0.116, 204.71.177.35
hl rm

Remove a host list from the directory configuration.

hl rm <hostlist>

Host lists cannot be removed if they are currently being used (for example, in a class matching rule, in a compression host or partner list, or a host side list).
hl show

Display a list of all defined host lists or show the details of a specific host list.

hl show [<list_name>]

To show all host lists and all host values:

hl show *

Host values are listed alphabetically or by top-level domain order.
both                Record data for inside and outside hosts
none                Turn off host accounting
<interval-minutes>  Number of minutes between each recorded sample (the default is 10, the minimum is 1, and the maximum is 1440 minutes)
<max-samples>       Maximum number of samples that can be stored in the host database (default is 1,000,000). This value needs to be greater than the concurrent host limit on your unit (this limit varies by model). <max-samples> may require some experimentation. Try a large number (such as 3,000,000) and see if the unit stores host data for a sufficient length of time. If it stores only three weeks of data (and you need it to store a month's worth), you'll need to increase the <max-samples> value. Bear in mind that the larger the number of samples you store, the more disk space you'll need.

Note that you cannot issue this command while the measurement engine is in the process of starting or resetting.

The building of the host accounting measurement data file can take a while; the more categories and samples you have, the longer it takes to build the file. While the file is building, you will not be able to issue any commands in the current remote login session. If you open another session while you're waiting, you can issue any command except for the measure show command. Note that any pre-existing host accounting data will be cleared when the data file is built, so make sure you retrieve your measurement data before enabling host accounting (see measure dump).

After you enable host accounting, measurement data will not begin recording until the next full interval. For example, assume <interval-minutes> is 2 and you reset the unit. When you give the measure show command, the message indicates "Measurement engine is waiting until 15:03 to start." At 15:03 all other measurement groups will begin recording, but host accounting will not begin recording until 15:04 (the next interval).

To disable recording, use:

host accounting enable none
[dns]

M/D HH:MM  (for example, 5/3 13:15 for 1:15pm on May 9)
HH:MM      (for example, 9:00 for 9am today)

You can also specify a relative date, for example, -7 for 7 days ago.

Note: If the end date is after today's date, PacketWise assumes the date you meant was last year's date. If the end date is before the current date and after the start date, PacketWise will display the requested data (if any exists).

The into literal dumps the records to the file named <file>. If <file> already exists, the records will be appended to the existing file. The to literal also dumps the records to the file named <file>, but it overwrites the contents of <file> if it already exists.

If no path is specified, the file is stored in the current directory (the flash disk, by default). To make sure you have enough disk space, you may want to specify a directory on the hard drive (9.258/). If into <file> or to <file> is omitted, the records appear on the screen.

The output contains, for each specified host, a comma-separated-values list of the total bytes recorded over the time period as well as the total for each category.

host accounting retrieve dns all from 14:12 to 14:14
# 26-Jul-2001 14:12:00 to 26-Jul-2001 14:14:00
host,bytes,web,overhead
r2.us.rmi.yahoo.com,9085,9085,0
ck101.rmi.yahoo.com,377,377,0
store.yahoo.com,1684,1684,0
...
...
10.7.6.62,42,0,0
pal.ads.vip.sc5.yahoo.com,1289,1289,0

Or, to see the total usage for the month of March for all of the hosts in a certain subnet:

host accounting retrieve 192.168.1.0/24 from 3/1 00:00 to 3/31 23:59

Note: You can also use the measure dump command to retrieve host accounting data.
hostdb cache

Display the current connections in the IP classification-accelerator cache, or list the class name and matching rule of a specific IP address in the cache. The caching feature stores qualified IP address-based classes in a cache, thereby increasing the speed at which PacketWise classifies flows on the inside of the unit. This feature is primarily used on PacketShaper ISP models. For more information about the accelerator cache, see the First Steps to Using the PacketShaper ISP.

hostdb cache [<ipaddress>]

If you don't specify an IP address, the output lists the current connections in the host cache:

hostdb cache

IP Address    Direction  Class
----------------------------------------
10.7.38.100   inbound    mysite.org
10.7.38.100   outbound   mysite.org
10.7.6.81     outbound   default
10.7.39.12    outbound   default
10.7.6.12     outbound   default
10.7.40.1     outbound   default

The following example lists details about a specific IP address (10.7.38.100) in the cache. It indicates the class name and match rule that have been cached for a particular host.

hostdb cache 10.7.38.100

Traffic Class: /Inbound/10.7.38.0/CUSTOMER/mysite.org
Match rule used for this host, 10.7.38.100:
  [1 ] inside host 10.7.38.100 any port IP outside any host any port
Traffic Class: /Outbound/10.7.38.0/CUSTOMER/mysite.org
Match rule used for this host, 10.7.38.100:
  [1 ] inside host 10.7.38.100 any port IP outside any host any port
hostdb info

Display the host IP address, average and current connections, current guaranteed and excess bandwidth, and throughput information. hostdb info shows more detailed rate information than the hostdb show command. The host database is a record of all hosts that have active connections through the unit. Once a host closes its connection, the host will be purged from the database. In addition, the unit will clear host entries if they aren't active for approximately ten minutes. Thus, the hostdb is a real-time list of hosts.

hostdb info [<sort-switch>] [<number-switch>] [<switch>|all] [<host_addr>|<host_name> [<mask>]]

[<sort-switch>]    Specify one of the following switches:
                   -sf or sortfpm   (sort hosts by flows per minute in descending order)
                   -sp or sortfail  (sort hosts by rate of failed new TCP connections)
                   -sr or sortrate  (sort hosts by current rate in descending order)
                   Note: Because the host database changes even as the hostdb info command is executed, the returned list of hosts will not always display in descending order.
[<number-switch>]  Specify the number of hosts to display: -n <number>
[<switch>|all]     Specify one of the following switches:
                   -a or active   (currently connected hosts only)
                   -o or outside  (hosts outside the unit)
                   -i or inside   (hosts inside the unit)
                   -u or unknown
                   Note: The active switch can be used in conjunction with the other switches. Or, use all to show information for all hosts in the database. When you omit the <switch>|all parameter, the command displays hosts that have accessed the unit within the last five minutes, but may not be currently connected.
[<host_addr>|<host_name>] [<mask>]

The following example shows information for all the hosts in the database:

hostdb info

IP Address         Conn  RTT    Cur    1 Min  Peak   --- New Flows Per Minute ---
                         to PS  rate   avg    rate    Client  Server  Failed
--------------------------------------------------------------------------------
12.104.153.33    O  0    --     70     71     63k        0       0       0
63.147.175.100   O  2    21ms   19k    5390   31k        0      32       0
65.174.190.201   O  2    30ms   301k   299k   773k       0       0       0
65.200.201.14    O  2    32ms   3562   15k    389k       0      32       0
179.168.0.200       0    --     0      0      0          0       0       0
192.168.0.1      O  0    --     0      0      151        0       0       0
192.168.0.4      O  0    --     0      0      0          0       0       0
192.168.0.5      O  0                                     0       0       0
192.168.0.7      I  9                                     5       1       0
192.168.0.8      O  0                                     0       0       0
192.168.0.10     O  0                                     0       0       0
192.168.0.175    I  1                                     6      18       0
192.168.0.255       0                                     0       2       0
204.127.198.4    O  0                                     0       1       0
207.171.166.25   O  1                                     0       0       0
207.171.166.102  O  1                                     0       0       0
216.148.227.68   O  0                                     0      13       0

17 entries
The displayed information includes:

IP Address            Identifies the host that is connected through the unit. This field is followed by either an I or O, indicating the location of the host (Inside or Outside) relative to the unit.
Conn                  The number of connections.
RTT to PS             The round-trip time from the host to the PacketShaper.
Cur rate              The current rate for the host in Kbps.
1 Min avg             A one-minute moving average for the host's rate in Kbps.
Peak rate             The highest rate the host's connection has reached. This is the sum of the inbound and outbound traffic, relative to the host.
New Flows Per Minute  Shows the rate of initiation of new flows from this host (as Client) and to this host (as Server). This rate can be limited via the policy flowlimit command. The Failed column shows the rate of new TCP connections per minute that the host initiated but failed, either because the host received an immediate RST response or received no response at all. IP addresses with many failed connections are good candidates for more scrutiny; they may be overloaded servers, clients initiating port scans, or systems involved as an initiator or recipient of attacks. A "+" next to a host's New Flows Per Minute value indicates load shedding is occurring or has recently occurred. For example, if the Failed column for a host lists 105+, that host has flows that are being shed. For more information about load shedding, see setup loadshedding.

Note: Since most web browsers open multiple simultaneous connections, a web policy set to 100 Kbps may actually allow, for example, 400 Kbps per PC if the browser is configured to allow four simultaneous connections. This impacts the peak flow numbers for a class.

The following example shows details about a specific host:

hostdb info 65.174.190.201
IP Address         Conn  RTT    Cur    1 Min  Peak   --- New Flows Per Minute ---
                         to PS  rate   avg    rate    Client  Server  Failed
--------------------------------------------------------------------------------
65.174.190.201   O  2    34ms   296k   301k   913k       0       0       0

In the output of the hostdb info command, some of the fields are not populated and list their values as 0. To see information about the recent throughput of known hosts, use the hostdb show command instead.

To display the top 5 bandwidth users:

IP Address         Conn  RTT    Cur    1 Min  Peak   --- New Flows Per Minute ---
                         to PS  rate   avg    rate    Client  Server  Failed
--------------------------------------------------------------------------------
65.174.190.201   O  2    30ms   298k   296k   773k       0       0       0
192.168.0.7      I  8    --     297k   299k   773k       3       0       0
207.171.166.25   O  0    88ms   1326   3811   140k       0       0       0
192.168.0.175    I  1    --     1047   779    51k        4      12       0
12.104.153.33    O  0    --     11     45     63k        0       0       0

5 entries

To find an infected host on the network, you can display the top 10 hosts that have the most failed flows during the last minute:

hostdb info -sp -n 10

To find a host that might be propagating a virus or worm, you can display the top 10 hosts with the most flows:

hostdb info -sf -n 10
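The triage the text suggests (hosts with many failed new TCP connections, or flows being shed, deserve scrutiny) applied offline to saved hostdb info output, as an added example that is not PacketWise code. The sample output below is constructed in the layout shown above; the 192.168.0.55 and 10.7.6.81 rows and their counts are invented to exercise the Failed column and the "+" marker.

```python
"""Triage helper for hostdb info output (added example, not PacketWise code).

hostdb info -sp -n 10 lists the hosts with the most failed new TCP connections;
this script parses saved output of that form and flags hosts whose Failed
column is high or carries the "+" load-shedding marker, which the reference
singles out for scrutiny (overloaded servers, port scanners, attack traffic).
"""
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample in the layout of hostdb info output; the 192.168.0.55 and
# 10.7.6.81 rows are invented to show a high Failed count and the "+" marker.
HOSTDB_INFO_SAMPLE = """\
IP Address         Conn  RTT     Cur    1 Min   Peak   --- New Flows Per Minute ---
                         to PS   rate   avg     rate    Client  Server  Failed
-------------------------------------------------------------------------------
65.174.190.201  O  2     30ms    298k   296k    773k       0       0       0
192.168.0.7     I  8     --      297k   299k    773k       3       0       0
192.168.0.55    I  3     --      1047   779     51k      240       0     105+
10.7.6.81       I  0     --      12     45      2k       180       2      96
207.171.166.25  O  0     88ms    1326   3811    140k       0      12       0
5 entries
"""


def parse_rate(text):
    """Rate column value in bps: a plain number or a number suffixed with k or M."""
    mult = {"k": 1_000, "M": 1_000_000}.get(text[-1], 1)
    number = text[:-1] if text[-1] in "kM" else text
    return int(float(number) * mult)


def parse_hostdb_info(output):
    """Turn hostdb info rows into dicts; header, separator and summary lines are skipped."""
    records = []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 9 or not IPV4.match(tokens[0]):
            continue  # header, separator or "N entries" line
        ip = tokens[0]
        side = tokens[1] if tokens[1] in ("I", "O") else None  # side column may be blank
        rest = tokens[2:] if side else tokens[1:]
        conn, rtt, cur, avg, peak, client, server, failed = rest[:8]
        records.append({
            "ip": ip,
            "side": side,
            "connections": int(conn),
            "rtt_ms": None if rtt.startswith("-") else int(rtt.rstrip("ms")),
            "cur_rate": parse_rate(cur),
            "avg_rate": parse_rate(avg),
            "peak_rate": parse_rate(peak),
            "client_fpm": int(client),
            "server_fpm": int(server),
            "failed_fpm": int(failed.rstrip("+")),
            "shedding": failed.endswith("+"),  # "+" marks load shedding on this host
        })
    return records


def top_failed(records, n):
    """Same ordering as hostdb info -sp -n <n>: most failed new TCP connections first."""
    return sorted(records, key=lambda r: r["failed_fpm"], reverse=True)[:n]


def triage(records, failed_threshold=50):
    """Flag hosts worth a closer look: many failed connections or active load shedding."""
    findings = []
    for r in records:
        reasons = []
        if r["failed_fpm"] >= failed_threshold:
            reasons.append(f"{r['failed_fpm']} failed new TCP connections/min")
        if r["shedding"]:
            reasons.append("load shedding in effect")
        if reasons:
            findings.append((r["ip"], reasons))
    return findings


if __name__ == "__main__":
    recs = parse_hostdb_info(HOSTDB_INFO_SAMPLE)
    for ip, reasons in triage(recs):
        print(ip, "-", "; ".join(reasons))
```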
hostdb rtostats

Display a list of hosts that have sent premature retransmission timeout (RTO) segments.

hostdb rtostats

On some server systems the TCP stack uses a short retransmission time interval, which causes premature RTO. This results in unnecessary packet retransmissions on low-speed links, which waste bandwidth. PacketWise controls retransmission timeouts for inbound and outbound retransmissions by discarding premature RTO segments. If PacketWise detects a premature retransmission (retx), it delays that packet for an additional time period, based on measured host latency. If an acknowledgment is received before the retransmission is to be forwarded, the retransmission is discarded.

The hostdb rtostats command shows which hosts are experiencing premature RTO. The output also indicates how often PacketWise "clamped down" on RTO segments. With this RTO clamping feature, needless retransmissions (shown as outClampedSegs and inClampedSegs in the hostdb rtostats output) are discarded. The term segment refers to a TCP datagram. RTO clamping works only when shaping is turned on.
hostdb show

Display the host IP address, estimated access speed, number of speed changes, the number of TCP and UDP flows that a specified host has processed, the amount of time the host has been idle, the status of the match rule cache, and compression status.

hostdb show [<switch>|all] [main|lower|upper|left|right] [<host_addr>|<host_name> [<mask>]]

[<switch>|all]  Specify one of the following switches:
                -a or active   (currently connected hosts only)
                -o or outside  (hosts outside the unit)
                -i or inside   (hosts inside the unit)
                -u or unknown
                When using the legacy compression feature, the following additional switches are available:
                -d or decompressor  (PacketShaper units that are decompressing)
                initiator           (hosts that are initiating legacy compression)
                recipient           (hosts that are legacy compression recipients)
                Note: The active switch can be used in conjunction with the other switches. Or, use all to show information for all hosts in the database. When you omit the <switch>|all parameter, the command displays hosts that have accessed the unit within the last five minutes, but may not be currently connected.

[main|lower|upper|left|right]  Type of PacketShaper interface to show hosts for:
                main   built-in interface
                upper  upper LEM
                lower  lower LEM
                right  right LEM
                left   left LEM

Note: No output will be displayed if both of the main LEM ports are disconnected and watch mode is enabled.

hostdb show

LEM "Main":
IP Address       Side  Speed/Effective  TCP/UDP  Idle   Cache  Compress
                                                 Time   I  O   I  R  S  NC
---------------------------------------------------------------------------
1.2.3.4          OUT   0/0              0/0      288s   ?  ?   n  n  n  n
1.255.255.255    N/A   0/0              0/0      288s   ?  ?   n  n  n  n
10.1.1.16        OUT   0/19             0/0       23s   ?  ?   n  n  n  n
10.1.1.20        OUT   0/25153          1/0       83s   ?  ?   n  n  n  n
10.1.1.27        OUT   0/510.7k         1/0       20s   ?  ?   n  n  n  n
10.1.1.45        OUT   0/876            2/0      234s   ?  ?   n  n  n  n
10.1.1.120       out   0/1              0/1        2s   ?  ?   n  n  n  n
10.100.99.32     OUT   0/170.3k         1/0       31s   ?  ?   n  n  n  n
172.21.0.20      OUT   0/394.2k         0/0       11s   ?  ?   n  n  n  n
172.21.0.84      out   0/21             0/0      202s   ?  ?   n  n  n  n
172.21.1.26      OUT   0/784            0/0      154s   ?  ?   n  n  n  n
172.21.1.58      IN    1.5M/1.5M        6/1        0s   ?  ?   n  n  n  n
172.21.1.66      in    0/0              0/0       30s   ?  ?   n  n  n  n
The displayed fields include:

IP Address  IP addresses of hosts that have communicated through the Packeteer unit.
Side        Inside or Outside host. If N/A is displayed, the traffic seen from the host is broadcast or multicast. Note: The capitalization (IN versus in and OUT versus out) indicates Packeteer's level of confidence for the host's side. If a packet's source host is seen on the inside interface, there is high confidence the host is on the inside of the PacketShaper (IN, all caps). It is then assumed with low confidence that the packet's destination host is on the outside interface (out, lowercase). If the host is set to the wrong side, you can override this setting with the hostdb side set command. Having accurate host sidedness is important for Xpress compression.
Speed       Estimated access speed of the connection in bits per second.
Effective   Effective rate.
TCP/UDP     Number of TCP connections or UDP sessions currently used by this host. If these fields contain zeroes, the host is not currently communicating through the unit.
Idle Time   Amount of time, in seconds, since a packet was received for/from the host.
Cache       The status of the match rule cache:
            I  entry has been cached for the Inbound direction
            O  entry has been cached for the Outbound direction
            ?  currently unknown whether the entry for the corresponding direction is in the cache
            N  entry cannot be cached for the corresponding direction
Compress    Indicates the type of host, with respect to legacy compression. Note: The compression information should be disregarded in enhanced tunnel mode. A "y" in a column indicates:
            I   the host is a legacy compression initiator (sending compressed data)
            R   the host is a legacy compression recipient (receiving compressed data)
            S   the host is a legacy compression PacketShaper
            NC  no legacy compression tunnel to the host was created because the host was previously defined as a recipient and then became an initiator (or vice versa). In this indeterminate state, PacketWise will not set up a compression tunnel to this host. If you see a host with the NC flag enabled, you should reset the unit.
The following example shows details about a specific PacketShaper:

hostdb show 172.21.0.85

IP Address: 172.21.0.85 OUTSIDE
Time since last touched: 8194 secs
Current References: TCP 0 UDP 0
Speed: 0 Bps  Effective: 113k Bps
Compression Type: Shaper
Tunnel Savings: 88 Bpm
Tunnel Status: Compressing (Up: 6h 39m 14s, Idle: 0s)

Notes:

- The Compression Type indicates the type of host: Shaper (PacketShaper), Initiator (a host that is sending compressed data), or Recipient (a host that is receiving compressed data). The Tunnel Savings is the bytes saved per minute, due to compression. For descriptions of Tunnel Status and Compression Status messages, see setup compression show. The compression-related columns provide information about hosts using legacy compression only; the information should be disregarded when running enhanced mode (use the tunnel remote show or tunnel local show commands instead).
hostdb side rm

Remove a host from the manually configured side list. Use this command if you no longer want a particular host assigned to a side. After you remove a host, PacketWise will determine and assign a side to the host, using its normal mechanism.

hostdb side rm list:<hostlist>|<ip-addr>|<subnet>/<cidr>|hosts|all

list:<hostlist>  Name of the host list file to be removed from the side list. Note: This does not delete the list; use the hl rm command if you want to delete the list.
<ip-addr>        Host IP address or a range of IP addresses to be removed from the side list. To specify a range, use a dash with no spaces between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).
<subnet>/<cidr>  The address of the subnet or a range of subnet addresses to be removed from the side list; the CIDR number specifies the number of constant bits in the address range. To specify a subnet range, use a dash between the low and high address in the range (for example, 192.168.10.0-192.168.20.0/24). Spaces are not allowed before or after the dash or slash characters.
hosts            Removes all individually defined IP addresses, ranges, and subnets (but not host lists).
all              Removes all hosts from the inside and outside lists, including host lists.

Note: To verify the host was removed, use the hostdb side show command.

Examples:

hostdb side rm 172.17.72.0-172.17.75.0/22
hostdb side rm list:outside_list
Notes:

- After you assign hosts to sides, you will need to enable manual side mode with the hostdb side manual command. For any host that isn't assigned to a specific side when manual side mode is enabled, PacketWise will use its normal mechanism for determining and assigning a side.
- To remove a host after you have assigned it to a side, use the hostdb side rm command.
- To view a list of hosts assigned to each side, use the hostdb side show command.
- A maximum of 32 entries can be assigned to the inside and outside. An entry can be a single IP address, a range of IP addresses, a subnet, a subnet range, or a host list. Only one host list can be assigned to a side.
- For details on using the hostdb side commands for troubleshooting purposes, see Compression Troubleshooting.

Examples:

In this example, host lists named inside_list and outside_list were created with the hl new command. inside_list contains a list of hosts and subnets that are known to be on the inside of the PacketShaper, and outside_list contains the hosts known to be on the outside of the PacketShaper.

To assign each of the hosts in inside_list an inside designation, use this command:

hostdb side set inside list:inside_list

To assign each of the hosts in outside_list an outside designation, use this command:

hostdb side set outside list:outside_list

And then enable manual mode:

hostdb side manual

Each time you assign IP addresses or subnets with the hostdb side set command, the specified hosts are added to the appropriate side; you do not overwrite previous settings. For example, the following two commands will assign two hosts to the outside:

hostdb side set outside 192.21.18.172
hostdb side set outside 192.15.17.45

However, this rule does not apply to host lists, since only one host list is allowed per side. If you assign a host list to a side that already has a host list defined, this
hostdb topusers

Determine which users are consuming the most bandwidth. You can configure PacketWise to track the Top Talkers (hosts which initiate the most traffic) and Top Listeners (hosts which receive the most traffic) for up to 12 different traffic classes.

Note: A total of 12 Top Talkers and Top Listeners (combined) can be enabled at one time.

To display statistics for the top 20 bandwidth users per traffic class, either receivers or senders, use the following commands:

hostdb topusers start <tclass> [talk|listen]
hostdb topusers stop <tclass> [talk|listen]
hostdb topusers reset <tclass> [talk|listen]
hostdb topusers show [<tclass>] [talk|listen]

start  Starts tracking top hosts (talkers or listeners) for a traffic class.
stop   Stops tracking top hosts for a traffic class.
reset  Clears the list of top users and restarts the host-tracking process.
show   Displays the hosts that have used the highest percentage of bandwidth in the class since tracking was started. The list is cleared with the hostdb topusers reset <tclass> command or when you reset the unit. A host stays on the top-20 list until another host uses more bandwidth, at which point the host may drop off the list entirely or move further down the list. For example, suppose top talkers is turned on for the Inbound/HTTP class, and cnn.com is the top consumer with 22%. If another host, yahoo.com, later consumes more bandwidth than cnn.com, yahoo.com might go to the top of the list and cnn.com would drop lower on the list.

For non-IP traffic, PacketWise does not track sessions or hosts. Therefore, traffic for non-IP protocols (IPX, AppleTalk, NetBEUI, DECnet, FNA, and SNA) will not appear in the Top Talker or Top Listener lists.

Examples

To start top listener tracking on the Outbound/HTTP class:

hostdb topusers start outbound/http listen

To see a list of top listeners in the Outbound/HTTP class:

hostdb topusers show outbound/http

Top talker not started for traffic class: /Outbound/HTTP.
Use "hostdb topusers start /Outbound/HTTP talk" to do so.
Top listener analysis for outbound class HTTP.
Duration: 00:05:01  14 active hosts.
IP Address       Percent  Name
-------------------------------------------------------
64.236.43.63       26     No such name
64.236.24.137      18     i3.cnn.net
64.236.24.4        16     www1.cnn.com
216.74.134.231     11     No such name
64.12.174.57       11     ads.web.aol.com
216.73.86.13        5     annymdvip1.doubleclick.net
216.73.87.62        5     ad.us.doubleclick.net
216.109.126.70      3     p1.weather.vip.dcn.yahoo.com
209.225.0.6         2     servedby.advertising.com
64.14.128.201       1     No such name
64.236.24.20        1     www5.cnn.com
64.215.169.64     < 1     No such name
64.215.169.48     < 1     No such name
64.215.169.49     < 1     No such name

To see which classes have topuser tracking enabled:

hostdb topusers show

2 active top user sessions.
Direction  Class  T/L       Duration
-------------------------------------
inbound    HTTP   talker    00:35:47
outbound   HTTP   listener  00:16:55
image
Upgrade to a new version, revert to a previous version, or display the current, backup, and bootloader versions. image [load|revert|show] image load [//<hostname>/]<filename> [[<user>] <passwd>] image revert image show Notes:
q
The image load command creates a backup of the current image before loading the new image. In case the image fails to load, PacketWise automatically reverts to the backup image. On PacketShaper units with 16M Flash, there may be problems reverting to the backup image. For example, suppose you start with v8.1.1, load v8.3.0, and then revert to the v8.1.1 image. This operation will perform successfully. However, if you then try to use the image revert command to switch back to v8.3.0, the command will not succeed. The workaround is to use the image load command to reload the 8.3.0 image. If you are still having problems, you can delete unnecessary files on the flash drive (9.256/).
image library
For PolicyCenter only
Show the current library of image files available for distribution from PolicyCenter to individual PacketShapers.
  image library units|policycenter [alt]
The image library units command shows the version name and type, build time and build variations for available PacketWise images. The image library policycenter command displays information for PolicyCenter executable files. Use the optional alt with either command to view additional details such as checksum, file size, the time the file was last modified, and the publishing server.
Example output of this command:
  image library units
  Name        Type  Version
  PacketWise  STD   v6.0.1g1   2003-07-09
  PacketWise        v6.1.2g1   2005-02-09

  image library policycenter
  Name     Type  Version
  PC700g1  PC    pc7.0.0g1  PolicyCenter
  PC701g1  PC    pc7.0.1g1  PolicyCenter
image prescribe
For PolicyCenter only
Prescribe an image for a PolicyCenter configuration by filename, version, or checksum. Use the image library command to determine these values for available images.
Once you prescribe an image for units assigned to a PolicyCenter configuration, do not manually load a different image on a unit until you change the image prescribed via PolicyCenter, or turn off image prescription with the image prescribe none command. Otherwise, the unit will realize that its new image is different from its prescribed image, and will re-download and reload its prescribed image during its next scheduled synchronization window.
  image prescribe <filename>|version=<version>|checksum=<checksum>|default|none|show
  <filename>         The filename of the image file you wish to prescribe to a PolicyCenter configuration.
  <version>          The version number of the image file you wish to prescribe to a PolicyCenter configuration.
  <checksum>         The checksum value of the image file you wish to prescribe to a PolicyCenter configuration.
  default|none|show  Specify default if the configuration should inherit its image from a parent configuration, or specify none if the configuration should not inherit its image. The show option shows the configuration's current effective image.
Examples:
  image prescribe std610
  image prescribe version=v6.1.0g1
  image prescribe checksum=1094692686
image subscribe
For PolicyCenter only
Configure when and how often PacketShapers assigned to a PolicyCenter configuration update image files.
  image subscribe asap|scheduled|default
The image subscribe command has the following options:
  asap       PacketShapers assigned to the configuration will automatically update their image files as soon as they are prescribed.
  scheduled  PacketShapers assigned to the configuration will wait for the image sync command before downloading prescribed files.
  default    If set to default, the PolicyCenter configuration inherits its image subscription behavior from its parent configuration.
image sync
For units in shared mode only
Issue this command from an individual PacketShaper to immediately download the image file prescribed for the unit's PolicyCenter configuration. This command is only required when the PolicyCenter configuration prescription mode has been set to scheduled with the image subscribe command.
Note: It is not necessary to issue this command if the prescription mode is currently in its default state, or has been set to asap with the image subscribe command.
  image sync
See also: image subscribe
PacketGuide for PacketWise 8.3
image update
For PolicyCenter only
Determine when PolicyCenter updates its library of available images and plug-ins from the Packeteer support website.
  image update [nightly|manual|default|now]
  nightly  PolicyCenter attempts to update its library of images and plug-ins nightly, typically during the very early hours of the morning (local time).
  manual   PolicyCenter does not automatically update its image and plug-in library until you issue the command image update now. This is the default behavior.
  default  Returns the image update mode to its default state (manual).
  now      The command image update now enables PolicyCenter to immediately begin updating its image and plug-in library.
ipfilter
Creates an IP filter that configures a PacketShaper to filter traffic based on IP address.
  ipfilter discard|onlyaccept|passthrough <device> src|dst <ipaddress> [<mask>]
  discard      Configures the IP filter to discard packets arriving on <device> with the src|dst IP address as <ipaddress>.
  onlyaccept   Configures the IP filter to only accept packets arriving on <device> with the src|dst IP address as <ipaddress>.
  passthrough  Configures the IP filter to pass through packets arriving on <device> with the src|dst IP address as <ipaddress>.
  <device>     The PacketShaper interface on which the IP filter will act. Depending on the PacketShaper model and configuration, available interfaces may include the following:
               - inside
               - outside
               - backup_inside
               - backup_outside
               - left_inside
               - left_outside
               - lower_inside
               - lower_outside
               - right_inside
               - right_outside
               - upper_inside
               - upper_outside
               To see a list of available interfaces on your PacketShaper, enter a question mark (?) as the device argument. For example: ipfilter discard ?
  src|dst      Specifies whether the IP filter applies to traffic originating from (src) or directed to (dst) the specified host.
  <ipaddress>  The IP address of the specified host
  [<mask>]     The net mask of the specified host
Note: To filter all traffic to and from a specified host, you must create an IP filter for the host as both the source (src) and destination (dst) of network traffic.
You can create up to 2,000 IP filters on a PacketShaper; filter entries are saved in the PacketShaper configuration file.
Examples
This example creates an IP filter that will discard all traffic on the upper inside interface that originates from the host with the IP address 10.1.1.14:
  ipfilter discard upper_inside src 10.1.1.14
This example creates an IP filter that will only accept traffic on the upper outside interface that originates from the host with the IP address 10.10.1.1. All other traffic not otherwise managed by an IP filter is discarded.
  ipfilter onlyaccept upper_outside src 10.10.1.1
This example creates an IP filter that allows all traffic destined for the IP address 10.1.10.1 to pass through the inside interface.
  ipfilter passthrough inside dst 10.1.10.1
Note: For each IP filter, PacketWise assigns a unique eight-character alphanumeric identifier, such as DC73DA16. These identifiers are used to specify an IP filter for removal when using the ipfilter clear command. To see a list of all configured IP filters and their identifiers, use the ipfilter show command.
See also: ipfilter clear, ipfilter iponly, ipfilter show
Command Change History
  Release  Modification
  8.2.0    Command introduced
ipfilter clear
Removes all IP filters (default) or the IP filter that you specify.
  ipfilter clear [<id>]
  ipfilter clear  Removes all IP filters.
  [<id>]          Removes the IP filter identified by <id>. To see a list of all configured IP filters and their identifiers, use the ipfilter show command.
Examples
This example removes all configured IP filters from the PacketShaper.
  ipfilter clear
This example removes only the IP filter with the identifier DC73DA16.
  ipfilter clear DC73DA16
See also: ipfilter, ipfilter iponly, ipfilter show
Command Change History
  Release  Modification
  8.2.0    Command introduced
ipfilter iponly
Configures a PacketShaper to relay only IP traffic.
  ipfilter iponly on|off
  on   Creates an IP filter that relays only IP traffic (applies to all interfaces). (Default)
  off  Configures the PacketShaper to relay both IP and non-IP traffic.
See also: ipfilter, ipfilter clear, ipfilter show
Command Change History
  Release  Modification
  8.2.0    Command introduced
ipfilter show
Shows all configured IP filters.
  ipfilter show
Returned data include the status of the ipfilter iponly setting (whether or not the PacketShaper will relay only IP or both IP and non-IP traffic), the unique identifier of the IP filter, the number of hits (instances where the IP filter rule matched a packet), and the configuration of the IP filter.
Example
In this example, the PacketShaper is configured to relay both IP and non-IP traffic, and one passthrough IP filter has been configured on the outside interface:
  ipfilter show
  Relay all traffic.
  Exclude Filters: total 1
  [DC73DA16] hits 0 Outside src 172.21.1.44 (ffffffff) --> passthru
  Include filters: total 0
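As an added example, not taken from the PacketGuide, the following Python parses ipfilter show output in the record layout shown above and reports discard filters that exist for only one direction, the situation the ipfilter note warns about (blocking a host completely needs both a src and a dst filter). The sample output, its identifiers and hit counts, the "discard" action token and the wording of the first line when iponly is on are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of "ipfilter show" output, modelled on the record layout
# in the manual: [id] hits N <device> src|dst <ip> (<hex mask>) --> <action>.
# The ids, hit counts, the "discard" action token and the first line's wording
# for iponly on are assumptions, not captured device output.
SAMPLE_SHOW = """\
Relay IP traffic only.
Exclude Filters: total 4
[DC73DA16] hits 0 Outside src 172.21.1.44 (ffffffff) --> passthru
[0A1B2C3D] hits 17 upper_inside src 10.1.1.14 (ffffffff) --> discard
[4E5F6071] hits 3 upper_inside dst 10.1.1.14 (ffffffff) --> discard
[8899AABB] hits 0 inside src 10.1.10.0 (ffffff00) --> discard
Include filters: total 0
"""

FILTER_RE = re.compile(
    r"^\[(?P<id>[0-9A-Fa-f]{8})\]\s+hits\s+(?P<hits>\d+)\s+"
    r"(?P<device>\S+)\s+(?P<dir>src|dst)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"\((?P<mask>[0-9a-fA-F]{8})\)\s+-->\s+(?P<action>\S+)\s*$"
)

MAX_FILTERS = 2000  # limit stated in the manual


def mask_to_dotted(hexmask):
    """Convert the 8-hex-digit mask printed by ipfilter show to dotted form."""
    value = int(hexmask, 16)
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_ipfilter_show(text):
    """Return (iponly, filters); filters is one dict per rule, in display order."""
    lines = text.splitlines()
    # Assumption: the first line states the iponly mode; the manual shows
    # "Relay all traffic." when both IP and non-IP traffic are relayed.
    iponly = not lines[0].startswith("Relay all traffic")
    filters = []
    for line in lines[1:]:
        m = FILTER_RE.match(line)
        if not m:
            continue  # section headers such as "Exclude Filters: total N"
        rec = m.groupdict()
        rec["hits"] = int(rec["hits"])
        rec["mask"] = mask_to_dotted(rec["mask"])
        rec["device"] = rec["device"].lower()  # output prints "Outside", CLI uses "outside"
        filters.append(rec)
    return iponly, filters


def one_way_discards(filters):
    """Discard rules that cover only src or only dst for a given device/host/mask.

    Returns [(device, ip, mask, direction_present), ...] sorted for stable output;
    each entry is a host whose other direction is still unfiltered.
    """
    seen = defaultdict(set)
    for f in filters:
        if f["action"] == "discard":
            seen[(f["device"], f["ip"], f["mask"])].add(f["dir"])
    return sorted(
        (dev, ip, mask, next(iter(dirs)))
        for (dev, ip, mask), dirs in seen.items()
        if len(dirs) == 1
    )


if __name__ == "__main__":
    iponly, rules = parse_ipfilter_show(SAMPLE_SHOW)
    print(f"iponly={iponly} filters={len(rules)}/{MAX_FILTERS}")
    for dev, ip, mask, d in one_way_discards(rules):
        print(f"discard on {dev} for {ip} mask {mask} covers only {d}")
```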
links show
Display the programmed link speeds with current link statistics (current rate, one-minute average, and peak rate).
  links show
  Interface   Speed       Cur rate  1 Min avg  Peak rate
  ---------------------------------------------------
  Inside      1000000000  7220      6178       357k
  Outside     100000000   2519      294        84k
  Management  100000000   1894      685        6294
If traffic shaping is enabled, the output will also show statistics for each direction. For instance:
  Direction  Speed    Cur rate  1 Min avg  Peak rate
  ---------------------------------------------------
  Inbound    1500000  2966      602        3821
  Outbound   1500000  1866      600        9096
Notes:
- The Inside and Outside statistics measure the traffic that enters the unit through these ports. Localhost traffic is not included in the Inside and Outside statistics.
- When compression is enabled, the Inbound/Outbound rate measurements use compressed sizes.
- Inbound accelerated traffic is measured after rate control is applied. The Inbound measurement does not include accelerated traffic that exits the PacketShaper through the Inside interface.
- The In and Out display on the LCD panel uses the same measurements as the Inbound/Outbound display in the links show command.
- The bps values for the management port represent Localhost traffic only (applicable to units with MGMT ports).
- Use the setup link command to configure the inbound and outbound link speeds.
look
Set read-only access when accessing the command-line interface. Note that this command does not set the access of the browser user interface.
  look
CLI commands that modify the PacketShaper's configuration are not available in look mode. Similarly, you cannot retrieve sensitive information or issue commands that would impact the performance of the unit, nor can you create, edit, or delete classes, policies, or partitions. You can show settings, but you cannot change them in look mode. To see what commands are available in look mode, type the first word of the command (such as setup, class, partition, or policy) and press Enter. If you have look access and attempt a command that changes the configuration, a message notifies you that the command requires touch access. To enable read-write access, use the touch command.
ls
Display flash disk or hard drive directory listings.
  ls [<directory> | <file>]...
measure backup
Back up measurement data files. After you have backed up your data files, you can use the backups in case data later becomes corrupted. You may also want to create a backup to archive all the current data on a unit. For details on restoring measurement data, see measure restore.
When you back up data files, you have the choice of backing up all measurement groups or a specific group (link day, link month, partition day, partition month, class day, or class month). Or, if you are using the host accounting feature, you can back up host accounting data.
  measure backup {link|partition|class day|month}|{host accounting}|{all groups} [compress] [<user>[:<password>]@<host>] <destfile>
  link|partition|class        Backs up a specific set of measurement variables: link, partition, or class
  day|month                   day backs up one-minute samples (of which at least a day's worth of data is stored); month backs up hourly samples (at least one month of one-hour data is stored on standard Packeteer models and at least two months of four-hour data is stored on ISP models)
  host accounting             Backs up host accounting data (if host accounting is enabled)
                              Note: Host accounting is not available on the PacketShaper 1200 or 1400 Lite models.
  all groups                  Backs up all measurement groups (link day, link month, partition day, partition month, class day, class month, and host accounting, if enabled). The data is backed up into different files with automatically generated filenames. The new filenames for the backups combine a portion of the unit's serial number with a number 0-6. For example, if the serial number is 065-10001072, the bulk backup filenames will look like this:
                                link day         00010721.dat
                                link month       00010722.dat
                                partition day    00010723.dat
                                partition month  00010724.dat
                                class day        00010725.dat
                                class month      00010726.dat
                                host accounting  00010720.dat
  [compress]                  Compresses the measurement data while uploading to an FTP server (saves disk space); the data is compressed using a proprietary compression format
  <user>[:<password>]@<host>  <user> is the user name to be used when FTP logs into the <host> (the IP address or DNS name of the FTP server). If <password> is omitted, the password is transmitted empty or blank. The default user name and password if both items are omitted are user=anonymous and password=anonymous@anonymous.com.
  <destfile>                  Name of the new file to be created on the remote FTP server; specify a path if you don't want to create the file in the user's default directory. It's a good idea to include the group and data type in the name, for example link_mo.dat for one month of link data. When using the all groups option, the destination filenames are automatically generated as described above. You can specify a destination directory for <destfile>, or to back up the files into the default directory, you can omit <destfile>. Note: You cannot back up data files onto the unit itself.
For example, to back up the hourly samples of link measurement data into a file named link_mo.dat:
  measure backup link month compress john:jester@abc.com link_mo.dat
To back up all measurement data into the directory /home/user/backups:
  measure backup all groups john:jester@ftp.example.com /home/user/backups/
Here are a few things to keep in mind:
- Some of the measurement data files are quite large (such as the one that stores class day data) and can take several minutes to back up, particularly if the FTP server is across a WAN link. Warning: While data is being backed up, the measurement engine stops recording data. Existing data will still be available for dumps and reports, but keep in mind that certain features (such as Top Ten and user events) will not function properly without current data.
- The time at which the measurement engine is stopped is used as the end time for data dumps. The measurement engine will not record any data in the intervals during which it was stopped or started. After the backup is complete, you have an opportunity to restart the measurement engine.
measure cumvar
Note: The measure cumvar command is intended as a troubleshooting tool to be used with the guidance of Customer Support.
Use this command to display a base measurement value. A base measurement variable is the accumulated value that is sampled to generate the measurement engine time-series data.
  measure cumvar <type> <element> <var>
  <type>     The element type of the element whose variable is to be viewed: link, partition, or class
  <element>  The name of the element whose variable is to be viewed: link (inbound or outbound), partition name, or class name. This command is valid for "leaf" classes only, that is, classes that do not have children. If you specify a non-leaf class, it will display a variable value of zero.
  <var>      The variable to be viewed. This may be a simple variable, the high 32 bits of a 64-bit variable, indicated by the suffix "Hi", or a particular histogram value, indicated by the suffix "[<name>]", where <name> is the histogram index name.
For example, use the measure show command to get a list of variables for a measurement type, then use measure cumvar to display the value:
  measure cumvar class outbound/outside/http class-hits
  Base value of "class-hits" on "class outbound/outside/http" is 18.
measure dump
Display a list of comma-separated measurement values at the command line or redirect the measurement data to a file. When you redirect the data to a file, you can generate graphs using a spreadsheet application. This command provides four selections for ordering the output (one is required):
  [immediate|leaf|all]  immediate dumps data for the specified class and direct child classes (not grandchildren classes)
                        leaf dumps data for leaf classes only (that is, child classes that don't have any children); this is the default setting for class data
                        all dumps data for the complete branch: the specified class, direct child classes, and all other classes that are descendants of the child classes.
                        Note: The immediate and leaf options are not applicable to link data. If classes or partitions were deleted during this measurement interval, they will appear in the output list.
                        Examples that compare immediate, leaf, and all options
  List one or more names of the elements you want to dump; that is, specific class names, partition names, links (inbound or outbound), or host IP addresses. A specific name is not required if you want to dump all link, partition, class, or host data.
  Note: As mentioned above, host accounting must be enabled in order to get measurement data on specific hosts.
  [endtime [<date>]<time>]  Specify a fixed end date and time for the data dump. The <date> should be in the format YYYYMMDD and the <time> should be in the format HHMM. The <date> is optional, but the <time> is required. If endtime is omitted, the current date and time (now) are used.
  <duration>                Time duration over which to total the values. Duration must be specified as one of: s for seconds, m for minutes, h for hours, d for days, w for weeks.
  to <file>                 Use the to literal to specify that the records should be dumped to a text file named <file>. If to <file> is omitted, the records are dumped to stdout. Note: This text file can be downloaded from PacketShaper's flash drive (9.256/) to a PC. You can then import the data into another program (such as Microsoft Excel) for further analysis.
  [sort] <var>...           Use the sort literal to sort each dumped interval by the first variable, in descending order. Specify one or more variables to dump (for example, bytes, pkts, or avg-bps). To list the available variables, specify ? for this parameter. When listing host accounting data, you can specify element, bytes, kbytes, or host accounting categories for the <var>.
Examples:
  measure dump class all inbound/http by element 1m peak-bps
  measure dump partition inbound/sales-dept by element 1d peak-bps partition-over-limit-msecs
  measure dump class outbound/ftp by element 2d avg-bps class-hits policy-hits
An example that lists host accounting data (when host accounting is enabled):
  measure dump host all by element 20m sort bytes web mail
  "time:08-May-2002 15:30:00"
  "host","bytes","web","mail"
  "10.3.10.1",6181803,6260,0
  "10.1.1.40",3922184,0,0
  "165.212.11.125",1905799,0,0
  "10.10.254.85",1479605,0,562
  "10.7.19.4",790212,16906,2073
  "10.10.254.8",557468,540480,1088
The above example lists each host that had an open connection during the time period (the last 20 minutes), the total number of bytes that each host sent and/or received, and the number of bytes transferred in the "web" and "mail" host accounting categories. (The "web" and "mail" categories were previously defined with the host accounting categories command.)
See also: measure dump by time, measure dump by var
  Name of the agent, enclosed in quotes. For example: "Outbound Default Traffic". For a list of available agent names, use the agent show command.
  [endtime [<date>]<time>]  Specify a fixed end date and time for the data dump. The <date> should be in the format YYYYMMDD and the <time> should be in the format HHMM. The <date> is optional, but the <time> is required. If endtime is omitted, the current date and time (now) are used.
  to <file>                 Use the to literal to specify that the records should be dumped to a text file named <file>. If to <file> is omitted, the records are dumped to stdout. Note: This text file can be downloaded from PacketShaper's flash drive (9.256/) to a PC. You can then import the data into another program (such as Microsoft Excel) for further analysis.
  [sort]                    Use the sort literal to sort each dumped interval by the first variable, in descending order.
  <count>                   Retrieve data for a selected number of evaluation intervals
  <duration>                Retrieve all data recorded over the selected duration. Use one of the following formats to indicate a time duration: Ns for seconds, Nm for minutes, Nh for hours, Nd for days, Nw for weeks.
  <var>                     The following measurement variables are available for each agent type:
                            agent1 variables: score-value, score-color, score-result
                            Note: Score colors are reported by the following values: 0=green, 1=red, 2=yellow, 3=blue. The score result has a value of 0 if the agent successfully measured its target. Otherwise, the score result will return an error code.
                            agent2 variables: element, sample-interval-msecs, namelist, avg-bps
                            agent3 variables: element, sample-interval-msecs, host-ip, direction, avg-bps. Direction is displayed as: 1=Inbound, 0=Outbound.
                            agent4 variables: element, sample-interval-msecs, class-id, network-efficiency
                            agent5 variables: element, sample-interval-msecs, class-id, avg-bps
Examples:
The following command dumps data by <count>, and returns the data for the past two evaluation intervals for all agents (the agent1 <cdf-type>).
  me dump agent1 all by event 2 score-value score-color score-result
  "time","agent1","score-value","score-color","score-result"
  "13-Jan-2005 03:24:00","Class ME Variables agent",0,2,0
  "13-Jan-2005 03:24:00","High Bandwidth Host",2,0,0
  "13-Jan-2005 03:24:00","Inbound Default Traffic",1,0,0
  "13-Jan-2005 03:24:00","Outbound Default Traffic",0,0,0
  "13-Jan-2005 03:24:00","Partition Utilization agent",0,0,4557
  "13-Jan-2005 03:24:00","Spoofing - Client",0,0,0
  "13-Jan-2005 03:24:00","Spoofing - Server",0,0,0
  "13-Jan-2005 03:24:00","Syn Attack - Failed Flows",0,0,0
  "13-Jan-2005 03:24:00","Traffic Performance agent",2,1,0
  "13-Jan-2005 03:23:00","Class ME Variables agent",0,2,0
  "13-Jan-2005 03:23:00","High Bandwidth Host",2,0,0
  "13-Jan-2005 03:23:00","Inbound Default Traffic",1,0,0
  "13-Jan-2005 03:23:00","Outbound Default Traffic",0,0,0
  "13-Jan-2005 03:23:00","Partition Utilization agent",0,0,4557
  "13-Jan-2005 03:23:00","Spoofing - Client",0,0,0
  "13-Jan-2005 03:23:00","Spoofing - Server",0,0,0
  "13-Jan-2005 03:23:00","Syn Attack - Failed Flows",0,0,0
  "13-Jan-2005 03:23:00","Traffic Performance agent",0,0,4557
To display data for a specific agent you can include the <agent-name>, enclosed in quotes:
  measure dump agent1 all "Inbound Traffic Performance" by event 5 score-value
  "agent1:Inbound Traffic Performance"
  "time","score-value"
  "12-Oct-2005 11:06:00",87
  "12-Oct-2005 11:05:00",100
  "12-Oct-2005 11:04:00",95
  "12-Oct-2005 11:03:01",92
  "12-Oct-2005 11:02:00",97
The command below returns data for a <duration>, displaying the last recorded minute of information for the agent3 <cdf-type> (the High Bandwidth Host agent).
  me dump agent3 all by event 1m host-ip direction avg-bps
  "21-Jul-2005 13:51:00","High Bandwidth Host",174351134,0,56
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887062186,0,1824
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887061257,0,32
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887059946,0,8
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887057727,0,40
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887062278,0,16
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887061761,0,24
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887063396,0,16
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887063331,0,16
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887057710,1,224
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887062068,0,16
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887057428,0,344
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887059941,0,8
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887061002,0,8
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887059960,0,8
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887059943,0,8
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887060739,0,8
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887064948,0,24
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887064955,0,8
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887063300,0,16
  "21-Jul-2005 13:51:00","High Bandwidth Host",2887062919,0,8
  [immediate|leaf|all]  immediate dumps data for the specified class and direct child classes (not grandchildren classes)
                        leaf dumps data for leaf classes only (that is, child classes that don't have any children); this is the default setting for class data
                        all dumps data for the complete branch: the specified class, direct child classes, and all other classes that are descendants of the child classes.
                        Note: The immediate and leaf options are not applicable to link data. If classes or partitions were deleted during this measurement interval, they will appear in the output list.
                        Examples that compare immediate, leaf, and all options
  List one or more names of the elements you want to dump; that is, specific class names, partition names, links (inbound or outbound), or host IP addresses. A specific name is not required if you want to dump all link, partition, class, or host data.
  Note: As mentioned above, host accounting must be enabled in order to get measurement data on specific hosts.
  [endtime [<date>]<time>]  Specify a fixed end date and time for the data dump. The <date> should be in the format YYYYMMDD and the <time> should be in the format HHMM. The <date> is optional, but the <time> is required. If endtime is omitted, the current date and time (now) are used.
  by time [element]  Use time to get a time-series data dump. Specify element to list the output as separate elements (links, partitions, classes, or hosts) within the time-series order. For example, when you specify element for a class, data for each class is output on a separate row.
                     Example:
                       measure dump class all inbound by time element all 1d peak-bps
                     Result:
                       "03-May-1998 15:27:02","/Inbound/Global/AppleTalk",0
                       "03-May-1998 15:27:02","/Inbound/Global/NetBIOS",12858
                     When you omit element, the output is displayed as a table, with column headers and a column for each element's data.
                     Example:
                       measure dump class all inbound by time all 1d peak-bps
                     Result:
                       "class"
                       "time","/Inbound/Global/AppleTalk-peak-bps","/Inbound/Global/NetBIOS-peak-bps"
                       "03-May-1998 15:27:02",0,25,12858
                       "02-May-1998 15:54:35",0,32,98,11966
                       "01-May-1998 15:15:33",0,4,2,15882
                       "30-Apr-1998 15:30:30",0,0,0,23965
  all|<count>|<duration>  Dump all available records for the specified interval; or dump the most recent <count> intervals; or dump all of the intervals within <duration> of the current time. Duration must be specified as one of: s for seconds, m for minutes, h for hours, d for days, w for weeks.
  Specify the interval time as one of: s for seconds, m for minutes, h for hours, d for days, w for weeks.
  to <file>               Use the to literal to specify that the records should be dumped to the file named <file>. If to <file> is omitted, the records are dumped to stdout.
  [sort]                  Use the sort literal to sort each dumped interval by the first variable, in descending order. If sort is specified, a "by time element" dump format is used, even if a "by time" format was specified.
  <var>...                Specify one or more variables to dump (for example, bytes, pkts, or avg-bps). To list the available variables, specify ? for this parameter. When listing host accounting data, you can specify bytes, kbytes, or host accounting categories for the <var>.
Examples
In the following example, the avg-bps and peak-bps variables are displayed for the Inbound partition. The duration is one week (1w) and the interval is one day (1d). In the output, each interval is a different record.
  measure dump partition all inbound by time 1w 1d avg-bps peak-bps
  "partition:/Inbound"
  "time","avg-bps","peak-bps"
  "09-Jun-2003 13:00:01",1707,2555221
  "08-Jun-2003 13:00:01",2484,1796609
  "07-Jun-2003 13:00:01",0,0
  "06-Jun-2003 13:00:01",0,0
  "05-Jun-2003 13:00:01",3436,8655317
  "04-Jun-2003 13:00:01",983,2263233
  "03-Jun-2003 13:00:01",4175,4219764
Here are some additional examples:
  measure dump class inbound/global by time 5 1h avg-bps
  measure dump class all by time 5 1h avg-bps
  measure dump class all inbound/global by time element 5 1h avg-bps
  measure dump partition all inbound by time 1d 1h avg-bps peak-bps
  measure dump class all endtime 200105261700 by time 5 1h bytes
To get data for just the /inbound and /outbound classes:
  measure dump class immediate / by time 10m 1m bytes
An example that lists host accounting data:
  measure dump host all by time 1H 10m sort bytes web mail
  "time","host","bytes","web","mail"
  ...
  "08-May-2002 14:00:00","65.54.192.248",0,0,0
  "08-May-2002 14:00:00","10.7.31.21",0,0,0
  "08-May-2002 13:50:00","10.10.254.9",18661010,51819,1091
  "08-May-2002 13:50:00","10.10.254.102",2658874,968143,8081
  ...
The above example lists, for each interval in the specified time period, the hosts that had an open connection during the interval, the total number of bytes that each host sent and/or received for the time interval (10 minutes), and the number of bytes transferred in the "web" and "mail" host accounting categories. (The "web" and "mail" categories were previously defined with the host accounting categories command.)
See also: measure dump by element, measure dump by var
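As an added example that is not part of the PacketGuide, the following Python parses the two host accounting dump layouts shown above (the "by element" dump with its single "time:" header line, and the "by time element" dump with a time column per row), then totals bytes per host and computes how much of each host's traffic falls outside the configured host accounting categories. The sample dumps, hosts and byte counts are constructed from the manual's format, not captured from a unit.

```python
import csv
from datetime import datetime

# Constructed samples in the two host accounting layouts shown in the manual:
# "by element" (one "time:" header line for the whole dump) and "by time element"
# (a time column on every row). Hosts and byte counts are made-up values.
SAMPLE_BY_ELEMENT = """\
"time:08-May-2002 15:30:00"
"host","bytes","web","mail"
"10.3.10.1",6181803,6260,0
"10.1.1.40",3922184,0,0
"10.10.254.85",1479605,0,562
"""

SAMPLE_BY_TIME_ELEMENT = """\
"time","host","bytes","web","mail"
"08-May-2002 14:00:00","65.54.192.248",0,0,0
"08-May-2002 13:50:00","10.10.254.9",18661010,51819,1091
"08-May-2002 13:50:00","10.10.254.102",2658874,968143,8081
"""

TIME_FMT = "%d-%b-%Y %H:%M:%S"  # timestamps print as 08-May-2002 15:30:00


def parse_measure_dump(text):
    """Return one dict per row: {"time": datetime, "element": str, <var>: int, ...}.

    The layout is detected from the first line; any other layout raises ValueError.
    """
    rows = list(csv.reader(line for line in text.splitlines() if line.strip()))
    if not rows:
        return []
    first = rows[0]
    records = []
    if len(first) == 1 and first[0].startswith("time:"):
        # by element: a single timestamp, then a header row, then one row per element
        when = datetime.strptime(first[0][len("time:"):], TIME_FMT)
        header = rows[1]
        for row in rows[2:]:
            rec = {"time": when, "element": row[0]}
            rec.update((name, int(val)) for name, val in zip(header[1:], row[1:]))
            records.append(rec)
    elif first[0] == "time":
        # by time element: header row, then one row per (interval, element) pair
        header = first
        for row in rows[1:]:
            rec = {"time": datetime.strptime(row[0], TIME_FMT), "element": row[1]}
            rec.update((name, int(val)) for name, val in zip(header[2:], row[2:]))
            records.append(rec)
    else:
        raise ValueError("unrecognised measure dump layout: %r" % (first,))
    return records


def top_elements(records, var="bytes", limit=5):
    """Total <var> per element across all intervals, largest first."""
    totals = {}
    for rec in records:
        totals[rec["element"]] = totals.get(rec["element"], 0) + rec[var]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


def uncategorised_bytes(records, categories=("web", "mail")):
    """Per element, bytes not attributed to any host accounting category.

    "bytes" is the host's total; the categories are the ones defined with the
    host accounting categories command, so the remainder is traffic outside them.
    """
    out = {}
    for rec in records:
        rest = rec["bytes"] - sum(rec.get(c, 0) for c in categories)
        out[rec["element"]] = out.get(rec["element"], 0) + rest
    return out


if __name__ == "__main__":
    recs = parse_measure_dump(SAMPLE_BY_TIME_ELEMENT)
    for host, total in top_elements(recs, "bytes", 3):
        print(f"{host:16} {total:>10} bytes, "
              f"{uncategorised_bytes(recs)[host]:>10} outside web/mail")
```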
  [immediate|leaf|all]  immediate dumps data for the specified class and direct child classes (not grandchildren classes)
                        leaf dumps data for leaf classes only (that is, child classes that don't have any children); this is the default setting for class data
                        all dumps data for the complete branch: the specified class, direct child classes, and all other classes that are descendants of the child classes.
                        Note: The immediate and leaf options are not applicable to link data. If classes or partitions were deleted during this measurement interval, they will appear in the output list.
                        Examples that compare immediate, leaf, and all options
  List one or more names of the elements you want to dump; that is, specific class names, partition names, links (inbound or outbound), or host IP addresses. A specific name is not required if you want to dump all link, partition, class, or host data.
  Note: As mentioned above, host accounting must be enabled in order to get measurement data on specific hosts.
  [endtime [<date>]<time>]  Specify a fixed end date and time for the data dump. The <date> should be in the format YYYYMMDD and the <time> should be in the format HHMM. The <date> is optional, but the <time> is required. If endtime is omitted, the current date and time (now) are used.
  <duration>                Time duration over which to total the values. Use one of the following: s for seconds, m for minutes, h for hours, d for days, w for weeks.
  to <file>                 Use the to literal to specify that the records should be dumped to the file named <file>. If to <file> is omitted, the records are dumped to stdout.
  [sort]                    Use the sort literal to sort each dumped interval by the first variable, in descending order. If sort is specified, a "by time element" dump format is used, even if a "by time" format was specified.
  <var>...                  Specify one or more variables to dump (for example, bytes, pkts, or avg-bps). To list the available variables, specify ? for this parameter. When listing host accounting data, you can specify bytes, kbytes, or host accounting categories for the <var>.
Examples:
  measure dump partition all /inbound/http by var 8h avg-bps peak-bps
  measure dump class /inbound/http by var 1d to daily.out avg-bps
  measure dump class all /inbound/http by var 1w sort peak-bps pkts
  "time:17-Jun-1998 18:21:48"
  "class-var","/Inbound/HTTP/Default","/Inbound/HTTP/gifs"
  "peak-bps",229729,86944
  "pkts",39,26
An example that lists host accounting data for a specific host:
  measure dump host 152.163.209.65 by var 30m sort bytes web mail
  "time:08-May-2002 15:20:00"
  "host-var","152.163.209.65"
  "bytes",2730
  "web",2316
  "mail",0
See also: measure dump by element, measure dump by time
measure reset
Reset the measurement configuration to its factory-default state. This command clears the measurement data stored on the unit's hard drive(s). Resetting may be necessary after upgrading the software. (See the last paragraph below for further explanation.)
measure reset [link|partition|class|host|<cdf-type>]
With the optional [link|partition|class|host|<cdf-type>] parameters, you can selectively clear different types of measurement data. The <cdf-type> parameter is applicable to adaptive response agents. The <cdf-type> can be one of the following:
• measurement data for all agents
• data for the High Bandwidth New App agent
• data for the High Bandwidth Host agent
• data for Traffic Performance agents
• data for Partition Utilization agents
If a parameter is not specified, all types of measurement data are cleared. After you issue the command, you are prompted to confirm your reset request. Accumulated measurement data is cleared and the unit resets. Measurement and reporting data will not be available for several minutes.
After measure reset executes, the measurement engine begins running as a background process. During the first ten minutes following the reset, do not attempt to load a new software image, as the file transfer will conflict with measurement engine processing.
You will need to reset measurement data in order to use new measurement variables introduced in new PacketWise software versions. To help you determine whether you need to reset measurement data, the output from the measure show command indicates if the measurement reset has been done. For example, if the message "A Measurement Reset of this type has not been done" appears in the measure show class output, PacketWise has detected that you upgraded to a PacketWise image that has new measurement variables of the type you listed. To enable the new variables of that type, you need to issue the measure reset class command.
PacketGuide for PacketWise 8.3
measure restore
Restore measurement data files to the measure directory on the unit's hard drive (9.258/measure). Use this command to restore data in case data became corrupted after the last backup or if you want to copy measurement data to another unit. If you are restoring measurement data files to a different unit from which they were backed up, note the following:
• The unit to which you are restoring the data must be the same model, use the same software version, and have the same specifications as the unit from which you backed up the data. For example, you can back up data from a 1024-class PacketShaper 9500 running PacketWise 8.0 software and restore it to this same model, but you cannot restore it to a 2048-class PacketShaper 9500, a 1024-class PacketShaper 6500, or a 1024-class PacketShaper 9500 running PacketWise v7.1.
• Before restoring, rename the measurement data files with the serial number of the target unit. Example: The serial number of the unit from which the files were backed up is 065-10001072. The serial number of the target unit is 065-10001183. The filename of the link day data is 00010721.dat. "1072" is the serial number portion that must be renamed. Rename 00010721.dat to 00011831.dat. Rename all the other data files in a similar fashion.
• It is recommended that you back up all the measurement data on the target unit before using the measure restore command.
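Renaming a whole set of data files by hand is error-prone, and a file that still carries the wrong unit's serial portion is easy to miss. The following Python script is an added example, not part of PacketGuide or PacketWise; it derives the rename plan from the two serial numbers and refuses files that do not belong to the source unit. It assumes, from the example above, that the serial portion is the last four digits of the serial number and that a data file name is three leading digits, the four-digit serial portion and one group digit; the function names are the example's own.

```python
import os
import re
from typing import Dict, Iterable


def serial_portion(serial: str) -> str:
    """Return the four digits of a unit serial number that appear in its data file names.
    Assumption taken from the example above: 065-10001072 -> '1072' (the last four digits)."""
    digits = re.sub(r"\D", "", serial)
    if len(digits) < 4:
        raise ValueError("serial number %r has fewer than four digits" % serial)
    return digits[-4:]


def plan_renames(filenames: Iterable[str], source_serial: str, target_serial: str) -> Dict[str, str]:
    """Map each measurement data file of the source unit to its name on the target unit.
    Assumed layout, from 00010721.dat: three leading digits, the four-digit serial portion,
    then one group digit. Files that do not look like data files are skipped; a data file
    that carries some other unit's serial portion is an error rather than silently renamed."""
    src, dst = serial_portion(source_serial), serial_portion(target_serial)
    plan: Dict[str, str] = {}
    for name in filenames:
        match = re.fullmatch(r"(\d{3})(\d{4})(\d)\.dat", name)
        if match is None:
            continue
        if match.group(2) != src:
            raise ValueError("%s does not carry the source serial portion %s" % (name, src))
        plan[name] = "%s%s%s.dat" % (match.group(1), dst, match.group(3))
    return plan


def apply_plan(plan: Dict[str, str], directory: str, dry_run: bool = True) -> int:
    """Rename the files in place; with dry_run (the default) nothing on disk is touched.
    Returns the number of files in the plan."""
    for old, new in plan.items():
        if not dry_run:
            os.rename(os.path.join(directory, old), os.path.join(directory, new))
    return len(plan)


if __name__ == "__main__":
    # Constructed file list; the serial numbers are the ones from the example above.
    backed_up = ["00010721.dat", "00010722.dat", "notes.txt"]
    for old, new in plan_renames(backed_up, "065-10001072", "065-10001183").items():
        print("%s -> %s" % (old, new))
```

Run the plan with dry_run=True first and compare it against the file list on the FTP server before renaming anything.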
If the measurement data was backed up with the compress option, the measure restore command will automatically decompress as it restores the data.
Warning: While data is being restored, the measurement engine stops recording data and measurement data will not be available for dumps or reports. In addition, certain features (such as Top Ten and user events) will not function properly without current data.
measure restore {link|partition|class month|day}|{host accounting}|{all groups} [<user>[:<password>]@<host>] [<srcfile>]
link|partition|class day|month
    Restores a specific set of measurement variables: link, partition, or class. day restores one-minute samples (data recorded in one-minute intervals); month restores hourly samples (data recorded every hour on standard models, every four hours on ISP models).
host accounting
    Restores host accounting data. Note: Host accounting is not available on the PacketShaper 1200 or 1400 Lite models.
all groups
    Restores all groups of measurement data (link day, link month, partition day, partition month, class day, class month, and host accounting, if enabled).
<user>[:<password>]@<host>
    <user> is the user name to be used when FTP logs into the <host> (the IP address or DNS name of the FTP server). If <password> is omitted, the password is transmitted empty or blank. The default user name and password if both items are omitted are user=anonymous and password=anonymous@anonymous.com.
<srcfile>
    Name of the file to be restored; specify a path if the file is not in the user's default directory. If you are restoring all groups, enter a source directory for <srcfile>, or omit <srcfile> to restore from the default directory.
For example, to restore the link data that was backed up into a file named link_mo.dat:
measure restore link month john:jester@abc.com link_mo.dat
Or, to restore all groups of measurement data that were backed up into the directory /home/user/backups:
measure restore all groups john:jester@ftp.example.com /home/user/backups
Notes:
• The time at which the measurement engine is stopped is used as the end time for data dumps. The measurement engine will not record any data in the intervals during which it was stopped or started.
• After the restoration is complete, you have an opportunity to restart the measurement engine.
Restore Failures
If the restoration process fails or gets interrupted before completion, the measurement data will not be available. You can try restoring the data again, but if you are unable to restore the data successfully, you will need to perform a measure reset on that type of data (for example, measure reset link if you were unable to restore link data).
If the measure restore command fails when restoring host accounting data (for example, you mistyped the filename or the file didn't exist), you do not need to do a measure reset. Instead, turn off host accounting and re-enable it. See host accounting enable for details.
See also: measure backup
measure show
Use the measure show command to check the measurement engine status, to see whether the measurement engine needs to be reset, or to display the details for a specific measurement type.
measure show
The resulting display indicates if the engine is running, starting, or stopped. The output displays one line of status for each element in the measurement volume. Each line contains the element type, the sample interval (m=minutes and h=hours), the number of recorded samples, and the number of samples that can be recorded.
Measurement engine is running
A complete Measurement Reset has not been done.
class day          Interval: 1m   Samples: 1474560/ 1474560
class month        Interval: 1h   Samples:  122439/  761856
link day           Interval: 1m   Samples:   20160/   20160
link month         Interval: 1h   Samples:    2436/    8928
partition day      Interval: 1m   Samples:  214396/  737280
partition month    Interval: 1h   Samples:    3424/  380928
host accounting    Interval:20m   Samples: 1000000/ 1000000
agent1 score       Interval: 1m   Samples:  223199/  223200
agent4 perf        Interval: 1m   Samples:     644/  223200
agent5 util        Interval: 1m   Samples:      69/  223200
agent2 newap       Interval: 1m   Samples:    1146/  223200
agent3 host        Interval: 1m   Samples:  223191/  223200
If the message "A complete Measurement Reset has not been done" appears in the measure show output (as shown above), PacketWise has detected that you upgraded to a PacketWise image that has new measurement variables. To enable the new variables, you need to issue the measure reset command.
• all agents
• High Bandwidth New App agent
• High Bandwidth Host agent
• Traffic Performance agents
• Partition Utilization agents
Example: measure show class
Measurement engine is running
class base interval: 60 (secs)
A Measurement Reset of this type has not been done.
class day          Interval: 1m   Samples:     438/  368640
class month        Interval: 1h   Samples:       0/  190464
If the message "A Measurement Reset of this type has not been done" appears in the measure show output (as shown above), PacketWise has detected that you upgraded to a PacketWise image that has new measurement variables of the type you listed. To enable the new variables of that type, you need to issue the measure reset [link|partition|class|host] command (for example, measure reset class in the above example).
Group:          class day
Interval time:  60 (seconds)
Interval count: 1440 (minimum)
Path:           9.258/measure/CL_DAY.dat
Samples:        max 1474560 current 1474560
Overruns:       1105612862
Last sample:    at 13-Jan-2005 03:04:00
Next sample:    13-Jan-2005 03:05:00 to near 13-Jan-2005 03:06:00
Variable(s):    element sample-interval-msecs sample-interval-overruns bytes pkts tcp-data-pkts
                tcp-retx-pkts tcp-early-retx-toss-pkts guar-rate-fails guar-rate-allocs peak-tcp-conns
                tcp-conn-inits tcp-conn-exits tcp-conn-server-refuses tcp-conn-server-ignores
                tcp-conn-aborts tcp-conn-self-denies peak-guar-rate-flows tcp-retx-bytes
                non-compressible-bytes postcompression-bytes precompression-bytes
                tunneled-postcompression-bytes tunneled-precompression-bytes class-hits policy-hits
                conn-speed-hist peak-bps license-overflows licenses-total licenses-peak
                total-delay-threshold service-level-threshold% total-delay-msec total-delay-histogram
                server-delay-msec server-delay-histogram network-delay-msec network-delay-histogram
                slow-transactions service-level-errors total-trans trans-bytes round-trip-time-msecs
                client-flood-block peak-ipdg-conns web-response-2XX web-response-3XX web-response-4XX
                web-response-5XX pkt-exchange-time-msecs pkt-exchange-time-samples sample-interval-secs
                kbytes avg-bps avg-pps tcp-retx-pkts% tcp-efficiency% tcp-early-retx-toss-pkts%
                tcp-conn-server-refuses% tcp-conn-server-ignores% tcp-conn-aborts% tcp-conn-self-denies%
                precompression-avg-bps postcompression-avg-bps compressible-bytes pkt-exchange-time-avg
                <app-availability%> server-flood-block total-delay-median total-delay-avg service-level%
                server-delay-median server-delay-avg network-delay-median network-delay-avg
                trans-bytes-avg avg-round-trip-time bytes-saved-by-compression
                bytes-saved-by-compression% <normalized-network-delay-avg>
                tunneled-postcompression-avg-bps tunneled-precompression-avg-bps
                tunneled-bytes-saved-by-compression% tunneled-compression-bandwidth-multiple%
                compression-bandwidth-multiple%
Note: Any variable, such as <normalized-network-delay-avg>, enclosed in angle brackets is experimental and may be removed from PacketWise in the future. You can use this variable, but do not type the angle brackets. Any variable enclosed in square brackets will be removed in the next version of PacketWise.
Overruns (listed in the output above) occur when the measurement daemon misses a full (1-minute) interval.
The following example displays the available variables for the measurement group agent3:
me show agent3 host
Group:          agent3 host
Interval time:  60 (seconds)
Interval count: 0 (minimum)
Path:           9.258/cmeasure/AG_HOST.dat
Samples:        max 223200 current 223186
Overruns:       1086109980
Last sample:    at 19-Jul-2005 10:17:01
Next sample:    19-Jul-2005 10:17:01 to near 19-Jul-2005 10:17:01
Variable(s):    element sample-interval-msecs host-ip direction avg-bps
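When measure show is collected from many units, the two things worth checking automatically are the "Measurement Reset ... has not been done" message (new variables are not recorded until the reset is issued) and groups whose recorded samples have reached the number that can be recorded. The following Python script is an added example, not part of PacketGuide or PacketWise; it parses the status lines into a structure and lists the full groups. The sample text is constructed from the measure show output above, and the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample, taken from the measure show output shown above.
SAMPLE_MEASURE_SHOW = """Measurement engine is running
A complete Measurement Reset has not been done.
class day          Interval: 1m   Samples: 1474560/ 1474560
class month        Interval: 1h   Samples:  122439/  761856
link day           Interval: 1m   Samples:   20160/   20160
host accounting    Interval:20m   Samples: 1000000/ 1000000
agent4 perf        Interval: 1m   Samples:     644/  223200
"""

# One status line: element type, sample interval (m or h), recorded/capacity samples.
LINE_RE = re.compile(
    r"^(?P<group>.+?)\s+Interval:\s*(?P<n>\d+)(?P<unit>[mh])\s+Samples:\s*(?P<cur>\d+)/\s*(?P<max>\d+)\s*$"
)


def parse_measure_show(text: str) -> Dict:
    """Return {"engine": "running"|"starting"|"stopped"|None, "reset_needed": bool, "groups": [...]}."""
    status: Dict = {"engine": None, "reset_needed": False, "groups": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Measurement engine is "):
            status["engine"] = line[len("Measurement engine is "):]
        elif "Measurement Reset" in line and "has not been done" in line:
            status["reset_needed"] = True
        else:
            match = LINE_RE.match(line)
            if match is None:
                continue
            current, capacity = int(match["cur"]), int(match["max"])
            minutes = int(match["n"]) * (60 if match["unit"] == "h" else 1)
            status["groups"].append({
                "group": match["group"],
                "interval_min": minutes,
                "current": current,
                "max": capacity,
                "full": current >= capacity,
                "pct_full": round(100.0 * current / capacity, 1) if capacity else None,
            })
    return status


def full_groups(status: Dict) -> List[str]:
    """Names of the groups whose recorded samples have reached the recordable maximum."""
    return [g["group"] for g in status["groups"] if g["full"]]


if __name__ == "__main__":
    parsed = parse_measure_show(SAMPLE_MEASURE_SHOW)
    print("engine:", parsed["engine"], "reset needed:", parsed["reset_needed"])
    print("full groups:", ", ".join(full_groups(parsed)))
```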
measure start
Restart the measurement engine after it has been stopped with the measure stop command.
measure start
Typically, you will be given the option to restart the ME after backing up or restoring data so you will not have to issue the measure start command yourself. However, if the unit resets in the middle of the backup or restore process, the ME will be in a suspended (stopped) state. After rebooting, you will need to restart the measurement engine with the measure start command. If a reset occurs during the restore process, you will also need to reset the measurement data for the group you were trying to restore. For example, if you were restoring class data when the unit reset, you will need to issue the measure reset class command.
After you issue the measure start command, PacketWise will begin recording measurement data (although not for the interval in which it was started).
measure stop
Stop or pause the measurement engine. The measurement engine is automatically stopped before backing up or restoring measurement data (see measure backup and measure restore) and automatically restarted after the operation is complete.
measure stop
After you issue this command, PacketWise will stop recording measurement data until you restart the measurement engine with the measure start command. Data will not be recorded for the interval in which it was stopped.
Warning: Use the measure stop command with caution. When the measurement engine is stopped, no data will be recorded. Some features, such as Top Ten and user events, will not function properly without current data.
mib
In addition to the SNMP Management Information Base (MIB) files, PacketWise supports a variety of other internal MIBs. These internal MIBs contain data such as MAC cache and DNS information. These diagnostic commands are intended to be used only under the guidance of Customer Support and are not covered in this guide. For information about the Packeteer SNMP MIB, see SNMP Overview.
mkdir
Make a directory on the unit's flash disk or hard drive.
mkdir <dir>
more
Display the named file, showing a single page and pausing before displaying the next page. More than one filename can be specified.
more [-<number>] <filename>
Providing an optional number will display the specified number of lines on one page.
mv
Move or rename a file on the unit's flash disk or hard drive.
mv <file1> <file2>
net nic
View network statistics such as packets transmitted and discarded.
net [nic {<device>}]|ip|pna
nic
    Show Ethernet statistics. The parameters inside and outside represent ports 0 and 1, respectively. To display both inside and outside statistics, omit this parameter.
ip
    Show IP statistics
pna
    Show network statistics
Device names: inside, outside, lower_inside, left_inside, lower_outside, left_outside, upper_inside, right_inside, upper_outside, right_outside, management
Note: The device numbers vary according to the number of LEMs installed. If two LEMs are installed, the above numbers are correct. If only one LEM is installed (regardless of whether it's installed in the upper/right or lower/left position), the LEM interfaces will be assigned device numbers 2 and 3. If no LEMs are installed, the management port's device number is 3.
net switchnic
For each iShaper interface, view network statistics such as packets transmitted, received, and dropped.
net switchnic [<device>]
where <device> is the interface name or number (device numbers 0, 1, 2, and 3).
Example:
iShaper# net switchnic
device Switch Port 0 (Inside)
  Link State: UP (speed = 1000M)
  Controller Type: Realtek 8366
  Switchnic0 MIB:
    [ 0] TxPackets   919815
    [ 1] RxPackets    27403
    [ 2] RxDrops          4
device Switch Port 1
  Link State: DOWN
  Controller Type: Realtek 8366
  Switchnic1 MIB:
    [ 0] TxPackets    27403
    [ 1] RxPackets   949717
    [ 2] RxDrops          0
device Switch Port 2
  Link State: UP (speed = 1000M)
  Controller Type: Realtek 8366
  Switchnic2 MIB:
    [ 0] TxPackets        0
    [ 1] RxPackets        0
    [ 2] RxDrops          0
device Switch Port 3
  Link State: UP (speed = 1000M)
  Controller Type: Realtek 8366
  Switchnic3 MIB:
    [ 0] TxPackets        0
    [ 1] RxPackets        0
    [ 2] RxDrops          0
packetcapture add
Specify the type of traffic for which you want to capture packets. The packet capture feature can capture packets for future analysis, allowing you to analyze detailed information about the packets, such as the source and destination IP addresses and protocols used. You can capture packets for traffic classes, IP addresses and ranges, subnets, host lists, port numbers and ranges, Xpress tunnels, and NICs.
packetcapture add class:<tclass> | list:<hostlist> | host:<ipaddr> | net:<ipaddr>/<cidr> | range:<low>-<high> | port:<low>-<high> | tunnel:<tunnel name> | nic:<interface pair> [<ipaddr>|<ipaddr>/<cidr>]
class:<tclass>
    Name of the traffic class. Specify the complete path if the class exists in both Inbound and Outbound. You can capture packets from multiple classes, but you must add them one class at a time. Packet capture can only capture packets for leaf classes (classes without any children). For example, if your Inbound/HTTP class has child classes (such as /Inbound/HTTP/Critical), you cannot capture packets on /Inbound/HTTP.
    Example: class:inbound/default
list:<hostlist>
    Name of the host list created with the hl new command
    Example: list:finance
host:<ipaddr>
    IP address or domain name of a host
    Examples: host:172.21.18.160, host:west.us.com
net:<ipaddr>/<cidr>
    The address of the subnet; the CIDR number specifies the number of constant bits in the address range
    Example: net:10.0.0.0/8
range:<low>-<high>
    Range of IP addresses, separated by a dash
    Example: range:192.21.18.160-192.21.18.170
port:<low>-<high>
    Range of port numbers, separated by a dash
    Examples: port:80, port:1000-3000
tunnel:<tunnel name>
    Name of the static or dynamic Xpress tunnel
    Example: tunnel:london
nic:<interface pair> [<ipaddr>|<ipaddr>/<cidr>]
    Network Interface Card (NIC), where <interface pair> is one of the following: main, lem_upper, lem_lower, lem_left, lem_right, or backup. Optionally, a host or a subnet can be specified for the NIC pair.
    Example: nic:main
When the NIC filter is used, all other filters will be removed. Two output files will be created: one for packets captured as they are received by the NIC's Inside port (xxxxxxin.dmp) and one for packets captured as they leave the NIC on its Output port (xxxxxxot.dmp). The xxxxxx part of the filename specifies the date and time of the capture file. The packetcapture limit packets command does not apply to NIC filters since this filter captures raw packets from the NIC card without any processing by the PacketShaper.
Packet capturing doesn't begin until after the feature is enabled (see packetcapture on). When you no longer want to capture packets for a filter you have added, use the packetcapture remove command.
Command Change History
Release        Modification
8.2.2, 8.3.0   Added option to filter by host or subnet at the NIC level
8.2.0          NIC filter added
8.1.1          Additional filters for IP addresses and ranges, subnets, host lists, ports, and Xpress tunnels
packetcapture off
Disable packet capture and close the log file.
packetcapture off
After packet capture is turned off, you can FTP the file to an FTP server and use a protocol analyzer such as EtherPeek to look at the contents of the file. Use the packetcapture status command to determine the filename to FTP. If you like, you can use the File Browser to download the .DMP file (see Download a File).
See also: Sniff Without a Sniffer
packetcapture on
Enable packet capture. After capture is turned on, PacketWise will create a .dmp file in TCPDump format and start capturing packets into this file.
Note: Before you can enable packet capture, you must add at least one item to the capture list (see packetcapture add). You may also want to limit the number of packets that are captured per flow (see packetcapture limit packets).
packetcapture on
The file is stored in the pktlog directory on the unit's hard drive (9.258/pktlog) and is named according to the day and time packet capture was enabled. For example, if capture was enabled on the 12th of the month at 9:02:35am, the filename would be 12090235.dmp. When NIC filters are used, two output files are created: one for packets captured as they are received by the NIC's Inside port (xxxxxxin.dmp) and one for packets captured as they leave the NIC on its Output port (xxxxxxot.dmp). The xxxxxx part of the filename specifies the date and time of the capture file.
Packets are captured until one of the following occurs:
• capturing is disabled with the packetcapture off command
• the log file reaches 99% of the maximum log file size (use the packetcapture status command to see the current and maximum log file sizes; these sizes vary by model based on the amount of memory installed in the unit)
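Because the .dmp file is in TCPDump (pcap) format, it can be sanity-checked before it is handed to a protocol analyzer: confirm the magic number, count the packet records and notice a file that was cut off, which matters when the log stopped at its size limit. The following Python script is an added example, not part of PacketGuide or PacketWise. It builds a small pcap byte string from constructed sample frames (the addresses are the example values used in this reference, not a real capture), parses the global header and packet records, tolerates a truncated final record, and decodes the DDHHMMSS.dmp naming rule described above. All function names are the example's own.

```python
import socket
import struct
from typing import Dict, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic tcpdump/libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_sample_dmp() -> bytes:
    """Constructed sample data: a minimal tcpdump-format file with two Ethernet/IPv4 frames."""
    global_header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)

    def frame(src: str, dst: str, proto: int, payload_len: int) -> bytes:
        eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        return eth + ip + b"\x00" * payload_len

    records = [(1105612862, frame("10.1.1.70", "192.21.18.160", 6, 20)),   # TCP
               (1105612863, frame("192.21.18.160", "10.1.1.70", 17, 8))]   # UDP
    out = global_header
    for ts_sec, data in records:
        out += struct.pack("<IIII", ts_sec, 0, len(data), len(data)) + data
    return out


def parse_dmp(data: bytes) -> Dict:
    """Walk the pcap records. Returns {"packets": n, "ipv4": [(ts, src, dst, proto), ...],
    "truncated": bool}; a record cut off by the end of the file sets truncated instead of raising."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:            # the same magic written big-endian
        end = ">"
    else:
        raise ValueError("not a tcpdump/pcap file (magic 0x%08x)" % magic)
    linktype = struct.unpack(end + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unexpected link type %d" % linktype)

    result: Dict = {"packets": 0, "ipv4": [], "truncated": False}
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            result["truncated"] = True
            break
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[offset:offset + 16])
        pkt = data[offset + 16:offset + 16 + incl_len]
        if len(pkt) < incl_len:
            result["truncated"] = True
            break
        offset += 16 + incl_len
        result["packets"] += 1
        # Ethernet: ethertype at 12..14; IPv4 header follows at 14 (proto at +9, src at +12, dst at +16).
        if len(pkt) >= 34 and pkt[12:14] == b"\x08\x00":
            result["ipv4"].append((ts_sec, socket.inet_ntoa(pkt[26:30]),
                                   socket.inet_ntoa(pkt[30:34]), pkt[23]))
    return result


def capture_time_from_name(filename: str) -> Tuple[int, int, int, int]:
    """12090235.dmp -> (day=12, hour=9, minute=2, second=35), per the naming rule above."""
    stem = filename.rsplit("/", 1)[-1]
    if not (stem.lower().endswith(".dmp") and len(stem) == 12 and stem[:8].isdigit()):
        raise ValueError("not a DDHHMMSS.dmp capture file name: %r" % filename)
    s = stem[:8]
    return int(s[0:2]), int(s[2:4]), int(s[4:6]), int(s[6:8])


if __name__ == "__main__":
    summary = parse_dmp(build_sample_dmp())
    print("packets:", summary["packets"], "truncated:", summary["truncated"])
    for ts_sec, src, dst, proto in summary["ipv4"]:
        print(ts_sec, src, "->", dst, "proto", proto)
    print("12090235.dmp enabled on day/h/m/s:", capture_time_from_name("12090235.dmp"))
```

The NIC-filter files (xxxxxxin.dmp, xxxxxxot.dmp) have a different name layout that this reference does not spell out, so the name decoder deliberately rejects them rather than guessing.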
packetcapture remove
Remove a filter that was added to the packet capture list (using the packetcapture add command).
packetcapture remove class:<tclass> | list:<hostlist> | host:<ipaddr> | net:<ipaddr>/<cidr> | range:<low>-<high> | port:<low>-<high> | tunnel:<tunnel name> | nic:<interface pair>
class:<tclass>
    Name of the traffic class. Specify the complete path if the class exists in both Inbound and Outbound.
    Example: class:inbound/default
list:<hostlist>
    Name of the host list
    Example: list:finance
host:<ipaddr>
    IP address or domain name of a host
    Examples: host:172.21.18.160, host:west.us.com
net:<ipaddr>/<cidr>
    The address of the subnet; the CIDR number specifies the number of constant bits in the address range
    Example: net:10.0.0.0/8
range:<low>-<high>
    Range of IP addresses, separated by a dash
    Example: range:192.21.18.160-192.21.18.170
port:<low>-<high>
    Range of port numbers, separated by a dash
    Examples: port:80, port:1000-3000
tunnel:<tunnel name>
    Name of the static or dynamic Xpress tunnel
    Example: tunnel:london
nic:<interface pair>
    Network Interface Card (NIC), where <interface pair> is one of the following: main, lem_upper, lem_lower, lem_left, lem_right, or backup
    Example: nic:main
To see a list of the current packet capture filters, use the packetcapture status command.
Command Change History
Release   Modification
8.2.0     NIC filter added
8.1.1     Additional filters for IP addresses and ranges, subnets, host lists, ports, and Xpress tunnels
packetcapture status
List the current packet capture settings. The status report indicates whether packet capture is enabled, the name and location of the log file, the file format, the maximum and current size of the log file, the number of packets in the current log file, and which items are being logged.
packetcapture status
Example output:
Packet capture status:    OK
Packet capture:           On - Logging
Log file directory:       9.258/pktlog
Log file name:            15153739.dmp
Log file format:          tcpdump
Maximum log size:         12582912 bytes
Current log size:         640 bytes (0%)
Packets in current log:   8
Captured option(s):       IP Host: 10.1.1.70 Subnet mask 255.255.255.255
                          class:/Inbound/Default
                          Port Range: 80 - 80
                          IP Range: 192.21.18.160-192.31.18.170
Captured tunnel(s):       none
Notes:
• The maximum log size is a predetermined fixed amount, based on the amount of memory in your unit, as well as other features that use memory (such as the number of concurrent flows).
• When a NIC filter is configured, the packetcapture status output will show the status of two output files: one for the Inside port and one for the Outside.
partition apply
Create a static partition for a traffic class.
partition apply <tclass> <minBps>|<minPct>|uncommitted [<maxBps>|<maxPct>|none|fixed]
<tclass>
    This traffic class and all of its children are partitioned together (those that are not already separately partitioned), so this traffic class becomes the root of a partitioned subtree of traffic classes.
<minBps>|<minPct>|uncommitted
    The minimum size of the new partition, specified in bits per second (minBps) or as a percentage of the parent partition's minimum size (minPct). If <minPct> is used, you must include the percent sign (for example, 10%). See Sizing a Static Partition for additional details and examples. The minimum partition size is 1000 bps (1024 bps on PacketShaper 3500, 7500, 9500, and 10000 models). The sum of all the partitions within either Inbound or Outbound can exceed the link size, allowing you to oversubscribe the link. Use the literal uncommitted to indicate that the guaranteed minimum allocation is whatever is not committed to other partitions. Normally uncommitted is used only by the default Inbound and Outbound partitions.
<maxBps>|<maxPct>|none|fixed
    Limit the maximum bandwidth used by a burstable partition. The maximum can be specified in bits per second (maxBps) or as a percentage of the parent maximum (maxPct). If <maxPct> is used, you must include the percent sign (for example, 10%). The maximum must be greater than the minimum. Specify none to allow the partition to use any available bandwidth. Specify fixed to prevent a partition from exceeding the <minBps> or <minPct> size. If you do not specify burstable or fixed, the partition defaults to burstable.
Notes:
• In order for partitions to take effect, traffic shaping must be enabled. See setup shaping.
• When creating partitions, make sure you don't allocate bandwidth in such a way that Inbound/Default and Outbound/Default get starved, that is, there is no bandwidth available for these classes. If this happens, traffic classification and policies may not work as expected.
Examples:
Create an inbound burstable partition (no maximum limit specified) of 10000 bps:
partition apply inbound/outside/http 10k
Create an inbound burstable partition of 20000 bps with the ability to borrow additional bandwidth from other partitions, if it is available, up to 30000 bps:
partition apply inbound/outside/http 20k 30k
Create a burstable partition for SAP that is 30% of the link (Inbound partition) size, with a maximum size of 40%:
partition apply inbound/sap 30% 40%
In the above example, if the link size is 1.5 Mbps, the SAP partition would get a minimum of 450 Kbps and a maximum of 600 Kbps.
Maximum amount of bandwidth to be assigned to each subpartition, specified in bits per second (maxBps) or as a percentage of the parent partition's size (maxPct). If <maxPct> is used, you must include the percent sign (for example, 10%). Specify a <maxBps> value if you want to enforce a cap on each user or subnet even if more bandwidth is available. Managed bandwidth service providers are most frequently in this position, needing to cut off usage at agreed-upon, paid-for limits. If you don't want a maximum, specify none. Specify fixed to prevent a subpartition from exceeding the <minBps> or <minPct> size. Even if this field is left blank, the limit on the static, parent partition still restricts the total bandwidth for the aggregate of all subpartitions.
To create a dynamic partition which handles traffic for a subnet:
partition dynamic apply <tclass> per-subnet /<cidr> <side> <minBps>|<minPct> <maxBps>|<maxPct>|none
<tclass>
    Name of the traffic class having a static partition you would like to subdivide for each user
/<cidr>
    CIDR number specifying the number of constant bits in the address range
<side>
    Side (inside or outside) of the Packeteer unit on which the user is located
<minBps>|<minPct>
    Minimum amount of bandwidth to be assigned to each user, specified in bits per second (minBps) or as a percentage of the parent partition's size (minPct). If <minPct> is used, you must include the percent sign (for example, 10%). The minimum subpartition size is 1000 bps (1024 bps on PacketShaper 3500, 7500, 9500, and 10000 models). Use the literal uncommitted to indicate that the guaranteed minimum allocation is whatever is not committed to other partitions. Set this field to zero (0) to have PacketWise allocate bandwidth equitably to each subpartition, so that the total of all subpartitions equals the static partition's size.
    Note: Minimum subpartition size is usually best handled by setting this field to zero and setting a maximum number of subpartitions (using the partition dynamic cap command). However, you must use a non-zero size if you want to implement per-session guaranteed rates within rate policies for this same traffic.
<maxBps>|<maxPct>|none
    Maximum amount of bandwidth to be assigned to each subpartition, specified in bits per second (maxBps) or as a percentage of the parent partition's size (maxPct). If <maxPct> is used, you must include the percent sign (for example, 10%). Specify a maximum value if you want to enforce a cap on each user or subnet even if more bandwidth is available. Managed bandwidth service providers are most frequently in this position, needing to cut off usage at agreed-upon, paid-for limits. If you don't want a maximum, specify none. Specify fixed to prevent a subpartition from exceeding the <minBps> or <minPct> size. Even if this field is left blank, the limit on the static, parent partition still restricts the total bandwidth for the aggregate of all subpartitions.
After the dynamic partition is set up, whenever a new user begins generating flows in that class, a subpartition will be created for the user on the fly. The per-user partition remains in existence until it's reused for new flows by the same user or needed by another user. A subpartition may be given to another user if there have not been any recent flows in the partition. To be more precise, a subpartition may be given to another user if 30 seconds have passed without any flows or if it's been five minutes since an established flow has sent any packets.
Maximum amount of bandwidth in the overflow partition, specified in bits per second (overflowMaxBps) or as a percentage of the parent partition's size (overflowMaxPct). If <overflowMaxPct> is used, you must include the percent sign (for example, 10%). When a value is specified, the overflow partition can use available excess bandwidth if needed. Specify none to allow the overflow partition to use any available bandwidth. Specify fixed to prevent the partition from exceeding the <overflowMinBps> or <overflowMinPct> specification. If you don't specify a value, the overflow partition has a fixed size; when it's not using its reserved bandwidth, that bandwidth is available to other traffic.
To remove the cap on a dynamic partition:
partition dynamic cap <tclass> none
See also: partition dynamic apply
After a dynamic partition is set up, whenever a new user begins generating flows in that class, a subpartition will be created for the user on the fly. The per-user partition remains in existence until it's re-used for new flows by the same user or needed by another user. A subpartition may be given to another user if there have not been any recent flows in the partition. A subpartition is considered Idle if it has not been active for 300 seconds (5 minutes). Idle subpartitions still have flows which are sending packets. A subpartition is considered Gone if the flows associated with it have been gone 30 seconds or less, or LongGone if they have been gone more than 30 seconds. When the dynamic partition cap has been reached, new subpartitions are created from LongGone and Gone partitions. In other words, a subpartition may be given to another user if 30 seconds have passed without any flows or if it's been five minutes since an established flow has sent any packets.
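The subpartition lifecycle described here (and in the per-subnet discussion above) is a small state machine: Active, Idle after 300 seconds without packets on an established flow, Gone for the first 30 seconds after the last flow leaves, LongGone after that, with reclamation only once the cap is reached. The following Python model is an added example, not part of PacketGuide or PacketWise; it implements those rules with the page's thresholds so the behaviour at the cap can be reasoned about. The preference order among reclaimable states (LongGone, then Gone, then Idle) is an assumption of the example, as are the class and method names.

```python
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_AFTER_SECS = 300    # established flows but no packets for 5 minutes -> Idle
GONE_WINDOW_SECS = 30    # no flows for 30 s or less -> Gone; longer -> LongGone


@dataclass
class SubPartition:
    user: str
    flows: int
    last_packet: float
    last_flow_end: Optional[float] = None   # set when the flow count drops to zero

    def state(self, now: float) -> str:
        if self.flows > 0:
            return "Idle" if now - self.last_packet >= IDLE_AFTER_SECS else "Active"
        return "Gone" if now - self.last_flow_end <= GONE_WINDOW_SECS else "LongGone"


class DynamicPartition:
    """Per-user subpartitions under one static partition, limited by the dynamic partition cap."""

    # Assumed preference when several subpartitions are reclaimable; the text names the
    # eligible states (LongGone, Gone, and Idle via the five-minute rule), not the order.
    RECLAIM_ORDER = ("LongGone", "Gone", "Idle")

    def __init__(self, cap: int) -> None:
        self.cap = cap
        self.subs: Dict[str, SubPartition] = {}

    def flow_start(self, user: str, now: float) -> Optional[str]:
        """Attach a new flow for user. Returns 'new', 'reused', the state of the subpartition
        that was reclaimed for this user, or None when the cap is reached and nothing is reclaimable."""
        sub = self.subs.get(user)
        if sub is not None:                       # reused for new flows by the same user
            sub.flows += 1
            sub.last_packet = now
            sub.last_flow_end = None
            return "reused"
        if len(self.subs) < self.cap:
            self.subs[user] = SubPartition(user, 1, now)
            return "new"
        victim = self._reclaimable(now)
        if victim is None:
            return None
        freed_state = victim.state(now)
        del self.subs[victim.user]
        self.subs[user] = SubPartition(user, 1, now)
        return freed_state

    def _reclaimable(self, now: float) -> Optional[SubPartition]:
        for wanted in self.RECLAIM_ORDER:
            for sub in self.subs.values():
                if sub.state(now) == wanted:
                    return sub
        return None

    def packet(self, user: str, now: float) -> None:
        self.subs[user].last_packet = now

    def flow_end(self, user: str, now: float) -> None:
        sub = self.subs[user]
        sub.flows = max(0, sub.flows - 1)
        if sub.flows == 0:
            sub.last_flow_end = now

    def state_of(self, user: str, now: float) -> str:
        return self.subs[user].state(now)


if __name__ == "__main__":
    # Constructed scenario: a cap of two users, then a third user arriving.
    dp = DynamicPartition(cap=2)
    dp.flow_start("alice", 0)
    dp.flow_start("bob", 0)
    print("carol at t=10:", dp.flow_start("carol", 10))   # None: both subpartitions active
    dp.flow_end("alice", 20)
    print("alice at t=40:", dp.state_of("alice", 40), " at t=60:", dp.state_of("alice", 60))
    print("carol at t=60:", dp.flow_start("carol", 60))   # reclaims alice's LongGone subpartition
```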
partition remove
Remove a static partition from a traffic class. The bandwidth allocated to this traffic class is returned to the parent partition.
partition remove <tclass>
Note: Do not use this command to remove Frame Relay partitions.
partition show
Display current static partition usage. partition show [<tclass>] [clear]|[config] To display partition statistics for all partitions, omit the traffic class parameter; otherwise specify a class. Use clear to reset the displayed partition's statistics. Note that the statistics will not necessarily show as zero after this reset, because traffic activity could be recorded instantaneously. Use config to display the minimum and maximum usage. The usage maximum is a partition's burst limit. Example: partition show Partition name Size Min / Max Grntd Excess Prior Usage Curr 1-Min Avg Peak
------------------------------------------------------------------------------------/Inbound 4.5M 4.5M 0 0 1024 1024 2048 3687 537k /Inbound/MPEG-Audio 500k 4.5M* 0 0 0 0 0 0 0 /Inbound/WinMedia 0 4.5M* 0 0 0 0 0 0 0
This output lists both minimum and maximum partition size settings. It also lists the rate of priority traffic. In addition, it prints an asterisk (*) next to any minimum or maximum value that isn't "pure", that is, a programmed value that was adjusted due to (1) oversubscription or (2) the use of the strings fixed or none. The adjusted values, not the programmed values, are listed, followed by an asterisk. The Usage field represents the current bandwidth assigned to the partition, including guaranteed rate and excess rate for classes with rate policies, and any bandwidth currently allocated to classes with priority policies. Current rate and one-minute averages are bits-per-second rates.
off
default
Display current auto-deployment server settings with the command pc autodeploy server show.
<netmask>
<unit name>
Assign a name to the new unit to identify the unit in PolicyCenter. The name can be up to 20 characters long and may contain a-z, A-Z, - (hyphen), _ (underscore), and . (period). Spaces are not allowed in the unit name. A unit name can only be set on units running PacketWise version 7.2.1 and later. Auto-deployed units running PacketWise 7.1.0 / 7.1.1 will display a unit name based upon the unit's serial number.
<gateway>
The IP address PacketShaper uses to reach other networks. A PacketShaper uses this gateway to route unit-initiated transactions to a non-local address, for example, FTP transfers initiated from a PacketShaper to a server on a non-local network. Frequently, the gateway address is the same as the site router address.
Example:
pc autodeploy unit add 172.22.29.129 255.255.0.0 UnitOne 172.22.0.1
Important: After issuing the pc autodeploy unit add command to create the initial unit entry in the auto-deployment table, you should issue the pc autodeploy unit target command to specify a host IP address, that is, the IP address of any machine (host) that sits behind a single unconfigured unit. PolicyCenter will send the auto-deploy message directly to the specified host, thereby ensuring that the unconfigured unit sees the auto-deploy message and avoiding the potential problem of a router not forwarding the packets sent to the subnet. If no target is specified, the auto-deploy message will be sent to the subnet of the unconfigured unit. (See Auto-Deployment Setup, Configuring Network Routers, for important details on auto-configuring units without a target host IP.)
Example: The following command will assign the unit 172.22.29.129 to the PolicyCenter configuration UnitedStates/WestCoast/LosAngeles.
pc autodeploy unit configuration 172.22.29.120 UnitedStates/WestCoast/LosAngeles
See also: Create a PolicyCenter Configuration for details on creating PolicyCenter configurations prior to auto-deploying units.
Example:
pc autodeploy unit dns 172.22.18.170 10.1.1.16
Note: By default, the auto-deploy daemon runs every 300 seconds. You can specify a new interval with the command pc autodeploy server interval.
- IP address
- Network Mask
- Unit Name
- Gateway address
- State (whether or not the unit will be sent an auto-deployment message)
- Status (whether or not the unit has been successfully configured)
<unit ip address>
Specify the IP address of a single unconfigured unit to display more detailed information about that unit's individual entry in the auto-deployment table. In addition to the information in the bullet list above, this command also displays the following additional values:
- DNS server
- Domain
- Target IP
- Attempts (number of times the unit has been sent an auto-deploy message)
- Timestamp (the time at which the
Examples: This first example shows general information for all units in the auto-deployment table.
pc autodeploy unit show all
IP Address     Netmask      Unit Name  Gateway     State  Status
----------------------------------------------------------------
172.22.29.129  255.255.0.0  Unit_One   172.22.0.1  on     unconfigured
172.22.29.130  255.255.0.0  Unit_Two   172.22.0.1  on     unconfigured
172.22.29.131  255.255.0.0  UnitFour   172.22.0.1  on     unconfigured
172.22.29.132  255.255.0.0  UnitFive   172.22.0.1  on     unconfigured
This next example shows detailed status and configuration information for one specific unit entry.
pc autodeploy unit show 172.22.29.129
Unit setup details:
  IP Address     172.22.29.129
  Netmask        255.255.0.0
  Unit Name      UnitOne
  Gateway        172.22.0.1
  DNS Server     10.1.1.16
  Domain         mycompany.com
  Configuration  BranchOffices/WestCoast
Unit auto-deployment details:
  Target host IP  172.22.7.50
  State           on
  Status          unconfigured
  Attempts        0
off
Do not allow PolicyCenter to send an auto-deploy message for the specified unconfigured unit.
pc image library
For PolicyCenter only
Show the current library of PacketWise image files available for distribution from PolicyCenter to individual PacketShapers. This command can only be issued by network administrators with access to the PC organization.
pc image library units|policycenter [alt]
The pc image library units command shows the version name and type, build time and build variations for available PacketWise images. The pc image library policycenter command displays information for PolicyCenter executable files. Use the optional alt with either command to view additional details such as checksum, file size, the time the file was last modified, and the publishing server.
Example output of this command:
pc image library units
Name Type Version
PacketWise v7.1.0g1 2005-07-09
PacketWise v7.1.2g1 2006-02-09
STD
pc image library policycenter
Name Type Version
pc7.5.0g1 PolicyCenter
pc7.4.1g1 PolicyCenter
PC750g1 PC
PC741g1 PC
PC701g1 PC
pc image update
For PolicyCenter only
Determine when PolicyCenter updates its library of available images, executables, and plug-ins from the Packeteer support website. This command can only be issued by network administrators with touch-role access to the PC organization.
pc image update [nightly|manual|default|now]
nightly: PolicyCenter attempts to update its library of images and plug-ins nightly, typically during the very early hours of the morning (local time).
manual: PolicyCenter does not automatically update its image and plug-in library until you issue the command pc image update now. This is the default behavior.
default: Returns the image update mode to its default state (manual).
now: The command pc image update now enables PolicyCenter to immediately begin updating its image and plug-in library.
pc plugin library
For PolicyCenter only
Show the current library of plug-in files available for distribution from PolicyCenter to individual PacketShapers. This command can only be issued by network administrators with touch-role access to the PC organization.
pc plugin library
The pc plugin library command shows the version name, type, version number, and description for available plug-in files.
Example output of this command:
pc plugin library
Name     Type  Version  Description
ntpplug  bt03  1.0.0.0  Network News Transport Protocol
rogue    bt03  1.0.0.0  FileRogue - File Sharing Application
sms      bt03  1.0.0.0  Microsoft SMS pre Windows Service Pack 2
pc plugin prescribe
For PolicyCenter only
When you prescribe new plug-in files for configurations with Packeteer units assigned to them, you must also add the plug-in files to the PolicyCenter server configuration, so the PolicyCenter software can recognize the new classification types. Use this command to prescribe plug-in files for PolicyCenter by filename. Use the pc plugin library command to determine the names of available files. This command can only be issued by network administrators with touch-role access to the PC organization.
pc plugin prescribe [<filename> <filename> ...] |show
<filename>: The filename of the plug-in file you wish to prescribe to a PolicyCenter configuration.
show: The show option shows the PolicyCenter configuration's current plug-in files.
pc plugin subscribe
For PolicyCenter only
When you prescribe new plug-in files for configurations with Packeteer units assigned to them, you must also add the plug-in files to the PolicyCenter server configuration, so the PolicyCenter software can recognize the new classification types. Issue this command to configure when and how often PolicyCenter updates its own plug-in files. This command can only be issued by network administrators with touch-role access to the PC organization.
pc plugin subscribe asap|scheduled
The pc plugin subscribe command has the following options:
asap: PolicyCenter will automatically update its plug-in files as soon as they are prescribed.
scheduled: PolicyCenter will wait for the plugin sync command before downloading prescribed files.
pc plugin sync
For PolicyCenter only
Issue this command from PolicyCenter to synchronize plug-in files prescribed for the PolicyCenter software configuration. The <seconds> variable allows you to specify in seconds the amount of time that should elapse before the synchronization process begins. This command is only required when the PolicyCenter prescription mode has been set to scheduled with the plugin subscribe command. This command can only be issued by network administrators with touch-role access to the PC organization.
Note: It is not necessary to issue this command if the prescription mode has been set to asap with the plugin subscribe command.
pc plugin sync <seconds>
To activate a new plug-in for PolicyCenter, use the Windows services panel (Settings > Control Panel > Administrative Services > Services) to stop and then restart the PolicyCenter service. When PolicyCenter restarts, it will recognize the plug-in file.
See also: pc plugin subscribe
pc portal library
For PolicyCenter only
Show the current portfolios of customer portal files available for distribution from PolicyCenter to individual PacketShapers. This command can only be issued by network administrators with touch-role access to the PC organization.
pc portal library [verbose]
The pc portal library command shows the names of the available portfolios only. Use pc portal library verbose to view the names of all the customer portfolio files within each portfolio.
pc radius acct
For PolicyCenter only
Set up or change the configuration of the RADIUS accounting service. This feature allows you to have an audit trail for user logins. This command can only be issued by network administrators with touch-role access to the PC organization. Note that PolicyCenter does not allow a RADIUS user to log in with the user name admin.
pc radius acct default | off | on | [primary {<host> <shared_secret> [<port>]}|delete] | [secondary {<host> <shared_secret> [<port>]}| delete]
default: Return RADIUS accounting to its default off setting
off: Disable RADIUS accounting
on: Enable RADIUS accounting
<host>: IP address or DNS name of the RADIUS server
<shared_secret>: Specify the designated secret (password)
<port>: To access the RADIUS server with a specific port, specify a port number. Otherwise, the default port will be used.
delete: Delete this RADIUS accounting server.
for example:
pc radius auth
For PolicyCenter only
Set up or change the configuration of the RADIUS authentication service. RADIUS authentication is an optional method for users to log into the PolicyCenter console or browser interfaces. Using third-party RADIUS servers enables you to have central configuration of user accounts. This command can only be issued by network administrators with touch-role access to the PC organization. Note that PolicyCenter does not allow a RADIUS user to log in with the user name admin.
pc radius auth default | off | on | [primary {<host> <shared_secret> [<port>]}|delete] | [secondary {<host> <shared_secret> [<port>]}| delete]
default: Return RADIUS authentication to its default off setting
off: Disable RADIUS authentication
on: Enable RADIUS authentication
<host>: IP address or DNS name of the RADIUS server
<shared_secret>: Specify the designated secret (password)
<port>: To access the RADIUS server with a specific port, specify a port number. Otherwise, the default port will be used.
delete: Delete this RADIUS authentication server.
for example:
pc radius interval
For PolicyCenter only
Adjust the RADIUS retry interval. By default, the RADIUS client waits five seconds before retrying a login when the RADIUS server fails to respond. You can select a value between 1 and 30 seconds. This command can only be issued by network administrators with touch-role access to the PC organization.
pc radius interval <seconds>|default
See also: pc radius limit
pc radius limit
For PolicyCenter only
Adjust the RADIUS retry limit. By default, if the RADIUS server fails to respond, the RADIUS client will try to log onto the server three times before reporting a server failure. You can select a value between 1 and 10. If you have specified a secondary authentication host, the RADIUS client will alternate attempts to log onto each server. This command can only be issued by network administrators with touch-role access to the PC organization.
pc radius limit <attempts>|default
See also: pc radius interval
pc radius method
For PolicyCenter only
Specify PAP (Password Authentication Protocol) or CHAP (Challenge Handshake Authentication Protocol) for your RADIUS authentication method, or enter default to return the RADIUS server to its default PAP protocol. This command can only be issued by network administrators with touch-role access to the PC organization.
pc radius method pap|chap|default
See also: pc radius auth
pc radius show
For PolicyCenter only
View current settings for RADIUS authentication and accounting. This command can only be issued by network administrators with access to the PC organization.
pc radius show
Example output:
pc radius show
Setup values:
  Radius Method   :CHAP
  Authentication  :off
  Accounting      :off
  Retry limit     :3
  Retry interval  :5
Service records:
  Type   Host
  acct1  172.21.18.170
  acct2  radius.mycompany.com
See also: pc radius auth, pc radius acct
pc replication add
For PolicyCenter only
You can extend your deployment beyond the capacity of the core PolicyCenter directory server by defining additional edge directory servers that can each support up to 600 additional PacketShapers. This command can only be issued by network administrators with touch-role access to the PC organization. The following command defines and adds a new edge directory server. Select the secure option for secure replication using LDAPS (Lightweight Directory Access Protocol Over SSL).
pc replication add <DNS|ip-address> [secure]
See also: Generate SSL Certificates for a PolicyCenter Directory Server
pc replication delete
For PolicyCenter only
Issue this command to delete an unused edge directory server. This command can only be issued by network administrators with touch-role access to the PC organization.
Important: If you delete a directory server that still has assigned PacketShapers, those units will no longer receive configuration updates made via PolicyCenter. Before you delete a directory server, you must first issue the unit assign command to reassign units to another directory server.
pc replication delete <DNS|ip-address>
pc replication init
For PolicyCenter only
You may need to reinitialize an edge directory server if it fails to replicate data from the core server, or if an edge server configured for secure replication did not have the appropriate security certificates when it was first initialized. This command can only be issued by network administrators with touch-role access to the PC organization.
pc replication init <DNS|ip-address>
pc replication show
For PolicyCenter only
Show the current status of any configured edge directory servers, including the server's IP address, replication status, current security (LDAPS) setting, and the number of units assigned to each server. The Srv column shows the server number for each edge directory server, which helps identify the server when you make backups of PolicyCenter. This command can only be issued by network administrators with access to the PC organization.
Note: This command only displays the IP addresses of configured edge servers, even if you initially configured the edge directory server by specifying the server's DNS name.
pc replication show
Example output:
Core Directory Server: 111.111.1.100   unsecure   Units 506
Srv  IP Address     Status       LDAPS     Units  Last contact
1    111.111.2.100  Replicating  unsecure  3      133 secs
2    111.111.3.100  Replicating  secure    503    0 sec
3    111.111.4.100  Replicating  secure    3      102 secs
pc setup autobackup
For PolicyCenter only
When the autobackup feature is enabled, PolicyCenter makes a backup of a configuration before it updates that configuration with changes from a draft. If you later want to revert the changes and restore the configuration to its original state before the draft was committed, you can restore the backup configuration with the command config restore. This command can only be issued by network administrators with touch-role access to the PC organization.
pc setup autobackup on | off | show
Where:
on: Enables the autobackup feature, so a backup copy of a configuration is created before any changes are committed back to that configuration.
off: Disables the autobackup feature. Existing backup copies are not deleted, but no new backup copies will be created.
show: Displays the current on or off setting for the autobackup feature.
pc setup date
For PolicyCenter only
View or set the date and/or time for the PolicyCenter server. This command can only be issued by network administrators with touch-role access to the PC organization.
pc setup date [[yyyymmdd]hhmm[.ss]]
To define a timezone so PolicyCenter can change its local time automatically at the start and end of daylight savings time, use the command pc setup timezone.
pc setup https certificate
This operation will generate a new certificates for HTTPS.
This will replace your current certificate and may take up to 5 minutes
Please confirm if you really want to proceed (YES): yes
on off default
pc setup message
For PolicyCenter only
Configure a message that will display before logging into PolicyCenter. The message displays before users log in via the browser login page or the PolicyCenter console (CLI). This feature is useful for informing users about the company's access policies and consequences for unauthorized use. This command can only be issued by network administrators with touch-role access to the PC organization.
pc setup message {set <message>}|show|default
set <message>: Defines the message text. The text should be enclosed in quotation marks and can be up to 511 characters long.
show: Displays the content of the login message.
default: Clears the message text.
Example:
pc setup message set "Access to this system is restricted to authorized users only."
Message set to: "Access to this system is restricted to authorized users onl...
pc setup message show
Configured Message: Access to this system is restricted to authorized users only.
Notes
- Quotation marks indicate the beginning and end of the login message. You cannot use a quotation mark within the body of the login message.
- The message can be configured in the browser interface as well. See PolicyCenter Login Message.
- To configure a login message for PacketShapers managed by PolicyCenter sharable configurations, see setup message.
pc setup show
Display the basic configuration for your PolicyCenter software. This command can only be issued by network administrators with access to the PC organization.
pc setup show
Example output:
General Settings:
  IP address:             172.16.16.16
  Subnet mask:            255.255.0.0
  Gateway:                172.16.16.1
  DNS server(s):          172.16.64.10
  Default domain:         mycompany.com
  Date, time, timezone:   Thu Dec 9 17:38:52 2006 PST (LosAngeles)
  SNTP Client:            off
  SNTP Primary Server:    time.nist.gov
  SNTP Secondary Server:  time-a.nist.gov
  SNTP Poll Seconds:      300
  HTTPS port:             443
  Syslog:                 off
Auto-Deployment Server Configuration:
  Server State:     off
  Server Interval:  300 (seconds)
RADIUS Setup values:
  Radius Method:   CHAP
  Authentication:  on
  Accounting:      off
  Retry limit:     3
  Retry interval:  5
pc setup sntp
For PolicyCenter only
Set or display the Simple Network Time Protocol (SNTP) configuration for your PolicyCenter software. SNTP is used to synchronize the time in PacketWise to a server configured to propagate highly accurate time information through the Internet. This command can only be issued by network administrators with touch-role access to the PC organization.
setup sntp on|off|servers {<primary> [<secondary>]|none}|poll|reset|sync
To define a primary and secondary SNTP server, enter a standard dotted-decimal IP address for <primary> or <secondary>. To view current settings, issue the command pc setup show.
pc setup timezone
For PolicyCenter only
When you configure a time zone, PolicyCenter can change its local time automatically at the start and end of daylight savings time. It also can retrieve time updates from time servers. This command can only be issued by network administrators with touch-role access to the PC organization.
pc setup timezone [<name>|custom <tz_spec>]
Each time zone has a unique name, usually the name of the best-known city in that zone. The default time zone is Los Angeles, CA. To display the valid time zones, use setup timezone help.
<tz_spec> is a string defined by POSIX.1 as:
<std><offset>[<dst>[<offset>],<date>[/<time>],<date>[/<time>]]
Where:
<std> and <dst>: 3 or more characters specifying the standard and daylight saving time (DST) zone names
<offset>: [-]hh:[mm[:ss]] specifies the offset west of UTC. The default DST offset is one hour ahead of standard time
<date>[/<time>]: Specifies the beginning and end of DST. If this is absent, the system applies US DST rules (first Sunday of April at 2:00 AM to last Sunday of October at 2:00 AM)
<time>: hh:[mm[:ss]] with a default of 02:00
<date>: One of the following forms:
  Jn (1<=n<=365): origin-1 day number, not counting February 29
  n (0<=n<=365): origin-0 day number, counting February 29, if present
  Mm.n.d (0[Sunday]<=d<=6[Saturday], 1<=n<=5, 1<=m<=12): the dth day of week n of month m of the year, where week 1 is the first week in which day d appears, and 5 stands for the last week in which day d appears (which may be either the 4th or 5th week)
For example, you could configure a time zone for Cairo, Egypt with the command:
pc setup timezone custom EET-2EEST,M4.5.5/01:00,M9.5.5/03:00
Current time zone:
  Time zone name:    Custom
  Time zone desc:    Custom time spec in POSIX format
  Time zone spec:    EET-2EEST,M4.5.5/01:00,M9.5.5/03:00
  Time zone offset:  GMT+02:00
  DST offset:        60 minutes
  DST starts:        Last Friday of April at 01:00 AM
  DST ends:          Last Friday of September at 03:00 AM
In this example, the standard time, known as EET, is two hours ahead of GMT and daylight savings time, known as EEST, is the default 60 minutes ahead of EET. Rather than using US default rules, EEST begins on the last Friday of April at 1:00 AM and ends on the last Friday of September at 3:00 AM.
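The <tz_spec> grammar above, worked through in added Python so the Cairo example can be checked by hand. This parser is written for this page and is not Packeteer code: it parses the <std><offset>[<dst>[<offset>]] head using the page's convention that <offset> is west of UTC (so EET-2 is GMT+02:00), resolves the Jn, n and Mm.n.d date forms for a chosen year, falls back to the page's US rules (first Sunday of April, last Sunday of October, 02:00) when no dates are given, and renders each rule the way the "DST starts/ends" lines do. The year 2006 and the sample specs are assumptions made for the example.

```python
import calendar
import re
from datetime import date, time, timedelta

# Added example, not Packeteer code: parse the POSIX.1 <tz_spec> the page
# describes and resolve its DST rules for a given year.

# Constructed sample: the Cairo spec from the page's own example.
CAIRO_SPEC = "EET-2EEST,M4.5.5/01:00,M9.5.5/03:00"

# Rules the page says apply when no <date> parts are given (US rules, 2:00 AM).
US_DEFAULT_RULES = ["M4.1.0", "M10.5.0"]

_NAME = r"[A-Za-z]{3,}"
_OFF = r"[+-]?\d{1,2}(?::\d{2}(?::\d{2})?)?"
_HEAD_RE = re.compile(
    rf"^(?P<std>{_NAME})(?P<stdoff>{_OFF})(?:(?P<dst>{_NAME})(?P<dstoff>{_OFF})?)?$")

_ORDINAL = {1: "First", 2: "Second", 3: "Third", 4: "Fourth", 5: "Last"}
_DAY = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def parse_offset(text):
    """'[-]hh[:mm[:ss]]' -> timedelta. The page defines <offset> as WEST of UTC."""
    sign = -1 if text.startswith("-") else 1
    h, m, s = ([int(p) for p in text.lstrip("+-").split(":")] + [0, 0])[:3]
    return sign * timedelta(hours=h, minutes=m, seconds=s)


def parse_time(text):
    """'hh[:mm[:ss]]' -> time."""
    h, m, s = ([int(p) for p in text.split(":")] + [0, 0])[:3]
    return time(h, m, s)


def rule_to_date(rule, year):
    """Resolve one <date> form (Jn, n or Mm.n.d) to a calendar date in `year`."""
    if rule.startswith("J"):                      # Jn: 1..365, Feb 29 never counted
        n = int(rule[1:])
        d = date(year, 1, 1) + timedelta(days=n - 1)
        if n >= 60 and calendar.isleap(year):     # J60 is always 1 March
            d += timedelta(days=1)
        return d
    if rule.startswith("M"):                      # Mm.n.d: day d of week n of month m
        m, n, dow = (int(x) for x in rule[1:].split("."))
        first = date(year, m, 1)
        py_dow = (dow - 1) % 7                    # POSIX Sunday=0 -> Python Monday=0
        d = first + timedelta(days=(py_dow - first.weekday()) % 7)  # first such weekday
        d += timedelta(days=7 * (n - 1))
        if d.month != m:                          # n=5 means "last": may be the 4th occurrence
            d -= timedelta(days=7)
        return d
    return date(year, 1, 1) + timedelta(days=int(rule))  # n: 0..365, Feb 29 counted


def describe_rule(rule, at):
    """Render a rule the way the page's 'DST starts/ends' lines do."""
    clock = at.strftime("%I:%M %p")
    if not rule.startswith("M"):
        return f"day {rule} at {clock}"
    m, n, dow = (int(x) for x in rule[1:].split("."))
    return f"{_ORDINAL[n]} {_DAY[dow]} of {calendar.month_name[m]} at {clock}"


def parse_tz_spec(spec, year):
    """Parse <std><offset>[<dst>[<offset>],<date>[/<time>],<date>[/<time>]]."""
    head, _, rule_text = spec.partition(",")
    m = _HEAD_RE.match(head)
    if not m:
        raise ValueError(f"unrecognised tz_spec: {spec!r}")
    std_west = parse_offset(m["stdoff"])
    info = {"std": m["std"], "utc_offset": -std_west, "dst": m["dst"]}
    if m["dst"] is None:
        return info                               # no DST in this zone
    # Default DST offset: one hour ahead of standard time (page text).
    dst_west = parse_offset(m["dstoff"]) if m["dstoff"] else std_west - timedelta(hours=1)
    info["dst_shift"] = std_west - dst_west       # how far DST is ahead of standard
    rules = rule_text.split(",") if rule_text else US_DEFAULT_RULES
    if len(rules) != 2:
        raise ValueError("expected exactly two <date>[/<time>] parts")
    for key, part in zip(("dst_start", "dst_end"), rules):
        rule, _, t = part.partition("/")
        at = parse_time(t) if t else time(2, 0)   # <time> defaults to 02:00
        info[key] = (rule_to_date(rule, year), at, describe_rule(rule, at))
    return info


if __name__ == "__main__":
    for k, v in parse_tz_spec(CAIRO_SPEC, 2006).items():
        print(f"{k:>11}: {v}")
```

For the Cairo spec and the year 2006 this yields a UTC offset of +02:00, a DST shift of 60 minutes, and transitions on 28 April at 01:00 and 29 September at 03:00, matching the "DST starts" and "DST ends" lines the command prints.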
pc setup variable
For PolicyCenter only
Change a default variable setting for the PolicyCenter software configuration.
pc setup variable [<variable> <value>|default] | [-reset|-nd]
where <variable> is one of the variables listed below and <value> is the value you want to set the variable to. The default, minimum, and maximum values for each <variable> are listed in the table. After changing a variable's setting, you will need to stop and then restart the PolicyCenter service in order for the change to take effect.
To stop and restart the PolicyCenter service:
1. Access the Windows services panel on your PolicyCenter server. (Settings > Control Panel > Administrative Services > Services)
2. Select the PolicyCenter service from the list of services.
3. Click the square stop icon to stop the PolicyCenter service.
4. Click the triangle start icon to restart the PolicyCenter service.
To reset all system variables to their defaults, use the pc setup variable -reset command. To reset a specific variable to its default, use the pc setup variable <variable> default command. To see a list of all variables that have non-default settings, use the pc setup variable -nd command.
Table columns: Variable (as shown on the show screen) / Description, Default Value, Min. Value, Max. Value
accelerationStrictHostCheck When this variable is enabled, outbound TCP flows will be accelerated only if the source host is configured (or discovered) on the local device and the destination host is configured/discovered as a remote host via the outbound tunnel. Likewise, inbound accelerated flows will not be intercepted unless the source host is configured/discovered as a remote host via the inbound tunnel and the destination host is configured/discovered on the local device. Certain topologies require this variable to be enabled in order for acceleration to work properly:
q q
Multiple inline PacketShapers Hub-and-spoke topologies in which traffic accelerated at the edge PacketShaper will pass through an intermediate PacketShaper at the central site
0 (off)
0 (off)
1 (on)
Notes:
q
Enabling this variable may result in a slight degradation of performance for XTP acceleration, since lookup and validation of local and remote hosts are done per packet. SCPS acceleration does not have this side effect. If packets pass through the same PacketShaper multiple times, it may be necessary to restrict hosts (using the tunnel discovery host command), to manually provision hosts on a particular
334
side (using the hostdb side manual command), or to disable host discovery (using the tunnel discovery command). autoCreateSameSide When this variable is enabled, the SameSide class is created automatically. When disabled, the SameSide class will not be autocreated. You may want to disable this variable if traffic is being misclassified into the SameSide class. bridgePassThru With bridgePassThru enabled, the PacketShaper forwards packets that have a source and destination MAC address on the same side of the unit. When bridgePassThru is disabled and traffic shaping is enabled, the Packeteer unit drop packets that have source and destination MAC addresses on the same side. cmprsnDiffservInterop Preserve TOS (Type-of-Service) IP header values on compressed packets. When this option is enabled, TOS values will be preserved on IPComp packets. When it is disabled, TOS values will not be preserved on compressed packets. Note: This variable is applicable to legacy compression tunnels only.
1 (on)
0 (off)
1 (on)
1 (on)
0 (off)
1 (on)
1 (on)
0 (off)
1 (on)
335
cmprsnDiffservReapply Reapply network-modified TOS IP header values to decompressed packets. When this option is enabled, the decompressing PacketShaper will compare the original TOS value of the compressed packets to the TOS value in the IPComp packets IP header. If the network modified the TOS value of the IPComp packet, Xpress will apply this modified TOS value to the original packets as they are decompressed. Notes:
q
0 (off)
0 (off)
1 (on)
The cmprsnDiffservInterop variable must also be enabled. This variable is applicable to legacy compression tunnels only.
cmprsnEnablePacking When packing is enabled, multiple packets are combined into a single "super packet," in order to save on overhead. Packing increases compression rates because less data is being sent out on the wire. On very busy links, packing doesn't cause much latency because the packets are bundled and sent off quickly. On less active links, Xpress may have to wait to get enough packets in a bundle, possibly creating application performance problems. If you are experiencing latency, try lowering the packing hold time or disabling it altogether. Note: This variable is applicable to legacy compression tunnels only.
336
0 (off)
0 (off)
1 (on)
cmprsnFirewallSupport Enables/disables firewall support for the Xpress compression feature. If set to 0, Xpress firewall support is disabled; use this setting when there is not a firewall between partner units. When there is a firewall between partner units, you should enable firewall support by selecting either 1 or 2:
q
1: Firewall support is enabled only when compression is ON. 2: Firewall support stays enabled for persistent flows even after disabling compression. When compression is turned off, any TCP flows already hidden from the firewall continue to be hidden (tunneled), but new TCP flows are not hidden.
Note: This variable is applicable to legacy compression tunnels only. cmprsnHostEntries The maximum number of hosts and partners that can be defined to use the compression facility 0* * 0 indicates that the default system limit will be used; the system limit depends on the amount of memory installed in the unit 2 99999
337
cmprsnInsideHostMode Set inside host lists to be inclusive or exclusive. If inclusive, inbound traffic destined to inside hosts on the host list are eligible for tunneling. If 0 exclusive, traffic destined to the (inclusive) listed hosts are not sent through the Xpress tunnel but all other inside hosts are eligible for tunneling. Use the tunnel discovery host command to create the list. cmprsnMaxRetransmissions The maximum consecutive retransmissions of a packet before a compression tunnel is shut down cmprsnOutsideHostMode Set outside host lists to be inclusive or exclusive. If inclusive, outbound traffic destined to outside hosts on the host list are eligible for tunneling. If exclusive, traffic destined to the listed hosts are not sent through the Xpress tunnel but all other outside hosts are eligible for tunneling. Use the tunnel discovery host command to create the list. cmprsnPackingHoldTimeMsecs Maximum number of milliseconds packets will be held for packing. When PacketShaper receives a packet, it is held up to the maximum packing hold time (10ms by default), waiting to be combined with additional packets. After that time expires, Xpress compresses all the accumulated packets into a super packet and sends it out. Note: This variable is applicable to legacy compression tunnels only. 5
0 (inclusive)
1 (exclusive)
99
0 (inclusive)
0 (inclusive)
1 (exclusive)
10
1024
338
cmprsnPartnerMode Set tunnel partner lists to be inclusive or exclusive. If inclusive, Xpress creates tunnels only with the listed PacketShapers. If exclusive, Xpress does not establish tunnels with the listed PacketShapers; only PacketShapers not listed will have tunnels established. Use the tunnel discovery partner command to create the list. cmprsnRSVPPathDiscard When cmprsnRSVPPathDiscard is disabled (the default), the PacketShaper will respond to an RSVP (Resource Reservation Protocol) message from another PacketShaper and continue to pass the original RSVP packet to the inside to any other PacketShapers that may be downstream. When this variable is enabled, the PacketShaper will respond to the RSVP message but will not send the packet on. Note that the packet will be discarded only when compression is enabled and when the RSVP packet is moving inwards. Note: This variable is applicable to legacy compression tunnels only.
0 (inclusive)
0 (inclusive)
1 (exclusive)
0 (off)
0 (off)
1 (on)
339
cmprsnTransparentTrigger
The number of consecutive retransmissions of a packet before Xpress disables the compression tunnel and sends packets in the clear (uncompressed). The tunnel resumes normal operation after it receives an acknowledgment for the retransmitted packets; if no acknowledgment is received before the tunnel shutdown threshold is reached, the tunnel is shut down.
Note: This variable is applicable to legacy compression tunnels only.

DiffservClassSortPref
Controls the sort order of the traffic tree with respect to Diffserv classes (those with DSCP marks). Three settings are available:
0  Diffserv classes are sorted below IP-address-based classes but above port-based classes (the default).
1  Diffserv classes are sorted above IP-address-based classes.
2  Legacy sort order (Diffserv classes are sorted after IP-address-based classes, port-based classes, and auto-discovered classes).
Note: The new sort order does not take effect until the unit is rebooted.

discoveryThresholdDynamicPort
The number of new connections of an identifiable service to a port greater than 1024 that must be identified within a one-minute timeframe before PacketWise creates a class.
99
1000000
discoveryThresholdNonIP
The number of new non-IP connections of a given type that must be identified within a one-minute timeframe before PacketWise creates a class.

discoveryThresholdNormal
The number of new connections of an identifiable service to a port less than or equal to 1024 that must be identified within a one-minute timeframe before PacketWise creates a class.

discoveryThresholdPort
The number of new connections to a particular port within a one-minute timeframe before PacketWise creates a Port_#### class in the DiscoveredPorts folder. It may be necessary to increase this value on Internet link deployments to prevent an excessive number of DiscoveredPorts classes from being created. If you don't want any Port_#### classes discovered, set this variable to its maximum value.
1000000
1000000
100
1000000

dynPtnActiveReuseSeconds
The number of seconds a dynamic partition is retained after an established flow has sent packets.
Note: If no other user needs a dynamic partition, the partition is retained indefinitely.
Default: 300 (5 min); Min: 10; Max: 7200 (2 hrs)

dynPtnIdleReuseSeconds
The number of seconds a dynamic partition is retained after an established flow has not sent or received packets.
Note: If no other user needs a dynamic partition, the partition is retained indefinitely.
Default: 30; Min: 10; Max: 7200 (2 hrs)
dynPtnSequestrationCount
The number of partitions reserved for static partitions; all other partitions can be used for dynamic or static partitions (applicable to PacketShaper 1200 and 1500 only).
99

enableCongestion
Enable/disable the calculation of packet exchange time. When this variable is disabled, the Pkt Exch column on the Monitor Traffic page does not appear, RTM is not available, and the packet exchange time and RTM measurement variables always have a value of 0.
Note: This variable is not supported on the PacketShaper 1200 model. After disabling the enableCongestion variable, you should reset the unit.
Default: 1 (on); Min: 0 (off); Max: 1 (on)

enableLatency
Enable/disable the calculation of VoIP metrics. When this variable is enabled, PacketWise collects data that measure packet loss, jitter, and latency for VoIP flows.
Notes:
- VoIP metrics can only be measured between PacketShapers with the VoIP metrics feature enabled.
- The VoIP metrics feature can measure traffic only from VoIP applications whose data is classified as RTP-I. For instance, latency metrics are not provided for DialPad, iChat, Vonage, and Skype.
Default: 0 (off); Min: 0 (off); Max: 1 (on)
enableSupportForSSHv1
Enable/disable support for Secure Shell version 1 (SSH v1) for secure access to the PacketShaper. When this variable is enabled, the PacketShaper can be accessed with SSHv1 and SSHv2 clients. When this variable is disabled, only SSH clients using the SSHv2 protocol version are supported. Note that this variable doesn't take effect until the PacketShaper is reset.
Default: 1 (on); Min: 0 (off); Max: 1 (on)

enableWinnyClassification
Enable/disable classification of the Winny service. For optimal performance, enable this only when management of Winny traffic is required.
Note: The Winny peer-to-peer application is used primarily in Japan.
Default: 0 (off); Min: 0 (off); Max: 1 (on)

flowRecordsIntermediateTimeout
Number of milliseconds between generation and sending of intermediate flow detail records when traffic is present.
Default: 1500; Min: 1000; Max: 36000

flowRecordsPktr0Timeout
Number of seconds between generation and sending of Packeteer-0 flow records.
Default: 3600; Min: 10; Max: 5000

flowRecordsPktrPTimeout
Number of seconds between generation and sending of Packeteer-P flow records.
Default: 60; Min: 10; Max: 5000
flowRecordsResetCounters
Controls whether or not the counter fields in FDR packets are reset with each intermediate FDR sent.
Note: This variable only affects Packeteer-1 and Packeteer-2 format FDRs; counter fields are always reset in the NetFlow-5 format.
Default: 1 (on); Min: 0 (off); Max: 1 (on)

flowRecordsSendIntermediate
Enable/disable the intermediate flow detail records feature. When this variable is enabled, PacketWise emits intermediate FDRs at the interval specified by the flowRecordsIntermediateTimeout variable.
Note: Enable the intermediate flow detail records feature only when using a suitably instrumented collector, such as Cisco-based NetFlow-5 collectors. ReportCenter version 3.1 and earlier ignore intermediate FDRs.
Default: 0 (off); Min: 0 (off); Max: 1 (on)

flowRecordsSendPktrP
Enable/disable emission of Packeteer-P packets to Packeteer flow detail record collectors. Packeteer-P packets contain statistics that are not related to particular flows but rather provide information about utilization on the PacketShaper at the time flows are recorded. If this variable is enabled, Packeteer-P records are sent after each UDP flow record packet is sent to Packeteer-1 or Packeteer-2 collectors (not more than once per minute).
Default: 0 (off); Min: 0 (off); Max: 1 (on)
flowRecordsSendPktr0
Enable/disable emission of Packeteer-0 packets to Packeteer flow detail record collectors. Packeteer-0 packets are mapping messages that allow collectors to decipher Packeteer-related information in the FDRs they receive. For example, in the FDR's ClassID field, a value identifies the traffic class. In order for the collector to understand which class is actually associated with the ID, it uses the class map, a list that contains each traffic class on the unit along with the identifying number assigned to each class. If this variable is enabled, Packeteer-0 mappings are sent out approximately once each hour. Note that this variable needs to be enabled only if the collector does not know this information through other means.
Default: 0 (off); Min: 0 (off); Max: 1 (on)

frameMaxRouteEntries
The maximum number of route entries PacketWise can import from a FRAD or ATM routing table.
Note: This variable is not supported on the PacketShaper 1200 or 1400 Lite models.
Default: 300; Min: 25; Max: 2000

graphTimeoutSeconds
The maximum number of seconds a graph can take to generate in the browser interface; if the graph takes longer to generate than this value, a system timeout error message appears.
Note: Increasing this setting can make the browser interface appear to "freeze" while PacketWise is generating some of the more complex graphs. Sometimes the browser will not display the page until all of the graphs are generated.
60

hostTspecCacheInside
Enable/disable caching of IP address-based classes on the inside. Change this setting to outside (0) to increase classification performance if the majority of IP addresses in manually created classes are on the outside rather than the inside. To disable the caching of inside IP address-based classes, use the setup variable hostTspecCacheInside 0 command. After you reset the PacketShaper, IP address-based classes will be cacheable on the outside. To re-enable caching for inside classes, use the setup variable hostTspecCacheInside 1 command.
Default: 1 (inside); Min: 0 (outside); Max: 1 (inside)

httpStealth503
Controls the display of the "503 - Service unavailable" server error message when a connection is refused because of admission control (such as a never-admit policy).
0  The "503 - Service unavailable" message is customized with the text "This message is sent by Packeteer PacketShaper."
1  The PacketShaper text is not displayed with the "503 - Service unavailable" message.
2  PacketWise performs a TCP reset and drops the HTTP request; the error message will likely be "The attempt to load http://... failed."
LFNSupport
When enabled, this setting improves performance on Long Fat Networks (LFNs), which require larger TCP window sizes. An LFN is a long-distance network with large bandwidth and long delay; for example, high-capacity satellite channels are LFNs.
Default: 0 (off); Min: 0 (off); Max: 1 (on)

linkOverheadBytes
Number of bytes that are added to each packet to account for WAN protocol header overhead.

linkOverheadPpt
Number of parts per thousand* by which packet sizes are increased to account for link overhead. This adjustment is useful for links that do bit stuffing. (Bit stuffing is the practice of adding bits to a stream of data. Many network and communications protocols require bit stuffing, for example to prevent data from being interpreted as control information.)
* To be more precise, it is actually parts per 1024.
256
35 (3.5%)
1024

mirrorLinks
Enable/disable link state mirroring. With link state mirroring, PacketWise brings down the second port of a NIC pair if the first goes down. This feature allows each PacketShaper to sit between a WAN router and a switch without blocking the router's detection of switch outages. Link state mirroring is automatically enabled when direct standby is enabled and the redundant management port is connected.
Note: Link state mirroring is not active on the LEM being used for the direct link; this allows you to disconnect the redundant management port without impacting connectivity. However, link state mirroring is disabled when the redundant management link is disconnected.
Default: 0 (off); Min: 0 (off); Max: 1 (on)

mplsSecondLabelIndex
Designates the MPLS label stack position (1-5) to be examined for classification purposes. By default, PacketWise looks at the top MPLS label (1), which identifies the path through the core. If you want to classify by other MPLS labels (2-5) in the MPLS stack, change this system variable to identify the stack position.

PolicyFlowLimitForAllClasses
Enables/disables the policy flow limit feature. When enabled, PacketWise enforces all policy flow limits that have been set on traffic classes. When disabled, all policy flow limits are ignored. For additional information, see policy flowlimit.
Default: 1 (on); Min: 0 (off); Max: 1 (on)

probeIntervalSeconds
Number of seconds between the issuance of VoIP latency probes that measure VoIP metrics, enabled by the enableLatency variable.
60

rtoInboundClampMsecs
Number of milliseconds of delay for clamping early retransmission timeout on inbound packets. Puts a maximum on retransmit time.
Default: 1600; Min: 0 (disable); Max: 3000 (3 sec)

rtoOutboundClampMsecs
Number of milliseconds of delay for clamping early retransmission timeout on outbound packets.
Default: 1600; Min: 0 (disable); Max: 3000 (3 sec)
syntheticReadTimeoutSeconds
Number of seconds after which a synthetic transaction ends when the response received is incomplete.
Note: This variable is not supported on PacketShaper ISP models.

syntheticWriteTimeoutSeconds
Number of seconds after which a synthetic transaction is canceled if the server fails to respond to a request.
Note: This variable is not supported on PacketShaper ISP models.
1000
60
10
5000

tcpClipInitialWindow
When tcpClipInitialWindow is enabled, the PacketShaper always reduces the initial TCP window size to 1x MSS (maximum segment size). When this variable is disabled, new flows ramp up faster, but enforcement of small rate policies and/or partitions may not work at the beginning of flows.
Default: 1 (on); Min: 0 (off); Max: 1 (on)

tcpMssInbound
Maximum segment size of TCP packets on inbound flows. This setting can help avoid packet fragmentation when using a VPN that cannot support 1500-byte packets (the default size) through the VPN tunnel.
1460 bytes
65535

tcpMssOutbound
Maximum segment size of TCP packets on outbound flows.
1460 bytes
65535

tcpSmallMssLinkSpeed
Link speeds slower than this value force the use of a smaller MSS (maximum segment size). Prevents PacketWise from changing the MSS on large WAN links.
384000 bps
512000
tnlDontSpanPackets
When packets are being packed into super packets, this variable determines whether a packet's contents will be spanned across two super packets. By default, packets are not spanned.
Default: 1 (on); Min: 0 (off); Max: 1 (on)

tnlInheritInbound
Determines how Xpress selects an outbound tunnel when a destination host is reachable via multiple routes. When this variable is enabled, Xpress chooses the tunnel that first serviced the inbound flow. When this variable is disabled, Xpress chooses the tunnel it discovered first.
Default: 0 (off); Min: 0 (off); Max: 1 (on)

tnlLocalArpDiscovery
One of three mechanisms for discovering local hosts for Xpress tunnels. When localArpDiscovery is enabled, Xpress extracts the source IP address from a valid ARP request or response and adds it as a local host for Xpress tunnels. This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.
Note: This variable is applicable to enhanced tunnels only.
Default: 1 (on); Min: 0 (off); Max: 1 (on)
tnlLocalIpDiscovery
One of three mechanisms for discovering local hosts for Xpress tunnels. When localIpDiscovery is enabled, Xpress extracts the IP addresses of all inside hosts and adds them to the local host list for Xpress tunnels. This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.
Note: This variable is applicable to enhanced tunnels only.
Default: 1 (on); Min: 0 (off); Max: 1 (on)

tnlLocalOspfDiscovery
One of three mechanisms for discovering local hosts (subnets) for Xpress tunnels. When the OSPF (Open Shortest Path First) routing protocol is configured on a router, the router broadcasts link-state advertisement (LSA) messages to its subnets. When localOspfDiscovery is enabled, Xpress examines these LSA messages, looking for any subnets that are local to the PacketShaper. These hosts are then added to the local host list. This mechanism does not work in a redundant topology and is disabled by default. In a non-redundant topology, you have the option of enabling this variable if you so choose.
Note: This variable is applicable to enhanced tunnels only.
Default: 0 (off); Min: 0 (off); Max: 1 (on)
tnlRemoteRsvpDiscovery
A mechanism for discovering remote hosts for Xpress tunnels. When remoteRsvpDiscovery is enabled, Xpress sends RSVP Path request messages, and if another Xpress unit along the path recognizes the host being probed for as a local host, it responds with an RSVP Resv reply message. If an RSVP Resv reply message is received for a host, the host is added to the list of remote hosts. This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.
Note: This variable is applicable to enhanced tunnels only.
Default: 1 (on); Min: 0 (off); Max: 1 (on)

tnlTcpServerPort
The TCP port number that Xpress tunnels use for transport.
Notes:
- Traffic from any user machine sourcing from this port will not be accelerated.
- When you change the TCP port number, only new tunnels (those formed after the change) use the new port. If there were any tunnels using the old port, be sure to delete them so that all tunnels use the same port.
64600
65535
trafficIsAsymmetric
When this setting is turned on, PacketWise automatically assumes all flows are asymmetric and stops TCP Rate Control. In topologies where a large percentage of flows are asymmetric, this may be more efficient than attempting to apply regular rate control. In addition to disabling rate control, turning on this setting disables all layer 7 classification activities (PacketWise must see traffic in both directions in order to classify layer 7).
Default: 0 (off); Min: 0 (off); Max: 1 (on)

userEventExtSnmpVersion
Enable/disable the extended SNMP trap for user events. When this variable is turned on, there is an additional field in the trap that indicates the type of situation that triggered the trap. The field indicates violated (when the threshold was exceeded) or rearm (when the rearm value was crossed).
Default: 0 (off); Min: 0 (off); Max: 1 (on)

userEventMaxDefinitions
The maximum number of events that can be user-defined.
Default: 32; Min: 32; Max: 128

userEventMaxRegistrations
The maximum number of events that can be registered.
Default: 32; Min: 32; Max: 128

wccpRedirectUseShaperMAC
This variable determines which source MAC address is used for packets that are rejected by the cache device in WCCP redirection mode. When this variable is enabled, the MAC address of the PacketShaper is used as the source. When the variable is disabled, the MAC address of the paired cache device is used. This variable should be disabled when the cache device and the clients are on different subnets in a VLAN topology. Other supported topologies, as well as the iShaper, should use the default setting (on).
Default: 1 (on); Min: 0 (off); Max: 1 (on)

xpressLegacyMemoryRatio
Percent of memory to assign to legacy tunnels when in migration mode. For example, a ratio of 30 allocates 30 percent of memory to legacy compression tunnels and 70 percent to enhanced Xpress tunnels.
Default: 50; Min: 20; Max: 80

xpressMode
Mode for Xpress tunnels.
0  Legacy mode uses the PacketWise v6.x/7.x tunnel infrastructure. In legacy mode, the commands and capabilities are limited to those that were available in PacketWise 7.x. A tunnel's sole capability in legacy mode is to transport compressed data.
1  Enhanced mode uses the new PacketWise 8.x tunnel infrastructure. In enhanced mode, a tunnel serves multiple purposes and can include one or more of the following features: compression, acceleration, and packing.
2  Migration mode supports both types of tunnels: legacy and enhanced. Use this mode when migrating from earlier versions of PacketWise. For more information about migration mode, see Information about Migration Mode.
Default: 1 or 2. The default mode for new installations is enhanced mode (1); the default for units that have upgraded to 8.x is migration mode (2).
pc syslog add
For PolicyCenter only
Add a Syslog server for PolicyCenter. The logging and PolicyCenter syslog audit trail features give administrators a way to centrally log and analyze user events and system warning messages. For example, if you are using RADIUS authentication, each failed login attempt to PolicyCenter is sent to the defined Syslog server. Adaptive response action files and user events can be configured to send messages to a Syslog server. For example, when you register an event, you are asked whether you want to send events to Syslog; you can define and register an event that sends a message to a Syslog server when retransmissions rise to 30 percent of your network activity.
This command can only be issued by network administrators with touch-role access to the PC organization. You can add up to four servers.

pc syslog add host:<ipaddress> [output:<facility>,<level>] [port:<portnum>] [datetime]

host:<ipaddress>  The Syslog server IP address, for example, host:10.7.38.100
output:<facility>,<level>  The facility and severity level, for example, output:local1,6. Up to three outputs can be specified. The default facility is local4 and the default level is 7. PacketWise user events are at severity level 6; if you want to capture them with Syslog, you must set the level to 6 or 7. See Facility Types and Severity Levels for lists of the valid facility types and levels.
port:<portnum>  The port number of the Syslog server; if the port isn't specified, port 514 is used.
datetime  Include the date and time in the message; the date and time are not included unless you specify the datetime parameter.

For example:
pc syslog add host:10.7.38.100 output:local1,3 datetime

If you need to modify any of the settings later, you need to remove the server and then add it again (see pc syslog remove). Messages are not sent until you enable the logging feature; see pc syslog state. If you want a PacketWise event to be recorded in a Syslog, you need to specify this option when registering the event (see event register).
Facility Types
You can enter the keyword or value specified in the following table.

Description                    Keyword         Value
Kernel                         kern            0
User Processes                 user            1
Electronic Mail                mail            2
Background System Processes    sysd            3
Authorization                  auth            4
System Logging                 sysl            5
Printing                       lpr             6
Usenet News                    news            7
Unix-to-Unix Copy Program      uucp            8
Clock Daemon                   clkd            9
Security                       sec2            10
FTP Daemon                     ftpd            11
NTP Subsystem                  ntp             12
Log Audit                      audit           13
Log Alert                      alert           14
Clock Daemon (2)               clkd2           15
Local use                      local0-local7   16-23
Severity Levels
You can enter the keyword or value specified in the following table. The level determines which messages are sent to the Syslog server and which are suppressed. For example, setting the severity level to 3 allows messages with levels 0-3 and suppresses messages with levels 4-7. If you don't specify a severity level, 7 is used. With the default severity level, messages of all levels are sent to the Syslog server.

Description                                        Keyword   Value
System unusable                                    emerg     0
Take immediate action                              alert     1
Critical condition                                 crit      2
Error message                                      err       3
Warning message                                    warn      4
Normal but significant condition                   notice    5
Informational (includes PacketWise user events)    info      6
Debug message                                      debug     7

At the "warn" level, Packeteer sends the following types of messages to the Syslog server:
- Login failed
- Hard drive status
- Measurement Engine status
- Direct standby status
- Plug-in status

See Packeteer Syslog Warn Messages for a list of these messages. User events that are configured to send a syslog message when a threshold is crossed are sent at the info severity level (6). See event register for more information on configuring an event to send a syslog message. Adaptive response action files that include the send syslog command can designate the severity level at which the message is sent to the Syslog server;
pc syslog rate
For PolicyCenter only
Set the maximum number of syslog messages that are sent per second. This command can only be issued by network administrators with touch-role access to the PC organization.

pc syslog rate <number>

The default rate is 20 messages per second and the valid range is 1-200. You may want to increase the rate if you are experiencing a problem with your unit.
pc syslog remove
For PolicyCenter only
Remove a Syslog server from PolicyCenter. If you need to modify the settings of a server you have added, you will need to remove the server first. This command can only be issued by network administrators with touch-role access to the PC organization.

pc syslog remove <ipaddress>
pc syslog show
For PolicyCenter only
Display the settings for currently defined Syslog servers. This command can only be issued by network administrators with access to the PC organization.

pc syslog show [<ipaddress>]

If no <ipaddress> is specified, the setup of all Syslog servers is displayed. For example:

pc syslog show
Status:      On
Max Rate:    35
Total Sent:  5
Total Lost:  0

Server Addr     Facility     Level
-----------------------------------
10.7.38.200     local4, 20   warn, 4
10.7.38.100     local4, 20   warn, 4

If you specify an <ipaddress>, the settings for a single Syslog server are displayed. For example:

pc syslog show 10.7.38.200
Server Addr: 10.7.38.100
UDP Port: 514
DateTime Option: Not Enabled
------------------------------------
Facility     Level
------------------------------------
local4, 20   warn, 4
Message Format
When viewing the messages at the Syslog server, you will see that the format of a Syslog message is as follows:

ReceiveDateTime address SendDateTime module-severity-MNEMONIC: description

ReceiveDateTime  The date and time the message was received by the Syslog server (may not be included, depending on the setup of the Syslog server)
address  The PacketShaper or PacketSeeker unit's IP address
SendDateTime  The date and time the message was sent to the Syslog server (included only if the datetime parameter was specified when defining the Syslog server)
module  A four-byte string that identifies the type of message. For example, USRE is a user event and SYSW is a system warning.
severity  A single-digit code (0-7) that reflects the severity of the condition; see Severity Levels
MNEMONIC  A code that uniquely identifies the error message, for example, BAD_WR (bad write) or INSERT_F (insert into a list fails)
description  A text string describing the condition

For example:
Aug 6 17:06:27 10.7.38.5 SYSW-4-LOG_WARN: Hard drive is down.

Or, if the datetime parameter was specified:
Aug 6 17:07:25 10.7.38.5 Mon Aug 6 17:05:01 2001 BST (London) SYSW-4-LOG_WARN: Hard drive is down.
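The message format above, together with the facility and severity tables, is enough to write a collector-side parser. The following is an added example, not Packeteer code: it parses lines in the documented ReceiveDateTime address [SendDateTime] module-severity-MNEMONIC: description layout (with and without the optional SendDateTime), resolves an output:<facility>,<level> argument to its numeric values, and applies the Severity Levels rule that a server defined at level N receives only severities 0 through N. The sample lines are constructed for the example; the two hard-drive lines are the ones shown above, the USRE user-event mnemonic and the addresses in the other lines are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Severity keywords and values, from the Severity Levels table above.
SEVERITY: Dict[str, int] = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                            "warn": 4, "notice": 5, "info": 6, "debug": 7}

# Facility keywords and values, from the Facility Types table above.
FACILITY: Dict[str, int] = {"kern": 0, "user": 1, "mail": 2, "sysd": 3, "auth": 4,
                            "sysl": 5, "lpr": 6, "news": 7, "uucp": 8, "clkd": 9,
                            "sec2": 10, "ftpd": 11, "ntp": 12, "audit": 13,
                            "alert": 14, "clkd2": 15}
FACILITY.update({f"local{i}": 16 + i for i in range(8)})

# ReceiveDateTime address [SendDateTime] module-severity-MNEMONIC: description
# SendDateTime is free-form and present only when the server was added with 'datetime',
# so it is matched lazily up to the first module-severity-MNEMONIC token.
_MSG = re.compile(
    r"^(?P<recv>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:(?P<send>\S.*?)\s+)?"
    r"(?P<module>[A-Z0-9]{4})-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<description>.*)$"
)


@dataclass
class PacketeerSyslog:
    received: str
    address: str
    sent: Optional[str]
    module: str       # e.g. USRE (user event) or SYSW (system warning)
    severity: int     # 0..7, see Severity Levels
    mnemonic: str     # e.g. LOG_WARN
    description: str


def parse_line(line: str) -> Optional[PacketeerSyslog]:
    """Parse one line in the documented format; return None if it does not match."""
    m = _MSG.match(line.strip())
    if not m:
        return None
    return PacketeerSyslog(
        received=m["recv"], address=m["addr"], sent=m["send"],
        module=m["module"], severity=int(m["severity"]),
        mnemonic=m["mnemonic"], description=m["description"].strip(),
    )


def parse_output_spec(spec: str) -> Tuple[int, int]:
    """Resolve an output:<facility>,<level> argument (keywords or numbers) to values."""
    fac, lvl = (part.strip() for part in spec.split(","))
    facility = FACILITY[fac] if fac in FACILITY else int(fac)
    level = SEVERITY[lvl] if lvl in SEVERITY else int(lvl)
    if not (0 <= facility <= 23 and 0 <= level <= 7):
        raise ValueError(f"facility or level out of range: {spec!r}")
    return facility, level


def forwarded(msg: PacketeerSyslog, configured_level: int) -> bool:
    """A server defined at level N receives severities 0..N and nothing above N."""
    return msg.severity <= configured_level


# Constructed sample: the two lines from the Message Format section plus two made-up
# lines (a USRE user event and a "Login failed" warning) and one non-Packeteer line.
SAMPLE = """\
Aug 6 17:06:27 10.7.38.5 SYSW-4-LOG_WARN: Hard drive is down.
Aug 6 17:07:25 10.7.38.5 Mon Aug 6 17:05:01 2001 BST (London) SYSW-4-LOG_WARN: Hard drive is down.
Aug 6 17:09:02 10.7.38.5 USRE-6-LOG_INFO: event Retransmissions: violated
Aug 6 17:09:40 10.7.38.5 SYSW-4-LOG_WARN: Login failed
not a packeteer message
"""


def summarize(text: str, configured_level: int) -> Dict[str, int]:
    """Count what parses and what a server defined at configured_level would receive."""
    parsed = [parse_line(l) for l in text.splitlines() if l.strip()]
    msgs = [m for m in parsed if m is not None]
    return {
        "parsed": len(msgs),
        "unparsed": len(parsed) - len(msgs),
        "forwarded": sum(1 for m in msgs if forwarded(m, configured_level)),
        "with_send_time": sum(1 for m in msgs if m.sent is not None),
        "login_failures": sum(1 for m in msgs
                              if m.module == "SYSW" and m.description.startswith("Login failed")),
    }


if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        print(parse_line(line))
    # output:local4,warn as in the pc syslog show example -> facility 20, level 4
    print(parse_output_spec("local4,warn"), summarize(SAMPLE, SEVERITY["warn"]))
```

With the server defined at the warn level, the USRE line at severity 6 is the one that is not forwarded, which is why the text above says a level of 6 or 7 is needed to capture user events.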
pc syslog state
Enable or disable the logging feature so that messages are sent to the defined Syslog server(s). The PolicyCenter Audit Log feature records configuration and operational changes in PolicyCenter. When you download the Kiwi Syslog Daemon from the Kiwi Enterprises web site, then install and configure it, you can view audit log messages directly in the PolicyCenter browser interface. This command can only be issued by network administrators with touch-role access to the PC organization.

pc syslog state on|off|default

Select the default option to set the logging feature to its default off state. To check whether the logging feature is on or off, use the pc syslog show command.
PacketGuide for PacketWise 8.3
pc tacacs acct
For PolicyCenter only
Set up or change the configuration of the TACACS+ accounting service records for your PolicyCenter server. This feature allows you to have an audit trail for user logins. This command can only be issued by network administrators with touch-role access to the PC organization.
To define the TACACS+ accounting service for the PolicyCenter server, use:

pc tacacs acct primary|secondary {<host> <shared_secret> [<port>]}|delete|override

primary|secondary  Enter the literal primary or secondary to indicate which server you are defining. (The secondary server is used when the primary server isn't accessible.)
<host>  The IP address or DNS name of the TACACS+ accounting server
<shared_secret>  The designated secret for the server; quotes are not required
[<port>]  The port number to access the server; if omitted, the default port 49 is used
delete  Deletes the configuration of the primary or secondary server (whichever is specified)
override  This option is not supported by the pc tacacs command

To turn the service on or off, or to return the service to its default off value, use:

pc tacacs acct on|off|default

Example:
pc tacacs acct primary 10.10.10.10 P4assw0rd1
pc tacacs acct secondary 10.10.20.10 Paa55w0rd2
pc tacacs acct on

This example defines a primary accounting server at 10.10.10.10 with a shared secret of P4assw0rd1, as well as a secondary server at 10.10.20.10. The third command line enables the TACACS+ accounting service. Once this service is configured and enabled, PolicyCenter sends a PW_STATUS_START accounting message to the accounting server when a user logs in and a PW_STATUS_STOP message when a user logs off or is disconnected.
pc tacacs auth
For PolicyCenter only
Set up or change the configuration of the TACACS+ authentication service for your PolicyCenter server. Using third-party TACACS+ servers enables you to have central configuration of user accounts.

pc tacacs auth primary|secondary {<host> <shared_secret> [<port>]}|delete

primary|secondary  Enter the literal primary or secondary to indicate which server you are defining. (Note: The TACACS+ client uses the secondary server when the primary server isn't accessible or authentication failed.)
<host>  The IP address or DNS name of the TACACS+ authentication server
<shared_secret>  The designated secret for the server; quotes are not required
[<port>]  The port number to access the server; if omitted, the default port 49 is used
delete  Deletes the configuration of the primary or secondary server (whichever is specified)
override  This option is not supported by the pc tacacs command

To turn the service on or off, or to return the service to its default off value, use:

pc tacacs auth on|off|default

Example:
pc tacacs auth primary 10.10.10.10 CupServ44
pc tacacs auth on

This example first defines a primary authentication server at 10.10.10.10 with a shared secret of CupServ44. The second command line enables the TACACS+ authentication service. Once this is configured and enabled, PolicyCenter prompts users for a user name and password when they log in.
pc tacacs method
For PolicyCenter Only
Select the TACACS+ authentication method for your PolicyCenter server:
- ASCII (American Standard Code for Information Interchange): With ASCII, the username and password are transmitted in clear, unencrypted text.
- PAP (Password Authentication Protocol): With PAP, the username and password are transmitted in clear, unencrypted text. ASCII or PAP authentication is required for TACACS+ configurations that require access to clear-text passwords (for example, when passwords are stored and maintained in a database external to the TACACS+ server).
- CHAP (Challenge Handshake Authentication Protocol): In other environments, CHAP may be preferred for greater security. The TACACS+ server sends a challenge that consists of a session ID and an arbitrary challenge string, and the username and password are encrypted before they are sent back to the server.
- MS-CHAP (Microsoft Challenge Handshake Authentication Protocol): This protocol is very similar to CHAP, but with MS-CHAP authentication, the TACACS+ server can store an encrypted version of a user password to validate the challenge response. Standard CHAP authentication requires that the server store unencrypted passwords.

pc tacacs method ascii|pap|chap|mschap|default

The default authentication method is ascii.

Command Change History
Release   Modification
8.3.0     Command introduced
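To make the difference between the clear-text methods and CHAP concrete, here is an added example (not Packeteer code and not part of this guide): a minimal CHAP exchange computed as specified for PPP CHAP in RFC 1994, with the shared secret CupServ44 borrowed from the pc tacacs auth example and a constructed username. It shows that with CHAP the password itself never crosses the wire, that a captured response cannot be replayed against a fresh challenge, and that the verifier nonetheless has to hold the clear-text password, which is the property the MS-CHAP note above is about.

```python
import hashlib
import hmac
import os
from typing import Dict


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode() + challenge).digest()


class ChapVerifier:
    """Server side of CHAP. It must hold the clear-text secret: with only a hash of the
    password on file it could not recompute MD5(id || secret || challenge)."""

    def __init__(self, users: Dict[str, str]) -> None:
        self._users = dict(users)
        self._outstanding: Dict[int, bytes] = {}   # ident -> challenge not yet answered

    def challenge(self, ident: int) -> bytes:
        c = os.urandom(16)                          # fresh, unpredictable per attempt
        self._outstanding[ident] = c
        return c

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        challenge = self._outstanding.pop(ident, None)  # single use: a replay finds nothing
        secret = self._users.get(username)
        if challenge is None or secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(response, expected)


def pap_on_wire(username: str, password: str) -> bytes:
    """What the ASCII/PAP methods carry to the server: the credentials themselves."""
    return username.encode() + b"\x00" + password.encode()


def chap_on_wire(username: str, ident: int, challenge: bytes, response: bytes) -> bytes:
    """What CHAP carries back to the server: identifier, challenge and 16-byte digest."""
    return username.encode() + b"\x00" + bytes([ident]) + challenge + response


def demo() -> Dict[str, bool]:
    # Secret taken from the pc tacacs auth example above; the username is constructed.
    secret = "CupServ44"
    server = ChapVerifier({"netadmin": secret})
    ident = 1

    c1 = server.challenge(ident)
    good = chap_response(ident, secret, c1)
    results = {
        "pap_exposes_password": secret.encode() in pap_on_wire("netadmin", secret),
        "chap_exposes_password": secret.encode() in chap_on_wire("netadmin", ident, c1, good),
        "valid_response_accepted": server.verify(ident, "netadmin", good),
        # the same response presented again is rejected: challenge c1 has been consumed
        "replay_rejected": not server.verify(ident, "netadmin", good),
    }
    # a new session gets a new challenge; the old digest no longer matches
    server.challenge(ident)
    results["stale_response_rejected"] = not server.verify(ident, "netadmin", good)
    # and a wrong password fails against a fresh challenge
    c3 = server.challenge(ident)
    results["wrong_password_rejected"] = not server.verify(
        ident, "netadmin", chap_response(ident, "not-the-secret", c3))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```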
pc tacacs timeout
For PolicyCenter Only
Set the amount of time TACACS+ waits for a response from a server. By default, the TACACS+ client waits 20 seconds before retrying a login when the TACACS+ server fails to respond.

pc tacacs timeout <seconds>|default

where <seconds> is a value between 1 and 180 seconds. For example:

pc tacacs timeout 25

In this example, the timeout interval is 25 seconds; this interval applies to any configured TACACS+ server. To return to the default timeout interval, use:

pc tacacs timeout default

Command Change History
Release   Modification
8.3.0     Command introduced
ping
Generate pings to test connectivity with another device on the network. If the device answers the pings from the PacketShaper, the message "x.x.x.x is alive" or "x packets transmitted, x packets received" appears. If PacketWise is unable to connect with the device, the message "no answer from x.x.x.x" or "0 packets received" is displayed.

ping <host> [<timeout>]
ping [-s] <host> [<count>]

<host>  IP address or DNS name
<timeout>  Number of seconds to transmit packets; if you don't specify a <timeout> value, PacketWise pings the host for up to 10 seconds
-s  Send a continuous ping
<count>  Number of pings to transmit; if you don't specify a <count> value, PacketWise pings the host 10 times

Examples of Successful Pings

PacketShaper# ping 172.21.1.26
ping (172.21.1.26): 56 data bytes
172.21.1.26 is alive

PacketShaper# ping 172.21.1.26 10
ping (172.21.1.26): 56 data bytes
172.21.1.26 is alive

PacketShaper# ping -s 172.21.1.26 5
ping (172.21.1.26): 56 data bytes
64 bytes from 172.21.1.26: icmp_seq=0
64 bytes from 172.21.1.26: icmp_seq=1
64 bytes from 172.21.1.26: icmp_seq=2
64 bytes from 172.21.1.26: icmp_seq=3
64 bytes from 172.21.1.26: icmp_seq=4
5 packets transmitted, 5 packets received

Examples of Unsuccessful Pings

PacketShaper# ping 192.168.0.1
ping (192.168.0.1): 56 data bytes
no answer from 192.168.0.1

PacketShaper# ping 192.168.0.1 30
ping (192.168.0.1): 56 data bytes
no answer from 192.168.0.1

PacketShaper# ping -s 192.168.0.1
ping (192.168.0.1): 56 data bytes
10 packets transmitted, 0 packets received

PacketShaper# ping -s 192.168.0.1 5
ping (192.168.0.1): 56 data bytes
5 packets transmitted, 0 packets received
plugin library
For PolicyCenter only

Show the current library of plug-in files available for distribution from PolicyCenter to individual PacketShapers.

plugin library

The plugin library command shows the name, type, version number and description of each available plug-in file. Example output of this command:

plugin library
Name      Type   Version   Description
ntpplug   bt03   1.0.0.0   Network News Transport Protocol
rogue     bt03   1.0.0.0   FileRogue - File Sharing Application
sms       bt03   1.0.0.0   Microsoft SMS pre Windows Service Pack 2
plugin prescribe
For PolicyCenter only

Prescribe plug-in files for a PolicyCenter configuration by filename. Use the plugin library command to determine the names of available files.

plugin prescribe [<filename> <filename> ...] default|none|show

<filename>            The filename of the plug-in file you wish to prescribe to a PolicyCenter configuration.
default|none|show     Specify default if the configuration should inherit its plug-ins from a parent configuration, or specify none if the configuration should not inherit its plug-ins. The show option shows the configuration's current plug-in files.

Note: Issuing the plugin prescribe default command on a configuration with an inherited plug-in prescription may incorrectly indicate that there are no inherited plug-ins. Use the command plugin prescribe show to correctly show all plug-ins prescribed for that configuration.
plugin subscribe
For PolicyCenter only

Configure when and how often PacketShapers assigned to a PolicyCenter configuration update plug-in files.

plugin subscribe asap|scheduled|default

The plugin subscribe command has the following options:

asap        PacketShapers assigned to the configuration will automatically update their plug-in files as soon as they are prescribed.
scheduled   PacketShapers assigned to the configuration will wait for the plugin sync command before downloading prescribed files.
default     If set to default, the PolicyCenter configuration inherits its plug-in subscription behavior from its parent configuration.
policy admit
Set the admission-control mechanism for a policy.

policy admit <tclass> squeeze|refuse|"<redirect-URL>" [nontcp|nonweb|web]

<tclass>                          The traffic class whose policy is to be changed
squeeze|refuse|"<redirect-URL>"   This admission-control mechanism determines what happens when there isn't enough bandwidth to satisfy a guaranteed rate allocation. When the mechanism is squeeze, new connections will get at most 256 bps (1024 bps on PacketShaper 3500, 7500, 9500, and 10000 models). When the mechanism is refuse, the connection is refused. For web traffic only, when the mechanism is "<redirect-URL>", the connection will be redirected to the specified URL.
[nontcp|nonweb|web|all]           The traffic type

The policy admit command supports these combinations:

Admission Control Mechanism   Traffic Types
squeeze                       nontcp, nonweb, web
tcp_refuse                    nonweb tcp
http_refuse                   web
http_redirect                 web
Priority-based policies are used to establish a priority for traffic without specifying a particular rate. Use priority policies for traffic that does not burst, or whenever rate is not your primary objective.
For example, to guarantee 10k to Inbound/HTTP, use the following command:

policy apply rate inbound/http 10k 10k

To allow a policy to use excess rate, specify the following additional parameters:

<priority> [automatic] [<excess_lo_bps> <excess_hi_bps>] [<excess_limit_bps>]

<priority>                          The excess rate priority for this traffic class, ranging from 0 (lowest) to 7 (highest)
[automatic]                         Adjusts scaling automatically at run time
[<excess_lo_bps> <excess_hi_bps>]   The excess rate for this class' low- and high-speed connections (if you don't specify automatic). If you choose to use this option, both speeds must be specified. The minimum value allowed for <excess_lo_bps> is 256 (1024 bps on PacketShaper 3500, 7500, 9500, and 10000 models).
[<excess_limit_bps>]                The maximum excess rate that can be used by this class

Guaranteed rate represents the minimum acceptable service level and thus the minimum acceptable rate to allocate. Low- and high-speed rate specifications are used to scale rate allocation to the user's access speed. For example, to guarantee 10k to Inbound/HTTP burstable up to 48K at priority 3, use the following command:

policy apply rate inbound/http 10k 10k 3 automatic 38k

Note: Excess rate is expressed differently in the CLI command than in the browser interface. In the browser interface, you specify 48k for the limit, but in the CLI you specify 38k for the amount of excess (the 48k limit minus the guaranteed rate of 10k). To change the guaranteed rate later, use the policy guaranteed command. To adjust the excess rate, use the policy excess command.
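The following is an added example, not PacketWise or Packeteer code: it assembles a policy apply rate command from the values an operator would enter in the browser interface, applying the rules stated above (k/M/G suffixes, the per-model minimum guaranteed rate, priority 0 to 7, and the CLI's excess amount being the limit minus the guaranteed rate). The model names and the default model "1200" are taken from this page; the function names are this example's own.

```python
"""Build a 'policy apply rate' command from browser-style inputs.
Added example, not PacketWise code."""
import re

# Models the page lists with a 1024 bps minimum; all others use 256 bps.
HIGH_MIN_MODELS = {"3500", "7500", "9500", "10000"}
SUFFIX = {"": 1, "k": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_rate(text):
    """'10k' -> 10000, '1M' -> 1000000, '256' -> 256 (k/M/G per the page)."""
    m = re.fullmatch(r"(\d+)([kMG]?)", str(text).strip())
    if not m:
        raise ValueError(f"bad rate {text!r}: expected digits with optional k/M/G")
    return int(m.group(1)) * SUFFIX[m.group(2)]


def format_rate(bps):
    """Render bps with the largest suffix that divides it evenly."""
    for suffix in ("G", "M", "k"):
        if bps % SUFFIX[suffix] == 0:
            return f"{bps // SUFFIX[suffix]}{suffix}"
    return str(bps)


def min_guaranteed(model):
    """Minimum guaranteed rate in bps for a PacketShaper model (page's rule)."""
    return 1024 if str(model) in HIGH_MIN_MODELS else 256


def is_valid_guaranteed(rate, model):
    return parse_rate(rate) >= min_guaranteed(model)


def build_rate_policy(tclass, guaranteed, priority=None, limit=None, model="1200"):
    """Return the CLI line. 'guaranteed' is applied to both the low- and
    high-speed rates, as in the page's own examples (10k 10k); 'limit' is the
    burst limit as the browser interface shows it. The CLI gets the excess
    amount (limit - guaranteed), which is the conversion the page warns about."""
    g = parse_rate(guaranteed)
    floor = min_guaranteed(model)
    if g < floor:
        raise ValueError(f"guaranteed rate {g} bps is below the {floor} bps minimum for model {model}")
    parts = ["policy", "apply", "rate", tclass, format_rate(g), format_rate(g)]
    if priority is not None:
        if not 0 <= int(priority) <= 7:
            raise ValueError("excess priority must be 0 (lowest) to 7 (highest)")
        parts += [str(priority), "automatic"]
        if limit is not None:
            excess = parse_rate(limit) - g
            if excess <= 0:
                raise ValueError("limit must exceed the guaranteed rate")
            parts.append(format_rate(excess))
    elif limit is not None:
        raise ValueError("a limit needs an excess priority")
    return " ".join(parts)


if __name__ == "__main__":
    # The page's worked example: 10k guaranteed, burstable to 48k at priority 3.
    print(build_rate_policy("inbound/http", "10k", 3, "48k"))  # ... 10k 10k 3 automatic 38k
```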
PacketGuide for PacketWise 8.3
policy default
Apply the PacketWise-recommended policy to a traffic class. policy default <tclass>
policy delaybound
Set the delay bound for a policy to perform non-TCP rate control. PacketWise uses a UDP latency control mechanism to rate-control individual UDP traffic flows and minimize packet loss. PacketWise accumulates incoming UDP packets on a flow-by-flow basis when they are not scheduled for immediate transfer. With the UDP latency control mechanism, you define a delay bound, that is, how long the packets can remain buffered before they become too old to be useful. If UDP flows don't get sent immediately (because of link congestion, for example), they are placed in a buffer or queue. UDP flows stay in the queue until they are sent or until the delay bound time is exceeded, in which case the packets are dropped.

policy delaybound <tclass> [<bound_in_milliseconds>]|default

<tclass>                    The traffic class whose policy is to be changed
[<bound_in_milliseconds>]   The new delay bound, from 1 to 10,000 milliseconds. The default delay bound is set to 200 milliseconds.

Note: Unless you have specific requirements for buffering non-TCP traffic, it is recommended that you do not change the delay bound size, as it has been optimized for most network environments. Use the traffic bandwidth command to view rate exceptions, that is, flows that have exceeded the delay bound.
policy dscp
Substitute a value into the Differentiated Services Code Point (DSCP) field in each packet for the class. As defined in the Differentiated Services specification (RFC 2474), the DSCP field is the first six bits of the Type of Service (TOS) field in the IP header. This field is used by routers to make prioritized routing decisions.

policy dscp <tclass> unchanged|<dscp>

Valid <dscp> values are 0-63, inclusive.
policy excess
Modify a rate-based policy's excess rate allocation.

policy excess <tclass> <priority> [automatic|<lo_speed_bps> <hi_speed_bps>] [<excess_limit_bps>]

<tclass>      The traffic class whose policy is to be changed
<priority>    The new highest priority for excess rate allocation

Optional rate allocations can be specified:

automatic                         Automatically scale the low-speed and high-speed rates
[<lo_speed_bps> <hi_speed_bps>]   The new low- and high-speed rates. If you choose to use this option, both speeds must be specified. The minimum value allowed for <lo_speed_bps> is 256 (1024 on PacketShaper 9500 and 10000 models).
[<excess_limit_bps>]              The maximum excess rate that can be used by this class

For example, the following command sets the excess rate limits for the FTP traffic class Inbound/Outside/ftp. It is assigned a priority of 4, and assigns both high- and low-speed users an excess rate of 50,000 bps with a total excess rate limit of 200,000 bps:

policy excess /inbound/outside/ftp 4 50k 50k 200k
policy failover
Configure a policy to react to failover mode, replacing the policy's guaranteed rate with a rate that is appropriate for the loss of a router link. Use this command if the unit has been configured to go into failover mode when it detects a problem with a site router link.

policy failover <tclass> none|<speed_bps>

<tclass>      Traffic class with the policy that is to be changed
none          Remove the failover guaranteed rate from this class
<speed_bps>   Guaranteed rate to apply to the class when failover is active. Rates may be specified as integer bits per second, followed by a k (thousands), M (millions), or G (billions). The guaranteed rate must be a minimum of 256 bps (1024 bps on PacketShaper 3500, 7500, 9500, and 10000 models).

For example, the following commands set the guaranteed rate for the test class for normal link conditions. The policy failover command sets the guaranteed rate for the test class when the router link fails and a backup link with less bandwidth is used:

policy apply rate test 100k 100k 5 10k 10k
policy failover test 25k
policy flowlimit
Limit the rate of new flows to or from a unique host. This command can be used to detect and control a SYN Flood or similar denial-of-service attack directed at a particular host or if the attack is from a specific IP address. Flows exceeding the rate are blocked from passing through the unit. The limits are set to default values of 10,000 flows per minute on client hosts and 100,000 flows per minute on servers; depending on your network, you may need to change these defaults for effective control of SYN floods.

Flow limits are automatically set on any classes that have a rate or priority policy assigned to them, and PacketWise will automatically block any flows that exceed these limits.

Note: You cannot set a flow limit on a class unless it already has a rate or priority policy assigned to it.

If you want to set or adjust the default limits on a particular class, use:

policy flowlimit <tclass> none|<client-fpm> <server-fpm>

<tclass>       Traffic class where the policy is located
none           Remove the flow limit
<client-fpm>   Maximum number of flows per minute to allow from each individual host; valid values are 0 to 1000000000 (one billion)
<server-fpm>   Maximum number of flows per minute to allow to each individual host; valid values are 0 to 1000000000 (one billion)

Note that the <client-fpm> and <server-fpm> rates include new flows of all types from an individual client or to an individual server (not just flows of the type of traffic matching this specific traffic class or policy).

PacketWise offers measurement variables to track the number of flows that were blocked due to a server (flow destination) or a client (flow initiator) exceeding the flow limit rate specified in the policy flowlimit command: server-flood-block and client-flood-block.

If you don't want flow limits to be set automatically for newly created classes, enter the following commands:

policy flowlimit inbound/default none
policy flowlimit outbound/default none

To disable all flow limit policies without clearing each one, you can use the following command:

setup variable PolicyFlowLimitForAllClasses 0
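The following is an added example, not PacketWise code: an offline model of the per-host flow-rate limit described above, useful for replaying flow logs to pick <client-fpm> and <server-fpm> values before changing the defaults. New flows are counted per client (initiator) and per server (destination) over a sliding 60-second window, a flow is blocked when either host is over its limit, and the two counters mirror the client-flood-block and server-flood-block measurement variables. The flow record format, the sample records and the small limits are constructed for the demo; whether blocked attempts count toward the rate is an assumption.

```python
"""Replay flow-start records against a per-host flows-per-minute limit.
Added example, not PacketWise code."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60


def parse_flow_line(line):
    """Constructed record format: 'ts=5 client=10.0.0.5 server=192.168.1.10'."""
    fields = dict(token.split("=", 1) for token in line.split())
    return int(fields["ts"]), fields["client"], fields["server"]


class FlowLimiter:
    def __init__(self, client_fpm, server_fpm):
        self.client_fpm = client_fpm      # max new flows per minute from each host
        self.server_fpm = server_fpm      # max new flows per minute to each host
        self._by_client = defaultdict(deque)
        self._by_server = defaultdict(deque)
        self.client_flood_block = 0       # mirrors the client-flood-block variable
        self.server_flood_block = 0       # mirrors the server-flood-block variable
        self.admitted = 0

    @staticmethod
    def _count(window, now):
        # Drop attempts older than one minute, then record this attempt.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        return len(window)

    def admit(self, ts, client, server):
        """Return True if the flow passes. Blocked attempts still count toward
        the host's rate (assumption; the page does not say either way)."""
        from_client = self._count(self._by_client[client], ts)
        to_server = self._count(self._by_server[server], ts)
        if from_client > self.client_fpm:
            self.client_flood_block += 1
            return False
        if to_server > self.server_fpm:
            self.server_flood_block += 1
            return False
        self.admitted += 1
        return True


def replay(lines, client_fpm, server_fpm):
    """Feed flow records in timestamp order and return the counters."""
    limiter = FlowLimiter(client_fpm, server_fpm)
    for ts, client, server in sorted(map(parse_flow_line, lines)):
        limiter.admit(ts, client, server)
    return {"admitted": limiter.admitted,
            "client_flood_block": limiter.client_flood_block,
            "server_flood_block": limiter.server_flood_block}


# Constructed sample: one host opens 12 flows to a server within 12 seconds,
# a second host opens one flow, and the first host returns after the window.
SAMPLE_FLOWS = (
    [f"ts={i} client=10.0.0.99 server=192.168.1.10" for i in range(12)]
    + ["ts=5 client=10.0.0.5 server=192.168.1.10",
       "ts=70 client=10.0.0.99 server=192.168.1.10"]
)

if __name__ == "__main__":
    # Client limit of 10/min: attempts 11 and 12 from 10.0.0.99 are blocked.
    print(replay(SAMPLE_FLOWS, client_fpm=10, server_fpm=100))
    # Server limit of 3/min: the server side trips first, for every client.
    print(replay(SAMPLE_FLOWS, client_fpm=1000, server_fpm=3))
```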
policy guaranteed
Modify a rate policy's guaranteed rate allocations.

policy guaranteed <tclass> <lo_speed_bps> <hi_speed_bps>

<tclass>                        Traffic class whose policy is to be changed
<lo_speed_bps> <hi_speed_bps>   New low-speed and high-speed guaranteed rates. Rates may be specified as integer bits per second, followed by a k (thousands), M (millions), or G (billions). The guaranteed rate must be a minimum of 256 bps (1024 bps on PacketShaper 3500, 7500, 9500, and 10000 models).

For example, the following command sets the low-speed and high-speed rates (10000 bps for low-speed users and 100000 bps for high-speed users) for a class named inbound/jup_202_http:

policy guaranteed inbound/jup_202_http 10000 100000
policy mpls-exp
Add or change the experimental (EXP) bits field of the MPLS (Multi-Protocol Label Switching) label on a packet. This field can be used in different ways; for example, some routers use the EXP field to set class of service.

policy mpls-exp <tclass> swap|delete <exp>

<tclass>       Traffic class for which you want to modify the experimental bits field of the MPLS label
swap <exp>     Marks the EXP field of an MPLS packet with the specified <exp> value (0 to 7)
delete <exp>   Deletes the mpls-exp policy on the class

For example, to mark /outbound/http packets with an <exp> value of 7, use this command:

policy mpls-exp /outbound/http swap 7

To remove an mpls-exp policy that has an <exp> value of 7, use this command:

policy mpls-exp /outbound/http delete 7

The mpls-exp policy can be applied only to a class that already has a rate or priority policy. Note that the mpls-exp policy is applicable only if the packet has an MPLS label. If the packet doesn't have a label, the mpls-exp policy will simply be ignored. If packets don't already have MPLS labelling, you can use the policy mplslabel command to create an MPLS-tagging policy. If more than one MPLS label exists in the stack, only the outermost label's EXP field can be marked.
policy mplslabel
Add or change an MPLS (Multi-Protocol Label Switching) label on a packet. It can be applied only to a class that already has a rate or priority policy defined.

policy mplslabel <tclass> push|swap <mplslabel> | pop <times> | delete <operation>

<tclass>             Traffic class for which you want to modify the MPLS label
push <mplslabel>     Puts an MPLS label in a packet (and creates the MPLS stack if it doesn't exist); the <mplslabel> is the value of the label to be pushed (0 to 1048575)
swap <mplslabel>     Swaps the topmost label of the MPLS stack with the specified <mplslabel> (0 to 1048575)
pop <times>          Pops off the topmost label of the MPLS stack in the packet the specified number of <times>
delete <operation>   Deletes the specified <operation> (pop, swap, or push) from the policy

Note that MPLS policies will work only on IP traffic. A class can have a combination of push, swap, and pop operations in its MPLS policy; the pop operation can be specified multiple times (up to 8). If more than one operation type is specified for a given class, they are executed in the following order: pop, swap, push. For example, a class might have a policy that specifies a swap, three pops, and a push. In this case, the three pops occur first, then the swap, and then the push.
policy precedence
Substitute a precedence value for IP-based traffic classes.

policy precedence <tclass> unchanged|<precedence>

<tclass>                   The traffic class for which you want to change precedence.
unchanged | <precedence>   Use unchanged to turn off precedence substitution, restoring precedence to its default value. Or, enter a precedence value 0 to 7, where 7 is the highest priority.

Note: The policy precedence command supplements rate and priority policies; that is, a traffic class must have a policy already applied to it before you use the policy precedence command to substitute a precedence value.
policy remove
Remove a policy from a traffic class. policy remove <tclass>
policy route
Divert specific traffic to an alternative route by sending the class' traffic to a secondary gateway or router. Set the MAC address routing for a traffic class.

policy route <tclass> none|<macaddr>

PacketWise substitutes the MAC address and transmits the packet accordingly.
policy show
Display policy information.

policy show <tclass> [clear]

<tclass>   Explicit traffic class name whose policy is to be displayed, for example Inbound/Outside/http
[clear]    Reset the associated traffic class and policy hit counts
policy substitute
PacketWise can detect the speed of a web connection at the first HTTP get request. You can use the policy substitute command to re-map the requested URL by substituting a URL that's more appropriate for the speed of the connection.

policy substitute <tclass> none
policy substitute <tclass> above|below <speed> "<pattern>" "<newpattern>"

<tclass>         The traffic class to which you are applying the policy
above|below      Specify above or below a connection speed to indicate when the URL should be substituted.
<speed>          The connection speed that, in conjunction with above or below, triggers the content substitution
"<pattern>"      Specify in quotes the current URL pattern, which will be substituted with a new pattern. Wildcard patterns are not supported. This URL string is compared with the pattern in the /directory/file portion of a URL. PacketWise ignores the http://computer-name portion of a URL when performing matching or substitution.
"<newpattern>"   The URL that you specify for substitution must be the same length as the original URL. The formatting rules are the same as those listed for the <pattern> parameter.

For example, to better serve a low-speed user, you could substitute a text-based web page for the regular home page:

policy substitute inbound/outside/web-in below 28800 "home-1.htm" "home-2.htm"
policy test
Test a policy to determine what rate will be allocated.

policy test <tclass> <rate_bps>

<tclass>     The traffic class whose policy is to be tested
<rate_bps>   The access speed to use to determine rate allocation

Example: Assume the class inbound/http has the following policy settings: 10k guaranteed, burstable at priority 5, limit of 100k. To see how excess rate is allocated when there is 150 Kbps of demand, use the following command:

policy test inbound/http 150k
Policy Settings
  Guaranteed rate   lo 10k   hi 10k
  Excess rate       default priority 5   CAP 90k
Allocation for flow at rate 150000
  Guaranteed rate                  10000
  Excess rate at priority 5    ->  25088
  Excess rate total                90000
  Excess rate demand   0  0  15k  0  25k  25k  25k

This output shows how PacketWise would allocate bandwidth when traffic class inbound/http generates 150 Kbps of demand. The top part of the display summarizes the policy settings. The excess rate (90k, next to CAP) is calculated by subtracting the guaranteed rate from the limit (100k-10k=90k). The lower portion of the output lets you see how the excess rate is allocated between priority levels, 0-7. The sum of the rates allocated at each priority level equals the total excess rate (90k, in this example).
policy tos
Set a specific type of service for an IP traffic flow. It can be applied only to a class that already has a rate control policy defined.

policy tos <tclass> unchanged|<tos>

<tclass>          Explicit traffic class name for which you want to change the type of service
unchanged|<tos>   Use unchanged to turn off TOS substitution. Enter a <tos> value according to the following standard:
                    8 = minimize delay
                    4 = maximize throughput
                    2 = maximize reliability
                    1 = minimize monetary cost
                    0 = normal service
                  Values can be combined to define broader results. For example, a value of 3 indicates "maximize reliability and minimize monetary cost."
policy vlan
Add or change a VLAN identification (802.1Q) or priority (802.1p) on a packet. It can be applied only to a class that already has a rate or priority policy defined.

Parameters for a priority (type:8021p) policy:

<tclass>
swap <priority>      Swaps the topmost priority level on the VLAN stack with the specified <priority>, 0 to 7. For example, to change the VLAN priority to 6: policy vlan type:8021p vlantestclass swap 6

Parameters for a VLAN identification (type:8021q) policy:

<tclass>
push <vlanid>
swap <vlanid>
pop <times>          Pops off the topmost label of the VLAN stack in the packet the specified number of <times>
delete <operation>   Deletes the specified <operation> (pop, swap, or push) from the policy

Examples:

policy vlan type:8021q testclass pop 2
policy vlan type:8021q testclass push 1
policy vlan type:8021q testclass swap 6
policy vlan type:8021q testclass delete pop

A class can have a combination of push, swap, and pop operations in its VLAN policy; the pop operation can be specified multiple times (up to 8). If more than one operation type is specified for a given class, they are executed in the following order: pop, swap, push. For example, a class might have a policy that specifies a swap, three pops, and a push. In this case, the three pops occur first, then the swap, and then the push.

Note: A VLAN ID swap policy will automatically zero out the existing VLAN priority. To keep an existing non-zero priority value or to set a priority, be sure to specify a VLAN priority swap policy as well.
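The following is an added example, not PacketWise code, serving both the policy mplslabel and the policy vlan sections: a simulator for a class's combined push/swap/pop policy that runs the operations in the order the page gives (pop, then swap, then push), caps pops at 8, checks the MPLS label range from the page, and models the note that a VLAN ID swap zeroes the 802.1p priority unless a priority swap is configured too. Stacks are lists with the outermost label first; what happens when a pop or swap meets an empty stack is an assumption marked in the comments.

```python
"""Simulate PacketWise-style label-stack policies (MPLS and VLAN).
Added example, not PacketWise code."""

MPLS_LABEL_MAX = 1_048_575   # label range the page gives for push/swap: 0 to 1048575
MAX_POPS = 8                 # "the pop operation can be specified multiple times (up to 8)"


class LabelStackPolicy:
    """One class's push/swap/pop operations, executed as pop, swap, push."""

    def __init__(self, label_max=MPLS_LABEL_MAX):
        self.label_max = label_max
        self.pops = 0
        self.swap_label = None
        self.push_label = None

    def _check(self, label):
        if not 0 <= label <= self.label_max:
            raise ValueError(f"label {label} outside 0..{self.label_max}")
        return label

    def push(self, label):
        self.push_label = self._check(label)
        return self

    def swap(self, label):
        self.swap_label = self._check(label)
        return self

    def pop(self, times=1):
        if self.pops + times > MAX_POPS:
            raise ValueError(f"at most {MAX_POPS} pops per class")
        self.pops += times
        return self

    def delete(self, operation):
        """Mirror 'delete pop|swap|push': remove that operation from the policy."""
        if operation == "pop":
            self.pops = 0
        elif operation == "swap":
            self.swap_label = None
        elif operation == "push":
            self.push_label = None
        else:
            raise ValueError("operation must be pop, swap or push")
        return self

    def apply(self, stack):
        """Return the stack after pop, then swap, then push (the page's order)."""
        stack = list(stack)
        # pop: assumed to stop quietly once the stack is empty (not stated on the page)
        del stack[:min(self.pops, len(stack))]
        # swap: replaces the topmost label; assumed a no-op on an empty stack
        if self.swap_label is not None and stack:
            stack[0] = self.swap_label
        # push: adds a new outermost label, creating the stack if none exists
        if self.push_label is not None:
            stack.insert(0, self.push_label)
        return stack


def apply_vlan_swaps(tag, new_vlan_id=None, new_priority=None):
    """tag is (vlan_id, priority). Per the page's note, an ID swap resets the
    priority to 0; a priority swap (0..7) must be configured to keep or set one."""
    vlan_id, priority = tag
    if new_vlan_id is not None:
        vlan_id, priority = new_vlan_id, 0
    if new_priority is not None:
        if not 0 <= new_priority <= 7:
            raise ValueError("802.1p priority must be 0..7")
        priority = new_priority
    return (vlan_id, priority)


if __name__ == "__main__":
    # The page's example: a swap, three pops and a push, executed as pop, swap, push.
    policy = LabelStackPolicy().swap(555).pop(3).push(777)
    print(policy.apply([100, 200, 300, 400]))          # [777, 555]
    print(apply_vlan_swaps((10, 5), new_vlan_id=20))   # (20, 0): priority zeroed
```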
portal delete
Delete a customer portal account. Note: This command is not available on the PacketShaper 1200 or 1400 Lite models. portal delete <name>|all
portal library
For PolicyCenter only Show the current portfolios of customer portal files available for distribution from PolicyCenter to individual PacketShapers. portal library [verbose] The portal library command shows the name of the available portfolios only. Use portal library verbose to view the names of all the customer portfolio files within each portfolio.
portal modify
Modify customer account information.

Note: This command is not available on the PacketShaper 1200 or 1400 Lite models.

portal modify <name> <password> <directory> <message-of-the-day>

If RADIUS or TACACS+ authentication is enabled, passwords are not used (they are entered at the RADIUS/TACACS+ server). Thus, the syntax when RADIUS or TACACS+ is enabled is:

portal modify <name> <directory> <message-of-the-day>

Parameter              Description
<name>                 The existing customer login name
<password>             The password for the customer account. If you are using RADIUS or TACACS+ authentication, you do not specify a password here; the customer portal will use the password specified for this user in the RADIUS/TACACS+ server.
<directory>            The new name of the customer's home directory (up to 8 characters); this directory will be created on the unit's hard disk under 9.258/customer (optional)
<message-of-the-day>   The new custom message-of-the-day (optional)

If you don't specify the parameters, PacketWise will prompt you for the information:

portal modify
Enter the name of the customer : mycust
Enter the new password :
Confirm new password :
Enter the new home directory name, 8 characters or less : newdir
Enter the new custom message-of-the-day (optional) : All network resources online
Customer mycust was modified

Note: You will not be prompted for a password if RADIUS authentication is enabled.

After this is executed, mycust's home directory will be 9.258/customer/newdir.

Note: You must explicitly type each entry when you use prompted mode. If, for example, you press Enter at the password prompt, the new password value becomes (none).
portal new
Create a new customer portal account.

Note: This command is not available on the PacketShaper 1200 or 1400 Lite models.

portal new <name> <password> <directory> <message-of-the-day>

If RADIUS or TACACS+ authentication is enabled, passwords are not used (they are entered at the RADIUS/TACACS+ server). Thus, the syntax when RADIUS or TACACS+ is enabled is:

portal new <name> <directory> <message-of-the-day>

Parameter              Description
<name>                 The login name the customer will use; up to 32 characters long, use numbers, letters and underscores; spaces are not allowed. If you are using RADIUS or TACACS+ authentication, this name must match the user name entered in the RADIUS/TACACS+ server. Note: If the directory name is not specified, then the login name is used for the directory name. In this case, the login name is limited to 8 characters because the directory name is limited to 8 characters.
<password>             The password for the customer account. If you are using RADIUS or TACACS+ authentication, you do not specify a password here; the customer portal will use the password specified for this user in the RADIUS/TACACS+ server.
<directory>            The name of the customer's home directory (up to 8 characters); this directory will be created on the unit's hard disk under 9.258/customer (optional)
<message-of-the-day>   A text string of 128 characters or less, intended to carry simple messages such as "System will be down from 5:00 am to 6:00 am tomorrow" (optional)

You must use empty quotes ("") if you don't want to enter a value for a parameter. For example, to create a user MyCust with a directory named cust01 (no password, no message of the day), use:

portal new MyCust "" cust01 ""

If you don't specify any parameters with the portal new command, PacketWise will prompt you for the values. This is an example of prompted mode:

portal new
Enter the customer login name, password, home directory name (8 characters or less) and an optional custom message-of-the-day (128 characters or less).
Enter the customer's login name, e.g. 'marysmith' : mycust
Enter the password :
Confirm the password :
Enter the customer's home directory name, e.g. 8 characters or less : mycust
Enter a custom message-of-the-day (optional): No network outages
Customer mycust was added.

Note: You will not be prompted for a password if RADIUS authentication is enabled.

After this is executed, a directory 9.258/customer/mycust will exist. The service provider must FTP an INDEX.HTM file to it before the mycust customer can use it effectively.

Note: You must explicitly type each entry when you use prompted mode. If, for example, you press Enter at the password prompt, the new password value becomes (none).
portal prescribe
For PolicyCenter only

Prescribe a group of customer portal files by portfolio name. Use the portal library command to determine available customer portal portfolios.

portal prescribe <portfolio> default|none|show

<portfolio>         A portfolio is any sub-folder of PolicyCenter/publish/portal that contains a group of portal files.
default|none|show   Specify default if the configuration should inherit its portfolio of customer portal files from a parent configuration, or specify none if the configuration should not inherit its portfolio. The show option shows the configuration's current prescribed portfolio of customer portal files.
portal show
Display the current customer portal configuration.

Note: This command is not available on the PacketShaper 1200 or 1400 Lite models.

portal show
Customer Name   Password   Directory   Message
----------------------------------------------------------------------
Farnsworths     ******     books       Inventory starts Friday!
Sigma_Air       ******     air         No scheduled network outages

The Password column does not appear if RADIUS authentication is enabled.
portal subscribe
For PolicyCenter only

Configure when and how often PacketShapers assigned to a PolicyCenter configuration update their portfolio of customer portal files.

portal subscribe asap|scheduled|default

The portal subscribe command has the following options:

asap        PacketShapers assigned to the configuration will automatically update their customer portal portfolio as soon as it is prescribed.
scheduled   PacketShapers assigned to the configuration will wait for the portal sync command before downloading the prescribed portfolio of files.
default     If set to default, the PolicyCenter configuration inherits its portal subscription behavior from its parent configuration.
portal sync
For units in shared mode only

Issue this command from an individual PacketShaper to immediately download customer portal files prescribed for the unit's PolicyCenter configuration. This command is only required when the PolicyCenter configuration prescription mode has been set to scheduled with the portal subscribe command.

Note: This command is not available on the PacketShaper 1200 or 1400 Lite models.

Note: It is not necessary to issue this command if the prescription mode is currently in its default state, or has been set to asap with the portal subscribe command.

portal sync

See also: plugin subscribe
pwd
Show the working directory. pwd
radius acct
Test and debug the setup of your RADIUS accounting server. This command sends test accounting messages to the server.

radius acct start|stop|on|off

Specify start to send a test message that tells the accounting server that someone logged in and stop to send a log-off test message. The administrator can then verify that these messages are in the accounting server log. They will appear in the log under the name RadiusAccountingTestUser. You can use the on and off parameters to send a message to the server that the RADIUS accounting service is on or off. Note that this command does not affect the setup of the accounting service; if the service was enabled with the setup radius acct on command, it will remain enabled (even if you used radius acct off to send a test message that the accounting service is off).
radius chaplogin
Send a test CHAP login request to the RADIUS authentication server. This command is useful for testing and debugging the setup of your RADIUS authentication server, when Challenge-Handshake Authentication Protocol (CHAP) is used.

radius chaplogin <username> <password>

For example:

radius chaplogin bob 12567
chap ID = 0x1
challenge = 37a9aa04189c7ac5c826fde6a52c988f
password = 12567
response = 7610c93540dc90422fb4b077d23dd63a
"bob" RADIUS Authentication OK
Vendor-Specific: access=touch

The above output indicates that the authentication of the user Bob was successful. If authentication fails, you will see one of the following messages:

Message: (message text missing from this copy)
What you should do: Use the setup radius auth on command to enable authentication, and then send another test login request.

Message: No server configured
Meaning: The RADIUS authentication service is turned on in PacketWise, but the server is not configured.
What you should do: Use the setup radius auth primary command and specify the authentication server's IP address, port number, and shared secret. Then send another test login request.

Message: (message text missing from this copy)
Meaning: The RADIUS authentication service is turned on in PacketWise and the server is configured. This message could be caused by any of the following situations; what you should do depends on the cause:
- Contact your RADIUS administrator to verify that you are using the correct user name and password.
- Contact your RADIUS administrator to check the status of the RADIUS authentication server. It's a good idea to configure a secondary server to have a backup in case the primary server fails.
- Contact your RADIUS administrator to verify the host name or IP address of the authentication server.
- The authentication service may not be enabled on the RADIUS server side: contact your RADIUS administrator to verify that the authentication service is enabled on the RADIUS server.
- The server may not be configured to work as a Packeteer client: for information on configuring the RADIUS server with Packeteer-specific attributes, see Configure RADIUS Servers.
- The LAN may be busy or down: check the status of the network.
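The following is an added example, not PacketWise or Packeteer code: it reproduces the arithmetic behind the chaplogin output above. With CHAP (RFC 1994, MD5 variant) the password never crosses the wire; the client answers the challenge with MD5(identifier || password || challenge), and the RADIUS server recomputes the digest from its own copy of the password. The helper checks a challenge/response pair offline, feeding it the values printed in the page's sample output; whether they match is reported, not assumed, since the appliance's exact encoding is not stated on the page.

```python
"""Recompute and check a CHAP (RFC 1994) response as the RADIUS server does.
Added example, not PacketWise code."""
import hashlib
import hmac


def chap_response(ident, password, challenge_hex):
    """Return the 32-hex-digit response for a one-byte CHAP identifier."""
    if not 0 <= ident <= 0xFF:
        raise ValueError("CHAP identifier is a single byte")
    material = bytes([ident]) + password.encode() + bytes.fromhex(challenge_hex)
    return hashlib.md5(material).hexdigest()


def verify_chap(ident, password, challenge_hex, response_hex):
    """True if response_hex is the response for this password and challenge.
    Constant-time comparison, as a server-side check should use."""
    expected = chap_response(ident, password, challenge_hex)
    return hmac.compare_digest(expected, response_hex.lower())


# Values copied from the page's radius chaplogin sample output.
PAGE_IDENT = 0x1
PAGE_CHALLENGE = "37a9aa04189c7ac5c826fde6a52c988f"
PAGE_RESPONSE = "7610c93540dc90422fb4b077d23dd63a"
PAGE_PASSWORD = "12567"


def page_sample_matches():
    """Does the page's printed response equal the RFC 1994 computation?"""
    return verify_chap(PAGE_IDENT, PAGE_PASSWORD, PAGE_CHALLENGE, PAGE_RESPONSE)


if __name__ == "__main__":
    print("page sample response matches RFC 1994 computation:", page_sample_matches())
```

Note that the CLI output echoes the test password in clear, so scrub it before pasting a transcript into a ticket or chat.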
radius clear
Clear the accounting drop count and remove the drop-notice banner. When an accounting request is dropped because the accounting server was not configured correctly or was unreachable for some reason, PacketWise keeps track of these dropped accounting requests and displays a banner alerting you that requests have been dropped. You can use the radius clear command to clear this banner. radius clear
radius login
Send a test PAP login request to the RADIUS authentication server. This command is useful for testing and debugging the setup of your RADIUS authentication server, when Password Authentication Protocol (PAP) is used.

radius login <username> <password>

For example:

radius login bob 12567
"bob" RADIUS Authentication OK
Vendor-Specific: access=touch

The above output indicates that the authentication of the user Bob was successful. If authentication fails, you will see one of the following messages:

Message: (message text missing from this copy)
What you should do: Use the setup radius auth on command to enable authentication, and then send another test login request.

Message: No server configured
Meaning: The RADIUS authentication service is turned on in PacketWise, but the server is not configured.
What you should do: Use the setup radius auth primary command and specify the authentication server's IP address, port number, and shared secret. Then send another test login request.

Message: (message text missing from this copy)
Meaning: The RADIUS authentication service is turned on in PacketWise and the server is configured. This message could be caused by any of the following situations; what you should do depends on the cause:
- Contact your RADIUS administrator to verify that you are using the correct user name and password.
- Contact your RADIUS administrator to check the status of the RADIUS authentication server. It's a good idea to configure a secondary server to have a backup in case the primary server fails.
- Contact your RADIUS administrator to verify the host name or IP address of the authentication server.
- The authentication service may not be enabled on the RADIUS server side: contact your RADIUS administrator to verify that the authentication service is enabled on the RADIUS server.
- The server may not be configured to work as a Packeteer client: for information on configuring the RADIUS server with Packeteer-specific attributes, see Configure RADIUS Servers.
- The LAN may be busy or down: check the status of the network.

Message: Error: Reply didn't contain an access level attribute
Meaning: The user name and password are valid, but the user wasn't configured with an access level attribute.
What you should do: Configure the RADIUS server with an access level attribute for this user.
421
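The PAP exchange behind radius login, as an added Python example (not PacketWise code and not taken from this page): it builds an Access-Request with the RFC 2865 password hiding, plays a minimal authentication server that answers Accept or Reject, and then checks the reply the way the outcomes listed above describe (success with an access level, failed credentials, a reply without an access level attribute, and a reply whose Response Authenticator does not verify, which is what a wrong shared secret looks like on the wire). The shared secret, the user database and the sample packets are constructed; the Packeteer vendor ID and the vendor attribute number used for "access=" are assumptions marked as placeholders.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_VENDOR_SPECIFIC = 1, 2, 26
# Assumed placeholders for the Packeteer "access=" vendor-specific attribute;
# verify both against your RADIUS server dictionary before relying on them.
VENDOR_ID = 2334
VSA_ACCESS_TYPE = 1

# Constructed sample user database: user -> (password, access level or None)
USERS = {"bob": ("12567", "touch"), "carol": ("s3cret", None)}


def attr(atype, value):
    """Encode one type-length-value attribute."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vsa(vendor_id, vtype, value):
    """Encode a Vendor-Specific attribute wrapping one vendor TLV."""
    inner = struct.pack("!BB", vtype, 2 + len(value)) + value
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def parse_attrs(data):
    """Decode a TLV run into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        out.append((atype, data[i + 2:i + alen]))
        i += alen
    return out


def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    if not pw:
        pw = b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_reveal(hidden, secret, authenticator):
    """Inverse of pap_hide; the key for block n is chained from hidden block n-1."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode(errors="replace")


def build_access_request(username, password, secret, ident=1, authenticator=None):
    """Client side of 'radius login <username> <password>' (PAP)."""
    req_auth = authenticator or os.urandom(16)  # must be unpredictable in real use
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, pap_hide(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_respond(request, secret, users=USERS):
    """Toy authentication server: Accept (with the access-level VSA if set) or Reject."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(parse_attrs(request[20:length]))
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = pap_reveal(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    code, rattrs = ACCESS_REJECT, b""
    if user in users and hmac.compare_digest(users[user][0].encode(), password.encode()):
        code = ACCESS_ACCEPT
        if users[user][1]:
            rattrs = vsa(VENDOR_ID, VSA_ACCESS_TYPE, f"access={users[user][1]}".encode())
    head = struct.pack("!BBH", code, ident, 20 + len(rattrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(head + req_auth + rattrs + secret).digest()
    return head + resp_auth + rattrs


def check_response(request, response, secret):
    """Client side: verify the reply, then map it to the outcomes the page lists."""
    req_auth = request[4:20]
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return ("identifier mismatch (reply does not belong to this request)", None)
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return ("bad Response Authenticator (wrong shared secret or forged reply)", None)
    if code != ACCESS_ACCEPT:
        return ("Authentication failed", None)
    for atype, value in parse_attrs(response[20:length]):
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            payload = value[6:4 + value[5]]
            if vendor == VENDOR_ID and payload.startswith(b"access="):
                return ("RADIUS Authentication OK", payload[7:].decode())
    return ("Error: Reply didn't contain an access level attribute", None)
```

The Response Authenticator check is the part worth keeping in mind when a test login fails: a shared secret mismatch does not produce a readable error from the server, it produces a reply the client cannot verify, so "server configured but not responding" symptoms deserve a look at the secret as well as at the network.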
radius session

Show a list of current user sessions (RADIUS, TACACS, ds, local) and detailed information about each session.

radius session

ID   Stat   Age       Idle      Limit    Type   Access   User Name
            40 mins   0 secs    60 mins  CLI    touch    bob
            91 secs   91 secs   60 mins  FTP    touch    john
            167 secs  17 secs   60 mins  WUI    touch    george
            45 mins   0 secs    60 mins  CLI    touch    bob

Column      Description
ID          Identification given to the user session
Stat        The status of the session: live (the session is active), dead (the session timed out), new (the user is in the process of logging in)
Age         Length of time the session has been active, that is, the amount of time since the user logged in
Idle        Amount of time since the user gave a command; whenever a user gives a command, the idle value is reset to zero
Limit       Amount of time a session is idle before the user will be timed out and logged off; for example, if the limit is 60 minutes, a user will get logged off when no commands are given for a 60-minute period. Note: The PacketWise default session life limit is 60 minutes. However, the RADIUS or TACACS+ server can be independently configured with different limits for different users, and these limits override PacketWise's.
Type        Type of interface used: CLI (command-line interface), WUI (web user interface), or FTP (file transfer protocol)
Access      Type of access: Touch, Look, or Portal (if access is through a customer portal)
User Name   Name of the user who logged into the session
radius show

Display RADIUS client configuration. Use this command to verify that RADIUS authentication and accounting are enabled, to see the current settings for the retry limit and retry interval, and to view the configuration settings for the primary and secondary authentication and accounting servers.

radius show

Radius method is CHAP
Radius Authentication is ON
Radius Accounting is OFF
Retry limit: 3
Retry interval: 5
            auth1             auth2             acct1      acct2
---------------------------------------------------------------------------
Server      172.23.225.203    172.23.225.213
Secret      packet            packet
Port        1812              1812              0          0
Status      Up                Unknown           Unknown    Unknown
Attempts    1                 0                 0          0
Success     1                 0                 0          0
Timeout     0                 0                 0          0
Auth1 last accessed: Wed Jul 11 14:16:48 2007
Auth2 was never accessed!

The output also indicates the number of attempts made to connect to each server, the number of successful connections, and the number of connections that timed out.
reset

Reset the unit. In certain situations, you may need to reboot the unit, for example, after creating host accounting categories, changing system variables, and installing plug-ins.

reset

The statistics that are cleared after you reset the device include: active IP hosts, current speed per host, active flows, peak flows, Top Talkers/Listeners, and dynamic hosts for Xpress tunneling. All counters on the Monitor Traffic page are reset. All traffic configurations (such as classes, policies, partitions, and static hosts defined for Xpress tunneling) are preserved when you reboot. To reset all settings to factory default, use the setup reset all command.

PacketGuide for PacketWise 8.3
rm

Remove one or more files from the unit's flash disk or hard drive.

rm <file>...
rmdir

Remove a directory from the unit's flash disk or hard drive.

rmdir <dir>
rtm accept

Note: This command is not available on PacketShaper ISP or PacketShaper 1200 models.

Set an acceptable service level threshold percentage for response time measurement (RTM). The default is 100%.

rtm accept <tclass> <percent>

where <tclass> is the traffic class to be defined.
rtm clear

Note: This command is not available on PacketShaper ISP or PacketShaper 1200 models.

Zero out response time measurement statistics for all classes.

rtm clear
rtm drilldown

Note: This command is not available on PacketShaper ISP or PacketShaper 1200 models.

List the hosts with the highest percentage of slow transactions, as defined by the class' Total Delay Threshold. A feature of the drilldown command is to suppress hosts that had fewer than N transactions, as they might skew the data.

rtm drilldown <tclass> [<number> [<cutoff>]]

<tclass>   Specify a traffic class that tracks response time and has a threshold.
<number>   Limit the number of displayed entries (default is 10).
<cutoff>   Don't list hosts with fewer than cutoff transactions. This eliminates the hosts whose response figures aren't meaningful because too few data points were available (few transactions). If you want to include every host in the rtm drilldown output, set the optional cutoff parameter to 1.
rtm hosts

Note: This command is not available on PacketShaper ISP or PacketShaper 1200 models.

Enable or disable worst client/server tracking for a class.

rtm hosts <tclass> enable|disable

where <tclass> is the traffic class to be tracked.
rtm show

Note: This command is not available on PacketShaper ISP or PacketShaper 1200 models.

Display a summary of the RTM statistics for all traffic classes with response-time data.

rtm show

The display has one row per traffic class with the following information:

Traffic Class   The name of the traffic class
Goodness        The number of good transactions (those within the Total Delay Threshold) divided by the transaction count, multiplied by 100. In other words, the percentage of good transactions.
                The average number of milliseconds required by the class' transactions.
Normal          The value in the Normal column is the component of the transaction time that is directly related to the transaction size. An increase or decrease in that number does not indicate any change in network or server performance and requires no user intervention. This value is not tracked by the measurement engine.
rtm threshold

Note: This command is not available on PacketShaper ISP or PacketShaper 1200 models.

Differentiate between acceptable and unacceptable response by supplying a threshold that defines good performance. PacketWise uses the threshold when evaluating each transaction's total delay figure. If the transaction completes within the time indicated by the threshold, the transaction is considered "good."

rtm threshold <tclass> <delay>|none [total|network|server]

Specify the delay threshold in milliseconds or remove the threshold using the none literal. The threshold maximum is 99 seconds.

If you set a network or server delay threshold in the CLI, the setting will not appear in the browser interface, as these types of thresholds are not supported in the browser version of PacketWise. (Only the total delay threshold can be set in the browser interface.) Note that using the browser interface to make any changes to a class's RTM settings will clear the network or server delay you set in the CLI.
rtm worst

Note: This command is not available on PacketShaper ISP or PacketShaper 1200 models.

Display the traffic classes that have the "worst" response-time statistics.

rtm worst [goodness|total|network|server [<number> [<cutoff>]]]

goodness|total|network|server   Displays response time measurement data sorted by Total Delay, Network Delay, Server Delay, or Goodness. If a data type is not specified, goodness is the default type.
<number>   Limits the number of classes that are displayed. The default value is 10.
<cutoff>   Excludes the traffic classes that have less than the number of transactions specified by this cutoff value. The default is 10.
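The arithmetic that the rtm show, rtm drilldown, rtm threshold and rtm worst descriptions above share, as an added Python example (not PacketWise code and not taken from this page): a per-class threshold on total, network or server delay with the 99-second maximum; goodness as good transactions divided by the transaction count, times 100; a per-host drilldown that suppresses hosts below the cutoff; and a worst-class ranking by goodness or by a delay column with its own cutoff. Transactions, host addresses and class names are constructed sample data. The page does not state the built-in default cutoff for rtm drilldown, so the example uses 1 there, which includes every host.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_THRESHOLD_MS = 99_000            # rtm threshold maximum: 99 seconds
KINDS = ("total", "network", "server")


@dataclass(frozen=True)
class Txn:
    """One measured transaction (constructed sample data), delays in milliseconds."""
    tclass: str
    host: str
    total_ms: int
    network_ms: int
    server_ms: int


def valid_threshold(delay_ms):
    return delay_ms is None or 1 <= delay_ms <= MAX_THRESHOLD_MS


def set_threshold(thresholds, tclass, delay_ms, kind="total"):
    """rtm threshold <tclass> <delay>|none [total|network|server]; None removes it."""
    if kind not in KINDS or not valid_threshold(delay_ms):
        raise ValueError("threshold must be 1..99000 ms on total, network or server")
    if delay_ms is None:
        thresholds.pop(tclass, None)
    else:
        thresholds[tclass] = (delay_ms, kind)
    return thresholds


def is_good(txn, thresholds):
    """Good means the thresholded delay completed within the threshold."""
    delay_ms, kind = thresholds[txn.tclass]
    return getattr(txn, f"{kind}_ms") <= delay_ms


def rtm_show(txns, thresholds):
    """One row per class that has a threshold: goodness % and average delays."""
    by_class = defaultdict(list)
    for t in txns:
        if t.tclass in thresholds:
            by_class[t.tclass].append(t)
    rows = {}
    for tclass, items in by_class.items():
        n = len(items)
        rows[tclass] = {
            "count": n,
            "goodness": round(100.0 * sum(is_good(t, thresholds) for t in items) / n, 1),
            "total": round(sum(t.total_ms for t in items) / n),
            "network": round(sum(t.network_ms for t in items) / n),
            "server": round(sum(t.server_ms for t in items) / n),
        }
    return rows


def rtm_drilldown(txns, thresholds, tclass, number=10, cutoff=1):
    """Hosts with the highest % of slow transactions; hosts under cutoff are suppressed."""
    per_host = defaultdict(list)
    for t in txns:
        if t.tclass == tclass:
            per_host[t.host].append(t)
    rows = []
    for host, items in per_host.items():
        if len(items) < cutoff:
            continue                      # too few data points to be meaningful
        slow = sum(not is_good(t, thresholds) for t in items)
        rows.append((host, len(items), round(100.0 * slow / len(items), 1)))
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows[:number]


def rtm_worst(txns, thresholds, sort_by="goodness", number=10, cutoff=10):
    """Classes ranked worst first: ascending goodness, or descending delay column."""
    if sort_by not in ("goodness",) + KINDS:
        raise ValueError("sort_by must be goodness, total, network or server")
    rows = [(c, r) for c, r in rtm_show(txns, thresholds).items() if r["count"] >= cutoff]
    if sort_by == "goodness":
        rows.sort(key=lambda cr: (cr[1]["goodness"], cr[0]))
    else:
        rows.sort(key=lambda cr: (-cr[1][sort_by], cr[0]))
    return [c for c, _ in rows[:number]]


# Constructed sample: HTTP thresholded on total delay, SMTP on server delay.
THRESHOLDS = set_threshold(set_threshold({}, "/Inbound/HTTP", 500), "/Inbound/SMTP", 200, "server")
TXNS = [
    Txn("/Inbound/HTTP", "10.0.0.1", 100, 40, 60), Txn("/Inbound/HTTP", "10.0.0.1", 900, 700, 200),
    Txn("/Inbound/HTTP", "10.0.0.1", 950, 150, 800), Txn("/Inbound/HTTP", "10.0.0.1", 120, 50, 70),
    Txn("/Inbound/HTTP", "10.0.0.2", 100, 40, 60), Txn("/Inbound/HTTP", "10.0.0.2", 150, 50, 100),
    Txn("/Inbound/HTTP", "10.0.0.2", 200, 80, 120), Txn("/Inbound/HTTP", "10.0.0.2", 250, 100, 150),
    Txn("/Inbound/HTTP", "10.0.0.3", 1000, 800, 200), Txn("/Inbound/HTTP", "10.0.0.3", 1100, 300, 800),
    Txn("/Inbound/SMTP", "10.0.1.5", 150, 50, 100), Txn("/Inbound/SMTP", "10.0.1.5", 400, 100, 300),
    Txn("/Inbound/SMTP", "10.0.1.5", 250, 100, 150),
]
```

With this data the two cutoffs behave the way the text warns: a drilldown with cutoff 3 hides host 10.0.0.3, whose two transactions would otherwise top the list at 100% slow, and rtm worst with its default cutoff of 10 omits the SMTP class entirely because only three transactions were measured.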
run

Run a command file or script. This command runs in the context of your current directory. The filename must have a cmd suffix. An output file, <filename>.out, contains the results of command-file execution. To view the contents of this output file, use the cat or more command.

Note: PacketWise's diagnostic commands (arp, dns, ping, net, sys, uptime) and utility commands (cat, cd, cmp, cp, date, du, echo, head, history, ls, mkdir, more, mv, pwd, rm, rmdir, and tail) cannot be executed from a command file or used with the schedule command.
schedule delete

Delete a scheduled command execution.

schedule delete <item_id>|all

The scheduled item is removed from the list, but the remaining items are not renumbered. For example, in the following list, item 3 was deleted, leaving items 1, 2, and 4 intact. This command produces output similar to the following:

Id   Time Range   Issued   Date   Command   Mail recipients
schedule disable

Disable a scheduled item so that it won't be executed. If you want to permanently remove the scheduled item, use the schedule delete command.

schedule disable <item_id> | all

where <item_id> is the ID of the item displayed in the schedule show output. Use the all parameter to disable all entries.

After you have disabled an item, it will still be listed in the schedule show output, but [disabled] will appear at the end of the line.

Id         Time Range          Issued   Date      Command         Mail recipients
00000001:  08:00:00-08:00:40   1        weekday   "p2pday.cmd"*   test@abc.com   [disabled]
2DA2B03E:  18:00:00-18:00:40   1        weekday   "p2peve.cmd"*   test@abc.com
7EC07402:  06:00:00-06:00:40   1        weekend   "p2psat.cmd"*
5545F94E:  06:00:00-06:00:40   0        daily     "test.cmd"*     test@abc.com
schedule enable

Enable a scheduled item that has been disabled with the schedule disable command.

schedule enable <item_id> | all

where <item_id> is the ID of the item displayed in the schedule show output. Use the all parameter to enable all entries.
schedule new

Schedule a command to execute at a specific time and date. When using the scheduling feature, it's important that your unit has the correct date and time. Use the date command to check the date and time. If you need to correct the date or time, use the setup date command.

Scheduling is limited to 64 scheduled commands. Scheduled commands that are no longer needed (for example, expired commands scheduled to run only once) should be removed from the list via the schedule delete command, so they do not continue to consume available resources.

Note for units in shared mode: A command scheduled for a unit via a PolicyCenter sharable configuration will not be able to permanently remove itself from the unit after the command has run. If PolicyCenter detects that a scheduled command is in the unit's PolicyCenter configuration but no longer on the unit itself, PolicyCenter will synchronize the unit's settings with its PolicyCenter configuration to restore that command to the unit. If the time range for the scheduled command is not over, the command may run again. To permanently delete a command scheduled via PolicyCenter, you must remove the command from the unit's sharable PolicyCenter configuration, not just from the unit itself.

When setting the time for a scheduled command, take biannual time changes into consideration. For example, if you set a command to execute at 2:30am in the United States, the command will not be executed when the clock changes ahead one hour for Daylight Saving Time. You can ensure a command will be executed during a clock change by specifying a time range (such as 02:00-04:00).

schedule new [<day option>] <time_range>[utc] <cmd>|{-f[d] <cmd_file>} [mail:<address>] [id:<item_id>] [disable]

[<day option>]
Specifies the day(s) the schedule should run. If you don't specify the <day option>, the scheduled item will run every day. Specify one of the following for <day option>:
  now
  today | +<n>
  [once:]<date>[,<date>]
  [once:]weekday | weekend | <dow>[,<dow>]
  [once:]<dom>[,<dom>]
+<n> is <n> days from today. For example, +1 is tomorrow.
<date> is a specific date in the format mm/dd. The date is assumed to be a future date, within the next twelve months. For example, if today is 5/30/02 and you specify the date 5/29, the item will be scheduled for execution on May 29, 2003. You can specify up to 10 dates separated by commas.
The once: option, which optionally precedes the <date> and the following options, specifies that the item should be executed once for each of the specified dates. If you don't specify once:, the item will be executed on an ongoing basis, according to the date(s) you specified.
weekday executes the item on weekdays only (Monday through Friday). weekend executes the item on weekends (Saturday and Sunday). These two options are useful for setting different policies for weekdays and weekends. For example, you might want music file sharing to have less bandwidth during the week than on the weekend.
<dow> is the day of the week, specified with the first three letters of the day (mon, tue, wed, thu, fri, sat, sun). If you specify more than one day, each day is separated by a comma and no space, for example, mon,wed. You can specify up to seven days of the week.
<dom> is a specific day of the month, for example, 15 for the fifteenth of the month. You can specify up to 31 days, separated by commas.

<time_range>[utc]
Specifies the time at which the command or command file should be executed. The syntax is:
  hh:mm[.ss][-hh:mm[.ss]]
where hh is the hour from 0 to 23, and mm and ss are minutes and seconds from 0 to 59. For example, to specify the time 5pm, enter 17:00. If a range is not specified, PacketWise will attempt to execute the command within a 40-second window. If you want to allow more time for the command(s) to be executed, you can specify a range (for example, 08:00-08:02). The legacy syntax hhmm.ss is supported for backward compatibility.
Use the optional suffix utc to specify a coordinated universal time (UTC). Specifying times in UTC (similar to Greenwich mean time) is useful when managing units in different time zones. For example, 1800Z is 1pm in Eastern standard time and 4pm in Pacific standard time.

<cmd>
The CLI command to be executed. The command should be enclosed in quotation marks.

-f[d] <cmd_file>
The name of the file that contains a list of CLI commands. Specify a path to the <cmd_file> unless the file is in the default directory (9.256/cmd). The filename should be eight characters or less and have a .CMD extension. Use the d option if you want the command file to be deleted after it is executed, for example -fd policy.cmd.

[mail:<address>]
Sends the output of the command or command file execution to the specified email address(es), allowing you to confirm that the command executed at the specified date and time. You can specify up to four email addresses, separated by commas. In order to use this feature, you must configure a mail server. See setup email.

[id:<item_id>]
Assigns the specified ID to the scheduled item. <item_id> can be up to eight characters long and can contain the numbers 0-9 and the letters A-F and a-f. This parameter is primarily used to override inherited entries when using shared mode (PolicyCenter). The ID is shown in the list of scheduled entries via the schedule show command. If you don't specify an ID, PacketWise assigns a random number.
Note: It's recommended that you allow PacketWise to automatically create the ID rather than manually assign the ID with the id option. If you do manually assign an ID, make sure you follow the guidelines for ID names, as described above.

[disable]
Disables the scheduled item so that it won't be executed. If you want to enable or disable the item after it is created, use the schedule enable or schedule disable command.

You will typically want to create scheduled items in complementary pairs. For example, you can create one scheduled item for a policy that is applicable during work hours and another schedule for a policy that is applicable after hours.

schedule new weekday 08:00 policy apply rate /inbound/gnutella 4800 9600 2 4800 4800
schedule new weekday 18:00 policy apply rate /inbound/gnutella 128k 256k 4 256k 256k

If you use the mail:<address> parameter, an email message containing the command output will be sent to the specified <address> shortly after the schedule is executed.

Note: PacketWise's diagnostic commands (arp, dns, ping, net, sys, uptime) and utility commands (cat, cd, cmp, cp, date, du, echo, head, history, ls, mkdir, more, mv, pwd, rm, rmdir, and tail) cannot be executed from a command file or used with the schedule command.

For situations and examples of when you might want to use the schedule command, see: Control Instant Messaging; Adjust Management Strategy According to Time of Day.

Command Change History
Release   Modification
8.0.1     now <day option> introduced
8.0.0     no change
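A parser for the schedule new day and time syntax above, as an added Python example (not PacketWise code and not taken from this page). It applies the 40-second default window, accepts the legacy hhmm.ss form and the utc suffix, implements the future-date rule for mm/dd, matches the weekday, weekend, <dow>, <dom>, +<n> and once: forms, and shows why a single time can be skipped on the spring-forward day while a range is not. The clock-change model is a constructed single transition (standard time UTC-5 jumping to UTC-4 at 02:00 local time on 12 March 2023) rather than a real zone database; dates may be passed as date objects or ISO strings.

```python
import re
from datetime import date, datetime, time, timedelta

TIME_RE = re.compile(r"^(\d{1,2}):(\d{2})(?:\.(\d{2}))?$")   # hh:mm[.ss]
LEGACY_RE = re.compile(r"^(\d{2})(\d{2})(?:\.(\d{2}))?$")      # hhmm[.ss], legacy form
DEFAULT_WINDOW = timedelta(seconds=40)
DOW = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")

# Constructed clock-change model: a single spring-forward transition.
STD, DST = timedelta(hours=-5), timedelta(hours=-4)
TRANSITION_UTC = datetime(2023, 3, 12, 7, 0)   # 02:00 standard time becomes 03:00


def as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def parse_clock(text):
    m = TIME_RE.match(text) or LEGACY_RE.match(text)
    if not m:
        raise ValueError(f"bad time {text!r}")
    h, mi, s = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if not (0 <= h <= 23 and 0 <= mi <= 59 and 0 <= s <= 59):
        raise ValueError(f"time out of range {text!r}")
    return time(h, mi, s)


def parse_time_range(spec):
    """'hh:mm[.ss][-hh:mm[.ss]][utc]' -> (start, end, is_utc)."""
    is_utc = spec.lower().endswith("utc")
    if is_utc:
        spec = spec[:-3]
    start_text, _, end_text = spec.partition("-")
    start = parse_clock(start_text)
    if end_text:
        end = parse_clock(end_text)
    else:   # no range given: PacketWise tries within a 40-second window
        end = (datetime.combine(date(2000, 1, 1), start) + DEFAULT_WINDOW).time()
    return start, end, is_utc


def next_occurrence(mmdd, today):
    """mm/dd is always taken as a future date within the next twelve months."""
    today = as_date(today)
    month, day = (int(p) for p in mmdd.split("/"))
    candidate = date(today.year, month, day)
    return candidate if candidate >= today else date(today.year + 1, month, day)


def day_matches(day_option, d, today):
    """Does the <day option> select calendar day d, given today's date?"""
    opt = day_option.lower()
    if opt.startswith("once:"):
        opt = opt[5:]
    if opt == "":                       # no day option: run every day
        return True
    if opt in ("now", "today"):
        return d == today
    if opt.startswith("+"):
        return d == today + timedelta(days=int(opt[1:]))
    if opt == "weekday":
        return d.weekday() < 5
    if opt == "weekend":
        return d.weekday() >= 5
    parts = opt.split(",")
    if all(p in DOW for p in parts):
        return DOW[d.weekday()] in parts
    if all(p.isdigit() and 1 <= int(p) <= 31 for p in parts):
        return d.day in {int(p) for p in parts}
    if all("/" in p for p in parts):
        return any(d == next_occurrence(p, today) for p in parts)
    raise ValueError(f"bad day option {day_option!r}")


def offset_at(utc_naive):
    return DST if utc_naive >= TRANSITION_UTC else STD


def local_exists(wall):
    """A wall-clock time exists if some offset maps it to an instant that uses that offset."""
    return any(offset_at(wall - off) == off for off in (STD, DST))


def first_run(day_option, time_range, d, today):
    """First wall-clock minute in the window on day d at which the item fires, or None."""
    d, today = as_date(d), as_date(today)
    if not day_matches(day_option, d, today):
        return None
    start, end, is_utc = parse_time_range(time_range)
    begin, finish = datetime.combine(d, start), datetime.combine(d, end)
    if is_utc:                          # UTC has no gaps, so the window start is used
        return begin
    t = begin
    while t <= finish:
        if local_exists(t):
            return t
        t += timedelta(minutes=1)
    return None                         # whole window fell into the clock-change gap
```

Run against the page's own example, a bare 02:30 on the transition day yields no run at all, whereas 02:00-04:00 fires at the first minute that exists on the clock, 03:00.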
schedule show

List the currently scheduled commands.

schedule show [-time] [-utc]

[-time]   Sorts schedules by time, with the earliest start time listed first. Without the -time switch, schedules are sorted by ID.
[-utc]    Lists schedules in their original time input. If time was entered in coordinated universal time (UTC) format, the UTC time will be displayed with a Z after the time (for example, 00:00:00-00:00:40Z). If the time was specified in local time, the local time will be displayed. Without the -utc switch, all times are listed in local time; in other words, any UTC times are converted to local time on the display. An L displays after the converted UTC time (for example, 08:00:00-08:00:40L).

This command produces output similar to the following:

Id         Time Range          Issued   Date      Command         Mail recipients
00000001:  08:00:00-08:00:40   1        weekday   "p2pday.cmd"*   test@abc.com   [disabled]
2DA2B03E:  18:00:00-18:00:40   1        weekday   "p2peve.cmd"*   test@abc.com
7EC07402:  06:00:00-06:00:40   1        weekend   "p2psat.cmd"*
5545F94E:  06:00:00-06:00:40   0        daily     "test.cmd"*     test@abc.com

Each scheduled event has a unique ID, which can be used to delete items from a schedule. The number in the "Issued" column indicates how many times the command has executed. An asterisk (*) flags command-file items. If [disabled] appears (as in the first entry), the item has been disabled with the schedule disable command and will not be executed.
send email

Define an email message. Include this command in an adaptive response action file to trigger an email notification of a change in the status of a unit or your network.

send email <address> "<subject>" ["<body>"]

<address>   Email address of the recipient
<subject>   Text to be included on the subject line
<body>      Text to be included in the body of the email message

The total maximum length of the send email command is 256 characters.

Note: You must first configure a mail server with the setup email command before you can issue the send email command.
send syslog

Define a syslog message that will be sent to a syslog server.

send syslog FDBK <severity> <mnemonic> ["<string>"]

<severity>   Specify one of the following severity levels: emergency, alert, critical, error, warn, notice, info, debug. See Severity Levels for more information about severity levels.
<mnemonic>   Any 9-character string that can be used to categorize the message
"<string>"   Text to be included in the syslog entry

Note: You must configure a syslog server with the setup syslog command before you can use the send syslog command to send a syslog message.

Including this command in an adaptive response action file triggers a syslog message to be sent to a previously defined syslog server. If you include action file variables in this command, the agent automatically enters the values for the variables as the action file is run. The user cannot change the values of these variables; their values come from the agent only. The following example command could be included in an action file for a "High Bandwidth Host" agent:

send syslog FDBK error $agentname "$scorecolor: $namelist is the biggest violator."

The High Bandwidth Host agent will automatically fill in the $agentname, $scorecolor, and $namelist variables with the name of the agent, the agent's status color at the time the action file was triggered, and the name of the host.
send trap

Define an SNMP (Simple Network Management Protocol) trap that will be sent to an SNMP trap listener.

send trap "<name>" <color> ["<description>"]

<name>          Name of an agent for which you want to send a trap. If the agent name has a space, enclose it in quotation marks, for example, "My Agent."
<color>         Agent's status color at the time of the trap: red, yellow, green, or blue
<description>   Description of what happened at the time of a trap

Including this command in an adaptive response action file triggers a trap to be sent to a previously defined SNMP trap destination. When you include adaptive response agent action file variables in this command, the agent automatically enters the values for the variables as the file is run. The user cannot change the values of these variables; their values come from the agent only. The following example command could be included in a red action file for a Packet Drops agent:

send trap "$agentname" $scorecolor "$classname is the biggest violator."

The Packet Drops agent will automatically fill in the $agentname, $scorecolor and $classname variables with the name of the agent, the agent's status color at the time of the trap, and the name of the traffic class. If excessive packet drops in the traffic class /Inbound/HTTP triggered the red action file, the action file variables would make the action file read as follows:

send trap "Packet Drops" red "/Inbound/HTTP is the biggest violator"

Note: In order to send SNMP traps, PacketWise needs to know where to send the traps. See Configure PacketWise for SNMP Support.
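The variable expansion and the limits that the send email, send syslog and send trap descriptions above state, as an added Python example (not PacketWise code and not taken from this page): each action-file line is tokenized, $agentname-style variables are filled in the way the agent would fill them, and the result is checked against the stated constraints (the 256-character send email limit, the severity list, the 9-character mnemonic, the four status colors) before the action file is deployed. The variable values and the sample action file are constructed; tokenizing before substitution is this example's choice, so that a value containing spaces, such as an agent name, stays a single argument.

```python
import shlex
from string import Template

SEVERITIES = {"emergency", "alert", "critical", "error", "warn", "notice", "info", "debug"}
COLORS = {"red", "yellow", "green", "blue"}
MAX_EMAIL_LEN = 256      # total length of a send email command
MAX_MNEMONIC = 9         # send syslog mnemonic length


def expand(line, variables):
    """Tokenize first, then substitute, so a value with spaces stays one argument."""
    return [Template(tok).substitute(variables) for tok in shlex.split(line)]


def render(tokens):
    """Rebuild the command line, double-quoting any argument that contains whitespace."""
    return " ".join(f'"{t}"' if any(c.isspace() for c in t) else t for t in tokens)


def validate(tokens):
    """Return a list of problems; empty when the command obeys the stated constraints."""
    problems = []
    if len(tokens) < 2 or tokens[0] != "send":
        return ["not a send command"]
    kind = tokens[1]
    if kind == "email":
        if len(tokens) not in (4, 5):
            problems.append('usage: send email <address> "<subject>" ["<body>"]')
        elif "@" not in tokens[2]:
            problems.append("recipient does not look like an email address")
        if len(render(tokens)) > MAX_EMAIL_LEN:
            problems.append(f"send email command exceeds {MAX_EMAIL_LEN} characters")
    elif kind == "syslog":
        if len(tokens) not in (5, 6) or tokens[2] != "FDBK":
            problems.append('usage: send syslog FDBK <severity> <mnemonic> ["<string>"]')
        else:
            if tokens[3].lower() not in SEVERITIES:
                problems.append(f"unknown severity {tokens[3]!r}")
            if len(tokens[4]) > MAX_MNEMONIC:
                problems.append(f"mnemonic {tokens[4]!r} longer than {MAX_MNEMONIC} characters")
    elif kind == "trap":
        if len(tokens) not in (4, 5):
            problems.append('usage: send trap "<name>" <color> ["<description>"]')
        elif tokens[3].lower() not in COLORS:
            problems.append(f"unknown status color {tokens[3]!r}")
    else:
        problems.append(f"unknown send subcommand {kind!r}")
    return problems


def check_action_file(text, variables):
    """Expand and validate every non-blank line; returns {line_no: [problems]} for failures."""
    report = {}
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            problems = validate(expand(raw, variables))
        except (ValueError, KeyError) as exc:   # unbalanced quotes or unknown variable
            problems = [f"cannot expand: {exc}"]
        if problems:
            report[n] = problems
    return report


# Constructed sample: the values a Packet Drops agent would supply for its red action file,
# and an action file whose third line breaks two of the stated rules.
DROPS_VARS = {"agentname": "Packet Drops", "scorecolor": "red", "classname": "/Inbound/HTTP"}
SAMPLE_ACTION_FILE = """send trap "$agentname" $scorecolor "$classname is the biggest violator."
send syslog FDBK error DROPS "$scorecolor: $classname is the biggest violator."
send syslog FDBK fatal "$agentname" "$classname"
send email ops@example.com "$agentname is $scorecolor" "$classname"
"""
```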
all
secure-http
secure-telnet
setup adaptiveresponse

Turns all configured adaptive response agents on or off, or returns all agents to their default state.

Note: To enable or disable a single agent, use instead the commands agent on or agent off.

setup adaptiveresponse on|off|default
setup capture

Capture PacketWise's configuration. The output can be created in a portable form (without specific IP addresses) or complete form (IP addresses included). The output file includes commands to recreate the configuration.

Note: This command is not intended to be a substitute for backing up PacketWise configurations.

setup capture [[portable|complete] [<filename>]]

[portable | complete]   Indicate the format of the output. Portable is the default, if no output format is specified. The portable file "comments out" the unit-specific details, such as the setup commands for the IP addresses. The complete file contains address information.
<filename>              The filename is limited to an eight-character name with a three-character suffix. If no filename is specified, the file /cmd/config.cmd is created. If you specify a filename, you must also specify the format type: portable or complete. If you specify a filename without a suffix, the .cmd suffix is appended to the filename. The file is placed in the /cmd directory, unless you specify an explicit pathname.

Notes:
- To restore the captured configuration, use the run command (for example, run config.cmd).
- Auto-discovered port classes and customer portal customers are not recreated when you run the CMD file created with the setup capture complete command.
- When setup capture is run from migration mode, both legacy and enhanced mode configuration will be captured. When the setup capture command is executed while the unit is in legacy tunnel mode, only legacy configuration settings are captured; the CMD file can be run in legacy or migration mode (not enhanced). When the configuration is captured in enhanced mode, only enhanced configuration settings are captured; the CMD file can be run in enhanced or migration mode (not legacy).
setup compression

Applicable to legacy compression tunnels only; the equivalent command for enhanced tunnels is tunnel compression.

Turn compression on or off.

setup compression on|off|default

on        Turns on compression. When compression is turned on, PacketWise will automatically create and use a tunnel to transport compressed data between compression-enabled PacketShaper units.
off       Turns compression off.
default   Turns compression to its default on/off state (off). Note that it does not reset other compression-related settings.

To avoid inducing latency unnecessarily, applications that are unlikely to achieve useful gains from compression are not compressed. Voice over IP, video streaming, and encrypted data are examples of non-compressible traffic; to see a complete list of the non-compressible services, use the setup compression show services command. Although Xpress has default settings for which services are compressed, you can override these defaults using commands to turn compression on and off for individual classes. See the class compress on and class compress off commands.

Note that Xpress compresses data by service type, which is not necessarily the same as a traffic class. For example, the FTP traffic class has matching rules for several different services: FTP-Cmd-Clear (command channel), FTP-Cmd-Secure (secure FTP command channel), FTP-Data-Clear (FTP data transport channel), and FTP-Data-Secure (secure FTP data transfer channel). PacketWise compresses only the FTP-Cmd-Clear service; the other three services don't benefit from compression, so they are not compressed.

By default, any host can use the compression facility. If you want to limit the hosts, use the setup compression hosts command. To limit the PacketShaper units that can be tunnel partners, use the setup compression partners command.

Note: Compression is an option that must be purchased separately.

See also: Xpress Overview; setup compression show; Compression Measurement Variables
setup compression hosts

setup compression hosts default <side>

where:
add       defines a host
remove    deletes a previously-defined host. If the unit is subscribed to PolicyCenter, remove <side> all removes all the hosts in the local configuration but does not allow the unit to inherit any hosts from the parent configuration.
default   sets compression hosts to default (no hosts specified) for the designated side (inside or outside). If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to remove all the hosts in the local configuration and inherit from the parent configuration.
show      lists the defined tunnel hosts

<side>    The hosts' location (inside or outside), relative to the unit. Typically inside hosts are located on the LAN and outside hosts are on the WAN or Internet.

Designate the hosts to be added or removed, using one of the following specifications:
  <ip-addr>[/<cidr>]   host IP address or a CIDR network address; the CIDR number specifies the number of constant bits in the address range
  <subnet>             the name of the subnet
  list:<hostlist>      the name of a host list file
  all                  removes all defined hosts so that all hosts can use tunnels

Examples:

setup compression hosts add inside 10.7.38.1
setup compression hosts add outside 10.7.38.0/24 (illustrated example)

To remove all defined outside hosts:

setup compression hosts remove outside all

After this command is issued, no outside hosts will be restricted from using the tunneling facility.

To view a list of defined tunnel hosts:

setup compression hosts show

Notes:
- You can also define tunnel hosts with the tunnel discovery host command.
setup compression ip configure

main|upper|lower|right|left
<ipaddr>
Subnet mask
<ingress gateway>   IP address of the ingress router (optional). When an <ingress gateway> is configured, it will be used for inbound detunneled packets (that is, traffic that has been accelerated, compressed, and/or packed in an Xpress tunnel). The <gateway> will be used for outbound tunneled traffic.
<gateway>|none      IP address of the egress router; specify none if there isn't a gateway. The gateway is required if the compression partner is not on the same subnet.
<vlanid>            A maximum of three VLAN IDs can be assigned per PacketShaper (one for each device). An Xpress-IP configured with a VLAN must be on a different subnet from the management IP address.
<priority>          802.1P VLAN priority (0-7). If your network isn't using VLAN IDs but you want to set a VLAN priority, you must set a VLAN ID of 0 (zero).

Notes:
- If you are using Xpress with Packeteer's direct standby feature, the LEM that is used for direct connection cannot be configured for Xpress. (Note: Direct standby is supported in legacy tunnel mode only.)
- The setup compression ip configure command is the same as the tunnel ip configure command. (You may use either command.)
- When you assign or change XIP addresses with the setup compression ip configure command, Xpress will tear down existing tunnels and establish new tunnels using the new Xpress-IP addresses.
- If you upgraded from v7.x to v8.x, Xpress will automatically use the same addresses you configured in v7.x. PacketWise 8.0 has the additional requirement that the Xpress-IP address cannot be the same as the management IP address. If they are the same, you will see the following error message on the Info tab (in the browser) or in the CLI banner after you log in: Warning: No XIP addresses have been configured. Compression will be disabled until you configure the Xpress-IP address.

Examples:

To set the XIP address of an upper LEM:

setup compression ip configure upper 172.21.18.161 255.255.0.0 172.21.0.1

For VLAN environments, you can specify the VLAN ID and/or VLAN priority. If you specify only one VLAN parameter, PacketWise will assume it is the VLAN ID. In the following example, all compressed packets going through the main interface will be assigned a VLAN ID of 2176:

setup compression ip configure main 192.168.0.6 255.255.255.0 192.168.0.1 2176

If you only want to use VLAN priority, you have to set a VLAN ID of zero. For example, to assign a VLAN priority of 2 to all compressed packets going through the lower LEM interface, you must set the VLAN ID to 0 (zero):

setup compression ip configure lower 192.168.0.5 255.255.255.0 192.168.0.1 0 2

To clear the VLAN settings without clearing the Xpress-IP settings, use the setup compression ip configure command without the VLAN parameters:

setup compression ip configure lower 192.168.0.5 255.255.255.0 192.168.0.1

See also:

Command Change History
Release   Modification
8.2.0     No longer required to enable the tnlEnableIngress variable in order to activate the ingress gateway. (The tnlEnableIngress system variable has been removed.)
8.1.1     [<ingress gateway>] option introduced

setup compression ip show

main interface: 172.21.18.160
main interface: 255.255.255.0
main interface: 172.21.0.1 (Outside at
main interface: none

The Gateway address may initially show as "Resolving" while Xpress is in the process of resolving the gateway. When you reissue the command, if Xpress was able to resolve the gateway, the output will show the interface (outside or inside) and the MAC address. "Resolving" may also appear if the link is down. If the tnlEnableIngress system variable is enabled, the output of the show command will list the Ingress Gateway settings.
legacy
Supports both types of tunnels: legacy and enhanced. Use this mode when migrating from earlier versions of PacketWise. By default, 50 percent of compression memory is allocated to legacy compression tunnels and 50 percent is assigned to enhanced migration [<ratio>] Xpress tunnels. To change the percentage of compression memory assigned to legacy Xpress, specify a <ratio> (20-80). For example, a <ratio> of 30 would allocate 30 percent to legacy, 70 percent to enhanced. Uses new 8.x tunnel infrastructure. In enhanced mode, a tunnel serves multiple purposes: compression, acceleration, and packing.
enhanced
467
default
The new tunnel mode will not take effect until you reset the PacketShaper. After issuing the command, you will be asked if you want to reset immediately. If you decline, you will need to issue the reset command at a convenient time in order to activate the new tunnel mode.

Notes:

- Another way to change the mode is to use the tunnel mode set command.
- Migration mode has special considerations. See Information about Migration Mode for details.
Xpress tunnels are configured to run in migration mode. 50% of compression memory is assigned to legacy mode. The remaining 50% is assigned to enhanced mode.
See also:
setup compression mode set
tunnel mode show
add       Defines a PacketShaper unit that can be a tunnel partner.
remove    Deletes a previously-defined partner. If the unit is subscribed to PolicyCenter, remove all removes all the partners in the local configuration but does not allow the unit to inherit any partners from the parent configuration.
default   Sets tunnel partners to default (no partners specified). If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to remove all the partners in the local configuration and inherit from the parent configuration.
show      Lists defined tunnel partners.
Designate the PacketShapers to be added or removed, using one of the following specifications:

<ip-addr>[/<cidr>]   PacketShaper IP address or range; the CIDR number specifies the number of constant bits in the address range
<subnet>             The name of the subnet
list:<hostlist>      The name of a host list file
all                  Removes all defined compression tunnel partners so that all units can use tunnels
Examples:

setup compression partners add 10.7.38.0-10.7.38.200
setup compression partners add 10.7.38.0/24

To remove all defined tunnel partners:

setup compression partners remove all

After this command is issued, all PacketShapers will be able to use the tunneling facility.

To see a list of defined compression tunnel partners:

setup compression partners show

Notes:

- You can also define tunnel partners with the tunnel discovery partner command.
auto
manual show
default
<ipaddr>
-h <limit>
Maximum number of hops, including routers and PacketShapers (1-123) Default: 123 hops
-t <time>
Examples:
setup compression tracepath 172.16.2.101
Tracing between 172.16.3.143 [main outside] and 172.16.2.101
1 (hop= 1) 501ms 172.16.3.174/main
2 (hop= 2) 502ms 172.16.3.156/main
--- 172.16.2.101 tracepath statistics ---
2 shapers found in 3 seconds, 2 packets received.
Trace complete.

setup compression tracepath 172.16.2.101 -t 5
Tracing between 172.16.3.143 [main outside] and 172.16.2.101
1 (hop= 1) 1ms 172.16.3.174/main
2 (hop= 2) 1ms 172.16.3.156/main
--- 172.16.2.101 tracepath statistics ---
2 shapers found in 5 seconds, 2 packets received.
Trace complete.
Notes:

- If Xpress is unable to find the target host, "Could not resolve the destination host" is displayed.
- If no PacketShapers are found between the source PacketShaper and the target host, "0 shapers found..." is displayed.
- This command does not work in look mode or watch mode.
- Depending on the destination router's ARP cache, the setup compression tracepath output may not give accurate results on the first attempt (if the router has to ARP for the destination). Correct results will appear after reissuing the command.
-i <LEM>     Interface on the source unit from which connectivity is to be tested. <LEM> is one of the following:
             main    built-in interface
             upper   upper LAN Expansion Module (LEM)
             lower   lower LEM
             right   right LEM
             left    left LEM
             If no interface is specified, the main interface will be used.

-c <count>   Number of pings (sets of test packets) to transmit (1-10). Default: 4 (4 RSVP packets and 4 IPComp packets; a total of 8 packets transmitted)

-t <time>    Maximum time to wait for a reply packet (1-10 seconds). Default: 2 seconds
Examples:

setup compression xping 172.16.3.164
Xping 172.16.3.164 from 172.16.3.175 (main:outside)
Reply from rsvp: 2ms pscomp: 1ms
Reply from rsvp: 1ms pscomp: <1ms
Reply from rsvp: 1ms pscomp: 1ms
--- 172.16.3.164 xping statistics ---
4 RSVP and 4 IPCOMP packets transmitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 0/1/2 ms

setup compression xping 172.16.2.101 -i lower -c 2
Xping 172.16.3.164 from 172.16.3.175 (lower:outside)
Reply from rsvp: 2ms pscomp: 1ms
Reply from rsvp: 1ms pscomp: 1ms
--- 172.16.3.164 xping statistics ---
2 RSVP and 2 IPCOMP packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1/1/1 ms

Notes:

- If Xpress is unable to find the target PacketShaper, "Could not resolve the destination host" is displayed.
- This command does not work in look mode or watch mode.
setup date
View or set the date and/or time. When initially setting the date and time, use setup timezone.

setup date [<yyyymmddhhmm>[<.ss>]]

Note that this command has the same functionality as the date command.
setup discover
Turn traffic discovery on or off for the default inbound and outbound classes. When you turn on traffic discovery, the PacketWise software monitors the traffic going through the unit and classifies the traffic by service type. The traffic discovery process inserts classes into your traffic tree.

setup discover off|on

Use class services to list supported protocols and services. Use class discover to enable/disable traffic discovery within a specific class.
setup dns
Configure one or more DNS servers for PacketWise to access.

setup dns none|default|<ipaddress> ...

Specify up to eight IP addresses, separating each with a space, or use none to clear previously set addresses.

Note: At least one DNS server must be configured in order to use the Prefetch acceleration feature (see tunnel acceleration prefetch).
setup domain
Define a default domain name that PacketWise can append to domain name lookups that are not fully qualified.

setup domain none|default|<domain_name>
setup email
Configure email settings for use with the scheduled command, adaptive response action files, and/or user event features.

setup email <address>[:<port>] [<sender name>] | none | default

<address>[:<port>]   Specify the email server using either its DNS name or IP address. The default SMTP port is port 25. To specify a nonstandard port for email messages, enter a colon followed by the port number.
<sender name>        The <sender name> will appear in the From line of any email message that the user event or scheduled command feature sends out. Specify a complete mail address, including the domain name, for example, john_doe@example.com.

Note: In the prompting mode for this command, the full form can also be used for the sender, that is, a quoted name followed by the explicit email address. For example: "Bob" <bob@examplecompany.com>

After PacketWise has been configured to send email using the setup email command, use setup show to view the configuration.

To clear the email settings:

setup email none

If you are using PolicyCenter, use the default option to remove the local override. This command allows the child configuration to inherit the parent's email setting:

setup email default
setup failover
Bandwidth on a WAN link can change, causing the router to fail over to a secondary link. PacketWise can be configured to detect this failover condition and enforce the new, lower link speed. This feature applies only to site routers that have been configured for failover. PacketWise polls the site router every two seconds to determine the status of the links. If the site router has two links sharing the load and one of the links goes down, PacketWise uses the failover settings to adjust its link speed. If the site router has a primary and a backup link configured, and the primary link fails, PacketWise also handles the failover condition.

setup failover none|show|(<primary ifIndex> <secondary ifIndex> [<backup speed>|either])

none                  Turn off failover mode.
show                  Display current failover statistics.
<primary ifIndex>     Specify the SNMP index number of the first router interface.
<secondary ifIndex>   Specify the SNMP index number of the secondary router interface.
<backup speed>        Set the speed to be used if failover is activated. Rates may be specified as integer bits per second, followed by a k (thousands), M (millions), or G (billions).
either                Use either when the two interfaces are being used for load balancing, not as primary and backup links.
Example

To assign an ID of 12 to the current PacketShaper:

setup flowrecords engineID 12

All records emitted from this PacketShaper to all defined NetFlow-5 collectors will have a value of 12 in the header's engineID field. Thus, the source PacketShaper is easily identifiable when interpreting the flow detail records.
- To define an include list so that flow detail records are always emitted for traffic that matches the specified classes, services, and/or subnets. This approach is recommended when you want flow detail records for only a few specific classes, services, and/or subnets. Flow detail records will not be emitted for traffic that does not match the class, service, or subnets specified on the include list.

or

- To define an exclude list so that flow detail records are never emitted for traffic that matches the specified classes, services, and/or subnets. This approach is recommended when you want flow detail records for all traffic except that which matches the classes, services, and/or subnets on the exclude list.
setup flowrecords filters [add|remove|show] [class|service|subnet] include|exclude [[<class name>|<class id>]|[<service name>]|[<ip:netmask>|<ip/netmask>|<ip>]]

[add|remove|show]         add adds the specified class, service, or subnet to the include or exclude list; remove removes the specified class, service, or subnet from the include or exclude list; show displays the classes, services, and subnets on both the include and exclude lists
[class|service|subnet]    Indicates that the FDR filter applies to a class, service, or subnet
include|exclude           include specifies that flow detail records will always be emitted for traffic that matches the class, service, and/or subnet; exclude specifies that flow detail records will never be emitted for traffic that matches the class, service, and/or subnet
<class name>|<class id>   The name of the class or the class id
<service name>            The name of the service
<ip:netmask>              The IP address and subnet mask subject to the IP filter, where netmask is the subnet mask in decimal notation
<ip/netmask>              The IP address and subnet mask subject to the IP filter, where netmask is an integer (the CIDR value) that specifies the number of binary 1s in a mask
<ip>                      The IP address subject to the IP filter
Examples

When you add classes to the include list, FDRs are emitted only for those classes. To add a class to the include list:

setup flowrecords filters add class include /Inbound/SNMP

To add the FTP service to the include list:

setup flowrecords filters add service include ftp

To add subnets specified by IP address in decimal notation to the include list:

setup flowrecords filters add subnet include 10.10.10.01:255.255.255.255

To add subnets specified by IP address and CIDR value to the include list:

setup flowrecords filters add subnet include 10.10.10.01/32

To add an IP address and all of its subnets to the include list:

setup flowrecords filters add subnet include 10.10.10.01

When you add classes, services, and subnets to the exclude list, FDRs are emitted for all classes, services, and subnets except for those specified on the exclude list. For example, to add a class to the exclude list:

setup flowrecords filters add class exclude /Inbound/SNMP

To remove a class, service, or subnet from the include or exclude list, use the remove keyword. For example:

setup flowrecords filters remove class include /Inbound/SNMP
setup flowrecords filters remove class exclude /Inbound/SNMP
setup flowrecords filters remove service include ftp
setup flowrecords filters remove subnet include 10.10.10.01

To show all FDR filters:

setup flowrecords filters show

See also:
Flow Detail Records Overview

Command Change History
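The following added example (not Packeteer's code) serves both the setup compression partners address specifications (IP ranges and CIDR blocks) and the setup flowrecords filters subnet notations (ip:netmask, ip/cidr, bare ip), and applies the include-list / exclude-list semantics described above to decide whether a flow detail record would be emitted. The flows, classes and addresses are constructed sample data, and letting a populated include list take precedence when both lists are filled is an assumption of this example, since the page presents the two lists as alternatives.

```python
"""Added example, not Packeteer's code: parse the subnet notations of
'setup flowrecords filters' and the range/CIDR notations of
'setup compression partners', then evaluate include/exclude filtering."""
import ipaddress
from dataclasses import dataclass, field


def _normalize_ipv4(text: str) -> str:
    """The PacketGuide examples write octets with leading zeros (10.10.10.01);
    recent Python versions reject those, so strip them per octet."""
    return ".".join(str(int(octet)) for octet in text.strip().split("."))


def parse_subnet_spec(spec: str) -> list:
    """Return a list of IPv4 networks covering the specification.

    ip:netmask   dotted-decimal mask   10.10.10.1:255.255.255.0
    ip/cidr      CIDR prefix length    10.10.10.1/24
    ip           single host           10.10.10.1
    ip-ip        address range         10.7.38.0-10.7.38.200  (partners syntax)
    """
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(_normalize_ipv4(p)) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes range start: {spec}")
        return list(ipaddress.summarize_address_range(lo, hi))
    if ":" in spec:
        ip, mask = spec.split(":", 1)
        # strict=False drops host bits: 10.10.10.1:255.255.255.0 -> 10.10.10.0/24
        return [ipaddress.IPv4Network(f"{_normalize_ipv4(ip)}/{mask}", strict=False)]
    if "/" in spec:
        ip, cidr = spec.split("/", 1)
        return [ipaddress.IPv4Network(f"{_normalize_ipv4(ip)}/{int(cidr)}", strict=False)]
    return [ipaddress.IPv4Network(f"{_normalize_ipv4(spec)}/32")]


@dataclass
class FdrFilters:
    """Include and exclude lists as built by 'setup flowrecords filters add'."""
    include_classes: set = field(default_factory=set)
    include_services: set = field(default_factory=set)
    include_subnets: list = field(default_factory=list)
    exclude_classes: set = field(default_factory=set)
    exclude_services: set = field(default_factory=set)
    exclude_subnets: list = field(default_factory=list)

    def add(self, kind: str, mode: str, value: str) -> None:
        """Mirror 'setup flowrecords filters add <kind> <mode> <value>'."""
        if mode not in ("include", "exclude"):
            raise ValueError("mode must be include or exclude")
        if kind == "class":
            getattr(self, f"{mode}_classes").add(value)
        elif kind == "service":
            getattr(self, f"{mode}_services").add(value.lower())
        elif kind == "subnet":
            getattr(self, f"{mode}_subnets").extend(parse_subnet_spec(value))
        else:
            raise ValueError("kind must be class, service or subnet")

    @staticmethod
    def _matches(classes, services, subnets, flow) -> bool:
        if flow["class"] in classes or flow["service"].lower() in services:
            return True
        addrs = (ipaddress.IPv4Address(flow["src"]), ipaddress.IPv4Address(flow["dst"]))
        return any(a in net for net in subnets for a in addrs)

    def emits_record(self, flow: dict) -> bool:
        """Include list: emit only on a match. Exclude list: emit unless matched.
        Assumption of this example: a populated include list decides first."""
        if self.include_classes or self.include_services or self.include_subnets:
            return self._matches(self.include_classes, self.include_services,
                                 self.include_subnets, flow)
        if self.exclude_classes or self.exclude_services or self.exclude_subnets:
            return not self._matches(self.exclude_classes, self.exclude_services,
                                     self.exclude_subnets, flow)
        return True  # no filters defined: records are emitted for all traffic


def demo() -> dict:
    """Constructed flows run through an include list and an exclude list."""
    flows = {
        "snmp": {"class": "/Inbound/SNMP", "service": "snmp", "src": "10.10.10.1", "dst": "192.0.2.7"},
        "ftp": {"class": "/Inbound/FTP", "service": "ftp", "src": "192.0.2.8", "dst": "192.0.2.9"},
        "web": {"class": "/Inbound/HTTP", "service": "http", "src": "10.7.38.100", "dst": "192.0.2.9"},
    }
    inc = FdrFilters()
    inc.add("class", "include", "/Inbound/SNMP")
    inc.add("subnet", "include", "10.7.38.0-10.7.38.200")  # partner-style range
    exc = FdrFilters()
    exc.add("service", "exclude", "ftp")
    return {
        "include": {name: inc.emits_record(f) for name, f in flows.items()},
        "exclude": {name: exc.emits_record(f) for name, f in flows.items()},
    }


if __name__ == "__main__":
    print(demo())
```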
Release   Modification
8.2.0     Integrated command into PacketWise 8.x, and extended functionality so that services and subnets can be added to FDR filter lists.
7.5.0     Command introduced
setup flowrecords id
Define the settings for a flow detail record (FDR) collector. Up to four collectors can be defined.

setup flowrecords id [<ID> <collectorDefinition>|off|on|none|default]

<ID>                    Identifying number of the collector (1, 2, 3, or 4)
<collectorDefinition>   <recordType> <ipaddr> [<port> on|off], where <recordType> is the type of record format to be emitted (netflow-5, packeteer-1, or packeteer-2), <ipaddr> is the IP address of the collector, and <port> is the UDP port number of the collector (default = 9800)
off|on|none|default     on enables the collector. When a collector is enabled, PacketWise will emit flow detail records to the collector. off disables the collector; flow detail records will not be emitted. none clears the collector settings; the row will be empty in the setup flowrecords show output. default removes the local settings for the ID so that the unit inherits the collector settings of the parent configuration. If the parent configuration doesn't have any settings for this ID, the local settings will be cleared so that the unit can inherit any future collector settings that are set. This command is only applicable to shared mode with PolicyCenter.

You can enable/disable a collector when you are defining it:

setup flowrecords id 1 netflow-5 10.10.10.10 9800 on

or, after a collector has been defined:

setup flowrecords id 1 off

A collector is defined by its record type (NetFlow-5, Packeteer-1, or Packeteer-2) and its location (IP address and UDP port number). You can define collectors with the same IP address but different record types, or with the same record type but different IP address. For example, you can create two collectors with the same IP address (but different ports), with one collector collecting NetFlow data records and the other collecting Packeteer-2 data records. To view your collector settings, use the setup flowrecords show command.

Examples

To define a collector that collects Packeteer-2 flow detail records:

setup flowrecords id 1 packeteer-2 10.10.10.1 9800 on

Because 9800 is the default port and "on" is the default, you can use the following alternative command:

setup flowrecords id 1 packeteer-2 10.10.10.1

To turn off collector 1 (assuming collector 1 has been previously defined):

setup flowrecords id 1 off

With the above command, PacketWise will stop emitting flow detail records to collector 1, but will retain the collector settings. To start emitting records again, use this command:

setup flowrecords id 1 on

To clear the settings for collector 3:
In the above sample output, two collectors have been defined. The first collector (ID of 1) collects Packeteer-2 flow detail records and is currently enabled. The second collector (ID of 2) collects NetFlow-5 records but is currently disabled. Collector IDs 3 and 4 have not been defined.

See also:
Flow Detail Records Overview
setup gateway
Configure a gateway to handle network operations initiated from the unit. For example, ping, FTP, or image load require a gateway for non-local routing.

setup gateway <ipaddress> | none

Specify none if there isn't a gateway or to clear the gateway setting.
setup guide
Execute the automatic setup feature to configure the unit.

setup guide

For Guided Setup details, see Run Guided Setup.
Security Alert
currently in effect. Use setup https show to see the HTTPS port number that is in effect. For information about verifying the certificate, see Secure Logins.
setup ipaddress
Update the unit's IP address and subnet mask. Use dotted-decimal address notation for both the IP address and net mask, for example, 10.10.10.10.

setup ipaddress <addr> <netmask>
Specify auto (auto-negotiate) to automatically configure the unit for the appropriate mode. If you do not specify a state, it defaults to auto. For gigabit Ethernet you can specify auto or 1000b. (1000b actually does the same thing as auto; manual setting to gigabit Ethernet is not part of the 802.3 Ethernet standard.)

Notes:

- Whenever you wish to change Network Interface Card (NIC) settings, always select auto-negotiate first, then select a different value if desired. Do not change from one non-auto setting to another non-auto setting directly; re-negotiation may fail and the setup ishaper show command may show the link is down.
- The word switch can be substituted for the word ishaper in the syntax of this command without changing the resulting output.
iShaper_main_inside: UP
PS_main_inside: UP
iShared_Local_Area_Connection: UP
iShared_Local_Area_Connection4: UP
Maximum Packet Length = 9216
Broadcast Storm Control is Disabled

Notes:

- Broadcast Storm Control is permanently disabled on an iShaper appliance.
- The word switch can be substituted for ishaper in the syntax of this command without changing the resulting output.
setup keys
Software keys enable you to change your product specifications, for example, increasing shaping capacity from 128 Kbps to 512 Kbps. Upgrades of this type can be purchased from your reseller. When your order is fulfilled, you will be supplied with a key and installation instructions. To install a product, use the following key-enabling command:

setup keys add <name> <value> <code>|remove <name> <code>|show

For example:

setup keys add linksize 6M e09w8djjioy123ig

The key name, value, and code are provided with the purchased product.

Note: Upgrades of this type are outside of the scope of your standard PacketCare support contract, and must be purchased separately.
setup link
Configure the access link capacity. To effectively manage the traffic on the link, PacketWise must know the capacity it is managing.

Note: PacketWise will enforce the link size that you set.

setup link inbound|outbound|default [<size_bps>|default]

Specify a rate as either a bits-per-second value or a symbolic name, as shown in the following list of valid link sizes.

<n>    Size in bits per second
<n>k   Size in kilobits per second
<n>m   Size in megabits per second
<n>g   Size in gigabits per second
T1     1.5 Mbps
E1     2 Mbps
T3     45 Mbps

Examples:

setup link inbound 1500000
setup link outbound 1.5m
setup link inbound T1
Considerations

- For full-duplex Ethernet, enter the total link speed for the inbound and outbound rates. Because full-duplex has wires that can simultaneously communicate in both inbound and outbound directions, you should enter the same rate for Inbound Rate and Outbound Rate. For example, if you have two T1 lines (3 Mbps), you should enter 3M for Inbound Rate and 3M for Outbound Rate.
- For half-duplex Ethernet, split the rate between the inbound and outbound links. For example, if you are managing 10 Mbps Ethernet, you could configure 5 Mbps for the inbound rate and 5 Mbps for the outbound rate.
- If your unit is using LAN Expansion Modules (LEMs) to manage different WAN links and you don't want to control each LEM separately, the rate should be the size of the smallest LEM. For example, if you have two 100 Mbps LEMs managing two links, you should specify 100M for the rate. On the other hand, if you want to control each link separately, the rate should be the sum of the link speeds on all devices. For example, if the built-in device is controlling a T1 line (1.5 Mbps) and a LEM is managing two T1 lines (3.0 Mbps), you should specify 4.5M for the rate. To control traffic across each link separately, you can create a class for each device (for example, Builtin_LEM and Upper_LEM) and assign partitions that match the link size (1.5M for the Builtin_LEM class and 3.0M for the Upper_LEM class).
- If your unit is using two LEMs to manage a single WAN link, specify the WAN link speed for the rate. Although the Info page will give you an error message (such as Link speed of 155 Mbps exceeds outside NIC speed of 100 Mbps) in the latter situation, it is still appropriate to specify the actual size of the link for the rate.
- When using the direct standby feature in a load-sharing topology, you should set the link speed to the sum of both WAN links. Because each unit receives copied packets from its partner, the PacketShaper must have overall Inbound and Outbound partition sizes that will support that level of extra traffic. Note: In this situation, you may want to use the access-link monitoring feature (advanced mode) to monitor the router's WAN interfaces and avoid over-subscribing the WAN bandwidth.
- Software configuration determines maximum shaping capacity. See PacketShaper or PacketShaper ISP Configuration Limits.
- Note: 10BaseT links rarely reach the 10 Mbps limit. Keep Ethernet's practical limits in mind when configuring rates.
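As an added example (not Packeteer's code), the following parses the rate notations that setup link accepts (<n>, <n>k, <n>m, <n>g and the symbolic T1/E1/T3 sizes, using the nominal 1.5, 2 and 45 Mbps values listed above) and applies the sizing rules from the Considerations, including the Info page warning quoted there. The device names and link topologies are constructed.

```python
"""Added example, not Packeteer's code: 'setup link' size notation and the
sizing guidance from the Considerations list, as runnable functions."""
import re
from decimal import Decimal

_SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
# Symbolic sizes use the nominal values the page lists, not the exact line rates.
_SYMBOLIC = {"T1": 1_500_000, "E1": 2_000_000, "T3": 45_000_000}


def parse_link_size(text: str) -> int:
    """'1500000', '1.5m' and 'T1' all yield 1500000 bits per second."""
    token = text.strip()
    if token.upper() in _SYMBOLIC:
        return _SYMBOLIC[token.upper()]
    match = re.fullmatch(r"(\d+(?:\.\d+)?)([kKmMgG]?)", token)
    if not match:
        raise ValueError(f"not a valid link size: {text!r}")
    bps = Decimal(match.group(1)) * _SUFFIX[match.group(2).lower()]
    if bps <= 0 or bps != bps.to_integral_value():
        raise ValueError(f"link size must be a positive whole number of bits: {text!r}")
    return int(bps)


def format_link_size(bps: int) -> str:
    """Display form using the same suffixes: 1500000 -> '1.5M', 64000 -> '64k'."""
    for suffix, unit in (("G", 10**9), ("M", 10**6), ("k", 10**3)):
        if bps >= unit:
            return f"{bps / unit:g}{suffix}"
    return str(bps)


def duplex_rates(link_size: str, duplex: str) -> dict:
    """Full duplex: the whole link speed in each direction.
    Half duplex: the speed split evenly between inbound and outbound."""
    total = parse_link_size(link_size)
    if duplex == "full":
        return {"inbound": total, "outbound": total}
    if duplex == "half":
        return {"inbound": total // 2, "outbound": total // 2}
    raise ValueError("duplex must be 'full' or 'half'")


def lem_rate(device_links: dict, control_each_link: bool) -> int:
    """device_links maps a device ('builtin', 'upper', ...) to the WAN links it
    manages. Managed together: the smallest device's capacity. Controlled
    separately: the sum over all devices (each device's class then gets a
    partition equal to its own total)."""
    totals = {dev: sum(parse_link_size(s) for s in links)
              for dev, links in device_links.items()}
    if not totals:
        raise ValueError("at least one device with a link is required")
    return sum(totals.values()) if control_each_link else min(totals.values())


def partition_sizes(device_links: dict) -> dict:
    """Per-device partition sizes for the 'control each link separately' case."""
    return {dev: format_link_size(sum(parse_link_size(s) for s in links))
            for dev, links in device_links.items()}


def nic_warning(link_bps: int, outside_nic_bps: int):
    """The Info page warning quoted on the page, or None when the link fits.
    The page notes the warning is expected when two LEMs share one WAN link."""
    if link_bps > outside_nic_bps:
        return (f"Link speed of {link_bps / 10**6:g} Mbps exceeds outside NIC speed "
                f"of {outside_nic_bps / 10**6:g} Mbps")
    return None


if __name__ == "__main__":
    # Constructed topology from the Considerations: built-in port on one T1,
    # upper LEM on two T1s, each link controlled separately.
    links = {"builtin": ["T1"], "upper": ["T1", "T1"]}
    print(format_link_size(lem_rate(links, control_each_link=True)))
    print(partition_sizes(links))
    print(nic_warning(parse_link_size("155m"), parse_link_size("100m")))
```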
setup load
Install a new configuration file and reboot to activate the configuration. This installation replaces the cfg/basic.cfg file.

setup load <path>

Specify the explicit file pathname.

Note: To load the traffic configuration and sharable configuration settings (such as passwords, site router, SNMP, email, SNTP, and Syslog), use the class load command.
setup loadshedding
Configure the load shedding feature. This feature prevents the PacketShaper from being overloaded with packets due to viruses or attacks that spew out a high volume of traffic (such as ICMP or DCOM). Note that this feature is not designed to block all traffic from infected or misbehaving clients; it is designed to shed just enough traffic to keep the PacketShaper out of an overload condition. It allows enough of the "bad" traffic through so that you can use Packeteer diagnostic tools (traffic history, hostdb info, policy flowlimit, packetcapture) to analyze and contain the problem.

setup loadshedding enable|disable
setup loadshedding new on|off
setup loadshedding clientFPM|serverFPM|failedFPM|TCBConn|UCBConn <value>|default
setup loadshedding exception add|del list:<hostlist>|<ip-addr>|<dnsname>|all
setup loadshedding show

where

enable|disable   Enable or disable the load shedding feature. Default is disable.
new on|off       Drop packets of new flows only (on) or drop packets regardless of whether they are new or existing (off). Default is on (but is not in effect unless load shedding is enabled).
clientFPM|serverFPM|failedFPM|TCBConn|UCBConn <value>|default   Adjust the parameters for new flows per minute (client, server, failed) or connections (TCP or UDP). If the parameters are not specified, the default values are used. New flows per minute is the rate of initiation of new flows from a host (client) or to a host (server). TCBConn is the number of active TCP flows that a particular host has at a given time. UCBConn is the number of non-TCP flows a particular host has at a given time. Failed flows are TCP flows that do not establish a complete connection, such as TCP connection requests from a SYN flood attack.
exception add|del   Add the host list name, IP address, or DNS name of a host to be excluded from load shedding (packets will not be dropped from these servers). To specify multiple hosts, use a space between each one. For example:

setup loadshedding exception add 10.1.1.1 172.19.5.6 olympia

Use exception del to remove a host that you have previously added to the host exception list, or exception del all to remove all hosts. (Note: The all parameter is used with del only.)

show                Display the current, default, minimum, and maximum load shedding parameters.
Load shedding is disabled by default. To enable load shedding:

setup loadshedding enable

The load shedding feature drops packets intelligently when the PacketShaper sees an excessive amount of traffic. For client flows, packets will be dropped as the unit approaches its load capacity and when both of the following conditions are true:

- New flows per minute for the client exceeds the clientFPM value, AND
- The number of TCP flows for the client exceeds the TCBConn value OR the number of UDP flows for the client exceeds the UCBConn value

Load shedding works similarly for server flows per minute. Packets will be dropped as the unit approaches its load capacity and when both of these conditions are true:

- New flows per minute for the server exceeds the serverFPM value, AND
- The number of TCP flows for the server exceeds the TCBConn value OR the number of UDP flows for the server exceeds the UCBConn value

For failed flows, packets will be dropped as the unit approaches its load capacity and failed flows per minute for the client or server exceeds the failedFPM value.

Note: To see the current values of each host's new flows per minute, use the hostdb info command.

By default, load shedding will drop packets of new flows only; existing flows will not be dropped. If you want to remove this limitation, use the following command:

setup loadshedding new off

Use the setup loadshedding show command to display the current, default, minimum, and maximum parameters for load shedding.
Load Shedding: Disabled
Shed New Flows Only: Enabled
=========================================================================
Load Shedding Parameters      Current    Default    Min    Max
=========================================================================
Client FPM                    1000000    1000000    10     1000000
Server FPM                    1000000    1000000    10     1000000
Failed FPM                    1000000    1000000    10     1000000
TCBConn                       100        100        5      1000000
UCBConn                       100        100        5      1000000

Load Shedding Host Exception List:
179.21.1.3    server2.test.com
10.1.1.1      main.test.com
10.1.1.2      server1.test.com
If you have certain hosts that you want to exclude from load shedding (for example, you don't want load shedding to drop packets from DNS servers), you can create a host exception list. You can either:

- Create a host list with the hl new command and then specify the host list with the setup loadshedding exception add list:<hostlist> command, or
- Add the hosts individually with the setup loadshedding exception add <ip-addr>|<dnsname> command.
To see which hosts have exceeded the load shedding thresholds and have flows being shed, use the hostdb info command. A "+" next to the New Flows Per Minute value for Client, Server, or Failed indicates load shedding is occurring or has recently occurred.
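The shedding rules above as an added example (not Packeteer's code): a model of the per-host decision with the clientFPM/serverFPM/failedFPM and TCBConn/UCBConn thresholds, the new-flows-only setting and the host exception list, plus the "+" marker that hostdb info shows for exceeded counters. Thresholds default to the values in the sample show output; the host counters, the constructed tightened thresholds, and treating "approaches its load capacity" as a plain boolean input are assumptions of this example.

```python
"""Added example, not Packeteer's code: the 'setup loadshedding' drop decision
as described on the page, run over constructed per-host counters."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ShedParams:
    """Defaults taken from the sample 'setup loadshedding show' output."""
    clientFPM: int = 1_000_000   # new flows per minute initiated by a host
    serverFPM: int = 1_000_000   # new flows per minute arriving at a host
    failedFPM: int = 1_000_000   # TCP flows per minute that never complete a handshake
    TCBConn: int = 100           # active TCP flows a host may have at one time
    UCBConn: int = 100           # active non-TCP flows a host may have at one time


@dataclass
class HostStats:
    """Per-host counters of the kind 'hostdb info' reports (constructed here)."""
    client_fpm: int = 0
    server_fpm: int = 0
    failed_fpm: int = 0
    tcp_flows: int = 0
    udp_flows: int = 0


@dataclass
class ShedConfig:
    enabled: bool = False                                   # enable|disable
    new_only: bool = True                                   # new on|off
    params: ShedParams = field(default_factory=ShedParams)  # <param> <value>
    exceptions: frozenset = frozenset()                     # exception add ...


def shed_decision(cfg: ShedConfig, host: str, stats: HostStats, new_flow: bool,
                  near_capacity: bool, role: str) -> Optional[str]:
    """Reason a packet from/to `host` would be dropped, or None to forward it.

    role is 'client' (host initiated the flow) or 'server' (host is the target).
    Page rules: FPM threshold exceeded AND (TCP flows > TCBConn OR non-TCP
    flows > UCBConn); for failed flows the failedFPM threshold alone suffices.
    Modelling 'approaches its load capacity' as a boolean is an assumption."""
    if not cfg.enabled or not near_capacity:
        return None
    if host in cfg.exceptions:
        return None                      # exception list: never shed
    if cfg.new_only and not new_flow:
        return None                      # default: only packets of new flows are shed
    p = cfg.params
    conn_exceeded = stats.tcp_flows > p.TCBConn or stats.udp_flows > p.UCBConn
    if role == "client" and stats.client_fpm > p.clientFPM and conn_exceeded:
        return "client flows per minute and connection count exceeded"
    if role == "server" and stats.server_fpm > p.serverFPM and conn_exceeded:
        return "server flows per minute and connection count exceeded"
    if stats.failed_fpm > p.failedFPM:
        return "failed flows per minute exceeded"
    return None


def hostdb_flags(stats: HostStats, params: ShedParams) -> dict:
    """Which New Flows Per Minute values would carry the '+' marker in hostdb info."""
    return {
        "client": "+" if stats.client_fpm > params.clientFPM else "",
        "server": "+" if stats.server_fpm > params.serverFPM else "",
        "failed": "+" if stats.failed_fpm > params.failedFPM else "",
    }


def demo() -> dict:
    """Constructed scenario: thresholds tightened so an infected client trips them."""
    cfg = ShedConfig(enabled=True, new_only=True,
                     params=ShedParams(clientFPM=500, failedFPM=200, TCBConn=50),
                     exceptions=frozenset({"10.1.1.1"}))   # a DNS server, say
    noisy = HostStats(client_fpm=800, tcp_flows=120)        # many new flows, many TCP conns
    busy = HostStats(client_fpm=800, tcp_flows=10, udp_flows=10)  # many flows, few conns
    syn = HostStats(failed_fpm=350)                          # handshakes never completing
    return {
        "noisy_new": shed_decision(cfg, "172.19.5.6", noisy, True, True, "client"),
        "noisy_existing": shed_decision(cfg, "172.19.5.6", noisy, False, True, "client"),
        "noisy_no_pressure": shed_decision(cfg, "172.19.5.6", noisy, True, False, "client"),
        "busy": shed_decision(cfg, "172.19.5.7", busy, True, True, "client"),
        "syn": shed_decision(cfg, "172.19.5.8", syn, True, True, "client"),
        "excepted": shed_decision(cfg, "10.1.1.1", noisy, True, True, "client"),
        "flags": hostdb_flags(noisy, cfg.params),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```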
setup managementport
Available only for models with a MGMT port

Enable the Ethernet management port (MGMT) so that the PacketShaper can be accessed and managed only through this port. When the management port is enabled, the unit cannot be accessed from other networks. Enabling management port access will cause loss of remote connectivity to the unit through all other ports.

setup managementport on|off|show

on     The PacketShaper can be accessed through the MGMT port only.
off    The PacketShaper can be accessed through any port, including the MGMT port.
show   Display the current setting for the management port.
When considering whether to enable the dedicated management port feature, bear in mind that certain Packeteer features will not function properly unless the network administrator provides outside hosts with a route to reach the PacketShaper through the MGMT port. These features include, but are not limited to, the following:

- PolicyCenter
- Access Link Monitoring
- Frame Relay and ATM
- HP OpenView
- Flow Detail Records
- Adaptive response
- SNMP traps and polling from third-party applications
- Synthetic transactions
- Customer portal traffic (if the portal IP address is set to be the same as the management IP address)
Note: The MGMT port is considered an outside port. Therefore, securing the outside interface will secure the MGMT port as well. For example, to allow access from only two IP addresses issue the following command: setup secure outside list 10.1.1.100 10.1.12.1.
setup message
Configure a message that will display before logging into the Packeteer unit. The message displays before you log in via the browser login page, before logging in using a remote login utility (such as Telnet), and when you first console connect to the unit. This feature is useful for informing users about the company's access policies and consequences for unauthorized use.

setup message {set <message>}|show|default

where

set <message>   Defines the message text. The text should be enclosed in quotation marks and can be up to 511 characters long.
show            Displays the content of the login message.
default         Clears the message text. In PolicyCenter's shared mode, the unit will then be able to inherit the message of the parent configuration.
Examples
setup message set "Access to this system is restricted to authorized users only."
Message set to: "Access to this system is restricted to authorized users onl...

setup message show
Configured Message: Access to this system is restricted to authorized users only.
Notes

- Quotation marks indicate the beginning and end of the login message. You cannot use a quotation mark within the body of the login message.
- If you want to display a message that is longer than 511 characters, you can create a text file that contains your message text. Name the file login.txt and upload it to the 9.256/ directory. The first 2048 characters of the text file will display after any message that is configured with the setup message set command. Thus, the text file is appended to the message text, allowing the message to have a total approximate length of 2500 characters. Note that quotation marks are allowed in the login.txt file. The setup message show command does not display the content of the login.txt file.
- No login message is displayed when accessing the PacketShaper via FTP.
- The message can be configured in the browser interface as well. See Specify Security Settings.
setup modem
Configure a modem setting so that if the modem drops its carrier connection, PacketWise will log out the console user. Be sure to configure your modem to drop DSR when the call is disconnected.

setup modem off|on|default

When this option is set to off, the console session will not be logged off until the user types exit at the command line. For security reasons, if you have a modem connected to the serial port, set this option to on.
setup nic
Set the PacketShaper's speed and duplex state.

setup nic <device> auto|autoneg-only|{10bt|100bt half|full}|{1000b full}

where <device> is the interface name or number:

Device Number   Device Name
0               inside
1               outside
2               lower_inside or left_inside
3               lower_outside or left_outside
4               upper_inside or right_inside
5               upper_outside or right_outside
7               management

Note: The device numbers vary according to the number of LEMs installed. If two LEMs are installed, the above numbers are correct. If only one LEM is installed (regardless of whether it's installed in the upper/right or lower/left position), the LEM interfaces will be assigned device numbers 2 and 3. If no LEMs are installed, the management port's device number is 3.

Specify auto (auto-negotiate) to automatically configure the unit for the appropriate mode. If you do not specify a state, it defaults to auto.

Notes:

- Whenever you wish to change Network Interface Card (NIC) settings, always select auto-negotiate first, then select a different value if desired. Do not change from one non-auto setting to another non-auto setting directly; re-negotiation may fail and In Link Down or Out Link Down appears on the LCD.
- The management parameter is only applicable to models with MGMT ports (such as the 3500 and 7500).
- Although you can specify different fixed speeds on the Inside and Outside interfaces, such a configuration will result in a network interruption if the PacketShaper is turned off because the end devices will not be able to negotiate the correct speed for the link.
- PacketWise does not support a 1000b half-duplex interface.
Gigabit Fiber-Optic
If auto is specified for gigabit fiber-optic units and auto-negotiation signals are not received from the other side, the negotiation will time out in one second and the interface will be set at 1000 fixed. To force auto-negotiation without timing out, use the autoneg-only option. Gigabit Ethernet supports the full-duplex option only.
Gigabit Ethernet
For gigabit Ethernet you can specify auto or 1000b. (1000b actually does the same thing as auto; manual setting to gigabit Ethernet is not part of the 802.3 Ethernet standard.) Gigabit Ethernet supports the full-duplex option only.
setup password
Configure a touch (read/write) or look (read-only) password.

setup password look|touch

You will be prompted to enter the old password, type a new password, and retype the password to confirm. For example:

setup password touch
Old touch password: (none)
New touch password:
Confirm touch password:
Changed the touch password
Passwords can be up to nineteen characters long and are case sensitive. They can consist of a combination of letters, numbers, and all special characters. To abort this command and return to the command prompt, press Ctrl-D. To enable look mode, use the look command. To enable touch mode, use the touch command. If you forget the touch password, you can use the password recovery method to access the unit and reset the password.
PacketGuide for PacketWise 8.3
setup portal ip
Assign a second IP address to the customer portal. This allows customers to display the customer portal login page directly using this address instead of the http://x.x.x.x/customer URL.

setup portal ip <address> [<mask>]

where <address> is the IP address assigned to the customer portal and <mask> is the subnet mask for the network where the unit resides. The address must be on a different subnet from the main portal address and should not be the same address as an Xpress-IP address.

To clear the address, use:

setup portal ip none

Notes:
- This command is not available on the PacketShaper 1200 or 1400 Lite models.
- Customer portal IP addresses must be configured before configuring Xpress-IP addresses on the LEMs. If you configure the Xpress-IP addresses first, you will not be able to configure a customer portal IP address.
primary|secondary

To turn the service on or off, or to return the service to its default off value, use:

setup radius acct on|off|default

Example:

setup radius acct primary 10.10.10.10 bobolink
setup radius acct secondary 10.10.20.10 parrot
setup radius acct on

This example defines a primary accounting server at 10.10.10.10 with a shared secret of bobolink, as well as a secondary server at 10.10.20.10 with a shared secret of parrot. The third command line enables the RADIUS accounting service. Once this service is configured and enabled, PacketWise sends a PW_STATUS_START accounting message to the accounting server when a user logs in and a PW_STATUS_STOP message when a user logs off or is disconnected.
To turn the service on or off, or to return the service to its default off value, use:

setup radius auth on|off|default

Example:

setup radius auth primary 10.10.10.10 bobolink
setup radius auth on

This example first defines a primary authentication server at 10.10.10.10 which has a shared secret of bobolink. The second command line enables the RADIUS authentication service. Once this is configured and enabled, PacketWise prompts users for a user name and password when they log into PacketWise.
setup reset
Return to the factory-default configuration and reboot the unit.

setup reset [all|clear]

setup reset: Resets the PacketShaper settings (for example, NIC speed and IP address, but not the traffic tree) to the factory default state, and then reboots the unit.

setup reset all: Resets all settings and the configuration to the factory default state. Note: Use setup reset all only when you want to reset all configuration settings (basic configuration; the traffic tree with its classes, policies, and partitions; measurement data; and events) to the factory-default settings.

setup reset clear: Clears all files on the flash drive (9.256/), in addition to resetting all settings and the configuration to the factory default state.

These commands reset the unit's IP address to 207.78.98.254, making it unreachable on your network until it is reconfigured using Guided Setup. (See Run Guided Setup for details.)

Note: The setup reset command works differently in shared mode. To reboot the unit without modifying the settings, use the reset command.

Command Change History
Release 8.3.0: The clear parameter is introduced.
When issued for a child configuration, all the child's setup settings are returned to their default state and the child configuration will inherit setup parameters from its parent configuration.
PolicyCenter is shut down and, on reinvoking the application, you are taken through Guided Setup. The setup parameters are not changed for PolicyCenter configurations or for units assigned to those configurations.
setup secure
Limit management access from the inside or outside interface.

setup secure inside|outside on|off|default|list <addr>[:<mask>]...

Use the setup secure outside on command to secure the outside interface, that is, the Internet. For example, when the outside interface is set to secure, Telnet, HTTP, FTP and ping requests from external sources will not be permitted. By default, the inside and outside interfaces are not secured.

The list parameter enables access to up to eight listed IP addresses, separated by spaces. To specify a subnet, use the format ipaddress:subnet_mask.

Notes:
- If you secure the interfaces, you will be able to access the unit only via a console connection. The browser interface will be disabled because you will not have management access over the network. Another way to secure the interface is to specify a list of IP addresses that can access the unit. For example, setup secure outside list 10.1.1.100 10.1.12.1 would allow access from only two IP addresses.
- Keep in mind that securing an interface means that queries such as DNS and SNTP cannot be made via the secured interface. Consider using the list option and including these servers and your gateway in the list.
- If you plan on using direct standby, do not set the outside interface to secure. For standby to work, each device must be able to communicate with the other device. If you set the outside interface to list, you must add both the partner's and the unit's IP addresses to the Outside security list.
- The PacketShaper will not be able to process local ARP requests via a secured interface. If you secure the outside interface and your gateway is on the outside, a "gateway not found" message will be displayed in the login banner or on the info page. In this state, tasks such as upgrading the software image from a non-local address will be disabled.
- The MGMT port (available on certain models) is considered an outside port. Therefore, securing the outside interface will secure the MGMT port as well.
setup shaping
When shaping is turned on, traffic is classified and measured, and control policies are enforced. When shaping is off, traffic is classified and measured but not managed.

setup shaping on|off|bypass|passthru|watch

Where:
on: Turns traffic shaping on.
off: Turns off shaping mode (traffic, bypass, passthru, watch).
bypass: Sets the unit to pure bypass mode. Bypass mode prevents both packet shaping and further network management access; it is as if the unit were removed and cables connected around it.
passthru: Turns off all shaping, classification, and measurement.
watch: Sets the unit into a non-inline, monitor-only mode. See Watch Mode Overview for additional information.

Notes:
- The watch mode feature is not available on the PacketShaper 1200 or 1400 Lite models.
- Watch mode can be enabled only when the PacketShaper is set to legacy tunnel mode; it cannot be enabled in migration or enhanced tunnel mode.
setup show
Display the basic configuration.

setup show

The output is divided into non-sharable (local) and sharable settings. The sharable settings are part of the configuration file (config.ldi). If a configuration is loaded on another unit, the sharable settings will be copied to the other unit (see config save and config load).

Non-sharable (local) settings:
IP address:             10.1.5.1   Subnet mask: 255.0.0.0
Gateway:                10.1.2.1
DNS server(s):          10.1.1.40
Default domain:         example.com
Date, time, timezone:   Mon Aug 9 14:03:40 2005 PDT (LosAngeles)
SNMP sysName:           172.21.18.160
SNMP sysLocation:       The physical location of this unit
SNMP sysContact:        The contact person for this managed unit
Inside nic speed:       auto-negotiate (100BaseT full-duplex)
Outside nic speed:      auto-negotiate (1000BaseT full-duplex)
Installed Keys:         compatibility 1 control on linksize nolimit compression 1

Sharable settings:
Site router:            (none)
Inside interfaces:      unsecure
Outside interfaces:     unsecure
Look password:          (none)
Touch password:         (none)
Link speed:             1.5M (T1)
Packet shaping:         off
Traffic discovery:      on
SNMP config mode:       simple
SNMP look community:    public
SNMP Trap destinations: (none)
Modem on Console:       off
Email host:port:        (none)
Email sender:           (none)
SNTP Client:            off
SNTP Primary Server:    time.nist.gov
SNTP Secondary Server:
SNTP Poll Seconds:
HTTPS port:
SSH port:
Syslog:
Legacy Compression:
Enhanced Compression:
Packing:
Acceleration:
Adaptive Response:
Non-sharable (local) settings:
IP address:                 172.21.67.2   Subnet mask: 255.255.0.0
Gateway:                    172.21.0.1
DNS server(s):              (none)
Default domain:             (none)
Date, time, timezone:       Mon Jun 11 18:54:06 2007 PDT (LosAngeles)
SNMP sysName:               172.21.67.2
SNMP sysLocation:           The physical location of this unit
SNMP sysContact:            The contact person for this managed unit
Inside 'iShaper' nic speed: auto-negotiate (link is down)
Outside nic speed:          auto-negotiate (100BaseT full-duplex)
Backup_inside nic speed:    auto-negotiate (link is down)
Backup_outside nic speed:   auto-negotiate (link is down)
Installed Keys:             control on linksize 100m compatibility 1

Sharable settings:
Site router:            (none)
Inside interfaces:      unsecure
Outside interfaces:     unsecure
Look password:          (none)
Touch password:         (none)
Link speed:             1.5M (T1)
Packet shaping:         off
Traffic discovery:      off
SNMP look community:    public
SNMP Trap destinations: (none)
Modem on Console:       off
Email host:port:        (none)
Email sender:           (none)
SNTP Client:            off
SNTP Primary Server:
SNTP Secondary Server:
SNTP Poll Seconds:
HTTPS port:
SSH port:
Syslog:
Adaptive Response:
setup siterouter
Configure the IP address of the access router for the managed link.

setup siterouter none|(<addr> [<read-community>])

Alternatively, you can set PacketWise to manage all bandwidth independent of the destination by specifying none for the site router IP address. PacketWise maintains a cache of MAC addresses for non-IP traffic, and for IP traffic if the site router is set to none; traffic is not passed when the source and destination addresses are on the same side of the access link. Also use this command to set the SNMP <read-community> string used by PacketWise to access the router when reacting to a router failover condition. If you have multiple routers, use the highav add command.

The site router should be set to none if you are using acceleration. If a site router is defined, acceleration will not work.
<groupname>

- noAuthNoPriv: Identifies a user for access control, but does not provide authentication.
- authNoPriv: Identifies a user for access control, and authenticates the user's password.
- authPriv: Identifies a user for access control, authenticates the user's password, and provides encryption.

If you do not specify a usm security model, the group will use the default noAuthNoPriv.

read <viewname>
Access groups have read (look) access to the information specified by the read view. To give the group read access to all MIB data, specify the predefined view name isoAll for the <viewname> parameter. To block all read access, specify isoNone. To limit a group's read access to a subset of available MIB data, enter the name of a user-defined view created with the setup snmp view command. If you do not specify a read view, the group will apply the default isoAll setting.

write <viewname>
Access groups have write (touch) access to the information specified by the write view. To give the group write access to all MIB data, specify the predefined view name isoAll for the <viewname> parameter. To block all write access, specify isoNone. To limit a group's write access to a subset of available MIB data, enter the name of a user-defined view created with the setup snmp view command. If you do not specify a write view, the group will apply the default isoAll setting.

Examples:
setup snmp accessgroup new engineering usm authpriv read isoall write isoall
setup snmp accessgroup new admin usm authpriv read snmpTraps write isoNone

To delete an access group, use:

setup snmp accessgroup delete <groupname>

where <groupname> is the name of the group you want to delete. Note that you will not be able to delete a group that currently has users assigned to it.

Example:
setup snmp accessgroup delete marketing
<Index>

<Name>

<SecurityName>

<ContextEngineID>
Enter a dash (-) to specify the local engine ID. PacketWise does not support any other context engine IDs.

<ContextName>
Enter a dash (-) to indicate that SNMPv1 and SNMPv2c requests received with this community string will be accepted from a sender at any location. PacketWise does not support any other context names.

<TransportTag>
If an snmp community transport tag is specified, a PacketShaper will only accept management requests from a specific list of transport endpoints. This parameter must match the <taglist> parameter of a Target Address table entry. If you do not want messages to and from this community to perform source address checking, then enter a dash (-).

<Storage Type>
PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Example:
setup snmp complex add community t0000000 public public - anywhereTag 3

Command Change History
Release 8.3.0: Command introduced
trap|inform

<Storage Type>
PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Example:
setup snmp complex add notify Informs InformTag inform nonvolatile
<ProfileName>

<Subtree>

<Mask>

trap|inform

<Storage Type>
PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Calculating a Filter Subtree Mask

You can calculate the <Mask> value for the Notify Filter table with a series of ones and zeros that mask out parts of the tree. A zero represents a wild card that matches anything, and a one indicates that an exact match is required. For example, the following value would require an exact match on all fields except the table column (i.e., the 0 in ifEntry.0.2).

OID                      Mask
1.3.6.1.2.1.2.2.1.0.2    11111111101

In the example above, the bits of the mask would be grouped into 8-bit bytes, and then the right end of the last byte padded with ones (if necessary) to fill out the last byte:

         original mask   mask padded with 1s   hex value of the padded mask
byte 1   11111111        11111111              ff
byte 2   101             10111111              bf

The <Mask> value for this table would be ff:bf

Command Change History
Release 8.3.0: Command introduced
<Name>

<Timeout>

<TagList>
One or more tag values which select target addresses for a particular operation. This parameter must match the <tag> parameter of a Notify table entry in order for the notification to be sent to the <TDomain> address. If you specify more than one tag, the list of tags should be separated by spaces and enclosed in quotation marks.

<Params>
The name of a set of entries (as defined by the <name> parameter of a Target Parameters table entry), which contain the SNMP table entry values to be used when generating messages to this address.

<Storage Type>
PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

<TMask>
Target transport mask for <TAddress>, in dotted-decimal format. If the IP address includes a port number, there must be a colon between the address and the port number. For example, if <TDomain> is snmpUDPDomain, a valid mask would be 255.255.255.0:0. This mask is used in conjunction with the <TAddress> to determine if an incoming request has arrived from an authorized address.

Example:
setup snmp complex add targetaddr localHostV1 snmpUDPDomain 127.0.0.1:0 100 3 TrapTag v1ExampleParams nonvolatile 255.255.255.255:0

Command Change History
Release 8.3.0: Command introduced
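The source-address check that the <TAddress>/<TMask> pair describes, as an added Python example that is not PacketWise code: each part of the sender's address:port is ANDed with the corresponding mask part and compared with the target entry. The bitwise-AND reading of the manual's wording is an assumption; the target entries are taken from the example above and from the targetaddr show output later in this section, and the senders are constructed.

```python
"""Model of the targetaddr source-address check (added example, not
PacketWise code).  TAddress and TMask use the snmpUDPDomain form
'a.b.c.d:port'; a mask part of 0 means 'any'."""
import ipaddress
from typing import Dict, List, Tuple


def parse_taddress(value: str) -> Tuple[int, int]:
    """Split 'a.b.c.d:port' into (address as int, port as int)."""
    host, sep, port = value.partition(":")
    if not sep:
        raise ValueError(f"expected address:port, got {value!r}")
    return int(ipaddress.IPv4Address(host)), int(port)


def sender_authorized(taddress: str, tmask: str, sender: str) -> bool:
    """True if sender matches taddress under tmask.  Address and port are
    each ANDed with their own mask part (assumed semantics)."""
    addr, port = parse_taddress(taddress)
    addr_mask, port_mask = parse_taddress(tmask)
    s_addr, s_port = parse_taddress(sender)
    return (s_addr & addr_mask) == (addr & addr_mask) and \
           (s_port & port_mask) == (port & port_mask)


# Target address entries from the manual: name -> (TAddress, TMask).
TARGETS: Dict[str, Tuple[str, str]] = {
    "localHostV1": ("127.0.0.1:0", "255.255.255.255:0"),
    "opsCenter": ("10.1.2.0:0", "255.255.255.0:0"),
    "opsConsole": ("10.1.2.100:0", "255.255.255.255:0"),
    "SnmpResearchTrapSink": ("172.21.3.15:0", "255.255.0.0:0"),
}


def matching_targets(sender: str, targets=TARGETS) -> List[str]:
    """Names of the target entries whose address/mask admit this sender."""
    return [name for name, (ta, tm) in targets.items()
            if sender_authorized(ta, tm, sender)]


def main() -> None:
    # Constructed senders: source address:port of an incoming request.
    for sender in ("10.1.2.100:161", "10.1.2.7:1024",
                   "172.21.99.4:2000", "192.0.2.9:161"):
        hits = matching_targets(sender)
        print(f"{sender:>18} -> {hits if hits else 'no entry; rejected'}")


if __name__ == "__main__":
    main()
```

A TMask of 255.255.0.0:0 admits requests from any host in the /16, so use the host mask 255.255.255.255:0 where a single management station is intended.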
<SecurityModel>
Select the security model for this notification by specifying snmpv1, snmpv2c or usm (for SNMPv3).

<SecurityName>
The SNMPv3 user or SNMPv1/SNMPv2 community string on whose behalf SNMP messages will be generated using this entry.

<SecurityLevel>
- noAuthNoPriv: communication without encryption or authentication.
- authNoPriv: communication without encryption.
- authPriv: communication with 3DES, AES-128, AES-192, or AES-256 encryption. Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

<Storage Type>
PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Examples:
setup snmp complex add targetprms v1ExampleParams snmpv1 snmpv1 public noauthnopriv nonvolatile
setup snmp complex add targetprms v2cExampleParams snmpv1 snmpv2c public authnopriv nonvolatile
setup snmp complex add targetprms v3ExampleParams snmpv3 usm root authnopriv nonvolatile

Command Change History
Release 8.3.0: Command introduced
<EngineID>

<Name>

<AuthProtocol>
Select the type of authentication required for messages between this user and the SNMP engine identified by the EngineID in this table, if any.
- usmNoAuthProtocol: Messages to or from the user do not require authentication.
- usmHMACMD5AuthProtocol: Messages to or from the user must use authentication based on the HMAC-MD5 algorithms.
- usmHMACSHAAuthProtocol: Messages to or from the user must use authentication based on the HMAC-SHA algorithms.

<PrivProtocol>
Specify usmNoPrivProtocol if the messages from this user do not need to be protected from disclosure. If this user requires privacy protection, specify the type of privacy protocol which is used.
- usmDESPrivProtocol: CBC-DES Symmetric Encryption Protocol
- usm3DESPrivProtocol: 3DES-EDE Symmetric Encryption Protocol
- usmAES128CfbPrivProtocol: 128-bit AES (Advanced Encryption Standard)
- usmAES192CfbPrivProtocol: 192-bit AES
- usmAES256CfbPrivProtocol: 256-bit AES

<Storage Type>
PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted.

<TargetTag>
If set, this table entry value will enable source address checking for messages between this user and a list of SNMP engines in the Target Address table. If you do not want messages to and from this user to perform source address checking, then enter a dash (-).

<AuthKey>
User's authentication password. Enter this table entry value as a string of alphanumerical characters. To specify a password with more than one word, enclose the words in quotation marks, e.g. "auth key". Note: This field should only contain a dash (-) if the <AuthProtocol> table entry value is set to usmNoAuthProtocol.

<PrivKey>
User's privacy password. Enter this table entry value as a string of alphanumerical characters. To specify a password with more than one word, enclose the words in quotation marks, e.g. "priv key". Note: This field should only contain a dash (-) if the <PrivProtocol> table entry value is set to usmNoPrivProtocol.

Example:
setup snmp complex add usmuser localSnmpID root usmHMACMD5AuthProtocol usmDESPrivProtocol nonvolatile anywhereTag authpass privpass

Command Change History
Release 8.3.0: Command introduced
<GroupName>

<ContextPrefix>

<SecurityModel>

<SecurityLevel>
- noAuthNoPriv: communication without encryption. Uses a community string match for authentication.
- authNoPriv: communication without encryption. Uses a username match for authentication.
- authPriv: communication without encryption. Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

<ContextMatch>
Specify either exact or prefix to indicate how the context of a request must match the ContextPrefix table entry value. If, for example, a management request is sent in context Packeteer, and the values of ContextPrefix and ContextMatch are Packet and prefix, then the context name from the request is identified as a valid match to the values in this table entry.

<ReadViewName>
This text string defines the view subtrees accessible for Get, GetNext, and GetBulk requests, and must match the <name> parameter of a Vacm View table entry. If <ReadViewName> is empty, no active view exists for read access.

<WriteViewName>
This text string defines the view subtrees accessible for Set requests, and must match the <name> parameter of a Vacm View table entry. If the <WriteViewName> table entry is empty, no active view exists for write access.

<NotifyViewName>
This text string defines the view subtrees accessible for notify access, and must match the <name> parameter of a Vacm View table entry. If the <NotifyViewName> table entry is empty, no active view exists for notify access.

<Storage Type>
PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Example:
setup snmp complex add vacmacc public - snmpv1 noauthnopriv exact ApplicationsView - ApplicationsView nonvolatile

Command Change History
Release 8.3.0: Command introduced
<SecurityName>
A human readable string which identifies an SNMPv3 user name, or an SNMPv2c or SNMPv1 community string. This parameter must match the <name> parameter of a Usm User table entry.

<GroupName>
A user group (and its associated access rights). This parameter must match the <name> parameter of a Vacm Access table entry.

<Storage Type>
PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Example:
setup snmp complex add vacmsec usm DayShiftSupervisor ShiftSupervisor nonvolatile

Command Change History
Release 8.3.0: Command introduced
<Mask>

<Type>

<Storage Type>
PacketShapers only support the nonVolatile storage type, indicating that the PacketShaper will remember the entries in this table if the unit is restarted. This parameter can be defined by the word nonvolatile, or the number 3.

Example:
setup snmp complex add vacmview restrictedView system - included nonvolatile

Calculating a View Tree Mask

You can calculate the mask value for the VacmView table with a series of ones and zeros that mask out parts of the tree. A zero represents a wild card that matches anything, and a one indicates that an exact match is required. For example, the following value would require an exact match on all fields except the table column (i.e., the 0 in ifEntry.0.2).

OID                      Mask
1.3.6.1.2.1.2.2.1.0.2    11111111101

In the example above, the bits of the mask would be grouped into 8-bit bytes, and then the right end of the last byte padded with ones (if necessary) to fill out the last byte:

         original mask   mask padded with 1s   hex value of the padded mask
byte 1   11111111        11111111              ff
byte 2   101             10111111              bf
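The mask arithmetic above, which is the same for the Notify Filter table and the VacmView table, as an added Python example that is not part of the manual: it converts the bit-string mask to the ff:bf form the commands take, expands it back, and checks candidate OIDs against the subtree, treating bits beyond the supplied bytes as 1 (the padding rule). The OID and mask are the manual's example; the candidate OIDs (ifDescr.2, ifSpeed.2, ifSpeed.3) are constructed.

```python
"""Subtree mask helpers for the notifyflt and vacmview tables (added
example, not PacketWise code).  Mask bit 1 = exact match, 0 = wildcard."""
from typing import List


def mask_to_hex(bits: str) -> str:
    """Group bits into bytes, pad the last byte with 1s, render as ff:bf."""
    if not bits or any(b not in "01" for b in bits):
        raise ValueError(f"mask must be a non-empty string of 0/1: {bits!r}")
    out: List[str] = []
    for i in range(0, len(bits), 8):
        chunk = bits[i:i + 8].ljust(8, "1")   # pad the final byte with ones
        out.append(f"{int(chunk, 2):02x}")
    return ":".join(out)


def hex_to_bits(mask: str, length: int) -> str:
    """Expand 'ff:bf' back to `length` bits.  Bits beyond the supplied
    bytes count as 1 (exact match), which is what the padding implies."""
    bits = "".join(f"{int(b, 16):08b}" for b in mask.split(":") if b)
    return bits[:length].ljust(length, "1")


def parse_oid(oid: str) -> List[int]:
    """'1.3.6.1' -> [1, 3, 6, 1]."""
    return [int(x) for x in oid.strip(".").split(".")]


def oid_in_subtree(oid: str, subtree: str, mask: str = "") -> bool:
    """True if `oid` lies under `subtree`, comparing only the sub-identifiers
    whose mask bit is 1.  An empty mask means every bit is 1."""
    o, s = parse_oid(oid), parse_oid(subtree)
    if len(o) < len(s):
        return False
    bits = hex_to_bits(mask, len(s))
    return all(bit == "0" or a == b for bit, a, b in zip(bits, o, s))


def main() -> None:
    subtree, bits = "1.3.6.1.2.1.2.2.1.0.2", "11111111101"   # manual's example
    mask = mask_to_hex(bits)
    print(f"mask {bits} -> {mask}")   # ff:bf
    # Constructed candidates: ifDescr.2, ifSpeed.2, ifSpeed.3
    for cand in ("1.3.6.1.2.1.2.2.1.2.2", "1.3.6.1.2.1.2.2.1.5.2",
                 "1.3.6.1.2.1.2.2.1.5.3"):
        verdict = "included" if oid_in_subtree(cand, subtree, mask) else "excluded"
        print(f"{cand}: {verdict}")


if __name__ == "__main__":
    main()
```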
<ProfileName> <Subtree>

Example:
setup snmp complex delete notifyflt wellKnownTraps snmpTraps

Command Change History
Release 8.3.0: Command introduced
<GroupName> <ContextPrefix>

<SecurityLevel>
Specify the number that corresponds to the security level of the table entry you want to delete:
- 1: noAuthNoPriv, communication without encryption. Uses a community string match for authentication.
- 2: authNoPriv, communication without encryption. Uses a username match for authentication.
- 3: authPriv, communication without encryption. Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms.

Example:
setup snmp complex delete vacmacc public - 1 1

Command Change History
Release 8.3.0: Command introduced
<SecurityName>
The SecurityName entry in the table you want to delete. This entry will be either a human readable string which identifies the SNMPv3 user name, or an SNMPv2c or SNMPv1 community string.

Example:
setup snmp complex delete vacmsec 3 DayShiftSupervisor

Command Change History
Release 8.3.0: Command introduced
<Subtree>
The Subtree entry in the table record to be deleted.

Example:
setup snmp complex delete vacmview restrictedView system

Command Change History
Release 8.3.0: Command introduced
Index         Name
------------  -----
t0000011      public
t0000111      public
t0000010      eng12
local         pub1
4 entries.

No entries for the notify table.
No entries for the notifyflt table.
No entries for the notifyfltpr table.
No entries for the targetaddr table.
No entries for the targetprms table.

usmuser table entries:
Con.EngineID  Name    Auth. Protocol     Priv. Protocol     Storage Type  Target Tag
------------  ------  -----------------  -----------------  ------------  ----------
localSnmpID   public  usmNoAuthProtocol  usmNoPrivProtocol  nonVolatile

vacmacc table entries:
Group   Prefix  SecMod.  Sec. Level  Match  Read    Write  Notify  Storage Type
------  ------  -------  ----------  -----  ------  -----  ------  ------------
public  -                                   isoAll         isoAll  nonVolatile

Sec. Model  Security Name  Security Group  Storage Type
----------  -------------  --------------  ------------
snmpv1      public         public          nonVolatile

No entries for the vacmview table.

Command Change History
Release 8.3.0

See also: setup snmp complex add|modify community
Index: t00000012
Name: pub1
SecurityName: pub1
ContextEngineID: 0000091E000000A1AC152BE0
ContextName:
TransportTag: anywhereTag
StorageType: nonVolatile

Command Change History
Release 8.3.0: Command introduced

See also: setup snmp complex add|modify community
TagList: InformTag
Params: v2cExampleParams
StorageType: nonVolatile
TMask: 255.255.0.0:0

Name: opsCenter
TDomain: snmpUDPDomain
TAddress: 10.1.2.0:0
Timeout: 0
RetryCount: 0
TagList: operationsCenterTag
Params: none
StorageType: nonVolatile
TMask: 255.255.255.0:0

Name: opsConsole
TDomain: snmpUDPDomain
TAddress: 10.1.2.100:0
Timeout: 0
RetryCount: 0
TagList: operationsConsoleTag
Params: none
StorageType: nonVolatile
TMask: 255.255.255.255:0

Name: SnmpResearchTrapSink
TDomain: snmpUDPDomain
TAddress: 172.21.3.15:0
Timeout: 100
RetryCount: 3
TagList: TrapTag
Params: v3ExampleParams
StorageType: nonVolatile
TMask: 255.255.0.0:0

Command Change History
Release 8.3.0: Command introduced

See also: setup snmp complex add|modify targetaddr
SecurityModel: usm
SecurityName: root
SecurityLevel: authNoPriv
StorageType: nonVolatile

Command Change History
Release 8.3.0: Command introduced

See also: setup snmp add|modify targetprms
Command Change History
Release 8.3.0: Command introduced

See also: setup snmp complex add|modify usmuser
vacmacc table entries:
Group.............: public
Prefix............:
Security model....: snmpv1
Security level....: noAuthNoPriv
Context match.....: exact
Read view.........: isoAll
Write view........:
Notify view.......: isoAll
Storage type......: nonVolatile

Command Change History
Release 8.3.0: Command introduced

See also: setup snmp complex add|modify vacmacc
Command Change History
Release 8.3.0: Command introduced

See also: setup snmp complex add|modify vacmsec
StorageType: nonVolatile

Name: restrictedView
Subtree: snmpTraps
Mask:
Type: included
StorageType: nonVolatile

Command Change History
Release 8.3.0: Command introduced

See also: setup snmp add|modify vacmview
default
For additional information on configuring SNMP, see also: SNMP Overview

Command Change History
Release 8.3.0: Command introduced
To see the current settings for the look or touch community string values, use the setup show command.

Examples:
setup snmp look lookpwd1#
setup snmp touch touchpwd2!
setup snmp show

SNMP config mode:       simple
SNMP look community:    lookpwd1#
SNMP touch community:   touchpwd2!
SNMP Trap destinations: (none)
setup snmp oids traps

n    Name
436  snmpInTraps
445  snmpOutTraps
446  snmpEnableAuthenTraps
801  snmpTraps

Note: The output of this command can be over 1,000 lines long. You may need to increase the buffer size of your command window in order to view the entire list.

Command Change History
Release 8.3.0: Command introduced
<username>

<EngineID>

<auth-pw>

- des: CBC-DES Symmetric Encryption Protocol
- 3des: 3DES-EDE Symmetric Encryption Protocol
- aes128: 128-bit AES (Advanced Encryption Standard)
- aes192: 192-bit AES
- aes256: 256-bit AES

<priv-pw>
Privacy password for the user. Passwords can have up to 32 characters; hyphens, underscores, and periods are acceptable.

Examples:
setup snmp remoteuser new "Jane Killick" auth md5 authpwd12$ priv aes256 privpwd12! 0000091E000000A1AC1512AC
setup snmp remoteuser new "Nonsecure user"

To delete a remote user, use:

setup snmp remoteuser delete <username>

Example:
setup snmp remoteuser delete "Sean Wood"
setup snmp show

SNMP config mode:       simple
SNMP look community:    lookpwd1
SNMP touch community:   touchpwd2
SNMP Trap destinations: 172.21.18.166 172.21.18.167

(The remainder of the sample output lists the unit's SNMP identification values (Northwest Corner of Building 4, Jill Smith, PKTR_9500_42, 0000091E000000A1AC1512AA), the views (all_mib, isoAll) with their subtree OIDs and included/excluded types, the access groups (admin, engineering, test_1, v1only, v2) with their security model, level, read and write views, the users (Amit, IT, Marcia), the remote users (IT_remote, sys admin, Todd Gray) and the targets (System admin, Target_it, V1traps) with their addresses, users, notify views and trap versions, each with reference counts and status; the column layout of these tables is not preserved here.)
<targetname>
<port>
version v1|v2|v3
type trap|inform
Specify whether the user should receive trap notifications or just informs. If no parameter is specified, the default setting will be trap. Note: SNMPv1 supports trap notifications only. To allow the remote user to receive all types of MIB notifications, specify the predefined view name isoAll for the <notifyview> parameter. To limit the user's access to a subset of available MIB notifications, enter the name of a userdefined view created with the setup snmp view command. If you do not specify a notify view, the group will apply the default isoAll setting.
view <notifyview>
606
Maximum round trip time for communications between the PacketShaper and the SNMP target address, in seconds. Valid timeout values 1-60 , and the default value is 10. timeout <seconds> If an inform message is sent to this address but a response is not received within this specified time frame, the PacketShaper will assume that there will be no response. retry <n> Number of times the PacketShaper should attempt to retransmit an inform message when it does not receive a response. Valid retry values are 1-10, and the default value is 3 retries.
Delete a Target
To delete a target, use:
setup snmp target delete <target>
Example:
setup snmp target delete "admin_target"
<username>
<groupname>
auth {md5|sha}
<auth-pw>
priv {des|3des|aes128|aes192|aes256}
    Specify one of the following privacy protection protocols only if the user's access group uses the authPriv security level. Otherwise, this parameter is not required.
    - des: CBC-DES Symmetric Encryption Protocol
    - 3des: 3DES-EDE Symmetric Encryption Protocol
    - aes128: 128-bit AES (Advanced Encryption Standard)
    - aes192: 192-bit AES
    - aes256: 256-bit AES
<priv-pw>
    Privacy password for the user. Passwords can have up to 32 characters; hyphens, underscores, and periods are acceptable.
Examples:
setup snmp user new "Kim Johnson" snmpv3Eng auth md5 authpwd123 priv aes256 privpwd123
setup snmp user new "v1_user" snmpv1Group
setup snmp user modify "Kim Johnson" snmpv3Eng auth md5 new_pwd1 priv aes256 new_pwd2
Delete a User
To delete a user, use:
setup snmp user delete <username>
Example:
setup snmp user delete "Ken Traum"
UserName       AuthProt   PrivProt   Status
Amit           md5        des        ok
Example_v1     none       none       ok
IT             md5        des        ok
Jane Doe       md5        des        ok
Kim Johnson    md5        des        ok
Tom Jones      md5        none       ok
VP_Marcia      md5        des        ok
Wendy Ho       md5        des        ok
<viewname>
The setup snmp view new command only allows you to specify a single OID. To include or exclude an additional OID in the view, use the command setup snmp view add.
Examples:
setup snmp view new sysadmin 1.3.6.1.6.3.18 exclude
setup snmp view add sysadmin 1.3.6.1.6.3.15.1.2.2 exclude
There are two different commands to modify view settings. Modify view settings on a PacketShaper in local mode or a top-level PolicyCenter configuration with the command setup snmp view modify. Override and modify inherited settings on a PacketShaper in shared mode or a PolicyCenter child configuration with the command setup snmp view override. When you modify or override SNMP view settings, all OIDs defined for that view are removed and replaced with the one OID specified in the setup snmp view modify or setup snmp view override command. To add additional OIDs to the modified view, use setup snmp view add.
Examples:
setup snmp view modify sysadmin 1.3.6.1.6.3.19 exclude
setup snmp view add sysadmin 1.3.6.1.6.3.15.1.2.2 exclude
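The following is an added example, not PacketWise code, that models a view as the list of include/exclude subtree entries built by setup snmp view new and setup snmp view add, and resolves an OID against it. It assumes the most-specific-subtree rule of RFC 3415 VACM view families for overlapping entries; the sysadmin view is the one built by the commands above, layered on an "iso include" base entry.

```python
"""Resolve which OIDs an SNMP view exposes.

Added example, not PacketWise code. A view is the ordered list of
(subtree, include|exclude) entries produced by "setup snmp view new" and
"setup snmp view add"; an OID is resolved with the most-specific-subtree rule
of RFC 3415 VACM view families. That PacketWise resolves overlapping entries
the same way is an assumption.
"""
from typing import List, Tuple

Oid = Tuple[int, ...]
NAMED_OIDS = {"iso": "1"}   # the predefined isoAll/isoNone views are rooted here


def parse_oid(text: str) -> Oid:
    """'1.3.6.1.6.3.18' or 'iso' -> tuple of arcs."""
    text = NAMED_OIDS.get(text, text).strip(".")
    if not text:
        raise ValueError("empty OID")
    return tuple(int(arc) for arc in text.split("."))


class SnmpView:
    def __init__(self, name: str, subtree: str, mode: str = "include") -> None:
        # setup snmp view new <viewname> <oid> include|exclude
        self.name = name
        self.entries: List[Tuple[Oid, bool]] = []
        self.add(subtree, mode)

    def add(self, subtree: str, mode: str = "include") -> "SnmpView":
        # setup snmp view add <viewname> <oid> include|exclude
        if mode not in ("include", "exclude"):
            raise ValueError(f"mode must be include or exclude, not {mode!r}")
        self.entries.append((parse_oid(subtree), mode == "include"))
        return self

    def allows(self, oid: str) -> bool:
        """True if the longest entry whose subtree covers `oid` is an include.

        With no covering entry at all the object is hidden, so a view made only
        of exclude entries exposes nothing: the classic pitfall when a view is
        started with "new ... exclude" and never given an include entry.
        """
        target = parse_oid(oid)
        best: Tuple[int, bool] = (-1, False)   # (matched prefix length, included)
        for subtree, included in self.entries:
            if target[:len(subtree)] == subtree and len(subtree) > best[0]:
                best = (len(subtree), included)
        return best[1]

    def to_cli(self) -> List[str]:
        """The setup snmp view commands that would recreate this view."""
        cmds = []
        for i, (subtree, included) in enumerate(self.entries):
            verb = "new" if i == 0 else "add"
            oid = ".".join(str(a) for a in subtree)
            mode = "include" if included else "exclude"
            cmds.append(f"setup snmp view {verb} {self.name} {oid} {mode}")
        return cmds


def build_sysadmin_view() -> SnmpView:
    """The page's sysadmin example: whole tree minus the two excluded subtrees."""
    return (SnmpView("sysadmin", "iso", "include")
            .add("1.3.6.1.6.3.18", "exclude")          # SNMP-COMMUNITY-MIB (community strings)
            .add("1.3.6.1.6.3.15.1.2.2", "exclude"))   # usmUserTable (SNMPv3 user entries)


if __name__ == "__main__":
    view = build_sysadmin_view()
    for cmd in view.to_cli():
        print(cmd)
    # constructed sample OIDs: sysDescr, a community-MIB object, a usmUserTable row
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.18.1.1.1.2.5", "1.3.6.1.6.3.15.1.2.2.1.3.1"):
        print(oid, "visible" if view.allows(oid) else "hidden")
```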
Delete a View
To delete a view, use:
setup snmp view delete <viewName>
Example:
setup snmp view delete IT_view
setup snmp view show
ViewName       Refs   Status
adminview      8      ok
iface_view     12     ok
B isoAll       24     ok
B isoNone      2      ok
sysadmin       3      ok
Traps          5      ok
setup sntp
Set or display the Simple Network Time Protocol (SNTP) configuration. SNTP is used to synchronize the time in PacketWise to a server configured to propagate highly accurate time information through the Internet.
setup sntp on|off|servers {<primary> [<secondary>]|none}|poll|reset|sync
<primary> [<secondary>]
    Enter a standard dotted-decimal IP address.
setup standby
Configure a PacketShaper for direct standby mode. The direct standby function allows two PacketShapers to work in a redundant network topology, with each unit connected to a different router. The two units are directly connected to each other, through the OUTSIDE port on the upper-most or right-most LEM, or through the port labeled BACKUP OUTSIDE on a PacketShaper 1400. Both units are considered active and each unit can receive and forward traffic. When a unit directly receives traffic, it copies that traffic and transmits it to the other unit. The other unit classifies the traffic, just as if it had received it directly, but it never forwards the traffic on to the LAN. As a result, each unit is ready at any time to take over full PacketShaper responsibility should the other unit go down.
Note: The standby feature requires a hardware modification and special cabling. Before enabling standby mode, see Connect PacketShapers into Redundant Topologies for complete details.
setup standby direct|none|show
Where:
direct
    Enables the unit for direct standby.
    Note: Packeteer's watch mode and direct standby features cannot be used together.
none
    Disables standby mode.
show
    Displays the status of a standby unit.
To enable direct standby mode, use:
setup standby direct
Note: A loss of connectivity could occur right after direct standby is enabled or disabled. This loss of connectivity is transient and recoverable after the new paths and routes have been established. After the paths and routes have stabilized, you may have to start a new CLI session.
To check the status of a standby unit:
setup standby show
host:<ipaddress>
output:<facility>,<level>
datetime
For example:
setup syslog add host:10.7.38.100 output:local1,3 datetime
If you need to modify any of the settings later, remove the server and then add it again (see setup syslog remove). Messages are not sent until you enable the logging feature (see setup syslog on). If you want a PacketWise event to be recorded in a Syslog, you need to specify this option when registering the event (see event register).
Facility Types
You can enter the keyword or value specified in the following table.

Description                      Keyword         Value
Kernel                           kern            0
User Processes                   user            1
Electronic Mail                  mail            2
Background System Processes      sysd            3
Authorization                    auth            4
System Logging                   sysl            5
Printing                         lpr             6
Usenet News                      news            7
Unix-to-Unix Copy Program        uucp            8
Clock Daemon                     clkd            9
Security                         sec2            10
FTP Daemon                       ftpd            11
NTP Subsystem                    ntp             12
Log Audit                        audit           13
Log Alert                        alert           14
Clock Daemon                     clkd2           15
For Local Use                    local0-local7   16-23
Severity Levels
You can enter the keyword or value specified in the following table. Set the level to specify which messages to suppress to the Syslog server. For example, setting the severity level to 3 allows messages with levels 0-3 and suppresses messages with levels 4-7. If you don't specify a severity level, 7 is used. With the default severity level, messages of all levels are sent to the Syslog server.

Description                                       Keyword   Value
System unusable                                   emerg     0
Take immediate action                             alert     1
Critical condition                                crit      2
Error message                                     err       3
Warning message                                   warn      4
Normal but significant condition                  notice    5
Informational (includes PacketWise user events)   info      6
Debug message                                     debug     7
At the "warn" level, Packeteer will send the following types of messages to the Syslog server:
- Login failed
- Hard drive status
- Measurement Engine status
- Direct standby status
- Plug-in status
See Packeteer Syslog Warn Messages for a list of these messages. User events that are configured to send a syslog message when a threshold is crossed are sent at the info severity level (6). See event register for more information on configuring an event to send a syslog message. Adaptive response action files that include the send syslog command can designate the severity level at which the message is sent to the Syslog server; any level can be specified.
PacketGuide for PacketWise 8.3
Server Addr    Facility     Level
-----------------------------------
10.7.38.200    local4, 20   warn, 4
10.7.38.100    local4, 20   warn, 4
If you specify an <ipaddress>, the settings for a single Syslog server are displayed. For example:
setup syslog show 10.7.38.200
Server Addr: 10.7.38.100
UDP Port: 514
DateTime Option: Not Enabled
------------------------------------
Facility     Level
------------------------------------
local4, 20   warn, 4
Message Format
When viewing the messages at the Syslog server, you will see that the format of a Syslog message is as follows:
ReceiveDateTime address SendDateTime module-severity-MNEMONIC: description
ReceiveDateTime
    The date and time the message was received by the Syslog server (may not be included, depending on the setup of the Syslog server)
address
    The PacketShaper unit's IP address
SendDateTime
    The date and time the message was sent to the Syslog server (if the datetime parameter was specified when defining the syslog server)
module
    A four-byte string that identifies the type of message. For example, USRE is a user event and SYSW is a system warning.
severity
    A single-digit code (0-7) that reflects the severity of the condition; see Severity Levels
MNEMONIC
    A code that uniquely identifies the error message, for example, BAD_WR (bad write) or INSERT_F (insert into a list fails)
description
    A text string describing the condition
For example:
Aug 6 17:06:27 10.7.38.5 SYSW-4-LOG_WARN: Hard drive is down.
Or, if the datetime parameter was specified:
Aug 6 17:07:25 10.7.38.5 Mon Aug 6 17:05:01 2001 BST (London) SYSW-4-LOG_WARN: Hard drive is down.
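As an added example (not PacketWise code), the parser below splits the message layout documented above into its fields and applies the Severity Levels rule, so a collector can check which messages a given output:<facility>,<level> setting would forward. The sample lines are constructed from this page's examples; the USRE line and its mnemonic are hypothetical.

```python
"""Parse PacketWise Syslog messages and apply the Severity Levels rule.

Added example, not PacketWise code. It splits the
"ReceiveDateTime address [SendDateTime] module-severity-MNEMONIC: description"
layout into fields and filters messages the way a configured <level> does:
level N keeps severities 0..N and suppresses N+1..7.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# Keyword for each numeric severity, in the order of the Severity Levels table.
SEVERITY_KEYWORDS = ("emerg", "alert", "crit", "err", "warn", "notice", "info", "debug")

_MSG_RE = re.compile(
    r"^(?:<\d{1,3}>)?"                                          # optional raw <PRI> prefix
    r"(?P<recv>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"    # ReceiveDateTime
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+"                     # PacketShaper address
    r"(?:(?P<send>\S.*?)\s+)?"                                  # SendDateTime (datetime option)
    r"(?P<module>[A-Z]{4})-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<desc>.*)$"
)


@dataclass
class PwSyslogMessage:
    receive_time: str
    address: str
    send_time: Optional[str]
    module: str          # four-byte type, e.g. SYSW (system warning), USRE (user event)
    severity: int        # 0..7
    mnemonic: str        # e.g. LOG_WARN, BAD_WR
    description: str

    @property
    def severity_keyword(self) -> str:
        return SEVERITY_KEYWORDS[self.severity]


def parse_message(line: str) -> PwSyslogMessage:
    """Parse one rendered line; raise ValueError if it is not PacketWise-formatted."""
    m = _MSG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a PacketWise syslog message: {line!r}")
    return PwSyslogMessage(m["recv"], m["addr"], m["send"], m["module"],
                           int(m["sev"]), m["mnemonic"], m["desc"])


def level_value(level: Union[int, str]) -> int:
    """Accept the keyword or the number, as output:<facility>,<level> does."""
    if isinstance(level, int):
        value = level
    elif level.isdigit():
        value = int(level)
    elif level in SEVERITY_KEYWORDS:
        value = SEVERITY_KEYWORDS.index(level)
    else:
        raise ValueError(f"unknown severity level: {level!r}")
    if not 0 <= value <= 7:
        raise ValueError(f"severity level out of range: {value}")
    return value


def passes_level(msg: PwSyslogMessage, level: Union[int, str]) -> bool:
    """True if a server configured with `level` would receive this message."""
    return msg.severity <= level_value(level)


def filter_messages(lines: Iterable[str], level: Union[int, str]) -> List[PwSyslogMessage]:
    """Parse lines and keep those that a `level` configuration would forward."""
    return [m for m in map(parse_message, lines) if passes_level(m, level)]


# Constructed samples: the first two are the page's examples, the third is hypothetical.
SAMPLE_LINES = [
    "Aug 6 17:06:27 10.7.38.5 SYSW-4-LOG_WARN: Hard drive is down.",
    "Aug 6 17:07:25 10.7.38.5 Mon Aug 6 17:05:01 2001 BST (London) SYSW-4-LOG_WARN: Hard drive is down.",
    "Aug 6 17:08:10 10.7.38.5 USRE-6-EVENT_HYPO: constructed user event line",
]

if __name__ == "__main__":
    # With level "warn" (4) the two SYSW-4 lines pass and the USRE-6 line is suppressed.
    for m in filter_messages(SAMPLE_LINES, "warn"):
        print(m.address, m.module, m.severity_keyword, m.mnemonic, m.description)
```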
primary|secondary
override
To turn the service on or off, or to return the service to its default off value, use:
setup tacacs acct on|off|default
Example:
setup tacacs acct primary 10.10.10.10 P4assw0rd1
setup tacacs acct secondary 10.10.20.10 Paa55w0rd2
setup tacacs acct on
This example defines a primary accounting server at 10.10.10.10 which has a shared secret of P4ssw0rd1, as well as a secondary server at 10.10.20.10. The third command line enables the TACACS+ accounting service. Once this service is configured and enabled, PacketWise sends a PW_STATUS_START accounting message to the accounting server when a user logs in and a PW_STATUS_STOP message when a user logs off or is disconnected.
Command Change History
Release   Modification
8.3.0     Command introduced
override
To turn the service on or off, or to return the service to its default off value, use:
setup tacacs auth on|off|default
Example:
setup tacacs auth primary 10.10.10.10 CupServ44
setup tacacs auth on
This example first defines a primary authentication server at 10.10.10.10 which has a shared secret of CupServ44. The second command line enables the TACACS+ authentication service. Once this is configured and enabled, PacketWise prompts users for a user name and password when they log into PacketWise.
- ASCII (American Standard Code for Information Interchange): With ASCII, the username and password are transmitted in clear, unencrypted text.
- PAP (Password Authentication Protocol): With PAP, the username and password are transmitted in clear, unencrypted text. ASCII or PAP authentication is required for TACACS+ configurations that require access to clear-text passwords (for example, when passwords are stored and maintained in a database external to the TACACS+ server).
- CHAP (Challenge Handshake Authentication Protocol): In other environments, CHAP may be preferred for greater security. The TACACS+ server sends a challenge that consists of a session ID and an arbitrary challenge string, and the username and password are encrypted before they are sent back to the server.
- MS-CHAP (Microsoft Challenge Handshake Authentication Protocol): This protocol is very similar to CHAP, but with MS-CHAP authentication, the TACACS+ server can store an encrypted version of a user password to validate the challenge response. Standard CHAP authentication requires that the server store unencrypted passwords.
  Note: MS-CHAP v1 and v2 are supported. PacketWise attempts authentication with MS-CHAP v2 first. If the remote server doesn't support v2 or if authentication is denied, PacketWise re-attempts authentication with MS-CHAP v1.
setup tacacs method ascii|pap|chap|mschap|default
The default authentication method is ascii.
See also:
Configure TACACS+ Authentication Service
Log In and Out with TACACS+
Command Change History
Release   Modification
8.3.0     Command introduced
setup tacacs show
TACACS Setup values:
Tacacs Method   : ASCII
Authentication  : on
Accounting      : off
Timeout         : 10
setup timezone
When you configure a time zone, PacketWise can change its local time automatically at the start and end of daylight savings time. It also can retrieve time updates from time servers.
setup timezone [<name>|custom <timezone_spec>]
Each time zone has a unique name, usually the name of the best-known city in that zone. The default time zone is Los Angeles, CA. To display the valid time zones, use setup timezone help.
<timezone_spec> is a string defined by POSIX.1 as:
<std><offset>[<dst>[<offset>],<date>[/<time>],<date>[/<time>]]
Where:
<std> and <dst>
    3 or more characters specifying the standard and daylight saving time (DST) zone names
<offset>
    [-]hh:[mm[:ss]] specifies the offset west of UTC. The default DST offset is one hour ahead of standard time
<date>[/<time>]
    Specifies the beginning and end of DST. If this is absent, the system applies US DST rules (first Sunday of April at 2:00 AM to last Sunday of October at 2:00 AM)
<time>
    hh:[mm[:ss]] with a default of 02:00
<date>
    One of the following forms:
    - Jn (1<=n<=365): origin-1 day number, not counting February 29
    - n (0<=n<=365): origin-0 day number, counting February 29, if present
    - Mm.n.d (0[Sunday]<=d<=6[Saturday], 1<=n<=5, 1<=m<=12): for the dth day of week n of month m of the year, where week 1 is the first week in which day d appears, and 5 stands for the last week in which day d appears (which may be either the 4th or 5th week)
For example, you could configure a time zone for Cairo, Egypt with the command:
setup timezone custom EET-2EEST,M4.5.5/01:00,M9.5.5/03:00
setup timezone
Current time zone:
Time zone name: Custom
Time zone desc: Custom time spec in POSIX format
Time zone spec: EET-2EEST,M4.5.5/01:00,M9.5.5/03:00
Time zone offset: GMT+02:00
DST offset: 60 minutes
DST starts: Last Friday of April at 01:00 AM
DST ends: Last Friday of September at 03:00 AM
In this example, the standard time, known as EET, is two hours ahead of GMT and daylight savings time, known as EEST, is the default 60 minutes ahead of EET. Rather than using US default rules, EEST begins on the last Friday of April at 1:00 AM and ends on the last Friday of September at 3:00 AM.
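The following is an added example, not PacketWise code, that implements the <timezone_spec> grammar quoted above far enough to expand a spec into the concrete "DST starts" / "DST ends" times for a given year. It handles all three <date> forms (Jn, n and Mm.n.d); when the dates are absent it applies the US default rule stated above, which is an assumption about how PacketWise fills them in.

```python
"""Expand a PacketWise <timezone_spec> into concrete DST transition times.

Added example, not PacketWise code. Grammar handled:
<std><offset>[<dst>[<offset>],<date>[/<time>],<date>[/<time>]]
POSIX offsets count hours west of UTC, so "EET-2" is UTC+02:00.
"""
import calendar
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional, Tuple

_NAME = r"[A-Za-z]{3,}"
_OFFSET = r"[+-]?\d{1,2}(?::\d\d(?::\d\d)?)?"
_HEAD_RE = re.compile(
    rf"^(?P<std>{_NAME})(?P<stdoff>{_OFFSET})"
    rf"(?:(?P<dst>{_NAME})(?P<dstoff>{_OFFSET})?)?"
)
US_DEFAULT_RULES = ("M4.1.0", "M10.5.0")   # first Sunday of April, last Sunday of October
DEFAULT_TIME = timedelta(hours=2)           # <time> default of 02:00


@dataclass
class TzSpec:
    std: str
    utc_offset: timedelta                    # east-positive, the sign shown as GMT+02:00
    dst: Optional[str] = None
    dst_utc_offset: Optional[timedelta] = None
    start_rule: Optional[str] = None
    start_time: Optional[timedelta] = None
    end_rule: Optional[str] = None
    end_time: Optional[timedelta] = None


def parse_hms(text: str) -> timedelta:
    """'[+-]hh[:mm[:ss]]' -> timedelta, sign preserved."""
    sign = -1 if text.startswith("-") else 1
    h, m, s = ([int(p) for p in text.lstrip("+-").split(":")] + [0, 0])[:3]
    return sign * timedelta(hours=h, minutes=m, seconds=s)


def _split_rule(part: str) -> Tuple[str, timedelta]:
    """'M4.5.5/01:00' -> ('M4.5.5', 1h); a missing /<time> means 02:00."""
    rule, _, at = part.partition("/")
    return rule, (parse_hms(at) if at else DEFAULT_TIME)


def parse_tz_spec(spec: str) -> TzSpec:
    m = _HEAD_RE.match(spec)
    if not m:
        raise ValueError(f"not a POSIX TZ spec: {spec!r}")
    std_utc = -parse_hms(m["stdoff"])        # west-of-UTC -> east-positive
    tz = TzSpec(std=m["std"], utc_offset=std_utc)
    if m["dst"] is None:
        return tz
    tz.dst = m["dst"]
    # Default DST offset: one hour ahead of standard time.
    tz.dst_utc_offset = -parse_hms(m["dstoff"]) if m["dstoff"] else std_utc + timedelta(hours=1)
    rest = spec[m.end():]
    if rest.startswith(","):
        start, end = rest[1:].split(",")
    elif rest:
        raise ValueError(f"unexpected text in TZ spec: {rest!r}")
    else:
        start, end = US_DEFAULT_RULES         # assumption: US rules when dates are absent
    tz.start_rule, tz.start_time = _split_rule(start)
    tz.end_rule, tz.end_time = _split_rule(end)
    return tz


def rule_date(rule: str, year: int) -> date:
    """Resolve one <date> form (Jn, n or Mm.n.d) to a calendar date in `year`."""
    if rule.startswith("J"):                 # Jn: 1..365, February 29 never counted
        n = int(rule[1:])
        d = date(year, 1, 1) + timedelta(days=n - 1)
        return d + timedelta(days=1) if calendar.isleap(year) and n >= 60 else d
    if rule.startswith("M"):                 # Mm.n.d: weekday d of week n of month m
        mon, week, wday = (int(x) for x in rule[1:].split("."))
        first = date(year, mon, 1)
        first_posix_wday = (first.weekday() + 1) % 7          # POSIX: Sunday = 0
        d = first + timedelta(days=(wday - first_posix_wday) % 7, weeks=week - 1)
        if d.month != mon:                   # week 5 means "last", which may be week 4
            d -= timedelta(weeks=1)
        return d
    return date(year, 1, 1) + timedelta(days=int(rule))   # n: 0..365, Feb 29 counted


def dst_transitions(tz: TzSpec, year: int) -> Optional[Tuple[datetime, datetime]]:
    """Local wall-clock times at which DST starts and ends in `year`."""
    if tz.dst is None:
        return None
    midnight = datetime.min.time()
    start = datetime.combine(rule_date(tz.start_rule, year), midnight) + tz.start_time
    end = datetime.combine(rule_date(tz.end_rule, year), midnight) + tz.end_time
    return start, end


def describe_year(spec: str, year: int) -> dict:
    """Plain-value summary of what 'setup timezone' displays for `spec` in `year`."""
    tz = parse_tz_spec(spec)
    out = {"std": tz.std, "dst": tz.dst, "dst_starts": None, "dst_ends": None,
           "utc_offset_minutes": int(tz.utc_offset.total_seconds()) // 60}
    trans = dst_transitions(tz, year)
    if trans:
        out["dst_starts"], out["dst_ends"] = (t.strftime("%Y-%m-%d %H:%M") for t in trans)
        out["dst_offset_minutes"] = int((tz.dst_utc_offset - tz.utc_offset).total_seconds()) // 60
    return out


if __name__ == "__main__":
    print(describe_year("EET-2EEST,M4.5.5/01:00,M9.5.5/03:00", 2006))   # the page's Cairo example
```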
setup variable
Change a default variable setting.
setup variable [<variable> <value>|default] | [-reset|-nd]
where <variable> is one of the variables listed below and <value> is the value you want to set the variable to. The default, minimum, and maximum values for each <variable> are listed after its description.
Note: After changing a variable's setting, you need to reset the unit in order for the change to take effect.
To reset all system variables to their defaults, use the setup variable -reset command. To reset a specific variable to its default, use the setup variable <variable> default command. To see a list of all variables that have non-default settings, use the setup variable -nd command.

Variable / Description (Default Value, Min. Value, Max. Value)

accelerationStrictHostCheck
    When this variable is enabled, outbound TCP flows are accelerated only if the source host is configured (or discovered) on the local device and the destination host is configured/discovered as a remote host via the outbound tunnel. Likewise, inbound accelerated flows are not intercepted unless the source host is configured/discovered as a remote host via the inbound tunnel and the destination host is configured/discovered on the local device. Certain topologies require this variable to be enabled in order for acceleration to work properly:
    - Those in which traffic accelerated at the edge PacketShaper will pass through an intermediate PacketShaper at the central site
    Notes:
    - Enabling this variable may result in a slight degradation of performance for XTP acceleration, since lookup and validation of local and remote hosts are done per packet. SCPS acceleration does not have this side effect.
    - If packets pass through the same PacketShaper multiple times, it may be necessary to restrict hosts (using the tunnel discovery host command), to manually provision hosts on a particular side (using the hostdb side manual command), or to disable host discovery (using the tunnel discovery command).
    Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
autoCreateSameSide
    When this variable is enabled, the SameSide class is created automatically. When disabled, the SameSide class is not auto-created. You may want to disable this variable if traffic is being misclassified into the SameSide class.
    Default: 1 (on)   Min: 0 (off)   Max: 1 (on)
bridgePassThru
    With bridgePassThru enabled, the PacketShaper forwards packets that have a source and destination MAC address on the same side of the unit. When bridgePassThru is disabled and traffic shaping is enabled, the Packeteer unit drops packets that have source and destination MAC addresses on the same side.
    Default: 1 (on)   Min: 0 (off)   Max: 1 (on)

cmprsnDiffservInterop
    Preserve TOS (Type-of-Service) IP header values on compressed packets. When this option is enabled, TOS values are preserved on IPComp packets. When it is disabled, TOS values are not preserved on compressed packets.
    Note: This variable is applicable to legacy compression tunnels only.
    Default: 1 (on)   Min: 0 (off)   Max: 1 (on)

cmprsnDiffservReapply
    Reapply network-modified TOS IP header values to decompressed packets. When this option is enabled, the decompressing PacketShaper compares the original TOS value of the compressed packets to the TOS value in the IPComp packet's IP header. If the network modified the TOS value of the IPComp packet, Xpress applies this modified TOS value to the original packets as they are decompressed.
    Notes:
    - The cmprsnDiffservInterop variable must also be enabled.
    - This variable is applicable to legacy compression tunnels only.
    Default: 0 (off)   Min: 0 (off)   Max: 1 (on)

cmprsnEnablePacking
    When packing is enabled, multiple packets are combined into a single "super packet" in order to save on overhead. Packing increases compression rates because less data is being sent out on the wire. On very busy links, packing doesn't cause much latency because the packets are bundled and sent off quickly. On less active links, Xpress may have to wait to get enough packets in a bundle, possibly creating application performance problems. If you are experiencing latency, try lowering the packing hold time or disabling it altogether.
    Note: This variable is applicable to legacy compression tunnels only.
    Default: 0 (off)   Min: 0 (off)   Max: 1 (on)

cmprsnFirewallSupport
    Enables/disables firewall support for the Xpress compression feature. If set to 0, Xpress firewall support is disabled; use this setting when there is no firewall between partner units. When there is a firewall between partner units, enable firewall support by selecting either 1 or 2:
    - 1: Firewall support is enabled only when compression is ON.
    - 2: Firewall support stays enabled for persistent flows even after disabling compression. When compression is turned off, any TCP flows already hidden from the firewall continue to be hidden (tunneled), but new TCP flows are not hidden.
    Note: This variable is applicable to legacy compression tunnels only.

cmprsnHostEntries
    The maximum number of hosts and partners that can be defined to use the compression facility.
    * 0 indicates that the default system limit will be used; the system limit depends on the amount of memory installed in the unit.
    Default: 0*   Min: 2   Max: 99999
cmprsnInsideHostMode
    Set inside host lists to be inclusive or exclusive. If inclusive, inbound traffic destined to inside hosts on the host list is eligible for tunneling. If exclusive, traffic destined to the listed hosts is not sent through the Xpress tunnel but all other inside hosts are eligible for tunneling. Use the tunnel discovery host command to create the list.
    Default: 0 (inclusive)   Min: 0 (inclusive)   Max: 1 (exclusive)

cmprsnMaxRetransmissions
    The maximum consecutive retransmissions of a packet before a compression tunnel is shut down.
    Values (partially legible in this copy): 99
cmprsnOutsideHostMode
    Set outside host lists to be inclusive or exclusive. If inclusive, outbound traffic destined to outside hosts on the host list is eligible for tunneling. If exclusive, traffic destined to the listed hosts is not sent through the Xpress tunnel but all other outside hosts are eligible for tunneling. Use the tunnel discovery host command to create the list.
    Default: 0 (inclusive)   Min: 0 (inclusive)   Max: 1 (exclusive)

cmprsnPackingHoldTimeMsecs
    Maximum number of milliseconds packets will be held for packing. When PacketShaper receives a packet, it is held up to the maximum packing hold time (10 ms by default), waiting to be combined with additional packets. After that time expires, Xpress compresses all the accumulated packets into a super packet and sends it out.
    Note: This variable is applicable to legacy compression tunnels only.
    Values (partially legible in this copy): 10 (the default, per the description), 1024

cmprsnPartnerMode
    Set tunnel partner lists to be inclusive or exclusive. If inclusive, Xpress creates tunnels only with the listed PacketShapers. If exclusive, Xpress does not establish tunnels with the listed PacketShapers; only PacketShapers not listed will have tunnels established. Use the tunnel discovery partner command to create the list.
    Default: 0 (inclusive)   Min: 0 (inclusive)   Max: 1 (exclusive)
cmprsnRSVPPathDiscard
    When cmprsnRSVPPathDiscard is disabled (the default), the PacketShaper responds to an RSVP (Resource Reservation Protocol) message from another PacketShaper and continues to pass the original RSVP packet to the inside, to any other PacketShapers that may be downstream. When this variable is enabled, the PacketShaper responds to the RSVP message but does not send the packet on. Note that the packet is discarded only when compression is enabled and when the RSVP packet is moving inwards.
    Note: This variable is applicable to legacy compression tunnels only.
    Default: 0 (off)   Min: 0 (off)   Max: 1 (on)

cmprsnTransparentTrigger
    The number of consecutive retransmissions of a packet before Xpress disables the compression tunnel and sends packets in the clear (uncompressed). The tunnel resumes normal operation after it gets an acknowledgment for the retransmitted packets; if an acknowledgment is not received before the tunnel shutdown threshold is reached, the tunnel is shut down.
    Note: This variable is applicable to legacy compression tunnels only.
    Values (partially legible in this copy): 99
DiffservClassSortPref
    Controls the sort order of the traffic tree with respect to Diffserv classes (those with DSCP marks). Three settings are available:
    - 0: Diffserv classes are sorted below IP-address-based classes, but above port-based classes (the default).
    - 1: Diffserv classes are sorted above IP-address-based classes.
    - 2: Legacy sort order (Diffserv classes are sorted after IP-address-based classes, port-based classes, and auto-discovered classes).
    Note: The new sort order doesn't take effect until the unit is rebooted.
    Default: 0   Min: 0   Max: 2

discoveryThresholdDynamicPort
    The number of new connections of an identifiable service to a port greater than 1024 that must be identified within a one-minute timeframe before PacketWise creates a class.
    Max: 1000000 (Default and Min not legible in this copy)

discoveryThresholdNonIP
    The number of new non-IP connections of a given type that must be identified within a one-minute timeframe before PacketWise creates a class.
    Max: 1000000 (Default and Min not legible in this copy)

discoveryThresholdNormal
    The number of new connections of an identifiable service to a port less than or equal to 1024 that must be identified within a one-minute timeframe before PacketWise creates a class.
    Max: 1000000 (Default and Min not legible in this copy)
discoveryThresholdPort
    The number of new connections to a particular port within a one-minute timeframe before PacketWise creates a Port_#### class in the DiscoveredPorts folder. It may be necessary to increase this value on Internet link deployments to prevent an excessive number of DiscoveredPorts classes being created. If you don't want any Port_#### classes discovered, set this variable to its maximum value.
    Default: 100   Min: 1   Max: 1000000

dynPtnActiveReuseSeconds
    The number of seconds a dynamic partition is retained after an established flow has sent packets.
    Note: If no other user needs a dynamic partition, the partition is retained indefinitely.
    Default: 300 (5 min)   Min: 10   Max: 7200 (2 hrs)

dynPtnIdleReuseSeconds
    The number of seconds a dynamic partition is retained after an established flow has not sent or received packets.
    Note: If no other user needs a dynamic partition, the partition is retained indefinitely.
    Default: 30   Min: 10   Max: 7200 (2 hrs)

dynPtnSequestrationCount
    The number of partitions reserved for static partitions; all other partitions can be used for dynamic or static partitions (applicable to PacketShaper 1200 and 1500 only).
    Values (partially legible in this copy): 99
enableCongestion
    Enable/disable the calculation of packet exchange time. When this variable is disabled, the Pkt Exch column on the Monitor Traffic page does not appear, RTM is not available, and the packet exchange time and RTM measurement variables always have a value of 0.
    Note: This variable is not supported on the PacketShaper 1200 model. After disabling the enableCongestion variable, you should reset the unit.
    Default: 1 (on)   Min: 0 (off)   Max: 1 (on)

enableLatency
    Enable/disable the calculation of VoIP metrics. When this variable is enabled, PacketWise collects data that measure packet loss, jitter, and latency for VoIP flows.
    Notes:
    - VoIP metrics can only be measured between PacketShapers with the VoIP metrics feature enabled.
    - The VoIP metrics feature can measure traffic only from VoIP applications whose data is classified as RTP-I. For instance, latency metrics are not provided for DialPad, iChat, Vonage, and Skype.
    Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
enableSupportForSSHv1
    Enable/disable support for Secure Shell version 1 (SSH v1) for secure access to the PacketShaper. When this variable is enabled, the PacketShaper can be accessed with SSHv1 and SSHv2 clients. When this variable is disabled, only SSH clients using the SSHv2 protocol version are supported. Note that this variable doesn't take effect until the PacketShaper is reset.
    Default: 1 (on)   Min: 0 (off)   Max: 1 (on)

enableWinnyClassification
    Enable/disable classification of the Winny service. For optimal performance, enable only when management of Winny traffic is required.
    Note: The Winny peer-to-peer application is used primarily in Japan.
    Default: 0 (off)   Min: 0 (off)   Max: 1 (on)

flowRecordsIntermediateTimeout
    Number of milliseconds between generation and sending of intermediate flow detail records when traffic is present.
    Default: 1500   Min: 1000   Max: 36000

flowRecordsPktr0Timeout
    Number of seconds between generation and sending of Packeteer0 flow records.
    Default: 3600   Min: 10   Max: 5000

flowRecordsPktrPTimeout
    Number of seconds between generation and sending of PacketeerP flow records.
    Default: 60   Min: 10   Max: 5000
flowRecordsResetCounters
    Controls whether or not the counter fields in FDR packets are reset with each intermediate FDR sent.
    Note: This variable only affects Packeteer-1 and Packeteer-2 format FDRs: counter fields are always reset in the NetFlow-5 format.
    Default: 1 (on)   Min: 0 (off)   Max: 1 (on)

flowRecordsSendIntermediate
    Enable/disable the intermediate flow detail records feature. When this variable is enabled, PacketWise emits intermediate FDRs at the interval specified by the flowRecordsIntermediateTimeout variable.
    Note: Enable the intermediate flow detail records feature only when using a suitably instrumented collector, such as Cisco-based NetFlow-5 collectors. ReportCenter version 3.1 and earlier ignore intermediate FDRs.
    Default: 0 (off)   Min: 0 (off)   Max: 1 (on)

flowRecordsSendPktrP
    Enable/disable emission of PacketeerP packets to Packeteer flow detail record collectors. Packeteer-P packets contain statistics that are not related to particular flows, but rather provide information about utilization on the PacketShaper at the time flows are recorded. If this variable is enabled, Packeteer-P records are sent after each UDP flow record packet is sent to Packeteer-1 or Packeteer-2 collectors (not more than once per minute).
    Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
flowRecordsSendPktr0
    Enable/disable emission of Packeteer0 packets to Packeteer flow detail record collectors. Packeteer-0 packets are mapping messages that allow collectors to decipher Packeteer-related information in the FDRs they receive. For example, in the FDR's ClassID field, a value identifies the traffic class. In order for the collector to understand what class is actually associated with the ID, it uses the class map, a list that contains each traffic class on the unit along with the identifying number assigned to each class. If this variable is enabled, Packeteer-0 mappings are sent out approximately once each hour. Note that this variable needs to be enabled only if the collector does not know this information through other means.
    Default: 0 (off)   Min: 0 (off)   Max: 1 (on)

frameMaxRouteEntries
    The maximum number of route entries PacketWise can import from a FRAD or ATM routing table.
    Note: This variable is not supported on the PacketShaper 1200 or 1400 Lite models.
    Default: 300   Min: 25   Max: 2000
graphTimeoutSeconds
    The maximum number of seconds a graph can take to generate in the browser interface; if the graph takes longer to generate than this value, a system timeout error message appears.
    Note: Increasing this setting can make the browser interface appear to "freeze" while PacketWise is generating some of the more complex graphs. Sometimes the browser will not display the page until all of the graphs are generated.
    Default: 60   Min: 1   Max: 600 (10 min)

hostTspecCacheInside
    Enable/disable caching of IP address-based classes on the inside. Change this setting to outside (0) to increase performance of classification if the majority of IP addresses in manually created classes are on the outside, rather than the inside. To disable the caching of inside IP address-based classes, use the setup variable hostTspecCacheInside 0 command. After you reset the PacketShaper, IP address-based classes will be cacheable on the outside. To re-enable caching for inside classes, use the setup variable hostTspecCacheInside 1 command.
    Default: 1 (inside)   Min: 0 (outside)   Max: 1 (inside)
httpStealth503
    Control the display of the 503 Service unavailable server error message when a connection is refused because of admission control (such as a never-admit policy).
    - 0: The 503 - Service unavailable message is customized with the text "This message is sent by Packeteer PacketShaper."
    - 1: The PacketShaper text is not displayed with the 503 - Service unavailable message.
    - 2: PacketWise performs a TCP reset and drops the HTTP request; the error message will likely be "The attempt to load http://... failed."
    (Default, Min and Max not legible in this copy)

LFNSupport
    When enabled, this setting improves performance on Long Fat Networks (LFN), which require larger TCP window sizes. An LFN is a long-distance network with large bandwidth and long delay; for example, high-capacity satellite channels are LFNs.
    Default: 0 (off)   Min: 0 (off)   Max: 1 (on)

linkOverheadBytes
    Number of bytes that are added to each packet to account for WAN protocol header overhead.
    Values (partially legible in this copy): 256
linkOverheadPpt
    Number of parts per thousand* by which packet sizes are increased to account for link overhead. This adjustment is useful for links that do bit stuffing. (Bit stuffing is the practice of adding bits to a stream of data. Bit stuffing is required by many network and communications protocols, for example to prevent data from being interpreted as control information.)
    * To be more precise, it's actually parts per 1024.
    Values (partially legible in this copy): 35 (3.5%), 1024

mirrorLinks
    Enable/disable link state mirroring. With link state mirroring, PacketWise brings down the second port of a NIC pair if the first goes down. This feature allows each PacketShaper to sit between a WAN router and a switch without blocking detection of switch outages by the router. Link state mirroring is automatically enabled when direct standby is enabled and the redundant management port is connected.
    Note: Link state mirroring is not active on the LEM being used for the direct link; this allows you to disconnect the redundant management port without impacting connectivity. However, link state mirroring is disabled when the redundant management link is disconnected.
    Default: 0 (off)   Min: 0 (off)   Max: 1 (on)
mplsSecondLabelIndex
    Designates the MPLS label stack position (1-5) to be looked at for classification purposes. By default, PacketWise looks at the top MPLS label (1), which identifies the path through the core. If you want to classify by other MPLS labels (2-5) in the MPLS stack, you need to change this system variable to identify the stack position.
    Default: 1   Min: 1   Max: 5 (as stated in the description; the table columns are not legible in this copy)

PolicyFlowLimitForAllClasses
    Enables/disables the policy flow limit feature. When enabled, PacketWise enforces all policy flow limits that have been set on traffic classes. When disabled, all policy flow limits are ignored. For additional information, see policy flowlimit.
    Default: 1 (on)   Min: 0 (off)   Max: 1 (on)

probeIntervalSeconds
    Number of seconds between the issuance of VoIP latency probes that measure VoIP metrics, enabled by the enableLatency variable.
    Values (partially legible in this copy): 60

rtoInboundClampMsecs
    Number of milliseconds delay for clamping early retransmission timeout on Inbound packets. Puts a maximum on retransmit time.
    Default: 1600   Min: 0 (disable)   Max: 3000 (3 sec)

rtoOutboundClampMsecs
    Number of milliseconds delay for clamping early retransmission timeout on Outbound packets.
    Default: 1600   Min: 0 (disable)   Max: 3000 (3 sec)

syntheticReadTimeoutSeconds
    Number of seconds after which a synthetic transaction will end when the response received is incomplete.
    Note: This variable is not supported on PacketShaper ISP models.
    Values (partially legible in this copy): 1000
syntheticWriteTimeoutSeconds
Number of seconds after which a synthetic transaction will be canceled if the server fails to respond to a request.
Note: This variable is not supported on PacketShaper ISP models.
Default: 60  Minimum: 10  Maximum: 5000

tcpClipInitialWindow
When tcpClipInitialWindow is enabled, the PacketShaper will always reduce the initial TCP window size to 1x MSS (maximum segment size). When this variable is disabled, new flows will ramp up faster, but enforcement of small rate policies and/or partitions may not work at the beginning of flows.
Default: 1 (on)  Minimum: 0 (off)  Maximum: 1 (on)

tcpMssInbound
Maximum segment size of TCP packets on Inbound flows. This setting can help avoid packet fragmentation when using a VPN that cannot carry 1500-byte packets (the default size) through the VPN tunnel.
Default: 1460 bytes  Maximum: 65535

tcpMssOutbound
Maximum segment size of TCP packets on Outbound flows.
Default: 1460 bytes  Maximum: 65535

tcpSmallMssLinkSpeed
Link speeds slower than this value will force the use of a smaller MSS (maximum segment size). Prevents PacketWise from changing the MSS on large WAN links.
Default: 384000 bps  Maximum: 512000
tnlDontSpanPackets
When packets are being packed into super packets, this variable determines whether a packet's contents will be spanned across two super packets. By default, packets are not spanned.
Default: 1 (on)  Minimum: 0 (off)  Maximum: 1 (on)

tnlInheritInbound
Determines how Xpress selects an outbound tunnel when a destination host is reachable via multiple routes. When this variable is enabled, Xpress will choose the tunnel that first serviced the inbound flow. When this variable is disabled, Xpress will choose the tunnel it discovered first.
Default: 0 (off)  Minimum: 0 (off)  Maximum: 1 (on)

tnlLocalArpDiscovery
One of three mechanisms for discovering local hosts for Xpress tunnels. When localArpDiscovery is enabled, Xpress extracts the source IP address from a valid ARP request or response and adds it as a local host for Xpress tunnels. This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.
Note: This variable is applicable to enhanced tunnels only.
Default: 1 (on)  Minimum: 0 (off)  Maximum: 1 (on)
tnlLocalIpDiscovery
One of three mechanisms for discovering local hosts for Xpress tunnels. When localIpDiscovery is enabled, Xpress extracts the IP addresses of all inside hosts and adds them to the local host list for Xpress tunnels. This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.
Note: This variable is applicable to enhanced tunnels only.
Default: 1 (on)  Minimum: 0 (off)  Maximum: 1 (on)

tnlLocalOspfDiscovery
One of three mechanisms for discovering local hosts (subnets) for Xpress tunnels. When the OSPF (Open Shortest Path First) routing protocol is configured on a router, the router will broadcast link-state advertisement (LSA) messages to its subnets. When localOspfDiscovery is enabled, Xpress will examine these LSA messages, looking for any subnets that are local to the PacketShaper. These hosts will then be added to the local host list. This mechanism will not work in a redundant topology and is disabled by default. In a non-redundant topology, you have the option of enabling this variable if you so choose.
Note: This variable is applicable to enhanced tunnels only.
Default: 0 (off)  Minimum: 0 (off)  Maximum: 1 (on)
tnlRemoteRsvpDiscovery
A mechanism for discovering remote hosts for Xpress tunnels. When remoteRsvpDiscovery is enabled, Xpress sends RSVP Path request messages and, if another Xpress unit along the path recognizes the host being probed for as a local host, it will respond with an RSVP Resv reply message. If an RSVP Resv reply message is received for a host, the host will be added to the list of remote hosts. This mechanism is enabled by default but only operates when global host discovery is enabled with the tunnel discovery command. This variable can be disabled for troubleshooting host discovery on different network topologies.
Note: This variable is applicable to enhanced tunnels only.
Default: 1 (on)  Minimum: 0 (off)  Maximum: 1 (on)

tnlTcpServerPort
The TCP port number that Xpress tunnels use for transport.
Notes:
• Traffic from any user machine sourcing from this port will not be accelerated.
• When you change the TCP port number, only new tunnels (those formed after the change) will use the new port. If there were any tunnels using the old port, be sure to delete them so that all tunnels use the same port.
Default: 64600  Maximum: 65535
trafficIsAsymmetric
By turning on this setting, PacketWise will automatically assume all flows are asymmetric and stop TCP Rate Control. In topologies where there is a large percentage of asymmetric flows, this may be more efficient than attempting to apply regular rate control. In addition to disabling rate control, turning on this setting disables all layer 7 classification activities (PacketWise must see traffic in both directions in order to classify layer 7).
Default: 0 (off)  Minimum: 0 (off)  Maximum: 1 (on)

userEventExtSnmpVersion
Enable/disable the extended SNMP trap for user events. When this variable is turned on, there will be an additional field in the trap that indicates the type of situation that triggered the trap. The field indicates violated (when the threshold was exceeded) or rearm (when the rearm value was crossed).
Default: 0 (off)  Minimum: 0 (off)  Maximum: 1 (on)

userEventMaxDefinitions
The maximum number of events that can be user-defined.
Default: 32  Minimum: 32  Maximum: 128

userEventMaxRegistrations
The maximum number of events that can be registered.
Default: 32  Minimum: 32  Maximum: 128
wccpRedirectUseShaperMAC
This variable determines which source MAC address will be used for packets that are rejected by the cache device in WCCP redirection mode. When this variable is enabled, the MAC address of the PacketShaper will be used as the source. When the variable is disabled, the MAC address of the paired cache device will be used. This variable should be disabled when the cache device and the clients are on different subnets in a VLAN topology. Other supported topologies, as well as the iShaper, should use the default setting (on).
Default: 1 (on)  Minimum: 0 (off)  Maximum: 1 (on)

xpressLegacyMemoryRatio
Percent of memory to assign to legacy tunnels when in migration mode. For example, a ratio of 30 would allocate 30 percent of memory to legacy compression tunnels and 70 percent to enhanced Xpress tunnels.
Default: 50  Minimum: 20  Maximum: 80

xpressMode
Mode for Xpress tunnels:
• 0  Legacy mode uses the PacketWise v6.x/7.x tunnel infrastructure. In legacy mode, the commands and capabilities are limited to those that were available in PacketWise 7.x. A tunnel's sole capability in legacy mode is to transport compressed data.
• 1  Enhanced mode uses the new PacketWise 8.x tunnel infrastructure. In enhanced mode, a tunnel serves multiple purposes and can include one or more of the following features: compression, acceleration, and packing.
• 2  Migration mode supports both types of tunnels: legacy and enhanced. Use this mode when migrating from earlier versions of PacketWise. For more information about migration mode, see Information about Migration Mode.
The default mode for new installations is enhanced mode. The default for units that have upgraded to 8.x is migration mode.
Default: 1 or 2
Command Change History
Release  Modification
8.3.0    diffservClassSortPref and mplsSecondLabelIndex variables introduced; browserHttpAcceleration variable removed
8.2.0    autoCreateSameSide, cmprsnRSVPPathDiscard, tcpClipInitialWindow, and wccpRedirectUseShaperMAC variables introduced; tnlEnableIngress variable removed
8.1.1    enableSupportForSSHv1 variable introduced
8.0.1    tnlInheritInbound and userEventExtSnmpVersion variables introduced
         The following variables were introduced: flowRecordsSendIntermediate, flowRecordsIntermediateTimeout, flowRecordsResetCounter, enableLatency, probeIntervalSeconds, enableWinnyClassification
8.0.0    The following Xpress variables were introduced: tnlLocalArpDiscovery, tnlLocalIpDiscovery, tnlLocalOspfDiscovery, tnlRemoteRsvpDiscovery, tnlDontSpanPackets, tnlTcpServerPort, accelerationStrictHostCheck
synthetic add
Create a new synthetic transaction. Using synthetic transactions allows PacketWise to initiate web or other TCP transactions at periodic intervals to verify the availability of critical hosts.
Note: The synthetic transaction feature is not available on PacketShaper ISP models.

synthetic add <interval>[,<repeat>] [<id>] <url>

<interval>[,<repeat>]
  <interval> is the number of minutes between issuance of the transaction (the maximum interval is 1440). <repeat> is the number of times to issue the request on the established TCP connection (the default is 1; the maximum is 100).
<id>
  String that identifies the synthetic transaction; if omitted, PacketWise will automatically create a unique eight-character ASCII ID for each transaction.
  Note: Do not specify a transaction ID for a synthetic transaction on a PolicyCenter sharable configuration, as PolicyCenter requires that each synthetic transaction has a unique auto-generated transaction ID.
<url>
  Type of transaction to issue, in the following format: <type>://<host>[:<port>][/<path>] where:
  <type> is http, https, icmp, pop3, smtp, ftp, echo, or custom. Note: The <type> must be entered in lowercase.
  <host> is the IP address or DNS name of the host.
  <port> is the TCP port number to connect to; the default varies by type (for example, for http the default is port 80).
  <path> is additional information necessary for the request (such as a directory name or a file name).

Additional information about each type:
• The http type will issue a GET request for the file specified by the <path> parameter. (The default port is 80.)
• The https type does an SSL handshake and issues a GET request for the file specified by the <path> parameter. (The default port is 443.)
• The icmp type sends a ping request to the designated server, using the ICMP-ECHO protocol (RFC 792). Example: synthetic add 17,2 "icmp://www.packeteer.com"
• The smtp and pop3 types do not send or receive mail; they issue a single command over the channel to elicit a response. (The default port is 25.)
• The ftp type will issue a single retrieve command (RETR) for the file specified in the <path> parameter but doesn't do any user authentication. (The default port is 21.)
• The echo type sends a string to the designated host and the host echoes it back. TCP echo requires that the target host have an echo server process running and listening on port 7. The optional <path> argument has the format <length>[/<fill>] where <length> is the number of bytes to send on each request (the default is 512) and <fill> is a string to fill the request buffer. The <fill> string can be up to 511 bytes. For example: echo://test.domain.com/10/xyz The above example sends requests containing xyzxyzxyzx (10 bytes).
• The custom type allows you to specify a series of requests to be sent in turn, for as many messages as requested by the <repeat> parameter. The request strings are separated by the | character. For example: custom://my.test.com:25/HELO|MAIL FROM:<bob>|RCPT TO:<brett>|DATA|hey|. The above example sends a simple message to a mail server on port 25.
Command Change History
Release  Modification
8.3.0    Auto-generated transaction IDs are required for synthetic transactions on PolicyCenter configurations
8.0.1    The <url> parameter supports IP addresses as well as DNS names
         icmp <type> introduced
8.0.0    no change
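The URL grammar and limits of synthetic add, as an added example written for this page in Python (it is not Packeteer code and not part of the PacketGuide). It assumes only what the entry states: the per-type default ports (pop3 is given no separate default there, so a pop3 URL must carry an explicit port), the 1440-minute and 100-repeat maximums, the echo <length>[/<fill>] path, and the |-separated request list of the custom type. The byte used to fill an echo buffer when no <fill> string is given is an assumption of the example.

```python
"""Parse and validate PacketWise 'synthetic add' arguments.

Added example, not Packeteer code. It models the syntax the entry documents:
<interval>[,<repeat>] [<id>] <type>://<host>[:<port>][/<path>], the per-type
default ports the entry gives, the echo <length>[/<fill>] path, and the
|-separated request list of the custom type.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VALID_TYPES = {"http", "https", "icmp", "pop3", "smtp", "ftp", "echo", "custom"}
# Default ports as the entry states them. pop3 is not given a separate default
# there, so it is left out: a pop3 URL must carry an explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443, "smtp": 25, "ftp": 21, "echo": 7}
MAX_INTERVAL_MINUTES = 1440
MAX_REPEAT = 100
ECHO_DEFAULT_LENGTH = 512
ECHO_MAX_FILL = 511


@dataclass
class SyntheticTransaction:
    tx_type: str
    host: str
    port: Optional[int]              # None for icmp, which has no TCP port
    path: Optional[str]
    interval: int = 0                # minutes between transactions
    repeat: int = 1                  # requests per established TCP connection
    tx_id: Optional[str] = None      # None: the unit generates an 8-character ID
    requests: List[str] = field(default_factory=list)   # custom type only
    echo_payload: Optional[bytes] = None                # echo type only


def parse_interval(spec: str) -> Tuple[int, int]:
    """'<interval>[,<repeat>]' with the documented maximums (1440 and 100)."""
    first, _, second = spec.partition(",")
    interval = int(first)
    repeat = int(second) if second else 1
    if not 1 <= interval <= MAX_INTERVAL_MINUTES:
        raise ValueError(f"interval must be 1..{MAX_INTERVAL_MINUTES} minutes")
    if not 1 <= repeat <= MAX_REPEAT:
        raise ValueError(f"repeat must be 1..{MAX_REPEAT}")
    return interval, repeat


def echo_payload(path: Optional[str]) -> bytes:
    """echo path is <length>[/<fill>]: the fill string repeats up to <length> bytes."""
    length = ECHO_DEFAULT_LENGTH
    fill = b"x"   # assumption: the entry does not say what fills the buffer without <fill>
    if path:
        length_str, _, fill_str = path.partition("/")
        length = int(length_str)
        if fill_str:
            fill = fill_str.encode()
    if len(fill) > ECHO_MAX_FILL:
        raise ValueError(f"fill string may be at most {ECHO_MAX_FILL} bytes")
    return (fill * (length // len(fill) + 1))[:length]


def parse_url(url: str) -> SyntheticTransaction:
    """<type>://<host>[:<port>][/<path>]; the type must be lowercase."""
    tx_type, sep, rest = url.partition("://")
    if not sep or tx_type not in VALID_TYPES:   # 'HTTP://...' is rejected here
        raise ValueError(f"unknown or non-lowercase type: {tx_type!r}")
    hostport, _, path = rest.partition("/")
    host, _, port_str = hostport.partition(":")
    if not host:
        raise ValueError("host (IP address or DNS name) is required")
    port = int(port_str) if port_str else DEFAULT_PORTS.get(tx_type)
    tx = SyntheticTransaction(tx_type, host, port, path or None)
    if tx_type == "custom":
        tx.requests = path.split("|")          # one request string per message
    elif tx_type == "echo":
        tx.echo_payload = echo_payload(path or None)
    return tx


def parse_synthetic_add(args: str) -> SyntheticTransaction:
    """Everything after 'synthetic add', e.g. '17,2 "icmp://www.packeteer.com"'."""
    tokens = shlex.split(args)
    if len(tokens) not in (2, 3):
        raise ValueError("usage: <interval>[,<repeat>] [<id>] <url>")
    tx = parse_url(tokens[-1])
    tx.interval, tx.repeat = parse_interval(tokens[0])
    tx.tx_id = tokens[1] if len(tokens) == 3 else None
    return tx
```

Running the entry's own examples through it shows the two non-obvious rules: echo://test.domain.com/10/xyz yields the ten-byte buffer xyzxyzxyzx, and the custom URL splits into six request strings ending with the lone "." that terminates the SMTP DATA phase.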
synthetic delete
Delete a synthetic transaction. (Note: The synthetic transaction feature is not available on PacketShaper ISP models.)

synthetic delete <id>

where <id> is the identifying name specified in the synthetic add command. To view IDs of all synthetic transactions, use the synthetic show command.

When a synthetic transaction is deleted, its corresponding Inbound/SyntheticTransactions or Outbound/SyntheticTransactions traffic class is not deleted, so that measurement data can still be retrieved from that traffic class. Even after the synthetic transaction is deleted, network traffic may still be classified in that traffic class until the class is also manually removed.
synthetic options
Create traffic classes for the hosts specified in synthetic transactions. The classes will be created in the SyntheticTransactions class. (Note: The synthetic transaction feature is not available on PacketShaper ISP models.)

synthetic options create-classes show|on|off|default

The default value is on. If you have already created traffic classes for your critical hosts and you want synthetic transaction measurement data to be recorded in these classes, set this option to off.

Notes:
• If you use the CLI command synthetic options create-classes on to create traffic classes for synthetic transaction hosts and then later issue the command synthetic options create-classes off to turn off this option, any traffic classes already created for previous synthetic transactions will remain a part of the configuration's traffic tree.
• When the synthetic options create-classes default command is issued for an individual PacketShaper or a PolicyCenter parent configuration at the top of the PolicyCenter configuration tree, this command restores the default on value. When this command is issued for a PolicyCenter child configuration, the child configuration clears its local setting and inherits the synthetic options create-classes on|off value from its parent configuration.

Command Change History
Release  Modification
8.0.1    Synthetic transaction classes created as children of Localhost class instead of in a SyntheticTransactions folder
         <host> cannot be an IP address
8.0.0    no change
synthetic show
Display information about synthetic transactions. (Note: The synthetic transaction feature is not available on PacketShaper ISP models.)

synthetic show

The output displays all the active synthetic transactions, when they are next scheduled to run, and a count of how many TCP connections have been attempted and were accepted.

Transaction ID  Interval  Repeat  URL  Next Scheduled  Attempts  Connections
st2
st3
st1
sys
These diagnostic commands are intended to be used only under the guidance of Customer Support and are not covered in this guide.
PacketGuide for PacketWise 8.3
sys limits
List the PacketShaper's configuration limits. For each object (such as classes, partitions, and policies), the sys limits output lists the maximum number of objects allowed, currently used, and remaining. For example, you can use this command to determine how many more classes you can create on your unit.
sys limits
Statically allocated objects           Current  Remaining   Total
------------------------------------------------------------------
Traffic classes                            800        224    1024
Partitions                                   2        510     512
Dynamic Partitions                           0      10000   10000
Policies                                     4       1020    1024
Matching rules                            1896       3224    5120
Classes with worst clients/servers           0         16      16
Classes with top talkers/listeners           0         12      12
TCP flows                                   36     199964  200000
Other IP flows                              82      99918  100000
Legacy flows                                 8       9992   10000
Concurrent Hosts                          6250      93750  100000
MAC Cache Entries                          321      14679   15000
Fragment Cache Entries                       0       8000    8000
Command Contexts                             6         24      30
Compression tunnels                          1        229     230
Compression entries                         82       3598    3680

Dynamically allocated objects          Current  Potential   Total
------------------------------------------------------------------
Matching rule host references                7      10253   10260
Host list DS entries                         0      24044   24044
DNS names                                   10      59064   59074
Customer Portal users                        0       1024    1024

Note: "Potential" for each object is an estimate allocating all remaining dynamic memory to that object type.

The table below describes the items of interest in the sys limits output.
Traffic class
  A logical grouping of traffic flows that share the same characteristics: a specific application, protocol, address, or set of addresses. See Traffic Tree Overview.
Partition
  A bandwidth pipe assigned to a given traffic class to protect or restrict the total bandwidth available to that class. See Partition Overview.
Dynamic partitions
  A type of partition that automatically creates subpartitions on the fly as users become active in a traffic class. This capability allows service providers or enterprise customers to guarantee each user a minimum amount of bandwidth at all times. See Create a Dynamic Partition.
Policy
  A rule assigned to a given traffic class that defines how a single flow will be handled during bandwidth allocation. See Policy Overview.
Matching rule
  A set of characteristics that identifies a specific traffic type. See Matching Rules.
Classes with worst clients/servers
  Clients or servers that have the highest percentage of transactions exceeding the total delay threshold. See Enable Worst Client and Server Analysis.
Classes with top talkers/listeners
  An identified traffic class for which PacketWise has been configured to record the host names or IP addresses of the devices transmitting the greatest amounts of traffic (the "talkers") or receiving the greatest amounts of traffic (the "listeners"). See Track Hosts that Generate the Most Traffic.
TCP flows
  Unique sessions using Transmission Control Protocol.
Other IP flows
  Unique sessions using non-TCP Internet protocols.
Legacy flows
  Traffic using a non-TCP/IP protocol, often encapsulated in a TCP or IP wrapper.
Concurrent hosts
  The Current count for concurrent hosts is an indication of how many host addresses have been learned by the system, that is, the number of entries currently in the host database. Entries in the host database are not periodically aged out or cleared from memory; instead, they are reused when needed for new hosts. Therefore a value of 0 in the Remaining column does not mean your unit can't accommodate any more hosts; new hosts will simply replace hosts that are no longer active. It is normal and expected to see the number of concurrent hosts at its limit.
Compression tunnels
  A communications link that transfers compressed data between two PacketShapers. One PacketShaper compresses data and sends it through the tunnel, and the PacketShaper unit at the other end of the tunnel decompresses the data. The number of tunnels can vary according to the number and size of dictionaries in use. The maximum value is user-definable; see Adjust System Variables.
  Note: The value for compression tunnels in the sys limits command assumes unidirectional tunnels with a single system default dictionary. The published configuration limits assume bidirectional tunnels with two system default dictionaries.
Compression entries
  A service, class, or dictionary within a compression tunnel. For example, if HTTP is the first service to get compressed through a tunnel, two compression entries are created: one for the HTTP service and one for its shared group dictionary. If a second compressible service, such as ICMP, is detected and it uses the same group dictionary, only one compression entry is created (for the ICMP service). The maximum value is user-definable; see Adjust System Variables.

Dynamically Allocated Objects (maximums can vary, depending on the amount of remaining dynamic memory)
Matching rule host references
  Unique domain names in matching rules.
Host list DS entries
  A set of IP addresses and/or DNS names that traffic class matching rules can reference. See Create a Host List.
DNS names
  Unique domain names used in PacketWise configuration (in matching rules, configured SNTP time servers, configured RADIUS authentication and accounting servers, etc.). Use the dns names CLI command to see a list of domain names in use.
Customer Portal users
  Customer accounts set up in the customer portal feature. See Customer Portal Overview.
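Reading sys limits by hand works for one unit; for a fleet the output is worth parsing so that object types approaching their limits (flow tables, matching rules, command contexts) are flagged before the unit starts refusing new entries. The following is an added example in Python, not Packeteer code: it parses the fixed-width table shown above, checks that Current plus Remaining equals Total (a cheap test for a mangled capture), and applies a usage threshold. Concurrent Hosts is exempted deliberately, because the entry above explains that sitting at that limit is normal. The sample text is constructed from the output shown above and abbreviated.

```python
"""Capacity check over PacketWise 'sys limits' output.

Added example, not Packeteer code. Parses the table the command prints
(object name, Current, Remaining or Potential, Total) and reports object
types whose usage is at or above a threshold. Concurrent Hosts is treated as
the entry describes it: being at its limit is normal, so it is never flagged.
"""
import re
from typing import Dict, List, Tuple

ROW_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z /]+?)\s+(?P<cur>\d+)\s+(?P<rem>\d+)\s+(?P<total>\d+)\s*$")
NEVER_FLAG = {"Concurrent Hosts"}

# Constructed sample: a subset of the rows shown in the sys limits output above.
SAMPLE_OUTPUT = """\
Statically allocated objects           Current  Remaining   Total
------------------------------------------------------------------
Traffic classes                            800        224    1024
Partitions                                   2        510     512
Matching rules                            1896       3224    5120
TCP flows                                   36     199964  200000
Concurrent Hosts                          6250      93750  100000
Command Contexts                             6         24      30
Dynamically allocated objects          Current  Potential   Total
------------------------------------------------------------------
DNS names                                   10      59064   59074
Customer Portal users                        0       1024    1024
"""


def parse_sys_limits(text: str) -> Dict[str, Tuple[int, int, int]]:
    """Map object name -> (current, remaining_or_potential, total).

    Header and separator lines do not end in three integers, so the row
    pattern skips them without any special casing.
    """
    rows: Dict[str, Tuple[int, int, int]] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows[m.group("name").strip()] = (
                int(m.group("cur")), int(m.group("rem")), int(m.group("total")))
    return rows


def inconsistent_rows(rows: Dict[str, Tuple[int, int, int]]) -> List[str]:
    """Rows where Current + Remaining != Total: a sign of a mis-parsed capture."""
    return [name for name, (cur, rem, total) in rows.items() if cur + rem != total]


def near_limit(rows: Dict[str, Tuple[int, int, int]],
               threshold_pct: int = 75) -> List[Tuple[str, int]]:
    """Object types at or above threshold_pct of Total, highest usage first.

    Integer arithmetic keeps the comparison exact (no float rounding at the
    boundary); the reported percentage is rounded for display only.
    """
    hits = []
    for name, (cur, _rem, total) in rows.items():
        if name in NEVER_FLAG or total == 0:
            continue
        if cur * 100 >= threshold_pct * total:
            hits.append((name, round(cur * 100 / total)))
    return sorted(hits, key=lambda h: (-h[1], h[0]))
```

On the sample, Traffic classes is the only type above the default 75 percent threshold (800 of 1024); lowering the threshold to 20 percent also surfaces Matching rules and Command Contexts, while Concurrent Hosts is never reported regardless of its count.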
tail
Display lines or characters from the beginning or end of a file; the default is to display the last 10 lines of the file.

tail [+|-<number>] [c] <filename>

[+|-<number>]  A negative number indicates the number of lines or characters to be displayed from the end of the file. A positive number indicates the number of lines or characters to skip at the beginning of the file. For example, tail -5 myfile.cmd displays the last five lines of the file and tail +5 myfile.cmd skips the first five lines and displays the rest.
[c]            Specifies that units are in characters (no argument is necessary for the default unit, lines). For example, tail 20c myfile.cmd displays the last 20 characters of the file.
<filename>     The name of the file to be displayed.
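The three argument rules above, as an added example in Python (not Packeteer code): the parser accepts the documented forms (-5, +5, 20c, a bare number, and c on its own), and the selector applies them to file content so the edge cases are explicit: a bare number counts from the end, a count larger than the file returns the whole file, and -0 returns nothing. The argument forms it accepts beyond the three the entry shows are an assumption of the example.

```python
"""Model of the PacketWise 'tail' argument semantics.

Added example, not Packeteer code: tail [+|-<number>] [c] <filename>.
-N keeps the last N units, +N skips the first N units, 'c' switches the
unit from lines to characters, and the default is the last 10 lines.
"""
import re
from typing import List, Tuple

COUNT_RE = re.compile(r"^([+-]?)(\d+)(c?)$")


def parse_tail_args(argv: List[str]) -> Tuple[str, int, bool, str]:
    """Return (sign, number, by_chars, filename) for the tail argument list."""
    if not argv:
        raise ValueError("usage: tail [+|-<number>] [c] <filename>")
    filename = argv[-1]
    joined = "".join(argv[:-1])          # '-20 c' and '-20c' are the same request
    sign, number, by_chars = "-", 10, False
    if joined == "c":                     # unit switch only: last 10 characters
        by_chars = True
    elif joined:
        m = COUNT_RE.match(joined)
        if not m:
            raise ValueError(f"bad count argument: {' '.join(argv[:-1])}")
        sign = m.group(1) or "-"          # a bare number counts from the end
        number = int(m.group(2))
        by_chars = m.group(3) == "c"
    return sign, number, by_chars, filename


def tail_text(text: str, sign: str = "-", number: int = 10,
              by_chars: bool = False) -> str:
    """Apply the parsed count to file content and return the selected part."""
    units = list(text) if by_chars else text.splitlines(keepends=True)
    if sign == "+":
        selected = units[number:]         # skip the first N, show the rest
    else:
        selected = units[-number:] if number else []   # -0 selects nothing
    return "".join(selected)


def tail_file(argv: List[str]) -> str:
    """tail_text driven by a command-line style argument list."""
    sign, number, by_chars, filename = parse_tail_args(argv)
    with open(filename, encoding="utf-8", errors="replace") as fh:
        return tail_text(fh.read(), sign, number, by_chars)
```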
touch
Set read/write access to the command-line interface. Note that this command does not set the access of the browser user interface. touch This command prompts for a password. In touch mode, all CLI commands are available. To enable read-only access, use the look command.
traffic active
Display the current, maximum, and possible number of sessions for TCP, UDP, and Legacy traffic types. This command is a valuable tool for determining how close the unit is to reaching its capacity. It also gives a histogram of the number of host entries in various time buckets (based on idle time).

traffic active
                    TCP    UDP  Legacy  Total
Flows (Current):     13     32       9     54
Flows (Maximum):     27     59      13     67
Flows (Possible): 50000  25000    5000  80000

Host Entries Histogram (based on idle time):
  <1s  <1min  <2min  <5min  <10min  >10min
    5     13     26      5       7   10184

Type of Flow   Description
TCP flows      Unique sessions using Transmission Control Protocol.
UDP flows      Unique sessions using non-TCP Internet protocols, such as UDP.
Legacy flows   Traffic using a non-TCP/IP protocol, often encapsulated in a TCP or IP wrapper.

Flows are considered active (current) if they have had a packet within the last minute. The value listed for maximum flows is the highest number that has been displayed when the traffic active command has been executed (since the last reset). In other words, maximum numbers are only recorded when this command is run, so the maximum counts are representative rather than authoritative values. The possible flows represent the maximum number of concurrent flows allowed on the unit. PacketShaper can support more flows than the indicated number, but these figures represent the ideal maximums for producing optimal results.
traffic bandwidth
Display bandwidth utilization for a partition.

traffic bandwidth [<tclass>] [clear]

[<tclass>]  The root traffic class of the partition to display. If you do not specify a traffic class, the outbound partition statistics are displayed.
[clear]     Clears the accounting data.

When traffic shaping is turned off, the traffic bandwidth command displays the aggregate usage summary for both the inbound and outbound directions.

Example: The inbound/http class has a 500k partition, burstable to 1Mb. The class also has a 0k rate policy with priority 3. Here is the output of the traffic bandwidth inbound/http command:

inbound partition HTTP
                         Programmed   Adjusted   Local
min bandwidth                 500k       500k    500k
max bandwidth                 1.0M       1.0M
reserved rate          0     reserved peak          0
ignored rate        2220     ignored peak       12.0M
unreserved rate/limit 0/0    unreserved peak        0
excess rate   excess         0 0 0 0 0

Excess Rate
priority   demand   % satisfied
0          0        100
1          0        100
2          0        100
3          0        100
4          0        100
5          0        100
6          0        100
7          0        100

Priority Traffic
priority   pkts relayed   exceptions
0          0              0 0
1          0              0 0
2          0              0 0
3          0              0 0
4          0              0 0
5          0              0 0
6          0              0 0
7          0              0 0

Refer to the following list for traffic bandwidth details:
min bandwidth                  The partition size in bits per second (e.g., 500k bps); the Programmed (initially configured) size and Adjusted (actual) size are displayed. Note: The Programmed and Adjusted values may differ from one another in a hierarchical partition. Because a child partition is a percentage of the parent partition, if a parent gets less bandwidth, the child will also get proportionally less.
max bandwidth                  Maximum (burstable) partition size; the Programmed (initially configured) size and Adjusted (actual) size are displayed.
reserved rate                  The total bandwidth currently in use by rate-based traffic.
reserved peak                  The peak bandwidth usage by rate-based traffic.
unreserved rate/limit          The total bandwidth currently in use by priority traffic.
unreserved peak                The peak bandwidth usage by priority-based traffic.
ignored rate                   The current bandwidth in use by ignore-policy traffic classes and uncontrolled traffic.
ignored peak                   The peak bandwidth usage by traffic classes with the ignore policy.
current guaranteed rate        The total current guaranteed rate usage in bits per second.
excess rate                    The total current excess rate usage in bits per second.
OVERalloc'ed guaranteed        The amount of guaranteed rate that currently is overallocated.
Excess Rate priority           Priority levels (0-7).
Excess Rate demand             The excess rate demand at each priority level.
Excess Rate % satisfied        The percentage of excess rate demand that is currently being satisfied at each priority level.
Priority Traffic priority      Priority levels (0-7).
Priority Traffic pkts relayed  Number of packets counted at each priority level.
Priority Traffic exceptions    PacketWise uses a rate anticipation mechanism to shape the rate of non-TCP traffic. When this mechanism fails to keep the desired rate from being exceeded, a rate exception is counted. When PacketWise determines that the desired rate is in danger of being exceeded, an exception anticipation event is counted.
traffic flow
Display summary information about some or all currently active TCP connections and/or UDP sessions.

traffic flow -tIo   TCP overview of non-idle flows
traffic flow -uIo   UDP overview of non-idle flows
traffic flow -h     lists help with all options

To display more detailed information, use:
For TCP flows: traffic flow -t[aAcCfhiILmnNoOpPsSvVxX]
For UDP flows: traffic flow -u[aAcCfhiInoOpPvVxX]

-a           all (same as -pifvs; could wrap around on screen)
-A <addr>    address (only show conns for specified address)
-c <class>   class (only show info for specified class name)
-C           class (show class names)
-f           flags (connection flags)
-h           help (show this help)
-i           idle (show idle time)
-I           non-idle (don't show flows idle for one minute or more)
-L           license (display license state of TCP flows)
-m           mss (show mss info - tcp)
-n <num>     num (show up to <num> flows)
-N           state (flows not in connected state - tcp)
-o           overview (show summary information only)
-O           overview (include summary information)
-p           ports (show port numbers)
-P <port>    port (show only port <port>)
-s           state (display state - tcp)
-S <stat>    state (only display conns in state <stat> - tcp)
-t           tcp (show TCP flows)
-u           non-TCP IP flows, such as UDP flows, RSVP, ICMP
-v           service (display service info)
-V <serv>    service (display only services matching <serv>)
-x           expanded (show full class names)
             Note: Must be used with either the -c or -C option.
-X           expanded (show full class names in multi-line output format)
             Note: Must be used with either the -c or -C option.

When the -s flag is used, the output displays the following connection states in the S column:
I=idle           The connection is idle.
C=connecting     Client is trying to establish a TCP connection with server; client sends the first CONNECT/SYN segment to server.
W=ackWait        After sending the CONNECT/SYN segment, the client is waiting for an ACK from the server.
X=dataXfer       Both sides of the TCP connection have exchanged SYN/ACK segments.
H=halfDiscon     The client/server has received a first FIN segment from the application and bandwidth resources were released for that half of the connection. The other side of the TCP connection has not received the final FIN segment.
D=disconnected   The final FIN is received.
F=fading         An event (such as a Ctrl-C from the application) causes the TCP connection to abort.

When the -f option is used, the Flags column in the output displays one or more of the following:
A   Asymmetric
B   bad seq or ack
C   Fully classified
D   data, no SYN or SYN-ACK
I   Inbound closed
O
s
S
T
W

If acceleration is enabled, the following additional flags are available:
a   Accelerated flow
c   Classified non-accelerated flow
n   No accelerated partner found
r   Acceleration bypass
t   Terminated

Note: If the service has not been determined, noted by a dash (-) in the Svc column, the side of the addresses may also be undetermined. For more information on which side of the unit a particular host is on, use the host show command.

The traffic flow -tL command puts two columns in the output: LI (representing the inbound part of the TCP flow) and LO (the outbound part of the flow). A + indicates flows that have been granted a license; a - indicates flows that have been denied a license.

Note that some flows do not completely shut down, and are therefore listed until the unit is reset. Therefore, the -t or -u option, combined with the -I option, provides a list of non-idle TCP or UDP flows. For example:

traffic flow -tIpc inbound/http
Num TCP Flows total = 3 (class HTTP)
InAddr           Port  OutAddr          Port  Idle  ClasI  ClasO  Svc
--------------------------------------------------------------------------
10.10.254.249    1119  207.158.237.171  80    22m   HTTP   HTTP   HTTP
10.10.254.249    1120  207.158.237.171  80    22m   HTTP   HTTP   HTTP
10.10.254.249    1105  207.158.237.171  80    44s   HTTP   HTTP   HTTP

A listing across all classes, with the class names shown (the last two rows were reported without class or service information):

Num TCP Flows total = 6 (all classes)
InAddr         OutAddr       Idle  ClasI                  ClasO              Svc
------------------------------------------------------------------------------
172.21.19.102  10.1.1.46     8m    /Inbound/Default       /Outbound/Default  Telnet-Clear
172.21.1.39    10.100.99.30  10s   /Inbound/Default       /Outbound/Default  KaZaA-Cmd
172.21.1.39    10.1.1.45     5m    /Inbound/NetBIOS-IP    /Outbound/Default  NetBIOS-IP-SSN
172.21.1.39    10.1.1.20     15s   /Inbound/Microsoft-ds  /Outbound/Default  Microsoft-ds
172.21.1.39    10.1.1.18     8s
172.21.1.39    10.100.99.30  8s

The same flows in the multi-line output format (-X):

Num TCP Flows total = 6 (all classes)
InAddr         OutAddr       Idle  Svc
------------------------------------------------------------------------------
172.21.19.102  10.1.1.46     8m    Telnet-Clear
   Inbound Class: /Inbound/Default
   Outbound Class: /Outbound/Default
172.21.1.39    10.100.99.30  21s   KaZaA-Cmd
   Inbound Class: /Inbound/Default
   Outbound Class: /Outbound/Default
172.21.1.39    10.1.1.45     5m    NetBIOS-IP-SSN
   Inbound Class: /Inbound/NetBIOS-IP
   Outbound Class: /Outbound/Default

To see if a host is being classified correctly in the expected class:

tr fl -tupXICA 209.210.203.33
Num TCP Flows total = 1 (all classes)
InAddr       Port  OutAddr         Port  Idle  Svc
------------------------------------------------------------------------------
192.168.0.7  4721  209.210.203.33  80    19s   HTTP
   Inbound Class: /Inbound/HTTP
   Outbound Class: /Outbound/HTTP
Num UDP Flows total = 0 (all classes)
traffic guaranteed
Display guaranteed rate utilization for a traffic class subtree.

traffic guaranteed [<tclass>] [clear]

[<tclass>]  The root traffic class of the subtree to display. The class's explicit path is required only if the class name itself is not unique. If you do not specify a traffic class, the guaranteed rate information for the entire tree is displayed.
[clear]     Clears the accounting data.

The command output displays a list of all child classes and the following associated information for classes with guaranteed rate policies:
• Current number of users
• Peak number of users
• Guaranteed bandwidth in bps
• Number of guaranteed rate failures
traffic history
Display recent traffic flows for a specific host or traffic class.

traffic history recent|find <name>

recent   Lists recent flows for a specified traffic class. The output includes the date, time, IP address, port number, and URL of each flow in the specified class.
find     Lists recent flows for a specified host. The output lists each class that the specified host uses, as well as the date, time, service name, IP address, port number, and URL of each flow in the class.
<name>   With the recent argument, <name> is the traffic class name. With the find argument, <name> is the IP address or name of the host to be tracked.

Examples

The traffic history find command is useful for determining the servers that a specified client IP address is transferring data with, or the clients that are retrieving data from a specific server. It can also be used to determine exactly what type of network applications a specified PC is using.

traffic history find 10.10.1.6
-----( /Outbound/rsh )-----
07-Jan-2005 10:53:25 rsh 192.21.1.26 1023 raltman-t23.example.com 10.10.1.6 514 test2.example.com
-----( /Inbound/rsh )-----
07-Jan-2005 10:53:25 rsh 192.21.1.26 1023 raltman-t23.example.com 10.10.1.6 514 test2.example.com

The traffic history recent command is useful for analyzing the type of traffic that is falling into a Default class, such as Inbound/Default in the following example.

traffic history recent inbound/default
-----( /Inbound/Default )-----
07-Jan-2005 13:01:19 192.21.1.26 3288 10.100.10.30 2687 UDP example-40vp63 mail.example.com
07-Jan-2005 12:59:53 192.21.1.26 3299 192.21.0.20 389 UDP example-40vp63 dc-dev.example.com
07-Jan-2005 12:56:14 192.21.255.255 7741 192.21.31.251 32808 UDP opslab.example.com
07-Jan-2005 12:42:16 192.21.0.25 9100 10.10.100.24 1995 TCP phogle.example.com
07-Jan-2005 12:33:19 192.21.1.26 2967 10.10.10.18 2967 UDP example-40vp63 test.example.com
07-Jan-2005 11:01:29 192.21.1.26 38293 10.10.10.89 1046 UDP example-40vp63 test.example.com
07-Jan-2005 10:51:54 192.21.1.26 2606 216.148.237.145 80 HTTP example-40vp63 a216-148-237-145.deploy.akamaitechnologies.com
07-Jan-2005 10:51:54 192.21.1.26 2607 216.239.53.104 80 HTTP example-40vp63
07-Jan-2005 10:51:54 192.21.1.26 2611 128.242.107.114 80 HTTP example-40vp63 vrp1.sjc.xpc-mii.net
07-Jan-2005 10:44:53 255.255.255.255 631 192.21.1.34 631 UDP
traffic licenses
Show current license usage for classes that have had the number of TCP flows limited with the class licenses command.

traffic licenses

Sample output:

traffic flow -tIpc inbound/http
Num TCP Flows total = 7 (class HTTP, licenses=7/40)
InAddr       Port  OutAddr         Port  Idle  ClasI  ClasO  Svc
------------------------------------------------------------------------------
192.168.0.4  2694  64.236.43.54    80    39s   HTTP   HTTP   HTTP
192.168.0.4  2676  216.148.237.36  80    48s   HTTP   HTTP   HTTP
192.168.0.4  2671  64.12.174.57    80    40s   HTTP   HTTP   HTTP
192.168.0.4  2687  64.236.43.54    80    39s   HTTP   HTTP   HTTP
192.168.0.4  2689  64.236.43.54    80    39s   HTTP   HTTP   HTTP
192.168.0.4  2670  64.12.174.57    80    39s   HTTP   HTTP   HTTP
192.168.0.4  2690  64.236.43.54    80    39s   HTTP   HTTP   HTTP

Note that the traffic flow command does not require that a limit be set with the class licenses command; it will show the total number of active flows in any class you specify.
traffic reclassify
Re-examine existing flows to see if they can successfully be classified based on PacketWise's knowledge of new flows that have started since the unit booted. It is run automatically every 15 minutes, so executing it manually should not normally be required.

traffic reclassify
traffic tree
The traffic tree command provides detailed information about how often classes and their associated policies are accessed by the PacketWise classification process, along with rate information for each class.

traffic tree [<tclass>] [clear]

[<tclass>]  The traffic class tree to display, inbound or outbound. If omitted, this defaults to outbound. The class' explicit path must be supplied only if the class name itself is not unique.
[clear]     Clears the class and policy hit counts.
To view statistics for the entire traffic class tree, use the traffic tree command without supplying a specific class name. The output has these columns:

Class name   Type   Class hits   Policy hits   Cur rate   1 Min avg   Peak rate
------------------------------------------------------------------------------------

[Sample traffic tree display. The /Inbound subtree lists the classes Localhost, FileMaker, HTTP, POP3, SMTP, SNMP, DNS, NetBIOS-IP, SLP, GRE, ICMP, CiscoDiscovery, AppleTalk, and Default; the /Outbound subtree lists Localhost, DHCP, FileMaker, HTTP, EntryPoint, POP3, SMTP, and Telnet. The per-class values are not reproduced here.]
The display shows all of the current traffic classes, with flags that indicate if a class has an associated policy (P), if it is an inheritable class (I), and if it is an exception class (E). A plus sign (+) next to a class represents a partition.

This list also shows the number of times a class and its associated policy have been hit. For TCP and UDP traffic classes, PacketWise counts traffic flows, except for ICMP, for which packets are counted. For non-IP traffic classes, PacketWise counts packets. The rate statistics for the traffic through the class are also shown.

If a class does not have a policy associated with it, the classification process searches down the tree for a matching sibling that has an inheritable policy. Typically, the default classes such as /Inbound/Default show more policy hits than class hits. The policy hits for the /Inbound/Default class include policy hits for classes without policies listed earlier in the subtree. When a class does not have its own policy, it inherits a policy from a sibling in its subtree.

Note: If data is compressed by the PacketShaper, then compressed packet sizes are used in the rate measurements shown in the traffic tree output. In addition, the rate measurements are calculated after rate control is applied.
ttraceroute
Determines the route taken by packets across an IP network. The PacketShaper sends 192-byte ICMP packets to a specified host and lists the hops the packets take to reach the host. This command is useful for troubleshooting networking problems.

ttraceroute <host>

Example:

ttraceroute 206.110.20.121
traceroute to 206.110.20.121 (206.110.20.121), 30 hops max, 192 byte packets
 1  172.21.0.1 (172.21.0.1)  1 ms  1 ms  1 ms
 2  192.168.15.1 (192.168.15.1)  1 ms  0 ms  1 ms
 3  12.104.153.1 (12.104.153.1)  1 ms  1 ms  1 ms
 4  12.33.0.2 (12.33.0.2)  2 ms  1 ms  1 ms
 5  12.124.47.125 (12.124.47.125)  133 ms  12.124.46.233 (12.124.46.233)  195 ms  12.124.47.249 (12.124.47.249)  19 ms
 6  12.123.213.74 (12.123.213.74)  8 ms  7 ms  8 ms
 7  12.122.11.81 (12.122.11.81)  9 ms  10 ms  11 ms
 8  12.123.12.30 (12.123.12.30)  7 ms  16 ms  15 ms
 9  192.205.33.110 (192.205.33.110)  7 ms  9 ms  7 ms
10  205.171.233.21 (205.171.233.21)  14 ms  8 ms  17 ms
11  67.14.12.6 (67.14.12.6)  15 ms  8 ms  9 ms
12  205.171.14.166 (205.171.14.166)  9 ms  205.171.14.170 (205.171.14.170)  9 ms
13  63.145.224.14 (63.145.224.14)  20 ms  19 ms  10 ms
14  137.164.22.60 (137.164.22.60)  9 ms  9 ms  9 ms
15  137.164.32.165 (137.164.32.165)  10 ms  14 ms  11 ms
16  137.164.34.7 (137.164.34.7)  11 ms  12 ms  11 ms
17  137.164.13.90 (137.164.13.90)  23 ms  10 ms  11 ms
18  206.110.20.121 (206.110.20.121)  13 ms  14 ms  12 ms

Notes:
- The three timestamp values returned for each host along the path are the delay (latency) values, typically in milliseconds (ms), for each packet in the batch (three packets per batch).
- The output lists up to 30 hops. If more than 30 hops are required to reach the specified host, the extra hops will not be listed.
- If the PacketShaper is unable to find the target host, "Port or Network is unreachable!" is displayed.

Command Change History

Release   Modification
8.3.0
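Two hops in the listing above (5 and 12) were answered by different addresses on successive probes, which is the case that trips up a naive line parser. The following Python program is an added example and not part of PacketGuide or the PacketWise software: it parses traceroute-style output into per-hop records, tolerates several responders and "*" timeouts within one hop, and reports whether the target was reached, whether the listing stopped at the hop limit, which hops diverged, and the worst round-trip time. The sample text is constructed from the page's output with the run-together entries re-spaced.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the ttraceroute output shown above, re-spaced so
# that every probe reply reads "host (ip) N ms"; hops 5 and 12 answer from
# more than one address, which is the case the parser has to handle.
SAMPLE = """\
traceroute to 206.110.20.121 (206.110.20.121), 30 hops max, 192 byte packets
 1 172.21.0.1 (172.21.0.1) 1 ms 1 ms 1 ms
 2 192.168.15.1 (192.168.15.1) 1 ms 0 ms 1 ms
 3 12.104.153.1 (12.104.153.1) 1 ms 1 ms 1 ms
 4 12.33.0.2 (12.33.0.2) 2 ms 1 ms 1 ms
 5 12.124.47.125 (12.124.47.125) 133 ms 12.124.46.233 (12.124.46.233) 195 ms 12.124.47.249 (12.124.47.249) 19 ms
 6 12.123.213.74 (12.123.213.74) 8 ms 7 ms 8 ms
 7 12.122.11.81 (12.122.11.81) 9 ms 10 ms 11 ms
 8 12.123.12.30 (12.123.12.30) 7 ms 16 ms 15 ms
 9 192.205.33.110 (192.205.33.110) 7 ms 9 ms 7 ms
10 205.171.233.21 (205.171.233.21) 14 ms 8 ms 17 ms
11 67.14.12.6 (67.14.12.6) 15 ms 8 ms 9 ms
12 205.171.14.166 (205.171.14.166) 9 ms 205.171.14.170 (205.171.14.170) 9 ms
13 63.145.224.14 (63.145.224.14) 20 ms 19 ms 10 ms
14 137.164.22.60 (137.164.22.60) 9 ms 9 ms 9 ms
15 137.164.32.165 (137.164.32.165) 10 ms 14 ms 11 ms
16 137.164.34.7 (137.164.34.7) 11 ms 12 ms 11 ms
17 137.164.13.90 (137.164.13.90) 23 ms 10 ms 11 ms
18 206.110.20.121 (206.110.20.121) 13 ms 14 ms 12 ms
"""

HEADER = re.compile(r"traceroute to \S+ \((?P<target>[^)]+)\), (?P<max>\d+) hops max")
HOP = re.compile(r"^\s*(?P<n>\d+)\s+(?P<rest>.*)$")
# One token per element of a hop line: a responder "host (ip)", a round-trip
# time "N ms", or "*" for a probe that got no reply.
TOKEN = re.compile(r"(?P<host>\S+)\s+\((?P<ip>[^)]+)\)|(?P<rtt>\d+(?:\.\d+)?)\s*ms|(?P<lost>\*)")


@dataclass
class Hop:
    number: int
    probes: list = field(default_factory=list)  # (ip or None, rtt_ms or None)

    def addresses(self):
        return sorted({ip for ip, _ in self.probes if ip})

    def rtts(self):
        return [rtt for _, rtt in self.probes if rtt is not None]


def parse_traceroute(text):
    """Return (target_ip, max_hops, [Hop]) from traceroute-style output."""
    target, max_hops, hops = None, None, []
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            target, max_hops = h.group("target"), int(h.group("max"))
            continue
        m = HOP.match(line)
        if not m:
            continue
        hop = Hop(int(m.group("n")))
        current_ip = None
        for tok in TOKEN.finditer(m.group("rest")):
            if tok.group("ip"):
                current_ip =  tok.group("ip")   # applies to replies until the next responder
            elif tok.group("rtt"):
                hop.probes.append((current_ip, float(tok.group("rtt"))))
            else:
                hop.probes.append((None, None))  # "*": no reply for this probe
        hops.append(hop)
    return target, max_hops, hops


def summarize(text):
    """The facts a troubleshooter wants first: reached, truncated, branching, worst RTT."""
    target, max_hops, hops = parse_traceroute(text)
    last_ips = hops[-1].addresses() if hops else []
    worst = max(((rtt, hop.number) for hop in hops for rtt in hop.rtts()), default=(None, None))
    return {
        "hop_count": len(hops),
        "reached": target in last_ips,
        # Stopping at the hop limit without reaching the target leaves the rest unknown.
        "truncated": bool(hops) and hops[-1].number >= max_hops and target not in last_ips,
        "divergent_hops": [hop.number for hop in hops if len(hop.addresses()) > 1],
        "worst_rtt_ms": worst[0],
        "worst_rtt_hop": worst[1],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

A hop that reports several addresses usually means load-balanced paths beyond that router; per-probe latencies then belong to different paths, so the parser keeps the address with each reply rather than one address per hop.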
tunnel acceleration
Enable/disable acceleration globally or for a specific Xpress tunnel. The Xpress acceleration feature improves the performance of TCP/IP over satellite links or long-delay terrestrial networks. Xpress acceleration allows you to maximize bandwidth utilization, speed up application response times, accelerate the transfer of large files, and minimize the impact of other problems that are common on high-latency links. See Xpress Overview for more information.

tunnel acceleration on|off|default [<tunnel>]

where <tunnel> is the name of a static tunnel. For a static tunnel, you can either disable acceleration (off) or specify that it use the global acceleration setting (default). You cannot enable acceleration for a tunnel if acceleration is globally disabled. By default, acceleration is disabled globally.

Examples:

To turn on acceleration for all tunnels (except for those tunnels that have disabled acceleration):

tunnel acceleration on

To disable acceleration for a tunnel named LA:

tunnel acceleration LA off

Notes:
- The site router should be set to none if you are using acceleration. If a site router is defined, acceleration will not work.
- For best performance, Packeteer recommends that shaping be enabled when using acceleration.
tunnel acceleration abort
This command will terminate all accelerated flows.
Are you sure you want to continue? (NO): y
Acceleration has been set to "off".
Connections aborted.
When congestion control is disabled, a more aggressive rate control mode will be used. SCPS requires that congestion control be enabled. If SCPS is enabled when you turn off congestion control, you will be asked whether you want to disable SCPS. For example:

tunnel acceleration congestion-control off
Congestion control has been set to "off".
This requires SCPS to be disabled. Would you like to disable SCPS? (YES): y

If you choose not to disable SCPS by answering NO, the congestion control OFF setting will be ignored. (In other words, congestion control will still be on.)

Command Change History
FastStart works on HTTP traffic running on ports 80 or 8080. It's possible to turn on FastStart while acceleration is disabled (although it will only take effect when acceleration is enabled). If acceleration is off when you enable FastStart, you will be prompted to turn on acceleration. Be aware that FastStart can result in false "connection established" messages.
When prefetching is enabled, the PacketShaper and partner must be configured with the address of at least one DNS server. If more than one DNS server is provided, the prefetch logic will spread its requests equally among them. To configure a DNS server, see setup dns.

Client Prefetch requires that FastStart be enabled. If FastStart isn't already enabled when you enable client Prefetch, FastStart will automatically be set to on. For example:

tunnel acceleration prefetch client on
Client prefetch has been set to "on".
Enabling client prefetch has also enabled FastStart.
FastStart and Prefetch are not available when using SCPS. Turning SCPS on or off will terminate all active accelerated connections. Outbound link rate is not used.
Acceleration:        on
Congestion control:  on
SCPS:                off
FastStart:           on
Server Prefetch:     on
Client Prefetch:     on
Flows:               2245 5000

InAddr         OutAddr        Port  Flags  Rate0  Rate1  PartnerAddr    Svc
------------------------------------------------------------------------------
172.21.18.253  172.21.18.254  2426  O Wa   27k    2.1M   172.21.18.225  HTTP
Notes:
- The Flags column in the output displays one or more of the following:

  a   Accelerated flow
  c   Classified non-accelerated flow
  n   No accelerated partner found
  r   Acceleration bypass
  A   Asymmetric
  B   bad seq or ack
  C   Fully classified data, no SYN or SYN-ACK
  D
  I   Inbound closed
  O   Outbound closed
  s   SYN, no SYN-ACK
  S   SYN-ACK, no SYN
  T   Tentative
  W   Web

- If acceleration is off, the tunnel acceleration show output will indicate that other settings (FastStart, Server Prefetch, Client Prefetch) are disabled. For example:

  Acceleration:        off
  Congestion control:  on
  SCPS:                off
  FastStart:           on (but disabled due to acceleration)
  Server Prefetch:     on (but disabled due to acceleration)
  Client Prefetch:     on (but disabled due to acceleration)
tunnel class export outbound
This command will export the enhanced compression overrides for the traffic tree class /Outbound.
Continue? (NO): y
/Outbound contains 1 or more child classes. Export the overrides for those classes as well? (YES): y
Notes:
- In the export process, the RETD algorithm is converted to ZLIB since RETD isn't available in legacy mode.
- After Pred2 dictionaries are exported, they will show up as having half the size in legacy mode as they did in enhanced mode. For example, a class with a Pred2 algorithm and 1M dictionary will have the Pred2-512k dictionary after exporting.
- To verify that the settings were exported to legacy mode, use the class show <tclass> command.
- Exporting enhanced class overrides will overwrite any legacy overrides that were previously defined for the class.
tunnel class import outbound
This command will import the legacy compression overrides for the traffic tree class /Outbound.
Continue? (NO): y
/Outbound contains 1 or more child classes. Import the overrides for those classes as well? (YES): y
Notes:
- In the import process, the ZLIB algorithm is converted to RETD since ZLIB isn't available in enhanced mode.
- After Pred2 dictionaries are imported, they will show up as having twice the size in enhanced mode as they did in legacy mode. For example, Pred2-256k will become Pred2 with a 512k dictionary size after importing. This is because Pred2 uses two copies of the memory allotted (one for each pass). Note that Pred2 has always worked this way; it just wasn't previously apparent.
- To verify that the settings were imported, use the tunnel class show command.
- Importing legacy class overrides will overwrite any enhanced overrides that were previously defined for the class.
- If acceleration is disabled for a tunnel, you can still enable acceleration for a class, but it won't take effect until acceleration is enabled for the tunnel.
- An acceleration override will take effect on new connections only. If the acceleration state is changed on a traffic class while an accelerated flow is underway, the override will not apply.
- Use the tunnel class show command to see class acceleration settings.
- The all option can be useful for troubleshooting acceleration problems: turn acceleration off for all classes and then turn it on only for specific classes. If you have turned acceleration off for all classes and want to reverse this change, it would be best to return the acceleration settings to their default (tunnel class default) rather than turn acceleration on for all classes (tunnel class set acceleration all on).
- In order to disable acceleration for a particular class, the acceleration override must be set on the PacketShaper on the client side of the connection. Class overrides for acceleration are not effective on the server-side PacketShaper.

Command Change History

Release   Modification
8.1.1     all option introduced
<algorithm>  Particular method used to shrink the size of transferred traffic, for example, ICNA, CNA, or PRED2. The default algorithm is CNA. To see a list of valid algorithms, use the tunnel compression show command.
<groupid>    An identifying number (0-255) assigned to a particular class. The default group ID is 0. When you assign an ID, a compressor will be created specifically for this class to use. By giving a class its own compressor, you can potentially improve compression results. However, these additional compressors consume extra compression memory, so be sure to assign IDs only to your most critical and/or active classes. If you have classes with data patterns similar to a class that has its own compressor, you may want to share the compressor with these other classes; you can do this by assigning the similar classes the same <groupid> and <algorithm>.
<size>       Dictionary size specified as bytes. Optionally, you can enter a k (kilobyte) or m (megabyte) after the integer. For example, enter 2m for 2 megabytes or 512k for 512 kilobytes. The default dictionary size is 1 MB. If there isn't enough RAM available for the <size> you specify, Xpress will select a size that will work with the available memory.

Use the tunnel class show command to see the classes for which a compression algorithm has been specified.

Example:

tunnel class set algorithm outbound/Citrix icna 2

Notes:
- Group IDs and dictionary sizes aren't applicable to stateless algorithms (such as RETD).
- If you assign two classes the same algorithm and the same group ID but different dictionary sizes, both classes will use the same dictionary size. In other words, one of the classes will not use the dictionary size you specified. (The override that is created first will be the one that is used for both classes.)
- If compression is disabled for a tunnel, you can still enable compression for a class, but it won't take effect until compression is enabled for the tunnel.
- Use the tunnel class show command to see class compression settings.
- The all option can be useful for troubleshooting compression problems: turn compression off for all classes and then turn it on only for specific classes. Be aware that a number of services aren't compressible, so if you turn on compression for all classes, Xpress will waste resources trying to compress traffic that is uncompressible. If you have turned compression off for all classes and want to reverse this change, it would be best to return the compression settings to their default (tunnel class default) rather than turn compression on for all classes (tunnel class set compression all on).
pack-n-go
sensitive     Traffic that is sensitive to delay; sets the wait time to the value associated with the sensitive category (1 ms by default)
nonsensitive  Traffic that can handle some latency; sets the wait time to the value associated with the nonsensitive category (10 ms by default)

Examples:

To set the packing wait time to 20 ms for the outbound/test class:

tunnel class set holdtime outbound/test 20

To specify a packing wait time appropriate for latency-sensitive traffic:

tunnel class set holdtime skype sensitive

Notes:
- If packing is disabled for the class, you can still set the hold time, but it won't take effect until packing is enabled.
- Use the tunnel class show command to see the classes for which a packing wait time has been set.
- To enable/disable packing for a class, use tunnel class set packing.
- To change the value associated with a holdtime category, use the tunnel holdtime command. Note that the pack-n-go category is always set to 0 ms and cannot be changed.

Command Change History

Release   Modification
8.1.1
The maximum size of the super packet is determined by the MTU. See tunnel mtu.

You can also enable/disable packing on a per-service basis. See tunnel service set packing. Note that class packing settings override service settings.

Because different types of traffic can tolerate different amounts of latency, controls are available to fine-tune the length of time the super packet is held to wait for additional packets to be packed into it. See tunnel class set holdtime. On very busy links, packing doesn't cause much latency because the packets are bundled and sent off quickly. On less active links, Xpress may have to wait to get enough packets in a bundle, possibly creating application performance problems. If you are experiencing latency, try lowering the packing hold time or disabling packing altogether. Use the tunnel holdtime, tunnel service set holdtime, or tunnel class set holdtime commands to fine-tune the packing hold time.
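The trade-off described above (bundling adds little latency on a busy link but up to a full hold time on a quiet one) can be made concrete with a small simulation. The Python below is an added example, not PacketWise code: it models packing the way the page describes it, sending a super packet when it is full relative to the MTU or when the hold timer started by its first packet expires, and compares per-packet delay on a saturated and a quiet link under the hold times the page gives as defaults (10 ms nonsensitive, 1 ms sensitive, 0 ms pack-n-go). The traffic streams, the 1500-byte MTU and the exact send rules are assumptions made for illustration.

```python
from dataclasses import dataclass

MTU = 1500                 # bytes; the super packet is capped by the tunnel MTU (assumed value)
NONSENSITIVE_US = 10_000   # page default for the nonsensitive category: 10 ms
SENSITIVE_US = 1_000       # page default for the sensitive category: 1 ms
PACK_N_GO_US = 0           # pack-n-go is fixed at 0 ms


@dataclass
class Bundle:
    sent_at: int    # microseconds
    packets: list   # indices into the arrival list


def simulate_packing(arrivals, holdtime_us, mtu=MTU):
    """Bundle packets into super packets (a model, not the Xpress algorithm).

    arrivals: [(arrival_time_us, size_bytes)] sorted by time.
    A bundle is sent when the next packet would not fit, when it reaches the
    MTU, or when the hold timer started by its first packet expires.
    Returns (bundles, per-packet queuing delay in microseconds).
    """
    bundles, delays = [], [0] * len(arrivals)
    current, current_size, deadline = [], 0, None

    def flush(at):
        nonlocal current, current_size
        for idx in current:
            delays[idx] = at - arrivals[idx][0]
        bundles.append(Bundle(at, current))
        current, current_size = [], 0

    for i, (t, size) in enumerate(arrivals):
        if current and t > deadline:
            flush(deadline)              # timer fired before this packet arrived
        if current and current_size + size > mtu:
            flush(t)                     # would overflow the MTU: send what we have
        if not current:
            deadline = t + holdtime_us   # the first packet starts the hold timer
        current.append(i)
        current_size += size
        if current_size >= mtu:
            flush(t)                     # full: nothing to wait for
    if current:
        flush(deadline)                  # a trailing partial bundle waits out its timer
    return bundles, delays


def packing_stats(arrivals, holdtime_us, mtu=MTU):
    bundles, delays = simulate_packing(arrivals, holdtime_us, mtu)
    return {
        "bundles": len(bundles),
        "packets_per_bundle": len(arrivals) / len(bundles),
        "max_delay_us": max(delays),
        "mean_delay_us": sum(delays) / len(delays),
    }


def stream(count, spacing_us, size):
    """Constructed traffic: `count` packets of `size` bytes, one every `spacing_us`."""
    return [(i * spacing_us, size) for i in range(count)]


BUSY = stream(30, 100, 300)      # 300-byte packets every 0.1 ms: a saturated link
IDLE = stream(6, 50_000, 300)    # one 300-byte packet every 50 ms: a quiet link

if __name__ == "__main__":
    for link, traffic in (("busy", BUSY), ("idle", IDLE)):
        for category, hold in (("nonsensitive", NONSENSITIVE_US),
                               ("sensitive", SENSITIVE_US), ("pack-n-go", PACK_N_GO_US)):
            print(f"{link:5} {category:13} {packing_stats(traffic, hold)}")
```

On the busy stream the bundle fills in 0.4 ms regardless of the hold time, so the hold time never matters; on the idle stream every packet sits for the full hold time, which is exactly the situation in which the page advises lowering it or disabling packing.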
- If packing is disabled for a tunnel, you can still enable packing for a class, but it won't take effect until packing is enabled for the tunnel.
- Use the tunnel class show command to see class packing settings.
- The all option can be useful for troubleshooting packing problems: turn packing off for all classes and then turn it on only for specific classes.
Pack.  Holdtime  Group  Accel.
-----  --------  -----  ------
*      *         0      *
*      *         2      *
*      *         0      *
*      *         *      *
No     *         *      *

Pack.  Packtimer  Comp.  Algo.  Group  Size  Accel.
-----  ---------  -----  -----  -----  ----  ------
*      *          Yes    PRED2  0      512K  *
tunnel compression
Enable/disable compression globally or for a specific Xpress tunnel. Xpress compression shrinks the size of transferred traffic, effectively increasing the amount of bandwidth available on a link. For more information about compression, see Xpress Overview.

tunnel compression on|off|{<tunnel> off|default}

where <tunnel> is the name of a static tunnel. For a static tunnel, you can either disable compression (off) or specify that it use the global compression setting (default). You cannot enable compression for a tunnel if compression is globally disabled. By default, global compression is disabled.

Examples:

To turn on compression for all tunnels (except for those tunnels that have disabled compression):

tunnel compression on

To disable compression for a tunnel named LA:

tunnel compression LA off
tunnel compression dictionary ICNA
Default dictionary algorithm has been set to ICNA.

To change the default dictionary size to 2M:

tunnel compression dictionary ICNA 2m
Default dictionary algorithm has been set to ICNA 2M.

The algorithm and size specified can also be in the legacy format, such as:

For a list of compression algorithms and a range of dictionary sizes supported by your unit, use the tunnel compression show command. This command lists the current default algorithms (stateful and stateless) and dictionary size as well. The default algorithm and dictionary size is CNA-1M. For accelerated connections, the default algorithm is RETD for Xpress tunnels and DEFLATE for SkyX tunnels. (Note that the algorithms for accelerated connections cannot be changed.) For more information about algorithms, see Compression Algorithms and Compressors.
Xpress Configuration:
----------------------------
Algorithms: CNA HDRIP HDRRTP HDRTCP HDRUDP HDRXTP ICNA NONE PRED1 PRED2 RETD UDPRT
Default Stateless: RETD
Default Stateful: CNA
Default Dictionary Size: 1M
Dictionary Size Range: 64K-16M
Xpress Memory: 20448 KB / 262144 KB

Xpress Totals:
----------------------------
Total Bytes In: 8509280
Total Bytes Out: 224245
Total Bytes Saved: 8285035

Tunnels: 1
Name   Partner        Bytes In  Bytes Out  Bytes Saved  % Saved
--------------------------------------------------------------------------------
test2  172.21.18.161  8.11MB    218.98KB   7.90MB       97
To display compression information about a specific tunnel (london, in this example):

tunnel compression show london

Totals:
Sent Bytes: 672758
Received Bytes: 188666
PreCompression bps: 2064
PreDecompression bps: 81k

Lane  Bytes In  Bytes Out  Total Bytes Saved  Memory Usage
------------------------------------------------------------
0     9.56MB    258.81KB   9.31MB             1024KB
Description of fields in tunnel compression show output:

Field                  Description
Sent Bytes             Number of bytes sent to the partner through this tunnel (includes compressed and non-compressible bytes), measured since the tunnel was formed
Compressed Bytes       Number of compressed bytes sent to the partner through this tunnel, measured since the tunnel was formed
Received Bytes         Number of bytes received from the partner through this tunnel (includes compressed and non-compressible bytes), measured since the tunnel was formed
Decompressed Bytes     Number of bytes that needed to be decompressed from the partner through this tunnel, measured since the tunnel was formed
XTP Precomp            Number of XTP accelerated bytes sent through this tunnel, before compression has been applied; measured since compression was activated on the tunnel
XTP PostComp           Number of XTP accelerated bytes sent through this tunnel, after compression has been applied; measured since compression was activated on the tunnel
XTP PreDecomp          Number of XTP accelerated bytes received on this tunnel, before decompression has been applied; measured since compression was activated on the tunnel
XTP PostDecomp         Number of XTP accelerated bytes received on this tunnel, after decompression has been applied; measured since compression was activated on the tunnel
PreCompression bps     Bandwidth usage before compression has been applied to outbound traffic (includes only traffic that was sent through the compression tunnel). This value is a moving average calculated at the time the tunnel compression show command is issued.
PostCompression bps    Bandwidth usage after compression has been applied to outbound traffic (includes only traffic that was sent through the compression tunnel). This value is a moving average calculated at the time the tunnel compression show command is issued.
PreDecompression bps   Bandwidth usage before inbound traffic was decompressed (includes only traffic that was sent through the compression tunnel). This value is a moving average calculated at the time the tunnel compression show command is issued.
PostDecompression bps  Bandwidth usage after inbound traffic was decompressed (includes only traffic that was sent through the compression tunnel). This value is a moving average calculated at the time the tunnel compression show command is issued.

The following data is provided on a per-lane basis. If DiffServ support is not enabled, all traffic will go in Lane 0. If DiffServ is enabled, a lane is created for each unique DSCP value. For more information, see the <lane> description above.

Bytes In           For compressible outbound traffic, the number of bytes before compression has been applied, measured since the lane was formed
Bytes Out          For outbound traffic sent through a compression tunnel, the number of bytes after compression has been applied, measured since the lane was formed
Total Bytes Saved  The number of bytes that didn't have to traverse the link, due to compression; allows you to see how many bytes the compression feature actually saved on the link. Formula: Bytes In - Bytes Out
Memory Usage       Amount of memory dedicated to the body compressors on that lane. Does not include decompressors or header compressors.
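The formula just given (Total Bytes Saved = Bytes In - Bytes Out) and the truncated KB/MB cells of the tunnel table are easy to check mechanically. The Python below is an added example, not part of PacketGuide or PacketWise: it parses the totals block and tunnel table of a tunnel compression show display (constructed here from the sample earlier in this section), recomputes the savings and the whole-percent % Saved, and cross-checks the per-tunnel cells against the totals so that a counter that has drifted shows up as a finding. The unit thresholds and the truncation rule are inferred from the sample's values (8509280 bytes shown as 8.11MB, 224245 as 218.98KB) and are assumptions.

```python
import math
import re

# Constructed sample: the Xpress Totals block and tunnel table from the
# `tunnel compression show` output earlier in this section.
SAMPLE = """\
Xpress Totals:
----------------------------
Total Bytes In: 8509280
Total Bytes Out: 224245
Total Bytes Saved: 8285035

Tunnels: 1
Name   Partner        Bytes In  Bytes Out  Bytes Saved  % Saved
--------------------------------------------------------------------------------
test2  172.21.18.161  8.11MB    218.98KB   7.90MB       97
"""

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


def bytes_saved(bytes_in, bytes_out):
    """The page's lane formula: bytes that never had to cross the link."""
    return bytes_in - bytes_out


def percent_saved(bytes_in, saved):
    """Whole-percent saving, truncated (the sample shows 97 for 97.36%)."""
    return math.floor(saved * 100 / bytes_in) if bytes_in else 0


def human(n):
    """Render a byte count the way the tunnel table does: 1024-based unit,
    two decimals, truncated rather than rounded (assumption inferred from
    224245 bytes appearing as 218.98KB)."""
    for unit in ("GB", "MB", "KB"):
        if n >= UNITS[unit]:
            return f"{math.floor(n * 100 / UNITS[unit]) / 100:.2f}{unit}"
    return f"{n}B"


def parse_size(text):
    """Inverse of human(): '218.98KB' -> 224235.52 (lossy, as the cell is)."""
    m = re.fullmatch(r"([\d.]+)([KMG]?B)", text)
    if not m:
        raise ValueError(f"unrecognised size cell: {text!r}")
    return float(m.group(1)) * UNITS[m.group(2)]


def parse_show(text):
    """Return (totals, tunnel rows) from a tunnel compression show display."""
    totals = {k: int(v) for k, v in re.findall(r"Total Bytes (In|Out|Saved):\s*(\d+)", text)}
    rows, in_table = [], False
    for line in text.splitlines():
        if line.split()[:2] == ["Name", "Partner"]:
            in_table = True
            continue
        if not in_table or line.startswith("-"):
            continue
        if not line.strip():
            break
        name, partner, b_in, b_out, saved, pct = line.split()
        rows.append({"name": name, "partner": partner, "in": parse_size(b_in),
                     "out": parse_size(b_out), "saved": parse_size(saved), "pct": int(pct)})
    return totals, rows


def audit(text):
    """Cross-check the display against itself. An empty list means every cell
    agrees with the formula and with the totals; otherwise each string names
    the counter that drifted."""
    totals, rows = parse_show(text)
    findings = []
    expected = bytes_saved(totals["In"], totals["Out"])
    if totals["Saved"] != expected:
        findings.append(f"Total Bytes Saved {totals['Saved']} != In - Out = {expected}")
    tol = 0.01 * UNITS["MB"]  # table cells are truncated to 0.01 of their unit
    for r in rows:
        if abs(r["saved"] - bytes_saved(r["in"], r["out"])) > tol:
            findings.append(f"{r['name']}: Bytes Saved != Bytes In - Bytes Out")
        if r["pct"] != percent_saved(r["in"], r["saved"]):
            findings.append(f"{r['name']}: % Saved {r['pct']} disagrees with its byte cells")
    if rows and abs(sum(r["in"] for r in rows) - totals["In"]) > tol:
        findings.append("sum of tunnel Bytes In does not match Total Bytes In")
    return findings


if __name__ == "__main__":
    totals, rows = parse_show(SAMPLE)
    print(human(totals["In"]), human(totals["Out"]), human(totals["Saved"]),
          percent_saved(totals["In"], totals["Saved"]))
    print("findings:", audit(SAMPLE) or "none")
```

Run periodically against saved output, the audit gives an early warning that a unit's compression counters no longer add up, which is worth a look before trusting the % Saved figure in a capacity report.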
tunnel delete
Remove an existing Xpress tunnel.

tunnel delete <tunnel>|all

The <tunnel> can be static (one that was added with the tunnel new command) or dynamic (one that was auto-discovered). To specify a dynamic tunnel, enter the name in the form <xpress-IP>:<device>, where <xpress-IP> is the XpressIP address of the tunnel partner and <device> is main (built-in) or upper, lower, left, or right (LEM). For example: 172.21.19.10:main. To remove all static and dynamic tunnels, use the tunnel delete all command.
tunnel diffserv
Enable/disable DiffServ (Differentiated Services) mode globally or for a specific static Xpress tunnel. DiffServ mode should be enabled when using compression and/or packing on a DiffServ network. If an Xpress tunnel has DiffServ enabled, Xpress will inspect all packets for their DiffServ Code Point (DSCP) value. Within the tunnel, it will create a separate lane for each DSCP value. When Xpress sees packets with a DSCP different from those seen before, it will create a new lane associated with that DSCP. Any packets with that DSCP are then sent through the associated lane.

tunnel diffserv [<tunnel>] on|off|default

When this mode is enabled globally, DiffServ will automatically be enabled on new tunnels unless otherwise specified.

Examples:

To turn on DiffServ mode for all Xpress tunnels (except for those tunnels that have disabled DiffServ mode):

tunnel diffserv on

To disable DiffServ mode for a tunnel named LA:

tunnel diffserv LA off

Notes:
- When DiffServ mode is enabled, the tunneled super packets will inherit the DiffServ markings of the original packets. If a super packet is marked with a different DSCP value while it's inside the MPLS network, the partner PacketShaper at the other end of the tunnel will remark each of the original packets with this new value.
- Xpress supports up to five DSCP values. If your network exceeds the maximum, the super packets in the tunnel will not have DiffServ markings. However, if the super packet is marked with a different DSCP value while it's inside the MPLS network, the partner PacketShaper will remark each of the original packets with the new value.
tunnel discovery
Enable/disable the auto-discovery of hosts and partners for all Xpress tunnels, or disable auto-discovery of hosts for a specific static Xpress tunnel. If you are manually configuring tunnels and hosts, you will want to disable automatic host discovery so that the tunnel only uses the hosts you have configured.

Note: This command is applicable to enhanced mode only.

tunnel discovery on|off|{<tunnel> off|default}

Discovery cannot be enabled for enhanced tunnels when running in migration mode.

When auto-discovery is enabled, you may want to limit the hosts and partners that can use the tunneling facility. To do this, use the tunnel discovery host and tunnel discovery partner commands. When auto-discovery is disabled, Xpress will not automatically discover hosts; you must add the hosts manually with the tunnel local add and tunnel remote add commands.

Example:

To disable automatic host discovery for a specific static tunnel:

tunnel discovery LosAngeles off

In this example, assume that host and partner auto-discovery is enabled globally (with the tunnel discovery on command) and host discovery is disabled for the LosAngeles tunnel using the above command. All tunnels will auto-discover hosts except for the LosAngeles tunnel.

To check the status of tunnel discovery, use the tunnel summary command.
tunnel discovery host default <side>

where:

add      defines a host
remove   deletes a previously-defined host. If the unit is subscribed to PolicyCenter, remove <side> all removes all the hosts in the local configuration but does not allow the unit to inherit any hosts from the parent configuration.
default  sets tunnel hosts to default (no hosts specified) for the designated side (inside or outside). If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to remove all the hosts in the local configuration and inherit from the parent configuration.
show     lists the defined hosts
<side>   The hosts' location (inside or outside), relative to the unit. Typically inside hosts are located on the LAN and outside hosts are on the WAN or Internet, on the far side of the tunnel.

Designate the hosts to be added or removed, using one of the following specifications:

<ip-addr>[/<cidr>]
<network-addr>       host IP address or a CIDR network address; the CIDR number specifies the number of constant bits in the address range
<subnet>             the name of the subnet
list:<hostlist>      the name of a host list file
all                  removes all defined hosts so that all hosts can use Xpress tunnels

Examples:

tunnel discovery host add inside 10.7.38.1
tunnel discovery host add outside 10.7.38.0/24

To remove all defined outside hosts:

tunnel discovery host remove outside all

After this command is issued, no outside hosts will be restricted from using tunnels.

To view a list of defined hosts that can use tunnels:

tunnel discovery host show

Notes:
- Changes to the discovery host list require that tunnels be restarted. There are two ways to do this. As described earlier, you can disable compression, packing, and/or acceleration before changing the list (and re-enable them when you're done). Alternatively, if you have all dynamic tunnels, you can change the discovery host list, delete all the tunnels (tunnel delete all), and then let the tunnels reform automatically.
- You can also define tunnel hosts with the setup compression hosts command.
- Compression treats host lists differently than acceleration does because compression affects traffic in one direction while acceleration affects traffic bidirectionally. For instance, suppose an inside host is on the "inside exclude list" for the near PacketShaper but there is nothing on either list for the far PacketShaper. With compression, the inside host's requests will only be compressed in the direction going from near to far; with acceleration, the inside host's requests will not be accelerated in either direction.
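Because every change to the host list costs a tunnel restart, it is worth working out off-box what a given list actually admits before applying it. The Python below is an added example and not PacketWise code: it accepts the host specifications the command documents (<ip-addr>, <ip-addr>/<cidr>, the <ip-addr>-<ip-addr> range form used in the partner examples, list:<hostlist>, a <subnet> name, and all) and applies the semantics the page describes, namely that a side with no defined hosts is unrestricted and a side with defined hosts admits only matching ones. The host-list and subnet name lookups are modelled as dictionaries, which is an assumption; the exclude list mentioned in the notes is not modelled.

```python
import ipaddress

# Constructed stand-ins for the PacketShaper's named objects (assumption): a
# host list file referenced as list:<hostlist> and a named <subnet>.
HOST_LISTS = {"branch-servers": ["10.7.40.10", "10.7.40.11"]}
SUBNETS = {"lab": "10.7.50.0/24"}


def parse_spec(spec, host_lists=HOST_LISTS, subnets=SUBNETS):
    """Expand one host specification into a list of IPv4 networks.

    Accepted forms: <ip-addr>, <ip-addr>/<cidr>, <ip-addr>-<ip-addr>,
    list:<hostlist>, and a <subnet> name. 'all' is handled by the caller
    because it clears a side's list rather than adding to it.
    """
    spec = spec.strip()
    if spec == "all":
        raise ValueError("'all' is only meaningful with remove")
    if spec.startswith("list:"):
        return [ipaddress.ip_network(h, strict=False) for h in host_lists[spec[5:]]]
    if spec in subnets:
        return [ipaddress.ip_network(subnets[spec], strict=False)]
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range is backwards: {spec}")
        # A range rarely aligns to one prefix; summarize it into several.
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec, strict=False)]


class TunnelHostPolicy:
    """Models tunnel discovery host add|remove <side> <spec> as the page
    describes it: a side with no hosts defined is unrestricted; once hosts are
    defined, only hosts matching an entry may use Xpress tunnels."""

    def __init__(self):
        self.hosts = {"inside": [], "outside": []}

    def add(self, side, spec):
        self.hosts[side].extend(parse_spec(spec))

    def remove(self, side, spec):
        if spec == "all":
            self.hosts[side] = []          # back to "no hosts restricted" on this side
            return
        nets = parse_spec(spec)
        self.hosts[side] = [n for n in self.hosts[side] if n not in nets]

    def permits(self, side, ip):
        defined = self.hosts[side]
        if not defined:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in defined)

    def denied(self, side, ips):
        """Hosts from an observed set (for example from traffic history) that
        the current list would keep out of the tunnel."""
        return [ip for ip in ips if not self.permits(side, ip)]

    def show(self):
        return {side: [str(n) for n in nets] for side, nets in self.hosts.items()}


def example_policy():
    """The page's two add examples followed by its remove outside all example."""
    policy = TunnelHostPolicy()
    policy.add("inside", "10.7.38.1")
    policy.add("outside", "10.7.38.0/24")
    before = policy.show()
    policy.remove("outside", "all")
    return policy, before


if __name__ == "__main__":
    policy, before = example_policy()
    print("after add:", before)
    print("after remove outside all:", policy.show())
    print("inside hosts denied:", policy.denied("inside", ["10.7.38.1", "10.7.38.2"]))
```

Feeding denied() the client addresses seen in traffic history output shows which hosts would lose tunneling after the change, which is the check to make before the restart rather than after.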
add defines a PacketShaper unit that can be an Xpress tunnel partner remove deletes a previously-defined partner. If the unit is subscribed to PolicyCenter, remove all removes all the partners in the local configuration but does not allow the unit to inherit any partners from the parent configuration. default sets tunnel partners to default (no partners specified). If the unit is subscribed to PolicyCenter, the default option tells PolicyCenter to remove all the partners in the local configuration and inherit from the parent configuration. show lists defined Xpress tunnel partners
Designate the PacketShapers to be added or removed, <ip-addr> using one of the following specifications: [/<cidr>] <ip-addr>[/<cidr>] PacketShaper IP address or <ip-addr> range; the CIDR number specifies the number of <subnet> constant bits in the address range list: <ip-addr> <subnet> the name of the subnet <hostlist> list:<hostlist> the name of a host list file all all removes all defined tunnel partners so that all units can use tunneling
Examples:
    tunnel discovery partner add 10.7.38.0-10.7.38.200
    tunnel discovery partner add 10.7.38.0/24
To remove all defined tunnel partners:
    tunnel discovery partner remove all
After this command is issued, all PacketShapers will be able to use the tunneling facility.
To see a list of defined Xpress tunnel partners:
    tunnel discovery partner show
Notes:
Changes to the discovery partner list require that tunnels be restarted. There are two ways to do this. As described earlier, you can disable compression, packing, and/or acceleration before changing the list (and re-enable when you're done). Alternatively, if you have all dynamic tunnels, you can change the discovery partner list, delete all the tunnels (tunnel delete all), and then let the tunnels reform automatically. You can also define tunnel partners with the setup compression partners command.
PacketGuide for PacketWise 8.3
tunnel firewall
Enable/disable firewall support globally or for a specific Xpress tunnel. If the PacketShaper will be sending or receiving tunneled traffic through a firewall, this setting must be enabled for those tunnels. Firewall support is disabled by default.
    tunnel firewall [<tunnel>] on|off|default
When this setting is enabled globally, firewall support will automatically be enabled on new tunnels unless otherwise specified.
Examples:
To turn on firewall support for all tunnels (except for those tunnels that have disabled firewall support):
    tunnel firewall on
To disable firewall support for a tunnel named LA:
    tunnel firewall LA off
Notes:
• This feature will not work through a NAT device.
• It is not necessary to enable firewall support on each tunnel partner. When firewall support is enabled on one end of the tunnel, it will automatically act as if it is enabled on any tunnel partners (although the firewall setting is not actually physically changed on these partners).
• It is not recommended to enable firewall support on tunnels used just for acceleration.
tunnel holdtime
Define the packing wait time in milliseconds associated with the packing timer categories. The packing hold time is the amount of time Xpress will wait for additional packets before sending a super packet through an Xpress tunnel. Three timer categories are available: global, sensitive, and nonsensitive.
    tunnel holdtime global|sensitive|nonsensitive <milliseconds>
Each of the packing timer categories is described below.
global
    Description: The default packing wait time for services that don't have a predefined or user-defined value
    Default: 10 ms
    Examples: Abacast, Aimster, Gnutella, KaZaA, YahooMsg
sensitive
    Default: 1 ms
    Examples: Citrix, MPEGAudio, MPEGVideo, SkypeData, Telnet-Clear, Vonage
Examples:
To change the default packing wait time to 25 ms:
    tunnel holdtime global 25
To change the value associated with the nonsensitive category to 30 ms:
    tunnel holdtime nonsensitive 30
To set the value associated with the nonsensitive category back to its default
Notes:
• If packing is disabled for the class, you can still set the hold time but it won't take effect until packing is enabled.
• Use the tunnel service show and tunnel class show commands to see the services and classes for which a packing wait time has been set.
• To set a packing wait time for a specific class or service, use tunnel class set holdtime or tunnel service set holdtime. To enable/disable packing for a class or service, use tunnel class set packing or tunnel service set packing.
• A fourth packing timer category is also available (pack-n-go), but its time cannot be adjusted; it's always set to 0 ms.
tunnel ip clear
Clear the Xpress-IP (XIP) address and VLAN settings for a PacketShaper device. Once settings are cleared, compression, packing, and acceleration will be disabled on that interface.
    tunnel ip clear main|upper|lower|left|right|all
where main is the interface built into the unit, and upper|lower|left|right indicates the position of the installed LEM. The all parameter clears settings on all interfaces; if you clear all XIP addresses, compression, packing, and acceleration will automatically be disabled.
Example:
To clear all Xpress settings for the upper LEM:
    tunnel ip clear upper
Notes:
• If you want to clear the VLAN settings without clearing the XIP address settings, don't use the tunnel ip clear command; instead, use the tunnel ip configure command without the VLAN parameters. For example:
      tunnel ip configure upper 172.21.18.161 255.255.0.0 172.21.0.1
• The tunnel ip clear command is the same as the setup compression ip clear command; you may use either command.
tunnel ip configure
Set an Xpress-IP (XIP) address or VLAN settings for a PacketShaper device; this is required when using the Xpress feature.
    tunnel ip configure main|upper|lower|left|right <ipaddr> <mask> [<ingress gateway>] <gateway>|none [<vlanid> [<priority>]]
Where:
main|upper|lower|left|right
    PacketShaper device to configure:
    main    built-in interface
    upper   upper LAN Expansion Module (LEM)
    lower   lower LEM
    left    left LEM
    right   right LEM
<ipaddr>
    IP address to assign to the device; each interface must have a unique address. Note that this address is used by the Xpress feature and is not for managing the PacketShaper. The XIP address can NOT be the same as the unit's management address or the same address as the secondary customer portal address. The address cannot be:
    • loopback address (127.xx.xx.xx)
    • network address (all host bits 0)
    • broadcast address (all host bits 1)
    • class D or class E address
<mask>
    Subnet mask
<ingress gateway>
    IP address of the ingress router (optional). When an ingress gateway is configured, it will be used for inbound detunneled packets (that is, traffic that has been accelerated, compressed, and/or packed in an Xpress tunnel). The XIP gateway will be used for outbound tunneled traffic.
<gateway>|none
    IP address of the egress router; specify none if there isn't a gateway. The gateway is required when Prefetch server is enabled.
<vlanid>
    • A maximum of three VLAN IDs can be assigned per PacketShaper (one for each device).
    • An XIP configured with a VLAN must be on a different subnet from the management IP address.
<priority>
    802.1P VLAN priority (0-7). If your network isn't using VLAN IDs but you want to set a VLAN priority, you must set a VLAN ID of 0 (zero).
Notes:
• If you are using Xpress with Packeteer's direct standby feature, the LEM that is used for direct connection cannot be configured for Xpress. (Note: Direct standby is supported in legacy tunnel mode only.)
• The tunnel ip configure command is the same as the setup compression ip configure command. (You may use either command.)
• When you assign or change Xpress-IP addresses with the tunnel ip configure command, Xpress will tear down existing tunnels and establish new tunnels using the new Xpress-IP addresses.
• If you upgraded from v7.x to v8.x, Xpress will automatically use the same addresses you configured in v7.x. PacketWise 8.x has the additional requirement that the Xpress-IP address cannot be the same as the management IP address. If they are the same, you will see the following error message on the Info tab (in the browser) or in the CLI banner after you log in:
      Warning: No XIP addresses have been configured. Compression will be disabled until you configure the Xpress-IP address.
Examples:
To set the XIP address of an upper LEM:
    tunnel ip configure upper 172.21.18.161 255.255.0.0 172.21.0.1
For VLAN environments, you can specify the VLAN ID and/or VLAN priority. If you specify only one VLAN parameter, PacketWise will assume it is the VLAN ID. In the following example, all compressed packets going through the main interface will be assigned a VLAN ID of 2176:
    tunnel ip configure main 192.168.0.6 255.255.255.0 192.168.0.1 2176
If you only want to use VLAN priority, you have to set a VLAN ID of zero. For example, to assign a VLAN priority of 2 to all compressed packets going through the lower LEM interface, you must set the VLAN ID to 0 (zero):
    tunnel ip configure lower 192.168.0.5 255.255.255.0 192.168.0.1 0 2
To clear the VLAN settings without clearing the Xpress-IP settings, use the tunnel ip configure command without the VLAN parameters:
    tunnel ip configure lower 192.168.0.5 255.255.255.0 192.168.0.1
See also: tunnel ip clear, tunnel ip show
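As an added example (not part of PacketGuide or PacketWise), the following Python function applies the XIP address rules documented above to a proposed tunnel ip configure assignment before it is typed on the unit. The XipPlan record, its field names and the sample management address are assumptions made for this illustration.

```python
"""Added example (not from PacketGuide): pre-check a proposed Xpress-IP (XIP)
assignment against the address rules listed for 'tunnel ip configure'.

Rules modelled from the reference text:
  - the XIP must not be a loopback (127.x.x.x), network (all host bits 0),
    broadcast (all host bits 1), class D or class E address;
  - it must differ from the unit's management address and the secondary
    customer portal address, and each interface needs a unique XIP;
  - an XIP that carries a VLAN ID must be on a different subnet from the
    management address, and at most three VLAN IDs are allowed per unit;
  - a VLAN priority (0-7) without a VLAN ID requires VLAN ID 0.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEVICES = ("main", "upper", "lower", "left", "right")


@dataclass
class XipPlan:
    """Constructed view of a unit's addressing (assumed fields, not a PacketWise structure)."""
    management_ip: str
    portal_ip: Optional[str] = None
    # device -> (xip, mask, vlanid or None) for interfaces already configured
    configured: Dict[str, Tuple[str, str, Optional[int]]] = field(default_factory=dict)


def check_xip(plan: XipPlan, device: str, ipaddr: str, mask: str,
              vlanid: Optional[int] = None,
              priority: Optional[int] = None) -> List[str]:
    """Return the rule violations for the assignment; an empty list means it is acceptable."""
    problems: List[str] = []
    if device not in DEVICES:
        return [f"unknown device {device!r}"]
    try:
        iface = ipaddress.IPv4Interface(f"{ipaddr}/{mask}")
    except ValueError as exc:
        return [f"invalid address/mask: {exc}"]
    addr, net = iface.ip, iface.network

    if addr.is_loopback:
        problems.append("loopback address (127.x.x.x) is not allowed")
    # network/broadcast only exist as distinct addresses for prefixes up to /30
    if net.prefixlen <= 30 and addr == net.network_address:
        problems.append("network address (all host bits 0) is not allowed")
    if net.prefixlen <= 30 and addr == net.broadcast_address:
        problems.append("broadcast address (all host bits 1) is not allowed")
    first_octet = int(addr) >> 24
    if 224 <= first_octet <= 239:
        problems.append("class D (multicast) address is not allowed")
    elif first_octet >= 240:
        problems.append("class E (reserved) address is not allowed")

    mgmt = ipaddress.IPv4Address(plan.management_ip)
    if addr == mgmt:
        problems.append("XIP must not equal the management address")
    if plan.portal_ip and addr == ipaddress.IPv4Address(plan.portal_ip):
        problems.append("XIP must not equal the secondary customer portal address")
    for other_dev, (other_ip, _mask, _vlan) in plan.configured.items():
        if other_dev != device and ipaddress.IPv4Address(other_ip) == addr:
            problems.append(f"XIP already used on device {other_dev!r}")

    if vlanid is not None:
        if mgmt in net:
            problems.append("an XIP with a VLAN ID must be on a different subnet "
                            "from the management address")
        vlan_devices = {d for d, (_ip, _mask, v) in plan.configured.items()
                        if v is not None and d != device}
        if len(vlan_devices) >= 3:
            problems.append("at most three VLAN IDs can be assigned per PacketShaper")
    if priority is not None:
        if not 0 <= priority <= 7:
            problems.append("VLAN priority must be 0-7")
        if vlanid is None:
            problems.append("a VLAN priority without a VLAN ID requires VLAN ID 0")
    return problems


if __name__ == "__main__":
    # constructed sample: management address 10.0.0.5, main already carries VLAN 2176
    plan = XipPlan("10.0.0.5", configured={"main": ("192.168.0.6", "255.255.255.0", 2176)})
    print(check_xip(plan, "upper", "172.21.18.161", "255.255.0.0"))        # []
    print(check_xip(plan, "lower", "192.168.0.5", "255.255.255.0", priority=2))
```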
Command Change History
Release   Modification
8.2.0     No longer required to enable the tnlEnableIngress variable in order to activate the ingress gateway. (The tnlEnableIngress system variable has been removed.)
8.1.1     [<ingress gateway>] option introduced
tunnel ip show
Show the Xpress-IP address and VLAN settings for a PacketShaper device.
    tunnel ip show [main|upper|lower|left|right]
where main is the interface built into the unit, and upper|lower|left|right indicates the position of the installed LEM. If no device is specified, settings for all interfaces will be listed.
Example:
    tunnel ip show main
Notes:
• The Gateway address may initially show as "Resolving" while Xpress is in the process of resolving the gateway. When you reissue the command, if Xpress was able to resolve the gateway, the output will show the interface (outside or inside) and the MAC address. "Resolving" may also appear if the link is down.
• If the tnlEnableIngress system variable is enabled, the output of the show command will list the Ingress Gateway settings.
<host>
    Host IP address
<range>
    Range of IP addresses. To specify a range, use a dash with no spaces between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).
<subnet>/<cidr>
    The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)
list:<hostlist>
    The name of a host list created with the hl new command
    Notes:
    • You cannot use a host list that contains domain names.
    • If you change the contents of a host list after you have added it to the device's local list, you will need to add it again; the local list doesn't automatically update when the host list changes.
Examples:
    tunnel local add main 192.168.0.0-192.168.10.100
Multiple hosts can be added at once, for example:
    tunnel local add lower 10.0.0.0/8 192.168.0.0-192.168.0.60 192.168.10.12
Notes:
• The list of eligible local hosts is communicated to tunnel partners at the time the tunnel is established and is updated as the list changes.
• The list is saved in the unit's configuration and will be re-applied after a system restart. (Note: Dynamic hosts are not saved.)
• Each time you issue the tunnel local add command for a device, the hosts will be added to the current list of local hosts for that device. In other words, you do not need to respecify hosts you've already added.
• Use the tunnel local show command to see the local hosts that are associated with a device. Use the tunnel local delete command to remove local hosts.
<host>
    Host IP address
<range>
    Range of IP addresses. To specify a range, use a dash with no spaces between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).
<subnet>/<cidr>
    The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)
Examples:
    tunnel local delete main 192.168.0.0-192.168.0.100
Multiple hosts can be removed at once, for example:
    tunnel local delete lower 10.0.0.0/8 192.168.0.0-192.168.0.60 192.168.10.12
Or, to remove all static local hosts from a device:
    tunnel local delete main all
Notes:
• The hosts and ranges removed must exactly match the way they were configured. For example, if you added 10.0.0.0/8 as static local hosts, then that is how it must be specified when removed. Using the same example, you cannot remove the specific host 10.1.2.3 if the range originally added was 10.0.0.0/8. Use the command tunnel local show to see the list of local static hosts.
• The tunnel local delete command removes static hosts that were added with the tunnel local add command. It does not delete dynamic hosts that were discovered on a device. To remove dynamic hosts, use the tunnel local flush command.
list:<hostlist>
    Descriptive name for the host list (up to 127 characters; the slash (/) and backslash (\) characters may not be used). If the host list name already exists, the hosts will be appended to the contents of the existing list.
Before exporting, you may want to view a list of a device's local hosts; use the tunnel local show command. After exporting, use the hl show command to view the contents of the host list. Note that the lists may look different because Xpress will consolidate adjacent IP addresses into ranges during the export process. If the host list name you specify already exists, you will be notified that the exported hosts will be appended to the existing list. You are given the option of canceling the command if you don't want to do this.
Example:
    tunnel local export main list:mylist5
    Exporting static list:
    exporting 172.21.18.0-172.21.18.255
    exporting 172.21.19.5-172.21.19.6
    exporting 172.21.20.17
    exporting 172.21.22.10
    Exported 4 entries to hostlist mylist5.
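The host specifications accepted by tunnel local add, the exact-match rule for tunnel local delete, and the range consolidation performed by tunnel local export are modelled in the following added Python example (illustration code, not PacketWise's own). StaticLocalList, parse_spec and the sample host lists are constructed for this example; the export result reproduces the static list shown for the main device above.

```python
"""Added example (not from PacketGuide): model the static local host list
kept per device by 'tunnel local add', 'tunnel local delete' and
'tunnel local export'.

Behaviour modelled from the reference text:
  - an entry is a host, a low-high range (dash, no spaces), a
    <subnet>/<cidr>, or list:<hostlist> naming a host list; host lists
    containing domain names cannot be used;
  - delete only accepts an entry spelled exactly as it was added, so
    10.1.2.3 cannot be deleted out of an added 10.0.0.0/8;
  - export consolidates adjacent or overlapping addresses into ranges.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Span = Tuple[int, int]  # inclusive (low, high) as 32-bit integers

_RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")


def parse_spec(spec: str, hostlists: Dict[str, List[str]]) -> List[Span]:
    """Turn one command argument into one or more address spans."""
    if spec.startswith("list:"):
        name = spec[len("list:"):]
        if name not in hostlists:
            raise ValueError(f"no host list named {name!r}")
        spans: List[Span] = []
        for entry in hostlists[name]:
            if entry.startswith("list:"):
                raise ValueError("nested host lists are not supported here")
            spans.extend(parse_spec(entry, hostlists))
        return spans
    m = _RANGE_RE.match(spec)
    if m:
        low, high = (int(ipaddress.IPv4Address(x)) for x in m.groups())
        if low > high:
            raise ValueError(f"range {spec!r} has its low address above the high one")
        return [(low, high)]
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return [(int(net.network_address), int(net.broadcast_address))]
    try:
        a = int(ipaddress.IPv4Address(spec))
    except ValueError:
        # anything else (for example a domain name) is rejected
        raise ValueError(f"{spec!r} is not an IP address, range or subnet")
    return [(a, a)]


class StaticLocalList:
    """Per-device static list with exact-match deletion and consolidated export."""

    def __init__(self, hostlists: Optional[Dict[str, List[str]]] = None):
        self.hostlists = hostlists or {}
        self.entries: Dict[str, List[str]] = {}  # device -> specs exactly as typed

    def add(self, device: str, *specs: str) -> int:
        """Append specs to the device's list (re-adding a spec is harmless); returns list size."""
        lst = self.entries.setdefault(device, [])
        for spec in specs:
            parse_spec(spec, self.hostlists)  # validate before recording
            if spec not in lst:
                lst.append(spec)
        return len(lst)

    def delete(self, device: str, *specs: str) -> List[str]:
        """Remove exactly matching specs, or everything for 'all'; returns the specs that did not match."""
        lst = self.entries.get(device, [])
        if specs == ("all",):
            lst.clear()
            return []
        missing = []
        for spec in specs:
            if spec in lst:
                lst.remove(spec)
            else:
                missing.append(spec)
        return missing

    def export(self, device: str) -> List[str]:
        """Consolidate the device's spans into sorted, non-overlapping ranges as export does."""
        spans: List[Span] = []
        for spec in self.entries.get(device, []):
            spans.extend(parse_spec(spec, self.hostlists))
        spans.sort()
        merged: List[Span] = []
        for low, high in spans:
            if merged and low <= merged[-1][1] + 1:  # adjacent or overlapping
                merged[-1] = (merged[-1][0], max(merged[-1][1], high))
            else:
                merged.append((low, high))
        out = []
        for low, high in merged:
            a, b = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
            out.append(str(a) if low == high else f"{a}-{b}")
        return out


if __name__ == "__main__":
    lst = StaticLocalList({"corp": ["10.0.0.0/8", "192.168.1.1"]})  # constructed host list
    lst.add("main", "172.21.18.0/24", "172.21.18.16", "172.21.19.5",
            "172.21.19.6", "172.21.20.17", "172.21.22.10")
    for entry in lst.export("main"):
        print("exporting", entry)
```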
<range>
    Range of IP addresses. To specify a range, use a dash with no spaces between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).
<subnet>/<cidr>
    The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)
Examples:
To clear a range of dynamic hosts discovered on the built-in device (main):
    tunnel local flush main 192.113.0.0-192.113.0.100
To clear all dynamic hosts discovered on the lower LEM:
    tunnel local flush lower all
To clear all dynamic hosts discovered on all devices:
    tunnel local flush all
Note:
• To see the list of auto-discovered hosts for a device, use the tunnel local show <device> command.
<device>
<host>
<subnet>/<cidr>
-f <file>
The maximum number of hosts that the tunnel local show command will display on the console is 1000. If there are more than 1000 local hosts, you can choose to display the list anyway. Alternatively, you can filter the list to a more manageable size using the <host>, <subnet>, <range>, or -n <number> parameters. If a device or host isn't specified, the tunnel local show command lists hosts associated with each device on the PacketShaper.
Examples:
    tunnel local show main
    Static local list for Inside device:
    172.21.18.0/24
    172.21.18.16
    172.21.19.5
    172.21.19.6
    172.21.20.17
    172.21.22.10
    172.50.16.25
    Addresses or ranges in the static local list for Inside: 7.
    Addresses or ranges in the dynamic local list for Inside: 1.

    tunnel local show 172.21.1.41
Command Change History
Release   Modification
8.3.0     New parameters added: <subnet>/<cidr>, <subnet> <mask>, <range>, -n <number>, -f <file>. Maximum number of hosts displayed on the console increased to 1000.
8.2.0     To avoid the display of excessively long host lists, only the first 100 host entries are listed under Static list and Dynamic list in the tunnel local show output. If there are more than 100 host entries, a message will display indicating that there are too many entries to display.
    Tunnel london events at time 0002687.7485 (50/50)
    001 [0002622.2949] Tunnel state transition ("Restarting")
    002 [0002622.2949] Tunnel going to state: Initializing
    003 [0002624.2951] Tunnel state transition ("Initializing")
    004 [0002624.2951] Tunnel going to state: Resolving egress gateway
    005 [0002624.2951] Tunnel state transition ("Resolving egress gateway")
    006 [0002624.2951] Tunnel going to state: Resolving ingress gateway
    007 [0002624.2951] Tunnel state transition ("Resolving ingress gateway")
    008 [0002624.2951] Tunnel state transition ("Found Ingress gateway")
    009 [0002624.2951] Tunnel state transition ("Found partner")
    010 [0002624.2951] Tunnel going to state: Waiting for open reply
    011 [0002661.6545] Changing "Firewall" from 1 to 0
Notes:
• Tunnel logs are automatically created for all tunnels. Once a log has reached its maximum size, older entries will be cleared to make way for newer log entries. Log entries are cleared when the PacketShaper is reset and when you issue the tunnel logging clear command.
• Each entry has a timestamp, such as [0002622.2949]. The timestamp is the system uptime in seconds and milliseconds.
• For descriptions of common tunnel states, see Tunnel States.
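As an added example (not from PacketGuide), the following Python parser reads entries in the tunnel log format shown above and reports the state path, any setting changes (such as the "Firewall" change in the log), and how long a restart took to reach the wait for the open reply. SAMPLE_LOG re-types the london entries from the page; the function names and the Entry record are this example's own.

```python
"""Added example (not from PacketGuide): parse tunnel log entries into
events and summarise state transitions and setting changes.

Entry format modelled from the reference: a three-digit index, an uptime
timestamp [seconds.milliseconds], then the message. Header lines such as
"Tunnel london events at time ..." are skipped.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_ENTRY_RE = re.compile(r'^(\d{3})\s+\[(\d+)\.(\d+)\]\s+(.*)$')
_GOING_RE = re.compile(r'^Tunnel going to state:\s+(.+)$')
_CHANGE_RE = re.compile(r'^Changing "([^"]+)" from (\S+) to (\S+)$')

# the page's own example entries, re-typed in the documented format
SAMPLE_LOG = """\
Tunnel london events at time 0002687.7485 (50/50)
001 [0002622.2949] Tunnel state transition ("Restarting")
002 [0002622.2949] Tunnel going to state: Initializing
003 [0002624.2951] Tunnel state transition ("Initializing")
004 [0002624.2951] Tunnel going to state: Resolving egress gateway
005 [0002624.2951] Tunnel state transition ("Resolving egress gateway")
006 [0002624.2951] Tunnel going to state: Resolving ingress gateway
007 [0002624.2951] Tunnel state transition ("Resolving ingress gateway")
008 [0002624.2951] Tunnel state transition ("Found Ingress gateway")
009 [0002624.2951] Tunnel state transition ("Found partner")
010 [0002624.2951] Tunnel going to state: Waiting for open reply
011 [0002661.6545] Changing "Firewall" from 1 to 0
"""


@dataclass
class Entry:
    index: int
    uptime: float   # system uptime in seconds (seconds.milliseconds in the log)
    message: str


def parse_log(text: str) -> List[Entry]:
    """Return one Entry per numbered log line; non-entry lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if not m:
            continue
        idx, secs, frac, msg = m.groups()
        entries.append(Entry(int(idx), float(f"{secs}.{frac}"), msg))
    return entries


def state_path(entries: List[Entry]) -> List[str]:
    """Ordered list of target states from the 'Tunnel going to state' entries."""
    path = []
    for e in entries:
        m = _GOING_RE.match(e.message)
        if m:
            path.append(m.group(1))
    return path


def setting_changes(entries: List[Entry]) -> List[Tuple[float, str, str, str]]:
    """(uptime, setting, old, new) for every 'Changing ...' entry.

    These are worth auditing: a setting such as Firewall flipping from 1 to 0
    is a configuration change on the tunnel, not a transient state."""
    out = []
    for e in entries:
        m = _CHANGE_RE.match(e.message)
        if m:
            out.append((e.uptime, m.group(1), m.group(2), m.group(3)))
    return out


def restart_to_open_seconds(entries: List[Entry]) -> Optional[float]:
    """Seconds from the latest 'Restarting' transition until the tunnel goes to
    'Waiting for open reply'; None if the sequence is not present."""
    start = None
    for e in entries:
        if e.message == 'Tunnel state transition ("Restarting")':
            start = e.uptime
        elif start is not None and e.message == "Tunnel going to state: Waiting for open reply":
            return round(e.uptime - start, 4)
    return None


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("states:", " -> ".join(state_path(log)))
    print("setting changes:", setting_changes(log))
    print("restart to open-reply wait:", restart_to_open_seconds(log), "s")
```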
legacy
migration [<ratio>]
    Supports both types of tunnels: legacy and enhanced. Use this mode when migrating from earlier versions of PacketWise. By default, 50 percent of compression memory is allocated to legacy compression tunnels and 50 percent is assigned to enhanced Xpress tunnels. To change the percentage of compression memory assigned to legacy Xpress, specify a <ratio> (20-80). For example, a <ratio> of 30 would allocate 30 percent to legacy, 70 percent to enhanced.
enhanced
    Uses new 8.x tunnel infrastructure. In enhanced mode, a tunnel serves multiple purposes and can include one or more of the following: compression, acceleration, and packing.
default
Notes:
• The new tunnel mode will not take effect until you reset the PacketShaper. After issuing the command, you will be asked if you want to reset immediately. If you decline, you will need to issue the reset command at a convenient time in order to activate the new tunnel mode.
• The default mode for new installations is enhanced mode. The default mode for units that have upgraded to 8.x depends on whether watch mode was enabled before the upgrade. If watch mode was enabled in 7.x, the unit will be in legacy mode after the upgrade. (This is because watch mode only operates in legacy mode.) If this feature was not enabled in 7.x, the unit will be in migration mode after the upgrade.
• Another way to change the mode is to use the setup compression mode set command.
• Migration mode has special considerations. See Information about Migration Mode for details.
tunnel mode show
Example output:
    Xpress tunnels are configured to run in migration mode.
    50% of compression memory is assigned to legacy mode.
    The remaining 50% is assigned to enhanced mode.
See also: tunnel mode set, setup compression mode show
tunnel mtu
Set the Maximum Transmission Unit (MTU) used for packing and acceleration. When packing is enabled via the tunnel packing command, packets are combined into a single "super packet" before being sent through the Xpress tunnel; the MTU defines the maximum size of the super packet. The MTU can be set globally or for an individual tunnel. MTU is the largest datagram that can be transmitted by an IP interface (without it needing to be broken down into smaller units).
    tunnel mtu auto|<mtu>|default
    tunnel mtu <tunnel> <mtu>|default
auto|<mtu>|default
    Set the global MTU. auto lets the system set the MTU automatically. <mtu> is the MTU size in bytes. Valid MTU values are 100-1500; the default is 1500. default removes the local setting so that the unit inherits the MTU setting of the parent configuration. If the parent configuration doesn't have an MTU setting, the local setting will be cleared so that the unit can inherit any future MTU value that is set.
<tunnel> <mtu>|default
    Set the MTU for a static Xpress <tunnel>. <mtu> is the MTU size in bytes. Valid MTU values are 100-1500; the default is 1500. default sets a tunnel's MTU to the global MTU setting.
Examples:
To change the global MTU for all tunnels:
    tunnel mtu 1450
To change the MTU of a tunnel named tunnel2:
    tunnel mtu tunnel2 1440
To have the system select an appropriate MTU for all tunnels:
    tunnel mtu auto
tunnel new
Manually add an Xpress tunnel. This tunnel is static, as opposed to the dynamic tunnels that are created automatically, either through auto-discovery or creation by a tunnel partner. (When a static tunnel is created by one PacketShaper, it appears as a dynamic tunnel on the partner PacketShaper.)
    tunnel new <device> <ipaddress> <tunnel> [<options>...]
Where:
<device>
    PacketShaper device to configure on the local unit:
    main    built-in interface
    upper   upper LAN Expansion Module (LEM)
    lower   lower LEM
    left    left LEM
    right   right LEM
<ipaddress>
    Xpress-IP address of the partner PacketShaper, or in the case of SkyX tunnels, the IP address of the SkyX device
<tunnel>
    Descriptive name to be assigned to the tunnel; the name can be up to 24 characters long and may include alphanumeric characters and the following special characters: . - _ : @ # $ % = + [ ] { }
    Spaces are not allowed. The following names are reserved for other uses and are prohibited as tunnel names: acceleration, all, class, compression, default, delete, dictionary, diffserv, discovery, faststart, firewall, force, global, high, holdtime, host, information, ip, local, logging, low, mem, mtu, new, normal, off, on, packing, partner, password, ping, prefetch, priority, remote, remove, scps, service, show, state, static, xtpping, undefined.
    Note: Tunnels cannot be renamed so choose your name carefully. If you later decide that you want to rename a tunnel, you'll need to remove it and create a new one.
<options>
    If you want the tunnel to have special parameters different from the default settings, specify any of the following tunnel settings while creating the tunnel:
    acceleration off | default
        Disable acceleration for the tunnel or use the global setting for acceleration.
    compression off | default
        Disable compression for the tunnel or use the global compression setting.
    diffserv on | off | default
        Enable/disable Diffserv (Differentiated Services) mode for a specific tunnel. Diffserv mode should be enabled when using compression or packing on a Diffserv network.
    discovery off | default
        Disable automatic host discovery for the tunnel or use the global discovery setting. When the discovery option is disabled, Xpress will not automatically discover hosts for the tunnel; you must add the hosts manually with the tunnel local add and tunnel remote add commands.
    firewall on | off | default
        Enable/disable firewall support for the tunnel. If the PacketShaper will be sending or receiving tunneled traffic through a firewall, this setting must be enabled.
    mtu <mtu>
        Set the Maximum Transmission Unit (MTU) used for packing. The MTU defines the maximum size of the super packet. (100-1500 bytes)
    packing off | default
        Disable packet packing for the tunnel or use the global packing setting. When packing is enabled, multiple packets are combined into a single super packet before being sent through the Xpress tunnel. Packing saves on overhead and improves compression rates (if compression is enabled) because less data is being sent out on the wire.
    skyx on | off
        When skyx is enabled, the Xpress unit will be able to create an acceleration tunnel with a SkyX device.
        Notes:
        • Make sure that "acceptall-xtp" mode is enabled on the SkyX device. If necessary, use the skyx set accept-all-xtp on command to enable this mode.
        • The only other <options> that are applicable to SkyX tunnels are acceleration, compression, and mtu.
        • The SkyX option is intended for accelerating flows between a PacketShaper unit and a SkyX device. Although Xpress allows you to create a SkyX tunnel between two PacketShapers, it's not supported or recommended, nor does it serve any useful purpose.
    verbose on | off
        When verbose is enabled, messages are displayed as the tunnel is being established; this is useful for troubleshooting tunnel setup problems.
It is only necessary to statically configure a tunnel on one side of the link. The tunnel creation process will provide the partner with the various configuration parameters for the tunnel so that it can be handled the same way in both directions.
tunnel packing
Enable/disable packet packing globally or for a static compression tunnel. When packing is enabled, multiple packets are combined into a single super packet before being sent through the compression tunnel. Since fewer packets are sent, packing saves on overhead introduced by packet headers. Note that packing is a feature of the Xpress compression key.
    tunnel packing on|off|{<tunnel> off|default}
where <tunnel> is the name of a static tunnel. For a static tunnel, you can either disable packing (off) or specify that it use the global packing setting (default). You cannot enable packing for a tunnel if packing is globally disabled.
Packing is disabled by default. When this setting is enabled globally, packing will automatically be enabled on new compression tunnels unless otherwise specified. Those services that can benefit from packing are pre-marked as packing capable, and traffic in those services will automatically be packed as soon as packing is enabled globally.
Examples:
To turn on packing for all compression tunnels (except for those tunnels that have disabled packing):
    tunnel packing on
To disable packing for a tunnel named LA:
    tunnel packing LA off
Notes:
• The maximum size of the super packet is determined by the MTU. See tunnel mtu.
• In addition to turning packing on and off on a per-tunnel basis, you can enable/disable packing on a per-service and a per-class basis. See tunnel class set packing and tunnel service set packing.
• Because different types of traffic can tolerate different amounts of latency, controls are available to fine-tune the length of time the super packet is held to wait for additional packets to be packed into it. See tunnel class set holdtime and tunnel service set holdtime.
• Due to the inherent delay in the process of combining packets, packing will increase network latency. On very busy links, packing doesn't cause much latency because the packets are bundled and sent off quickly. On less active links, Xpress may have to wait to get enough packets in a bundle, possibly creating application performance problems. If you are experiencing latency, try lowering the packing hold time or disabling packing altogether.
• Packing is most efficient and effective when dealing with small packets or packets that can be reduced in size with compression.
tunnel password
For security purposes, you should configure a community password for Xpress tunnels. This authentication mechanism is used to determine whether tunnel partners can be "trusted" for purposes of receiving host updates. When partners of an established tunnel have matching passwords, the tunnels will be in secure mode and will exchange host updates.
    tunnel password [<password>|default]
where
<password>
    Sets the tunnel password for the PacketShaper. Passwords can be up to nine characters long and are case sensitive. They can consist of a combination of letters, numbers, and all special characters.
default
    Clears the password
If you type tunnel password without specifying a password, you will be prompted to enter the password. If you press Enter without typing a password, the password will be cleared (as if the default option was used). You will be prompted to type a new password and retype the password to confirm. For example:
    tunnel password
    For security reasons, a tunnel partner password can be defined. If set, this will restrict tunnel partners to units that share the same password.
    Set the new tunnel password:
    Confirm the new password:
    The new tunnel partner password has been set.
Notes:
• After a new tunnel password is set, any existing tunnels will be reset (closed). Static tunnels will re-initialize themselves and come back up. Dynamic tunnels will re-establish themselves according to the normal process (for example, a tunnel will automatically form when flows are destined for hosts on the other side of a PacketShaper).
• If you forget the tunnel password, you can assign a new password without having to know the old one. Or, to display the currently configured password, use the tunnel summary -pw command in touch mode.
• If passwords are not configured on partner PacketShapers and discovery is off, a tunnel will form, but no data will be sent in the tunnel (that is, data will not be compressed, packed, or accelerated), unless remote hosts have been statically configured.
• When discovery is on, but passwords aren't configured or don't match the partner, a tunnel will form, remote host discovery will work, and data will be sent through the tunnel (that is, data will be compressed, packed, and/or accelerated). However, when passwords aren't correctly configured, local host discovery does not operate and statically configured local hosts are ignored. While tunnel features still work, host discovery is not as fast and efficient. In this situation, the tunnel is not operating in secure mode. To check whether a tunnel is in secure mode, use the tunnel show <tunnel> command; if the output shows Secure Mode: Yes, the tunnel is in secure mode and can exchange host updates with the partner.
• If passwords are not configured on partner units and the unit is in migration mode, only remote static hosts are used (remote hosts are not dynamically discovered).
• The tunnel password is included in the output of the setup capture command.
• In PolicyCenter, the tunnel password is an inheritable attribute.
tunnel ping
Test connectivity of an Xpress tunnel or a partner PacketShaper to determine the tunneling capability between two units. This command is useful for troubleshooting tunnel setup problems. The ping command tests that the partner understands enhanced Xpress mode and has it enabled.
    tunnel ping <tunnel> | {<device> <target ip-address>} [<pingsize> <count>]
<tunnel>
    Name of the static or dynamic tunnel for which you want to test connectivity. To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main (built-in) or upper, lower, left, or right (LEM). For example: 172.21.19.10:main.
<device>
    Interface on the local unit from which connectivity is to be tested. <device> is one of the following:
    main    built-in interface
    upper   upper LAN Expansion Module (LEM)
    lower   lower LEM
    left    left LEM
    right   right LEM
<target ip-address>
    The Xpress-IP address of an interface (main, upper LEM, lower LEM, left LEM, right LEM) on the partner PacketShaper. Note: Each interface on a PacketShaper has a unique Xpress-IP address.
<ping size>
<count>
Ping Messages
The ping output indicates the round trip time in milliseconds of each packet sent, as well as summary statistics of the number of transmitted packets, the number of received packets, and a calculation of the percentage of packet loss. After issuing the ping command, you will see one of the following messages:
1 packets transmitted, 1 packets received, 0% packet loss
    Successful ping attempt: Xpress was able to connect to the specified tunnel/partner
5 packets transmitted, 0 packets received, 100% packet loss
    Unsuccessful ping attempt: Xpress was not able to connect to the specified tunnel/partner
20 packets transmitted, 18 packets received, 10% packet loss
    Partially successful attempt: Xpress was able to connect to the specified tunnel/partner but some packets were lost
The command also reports the following conditions:
    Tunnel name is invalid or doesn't exist; you either typed the tunnel name incorrectly or the tunnel isn't up. Use the tunnel show command to see a list of valid tunnel names and states.
    Device name is invalid or doesn't exist; you either typed the device name incorrectly or the unit doesn't have the device installed.
    <target ip-address> entered was on the local unit. It should be the IP address of the partner unit.
Examples:
    tunnel ping london
    32 bytes from 172.21.18.161, seq=0, time=10 ms
    --- 172.21.18.161 tunnel ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss

    tunnel ping 172.31.4.85:main 1000
    1000 bytes from 172.31.4.85, ... ms
    1000 bytes from 172.31.4.85, ... ms
    1000 bytes from 172.31.4.85, ... ms
    1000 bytes from 172.31.4.85, ... ms
    --- 172.31.4.85 tunnel ping statistics ---
    5 packets transmitted, 4 packets received, 20% packet loss
Notes:
• If the local PacketShaper isn't able to get a response from the partner, try pinging the IP address using the standard ping command. If this ping request is successful, there are two possible explanations. (1) The address is not an XIP address. (2) The PacketShaper associated with the XIP is not running PacketWise v8.x. (Only PacketShapers running v8.x respond to the tunnel ping command.)
• If a PacketShaper running v8.1.1 or higher pings a PacketShaper running v8.0.x or v8.1.0 and a <pingsize> is specified, the response will always come back as 32 bytes, as opposed to the actual size specified. However, the fact that the 8.0.x or 8.1.0 PacketShaper responded means the ping was received. This happens because the previous versions didn't have the <pingsize> parameter.
• The tunnel xtpping command is similar to the tunnel ping command, but the difference is that a tunnel xtpping sends XTP packets while a tunnel ping sends ICOMP (protocol 99) packets. The tunnel xtpping command is useful for diagnosing any acceleration-related difficulties, especially with routing and/or firewalls. The tunnel ping command is useful for general tunnel troubleshooting.
Command Change History
Release   Modification
8.1.1     [<ping size> <count>] parameters introduced
<host>
Host IP address
<range>
Range of IP addresses. To specify a range, use a dash with no spaces between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).
<subnet>/<cidr>
The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)
list:<hostlist>
The name of a host list created with the hl new command

Notes:
- You cannot use a host list that contains domain names.
- If you change the contents of a host list after you have added it to the tunnel's remote list, you will need to add it again; the remote list doesn't automatically update when the host list changes.
Examples:

tunnel remote add tunnel3 192.168.0.0-192.168.10.100

Multiple hosts can be added at once, for example:

tunnel remote add tun1 10.0.0.0/8 192.168.0.0-192.168.0.60 192.168.10.12

Notes:
- If you want to specify the entire Internet as remote to a tunnel, specify the range 0.0.0.0-255.255.255.255 on the edge PacketShaper. You will also need to disable the tnlRemoteRsvpDiscovery system variable. See setup variable.
- The list of eligible remote hosts is communicated to tunnel partners at the time the tunnel is established and is updated as the list changes.
- The list is saved in the unit's configuration and will be re-applied after a system restart. (Note: Dynamic hosts are not saved.)
- Each time you issue the tunnel remote add command for a tunnel, the hosts will be added to the current list of remote hosts for that tunnel. In other words, you do not need to respecify hosts you've already added.
- Use the tunnel remote show command to see the remote hosts that are associated with a tunnel. Use the tunnel remote delete command to remove remote hosts.
- Do not add PacketShaper management IP addresses to the remote host list.
PacketGuide for PacketWise 8.3
<host>
Host IP address
<range>
Range of IP addresses. To specify a range, use a dash with no spaces between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).
<subnet>/<cidr>
The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)
Examples:

tunnel remote delete tunnel2 192.168.0.0-192.168.0.100

Multiple hosts can be removed at once, for example:

tunnel remote delete tun1 10.0.0.0/8 192.168.0.0-192.168.0.60 192.168.10.12

Or, to remove all static remote hosts from a tunnel:

tunnel remote delete tun1 all

Notes:
- The hosts and ranges removed must exactly match the way they were configured. For example, if you added 10.0.0.0/8 as static remote hosts, then that is how it must be specified when removed. Using the same example, you cannot remove the specific host 10.1.2.3 if the range originally added was 10.0.0.0/8. Use the tunnel remote show command to see the list of remote static hosts.
- The tunnel remote delete command removes static hosts that were added with the tunnel remote add command. It does not remove dynamic hosts that were discovered on a tunnel. To remove dynamic hosts, use the tunnel remote flush command.
list:<hostlist>
Descriptive name for the host list (up to 127 characters; the slash (/) and backslash (\) characters may not be used). If the host list name already exists, the hosts will be appended to the contents of the existing list.
Before exporting, you may want to view a list of a tunnel's remote hosts; use the tunnel remote show command. After exporting, use the hl show command to view the contents of the host list. Note that the lists may look different because Xpress will consolidate adjacent IP addresses into ranges during the export process. If the host list name you specify already exists, you will be notified that the exported hosts will be appended to the existing list. You are given the option of canceling the command if you don't want to do this.

Example:

tunnel remote export tunnel4 list:tunnellist4
Exporting static list:
  exporting 172.21.18.16
  exporting 172.21.20.17
  exporting 172.21.22.10
  exporting 192.168.0.12-192.168.13.99
Exported 4 entries to hostlist tunnellist4.
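The add, exact-match delete, flush and export rules described for the remote host list (tunnel remote add, delete, flush and export) modelled in Python, as an added illustration that is not PacketWise code; the RemoteHostList class and its methods are this example's own names, it accepts IPv4 entries in the three forms the reference lists, and it assumes the export merge rule is "adjacent or overlapping addresses become one range".

```python
"""Model of an Xpress tunnel's static remote-host list (added illustration, not
PacketWise code). It reproduces three rules from the reference: entries are kept
in the form they were added (host, range, or subnet/cidr), a delete must match an
entry exactly as added, and an export consolidates adjacent addresses into ranges."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
ALL_ONES = 2**32 - 1  # 255.255.255.255


def parse_entry(text):
    """Turn 'host', 'low-high' or 'subnet/cidr' into an inclusive (low, high) int pair."""
    if "/" in text:
        net = ipaddress.ip_network(text, strict=False)
        return int(net.network_address), int(net.broadcast_address)
    if "-" in text:
        low, high = text.split("-", 1)
        lo, hi = int(IPv4(low)), int(IPv4(high))
        if lo > hi:
            raise ValueError(f"range low address is above high address: {text}")
        return lo, hi
    addr = int(IPv4(text))
    return addr, addr


@dataclass
class RemoteHostList:
    static: list = field(default_factory=list)  # entries, exactly as typed
    dynamic: set = field(default_factory=set)   # auto-discovered hosts (not saved)

    def add(self, *entries):
        """tunnel remote add: append to the current list; re-adding is harmless."""
        for entry in entries:
            parse_entry(entry)  # reject malformed input before storing it
            if entry not in self.static:
                self.static.append(entry)

    def delete(self, *entries):
        """tunnel remote delete: exact-match removal, or 'all' to clear statics."""
        if entries == ("all",):
            self.static.clear()
            return
        for entry in entries:
            if entry not in self.static:
                raise KeyError(f"{entry} was not added in this form; check tunnel remote show")
            self.static.remove(entry)

    def flush(self, spec="all"):
        """tunnel remote flush: drop dynamic hosts, all of them or only those in a range."""
        if spec == "all":
            self.dynamic.clear()
            return
        lo, hi = parse_entry(spec)
        self.dynamic = {h for h in self.dynamic if not lo <= int(IPv4(h)) <= hi}

    def covers(self, host):
        """True if host is treated as remote to the tunnel (static or dynamic)."""
        addr = int(IPv4(host))
        if addr in {int(IPv4(h)) for h in self.dynamic}:
            return True
        return any(lo <= addr <= hi for lo, hi in map(parse_entry, self.static))

    def _merged(self):
        """Sorted static spans with adjacent or overlapping ones joined (assumed merge rule)."""
        merged = []
        for lo, hi in sorted(parse_entry(e) for e in self.static):
            if merged and lo <= merged[-1][1] + 1:
                merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
            else:
                merged.append((lo, hi))
        return merged

    def export(self):
        """tunnel remote export: the consolidated form written to the host list."""
        return [str(IPv4(lo)) if lo == hi else f"{IPv4(lo)}-{IPv4(hi)}"
                for lo, hi in self._merged()]

    def spans_entire_internet(self):
        """Audit check: does the static list amount to 0.0.0.0-255.255.255.255?"""
        return any(lo == 0 and hi == ALL_ONES for lo, hi in self._merged())


if __name__ == "__main__":
    rl = RemoteHostList()
    rl.add("10.0.0.0/8", "192.168.0.0-192.168.0.60", "192.168.0.61", "192.168.10.12")
    print(rl.export())  # ['10.0.0.0-10.255.255.255', '192.168.0.0-192.168.0.61', '192.168.10.12']
```

The spans_entire_internet check is useful when auditing edge units, since a list that resolves to the whole address space is the configuration the reference pairs with disabling tnlRemoteRsvpDiscovery.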
<range>
Range of IP addresses. To specify a range, use a dash with no spaces between the low and high address in the range (for example, 192.168.1.100-192.168.1.200).
<subnet>/<cidr>
The address of the subnet; the CIDR number specifies the number of constant bits in the address range (for example, 10.0.0.0/8)
To see the list of auto-discovered hosts for a tunnel, use the tunnel remote show <tunnel> command.

Examples:

To clear a range of dynamic hosts discovered on a tunnel (LA):
tunnel remote flush LA 192.113.0.0-192.113.0.100

To clear all dynamic hosts discovered on a tunnel (LA):
tunnel remote flush LA all

To clear all dynamic hosts discovered on all tunnels:
tunnel remote flush all

See also: tunnel remote delete, tunnel remote show
<device>
Device on the PacketShaper:
  main   built-in interface
  upper  upper LAN Expansion Module (LEM)
  lower  lower LEM
  right  right LEM
  left   left LEM
<tunnel>
Name of the static or dynamic tunnel for which you want to show hosts. To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main, upper, lower, right, or left. For example: 172.21.19.10:main
<subnet>/<cidr>
Lists the remote hosts in the specified subnet; the CIDR number specifies the number of constant bits in the address range. Example: 192.168.1.0/24
<subnet> <mask>
Lists the remote hosts for the designated subnet and mask. Example: 128.10.1.0 255.255.255.0
<range>
Lists the remote hosts in the specified IP address range. Example: 172.21.18.160-172.21.18.190
-n <number>
Limits the number of host entries displayed. For example, if 10 is the <number>, 10 static host entries and 10 dynamic hosts are displayed.
-f <file>
Saves output to a file named <file>. The filename must be in 8.3 format (for example, hostfile.txt). The file is created in the current directory unless you specify a different path. It may be useful to output the list to a file and then open the file in a text editor to review and search.
Remote hosts for tunnel "tunnel3":
Static list:
  <none>
Dynamic list:
  192.168.92.80
  192.168.93.1
  192.168.93.254
Addresses or ranges in the static list of remote hosts: 0.
Addresses or ranges in the dynamic list of remote hosts: 3.

tunnel remote show 172.21.16.2
Command Change History
Release  Modification
8.3.0    New parameters added: <subnet>/<cidr>, <subnet> <mask>, <range>, -n <number>, -f <file>
8.2.0    Maximum number of hosts displayed on the console increased to 1000. To avoid the display of excessively long host lists, only the first 100 host entries are listed under Static list and Dynamic list in the tunnel remote show output. If there are more than 100 host entries, a message will display indicating that there are too many entries to display.
<groupID>
An identifying number (0-255) assigned to a particular class. The default group ID is 0. When you assign an ID, a compressor will be created specifically for this class to use. By giving a class its own compressor, you can potentially improve compression results. However, these additional compressors consume extra compression memory, so be sure to assign IDs only to your most critical and/or active classes. If you have classes with data patterns similar to a class that has its own compressor, you may want to share the compressor with these other classes; you can do this by assigning the similar classes the same <groupID> and <algorithm>.
<size>
Dictionary size specified as bytes. Optionally, you can enter a k (kilobyte) or m (megabyte) after the integer. For example, enter 2m for 2 megabytes or 512k for 512 kilobytes. The default size is 1 MB. If there isn't enough RAM available for the <size> you specify, Xpress will select a size that will work with the available memory.
Use the tunnel service show command to see the services for which a compression algorithm has been specified.

Example:

tunnel service set algorithm CitrixIMA-svr icna 2

Notes:
- Group IDs and dictionary sizes aren't applicable to stateless algorithms (such as RETD).
- If you assign two services the same algorithm, the same group ID, but different dictionary sizes, both services will use the same dictionary size. In other words, one of the services will not use the dictionary size you specified. (The override that is created first will be the one that is used for both services.)
- If a unit is assigned to a PolicyCenter configuration with a compression dictionary that the unit cannot support, the unit will substitute a smaller compression dictionary of the same type. For example, if a 2500 series unit is assigned to a PolicyCenter configuration configured with a CNA-32M dictionary, the unit will use the largest CNA dictionary supported, in this case, CNA-16M. If the unit does not have the assigned compression plugin, it will use its currently configured compression dictionary.
If compression is disabled for a tunnel, you can still enable compression for a service, but it won't take effect until compression is enabled for the tunnel. Use the tunnel service show command to see the service compression settings. The all option can be useful for troubleshooting compression problems: turn compression off for all services and then turn it on only for specific services. Be aware that a number of services aren't compressible, so if you turn on compression for all services, Xpress will waste resources trying to compress traffic that is uncompressible. If you have turned compression off for all services and want to reverse this change, it is best to return the compression settings to their default (tunnel service default) rather than turn compression on for all services (tunnel service set compression all on).
pack-n-go

sensitive
Traffic that is sensitive to delay; sets the wait time to the value associated with the sensitive category (1 ms by default)
nonsensitive
Traffic that can handle some latency; sets the wait time to the value associated with the nonsensitive category (10 ms by default)
Many PacketWise services have a built-in holdtime default that is appropriate in most situations. The holdtime command allows you to fine tune the settings if you need to.

Examples:

To set the packing wait time to 20 ms for the http service:
tunnel service set holdtime http 20

To specify a packing wait time appropriate for latency-sensitive traffic, such as Skype data:
tunnel service set holdtime skypedata sensitive

Notes:
- If packing is disabled for the service, you can still set the hold time, but it won't take effect until packing is enabled.
- Use the tunnel service show command to see the services for which a packing wait time has been pre-configured or user-defined.
- To enable/disable packing for a service, use tunnel service set packing.
- To change the value associated with a holdtime category, use the tunnel holdtime command. Note that the pack-n-go category is always set to 0 ms and cannot be changed.
- The maximum size of the super packet is determined by the MTU. See tunnel mtu.
- You can also enable/disable packing on a per-class basis. See tunnel class set packing. Note that class packing settings override service settings.
- Because different types of traffic can tolerate different amounts of latency, controls are available to fine tune the length of time the super packet is held to wait for additional packets to be packed into it. See tunnel service set holdtime.
- On very busy links, packing doesn't cause much latency because the packets are bundled and sent off quickly. On less active links, Xpress may have to wait to get enough packets in a bundle, possibly creating application performance problems. If you are experiencing latency, try lowering the packing hold time or disabling packing altogether.
- If packing is disabled for a tunnel, you can still enable packing for a service, but it won't take effect until packing is enabled for the tunnel.
- The all option can be useful for troubleshooting packing problems: turn packing off for all services and then turn it on only for specific services.
Service Name    Pack.  Comp.  Algo.  Group  Size  Accel.
--------------  -----  -----  -----  -----  ----  ------
Aimster-Data    No     No     *      *      *     *
Apple-iTunes    No     No     *      *      *     *
Ares            No     No     *      *      *     *
AsheronsCall    *      *      *      *      *     *
Audiogalaxy     No     No     *      *      *     *
Battle.net      *      *      *      *      *     *
BGP             No     No     *      *      *     *
BitTorrent      No     No     *      *      *     *
Blubster        No     No     *      *      *     *
BulkDataXfer    No     No     *      *      *     *
The * means that the setting uses the default value. If you specify a <service>, the command output will show all services that contain the characters you type (regardless of where they appear in the service name). For example, if you type http for <service>, you will see a list of all services that have HTTP in the name.

tunnel service show http

Service Name   Pack.  Holdtime  Comp.  Algo.  Group  Size  Accel.
-------------  -----  --------  -----  -----  -----  ----  ------
...            *      *         *      *      *      *     *
...            *      *         *      *      *      *     *
HTTP-Tunnel    *      *         *      *      *      *     *
SOAP-HTTP      *      *         *      *      *      *     *
4 services shown.
tunnel show
Display tunnel information for all enhanced tunnels, a subset of tunnels, or a specific tunnel. Specifics on each tunnel are displayed: tunnel partner, bytes sent and received, and tunnel state. You can sort the list by different criteria (such as age, performance, and activity) and filter the list by IP address, tunnel characteristics, or device.

tunnel show [<tunnel>] | all | [sort <criteria>] [filter <criteria>|<wildcard ipaddress>] [limit <limit>] [configuration|state]

Where:

<tunnel>
Name of the static or dynamic tunnel for which you want to show information. To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main (built-in) or upper, lower, left, or right (LEM). For example: 172.21.19.10:main. Note that some dynamic tunnels may also have an ID at the end of the name (for example, 172.21.19.10:main:1); the ID is appended in situations where a static tunnel already had the same name.

all
Displays two tunnel lists: open tunnels and a log of recently closed tunnels (historical information)

sort <criteria>
Sorts the tunnel list by one of the following <criteria>:
  active - most active tunnel first (tunnels that are not closed)
  alphabetic - alphabetically (the default)
  badness - worst performing tunnel first (based on number of compressed, packed, and/or accelerated bytes)
  goodness - best performing tunnel first (based on number of compressed, packed, and/or accelerated bytes)
  idle - most idle tunnel first
  newest - newest tunnel first
  oldest - oldest tunnel first

filter <criteria> | <wildcard ipaddress>
Filters the tunnel list by one of the following <criteria>:
  acceleration - display only tunnels that have acceleration enabled
  active - display only active tunnels (tunnels that are not closed)
  all - display all tunnels
  cached - display cached tunnels (including ones that were removed recently)
  closed - display only closed tunnels
  compression - display only tunnels that have compression enabled
  dynamic - display only auto-discovered tunnels
  firewall - display only firewalled tunnels
  idle - display only idle tunnels (for example, tunnels that don't have a partner or are in the process of initializing)
  skyx - display only SkyX tunnels
  static - display only static (manually configured) tunnels
  up - display only tunnels in up state
  main - display only tunnels created on the built-in ports
  lower - display only tunnels created on the lower LEM
  upper - display only tunnels created on the upper LEM
  right - display only tunnels created on the right LEM
  left - display only tunnels created on the left LEM
With <wildcard ipaddress>, you can use the "*" wildcard character with an IP address (tunnel show filter 172.16.*).

limit <limit>
Maximum number of tunnels to display, where <limit> is any integer

configuration
Lists the configuration settings of each tunnel: partner's IP address, device, acceleration, compression, packing, firewall, DiffServ, host/partner discovery, and MTU value. This parameter is not available when you issue this command from PolicyCenter.

state
For each tunnel, lists the reason why the tunnel was last closed (if applicable) and the tunnel's current state. This parameter is not available when you issue this command from PolicyCenter.
To display similar information about legacy compression tunnels, use the setup compression show command.

Examples:

tunnel show
Tunnels: 3
Name                 Partner         Bytes Sent  Bytes Recv  State
------------------------------------------------------------------------------
test                 172.21.18.166   0           0           Initializing...
tunnel2              172.21.18.170   0           0           Up - Idle
172.21.18.160:main   172.21.18.160   547.03KB    126.75KB    Up - dataXfer

tunnel show configuration
Tunnels: 3
Name      Partner         Device  Acc  Comp  Pack  Fire  Diff  Disc  MTU
------------------------------------------------------------------------------
skyx3     172.21.18.170   Main    on   OFF   OFF   OFF   OFF   OFF*  1500
test      172.21.18.165   Main    on   off   ON*   off   off   on    1500
tunnel1   172.21.18.160   Main    on   off   off   off   off   on    1500

Attributes set to use default values will display as "on" or "off".
Attributes set to specific overrides will display as "ON" or "OFF". A "*" displayed next to an attribute indicates a difference from the Global Tunnel values.
tunnel show test
Name: test                  172.21.18.165
Type: static                21s
State: Up - DataXfer
Last Closed State: Open request timed out
Secure Mode: Yes
Egress Device: Outside
Egress IP: 0.0.0.0
Egress MAC: 00:00:00:00:00:00
Partner MAC: 00:60:fb:60:49:9a
on off on 1500
Totals:
  Static Local Hosts:           Static Remote Hosts:
  Dynamic Local Hosts:          Dynamic Remote Hosts:
  Total Sent Packets:           Total Received Packets:
  Sent Data Bytes:              Received Data Bytes:
  Sent Mesg Bytes:              Received Mesg Bytes:
  Avg Sent Packet Size:         Avg Received Packet Size:

Lane  Packets In  Packets Out  Bytes Out  Avg Pkt/Pkt  Eff%  Avg Bytes Saved
------------------------------------------------------------------------
0     9.74K       4.81K        400.71KB   2            13    22
Explanation of the fields in the tunnel show output:

Field / Description:
- Static Local Hosts: Number of local hosts configured on the device
- Static Remote Hosts: Number of remote hosts configured on this tunnel
- Dynamic Local Hosts: Number of local hosts auto-discovered on the device
- Dynamic Remote Hosts: Number of remote hosts auto-discovered on this tunnel
- Total Sent Packets: Number of packets sent to the partner through this tunnel
- Total Received Packets: Number of packets received from the partner through this tunnel
- Sent Data Bytes: Number of bytes of data sent to the partner through this tunnel
- Received Data Bytes: Number of bytes of data received from the partner through this tunnel
- Sent Mesg Bytes: Number of bytes of tunnel protocol messages sent to the partner through this tunnel
- Received Mesg Bytes: Number of bytes of tunnel protocol messages received from the partner through this tunnel
- Avg Sent Packet Size: Average packet size sent to the partner through this tunnel. Formula: (Sent Data Bytes + Sent Mesg Bytes) / Total Sent Packets
- Avg Received Packet Size: Average packet size received from the partner through this tunnel. Formula: (Received Data Bytes + Received Mesg Bytes) / Total Received Packets
The following data is provided on a per-lane basis. If DiffServ support is not enabled, all traffic will go in Lane 0. If DiffServ is enabled, a lane is created for each unique DSCP value. For more information, see tunnel diffserv.

- Packets In: Number of outbound packets sent into the "packer" for packing
- Packets Out: Number of packed packets sent out of the packer (after packing); in other words, the number of super packets
- Bytes Out: Number of bytes sent through the tunnel (includes data and tunnel protocol message traffic)
- Avg Pkt/Pkt: Average number of packets packed into each super packet. Formula: Packets In / Packets Out
- Eff%
- Avg Bytes Saved
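An added example (not PacketWise code) that parses a tunnel show <tunnel> output laid out as above and recomputes the documented averages, plus the consistency check the notes describe (with packing off and a single lane, Total Sent Packets, Packets In and Packets Out are equal). The sample text is constructed, and it assumes the K/KB and M/MB suffixes in the output are decimal thousands and millions, which the reference does not state.

```python
"""Parse the counters printed by 'tunnel show <tunnel>' and recompute the averages
the reference defines (added illustration, not PacketWise code)."""
import re

# Constructed sample in the documented layout. The Lane 0 row is the one shown in
# the reference; the Totals values are made up so the formulas can be exercised.
SAMPLE = """\
Totals:
  Static Local Hosts: 2          Static Remote Hosts: 3
  Dynamic Local Hosts: 0         Dynamic Remote Hosts: 5
  Total Sent Packets: 9740       Total Received Packets: 8120
  Sent Data Bytes: 400000        Received Data Bytes: 310000
  Sent Mesg Bytes: 10300         Received Mesg Bytes: 8800

Lane  Packets In  Packets Out  Bytes Out  Avg Pkt/Pkt  Eff%  Avg Bytes Saved
----------------------------------------------------------------------------
0     9.74K       4.81K        400.71KB   2            13    22
"""

# Assumption: the K/KB and M/MB abbreviations are decimal thousands and millions.
SUFFIX = {"": 1, "K": 1_000, "KB": 1_000, "M": 1_000_000, "MB": 1_000_000}


def parse_number(token):
    """'9.74K' -> 9740, '400.71KB' -> 400710, '13' -> 13."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)([KM]B?)?", token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    value, unit = m.groups()
    return int(round(float(value) * SUFFIX[unit or ""]))


def parse_totals(text):
    """Collect every 'Label: integer' pair under Totals into a dict."""
    totals = {}
    for line in text.splitlines():
        for label, value in re.findall(r"([A-Za-z ]+?):\s+(\d+)\b", line):
            totals[label.strip()] = int(value)
    return totals


def parse_lanes(text):
    """Rows under the Lane header: lane id followed by the six per-lane counters."""
    cols = ("lane", "packets_in", "packets_out", "bytes_out", "avg_pkt", "eff_pct", "avg_saved")
    lanes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) == len(cols) and tok[0].isdigit():
            lanes.append(dict(zip(cols, (parse_number(t) for t in tok))))
    return lanes


def avg_packet_size(totals, direction="Sent"):
    """Reference formula: (<dir> Data Bytes + <dir> Mesg Bytes) / Total <dir> Packets."""
    packets = totals[f"Total {direction} Packets"]
    return (totals[f"{direction} Data Bytes"] + totals[f"{direction} Mesg Bytes"]) / packets


def packing_ratio(lane):
    """Reference formula for Avg Pkt/Pkt: Packets In / Packets Out."""
    return lane["packets_in"] / lane["packets_out"]


def single_lane_packing_off(totals, lanes):
    """The reference's signature of packing being off: exactly one lane (0) and
    Total Sent Packets == Packets In == Packets Out. False means packets are being
    bundled into super packets (or DiffServ has split traffic across lanes)."""
    if len(lanes) != 1 or lanes[0]["lane"] != 0:
        return False
    return totals["Total Sent Packets"] == lanes[0]["packets_in"] == lanes[0]["packets_out"]


if __name__ == "__main__":
    totals, lanes = parse_totals(SAMPLE), parse_lanes(SAMPLE)
    print(f"avg sent packet size: {avg_packet_size(totals):.2f} bytes")        # 42.13
    print(f"packets per super packet (lane 0): {packing_ratio(lanes[0]):.2f}")  # 2.02
```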
Notes:
- If packing is turned off for a tunnel and it has only one lane (0), the values of Total Sent Packets, Packets In, and Packets Out will be the same.
- The packet and byte statistics include data traffic and tunnel protocol message traffic.
- A tunnel is in secure mode when the tunnel is established and both partners have the same tunnel password.
- For SkyX tunnels, the output from the tunnel show <tunnel> command does not display the ingress and egress devices. (This information is displayed for regular Xpress tunnels.) To determine the device a SkyX tunnel uses, go to the xpress tab in the browser interface.
- If you enable compression for a PolicyCenter sharable configuration before a PacketShaper assigned to that configuration obtains its compression license keys, the PacketShaper may display errors when you issue the CLI command tunnel show from that unit. Resolve this problem by turning compression off and then back on from the command-line or browser interface of the PacketShaper.

Command Change History
tunnel static
Convert a dynamic Xpress tunnel to a static tunnel so that the settings can be fine tuned. Because certain settings (such as manually adding hosts) can be configured for static tunnels only, you'll need to convert the tunnel to static if you want to adjust these settings.

tunnel static <tunnel> [<new tunnel name>]

where

<tunnel>
Name of the dynamic tunnel (for example, 172.21.20.16:main)
<new tunnel name>
Descriptive name to be assigned to the tunnel; the name can be up to 31 characters long and may include alphanumeric characters and the following special characters: . - _ : @ # $ % = + [ ] { } Spaces are not allowed. The following names are reserved for other uses and are prohibited as tunnel names: acceleration, all, class, compression, default, delete, dictionary, diffserv, discovery, faststart, firewall, force, global, high, holdtime, host, information, ip, local, logging, low, mem, mtu, new, normal, off, on, packing, partner, password, ping, prefetch, priority, remote, remove, scps, service, show, state, static.

Notes:
- Tunnels cannot be renamed, so choose your name carefully. If you later decide that you want to rename a tunnel, you'll need to remove it and create a new one.
- If you don't specify a <new tunnel name>, Xpress will assign the static tunnel the name of the dynamic tunnel.
tunnel summary
Display the Xpress tunnel summary. The summary displays the Xpress-IP addresses, the number of Xpress tunnels, current configuration settings, the amount of traffic sent and received through tunnels, compression memory, available algorithms, default compression dictionary, and number of service and class overrides.

tunnel summary [-pw]

The -pw parameter displays the PacketShaper's tunnel password (in touch mode only) in addition to the other tunnel information.

Xpress IP Configuration:
  Main:
    Address: 172.21.18.163
    Netmask: 255.255.0.0
    Gateway: 172.21.0.1
Tunnels:
  active: 3      priority: 2
  idle: 2        manual: 2
  firewall: 0    SkyX: 0
Tunnel Manager:
  tunnel count: 3
  tunnel cache: 0
Tunnel Global Configuration:
  Acceleration: on
  Compression: on
  DiffServ: on
  Discovery: on
  Maintenance: off
  Firewall: on
  Packing: on
  Automatic MTU: on (but disabled due to shaping mode)
  MTU: 1500
  Password: <not configured>
Acceleration Settings:
  Congestion control:
  SCPS:
  FastStart:
  Server Prefetch:
  Client Prefetch:
Packing Timers:
  global:
  pack-n-go:
  latency sensitive:
  latency nonsensitive:
Tunnel Traffic:
  Received:
  Sent:
Compression Memory:
  Enhanced (free): 118751 KB, 115 MB
  Enhanced (total): 118751 KB, 115 MB
Algorithms:
  Stateless:
  Header:
  Normal:
  RETD UDPRT HDRIP HDRUDP HDRTCP HDRXTP HDRRTP NONE RETD CNA ICNA PRED1 PRED2 UDPRT
  Total: 12 algorithms
Default Algorithm: CNA 1M
Overrides:
  Service Table Overrides:
    User-created overrides: 0
    Number of services with overrides: 201
  Traffic Class Overrides:
    User-created overrides: 1
tunnel xtpping
Test connectivity of an Xpress tunnel or a partner PacketShaper. The tunnel xtpping command is similar to the tunnel ping command, but the difference is that a tunnel xtpping sends XTP packets while a tunnel ping sends IPComp (IP Payload Compression Protocol) packets. The xtpping command is useful for diagnosing any acceleration-related difficulties, especially with routing and/or firewalls.

tunnel xtpping <tunnel> | {<device> <target ip-address> [<bind ip-address>]}

<tunnel>
Name of the static or dynamic tunnel for which you want to test connectivity. To specify a dynamic tunnel, enter the name in the form of <xpress-IP>:<device> where <xpress-IP> is the Xpress-IP address of the tunnel partner and <device> is main (built-in) or upper, lower, left, or right (LEM). For example: 172.21.19.10:main.
<device>
Interface on the local unit from which connectivity is to be tested. <device> is one of the following:
  main   built-in interface
  upper  upper LAN Expansion Module (LEM)
  lower  lower LEM
  left   left LEM
  right  right LEM
<target ip-address>
The Xpress-IP address of an interface (main, upper LEM, lower LEM, left LEM, right LEM) on the partner PacketShaper. Note: Each interface on a PacketShaper has a unique Xpress-IP address.
[<bind ip-address>]
The IP address from which packets appear to originate. If not specified, the source address is the XIP of the interface. By specifying a bind address, the PacketShaper can emit a packet that appears to be coming from a local host, which detects whether a firewall is blocking local traffic while letting PacketShaper traffic through.
Ping Messages
The ping output indicates the round trip time in milliseconds of each packet sent, as well as summary statistics of the number of transmitted and received packets. After issuing the tunnel xtpping command, you will see one of the following messages:

Sample Message / Description:
- "Sent 5 packets, received 5.": Successful ping attempt; Xpress was able to connect to the specified tunnel/partner.
- Unsuccessful ping attempt: Xpress was not able to connect to the specified tunnel/partner.
- Partially successful attempt: Xpress was able to connect to the specified tunnel/partner but some packets were lost.
- Tunnel name is invalid or doesn't exist; you either typed the tunnel name incorrectly or the tunnel isn't up. Use the tunnel show command to see a list of valid tunnel names and states.
- Device name is invalid or doesn't exist; you either typed the device name incorrectly or the unit doesn't have the device installed.
- <target ip-address> entered was on the local unit. It should be the IP address of the partner unit.
Examples:

In the following example, all XTP packets were successfully received:

tunnel xtpping london
...binding to address 172.21.18.161
80 bytes from 172.21.18.163: icmp_seq=0 ... ms
80 bytes from 172.21.18.163: icmp_seq=1 ... ms
80 bytes from 172.21.18.163: icmp_seq=2 ... ms
80 bytes from 172.21.18.163: icmp_seq=3 ... ms
80 bytes from 172.21.18.163: icmp_seq=4 ... ms
Sent 5 packets, received 5.

tun xtpping test
...binding to address 172.21.18.161
80 bytes from 172.21.18.163: icmp_seq=0 ... ms
80 bytes from 172.21.18.163: icmp_seq=2 ... ms
80 bytes from 172.21.18.163: icmp_seq=3 ... ms
80 bytes from 172.21.18.163: icmp_seq=4 ... ms
Sent 5 packets, received 4.

tunnel xtpping main 172.21.18.165
...binding to address 172.21.18.161
No response from 172.21.18.165.
No response from 172.21.18.165.
No response from 172.21.18.165.
No response from 172.21.18.165.
unit assign
For PolicyCenter only

Assign a unit to a different PolicyCenter configuration. When a PacketShaper subscribes to PolicyCenter, PolicyCenter creates a unique configuration for that unit at the top of the configuration tree, then assigns the unit to that configuration.

PacketShapers running PacketWise 7.5 or later releases are not assigned directly to a sharable PolicyCenter configuration. When you assign a unit running 7.5 or later to a sharable configuration, the unit remains attached to its individual unique unit configuration, so that unit configuration will appear in the configuration tree below the sharable parent configuration to which it is assigned. Because the unit is not directly assigned to a sharable configuration, changes made to the individual unit configuration will not affect its sharable parent configuration. The unit will, however, continue to inherit the settings from its sharable parent.

PacketShapers running versions of PacketWise released before PolicyCenter 7.5.0 can be assigned directly to a PolicyCenter sharable configuration. Any change to that individual unit via the command-line or browser interface of the unit will alter the sharable configuration to which it is assigned, and any child configurations of that sharable parent. A unit running a pre-7.5.0 version of PacketWise will not appear in the PolicyCenter configuration tree. If you assign multiple units directly to the same sharable configuration, each of these pre-7.5.0 units must have a unique unit name. If you wish to assign a pre-7.5.0 unit to a sharable configuration that already has a unit with the same name, you must first rename one of the units.

unit assign <unit_name>|<unit_sn> [cfg_path]

<unit_name>
The name of the unit
<unit_sn>
The serial number of the unit
<cfg_path>
The path of the unit's new configuration. If you omit this parameter, the unit will be assigned to the current active configuration.
Note: You cannot assign a unit to a draft configuration. To try a draft configuration on a unit, use the command draft try.
unit clean
For PolicyCenter only

Deletes old unit status entries from the directory server, so that they will no longer clutter the config show command's output. You can specify the minimum age of entries to be deleted, where age is the number of seconds since the corresponding unit has reported status to the directory server. Does not delete any configurations.

unit clean [<age in seconds>]
unit details
Display detailed information about the selected unit, such as model number, serial number, IP address, image version, PolicyCenter information, and the unit's banner messages.

unit details <unit_name>|<unit_sn>

<unit_name>
The name of the unit
<unit_sn>
The serial number of the unit

For example:

Serial number        085-10000215
Unit name            Unit1
Model                8500
Status update age    19
Uptime               136 hrs
IP address           172.21.18.160
HTTPS port
Domain name          ? (unknown)
Configuration name   /default
Image Version        PacketWise v7.2.1
Description          (none)

banner /compression, notice, 05 Oct 04 14:07, Notice: Compression is turned off.
banner /dioutl/power1, warn, 05 Oct 04 14:07, Power supply 1 FAILED.
banner /traffic/setup/shaping_state, notice, 05 Oct 04 14:07, Packet shaping: off.

The status update age is the number of seconds that has elapsed since the unit confirmed its connection to PolicyCenter, while the uptime is the number of hours that the unit has reported a consistent connection. (After resetting the unit, the uptime will be 0.)
unit migrate
(for PolicyCenter and Units in Shared Mode)

Assign a PacketShaper in shared mode to a different PolicyCenter directory server. When you assign PacketShapers from the core directory server to a nearby edge directory server, that edge server assumes much of the processing load previously managed by the core directory server, allowing for faster response times by both servers.

Important: Only assign PacketShapers running PacketWise version 7.5 or later releases to an edge directory server. Assigning a unit running an earlier version of PacketWise to an edge directory server can cause errors on the unit. Assign units with earlier versions of software to the core directory server only.

unit migrate <unit_name>|<unit_sn> <ds host>

<unit_name>
The name of the unit
<unit_sn>
The serial number of the unit
<ds host>
The IP address of the edge or core directory server to which the unit will be assigned.
unit rename
Give a new name or assign a different name to a PacketShaper. You can identify the unit by unit name or serial number.

unit rename <unit_name>|<unit_sn> <unit_name>

<unit_name>
The name of the PacketShaper; the name can be up to 20 characters long and may include alphanumeric characters, dashes (-), underlines (_), and periods (.) and may not contain spaces.
<unit_sn>
The serial number of the PacketShaper

The following example identifies a unit by its serial number and gives it the name ShaperOne.

unit rename 025-10000215 ShaperOne
unit show

Display information for all PacketShapers assigned to PolicyCenter, such as serial number, unit name, the name of its assigned PolicyCenter configuration, and the unit's domain name and IP address.

unit show

Note: Although unit names can be up to 20 characters long, the unit show output displays only the first 16 characters of the name.
unit versions

Identify the software version of each unit assigned to PolicyCenter.

unit versions

For example:

unit versions
Checksum    IP Address     Type  Version
4066331225  172.21.18.170  STD   v7.0.0g1 2005-07-19
4066331225  172.21.18.172  STD   v7.0.0g1 2005-07-19
4066331225  172.21.18.173  STD   v7.0.0g1 2005-07-19
2043423021  172.21.18.152  ISP   v6.2.0g1 2005-05-19
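Two checks an administrator would script around this output, as an added example that is not part of the manual or of PacketWise: units reporting the same version string should report the same image checksum (a differing checksum on one unit is worth investigating before trusting its software), and the unit migrate section above says only units on PacketWise 7.5 or later may be assigned to an edge directory server. The sample listing is a constructed copy of the example above; the last two rows (a checksum outlier and a unit on a 7.5 release) are assumptions added to exercise the checks.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the `unit versions` listing. The last two rows
# are assumptions added for the demonstration; they are not from the manual.
SAMPLE_OUTPUT = """\
Checksum    IP Address     Type  Version
4066331225  172.21.18.170  STD   v7.0.0g1 2005-07-19
4066331225  172.21.18.172  STD   v7.0.0g1 2005-07-19
4066331225  172.21.18.173  STD   v7.0.0g1 2005-07-19
2043423021  172.21.18.152  ISP   v6.2.0g1 2005-05-19
1234567890  172.21.18.199  STD   v7.0.0g1 2005-07-19
5555555555  172.21.18.200  STD   v7.5.1g1 2006-01-10
"""

ROW_RE = re.compile(
    r"^(?P<checksum>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<type>\S+)\s+(?P<version>v\S+)\s+(?P<build>\S+)\s*$"
)


def parse_unit_versions(text):
    """Return one dict per unit row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def version_tuple(version):
    """'v7.0.0g1' -> (7, 0, 0); the trailing build tag (g1) is ignored."""
    m = re.match(r"v(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def checksum_outliers(rows):
    """Units whose image checksum differs from the most common checksum
    reported for the same version string: {version: [ip, ...]}."""
    by_version = defaultdict(list)
    for r in rows:
        by_version[r["version"]].append(r)
    outliers = {}
    for version, group in by_version.items():
        expected, _ = Counter(r["checksum"] for r in group).most_common(1)[0]
        bad = [r["ip"] for r in group if r["checksum"] != expected]
        if bad:
            outliers[version] = bad
    return outliers


def edge_eligible(rows, minimum=(7, 5, 0)):
    """Split units into those meeting the minimum version for an edge
    directory server and those that must stay on the core server."""
    ok, too_old = [], []
    for r in rows:
        target = ok if version_tuple(r["version"]) >= minimum else too_old
        target.append(r["ip"])
    return ok, too_old


if __name__ == "__main__":
    units = parse_unit_versions(SAMPLE_OUTPUT)
    print("checksum outliers:", checksum_outliers(units))
    print("edge-eligible / core-only:", edge_eligible(units))
```

The version comparison deliberately drops the build tag, so a 7.5.0 unit with any build suffix counts as eligible; compare the full string instead if your deployment pins builds.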
unzip

Extract files from a ZIP file. For example, after uploading a zipped set of customer portal pages, you can use the unzip command to extract the files. If no options are specified, all files in the ZIP file are extracted to the current directory and you will be prompted before existing files are overwritten. Optionally, you can specify a list of files to extract or not to extract, and place the extracted files in their own directory.

unzip [<modifiers>] <file>[.zip] [<list>] [-x <xlist>] [-d <exdir>]

where valid modifiers are:

-l  lists the files in the archive, along with their size, date, and time
-n  don't overwrite existing files
-o  overwrite existing files without prompting
-q  quiet operation; gives no feedback during the unzipping process (the command output doesn't list the files as they are being extracted). However, you will still be prompted to overwrite existing files unless the -o option is used.

When you specify multiple modifiers, you need only one dash, for example -oq.

The other optional parameters you can use are:

<list>      a list of files to be extracted from the archive; separate each filename with a space
            Note: You must enter the filenames with the same upper- and lower-case that appears in the ZIP file.
-x <xlist>  a list of files that should not be extracted from the archive; separate each filename with a space
            Note: You must enter the filenames with the same upper- and lower-case that appears in the ZIP file.
-d <exdir>  the name of the directory in which to place the extracted files. If the directory doesn't exist, it will be created automatically.

Examples:

unzip config.zip <-- all the files in the ZIP are extracted

Archive: config.zip
  Length    Date    Time
 -------    ----    ----
   64032  07-30-04  15:20
    3364  08-04-04  11:35
     600  12-16-03  09:46
 -------
   67996

unzip -qo test.zip <-- all the files in the ZIP are extracted and existing files are automatically overwritten; there is no screen output because of the -q modifier

unzip config config.ldi settings.cfg <-- only two files in the ZIP are extracted

Archive: config.zip
replace config.ldi? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
  inflating: config.ldi
 extracting: settings.cfg

unzip config -d testdir <-- extracts all files and puts them in the testdir directory
update

Check the availability of plug-ins on the Packeteer update server and download specific or all available plug-ins. Note that this command won't work on all networks (for instance, if the corporate LAN is private or a security policy or firewall is in place); in that situation, you will need to download the plug-in file from the Packeteer support website using a computer that is not subject to these restrictions.

update [-id] [class|comp|wui]

where:

-i  Interactive mode displays a list of available plug-ins and allows you to select which ones to download. It lists all plug-ins that are applicable to the version of PacketWise you are using. You can specify the plug-in(s) you want to download by typing any of the following:
    - the index number next to the plug-in name (to download a single plug-in)
    - a range of valid index numbers, for instance 1-3 (to download a range of plug-ins)
    - index numbers and ranges separated by commas, for instance 2,4, 6-8, 10 (to download several plug-ins)
    - all (to download all listed plug-ins)
    - exit (to exit the command without downloading any plug-ins)
-d  Show detailed information about each plug-in, including filename, description, and type
    Note: If you want to list details on each plug-in and also be able to select which plug-ins to download, use both the -i and -d parameters (for example, update -id or update -i -d).

By default, the update command checks the availability of all types of new plug-ins. Alternatively, you can specify a plug-in type: class, comp, or wui.

The update command copies the plug-in files to the PLG directory on the flash drive (9.256/), but they are not activated until you reset the unit using the reset command.

Example:

update -i

Index  Name         Version  Type
-----------------------------------------
1      SMS Pre-SP2  1.0.1.0  Classification
2      SSL          1.0.0.0  Classification
3      Winny        1.0.0.0  Classification

Do you want to download them now? [1,2-5,7] or [all] or [exit]: 1,3
Downloading file sms.plg... Done!
Downloading file winny.plg... Done!
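The selection syntax accepted at the interactive prompt (single index, range, comma-separated mix, all, exit), implemented as an added example that is not PacketWise code. Useful when wrapping the command in an automation script that has to validate an operator's answer before sending it, or when reviewing which plug-in files a given answer would have pulled onto the unit. The index-to-name listing is a constructed copy of the example above.

```python
import re

# Constructed listing modelled on the `update -i` example: index -> plug-in name.
LISTING = {1: "SMS Pre-SP2", 2: "SSL", 3: "Winny"}


def parse_selection(text, available):
    """Expand a selection string into a sorted list of plug-in index numbers.

    `available` is the set of index numbers shown in the listing. Returns []
    for 'exit'. Raises ValueError for anything the prompt would not accept
    (unknown index, reversed range, non-numeric item).
    """
    s = text.strip().lower()
    if s == "exit":
        return []
    if s == "all":
        return sorted(available)
    chosen = set()
    for part in re.split(r"\s*,\s*", s):
        if not part:                      # tolerate a trailing comma
            continue
        m = re.fullmatch(r"(\d+)(?:\s*-\s*(\d+))?", part)
        if not m:
            raise ValueError(f"unrecognised selection item: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi:
            raise ValueError(f"reversed range: {part!r}")
        missing = [i for i in range(lo, hi + 1) if i not in available]
        if missing:
            raise ValueError(f"index not in listing: {missing}")
        chosen.update(range(lo, hi + 1))
    return sorted(chosen)


def is_valid_selection(text, available):
    """True if the prompt would accept `text` for this listing."""
    try:
        parse_selection(text, available)
        return True
    except ValueError:
        return False


def select_plugins(text, listing=LISTING):
    """Map a selection string to the plug-in names that would be downloaded."""
    return [listing[i] for i in parse_selection(text, set(listing))]


if __name__ == "__main__":
    print(select_plugins("1,3"))        # the answer given in the example above
    print(parse_selection("2,4, 6-8, 10", set(range(1, 11))))
```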
PacketGuide for PacketWise 8.3
uptime

Determine how long the unit has been up and running. It measures the time since the unit was booted, either from a power-up or a software reset.

uptime
version

Display the PacketWise software version, model, serial number, and memory capacity. Use the verbose option to list the part number, the inside and outside MAC addresses, installed keys, and installed plug-ins.

version [verbose]
watch add

Add a router to the watch mode router list (the routers whose traffic is being monitored).

Note: The watch mode feature is not available on the PacketShaper 1200 or 1400 Lite models.

watch add <name> <IP address>|<MAC address>

where

<name>                        Description of the router; up to 32 characters (no spaces are allowed; the only special characters allowed are colon, dash, underline, and period)
<IP address> | <MAC address>  IP address of the router, for example 172.21.18.190, or MAC address of the router, for example 08:00:20:c0:56:a6
                              Note: Enter the IP address or the MAC address, not both.

Example:

watch add router1 10.10.10.10

A PacketShaper in watch mode can monitor traffic from up to 256 routers. You can identify a router by its IP or MAC address; if you enter an IP address, PacketWise will attempt to resolve its MAC address. Note that when the PacketShaper doesn't have two-way communication with the end host, you will need to define the router by its MAC address. For example, when the PacketShaper is connected to a switch's SPAN port, the unit receives copies of the packets that go through the switch, but communication is one way, so it cannot send ARP requests to determine the router's MAC address. In this case, you would need to define the router by its MAC address, not its IP address.

See also:
Watch Mode Overview
Watch Mode Address Resolution
watch delete

Delete a router from the watch mode router list.

Note: The watch mode feature is not available on the PacketShaper 1200 or 1400 Lite models.

watch remove <name>

where <name> is the name that was defined when the router was added. To see a list of defined router names, use the watch show command.

Example:

watch remove router1

See also: watch add
watch interval

Modify the watch mode resolve interval. The interval is the frequency at which the PacketShaper sends out ARP requests to resolve MAC addresses for routers that were configured by IP address. The default is 1800 seconds (30 minutes). The minimum interval is 300 seconds (5 minutes) and the maximum is 7200 seconds (2 hours).

Note: The watch mode feature is not available on the PacketShaper 1200 or 1400 Lite models.

watch interval <seconds>

To see what the current resolve interval is, use the watch show command.
watch show

Display the watch mode configuration. The output lists the current management port, resolve interval, and configured watch mode routers.

Note: The watch mode feature is not available on the PacketShaper 1200 or 1400 Lite models.

watch show

Example:

watch show
Watch Mode Status: Enabled
Management Port: Outside port(s)
Resolve Interval: 1800 seconds

Name       IP Address     MAC Address
-----------------------------------------------
router8    172.21.18.104  (unresolved)
router7    172.21.18.103  (unresolved)
router6    172.21.18.102  00:10:7b:3c:30:39
router5    172.21.18.101  08:00:20:c0:56:a6
router4    172.21.18.100  00:03:e3:6b:46:c2
router3    172.14.57.180  00:03:e3:6b:46:c2
router2    (none)         01:02:03:04:05:06
router9    172.21.18.106  (unresolved)
router10   172.21.18.109  00:60:fb:60:1f:16

The following information is displayed in this screen:

Watch Mode Status
    Indicates whether watch mode is currently enabled or disabled.

Management Port
    Indicates which port PacketWise has determined will be used to manage the unit. Possible choices are:
    MGMT             The MGMT port (certain models only)
    Inside           The built-in INSIDE port
    Upper_Inside     The INSIDE port on the upper LEM
    Lower_Inside     The INSIDE port on the lower LEM
    Right_Inside     The INSIDE port on the right LEM
    Left_Inside      The INSIDE port on the left LEM
    Outside port(s)  No MGMT or INSIDE port is connected; you can manage the unit through whichever OUTSIDE port is connected to the network
    The management port is not user-definable. PacketWise decides which port to use for management access by checking which ports are connected. If an INSIDE or MGMT port isn't connected to a network, the OUTSIDE port can be used for management. If more than one INSIDE port is connected, only one will be active and pass traffic; the other connected ports will provide redundant management access. PacketWise decides which port to use for management access according to the following order: MGMT (if available), built-in INSIDE, upper/right LEM INSIDE, lower/left LEM INSIDE.
    Note: If the Dedicated Management Port feature is enabled, you will only be able to access the unit through the MGMT port; you cannot manage via any other port.

Resolve Interval
    The frequency at which an ARP request is sent out to resolve an IP address to its MAC address; the default is 1800 seconds (30 minutes). See watch interval.

Name, IP Address, MAC Address
    The list of configured routers. If a router is defined by its IP address, PacketWise will poll the router to determine its MAC address and fill it into the MAC Address column. If (unresolved) appears in the MAC Address column, the router's MAC address has not yet been resolved. If (none) appears in the IP Address column, the router was defined by its MAC address. Use the watch add command to configure routers and the watch delete command to remove them from the list.
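A parser for the watch show listing together with the checks a practitioner would run over it, as an added example that is not part of the manual or of PacketWise: routers still showing (unresolved) after a full resolve interval (a wrong IP, a one-way link where the router should have been defined by MAC address, or a host that never answers ARP), routers defined by MAC only, and a MAC address shared by more than one router entry (the manual's own sample lists router4 and router3 with the same MAC, which a change in switch topology or a mistyped address can produce). It also encodes the watch add name rule and the watch interval limits from the sections above. The sample text is a constructed copy of the example listing.

```python
import re
from collections import defaultdict

# Constructed copy of the `watch show` listing from the manual, used as offline input.
SAMPLE_WATCH_SHOW = """\
Watch Mode Status: Enabled
Management Port: Outside port(s)
Resolve Interval: 1800 seconds

Name       IP Address     MAC Address
-----------------------------------------------
router8    172.21.18.104  (unresolved)
router7    172.21.18.103  (unresolved)
router6    172.21.18.102  00:10:7b:3c:30:39
router5    172.21.18.101  08:00:20:c0:56:a6
router4    172.21.18.100  00:03:e3:6b:46:c2
router3    172.14.57.180  00:03:e3:6b:46:c2
router2    (none)         01:02:03:04:05:06
router9    172.21.18.106  (unresolved)
router10   172.21.18.109  00:60:fb:60:1f:16
"""

ROUTER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}|\(none\))\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}|\(unresolved\))$", re.I
)
FIELD_RE = re.compile(r"^(Watch Mode Status|Management Port|Resolve Interval):\s*(.+?)\s*$")


def parse_watch_show(text):
    """Return {'watch_mode_status', 'management_port', 'resolve_interval', 'routers'}."""
    cfg = {"routers": []}
    for line in text.splitlines():
        line = line.strip()
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Resolve Interval":
                cfg["resolve_interval"] = int(value.split()[0])   # "1800 seconds"
            else:
                cfg[key.lower().replace(" ", "_")] = value
            continue
        m = ROUTER_RE.match(line)
        if m:                       # header and dashed separator lines do not match
            cfg["routers"].append(m.groupdict())
    return cfg


def unresolved_routers(cfg):
    """Routers defined by IP whose MAC address has not been resolved yet."""
    return [r["name"] for r in cfg["routers"] if r["mac"] == "(unresolved)"]


def mac_only_routers(cfg):
    """Routers defined by MAC address (the form needed on one-way links such as a SPAN port)."""
    return [r["name"] for r in cfg["routers"] if r["ip"] == "(none)"]


def duplicate_macs(cfg):
    """Resolved MAC addresses shared by more than one router entry: {mac: [names]}."""
    seen = defaultdict(list)
    for r in cfg["routers"]:
        if r["mac"] != "(unresolved)":
            seen[r["mac"].lower()].append(r["name"])
    return {mac: names for mac, names in seen.items() if len(names) > 1}


def valid_router_name(name):
    """`watch add` name rule: up to 32 characters, no spaces, and only colon,
    dash, underline and period as special characters."""
    return re.fullmatch(r"[A-Za-z0-9:._-]{1,32}", name) is not None


def valid_interval(seconds):
    """`watch interval` accepts 300 to 7200 seconds (default 1800)."""
    return 300 <= seconds <= 7200


if __name__ == "__main__":
    cfg = parse_watch_show(SAMPLE_WATCH_SHOW)
    print("unresolved:", unresolved_routers(cfg))
    print("MAC-only:", mac_only_routers(cfg))
    print("duplicate MACs:", duplicate_macs(cfg))
```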
wccp default

Returns redirection to its default on/off state. The default is off for PacketShapers and PolicyCenter and on for iShapers.

wccp default
This command does not enable redirection. (You must use the wccp on command to begin redirection.) When a device isn't configured, the INSIDE built-in interface will be used for redirection.
After you remove the last device, redirection will automatically be disabled (as if you had run the wccp off command).

Command Change History
<ip-address>/<cidr>  Address of the subnet; the CIDR number specifies the number of constant bits in the address range. Example: 10.0.0.0/8

The <port> can be a single TCP port number (for example, 80) or a range of port numbers (such as 1-80).

Examples:

To redirect port 80 for all hosts:
wccp filter add src ip all dst ip all port 80
or simply:
wccp filter add port 80

To redirect from a subnet:
wccp filter add src ip 10.7.38.0/24

To redirect all ports for destination servers 1.1.1.1 and 2.2.2.2:
wccp filter add dst ip 1.1.1.1 port all
wccp filter add dst ip 2.2.2.2 port all

To redirect port 80 for destination server 1.1.1.1:
wccp filter add dst ip 1.1.1.1 port 80

Note: If the service ID is set to 0 (zero), PacketShaper will redirect port 80 (HTTP) traffic only and the ports portion of the filter will be ignored. (See wccp service-id.)
<ip-address>/<cidr>  The address of the subnet; the CIDR number specifies the number of constant bits in the address range. Example: 10.0.0.0/8

The <port> can be a single TCP port number (for example, 80) or a range of port numbers (such as 1-80).

Examples:

To remove a subnet source filter:
wccp filter remove src ip 10.7.38.0/24

To remove filters for port 80 traffic to destination server 1.1.1.1:
wccp filter remove dst ip 1.1.1.1 port 80
Notes:
- You must remove the same filter that was added; you cannot remove a subset. For example, if you added a filter for a range of addresses (1.1.1.1-1.1.1.5), you cannot remove a single address in this range (1.1.1.4).

Command Change History
wccp filter show
Redirection filters:
Source: all, destination: 1.1.1.1, port: 80
Source: 10.7.38.0-10.7.38.255, destination: all, port: all
Total filters: 2
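A small model of the redirection filter list, as an added example that is not Packeteer's code and does not claim to reproduce PacketWise internals. It covers the three behaviours described in the wccp filter add, wccp filter remove and wccp filter show sections: a filter is a source range, a destination range and a port range, each of which may be "all"; only a filter identical to one that was added can be removed (a subset of an existing range is rejected); and, when the service ID is 0, only port 80 traffic is redirected and the port part of every filter is ignored. The matches method answers only whether a flow matches a configured filter; what happens when no filters are configured is not stated on the page and is not modelled. The addresses used in the test are the manual's own plus documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPRange = Optional[Tuple[int, int]]     # None means "all"
PortRange = Optional[Tuple[int, int]]   # None means "all"


def parse_ip_spec(spec):
    """'all' -> None; '10.7.38.0/24' or '1.1.1.1' -> (first, last) as ints."""
    if spec == "all":
        return None
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_port_spec(spec):
    """'all' -> None; '80' -> (80, 80); '1-80' -> (1, 80)."""
    if spec == "all":
        return None
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not (0 < lo <= hi <= 65535):
        raise ValueError(f"bad port spec: {spec!r}")
    return lo, hi


@dataclass(frozen=True)
class Filter:
    src: IPRange
    dst: IPRange
    port: PortRange

    @classmethod
    def from_args(cls, src="all", dst="all", port="all"):
        return cls(parse_ip_spec(src), parse_ip_spec(dst), parse_port_spec(port))

    def __str__(self):
        # Same layout as the `wccp filter show` lines in the manual.
        def ips(r):
            if r is None:
                return "all"
            a, b = ipaddress.ip_address(r[0]), ipaddress.ip_address(r[1])
            return str(a) if a == b else f"{a}-{b}"

        def ports(r):
            if r is None:
                return "all"
            return str(r[0]) if r[0] == r[1] else f"{r[0]}-{r[1]}"

        return f"Source: {ips(self.src)}, destination: {ips(self.dst)}, port: {ports(self.port)}"


class RedirectionFilters:
    def __init__(self, service_id=99):       # 99 is the manual's default service ID
        self.service_id = service_id
        self.filters = []

    def add(self, **kw):
        f = Filter.from_args(**kw)
        if f not in self.filters:
            self.filters.append(f)
        return f

    def can_remove(self, **kw):
        """Only a filter identical to one that was added can be removed."""
        return Filter.from_args(**kw) in self.filters

    def remove(self, **kw):
        f = Filter.from_args(**kw)
        if f not in self.filters:
            raise KeyError(f"no such filter (a subset of a range cannot be removed): {f}")
        self.filters.remove(f)

    def show(self):
        lines = ["Redirection filters:"] + [str(f) for f in self.filters]
        lines.append(f"Total filters: {len(self.filters)}")
        return "\n".join(lines)

    def matches(self, src, dst, port):
        """Does a flow match a configured filter? With service ID 0 only port 80
        is redirected and the port part of every filter is ignored."""
        s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
        if self.service_id == 0 and port != 80:
            return False
        for f in self.filters:
            if f.src is not None and not (f.src[0] <= s <= f.src[1]):
                continue
            if f.dst is not None and not (f.dst[0] <= d <= f.dst[1]):
                continue
            if self.service_id != 0 and f.port is not None and not (f.port[0] <= port <= f.port[1]):
                continue
            return True
        return False


if __name__ == "__main__":
    fl = RedirectionFilters()
    fl.add(dst="1.1.1.1", port="80")
    fl.add(src="10.7.38.0/24")
    print(fl.show())
```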
wccp off

Disable WCCP-based traffic redirection. PacketShaper will no longer redirect traffic to a cache device (e.g., iShared appliance).

wccp off [<device>] [<device>]

You can simultaneously disable redirection and remove the interfaces for redirection by specifying one or two devices, where <device> is one of the following:
- inside (or main_inside)
- outside (or main_outside)
- lower_inside, left_inside, or backup_inside
- lower_outside, left_outside, or backup_outside
- upper_inside or right_inside
- upper_outside or right_outside

Notes:
- If only one device is specified (but two are configured), the specified device will be removed, but redirection will still be enabled on the remaining configured device.
- Redirection stops immediately after the wccp off command is issued. However, the session remains active for about a minute.
- If no devices are specified, redirection is disabled but the devices remain configured.
- If all configured devices are specified, the devices are removed and redirection is disabled.
wccp on

Enable WCCP-based traffic redirection to the cache device (e.g., iShared appliance). By default, redirection is off for PacketShapers and PolicyCenter and on for iShapers.

wccp on [<device>] [<device>]

You can simultaneously enable redirection and define the interfaces for redirection by specifying one or two devices, where <device> is one of the following:
- inside (or main_inside)
- outside (or main_outside)
- lower_inside, left_inside, or backup_inside
- lower_outside, left_outside, or backup_outside
- upper_inside or right_inside
- upper_outside or right_outside

If two interfaces are specified, they must be on the same device.
wccp password

Set or clear an MD5 password for authentication.

wccp password set <password> | clear

The password can be up to 19 characters in length. To enter a password containing spaces, enclose the string in quotes. To avoid confusion, do not use leading or trailing spaces in the password or specify an empty string (""). Because MD5 authentication is not supported in iShared, setting the password in PacketShaper will prevent it from being paired with iShared. The password should only be used when redirecting traffic to a cache device that supports the password function of WCCPv2. To view the password, use the wccp show -pw command.

Example:

wccp password set "test password"
wccp reset

Remove all WCCP configuration settings (devices, filters, password, and so forth), returning all settings to their defaults.

wccp reset

You will be asked to confirm the reset before the settings are cleared.
wccp service-id

Set the WCCP v2 service group ID number.

wccp service-id <id>

where <id> is 0 or a number from 51 to 255. The default service ID is 99, which is the default ID used by iShared. The service ID configured on the PacketShaper must match the ID configured on iShared. If service group ID 0 is specified, the PacketShaper will redirect port 80 (HTTP) traffic only, and the port portion of any defined filters will be ignored.

Note: If iShared disconnects from a service group, all client connections will be disconnected.
wccp show

Show the current configuration for redirection.

wccp show [all|config|filter|status] [-pw]

where

config  Displays configuration settings only
filter  Displays a list of configured filters
status  Shows the run-time status of redirection: whether redirection is occurring (an active status), the IP address of the cache device PacketShaper is connected to, the number of redirected packets, and the number of packets that were returned because the traffic couldn't be optimized.
all     Displays configuration settings and filters
-pw     Displays the PacketShaper's redirection password (in touch mode only) in addition to the other redirection configuration settings

Examples

wccp show
Configuration:
  WCCP admin status:    enabled
  Redirection device:   Main_inside
  Service-id:           <not configured> (using 99)
  Cache-ip filter:      172.21.18.160
  Password:             <not configured>
  Redirection filters:  <configured>

wccp show filter
Redirection filters:
Source: all, destination: 1.1.1.1, port: 80
Source: all, destination: all, port: 333
Source: 10.7.38.0-10.7.38.255, destination: all, port: all
Total filters:

Notes:
- The parameters can be strung together in one command. For instance, if you want to view the filters and the status, you can issue the command wccp show filter status.
zip

Compress one or more files on the PacketShaper into a standard ZIP file. You can use the zip command to compress files before downloading them to a PC. For example, you can compress a set of customer portal files, measurement data dumps that have been exported to text files, or diagnostic logs in the 9.258/measure directory. Files are copied into the ZIP file, not moved.

zip [-r|-q|-v|-h] <zipfile> <filelist>

where

-r          recurse into directories; zips all of a directory's contents, including any nested directories
-q          quiet operation; gives no feedback during the zipping process (the command output doesn't list the files as they are being added)
-v          verbose operation; lists additional details about the zipping process, such as original file sizes, compressed file sizes, and totals
-h          help; displays the zip command usage
<zipfile>   name of the zip file (up to 8 characters); typing the ZIP extension is optional, as it will be appended automatically. If <zipfile> already exists, the files will be added to the existing file.
<filelist>  names of the files to be zipped, each name separated by a space

Examples:

  adding: config.ldi(0) (deflated 94%)
  adding: settings.cfg(0) (stored 0%)
  adding: basic.cfg(0) (stored 0%)

zip -q config.zip config.ldi settings.cfg basic.cfg <-- there is no screen output because of the -q modifier

zip -v config.zip config.ldi settings.cfg basic.cfg <-- the v(erbose) option lists additional details

  adding: config.ldi(0) (in=64032) (out=4146) (deflated 94%)
  adding: settings.cfg(0) (in=3364) (out=3364) (stored 0%)
  adding: basic.cfg(0) (in=600) (out=600) (stored 0%)
total bytes=67996, compressed=8110 -> 88% savings