XOS Command Reference Guide

Version #: XOS Version 9.5.1

Part Number 03393L March 2011

Copyright and Trademark Information


Copyright 2011 by Crossbeam Systems
Boxborough, MA, USA
All Rights Reserved

The products, specifications, and other technical information regarding the products contained in this document are subject to change without notice. All information in this document is believed to be accurate and reliable, but is presented without warranty of any kind, expressed or implied, and users must take full responsibility for their application of any products specified in this document. Crossbeam Systems disclaims responsibility for errors that may appear in this document, and it reserves the right, in its sole discretion and without notice, to make substitutions and modifications in the products and practices described in this document.

This material is protected by the copyright and trade secret laws of the United States and other countries. It may not be reproduced, distributed, or altered in any fashion by any entity (either internal or external to Crossbeam Systems), except in accordance with applicable agreements, contracts, or licensing, without the express written consent of Crossbeam Systems.

For permission to reproduce or distribute please contact your Crossbeam Systems account executive.

This product includes software developed by the Apache Software Foundation: www.apache.org.

Crossbeam, Crossbeam Systems, X-Series, XOS, X20, X30, X45, X60, X80, X80-S, and any logos associated therewith are trademarks or registered trademarks of Crossbeam Systems, Inc. in the U.S. Patent and Trademark Office, and several international jurisdictions. All other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies.

Contents
About This Guide
Intended Audience
Related Documentation
Conventions
  Typographical Conventions
  Cautions, Warnings, and Notes
  IPv6 Address Notation
Customer Support

Chapter 1: Introduction to the Command Line Interface


Accessing the Command-Line Interface
  Using a Serial Connection to Access the CLI
  Using an Ethernet Connection to Access the CLI over a LAN
Using the CLI
  Understanding Command Structure and Command Syntax
  Understanding CLI Contexts
  Understanding Command Privilege Levels
  Editing the Command Line
  Entering User-defined Strings
  Understanding CLI Syntax Error Messages
  Getting Help
  Logging Out of the CLI Session

Chapter 2: CLI Command Changes in XOS V9.5.1


New and Changed XOS CLI Commands
Removed Commands
Commands Unavailable on the X20, X30, and/or X60 Chassis

Chapter 3: Basic CLI Console Commands


Commands for Moving to a Higher-Level CLI Context
  end
  exit
Commands for Navigating the Directory Structure on the CPM
  cd
  dir
  pwd
Commands for Configuring the CLI Console Display
  clear-screen
  configure prompt
  prompt
  configure terminal history
  terminal history
  enable more
CLI Help Commands
  Question Mark (?) Command
  help
  show vrrp detail-status-help

Chapter 4: Commands for Configuring the X-Series Platform to Enable System Management
Commands for Configuring System Management Settings
  calendar
  configure dns search-name

  configure dns server
  configure hostname
  configure ip domainname
  configure ip forwarding
  configure ip ftp
  configure ip ssh
  configure ip telnet
  configure ldap-server
  configure ldap-parameter
  cp-next-boot
  configure np-reload-timeout
  configure np-reset-wait-time
  configure ntp server
  configure operating-mode
  configure radius-server host
  configure system-identifier
  configure system-internal-network
  configure timeout
  timeout
  configure timezone
  configure web-server
  configure web-timeout
  configure web-wizard
Commands for Configuring X-Series Platform Management Interfaces
  configure management
  enable (conf-mgmt-gig context)
  access-list (conf-mgmt-gig context)
  ip-addr (conf-mgmt-gig context)
  ip-alias (conf-mgmt-gig context)
  ip-nat inside (conf-mgmt-gig context)
  ip-nat outside (conf-mgmt-gig context)
  mac-addr (conf-mgmt-gig context)
  mtu (conf-mgmt-gig context)
  speed (conf-mgmt-gig context)
  show (conf-mgmt-gig context)
  configure management ip-route
  configure management default-gateway
  configure management arp
  configure access-list <ID_number> {deny | permit} ip
  configure access-list <ID_number> {deny | permit} tcp
  configure access-list <ID_number> {deny | permit} udp
  configure access-list <ID_number> {deny | permit} icmp
  configure access-list <ID_number> {deny | permit} protocol-number
Commands for Configuring User Accounts and Managing User Access to the X-Series Platform
  configure username
  configure password
  configure reset-password
  configure privilege level
  enable level
  configure enable password
  disconnect ssh
  broadcast
  lock-config
  logout
Commands for Configuring System Alarms and Logs
  audit-trail
  configure enable alarm
  configure facility-alarm cpu
  configure facility-alarm cpu-core

  configure facility-alarm disk-usage-boot
  configure facility-alarm disk-usage-cbconfig
  configure facility-alarm disk-usage-mgmt
  configure facility-alarm disk-usage-root
  configure facility-alarm disk-usage-tftpboot
  configure facility-alarm disk-usage-var
  configure facility-alarm free-memory
  configure snmp-server community
  configure snmp-server host
  configure snmp-server contact
  configure snmp-server location
  configure snmp-server engine-id
  configure snmp-user
  configure rmon event
  configure rmon alarm
  configure logging console
  configure logging monitor
  configure logging server
  logging
Commands for Configuring Chassis Resource Protection
  configure chassis-resource-protection
  flow-table-partition (conf-resource-protection context)
  flow-table-profile (conf-flow-table-partition context)
  table-limit-action (conf-rp-table-profile context)
  backup-flow-info (conf-rp-table-profile context)
  fragment-handling-options (conf-resource-protection context)
  selective-drop (conf-rp-frag-handlings context)
  allow-fragment-overlap (conf-rp-select-drop context)
  limit-fragment-queue (conf-rp-select-drop context)
  ip-id-validation (conf-rp-frag-handlings context)
  tcp-overlap-protection (conf-rp-frag-handlings context)
  tcp-flow-validation (conf-resource-protection context)
  bypass-tcp-flow-setup-validation (tcp-flow-validation context)
  packet-validation
  validate-ip-packet (conf-pkt-validation context)
  validate-tcp-packet (conf-pkt-validation context)
  validate-tcp-xsum (conf-pkt-validation context)
Commands for Configuring CPM Redundancy
  configure cp-redundancy
  set (config-cp-redundancy context)
  configure management vip-addr
  configure cp-action {cp1 | cp2} disk-error
  cp-unknown-state
Commands for Accessing Other Systems from the CPM
  CLI command: ssh
  Unix Commands: ftp, telnet, ssh, rsh

Chapter 5: Commands for Configuring and Managing VAP Groups


Commands for Creating and Configuring a VAP Group
  configure vap-group
  vap-count (config-vap-grp context)
  max-load-count (config-vap-grp context)
  max-reload-count (config-vap-grp context)
  ap-list (config-vap-grp context)
  load-balance-vap-list (config-vap-grp context)
  load-priority (config-vap-grp context)
  preemption-priority (config-vap-grp context)
  raid (config-vap-grp context)

  enable-ipv6 (conf-vap-grp context) (IPv6)
  ip-forwarding-ipv6 (enable-ipv6 context) (IPv6)
  ip-flow-rule (config-vap-grp context)
  non-ip-flow-rule (config-vap-grp context)
  ip-forwarding (config-vap-grp context)
  fail-to-host (config-vap-grp context)
  flow-proxy (config-vap-grp context)
  jumbo-frame (config-vap-grp context)
  scatter-gather (config-vap-grp context)
  reload-timeout (config-vap-grp context)
  vg-reset-wait-time
  delay-flow (config-vap-grp context)
  application-monitor (config-vap-group context)
  master-failover-trigger application (config-vap-grp context)
  master-holddown (config-vap-grp context)
  dhcp-relay-server-list (config-vap-grp context)
  rp-filter (config-vap-grp context)
  log-martians (config-vap-grp context)
  show (config-vap-grp context)
Commands for Managing User Access to a VAP Group
  configure host
  vap-group-password
  vap-group-password-expiration
Commands for Installing, Configuring, and Managing an Application on a VAP Group
  application
  application-update
  application-upgrade
  application-remove
  show application
  show application vap-group
  archive-vap-group backup
  archive-vap-group restore
  archive-vap-group delete
  archive-vap-group show
Commands for Installing, Configuring, and Managing Routing Software and Routing Protocols on a VAP Group
  routing-protocol vap-group install
  routing-protocol vap-group update
  routing-protocol vap-group configure
  routing-protocol vap-group save
  routing-protocol vap-group restore
  routing-protocol vap-group uninstall
  routing-protocol vap-group status
  configure routing-protocol
  routing-protocol-services vap-group configure
  routing-protocol-services vap-group save
  routing-protocol-services vap-group restore
  routing-protocol-services vap-group status
  routing-protocol-services vap-group upgrade
  routing-protocol-services vap-group update

Chapter 6: Commands for Configuring and Managing Flow Provisioning


Commands for Configuring System-Level Flow Rules
  configure system-ip-flow-rule
  action drop (conf-system-ip-flow context)
  action allow (conf-system-ip-flow context)
  action pass-to-masters (conf-system-ip-flow context)
  action broadcast (conf-system-ip-flow context)

Contents

direction (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . skip-port-protocol (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . generate-reversed-flow (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . source-addr (conf-system-ip-flow context). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . destination-addr (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . source-port (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . destination-port (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . protocol (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . domain (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . incoming-circuit-group (conf-system-ip-flow context). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . timeout (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . trace (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . priority (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . activate (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show (conf-system-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . configure system-non-ip-flow-rule . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . action drop (conf-system-non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . action pass-to-masters (conf-system-non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . action broadcast (conf-system-non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . encapsulation ethernet (conf-system-non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . encapsulation lsap (conf-system-non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . encapsulation snap (conf-system-non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . activate (conf-system-non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show (conf-system-non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Commands for Configuring VAP-Group Level Flow Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ip-flow-rule (config-vap-grp context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . action load-balance (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . action drop (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . action allow (ip-flow-rule context). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . action pass-to-master (ip-flow-rule context). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . action pass-to-vap (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
action broadcast (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bypass-tcp-flow-setup-validation (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . direction (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . skip-port-protocol (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . generate-reversed-flow (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . source-addr (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . destination-addr (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . source-port (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . destination-port (ip-flow-rule context). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . protocol (ip-flow-rule context). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . domain (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . incoming-circuit-group (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . timeout (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . trace (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . priority (ip-flow-rule context). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . core-assignment (ip-flow-rule context). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . activate (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . bypass-tcp-flow-setup-validation (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show (ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . non-ip-flow-rule (config-vap-grp context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . action drop (non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . action pass-to-master (non-ip-flow context). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . action broadcast (non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . encapsulation ethernet (non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . encapsulation lsap (non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . encapsulation snap (non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . core-assignment (non-ip-flow-rule context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . activate (non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

259 261 262 263 264 266 267 268 270 271 273 275 276 277 278 287 289 290 291 292 293 295 296 297 301 302 304 305 306 307 308 309 310 310 312 312 314 315 317 318 319 321 322 324 326 327 329 330 331 331 340 342 342 343 345 346 348 350 351

XOS Command Reference Guide

show (non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Commands for Monitoring Flows and Managing Flow Rule Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . show flow active. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show flow-path active. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show flow distribution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show npm-originated-flow-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . configure check-flow-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Commands for Clearing Flows from the X-Series Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . clear flow-active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . clear interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . clear netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . clear switch-data-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . clear vdf-status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

351 356 357 370 382 385 387 388 388 390 392 393 393

Chapter 7: Commands for Configuring Interfaces for a VAP Group


Commands for Configuring Circuits
  configure circuit
  device-name (conf-cct context)
  link-state-resistant (conf-cct context)
  proxy-arp (conf-cct context)
  tcp-rst-injection (conf-cct context)
  incoming-circuit-group (conf-cct context)
  configure incoming-circuit-group-name
  vap-group (conf-cct context)
  ip (conf-cct-vapgroup context) (IPv6 and IPv4)
  alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4)
  ip-flow-rule-priority (conf-cct-vapgroup context)
  verify-next-hop-ip (conf-cct-vapgroup context) (IPv6 and IPv4)
  default-egress-vlan-tag (conf-cct-vapgroup context)
  replace-vlan-tag (conf-cct-vapgroup context)
  management-circuit (conf-cct-vapgroup context)
  dhcp-relay (conf-cct-vapgroup context)
  promiscuous-mode (conf-cct-vapgroup context)
  mac-addr (conf-cct-vapgroup context)
  mtu (conf-cct-vapgroup context)
  ip-forwarding (conf-cct-vapgroup context)
  icmp-redirect (conf-cct-vapgroup)
  enable (conf-cct-vapgroup)
  show (conf-cct context)
  configure bridge-mode
  circuit (conf-bridge-mode context)
  show (conf-bridge-mode context)
Commands for Configuring IP Routes and Managing Destination MAC Address Resolution for VAP Groups
  configure ip route (IPv6 and IPv4)
  metric (config-ip-route context)
  verify-next-hop (config-ip-route context)
  configure ip default-network (IPv6 and IPv4)
  metric (conf-ip-default-network context)
  verify-next-hop (conf-ip-default-network context)
  configure arp
  configure neighbor-discovery (IPv6)
  configure ipv6-tunnel (IPv6)
  path-mtu-discovery (conf-tunnel-<tunnel_type> context)
  source-address (conf-tunnel-<tunnel_type> context)
  time-to-live (conf-tunnel-<tunnel_type> context)
Commands for Configuring Physical and Logical Interfaces for a VAP Group
  configure interface
  logical (conf-intf-gig or conf-intf-10gig context)
  circuit (intf-gig-logical or intf-10gig-logical context)
  show (intf-gig-logical or intf-10gig-logical context)
  logical-all (conf-intf-gig or conf-intf-10gig context)
  circuit (intf-gig-logical-all or intf-10gig-logical-all context)
  standby-only (conf-intf-gig or conf-intf-10gig context)
  pause-frame (conf-intf-gig or conf-intf-10gig context)
  auto-negotiate (conf-intf-gig context)
  duplex-mode (conf-intf-gig context)
  media-speed (conf-intf-gig context)
  enable (conf-intf-gig or conf-intf-10gig context)
  show (conf-intf-gig or conf-intf-10gig context)
  configure interface-internal
  logical (conf-intf-internal context)
  logical-all (conf-intf-internal context)
  circuit (conf-intf-internal-log or conf-intf-internal-log-all context)
  configure group-interface
  mode (conf-group-intf context)
  interface-type (conf-group-intf context)
  pause-frame (conf-grp-intf-gig or conf-grp-intf-10gig context)
  auto-negotiate (conf-grp-intf-gig context)
  duplex-mode (conf-grp-intf-gig context)
  media-speed (conf-grp-intf-gig context)
  enable (conf-grp-intf-gig or conf-grp-intf-10gig context)
  interface (conf-group-intf context)
  enable (conf-grp-intf-intf context)
  logical (conf-group-intf context)
  circuit (conf-group-intf-logical context)
  show (conf-group-intf context)
  configure acl-interface
  direction (conf-acl-intf context)
  vlan (conf-acl-intf context)
  ether-type (conf-acl-intf context)
  source-mac (conf-acl-intf context)
  destination-mac (conf-acl-intf context)
  configure interface-status-group
  configure acl-interface-mapping
Commands for Configuring Interface Redundancy
  configure redundancy-interface
  failovermode (conf-intf-redun context)

Chapter 8: Commands for Configuring and Managing Multi-System High-Availability


  configure management high-availability
  auto-negotiate (conf-mgmt-ha context)
  duplex-mode (conf-mgmt-ha context)
  speed (conf-mgmt-ha context)
  configure remote-box
  configure vrrp failover-group
  priority (conf-vrrp-group context)
  preemption (conf-vrrp-group context)
  advertise-interval (conf-vrrp-group context)
  monitor-circuit (conf-vrrp-group context)
  priority-delta (conf-vrrp-failover-cct context)
  monitor-interface (conf-vrrp-group context)
  priority-delta (conf-intf-gig or conf-intf-10gig context)
  monitor-group-interface (conf-vrrp-group context)
  priority-delta (conf-vrrp-failover-grpintf)
  ospf-cost-increment (conf-vrrp-group context)
  virtual-router (conf-vrrp-group context)
  backup-stay-up (conf-vrrp-failover-vr context)
  dist-port-threshold (conf-vrrp-failover-vr context)
  mac-usage (conf-vrrp-failover-vr context)
  priority-delta (conf-vrrp-failover-vr context)
  vap-group (conf-vrrp-failover-vr context)
  ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
  verify-next-hop-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
  priority-delta (conf-vrrp-vr-verify-next-hop context)
  virtual-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
  enable (conf-vrrp-group context)
  configure vrrp vap-group
  active-vap-threshold (conf-vrrp-vap-group context)
  enable (conf-vrrp-vap-group context)
  failover-group-list (conf-vrrp-vap-group context)
  hold-down-timer (conf-vrrp-vap-group context)
  priority-delta (conf-vrrp-vap-group context)
  vrrp-relinquish-master

Chapter 9: Commands for Managing X-Series Platform Hardware and Software Upgrades and Maintenance

  automated-workflow-menu
  automated-workflows
  show automated-workflow-progress
  cp-disk-scheme
  show cp-disk-scheme
  configure cp-action disk-error (config context)
  configure module
  reload all
  reload module
  reload offline-cp
  reset-cp-serial
  reload vap-group
  reset-configuration
  sleep
  upgrade
  in-service (upgrade context)
  batch-<n> (in-service-upgrade context)
  batch-default (in-service-upgrade context)
  clear-batches (in-service-upgrade context)
  install (in-service-upgrade context)
  show (in-service-upgrade context)
  install (upgrade context)
  remove (upgrade context)
  show current-running-release (upgrade context)
  show new-release (upgrade context)
  show release (upgrade context)
  verify-system (upgrade context)

Chapter 10: Commands for Managing XOS Configuration Files


Commands for Managing Startup and Running Configuration Files
  copy running-config
  copy startup-config
  logout
  reset-configuration
Commands for Displaying Startup and Running Configurations
  grep
  search
  show running-config
  show startup-config

Chapter 11: Advanced XOS Configuration Commands


  alias
  configure alias
  auto-promote
  echo
  exec
  script
  unix

Chapter 12: Commands for Displaying XOS Configuration Settings


Commands for Displaying All Configuration Settings
  grep
  search
  show audit-trail
  show history
  show running-config
  show startup-config
  show vsx-configuration
  show resource-statistics
  clear resource-statistics
Commands for Displaying X-Series Platform Hardware and XOS Software Version Information
  show system
  show version
Commands for Displaying X-Series Platform Management Configuration Settings
  show arp
  show neighbor-discovery (IPv6)
  show dns-search-name
  show dns-server
  show hostname
  show ip addresses
  show ip default-network
  show ip domainname
  show ip forwarding
  show ip ftp
  show ip route
  show ip ssh
  show ip telnet
  show ldap-parameters
  show ldap-server
  show cp-next-boot
  show np-reload-timeout
  show np-reset-wait-time
  show ntp-server
  show operating-mode
  show radius-server
  show system-identifier
  show system-internal-network
  show timeout
  show timezone
  show web-server
  show web-session
  show web-timeout
  show web-wizard
Commands for Displaying X-Series Platform Management Interface Configuration Settings
  show management


  show management-ip-alias
  show management-ip-nat
  show access-list
Commands for Displaying User Account and User Access Configuration Settings
  show lock-config
  show snmp-user
  show username
  show usernames
  show autocommand
  show privilege
  show tree include-privilege
Commands for Displaying System Alarm and Logging Configuration Settings
  show alarm-enabled
  show facility-alarm
  show snmp
  show logging console
  show logging setting
  show logging server
Commands for Displaying CPM Redundancy Configuration Settings
  show cp-redundancy
  show cp-disk-error
  show cp-unknown-state
  show management-vip
Commands for Displaying VAP Group Configuration Settings
  show archive-vap-group
  show host
  show kernel
  show routing-protocol
  show vap-group
Commands for Displaying Flow Provisioning Configuration Settings
  show check-flow-rule
  show default-ip-flow-rule
  show default-non-ip-flow-rule
  show ip-flow-rule
  show non-ip-flow
  show system-ip-flow-rule
  show system-non-ip-flow-rule
Commands for Displaying Circuits and Interface Configuration Settings
  show bridge-mode
  show circuit
  show incoming-circuit-group-name
  show group-interface
  show interface
  show interface-status-group
  show ip-mapping
  show redundancy-interface
  show status-grouping
  show vlan
  show acl-interface
  show acl-interface-mapping
Commands for Displaying Multi-System High-Availability Configuration Settings
  show remote-box
  show vrrp
  show vrrp circuit-ip
  show vrrp detail-status
  show vrrp failover-group
  show vrrp monitor-circuit
  show vrrp monitor-interfaces
  show vrrp monitor-group-interfaces


  show vrrp status
  show vrrp vap-group
  show vrrp verify-next-hop
  show vrrp virtual-router
Commands for Displaying Hardware and Software Maintenance Configuration Settings
  show module admin-state
  show module status
  show reload
Commands for Displaying Advanced Configuration Settings
  show auto-promote
  show alias
Commands for Displaying Console Display Configuration Settings
  show terminal history

Chapter 13: Using swatch Scripts for System Monitoring


Introducing swatch Scripts
Using swatch Scripts
  APM Switched Data Path Statistics (apmdevstats.swc)
  APM Interface Statistics (apmdevstats_slot.swc)
  APM Firewall Statistics (apmfwstats.swc)
  APM Firewall Statistics by Slot (apmfwstats_slot.swc)
  APM IP, ICMP, TCP, and UDP Statistics (apmsnmpstats.swc)
  Crossbeam Daemon Status Script (cbsinitdstats.swc)
  NPM Fabric Packet Statistics (fabricstats.swc)
  NPM Flow Calculation Statistics (flowcalcstats.swc)
  Flow Assignment and Scheduling Statistics (flowsched.swc)
  Group Interface Statistics (groupintstats.swc)
  CPU Activity for the APM and CPM (health_cpubsy.swc)
  CPU Load, Utilization, and Memory Information (health_cpumem.swc)
  CPU and Board Temperature (health_temp.swc)
  Module Uptime Statistics (moduleuptime.swc)
  Local Network Interface Statistics (netifstats.swc)
  NPM Interface Statistics (npmdevstats.swc)
  NPM VDF Status (npmfragstats.swc)

Chapter 14: Commands for Troubleshooting


Commands for Troubleshooting XOS Configuration Settings
  audit-trail
  show audit-trail
  show history
  validate-configuration
Commands for Troubleshooting X-Series Platform Hardware and Software
  show alarms
  clear alarms
  show calendar
  show chassis
  show cpu
  show current-release
  show current-running-release (upgrade context)
  show disk-usage
  show environment
  show heartbeat
  show logging console
  show module admin-state
  show module status
  show release (upgrade context)
  show rmon
  show snmp


  show ssh-session
  show switch-data-path
  show system
  show traplog
  show web-session
  who
Commands for Troubleshooting X-Series Platform Network Connectivity
  ping
  show arp
  show neighbor-discovery (IPv6)
  show circuit
  show flow active
  show flow-path active
  show flow distribution
  show group-interface
  show interface
  show internal-ip
  show netstat
  show redundancy-interface
  show vdf-status
  clear vdf-status
  show veth-stats
Commands for Troubleshooting VAPs, VAP Groups, and Applications
  show ap-vap-mapping
  show application
  show application vap-group
Commands for Troubleshooting Multi-System High-Availability Issues
  show remote-box
  show vrrp
  show vrrp circuit-ip
  show vrrp detail-status
  show vrrp failover-group
  show vrrp monitor-circuit
  show vrrp monitor-interfaces
  show vrrp monitor-group-interfaces
  show vrrp status
  show vrrp vap-group
  show vrrp verify-next-hop
  show vrrp virtual-router
Commands for Providing Troubleshooting Information to Crossbeam Customer Support
  show npm-tech
  show tech-crash
  show tech-support
Commands for Crossbeam Customer Support Use
  debug

Chapter 15: Using Unix Commands


Executing Unix Commands on a Designated VAP
Executing Unix Commands on All VAPs
Copying an Existing File to a VAP Group
Upgrading an Application on a VAP Group

Chapter 16: Understanding CLI Error Messages


General Error Messages
Subsystem Errors
Threshold (RMON) Agent Errors
SNMP Errors
WEB Access Control Related Error Messages


Warning Messages

Appendix A: Example XOS Running Configuration File
Appendix B: Legal Single Line Command Groupings
Appendix C: Configurable Command Privilege Levels
Alphabetical Index of Commands
Glossary


About This Guide


This guide provides descriptions of the XOS Command-Line Interface (CLI) commands for Crossbeam X-Series Platforms running XOS V9.5.1 or later. This guide assumes that you have installed the X-Series Platform hardware, and that you have a basic understanding of how the X-Series Platform is designed and operates. For a complete software version compatibility matrix, refer to the XOS Release Notes for the specific XOS version that you are using.

Intended Audience
This guide is intended for qualified service personnel responsible for installing, configuring, and managing software on Crossbeam X-Series Platforms.

Related Documentation
The following documents are provided on the Crossbeam USB Installer or on the Crossbeam Customer Support Portal:

APM, CPM, and NPM Installation Notice
X80-S Platform Hardware Installation Guide
X60 Platform Hardware Installation Guide
X20 and X30 Platform Hardware Installation Guide
XOS Configuration Guide
Multi-Application Serialization Configuration Guide
Multi-System High Availability Configuration Guide
Install Server User Guide
USB Installer User Guide
RSW Installation Guide (available with the RSW kit, purchased separately)
XOS V9.5.1 Release Notes

IMPORTANT: For the latest updates and revisions to X-Series Platform documentation, log into the Crossbeam Online Support Portal at http://www.crossbeam.com/support/online-support/.


Conventions
Typographical Conventions
For paragraph text conventions, see Table 1 on page 18. For command-line text conventions, see Table 2 on page 19.

Table 1. Typographical Conventions Used in Paragraph Text


Typographical Convention: Bold
Types of Information: Elements on the graphical user interface.
Usage Examples: In the IP Address field, type the IP address of the first VAP in the group. Click OK to close the dialog. Select the Print to File check box.

Typographical Convention: Courier
Types of Information: Keys on the keyboard. File names, folder names, and command names. Any information that you must type exactly as shown. Program output text.
Usage Examples: Press Esc to return to the main menu. Save the user.txt file in the user_install directory. Use the start command to start the application. In the Username field, type Administrator. The XOS CLI show calendar command displays the system calendar: Fri Mar 26 13:32:03 2010

Typographical Convention: Courier Italic
Types of Information: File names, folder names, command names, or other information that you must supply.
Usage Examples: In the Version Number field, type 8.5.patch_number.

Typographical Convention: >
Types of Information: A sequence of commands from the task bar or menu bar.
Usage Examples: From the taskbar, choose Start > Run. From the main menu, choose File > Save As... Right-click on the desktop and choose Arrange Icons By > Name from the pop-up menu.


Table 2. Typographical Conventions Used in Command-Line Text


Typographical Convention: Courier
Types of Information: User prompts and program output text.
Usage Examples:
CBS# show calendar
Fri Mar 26 13:32:03 2010

Typographical Convention: Courier Bold
Types of Information: Information that you must type in exactly as shown.
Usage Examples:
[root@xxxxx]# md crossbeam

Typographical Convention: <Courier Italic>
Types of Information: Angle brackets surrounding Courier italic text indicate file names, folder names, command names, or other information that you must supply.
Usage Examples:
[root@xxxxx]# md <your_folder_name>

Typographical Convention: [ ]
Types of Information: Square brackets contain optional information that may be supplied with a command.
Usage Examples:
CBS# configure dns server <IP_address> [vap-group <VAP_group_name>]

Typographical Convention: |
Types of Information: Separates two or more mutually exclusive options.
Usage Examples:
CBS# cp-unknown-state {cp1|cp2}

Typographical Convention: { }
Types of Information: Braces contain two or more mutually exclusive options from which you must choose one.
Usage Examples:
CBS# configure vap-group <VAP_group_name>
CBS(config-vap-grp)# raid {0|1}

Cautions, Warnings, and Notes


Caution: Lists precautions that you must take to avoid temporary data loss or data unavailability.
Warning: Lists precautions that you must take to avoid personal injury, permanent data loss, or equipment damage.
IMPORTANT: Lists important steps that you must perform properly or important information that you must take into consideration to avoid performing unnecessary work.
NOTE: Provides special information or tips that help you properly understand or carry out a task.


IPv6 Address Notation


Within this guide, two notation types are used to represent IPv6 addresses.
- Standard Notation
- Compressed Notation
NOTE: XOS V9.5 does not support mixed notation IPv6 addresses.

Standard notation
The standard notation for IPv6 addresses is eight 16-bit hexadecimal words separated by colons. For example:
2001:BA95:AC10:0000:CF6A:000D:2145:3713
Specifying leading zeros is not required, provided that there is at least one numeric value in each field of the address. The above address can also be represented as:
2001:BA95:AC10:0:CF6A:D:2145:3713

Compressed notation
Many IPv6 addresses contain multiple fields of zeros. Use the double colon (::) notation to represent a single contiguous group of zero fields within an IPv6 address. For example:
1458:0:0:0:0:A03:5:AC17
AF06:0:0:0:BC:0:0:4
0:0:0:0:0:0:0:1
0:0:0:0:0:0:0:0
These can be represented as:
1458::A03:5:AC17
AF06::BC:0:0:4
::1
::
NOTE: The AF06:0:0:0:BC:0:0:4 example is represented as AF06::BC:0:0:4 because only one "::" is allowed in an address.
In this guide, the example IPv6 addresses are taken from:
- The Unique Local Unicast address range (FC00::/7) because these addresses are not propagated over the Internet
- The 2002: address range as part of the prefix for IPv6 6to4 tunnels


NOTE: In accordance with the IANA IPv6 address space allocations, an XOS VAP of type xslinux_v3 ("V3"), xslinux_v5 ("V5"), xslinux_v5_64 ("V5_64"), or xsve will treat some address ranges as reserved. At this writing, the IANA range assignments are as follows (excerpted from http://www.iana.org/assignments/ipv6-address-space/):

IPv6 Prefix   Allocation             Reference
0000::/8      Reserved by IETF       [RFC4291]
0100::/8      Reserved by IETF       [RFC4291]
0200::/7      Reserved by IETF       [RFC4048]
0400::/6      Reserved by IETF       [RFC4291]
0800::/5      Reserved by IETF       [RFC4291]
1000::/4      Reserved by IETF       [RFC4291]
2000::/3      Global Unicast         [RFC4291]
4000::/3      Reserved by IETF       [RFC4291]
6000::/3      Reserved by IETF       [RFC4291]
8000::/3      Reserved by IETF       [RFC4291]
A000::/3      Reserved by IETF       [RFC4291]
C000::/3      Reserved by IETF       [RFC4291]
E000::/4      Reserved by IETF       [RFC4291]
F000::/5      Reserved by IETF       [RFC4291]
F800::/6      Reserved by IETF       [RFC4291]
FC00::/7      Unique Local Unicast   [RFC4193]
FE00::/9      Reserved by IETF       [RFC4291]
FE80::/10     Link Local Unicast     [RFC4291]
FEC0::/10     Reserved by IETF       [RFC3879]
FF00::/8      Multicast              [RFC4291]

With regard to reserved address blocks, some kernel versions make address-type determinations that are different from those made by other kernel versions. It should be noted that, in particular, V3 VAPs treat the following ranges as strictly reserved (that is, these addresses are reserved and are not treated as Global Unicast addresses), whereas V5 and V5_64 VAPs treat these ranges as reserved Global Unicast addresses:
0000::/8
0100::/8
0200::/7
0400::/6
For purposes of XOS circuit/interface configuration, it is recommended that the above "Reserved by IETF" ranges NOT be used unless warranted by special circumstances. In the general case, user-assigned XOS IPv6 unicast circuit/interface addresses should be allocated from the 2000::/3 (Global Unicast) and/or the FC00::/7 (Unique Local Unicast) address block(s).
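The notation rules and the allocation table above can be checked before an address is typed into a circuit or interface configuration. The following Python sketch is an added example, not part of the Crossbeam guide or of XOS; the function name check_circuit_address and the result keys are hypothetical, and rejecting scope IDs ("%") is a choice made for this example.

```python
import ipaddress

# IANA allocations exactly as listed in the guide's table (prefix, allocation).
IANA_BLOCKS = [(ipaddress.IPv6Network(p), a) for p, a in [
    ("0000::/8", "Reserved by IETF"), ("0100::/8", "Reserved by IETF"),
    ("0200::/7", "Reserved by IETF"), ("0400::/6", "Reserved by IETF"),
    ("0800::/5", "Reserved by IETF"), ("1000::/4", "Reserved by IETF"),
    ("2000::/3", "Global Unicast"), ("4000::/3", "Reserved by IETF"),
    ("6000::/3", "Reserved by IETF"), ("8000::/3", "Reserved by IETF"),
    ("A000::/3", "Reserved by IETF"), ("C000::/3", "Reserved by IETF"),
    ("E000::/4", "Reserved by IETF"), ("F000::/5", "Reserved by IETF"),
    ("F800::/6", "Reserved by IETF"), ("FC00::/7", "Unique Local Unicast"),
    ("FE00::/9", "Reserved by IETF"), ("FE80::/10", "Link Local Unicast"),
    ("FEC0::/10", "Reserved by IETF"), ("FF00::/8", "Multicast"),
]]

# Ranges the guide says V3 VAPs treat as strictly reserved while V5 and V5_64
# VAPs treat them as reserved Global Unicast.
KERNEL_DEPENDENT = [ipaddress.IPv6Network(p)
                    for p in ("0000::/8", "0100::/8", "0200::/7", "0400::/6")]

# Blocks the guide recommends for user-assigned unicast circuit addresses.
RECOMMENDED = [ipaddress.IPv6Network(p) for p in ("2000::/3", "FC00::/7")]


def check_circuit_address(text):
    """Validate one IPv6 address and classify it against the guide's table.

    Raises ValueError for mixed notation, scope IDs, more than one '::',
    or any other malformed address.
    """
    text = text.strip()
    if "." in text:
        raise ValueError("mixed (embedded IPv4) notation is not supported: %r" % text)
    if "%" in text:
        raise ValueError("scope IDs are not one of the guide's notations: %r" % text)
    addr = ipaddress.IPv6Address(text)  # AddressValueError is a ValueError
    words = [int(w, 16) for w in addr.exploded.split(":")]
    return {
        # Standard notation: eight words, leading zeros dropped.
        "standard": ":".join("%X" % w for w in words),
        # Compressed notation: a single '::' for the longest zero run.
        "compressed": addr.compressed.upper(),
        "allocation": next(a for net, a in IANA_BLOCKS if addr in net),
        "recommended": any(addr in net for net in RECOMMENDED),
        "kernel_dependent": any(addr in net for net in KERNEL_DEPENDENT),
    }


if __name__ == "__main__":
    # Sample inputs taken from the notation examples in this section.
    for sample in ("2001:BA95:AC10:0000:CF6A:000D:2145:3713",
                   "AF06:0:0:0:BC:0:0:4", "0:0:0:0:0:0:0:1", "FC00::1"):
        print(sample, check_circuit_address(sample))
```

An address with kernel_dependent set is one whose handling differs between V3 and V5/V5_64 VAPs, so it deserves review before it is used in a configuration that spans VAP types.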


Customer Support
Crossbeam Systems offers a variety of service plans designed to meet your specific technical support requirements. For information on purchasing a service plan for your organization, please contact your account representative or refer to http://www.crossbeam.com/support/technical-support/. If you have purchased a Crossbeam Systems product service plan and need technical assistance, you can report issues by telephone:
United States: +1 800-331-1338 OR +1 978-318-7595
EMEA: + 33 4 8986 0400
Asia Pacific: +1 978-318-7595
Latin America: +1 978-318-7595

You can also report issues via e-mail to support@crossbeam.com. In addition, all of our service plans include access to the Crossbeam Customer Support Portal located at http://www.crossbeam.com/support/online-support/. The Crossbeam Customer Support Portal provides you with access to a variety of resources, including Customer Support Knowledgebase articles, technical bulletins, product documentation, and release notes. You can also access our real-time problem reporting application, which lets you submit new technical support requests and view all your open requests. Crossbeam Systems also offers extensive customer training on all of its products. For current course offerings and schedules, please refer to the Crossbeam Education Services Web pages located at http://www.crossbeam.com/support/training-services/.


1
Introduction to the Command Line Interface
This chapter explains how to access and use the XOS Command-Line Interface (CLI). This chapter contains the following sections:
- Accessing the Command-Line Interface on page 24
- Using the CLI on page 26


Accessing the Command-Line Interface


You can access the XOS CLI through a direct, serial connection or through a remote Ethernet connection over a LAN.

Using a Serial Connection to Access the CLI


Perform the following steps to access the CLI through a serial connection:
1. Connect a cable terminated with a male DB9 connector to the port labeled Console on the active (primary) CPM, as shown in Figure 1 on page 24. Look at the LEDs to identify the active (primary) CPM.
   NOTE: If you connect to the backup CPM, you cannot access the XOS CLI.
2. Connect the other end of the cable to the console terminal or to a PC running a VT 100 emulation.
3. Configure the terminal session with these settings: 9600 baud, 8 bits, 1 stop bit, no parity, no flow control.
4. You are prompted to provide a username and password. The initial XOS configuration interview configures a default username and password of admin and admin.

Figure 1. Connecting the CPM Console Port to a PC


Using an Ethernet Connection to Access the CLI over a LAN


Perform the following steps to access the CLI through an Ethernet connection over a LAN:
1. Connect to the CPM through the Console port, as described in Using a Serial Connection to Access the CLI on page 24.
2. Configure an Ethernet port on the CPM as a management interface, and configure the CPM to enable access to the management interface using the protocol(s) of your choice (such as SSH or Telnet). Refer to the XOS Configuration Guide for instructions.
3. Locate the physical port that you configured as the management interface on the CPM.
4. Connect one end of a cable terminated with an RJ-45 connector to the port that you configured as the management interface, as shown in Figure 2 on page 25.
5. Connect the other end of the cable to your LAN port.
6. Open a connection to the management interface using the protocol of your choice (SSH or Telnet).
7. You are prompted to provide a username and password.
   NOTE: During installation, XOS configures a default administrator-level CLI user account with the user name, admin. The XOS installation interview prompts you to enter a password for this account.

Figure 2. Connecting a CPM Management Port to a LAN


Using the CLI


At the XOS CLI prompt, you can issue either CLI or Unix commands. To issue a command, type the command syntax at the CLI prompt, and press Enter.

If you have administrator-level privileges, you can issue some Unix commands directly from the CLI prompt. These pass-through commands provide you with access to basic system functions, such as file copy, without compromising the system's integrity. You must use the unix CLI command to issue Unix commands that are not supported as pass-through commands.

NOTE: Both CLI and Unix commands are case-sensitive; enter all CLI commands in lowercase.

You can use the pound sign (#) to add a comment at the end of a CLI command line. The CLI truncates the command line at the pound sign (#), and treats any text that appears after the pound sign (#) as a comment.

This section contains information about the following topics:
- Understanding Command Structure and Command Syntax on page 27
- Understanding CLI Contexts on page 28
- Understanding Command Privilege Levels on page 29
- Editing the Command Line on page 31
- Entering User-defined Strings on page 32
- Understanding CLI Syntax Error Messages on page 33
- Getting Help on page 34
- Logging Out of the CLI Session on page 34


Understanding Command Structure and Command Syntax


CLI command structure includes the following basic components:

Command: Performs a specific operation or places the user in a specific CLI command context. (See Understanding CLI Contexts on page 28.)
Parameter: Works only in conjunction with a specific command. Specifies an object on which the command performs an operation or specifies the value of a configuration setting that the command creates or changes.

CLI command syntax consists of the following components:

command required_argument {required_argument | required_argument} <variable> [optional_argument] [optional_argument | optional_argument]

NOTE: Except when otherwise noted, any argument that contains whitespace characters must be surrounded by quotation marks (" ").

command
Identifies an operation to be performed (for example, configure vap-group).

required_argument
Indicates a required argument to the command. A required argument may be either a parameter or another command. Any argument specified without square brackets ( [ ] ) or curly braces ( { } ) around it is required.

{required_argument | required_argument}
Curly braces ( { } ) contain two or more mutually exclusive required arguments separated by a bar ( | ). You must specify one of these arguments. A required argument may be either a parameter or another command. Do not type the curly braces or the bars.

[optional_argument]
Indicates a single, optional argument. An argument may be either a parameter or another command. Do not type the square brackets ( [ ] ).

[optional_argument | optional_argument]
Square brackets ( [ ] ) may contain two or more mutually exclusive optional arguments separated by a bar ( | ). You can only specify one of these arguments. An argument may be either a parameter or another command. Do not type the square brackets or the bars.

<variable>
Indicates a variable for which you must supply a value. Replace the italic text with the desired value. Do not type the angle brackets (<>).
NOTE: A variable can be a required or optional argument to a command.


Understanding CLI Contexts


You execute each command from within a specific CLI context. The CLI context in which you execute a command determines the type of operation that the command will perform and may also determine the specific object on which the command will perform the operation.

IMPORTANT: Many commands have different functions when executed under different CLI contexts. For example, under the configuration context (config), the vap-group command configures a VAP group. However, under the circuit configuration context (conf-cct), the vap-group command maps a VAP group to the circuit being configured.

CLI contexts have a nested tree structure, similar to the directory tree structure on a PC. The main CLI context is the highest level of the structure. All other CLI contexts are nested within the main CLI context. You can use the show tree command to display the complete CLI command tree structure for XOS V9.5.1.

In this Guide, each command definition includes a section called either Context or Contexts and Subcommands, which contains the following information:
- Context(s) from which you can execute the command
- Additional commands (if any) that you can use to enter the command's context from the main CLI context
- Lower-level context(s) (if any) that you enter when you execute the command
- Additional commands (if any), called subcommands, that you can execute from within the lower-level context(s) that you enter when you issue the command

Navigating CLI Contexts


You move from a higher-level CLI context into a lower-level (nested) CLI context by issuing a single command or a series of commands from within the higher-level context. For example, the configure command moves you from the main CLI context into the configuration context (config), from which you can execute configuration commands. The vap-group command moves you from the configuration context into the VAP group configuration context (config-vap-grp), from which you can execute VAP group configuration commands that apply only to the specified VAP group (test_name, in this example).
CBS# configure
CBS(config)# vap-group test_name
CBS(config-vap-grp)#
To move up to the next-highest CLI context level, use the exit command:
CBS(config-vap-grp)# exit
CBS(config)#
To move up to the main CLI context from any other CLI context, use the end command:
CBS(config-vap-grp)# end
CBS#

Executing a Command in a Specific CLI Context


To successfully execute a command in a specific CLI context, you must do one of the following:
- Execute the command(s) that move you into the required context and then execute the target command from within the required context, as shown in the example above.
- Execute a compound command, which includes all the commands that would move you into the desired CLI context and the specific command that you want to execute. For example, the following compound command includes the configure command and the vap-group command.
CBS# configure vap-group test_name


Understanding Command Privilege Levels


Each CLI command has a configurable privilege level, and each CLI user account also has a configurable privilege level. To execute a command, a user's privilege level must be greater than or equal to the command's privilege level. Valid values for both command privilege level and user privilege level range from 0 (the lowest privilege level) to 15 (the highest privilege level).

Command Privilege Levels


By default, each CLI command privilege level is set to either 0 or 15. Use the following command to display the privilege level for a specific CLI command:
CBS# show privilege <root_level_command> [<first_level_subcommand>] [<second_level_subcommand>] ... [<nth_level_subcommand>]
Where <root_level_command> is a command that you access from the main CLI context, <first_level_subcommand> is a command that you access from the root-level command's context, <second_level_subcommand> is a command that you access from the first-level subcommand's context, and so on.

For example, the following command shows the privilege level for the vap-group command under the configuration context. In this example, configure is the <root_level_command> and vap-group is the <first_level_subcommand>.
CBS# show privilege configure vap-group
Command configure vap-group at privilege level 15

Use the following command to change the privilege level for a specific command:
CBS# configure privilege level <level> <root_level_command> [<first_level_subcommand>] [<second_level_subcommand>] ... [<nth_level_subcommand>]
For example, the following command sets the privilege level to 10 for the vap-group command under the configuration context:
CBS# configure privilege level 10 configure vap-group
CBS#

NOTE: To determine whether a user is allowed access to a command, XOS compares the privilege level of the command and the privilege level of the parent command to the privilege level of the user. If the privilege level of either the parent command or the sub-command is higher than the privilege level of the user, access is denied. For example, you have configured these privilege levels:
User: 10
Sub-command: 0
Parent command: 15
Although the intent was to allow the user to access the sub-command, the privilege level of the parent command prevents this.

NOTE: See Appendix C, Configurable Command Privilege Levels on page 931, for a list of XOS commands, along with the default privilege level for each command.
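The parent-command rule in the NOTE above is easy to misjudge when delegating commands to lower-privilege accounts. The following Python model is an added example, not XOS code; the class and method names are hypothetical, it extends the parent check to every ancestor in the command path, and it treats a command with no recorded level as 15. Both of those are assumptions of this example, since the guide lists the real defaults in Appendix C.

```python
MIN_LEVEL, MAX_LEVEL = 0, 15


class PrivilegeTable:
    """Command paths mapped to privilege levels 0-15 (model for planning only)."""

    def __init__(self, default_level=MAX_LEVEL):
        # Assumption: unknown commands are treated as level 15 (deny by default).
        self.default_level = default_level
        self.levels = {}

    def set_level(self, level, command):
        """Model of: configure privilege level <level> <root_level_command> [...]"""
        if not MIN_LEVEL <= level <= MAX_LEVEL:
            raise ValueError("privilege level must be 0-15, got %r" % level)
        self.levels[tuple(command.split())] = level

    def level_of(self, words):
        return self.levels.get(tuple(words), self.default_level)

    def chain(self, command):
        """(command, level) for the root command and each nested subcommand."""
        words = command.split()
        return [(" ".join(words[:i]), self.level_of(words[:i]))
                for i in range(1, len(words) + 1)]

    def blocking_command(self, user_level, command):
        """First command in the chain whose level exceeds the user's, or None."""
        for name, level in self.chain(command):
            if level > user_level:
                return name
        return None

    def allowed(self, user_level, command):
        return self.blocking_command(user_level, command) is None

    def shadowed_grants(self, user_level):
        """Commands whose own level admits the user but an ancestor denies."""
        return sorted(
            " ".join(path) for path, level in self.levels.items()
            if level <= user_level and not self.allowed(user_level, " ".join(path)))


def guide_example():
    """The NOTE's case: user 10, sub-command 0, parent command 15."""
    table = PrivilegeTable()
    table.set_level(15, "configure")            # parent command
    table.set_level(0, "configure vap-group")   # sub-command
    return table


if __name__ == "__main__":
    t = guide_example()
    print("allowed:", t.allowed(10, "configure vap-group"))
    print("blocked by:", t.blocking_command(10, "configure vap-group"))
    print("shadowed grants for level 10:", t.shadowed_grants(10))
```

Running shadowed_grants for each delegated user level before applying privilege changes lists the sub-commands that were lowered without lowering the parent, which is the misconfiguration the NOTE describes.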


User Privilege Levels


The admin user account on each X-Series Platform has a default privilege level of 15. Use the following command to assign a privilege level to a new or existing user:
CBS# configure username <username> privilege <level>
Use the following command to display the CLI command privilege level assigned to the current user or to the specified user:
CBS# show username [<username>]
For example, if you are logged in as guest and you have a privilege level of 0, the show username command has the following output:
CBS# show username
Username                     : admin
Assigned CLI Privilege Level : 15
Current CLI Privilege Level  : 15
GUI Access Level             : Administrator
Maxdays                      : 30
(1 row)

For example, the following command shows the privilege level assigned to the admin user:
CBS# show username admin
Username                     : admin
Assigned CLI Privilege Level : 15
Current CLI Privilege Level  : 15
GUI Access Level             : Administrator
Maxdays                      : 30
(1 row)

Use the following command to display the CLI command privilege level assigned to every user account configured on the X-Series Platform:
CBS# show usernames
For example:
CBS# show usernames
Username                     : admin
Assigned CLI Privilege Level : 15
GUI Access Level             : Administrator
Maxdays                      : 30
Username                     : admin2
Assigned CLI Privilege Level : 15
GUI Access Level             : Administrator
Maxdays                      : 28
Username                     : guest
Assigned CLI Privilege Level : 15
GUI Access Level             : Guest
Maxdays                      : 30
(3 rows)


Editing the Command Line


Use the following editing commands when typing commands in the CLI:
Delete or Backspace   Erase characters
Ctrl-d                Delete current character
Ctrl-u                Delete from the beginning of the line up to the cursor
Ctrl-k                Delete from cursor to the end of line
Ctrl-a                Move to the beginning of the line
Ctrl-e                Move to the end of line
Ctrl-p                Get prior command from history
Ctrl-n                Get next command from history
Ctrl-b                Move cursor left one character
Ctrl-f                Move cursor right one character
Ctrl-w                Delete from the beginning of a word up to the cursor
Ctrl-t                Transpose current and previous character
Ctrl-z                Enter command and return to the main CLI context
Ctrl-l                Refresh input line
Esc-b                 Move back one word
Esc-f                 Move forward one word
Esc-c                 Convert rest of word to uppercase
Esc-l                 Convert rest of word to lowercase
Esc-d                 Delete remainder of word

You can get help about the editing keystrokes by typing help edit at the CLI prompt.

You can also abbreviate commands to the fewest number of letters required to make the commands unique. For example, you can enter sho to execute the show command.

You can also use the Tab key to complete abbreviated commands. Enter the fewest number of letters required to make the command unique and press Tab. The CLI then completes the command. For example, if you press Tab after typing the following:
CBS# conf
The CLI completes the command and you can press Enter to execute it:
CBS# configure
CBS(config)#

The output of some commands may exceed the screen length. When this occurs, you can press any key except Q or Enter to display the next screen of the output, or press Enter to display the next line of the output. Press Q to quit the output display and return to the command prompt.


Entering User-defined Strings


You enter user-defined strings when you assign names to VAP groups, circuits, devices, interfaces, and other items during the configuration process. Using the name of a subcommand to begin a user-defined string can interfere with Tab key auto-completion or Help (?) for the subcommand, and may create undesirable effects in the configuration. Observe the following when you enter a user-defined string:
1. Do not use any CLI subcommand as a user-defined string. To view the subcommands for the current CLI context, type ? and press Enter.
2. To avoid conflict with a CLI subcommand you can begin the user-defined string with an upper-case letter. CLI commands are case-sensitive and are always lower-case.

IMPORTANT: If you create a user-defined string that includes upper-case letters, you must always enter the string with the correct case. Otherwise, the command will fail, or may have unintended results.

For example, you have created a VAP group named Test_name:
CBS# configure vap-group Test_name xslinux_v5
CBS(config-vap-grp)#
You then want to modify the configuration of the VAP group, and enter:
CBS# configure vap-group Test_name
CBS(config-vap-grp)#
The CLI places you in the config-vap-grp context, from which you can modify the configuration of the VAP group Test_name. However, if you enter the command without the upper-case letter, you are instructing XOS to create a new VAP group named test_name. If you continue, XOS creates a new VAP group, and the CLI places you in the config-vap-grp context for the new VAP group.
CBS# configure vap-group test_name
CBS(config-vap-grp)#


Understanding CLI Syntax Error Messages


When you enter a command with the correct syntax:
- If the operation succeeds, the CLI displays the command's output (if any) and returns you to the CLI prompt without displaying any additional messages.
- If the operation fails, the CLI displays an error message that identifies the reason for the failure. (See Understanding CLI Error Messages on page 895 for more information on these types of error messages.)

When you enter a command with the incorrect syntax, the CLI displays a caret character (^) that points to the incorrect portion of the command, along with one of the following syntax error messages:

% Ambiguous command
You have entered an abbreviated command, but the initial command sequence or character set is not unique to a single, complete command. For example, the following abbreviated command results in an error because there are four different configure commands that begin with a (access-list, acl-interface, acl-interface-mapping, alias, arp, and automated-workflows).
CBS# configure a
               ^
% Ambiguous command

% Invalid input detected at '^' marker
The command or argument to which the caret (^) is pointing is spelled incorrectly, or is otherwise invalid. For example, the following command results in an error because configure acl-interface is spelled incorrectly.
CBS# configure acl-intfs
               ^
% Invalid input detected at '^' marker

% Missing parameter
You have omitted one or more required arguments. For example, the following command results in an error because you must specify a new or existing user name as a parameter to this command. (See configure username on page 111 for more information.)
CBS# configure username
% Missing parameter


Getting Help
You can access the CLI online help using any of the following methods:
- To display help for the next expected commands available from the current CLI context, enter the help command or enter a question mark (?) at the command prompt.
- To display help for a specific command available from the current CLI context, specify that command as a parameter to the help command (help <command>).
- To display help for all of a command's legal arguments, enter a question mark (?) in place of an argument to that command.
- To display help for the available commands that start with a particular character set, enter the character set as a parameter to the help command (help <character_set>).
- To display a list of the available commands and command aliases (without descriptions) that start with a particular character set, you can do one of the following:
  - Enter an abbreviated command immediately followed by a question mark (?).
  - Enter an abbreviated command and press the Tab key.
NOTE: Command aliases are displayed with an asterisk (*) after their names.

Logging Out of the CLI Session


To log out of the current CLI session, use the following command from any CLI context.
CBS# logout
You can also log out of the current CLI session by issuing the following command from the main CLI context.
CBS# exit


2
CLI Command Changes in XOS V9.5.1
This chapter provides information on CLI changes implemented in XOS V9.5.1. This chapter contains the following sections:
- New and Changed XOS CLI Commands on page 36
- Removed Commands on page 39


New and Changed XOS CLI Commands


There are no new or changed commands in XOS V9.5.1. The following new CLI commands and existing CLI command changes were implemented in XOS V9.5.

Command Name: application-remove <app_id> release <release_#> version <version_#>
Changes: The parameters release and version have been added to the application-remove command to allow you to specify the release and version of the application you want to remove.

Command Name: automated-workflows purge-log-files
Changes: The automated-workflows purge-log-files command removes the automated workflow log files.

Command Name: configure incoming-circuit-groupname <icg> <icgname>
Changes: Configures the name of a specified incoming circuit group. The range of values available for the incoming circuit group number is now <2-255>.

Command Name: show incoming-circuit-groupname
Changes: This command displays all incoming circuit groups, giving the number and name of each one.

Command Name: configure circuit <circuit_name> link-state-resistant
Changes: When a circuit is mapped to an external interface, configuring the circuit as link-state-resistant ensures that the circuit stays up regardless of the state of the external interface.

Command Name: configure circuit <circuit_name> vap-group <VAP_group_name> ip <IP_address> alias <alias_IP_address> floating
Changes: The floating parameter assigns the alias IP address to the master VAP, allowing traffic, cluster management, and synchronization communication to go directly to the master VAP. If a new master VAP is elected, the address floats to the new master.

Command Name: configure interface-internal
Changes: This command defines an internal interface that can be used for internal connectivity between VAPs or VAP groups that include circuits assigned to the internal interface. Use this command to enable internal communication between VAPs or a serialized connection between VAP groups.

Command Name: configure interface-status-group
Changes: This command ties the status of interfaces or group-interfaces together. If all interfaces and group-interfaces in an interface-status-group are UP, then the state of the interface-status-group is UP. If any interface or group-interface in the interface-status-group is DOWN, then the interface-status-group state is DOWN.

Command Name: configure np-reset-wait-time
Changes: This command sets the time in seconds the system will wait before resetting an NPM if no connectivity is detected.

Command Name: show np-reset-wait-time
Changes: This command displays the time in seconds the system will wait before resetting an NPM if no connectivity is detected.

Command Name: configure system-ip-flow-rule <flow_rule_name> incoming-circuit-group any
Changes: When creating a system-ip-flow-rule, in addition to specifying the number of an incoming-circuit-group, you can now specify any. This parameter acts as a wild card.


Command: configure vap-group <name> xsve
Changes: The xsve parameter defines a virtual environment VAP operating system for use with virtualized applications. Using this parameter creates an xsve VAP group that is preconfigured for one or more virtual machines. During the application installation, the virtual machine is created on the APM (the host).

Command: configure vap-group <VAP_group_name> fail-to-host
Changes: The fail-to-host parameter has been added to the configure vap-group command in a virtualized environment to configure the action of the host when the guest has failed. Configuring this parameter enables the host to process traffic intended for the guest. Using the no parameter disables this behavior.

Command: configure vap-group <VAP_group_name> flow-proxy
Changes: The flow-proxy parameter has been added to the configure vap-group command. In a virtualized environment, the host flow management cannot determine the destination of any flow that is passed to the guest. The flow-proxy parameter improves performance by indicating to the host flow management that flows will be consumed by the guest and do not need to be managed by the host.

Command: configure vap-group <VAP_group_name> ip-flow-rule <ip_flow_rule_name> incoming-circuit-group any
Changes: When creating an ip-flow-rule for a vap-group, in addition to specifying the number of an incoming-circuit-group, you can now specify any. This parameter acts as a wild card.

Command: configure vap-group <VAP_group_name> vg-reset-wait-time
Changes: The vg-reset-wait-time sub-command has been added to the configure vap-group command to configure the wait time before resetting the VAP if no connectivity is detected.

Command: configure vrrp failover-group <failover_group_name> monitor-group-interfaces <priority_delta> <dist-port-threshold>
Changes: The monitor-group-interfaces command has been added to the configure vrrp failover-group context to enable you to configure health monitoring for the specified vrrp group interface. The priority_delta parameter sets the priority delta value for the group interface. The dist-port-threshold parameter sets the minimum number of ports that must be in the active, distributing state. If the number of ports in that state falls below this threshold, the priority delta value is subtracted from failover group priority.

Command: configure vrrp failover-group <failover_group_name> virtual-router <vr_name> vap-group <VAP_group_name> virtual-ip <IP_address> floating
Changes: The floating parameter assigns the virtual IP address to the master VAP, allowing traffic, cluster management, and synchronization communication to go directly to the master VAP. If a new master VAP is elected, the address floats (is assigned) to the new master. In a VRRP configuration, the floating parameter assigns the virtual IP address to the master VAP on the new master chassis in the event of a failover.

Command: cp-disk-scheme
Changes: This command is used to select a different disk partitioning scheme than the current one. When you execute this command, you set the value of the configured scheme. After the next CPM reboot, the value that you configured is used to reconfigure the disk partitioning scheme.

Command: show cp-disk-scheme
Changes: The show cp-disk-scheme command displays the current and configured disk partitioning scheme.

Command: show acl-interface-mapping
Changes: The show acl-mapping command has been renamed to show acl-interface-mapping.


Command: show alarms {active | history | model}
Changes: This command now requires either the active or history parameter to display alarms data. Additional parameters enable you to filter output by severity, source, alarm ID, date, and to display verbose output. The model parameter displays the XOS alarms model.

Command: clear alarms {id {<id#> | <lowest_id#> <highest_id#>} | all}
Changes: This command enables an administrator to clear a user-clearable alarm from the active alarms table.

Command: show cp-next-boot
Changes: The privilege level of this command has been changed from 15 to 0 to support the GEM application.

Command: show interface detail [phy | ipv4 | ipv6 | non-ipv4]
Changes: The phy, ipv4, ipv6, and non-ipv4 parameters have been added to the show interface detail command to enable you to filter the verbose output of the command.

Command: show interface high-availability
Changes: The high-availability parameter has been added to the show interface command to display the high-availability port configuration and statistics.

Command: clear interface high-availability
Changes: The high-availability parameter has been added to the clear interface command to clear the counters on the high-availability interface.

Command: show remote-box <remote_system_id>
Changes: The show remote-box command can now be used with the <remote_system_id> as a parameter. When used this way, a specific remote system can be specified.

Command: show tech-support -bundle
Changes: The bundle parameter has been added to the show tech-support command to capture additional diagnostic information in tar.gz format.

Command: show tech-support -paging
Changes: The paging parameter has been added to the show tech-support command to enable paging the output one screen at a time. The new default behavior is to write all of the output to the screen.

Command: show vrrp monitor-group-interfaces [<failover_group_name>]
Changes: The monitor-group-interfaces command displays the VRRP configuration and current status of all monitored group-interfaces, or displays all monitored group-interfaces assigned to circuits that belong to the specified failover group.

Command: show|copy running-config bridge-mode <circuit_name>
Changes: The bridge-mode parameter has been added to enable you to specify the bridge circuit whose configuration will be displayed or copied.

Command: show|copy running-config interface-internal <interface-internal_name>
Changes: The interface-internal parameter has been added to enable you to specify the interface-internal whose configuration will be displayed or copied.

Command: show|copy running-config interface-status-group <interface-status_group_name>
Changes: The interface-status-group parameter has been added to enable you to specify the interface-status-group whose configuration will be displayed or copied.

Command: show|copy startup-config interface-internal <interface-internal_name>
Changes: The interface-internal parameter has been added to enable you to specify the interface-internal whose configuration will be displayed or copied.

Command: show|copy startup-config interface-status-group <interface-status_group_name>
Changes: The interface-status-group parameter has been added to enable you to specify the interface-status-group whose configuration will be displayed or copied.


Removed Commands
No commands were removed in XOS V9.5.1. The following commands were removed in XOS V9.5.

Command: configure automated-workflows log-file-maxdays
Changes: The configure automated-workflows command and the sub-command log-file-maxdays have been removed. See automated-workflows in the previous table.

Command: configure circuit <circuit_name> internal
Changes: The internal command is no longer available in this context. The functions of the internal command have been replaced. See configure interface-internal and configure circuit <circuit_name> link-state-resistant in the previous table.

Command: configure group-interface group <group_interface_name>
Changes: The group command has been removed.

Command: configure group-interface interface-internal
Changes: The interface-internal command is no longer available in this context. See configure interface-internal in the previous table.

Command: configure group-interface mode [bridge | transparent]
Changes: The bridge and transparent sub-commands are no longer available in this context. Use configure bridge-mode or configure bridge-mode <circuit_name> transparent.

Command: configure group-interface <group_interface_name> mode multi-link circuit <circuit_name> interface <slot/port> device-name
Changes: The device-name command is no longer available in this context. It is not applicable to a multi-link configuration.

Command: configure group-interface status-grouping
Changes: The status-grouping command is no longer available in this context. See configure interface-status-group in the previous table.

Command: configure management-server
Changes: The management-server command has been removed. The show management-server command has also been removed.

Command: show acl-mapping
Changes: The show acl-mapping command has been renamed to show acl-interface-mapping.

Commands Unavailable on the X20, X30, and/or X60 Chassis


Command: cp-unknown-state
Changes: This command assumes the presence of two CPMs and does not apply on an X20 or X30 chassis.

Command: show cp-unknown-state
Changes: This command assumes the presence of two CPMs and does not apply on an X20 or X30 chassis.

Command: configure cp-action disk-error
Changes: This command assumes the presence of two CPMs and does not apply on an X20 or X30 chassis.


Command: show cp-disk-error
Changes: This command assumes the presence of two CPMs and does not apply on an X20 or X30 chassis.

Command: configure web-timeout
Changes: This EMS command is not supported on X20, X30, or X60 chassis.

Command: show web-timeout
Changes: This EMS command is not supported on X20, X30, or X60 chassis.

Command: configure web-wizard
Changes: This EMS command is not supported on X20, X30, or X60 chassis.

Command: show web-wizard
Changes: This EMS command is not supported on X20, X30, or X60 chassis.


3. Basic CLI Console Commands

This chapter describes the basic CLI console commands. You use these commands to navigate through CLI contexts, navigate through the directory structure on the CPM, configure the CLI console display, and display context-sensitive help for CLI commands and parameters.

This chapter contains the following sections:
- Commands for Moving to a Higher-Level CLI Context
- Commands for Navigating the Directory Structure on the CPM
- Commands for Configuring the CLI Console Display
- CLI Help Commands


Commands for Moving to a Higher-Level CLI Context


You move from a higher-level CLI context into a lower-level (nested) CLI context by issuing a single command or a series of commands from within the higher-level context. This section describes the commands that you can use to move from a lower-level CLI context to a higher-level CLI context.

This section contains the following command descriptions:
- end
- exit

end
Moves you up to the main CLI context from any lower-level CLI context.

NOTE: You can also press Ctrl-z to enter a command and then return to the main CLI context.

Syntax
end

Context
You can access this command from any CLI context.

Restrictions
Default Privilege Level: 0

Example
In the following example, the end command is used to move up to the main CLI context from the VAP group configuration (config-vap-grp) CLI context.

CBS(config-vap-grp)# end
CBS#


exit
If you issue this command from a nested CLI context level, the command moves you up to the next-highest CLI context level. If you issue this command from the main CLI context, the command logs you out of the current CLI session.

Syntax
exit

Context
You can access this command from any CLI context.

Restrictions
Default Privilege Level: 0

Example
In the following example, the exit command is used to move up to the configuration (conf-vrrp-group) CLI context from the virtual router configuration (conf-vrrp-failover-vr) CLI context.

CBS# configure vrrp failover-group fail1 failover-group-id 55
CBS(conf-vrrp-group)# virtual-router vrrp-id 55 circuit cct1
CBS(conf-vrrp-failover-vr)# exit
CBS(conf-vrrp-group)#


Commands for Navigating the Directory Structure on the CPM


This section describes the commands that you can use to navigate through the directory structure on the CPM.

This section contains the following command descriptions:
- cd
- dir
- pwd

cd
Standard Unix change directory command. You can specify a directory name, full path name, or relative path name to access a directory on the CPM. You can also specify the cd command without arguments to access your home directory.

NOTE: Your home directory is: /tftpboot/.private/home/<user_name>

Syntax
cd [<directory_name> | <full_path_name> | <relative_path_name>]

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <directory_name>
Description: Specifies the name of the directory to which you want to navigate. The specified directory must be nested within the current directory.

Parameter: <full_path_name>
Description: Specifies the full path to the directory to which you want to navigate.

Parameter: <relative_path_name>
Description: Specifies the relative path to the directory to which you want to navigate. For example:
CBS# cd ../mytestdir
CBS#

Restrictions
Default Privilege Level: 0

Example
The following command moves the user into the /crossbeam/rpm directory:

CBS# cd /crossbeam/rpm
CBS#


dir
Lists the existing files and directories in the specified directory. If you do not specify a directory name or full path name, the command lists the existing files and directories in the current directory.

NOTE: This command is functionally equivalent to the standard Linux ls command, and you can use ls command options with the dir command.

Syntax
dir [<directory_name> | <full_path_name> | <relative_path_name>]

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <directory_name>
Description: Specifies the name of the directory whose contents you want to display.

Parameter: <full_path_name>
Description: Specifies the full path to the directory whose contents you want to display.

Parameter: <relative_path_name>
Description: Specifies the relative path to the directory whose contents you want to display. For example:
CBS# dir ../mytestdir
CBS#

Restrictions
Default Privilege Level: 0

Example
The following command displays the contents of the admin user's home directory:

CBS# dir
total 24
drwx------  2 admin cbcli 4096 Mar  2 17:58 .
drwxr-xr-x  4 root  root  4096 Mar  4 13:53 ..
-rw-r--r--  1 admin cbcli   24 Mar  2 17:58 .bash_logout
-rw-r--r--  1 admin cbcli  191 Mar  2 17:58 .bash_profile
-rw-r--r--  1 admin cbcli  124 Mar  2 17:58 .bashrc
-rw-r--r--  1 admin cbcli   34 Mar  2 17:58 .telnetrc
CBS#


pwd
Displays the current directory path.

Syntax
pwd

Context
You can access this command from any CLI context.

Restrictions
Default Privilege Level: 0

Example
The following command displays the path to the home directory for the admin user.

CBS# pwd
/tftpboot/.private/home/admin
CBS#

NOTE: The example above assumes the user has not changed from the home directory.


Commands for Configuring the CLI Console Display


This section describes the commands that you can use to configure the CLI console display.

This section contains the following command descriptions:
- clear-screen
- configure prompt
- prompt
- configure terminal history
- terminal history
- enable more

clear-screen
Clears all text from the current CLI console screen.

Syntax
clear-screen

Context
You can access this command from any CLI context.

Restrictions
Default Privilege Level: 0

configure prompt
Configures the default CLI system prompt for the current CLI console session and all new CLI console sessions.

Syntax
configure prompt <prompt_string>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <prompt_string>
Description: Default CLI prompt text string.


Restrictions
Default Privilege Level: 15
A CLI prompt text string must contain only alphanumeric characters.
A CLI prompt text string cannot contain whitespace characters.

Example
The following command changes the default CLI prompt text to XOS_Expert:

CBS# configure prompt XOS_Expert
XOS_Expert#

prompt
Configures the CLI system prompt for the current CLI console session only.

Syntax
prompt <prompt_string>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <prompt_string>
Description: CLI prompt text string used during the current CLI session.

Restrictions
Default Privilege Level: 0
A CLI prompt text string must contain only alphanumeric characters.
A CLI prompt text string cannot contain whitespace characters.

Example
The following command changes the CLI prompt text to XOSExpert for the duration of the current CLI console session:

CBS# prompt XOSExpert
XOSExpert#


configure terminal history


Sets the number of commands stored in the terminal history buffer for the current CLI console session and all new CLI console sessions. The default is 70 commands. Use the no parameter to restore this default value. Use the show terminal history command to display the number of commands stored in the terminal history buffer for the current CLI console session.

NOTE: The X-Series Platform stores the current user's most recent CLI command entries in the terminal history buffer. Use the show history command to display the commands currently stored in the terminal history buffer. You can press the up arrow or press Ctrl-p to view and/or reissue the prior command in the terminal history buffer. You can press the down arrow or press Ctrl-n to view and/or reissue the next command in the terminal history buffer.

Syntax
configure terminal [no] history <number_of_commands>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <number_of_commands>
Description: Number of previously entered CLI commands stored in the terminal history buffer. Valid values are 0 to 256. Default is 70.

Restrictions
Default Privilege Level: 15

Example
The following command sets the number of commands stored in the terminal history buffer to 100, for the current CLI console session and all new CLI console sessions:

CBS# configure terminal history 100
CBS#


terminal history
Sets the number of commands stored in the terminal history buffer for the current CLI console session only. The default is 70 commands. Use the no parameter to restore this default value. Use the show terminal history command to display the number of commands stored in the terminal history buffer for the current CLI console session.

NOTE: The X-Series Platform stores the current user's most recent CLI command entries in the terminal history buffer. Use the show history command to display the commands currently stored in the terminal history buffer. You can press the up arrow or press Ctrl-p to view and/or reissue the prior command in the terminal history buffer. You can press the down arrow or press Ctrl-n to view and/or reissue the next command in the terminal history buffer.

Syntax
terminal [no] history size <number_of_commands>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: size
Description: Required keyword.

Parameter: <number_of_commands>
Description: Number of previously entered CLI commands stored in the terminal history buffer. Valid values are 0 to 256. Default is 70.

Restrictions
Default Privilege Level: 0

Example
The following command sets the number of commands stored in the terminal history buffer to 100, for the current CLI console session only:

CBS# terminal history size 100
CBS#


enable more
Enables or disables (using no) the CLI console display's paging feature for the current CLI session. This feature is enabled by default. When the paging feature is enabled, the CLI console displays only as much text as will fit on a single screen, and then prompts you to press a key to display more text. When the paging feature is disabled, the CLI console displays each command's output in its entirety, even if the text does not fit on a single screen. To see more than one screen full of command output, you will have to scroll up in the CLI console window.

NOTE: This command applies only to the current CLI console session.

Syntax
[no] enable more

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following command disables the CLI console display's paging feature for the current CLI session:

CBS# no enable more
CBS#


CLI Help Commands


This section describes the commands that you can use to display context-sensitive help for CLI commands and parameters.

This section contains the following command descriptions:
- Question Mark (?) Command
- help
- show vrrp detail-status-help

Question Mark (?) Command


Displays context-sensitive help for CLI commands and parameters. Use the question mark (?) command, as follows:
- To display help for the commands that are available within the current CLI context, enter a question mark (?) at the command prompt.
- To display a list of the available commands that start with a particular character set, enter the abbreviated command immediately followed by a question mark (?).
- To display help for a command's legal arguments, enter a question mark (?) in place of an argument at the command prompt.

Syntax
?
<abbreviated_command>?
<commands> [<arguments>] ?

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <abbreviated_command>
Description: Initial characters used in one or more CLI commands. Issue the question mark (?) command immediately after an abbreviated command to display a list of the available commands that begin with those characters. For example, show ap? displays the two commands that start with show ap: show ap-vap-mapping and show application.

Parameter: <commands>
Description: One or more CLI commands that can be entered on the command line from within the current context. Specify one or more commands followed by a space and then the question mark (?) command to display help for all legal arguments to the specified command(s).


Parameter: <arguments>
Description: One or more legal arguments to the CLI commands that are currently entered on the command line. Specify commands with one or more legal arguments followed by a space and then the question mark (?) command to display help for all legal commands and arguments that you can enter at the end of the current command line.

Restrictions
Default Privilege Level: 0

Examples
The following command displays help for the commands that you can issue from within the VRRP VAP group configuration (conf-vrrp-vap-group) CLI context:

CBS(conf-vrrp-vap-group)# ?
active-vap-threshold      - Number of active VAPs required, or priority is reduced
[no] enable               - Enables VRRP on the VAP group
[no] failover-group-list  - Enables failover groups to be affected by this VAP group
[no] hold-down-timer      - Time to wait before becoming VRRP master
[no] priority-delta       - Reduces priority when insufficient active VAPs
<cr>
CBS(conf-vrrp-vap-group)#

The following command displays help for the legal arguments to the configure vap-group command. Since one legal argument to this command is the name of an existing VAP group, the question mark (?) command also lists the existing VAP groups currently configured on the system.

CBS# configure vap-group ?
vap-group <WORD>          - VAP Group name
Existing Vap Groups : es3, es4

The following command lists the commands that are available from the main CLI context and that begin with the characters show ap:

CBS# show ap?
ap-vap-mapping    application
CBS# show ap


help
Displays context-sensitive help for CLI commands and parameters, or displays help for command-line editing keystrokes. Use the help command, as follows:
- To display help for all commands available from the current CLI context, enter the help command without parameters.
- To display help for a specific CLI command available from the current CLI context, enter that command as a parameter to the help command (help <command>).
- To display help for any available commands that begin with a particular character set, enter that character set as a parameter to the help command (help <character_set>).
- To display help for all command-line editing keystrokes, enter help edit.

For more information, see Getting Help on page 34 and Editing the Command Line on page 31.

Syntax
help [<command> | <character_set> | edit]

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <command>
Description: CLI command available from the current CLI context. Specify a CLI command to display help for that command.
NOTE: Commands that contain more than one keyword do not need to be surrounded by quotation marks. If you specify a command that is not available from the current CLI context, the help command results in an error.

Parameter: <character_set>
Description: Initial characters used in one or more CLI commands available from the current CLI context. Specify a set of characters to display help for all available commands that contain those characters.
NOTE: The character set cannot contain spaces. If you specify a set of characters that is not part of any CLI command available from the current CLI context, the help command results in an error.

Parameter: edit
Description: Displays help for all command-line editing keystrokes.

Restrictions
Default Privilege Level: 0


Examples
The following command displays help for the commands that you can issue from within the VRRP VAP group configuration (conf-vrrp-vap-group) CLI context:

CBS(conf-vrrp-vap-group)# help
[no] vap-group            - Configures a VAP group for High Availability
active-vap-threshold      - Number of active VAPs required, or priority is reduced
[no] enable               - Enables VRRP on the VAP group
[no] failover-group-list  - Enables failover groups to be affected by this VAP group
[no] hold-down-timer      - Time to wait before becoming VRRP master
[no] priority-delta       - Reduces priority when insufficient active VAPs
CBS(conf-vrrp-vap-group)#

The following command displays help for the configure vap-group command and all of its legal arguments. Since one legal argument is the name of an existing VAP group, the help command also lists the existing VAP groups currently configured on the system.

CBS# help configure vap-group
[no] vap-group            - Configures a VAP Group
vap-group <WORD>          - VAP Group name
Existing Vap Groups : es3, es4

The following command displays help for the commands that are available from the main CLI context and that begin with the characters ro:

CBS# help ro
routing-protocol           - Accesses routing protocol commands, requires RSW
routing-protocol-services  - Accesses routing protocol services, requires RSW

The following command displays help for all command-line editing keystrokes:

CBS# help edit
Available editing keystrokes
Delete current character.....................Ctrl-d
Delete text up to cursor.....................Ctrl-u
Delete from cursor to end of line............Ctrl-k
Move to beginning of line....................Ctrl-a
Move to end of line..........................Ctrl-e
Get prior command from history...............Ctrl-p
Get next command from history................Ctrl-n
Move cursor left.............................Ctrl-b
Move cursor right............................Ctrl-f
Move back one word...........................Esc-b
Move forward one word........................Esc-f
Convert rest of word to uppercase............Esc-c
Convert rest of word to lowercase............Esc-l
Delete remainder of word.....................Esc-d
Delete word up to cursor.....................Ctrl-w
Transpose current and previous character.....Ctrl-t
Enter command and return to root prompt......Ctrl-z
Refresh input line...........................Ctrl-l


show vrrp detail-status-help


Displays help for the command, show vrrp detail-status.

Syntax
show vrrp detail-status-help

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
CBS# show vrrp detail-status-help
FG ID - This column displays failover group ID
Status - This column displays failover group status. Possible values are as follows: master, backup, down and init
Priority - This column shows failover group priority (actual/configured)
Delta - This column displays vrrp component's configured priority delta as well as information about its usage
    Example:
    10 - priority delta of a component configured as 10 - failover group priority NOT decremented by this delta (no failure)
    -10 - priority delta of a component configured as 10 - failover group priority decremented by this delta (component failure)
    10* - (or -10*) unknown next hop status (see Config Guide for details)
Type - This column displays vrrp component type. Possible values are:
    vr - virtual router, mi - monitored interface, mc - monitored circuit, vg - active vap threshold, nh - next hop
Component - This column gives detailed information about vrrp component type
    Format of this column depends on value of "Type" column:
    vr - virtual router circuit name/virtual router id
    mi - monitored interface
    mc - monitored circuit name
    vg - vap group (active-vap-threshold)
    nh - verify-next-hop IP/virtual router ID


4. Commands for Configuring the X-Series Platform to Enable System Management

This chapter describes the CLI commands that you can use to configure and manage the X-Series Platform.

This chapter contains the following sections:
- Commands for Configuring System Management Settings
- Commands for Configuring X-Series Platform Management Interfaces
- Commands for Configuring User Accounts and Managing User Access to the X-Series Platform
- Commands for Configuring System Alarms and Logs
- Commands for Configuring Chassis Resource Protection
- Commands for Configuring CPM Redundancy
- Commands for Accessing Other Systems from the CPM


Commands for Configuring System Management Settings


This section describes the commands that you can use to configure system management settings for the X-Series Platform.

This section contains the following command descriptions:
- calendar
- configure dns search-name
- configure dns server
- configure hostname
- configure ip domainname
- configure ip forwarding
- configure ip ftp
- configure ip ssh
- configure ip telnet
- configure ldap-server
- configure ldap-parameter
- cp-next-boot
- configure np-reload-timeout
- configure ntp server
- configure operating-mode
- configure radius-server host
- configure system-identifier
- configure system-internal-network
- configure timeout
- timeout
- configure timezone
- configure web-server
- configure web-timeout
- configure web-wizard


calendar
This command sets the system calendar time and date. You must reboot all modules in the chassis (using the reload all command) to enable the calendar command to take effect.

NOTE: The system calendar runs continuously, even if the X-Series Platform is powered off or rebooted. Use the show calendar command to display the current system calendar time and date.

Syntax
calendar <time> <day> <month> <year>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <time>
Description: Current time in 24-hour format, using the following syntax: <hours>:<minutes>:<seconds>
You must specify all three numbers, and you must specify all numbers in two-digit format (using a leading zero with single-digit numbers). For example, to specify 6:00 AM, enter 06:00:00. To specify 6:00 PM, enter 18:00:00.

Parameter: <day>
Description: Current day of the month. Valid values are from 1 to 31.

Parameter: <month>
Description: Current month in three-letter format.

Parameter: <year>
Description: Current year in four-digit format. Valid values are from 2000 to 2037.

Restrictions
Default Privilege Level: 15

Example
The following command sets the system calendar time and date to 4:30 PM on January 13, 2010.

CBS# calendar 16:30:00 13 jan 2010


configure dns search-name


Adds a domain name to the list of domains that the CPM or the VAPs in the specified VAP group can append to a host name when performing a DNS lookup to resolve host names to IP addresses. Use the no parameter to delete the specified domain name from the list of domains that the CPM or the VAPs in the specified VAP group can append to a host name during a DNS query. Use the show dns-search-name command to display the domain names that CPMs and VAP groups can append to host names during DNS queries.

Syntax
configure [no] dns search-name <domain_name> [vap-group <VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <domain_name>
Description: Domain name that you want to add to the list of domains that the CPM or the VAPs in the specified VAP group can append to a hostname during a DNS query.
NOTE: You can define a maximum of 6 domain names for use by a single CPM or VAP group. The total number of characters in the domain names configured for use by a single CPM or VAP group cannot exceed 256.

Parameter: vap-group <VAP_group_name>
Description: Adds the specified domain name to the list of domains that the VAPs in the specified VAP group can append to a hostname during a DNS query. If you do not specify this parameter, the configure dns search-name command adds the specified domain name to the list of domains that the CPM can append to a hostname during a DNS query.

Restrictions
Default Privilege Level: 15
You can define a maximum of 6 domain names for use by a single CPM or VAP group.
The total number of characters in the domain names configured for use by a single CPM or VAP group cannot exceed 256.

Example
The following command adds the domain name, crossbeamxseries.com, to the list of domains that the CPM can append to a hostname when performing a DNS lookup to resolve host names to IP addresses:
CBS# configure dns search-name crossbeamxseries.com
CBS#


configure dns server


Configures all virtual application processor (VAP) groups to use the Domain Name Server (DNS) with the specified IP address, or configures the specified VAP group to use the DNS with the specified IP address. Use the no parameter to delete the specified DNS server configuration. Use the show dns-server command to display the DNS servers configured for the VAP groups configured on the X-Series Platform.

Syntax
configure [no] dns server <IP_address> [vap-group <VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <IP_address>
Description: IP address of the DNS server.

Parameter: vap-group <VAP_group_name>
Description: Configures the DNS server IP address to be used by the specified VAP group. If you do not specify this parameter, all VAP groups will use the specified DNS server IP address.

Restrictions
Default Privilege Level: 15
A maximum of 3 DNS servers can be specified.

Example
The following command shows how to configure a DNS server IP address for a firewall VAP group.
CBS# configure dns server 192.168.2.1 vap-group fw_vap
CBS#


configure hostname
Assigns a host name to the X-Series Platform or to the specified CPM. The default host name for the X-Series Platform is crossbeam. To restore this default setting, enter the configure hostname command without specifying the <host_name> parameter. Use the show hostname command to display the host name assigned to the X-Series Platform.

Syntax
configure hostname [<host_name>] [cp1 | cp2]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <host_name>
Description: Host name assigned to the X-Series Platform or to the specified CPM. The default host name is crossbeam.

Parameter: [cp1 | cp2]
Description: Assigns the host name only to the CPM with the specified module name (cp1 or cp2). Use the show chassis command to display the slot numbers and module names assigned to each CPM in your chassis. If you do not specify a module name, the configure hostname command assigns the specified host name to both CPMs.

Restrictions
Default Privilege Level: 15

Example
The following command assigns the host name XOSExpert to the X-Series Platform.
CBS# configure hostname XOSExpert
CBS#


configure ip domainname
Configures the domain name for the X-Series Platform. The default domain name is crossbeam. Use the no parameter to restore this default setting. Use the show ip domainname command to display the domain name configured for the X-Series Platform.

Syntax
configure [no] ip domainname <domain_name>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <domain_name>
Description: Domain name that you want to assign to the X-Series Platform. The default domain name is crossbeam.

Restrictions
Default Privilege Level: 15

Example
The following command assigns the domain name example.com to the X-Series Platform:
CBS# configure ip domainname example.com
CBS#

configure ip forwarding
Enables or disables (using no) IP forwarding on the primary CPM. IP forwarding is disabled by default. Use the show ip forwarding command to determine whether IP forwarding is enabled on the primary CPM.

Syntax
configure [no] ip forwarding

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15


configure ip ftp
Enables or disables (using no) the FTP server on the CPM. The FTP server is disabled by default.

Syntax
configure [no] ip ftp

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

configure ip ssh
Enables and disables (using no) the SSH server on the X-Series Platform, and configures SSH server authentication options.

An attempted SSH connection is denied if any of the following conditions is true:
- The SSH server is disabled. By default, the SSH server is enabled.
- The user does not enter a valid username and password within the SSH connection timeout period. Default timeout period is 120 seconds.
- The user does not enter a valid username and password within the maximum number of SSH authentication attempts (retries) configured for the SSH server on the X-Series Platform. Default maximum number of SSH authentication attempts is 3.
- The user does not enter a valid username and password within the maximum number of SSH authentication attempts (retries) configured for the SSH client. Default maximum number of SSH authentication attempts is 3.

NOTE: An attempted SSH connection is denied when the user reaches the maximum number of authentication retries for either the SSH client or the SSH server on the X-Series Platform. If the SSH client and the SSH server have different settings for maximum number of authentication retries, the lower setting applies. For example, if the setting for the SSH client is 3 and the setting for the SSH server on the X-Series Platform is 4, the maximum number of authentication retries allowed is 3.

The no parameter has three possible functions, depending on its placement in the command line:
- Use the configure no ip ssh command to disable the SSH server on the X-Series Platform.
- Use the configure ip ssh no timeout command to restore the default SSH connection timeout period.
- Use the configure ip ssh no authentication-retries command to restore the default maximum number of SSH authentication retries.

Use the show ip ssh command to display the SSH server configuration for the X-Series Platform.

Syntax
configure ip ssh [authentication-timeout <seconds> | authentication-retries <integer>]
configure no ip ssh
configure ip ssh no authentication-timeout
configure ip ssh no authentication-retries

Context
You access this command from the main CLI context.

Inline Commands
The following table lists the CLI commands that you can use inline with the configure ip ssh command.

Command: [no] authentication-timeout <seconds>
Description: Configures the SSH connection timeout period (measured in seconds) for the X-Series Platform. An attempted SSH connection terminates if the user does not specify a valid username and password within the SSH authentication-timeout period. Range is 0 to 65535 seconds. Default timeout period is 120 seconds. Use the no parameter to restore the default setting.

Command: [no] authentication-retries <integer>
Description: Configures the maximum number of user authentication attempts (retries) for an SSH connection attempt on the X-Series Platform. An attempted SSH connection terminates if a user fails to provide a valid username and password within the maximum number of user authentication attempts. Default maximum number of user authentication attempts is 3. Use the no parameter to restore the default setting.
NOTE: An attempted SSH connection is denied when the user reaches the maximum number of authentication retries for either the SSH client or the SSH server on the X-Series Platform. If the SSH client and the SSH server have different settings for maximum number of authentication retries, the lower setting applies. For example, if the setting for the SSH client is 3 and the setting for the SSH server on the X-Series Platform is 4, the maximum number of authentication retries allowed is 3.

Restrictions
Default Privilege Level: 15

configure ip telnet
Enables or disables (using no) the telnet server on the CPM. The telnet server is disabled by default. Use the show ip telnet command to determine whether the telnet server is enabled or disabled.

Syntax
configure [no] ip telnet

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

configure ldap-server
Configures the X-Series Platform to use the specified Lightweight Directory Access Protocol (LDAP) server. Use the no parameter to remove the specified LDAP server definition from the X-Series Platform configuration. The X-Series Platform supports a limited number of Lightweight Directory Access Protocol (LDAP) features to authenticate user logins. Use the show ldap-server command to display the LDAP server configuration (if any) for the X-Series Platform.

Syntax
configure [no] ldap-server {<host_name> | <IP_address>} [auth-port <UDP_destination_port_number>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: {<host_name> | <IP_address>}
Description: Host name or IP address of the LDAP server that you want the X-Series Platform to use.

Parameter: auth-port <UDP_destination_port_number>
Description: Configures the X-Series Platform to use the specified UDP destination port for LDAP server authentication requests. Valid values are 0 to 65535. Default UDP destination port number is 389.

Restrictions
Default Privilege Level: 15


configure ldap-parameter
Defines the parameters that the X-Series Platform uses to search for a valid Lightweight Directory Access Protocol (LDAP) server. For more information on using an LDAP server, see configure ldap-server on page 66. Use the configure no ldap-parameter command to remove all LDAP server search parameters defined for the X-Series Platform. Use the show ldap-parameters command to display the LDAP server search parameters defined for the X-Series Platform.

Syntax
configure ldap-parameter [version {2|3}] [distinguished-name <distinguished-name>]
configure no ldap-parameter

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: version {2|3}
Description: LDAP version (2 or 3) used by the LDAP server(s) that you want the X-Series Platform to use. Default version number is 3.

Parameter: distinguished-name <distinguished-name>
Description: Distinguished name assigned to the LDAP server(s) that you want the X-Series Platform to use.

Restrictions
Default Privilege Level: 15

cp-next-boot
Configures the specified CPM to boot from the specified disk partition the next time that the CPM boots.

Syntax
cp-next-boot {cp1|cp2} {distribution 1 | distribution 2}

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter: {cp1|cp2}
Description: Specifies the CPM (cp1 or cp2) for which you want to configure the disk partition used for the next CPM boot.

Parameter: {distribution 1 | distribution 2}
Description: Specifies the disk partition (distribution 1 or distribution 2) that the specified CPM will use the next time it boots.

Restrictions
Default Privilege Level: 15

Example
The following command configures the CPM named cp1 to boot from the distribution 2 disk partition the next time the CPM reboots:
CBS# cp-next-boot cp1 distribution 2

configure np-reload-timeout
Configures the time interval, measured in seconds, that the system waits for an NPM to reload. If an NPM reload is not completed within the specified time interval, the system declares the NPM inaccessible and resets the slot. The default time interval is 300 seconds. Use the no parameter to restore this default setting. If your configuration includes a large number of circuits, you may need to configure the system to wait longer for your NPMs to reload. Use the show np-reload-timeout command to display the NPM reload timeout interval configured for the X-Series Platform.

Syntax
configure [no] np-reload-timeout <time_interval>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <time_interval>
Description: Amount of time, in seconds, that the system waits for an NPM to reload before declaring the NPM inaccessible and resetting the slot. Valid values are from 60 to 18000. Default is 300.

Restrictions
Default Privilege Level: 15

configure np-reset-wait-time
Configures the time interval, measured in seconds, that the system waits for a heartbeat signal from an NPM before resetting it. The default time interval is 5 seconds. Use the no parameter to restore this default setting. Use the show np-reset-wait-time command to display the NPM reset timeout interval configured for the X-Series Platform.

Syntax
configure [no] np-reset-wait-time <time_interval>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <time_interval>
Description: Amount of time, in seconds, that the system waits for an NPM to reload before declaring the NPM inaccessible and resetting the slot. Valid values are from 0 to 60. Default is 5.

Restrictions
Default Privilege Level: 15


configure ntp server


Configures the X-Series Platform to use the specified Network Time Protocol (NTP) server.

NOTE: If an X-Series Platform is using an NTP server, you cannot use the calendar command to configure the system calendar date and time for the X-Series Platform.

Use the ntp no server <IP_address> command to delete the specified server from the X-Series Platform NTP server configuration. Use the no ntp server command to delete the X-Series Platform NTP server configuration. Use the show ntp-server command to display the NTP server configuration for the X-Series Platform.

Syntax
configure ntp server <IP_address>
configure no ntp server <IP_address>
configure ntp no server <IP_address>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <IP_address>
Description: IP address of the NTP server that you want the X-Series Platform to use.

Restrictions
Default Privilege Level: 15
If an X-Series Platform is using an NTP server, you cannot use the calendar command to configure the system calendar date and time for the X-Series Platform.

configure operating-mode
Configures the NPM operating mode settings for the X-Series Platform. Use these settings to:
- Configure the X-Series Platform to use one, two, or four NPMs. By default, the X-Series Platform is configured to use two NPMs.
- Configure the X-Series Platform to run in Series-6 NPM mode, which supports functionality available only when using NPM-86x0s. This is the default setting.

IMPORTANT: You must issue the reload all command to enable an NPM operating mode configuration change to take effect.

Use the no parameter to restore the default NPM operating mode settings listed above.


Use the show operating-mode command to display the current NPM operating mode settings for the X-Series Platform.

Syntax
configure operating-mode {single-np | dual-np | quad-np} series-6
configure no operating-mode

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: [single-np | dual-np | quad-np]
Description: Configures the X-Series Platform to use one, two, or four NPMs. Specify one of the following:
- single-np: Configures the X-Series Platform to use only one NPM. This setting is valid only when used with X20, X30, X45, or X60 chassis.
- dual-np: Configures the X-Series Platform to use two NPMs. This is the default setting.
- quad-np: Configures the X-Series Platform to use four NPMs. This setting is valid only when used with X80 chassis.
NOTE: The dual-np and quad-np parameters cannot be used on either the X20 or X30 chassis.

Parameter: series-6
Description: Configures the X-Series Platform to run in Series-6 NPM mode, which supports functionality available only when using NPM-86x0s. This is the default setting.

Restrictions
Default Privilege Level: 15
The operating mode settings that you specify with this command must reflect the actual number and type of NPMs installed in the X-Series Platform.

Example
The following command configures the X-Series Platform to use four NPMs instead of two:
CBS# configure operating-mode quad-np series-6
CBS#
IMPORTANT: You must issue the reload all command to enable the above settings to take effect.


configure radius-server host


Configures the X-Series Platform to support RADIUS Authentication using the specified host as a RADIUS server, and configures RADIUS Authentication settings for the RADIUS server. Use the no parameter to delete the RADIUS server configuration. Use the show radius-server command to display the RADIUS server configuration for the X-Series Platform.

Syntax
configure [no] radius-server host {<host_name>|<IP_address>} [auth-port <auth_port_value>] [timeout <seconds>] [key <keyword>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: host {<host_name> | <IP_address>}
Description: Domain Name Server (DNS) searchable host name or IP address of the host that you want the X-Series Platform to use as a RADIUS server for RADIUS Authentication.

Parameter: auth-port <UDP_destination_port_number>
Description: Configures the X-Series Platform to use the specified UDP destination port for RADIUS Authentication requests. Valid values are 0 to 65535. Default UDP destination port number is 1812.

Parameter: timeout <seconds>
Description: Configures the timeout period, in seconds, for a RADIUS server connection attempt. If a RADIUS server host does not reply to a RADIUS Authentication request within the timeout period, the X-Series Platform terminates the connection to the RADIUS server host. Valid values are from 0 to 3600 seconds. Default is 3 seconds.

Parameter: key <keyword>
Description: Authentication and encryption key used for all RADIUS communications between the RADIUS server host and the RADIUS daemon. The key must match the encryption used on the RADIUS daemon. Invalid characters are ignored. Valid characters include all alphanumeric characters, as well as the following: $ _ @ / + ( ) . < > _

Restrictions
Default Privilege Level: 15
The IP address for the RADIUS server host cannot be in the X-Series Platform's system internal network. The X-Series Platform uses the system internal network for communication between X-Series hardware modules and between X-Series chassis. (For more information, see configure system-internal-network on page 74.)


You cannot assign an IP address to a RADIUS server host if that IP address is already assigned to an existing element in the XOS configuration. For example, you cannot use an existing circuit's IP address or an existing management IP address as the RADIUS server host's IP address.
NOTE: The IP address for the RADIUS server host can be in the same network as an existing circuit IP address and can be in the same network as an existing management IP address.

configure system-identifier
Assigns a system identifier to the X-Series Platform and integrates the system identifier into the internal control network IP address. The internal control network IP address is in the format a.b.xxx.0; the configured system identifier replaces xxx. The system identifier must be unique for each X-Series Platform.

NOTE: Before migrating to XOS V9.5.1 from a previous release, you must ensure that a system identifier has been configured for the X-Series Platform.

Use the show system-identifier command to display the system identifier (if any) assigned to the X-Series Platform.

Syntax
configure system-identifier <system_ID>

Context
You access this command from the main CLI context.

Example
On a system with an internal network of 5.8.0.0/16 and a system-identifier of 44, NPM1 would be assigned IP address 5.8.44.1, the primary CPM would be assigned 5.8.44.20, and APM1 would be assigned 5.8.44.32.

Parameters
The following table lists the parameters used with this command.

Parameter: <system_ID>
Description: System identifier assigned to the X-Series Platform. Valid values are from 1 to 255.

Restrictions
Default Privilege Level: 15
Each X-Series Platform must have a unique system identifier.


configure system-internal-network
Configures the internal control network for the X-Series Platform. Use the show system-internal-network command to display the configured and operational internal control network IP addresses for the X-Series Platform.

Syntax
configure system-internal-network {<IP_address> <subnet_mask> | <IP_address>/<0-16>}

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: {<IP_address> <subnet_mask> | <IP_address>/<0-16>}
Description: Internal control network assigned to the X-Series Platform. You can specify the internal control network as a separate network IP address and subnet mask, or you can specify the internal control network using CIDR format (for example, 10.15.0.0/16).

Restrictions
Default Privilege Level: 15
The system internal network IP address cannot be in Class D (224.0.0.0 - 239.255.255.255) or Class E (240.0.0.0 - 255.255.255.255).
The configured and operational system internal network must be unique in the XOS configuration. This means that the configured and operational system internal network IP addresses cannot belong to the same network as any other configured IP address.

Defining the Control Network IP Address and Subnet Mask


The default value for the XOS system-internal-network is 1.1.0.0/16. IANA has recently (January 2010) allocated 1.0.0.0/8 to APNIC for use on the Internet.

IMPORTANT: Be sure to reset the internal network value to an appropriate unused network, a private address range, or unallocated address blocks defined by IANA. This configuration change requires a chassis reload.

XOS restricts IP routes whose destination network is the same as the system-internal-network, or a more specific network within it. Traffic that matches these criteria will not pass through the X-Series Platform.
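The restrictions above and the system-identifier addressing example can be checked before a change that requires a chassis reload. The following Python sketch is an added example, not Crossbeam code: the function names are hypothetical, "private address range" is interpreted as RFC 1918 space, and the module host offsets are only the three shown in the guide's system-identifier example.

```python
"""Pre-change check for an XOS system-internal-network value (added example)."""
from ipaddress import IPv4Interface, IPv4Network

# 224.0.0.0 - 255.255.255.255: the Class D and Class E space the guide forbids.
CLASS_D_E = IPv4Network("224.0.0.0/3")
# Assumption: "private address range" is read here as RFC 1918 space.
RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Host offsets taken only from the guide's system-identifier example.
EXAMPLE_HOST_OFFSETS = {"NPM1": 1, "primary CPM": 20, "APM1": 32}


def check_internal_network(cidr, configured_addresses=()):
    """Return (errors, warnings) for a proposed internal control network.

    configured_addresses: other addresses in the XOS configuration, such as
    management, circuit or RADIUS server IPs ("a.b.c.d" or "a.b.c.d/len").
    """
    errors, warnings = [], []
    net = IPv4Network(cidr, strict=False)
    if net.prefixlen > 16:
        errors.append(f"prefix /{net.prefixlen} is outside the accepted /0-/16 range")
    # Overlap is slightly stricter than the guide's wording for very short prefixes.
    if net.overlaps(CLASS_D_E):
        errors.append(f"{net} falls in Class D or Class E space")
    for addr in configured_addresses:
        ip = IPv4Interface(addr).ip
        if ip in net:
            errors.append(f"configured address {ip} belongs to {net}")
    if not any(net.subnet_of(p) for p in RFC1918):
        warnings.append(f"{net} is not RFC 1918 space; confirm it is unused or unallocated")
    return errors, warnings


def shadowed_routes(cidr, route_destinations):
    """Routes XOS would restrict: destination equal to, or more specific than, the internal network."""
    net = IPv4Network(cidr, strict=False)
    return [r for r in route_destinations if IPv4Network(r, strict=False).subnet_of(net)]


def example_module_addresses(cidr, system_id):
    """Apply the a.b.xxx.0 rule: the system identifier replaces the third octet."""
    if not 1 <= system_id <= 255:
        raise ValueError("system identifier must be from 1 to 255")
    a, b = IPv4Network(cidr, strict=False).network_address.packed[:2]
    return {name: f"{a}.{b}.{system_id}.{off}" for name, off in EXAMPLE_HOST_OFFSETS.items()}


if __name__ == "__main__":
    # Constructed sample values, not taken from a real chassis.
    for candidate in ("1.1.0.0/16", "10.15.0.0/16", "224.1.0.0/16"):
        print(candidate, check_internal_network(candidate, ["10.15.3.5/16", "192.168.2.1"]))
    print(shadowed_routes("10.15.0.0/16", ["10.15.4.0/24", "10.0.0.0/8"]))
    print(example_module_addresses("5.8.0.0/16", 44))
```

The shipped default 1.1.0.0/16 passes the hard restrictions but raises the warning, which matches the guide's advice to move it to an unused or private range.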


configure timeout
Defines the timeout interval for the current CLI console session and for all new CLI console sessions. The default timeout interval is 300 seconds. Use the configure no timeout command to disable the timeout functionality on the X-Series Platform. Use the show timeout command to display the timeout interval for the current CLI console session.

Syntax
configure timeout <seconds>
configure no timeout

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <seconds>
Description: Timeout interval, in seconds, that you want to define for the current CLI console session and for all new CLI console sessions. Valid values are from 1 to 65535. Default is 300 seconds.

Restrictions
Default Privilege Level: 15

timeout
Defines the timeout interval for this CLI console session only. The default timeout interval is 300 seconds. Use the no timeout command to restore this default setting. Use the show timeout command to display the timeout interval for the current CLI console session.

Syntax
timeout <seconds>
no timeout

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter: <seconds>
Description: Timeout interval, in seconds, used only for the current CLI session. Valid values are from 1 to 65535. Default is 300 seconds.

Restrictions
Default Privilege Level: 0

configure timezone
Configures the system time zone for the X-Series Platform. You can specify a time zone with the configure timezone command, or you can issue the command without parameters and allow the CLI to prompt you to select a time zone from a series of menus.

NOTE: The time zone menu also provides you with the option to enter a specific GMT offset time for the system instead of selecting a time zone.

Use the show timezone command to display the current system time zone setting for the X-Series Platform.

Syntax
configure timezone [<time_zone>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <time_zone>
Description: Specifies the name of the system time zone or specifies the area in which the system is being configured. <time_zone> must be a valid Unix time zone keyword. The <time_zone> string is case-sensitive. If you do not specify a time zone, the CLI provides you with a series of menu options that allow you to select a system time zone or enter a GMT offset time for the X-Series Platform.

Restrictions
Default Privilege Level: 15


configure web-server
Enables or disables (using no) access to the Web server on the X-Series Platform. By default, X-Series Platform Web server access is disabled. Enabling access to the Web server allows users to access and manage the X-Series Platform using EMS (Crossbeam's Web-based X-Series Platform management GUI).

Syntax
configure [no] web-server

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

configure web-timeout
Configures the Web server timeout interval for all EMS sessions.

Syntax
configure web-timeout <minutes>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <minutes>
Description: Web server timeout interval, in minutes, used for all EMS sessions. Valid values are from 1 to 65535. Default is 20 minutes.

Restrictions
Default Privilege Level: 15
This command is not available on the X20, X30, or X60 chassis.

Example
The following command sets the Web server timeout interval used for EMS sessions to 20 minutes.
CBS# configure web-timeout 20


configure web-wizard
Configures the X-Series Platform to start the EMS Web Wizard whenever a user logs into the X-Series Platform using EMS.

Syntax
[no] configure web-wizard

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15
This command is not available on the X20, X30, or X60 chassis.


Commands for Configuring X-Series Platform Management Interfaces


This section describes the commands that you can use to configure management interfaces for the X-Series Platform. This section contains the following command descriptions:
- configure management
- enable (conf-mgmt-gig context)
- access-list (conf-mgmt-gig context)
- ip-addr (conf-mgmt-gig context)
- ip-alias (conf-mgmt-gig context)
- ip-nat inside (conf-mgmt-gig context)
- ip-nat outside (conf-mgmt-gig context)
- mac-addr (conf-mgmt-gig context)
- mtu (conf-mgmt-gig context)
- speed (conf-mgmt-gig context)
- show (conf-mgmt-gig context)
- configure management ip-route
- configure management default-gateway
- configure management arp
- configure access-list <ID_number> {deny | permit} ip
- configure access-list <ID_number> {deny | permit} tcp
- configure access-list <ID_number> {deny | permit} udp
- configure access-list <ID_number> {deny | permit} icmp
- configure access-list <ID_number> {deny | permit} protocol-number


configure management
Defines a CPM port as an X-Series Platform management interface, and places you in the CLI context in which you can configure that management interface. Use the no parameter to delete an X-Series Platform management interface configuration.

Syntax
configure [no] management gigabitethernet <slot>/<port>

Contexts and Subcommands


You access this command from the main CLI context. The configure management gigabitethernet command places you in the conf-mgmt-gig context, in which you can configure the management interface on the specified Gigabit Ethernet CPM port.
- enable (conf-mgmt-gig context)
- access-list (conf-mgmt-gig context)
- ip-addr (conf-mgmt-gig context)
- ip-alias (conf-mgmt-gig context)
- ip-nat inside (conf-mgmt-gig context)
- ip-nat outside (conf-mgmt-gig context)
- mac-addr (conf-mgmt-gig context)
- mtu (conf-mgmt-gig context)
- speed (conf-mgmt-gig context)
- show (conf-mgmt-gig context)

Inline Commands
The following table lists the CLI commands used inline with the configure management command.

Command: gigabitethernet
Description: Defines a Gigabit Ethernet port on a CPM as an X-Series Platform management interface.

Parameters
The following table lists the parameters used with this command.

Parameter: <slot>
Description: Slot number for the CPM on which you want to define a port as an X-Series Platform management interface.

Parameter: <port>
Description: Port number for the port that you want to define as an X-Series Platform management interface.


Restrictions
Default Privilege Level: 15

Example
The following example defines Gigabit Ethernet port 1 on the CPM in slot 14 as an X-Series Platform management interface.
CBS# configure management gigabitethernet 14/1
CBS(conf-mgmt-gig)#

enable (conf-mgmt-gig context)


Enables or disables (using no) the X-Series Platform management interface that you are currently configuring. X-Series Platform management interfaces are enabled by default.

Syntax
[no] enable

Contexts
You access this command from the conf-mgmt-gig context. You can access this context from the main CLI context by issuing the configure management command.

Restrictions
Default Privilege Level: 15

access-list (conf-mgmt-gig context)


Configures the X-Series Platform to apply the specified access control list (ACL) to incoming or outgoing traffic passing through the management interface that you are configuring. Use the no parameter to delete the specified access list from the X-Series Platform management interface configuration.

NOTE: Refer to the following sections for instructions on creating, configuring, and deleting ACLs:
- configure access-list <ID_number> {deny | permit} ip
- configure access-list <ID_number> {deny | permit} tcp
- configure access-list <ID_number> {deny | permit} udp
- configure access-list <ID_number> {deny | permit} icmp
- configure access-list <ID_number> {deny | permit} protocol-number

Use the show access-list command to display the configuration for each ACL defined for the X-Series Platform. Use the show (conf-mgmt-gig context) command to display the ACLs configured for the X-Series Platform management interface that you are configuring.


Syntax
[no] access-list <ACL_ID_number> {input | output}

Contexts
You access this command from the conf-mgmt-gig context. You can access this context from the main CLI context by issuing the configure management command.

Parameters
The following table lists the parameters used with this command.

Parameter: <ACL_ID_number>
Description: ID number assigned to the ACL that you want to add to or delete from the X-Series Platform management interface configuration.

Parameter: {input | output}
Description: Specifies whether the CPM applies the ACL to incoming (input) or outgoing (output) traffic passing through the X-Series Platform management interface that you are currently configuring.

Restrictions
Default Privilege Level: 15

Example
The following commands configure the X-Series Platform to apply access control list (ACL) 5 to incoming traffic passing through the X-Series Platform management interface configured on Gigabit Ethernet port 1 on the CPM in slot 14.

CBS# configure management gigabitethernet 14/1
CBS(conf-mgmt-gig)# access-list 5 input
CBS(conf-mgmt-gig)#


ip-addr (conf-mgmt-gig context)


Assigns an IP address and subnet mask to the X-Series Platform management interface that you are configuring. Use the show (conf-mgmt-gig context) command to display the IP address assigned to the X-Series Platform management interface that you are configuring.

Syntax
ip-addr {<IP_address> <subnet_mask> | <IP_address>/<0-32>} [<broadcast_IP_address>]

Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.

Parameters
The following table lists the parameters used with this command.

Parameter: {<IP_address> <subnet_mask> | <IP_address>/<0-32>}
Description: IP address and subnet mask that you want to assign to the X-Series Platform management interface that you are configuring. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).

Parameter: <broadcast_IP_address>
Description: Assigns the specified broadcast IP address to the X-Series Platform management interface that you are currently configuring.

Restrictions
Default Privilege Level: 15


ip-alias (conf-mgmt-gig context)


Configures an alias IP address for the IP address assigned to the X-Series Platform management interface that you are currently configuring. Use the no parameter to delete the specified alias IP address from the X-Series Platform management interface configuration.

Syntax
[no] ip-alias {<IP_address> <subnet_mask> | <IP_address>/<0-32>} [<broadcast_IP_address>]

Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.

Parameters
The following table lists the parameters used with this command.

Parameter: {<IP_address> <subnet_mask> | <IP_address>/<0-32>}
Description: Alias IP address and subnet mask that you want to assign to the X-Series Platform management interface that you are configuring. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).

Parameter: <broadcast_IP_address>
Description: Assigns the specified broadcast IP address to the alias IP address for the X-Series Platform management interface that you are currently configuring.

Restrictions
Default Privilege Level: 15


ip-nat inside (conf-mgmt-gig context)


Enables or disables (using no) Network Address Translation (NAT) for internal management traffic passing between the CPM whose management interface you are currently configuring and a specific VAP in an existing VAP group.

Syntax
[no] ip-nat inside <VAP_management_IP_address> vap-group <VAP_group_name> <VAP_index_number>

Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.

Parameters
The following table lists the parameters used with this command.

Parameter: <VAP_management_IP_address>
Description: Management IP address assigned to the VAP for which you want to enable or disable NAT for internal management traffic.

Parameter: vap-group <VAP_group_name>
Description: Specifies the VAP group that includes the VAP for which you want to enable or disable NAT for internal management traffic.

Parameter: <VAP_index_number>
Description: Specifies the VAP index number for the VAP for which you want to enable or disable NAT for internal management traffic. NOTE: You can use the show ap-vap-mapping command to determine the VAP index number for each VAP in each VAP group configured on the X-Series Platform.

Restrictions
Default Privilege Level: 15


ip-nat outside (conf-mgmt-gig context)


Enables or disables (using no) Network Address Translation (NAT) for external management traffic passing between an external host used to manage the X-Series Platform and the CPM whose management interface you are currently configuring.

Syntax
[no] ip-nat outside <host_IP_address> <Internal_IP_address_for_CPM>

Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.

Parameters
The following table lists the parameters used with this command.

Parameter: <host_IP_address>
Description: IP address of the external host for which you want to enable or disable NAT on the X-Series Platform management interface that you are currently configuring.

Parameter: <Internal_IP_address_for_CPM>
Description: Internal IP address assigned to the CPM whose management interface you are currently configuring. NOTE: You can use the show internal-ip command to determine the internal IP address for the CPM.

Restrictions
Default Privilege Level: 15

mac-addr (conf-mgmt-gig context)


Configures a user-defined MAC address for the X-Series Platform management interface that you are configuring. Use the no parameter to delete the user-defined MAC address for the management interface that you are configuring.

Syntax
[no] mac-addr <MAC_address>

Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.


Parameters
The following table lists the parameters used with this command.

Parameter: <MAC_address>
Description: MAC address that you want to assign to the X-Series Platform management interface that you are currently configuring. NOTE: You must specify the MAC address using the standard format (xx:xx:xx:xx:xx:xx). The MAC address cannot contain only 0s or only fs.

Restrictions
Default Privilege Level: 15
The MAC address assigned to a management interface cannot contain only 0s (0:0:0:0:0:0) or only fs (ff:ff:ff:ff:ff:ff).

mtu (conf-mgmt-gig context)


Sets the Maximum Transmission Unit (MTU), or maximum packet size, in bytes, for traffic passing through the X-Series Platform management interface that you are currently configuring. The default MTU is 1500 bytes. Use the no parameter to restore this default setting.

Syntax
[no] mtu <max_packet_size>

Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.

Parameters
The following table lists the parameters used with this command.

Parameter: <max_packet_size>
Description: Maximum Transmission Unit (MTU), or maximum packet size, in bytes, that you want to set for the X-Series Platform management interface that you are currently configuring. Valid values are from 68 to 1536. Default is 1500.

Restrictions
Default Privilege Level: 15


speed (conf-mgmt-gig context)


Configures the following settings for the X-Series Platform management interface that you are currently configuring. Use the speed command without any arguments to restore all default settings.
- Sets a fixed media speed or enables auto-negotiation of media speed for connections with the management interface. Auto-negotiation is enabled by default.
- Sets the duplex mode (full duplex or half duplex) for the management interface. The default mode is full duplex.

Syntax
speed [10 | 100 | 1000 | auto-negotiate] [half | full]

Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.

Parameters
The following table lists the parameters used with this command.

Parameter: [10 | 100 | 1000 | auto-negotiate]
Description: Sets a fixed media speed in Mbps (10, 100, or 1000) or enables auto-negotiation of media speed (auto-negotiate) for connections with the X-Series Platform management interface that you are currently configuring. By default, auto-negotiation is enabled, so there is no fixed media speed for the management interface.

Parameter: [half | full]
Description: Sets the duplex mode for the X-Series Platform management interface that you are configuring. Valid modes are half duplex (half) and full duplex (full). Default mode is full duplex.

Restrictions
Default Privilege Level: 15


show (conf-mgmt-gig context)


Displays the existing configuration settings for the X-Series Platform management interface that you are currently configuring.

Syntax
show

Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.

Command Output Fields


The following table defines the fields included in the output of this command.

Field: Management Interface
Description: Interface type, CPM slot number, and port number of the X-Series Platform management interface that you are configuring. This row displays information in the following format:
{gigabitethernet | 10gigabitethernet} <slot>/<port>
where:
- {gigabitethernet | 10gigabitethernet} indicates whether this is a Gigabit Ethernet management interface or a 10 Gigabit Ethernet management interface.
- <slot> is the chassis slot number assigned to the CPM on which you are configuring the management interface.
- <port> is the CPM port number assigned to the management interface.
See configure management on page 80 for information about configuring an Ethernet port on a CPM as an X-Series Platform management interface.

Field: Enabled (true/false)
Description: Indicates whether the X-Series Platform management interface is enabled (t) or disabled (f). See enable (conf-mgmt-gig context) on page 81 for information about enabling and disabling an X-Series Platform management interface.

Field: IP Address
Description: IP address assigned to the X-Series Platform management interface. See ip-addr (conf-mgmt-gig context) on page 83 for information about configuring a primary IP address for an X-Series Platform management interface.

Field: Netmask
Description: Subnet mask assigned to the X-Series Platform management interface IP address. See ip-addr (conf-mgmt-gig context) on page 83 for information about configuring a primary IP address and subnet mask for an X-Series Platform management interface.

Field: Broadcast Address
Description: Broadcast IP address assigned to the X-Series Platform management interface. See ip-addr (conf-mgmt-gig context) on page 83 for information about configuring a broadcast IP address for an X-Series Platform management interface.

Field: Auto Negotiate Enabled (true/false)
Description: Indicates whether auto-negotiation of media speed is enabled (t) or disabled (f) for the X-Series Platform management interface. See speed (conf-mgmt-gig context) on page 88 for information about configuring the media speed setting for an X-Series Platform management interface.

Field: Media Speed (Mbits)
Description: Fixed media speed (in Mbps) configured for the X-Series Platform management interface. NOTE: This field only appears if auto-negotiation is disabled. See speed (conf-mgmt-gig context) on page 88 for information about configuring a fixed media speed for an X-Series Platform management interface.

Field: Input Access List
Description: ID number assigned to the access control list (ACL) that the CPM applies to incoming traffic passing through the X-Series Platform management interface. See access-list (conf-mgmt-gig context) on page 81 for information about configuring an ACL for an X-Series Platform management interface.

Field: Output Access List
Description: ID number assigned to the access control list (ACL) that the CPM applies to outgoing traffic passing through the X-Series Platform management interface. See access-list (conf-mgmt-gig context) on page 81 for information about configuring an ACL for an X-Series Platform management interface.

Restrictions
Default Privilege Level: 15

Example
The following commands display the existing management interface configuration settings for Gigabit Ethernet port 1 on the CPM in slot 14.

CBS# configure management gigabitethernet 14/1
CBS(conf-mgmt-gig)# show
Management Interface                : gigabitethernet 14/1
Enabled (true/false)                : t
IP Address                          : 192.168.15.109
Netmask                             : 255.255.255.0
Broadcast Address                   : 192.198.100.255
Auto Negotiate Enabled (true/false) : t
Input Access List                   : 1001
Output Access List                  : 1002
(1 row)
CBS#


configure management ip-route


Configures a static IP route for X-Series Platform management traffic. The primary CPM must use the specified IP route for all packets whose destination IP addresses are in the specified destination network.

NOTE: This command defines static IP routes for X-Series Platform management traffic only. This command does not define static IP routes for VAP group traffic. To define a static IP route for VAP group traffic, use the configure ip route (IPv6 and IPv4) command.

When a packet's destination IP address belongs to the destination IP networks defined for multiple static IP routes, the CPM uses the static IP route whose destination IP network address matches the most bits in the packet's destination IP address.

Optionally, you can specify the metric command inline with the configure management ip-route command to assign a metric value to the specified IP route. If a packet's destination IP address matches the same number of bits in the destination IP network addresses defined for multiple static IP routes, the CPM uses the static IP route with the lowest metric value.

The no parameter has one of two functions, depending on its position in the command line:
- configure management ip-route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address> no metric
  Deletes the metric value configured for the specified management IP route.
- configure management no ip-route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address>
  Deletes the specified management IP route.

Syntax
configure management ip-route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address> [metric <metric_value>]
configure management ip-route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address> no metric
configure management no ip-route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address>

Context
You access this command from the main CLI context.

Inline Commands
The following table lists the CLI commands used inline with the configure management ip-route command.

Command: [no] metric <metric_value>
Description: Configures the X-Series Platform to assign the specified metric value to the management IP route that you are configuring. Valid values are 1 to 255. Use the no parameter to delete the metric assigned to the specified IP route.


Parameters
The following table lists the parameters used with this command.

Parameter: {<IP_address> <subnet_mask> | <IP_address>/<0-32>}
Description: Destination network for which the static IP route is defined. You can specify the destination network as a separate network IP address and subnet mask, or you can specify the destination network using CIDR format (for example, 10.15.0.0/16).

Parameter: <next_hop_IP_address>
Description: Next hop IP address that packets must use to reach the specified destination network.

Restrictions
Default Privilege Level: 15
The destination IP address configured for an IP route cannot be the same as either the configured system internal network IP address or the operational system internal network IP address.

configure management default-gateway


Defines a default IP route (also called a default gateway) for X-Series Platform management traffic. When the primary CPM is unable to assign a single user-defined static IP route to a packet, the primary CPM uses the specified default management IP route.

NOTE: This command defines the default IP route used for X-Series Platform management traffic only. This command does not define the default IP route used for VAP group traffic. To define a default IP route for VAP group traffic, use the configure ip default-network (IPv6 and IPv4) command.

Use the no parameter to delete the specified default gateway from the management interface.

Syntax
configure [no] management default-gateway <IP_address>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command. Parameter <IP_address> Description Default gateway IP address that you want to configure for X-Series Platform management traffic.

Restrictions
Default Privilege Level: 15
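
The route-selection rules given for configure management ip-route and configure management default-gateway, modelled as an added example (not part of the original guide and not XOS code). The MgmtRoute class, the function names and the sample routes are hypothetical; where the guide does not say how a tie is resolved, the function reports the destination as ambiguous instead of guessing.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MgmtRoute:
    """Model of one 'configure management ip-route' entry (hypothetical type)."""
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    metric: Optional[int] = None  # optional on the CLI; valid values are 1 to 255


def parse_route(dest: str, next_hop: str, metric: Optional[int] = None) -> MgmtRoute:
    """Accept the destination as 'A.B.C.D M.M.M.M' or as 'A.B.C.D/len'."""
    if metric is not None and not 1 <= metric <= 255:
        raise ValueError("metric must be 1 to 255")
    # '10.15.3.0 255.255.255.0' becomes '10.15.3.0/255.255.255.0'
    dest = "/".join(dest.split())
    return MgmtRoute(ipaddress.IPv4Network(dest, strict=False),
                     ipaddress.IPv4Address(next_hop), metric)


def select_next_hop(routes: List[MgmtRoute], default_gateway: Optional[str],
                    dst: str) -> Tuple[Optional[str], str]:
    """Return (next_hop, reason) for a management packet sent to dst."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        # No static route covers the destination: use the default gateway.
        return default_gateway, "default-gateway"

    # Rule 1: the route whose network matches the most bits wins.
    longest = max(r.network.prefixlen for r in matches)
    best = [r for r in matches if r.network.prefixlen == longest]
    if len(best) == 1:
        return str(best[0].next_hop), "longest-match"

    # Rule 2: same number of matching bits, so the lowest metric wins.
    # The guide does not define the result when a tied route has no metric
    # or when metrics are equal, so that case is reported, not resolved.
    if any(r.metric is None for r in best):
        return None, "ambiguous"
    lowest = min(r.metric for r in best)
    winners = [r for r in best if r.metric == lowest]
    if len(winners) == 1:
        return str(winners[0].next_hop), "lowest-metric"
    return None, "ambiguous"


# Constructed sample configuration (addresses are illustrative only).
SAMPLE_ROUTES = [
    parse_route("10.15.0.0/16", "192.168.15.1", 10),
    parse_route("10.15.3.0 255.255.255.0", "192.168.15.2", 20),
    parse_route("10.15.3.0/24", "192.168.15.3", 5),
    parse_route("172.16.0.0/12", "192.168.15.4"),
    parse_route("172.16.0.0/12", "192.168.15.5"),
]
SAMPLE_GATEWAY = "192.168.15.254"

if __name__ == "__main__":
    for target in ("10.15.3.5", "10.15.9.9", "172.16.1.1", "8.8.8.8"):
        print(target, select_next_hop(SAMPLE_ROUTES, SAMPLE_GATEWAY, target))
```

Destinations reported as ambiguous point at overlapping routes worth cleaning up, since management traffic for them may leave through a next hop the operator did not intend.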


configure management arp


Adds a new static Address Resolution Protocol (ARP) entry to the ARP table on the primary CPM. Use the no parameter to delete the specified static ARP entry from the ARP table on the primary CPM.

Syntax
configure [no] management arp <IP_address> <MAC_address>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <IP_address>
Description: IP address of the static ARP entry.

Parameter: <MAC_address>
Description: MAC address of the static ARP entry. NOTE: The MAC address cannot contain only 0s or only fs.

Restrictions
Default Privilege Level: 15
The MAC address included in the ARP entry cannot contain only 0s (0:0:0:0:0:0) or only fs (ff:ff:ff:ff:ff:ff).

configure access-list <ID_number> {deny | permit} ip


Configures an access control list (ACL) for Internet Protocol (IP) traffic passing through the primary management interface on the CPM. By default, the interface drops all incoming IP packets. When you use this command to configure an ACL, the X-Series Platform applies the specified action (deny or permit) to IP packets that meet the specified source and destination IP address matching criteria. Use configure no access-list <ID_number> to delete the specified ACL.

Syntax
configure access-list <ID_number> {deny | permit} ip {source-any | source-ip <IP_address> <wildcard_mask>} {destination-any | destination-ip <IP_address> <wildcard_mask>} [log]
configure no access-list <ID_number>

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter: <ID_number>
Description: Assigns an ID number to the ACL.

Parameter: {deny | permit}
Description: Sets the ACL's action to deny (drop packet) or permit (allow packet to pass through the primary management interface on the CPM). The X-Series Platform applies the specified action to IP packets that meet the matching criteria configured for the ACL. Default action for all IP packets is deny. (Drop all IP packets.)

Parameter: log
Description: Enables packet information logging for the ACL. By default, logging is disabled. If logging is enabled, the X-Series Platform logs an informational message about each packet that meets the matching criteria configured for the ACL.

Inline Commands
The following table lists the CLI commands used inline with the configure access-list <ID_number> {deny | permit} ip command.

Command: source-any
Description: Sets the source IP address matching criteria for the ACL to any source IP address. The X-Series Platform applies the ACL's action without considering a packet's source IP address.

Command: source-ip <IP_address> <wildcard_mask>
Description: Configures the source IP address matching criteria for the ACL. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's source IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's source IP address, use a wildcard mask of 255.255.255.255.

Command: destination-any
Description: Sets the destination IP address matching criteria for the ACL to any destination IP address. The X-Series Platform applies the ACL's action without considering a packet's destination IP address.

Command: destination-ip <IP_address> <wildcard_mask>
Description: Configures the destination IP address matching criteria for the ACL. Applies the ACL's action (deny or permit) to a packet only if its destination IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's destination IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's destination IP address, use a wildcard mask of 255.255.255.255.

Restrictions
Default Privilege Level: 15

configure access-list <ID_number> {deny | permit} tcp


Configures an access control list (ACL) for Transmission Control Protocol (TCP) traffic passing through the primary management interface on the CPM. By default, the interface drops all incoming TCP packets. When you use this command to configure an ACL, the X-Series Platform applies the specified action (deny or permit) to TCP packets that meet the specified source and destination IP address matching criteria and the specified source and destination port matching criteria. Use configure no access-list <ID_number> to delete the specified ACL.

Syntax
configure access-list <ID_number> {deny | permit} tcp {source-any | source-ip <IP_address> <wildcard_mask>} {source-port-any | source-port-name <port_name> | source-port {<port_number> | <lowest_port_number> <highest_port_number>}} {destination-any | destination-ip <IP_address> <wildcard_mask>} {destination-port-any | destination-port-name <port_name> | destination-port {<port_number> | <lowest_port_number> <highest_port_number>}} [log]
configure no access-list <ID_number>

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter: <ID_number>
Description: Assigns an ID number to the ACL.

Parameter: {deny | permit}
Description: Sets the ACL's action to deny (drop packet) or permit (allow packet to pass through the primary management interface on the CPM). The X-Series Platform applies the specified action to TCP packets that meet the matching criteria configured for the ACL. Default action for all TCP packets is deny. (Drop all TCP packets.)

Parameter: log
Description: Enables packet information logging for the ACL. By default, logging is disabled. If logging is enabled, the X-Series Platform logs an informational message about each packet that meets the matching criteria configured for the ACL.

Inline Commands
The following table lists the CLI commands used inline with the configure access-list <ID_number> {deny | permit} tcp command.

Command: source-any
Description: Sets the source IP address matching criteria for the ACL to any source IP address. The X-Series Platform applies the ACL's action without considering a packet's source IP address.

Command: source-ip <IP_address> <wildcard_mask>
Description: Configures the source IP address matching criteria for the ACL. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's source IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's source IP address, use a wildcard mask of 255.255.255.255.

Command: source-port-any
Description: Sets the source port matching criteria for the ACL to any source port. The X-Series Platform applies the ACL's action without considering a packet's source port.

Command: source-port-name <port_name>
Description: Configures the source port matching criteria for the ACL to include only the specified port name. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source port name matches the specified port name. Valid source port names are:
- ftp-data: File Transfer Protocol Data (port 20)
- ftp: File Transfer Protocol (port 21)
- ssh: Secure SHell (port 22)
- telnet: Telecommunications Network Protocol (port 23)
- smtp: Simple Mail Transfer Protocol (port 25)
- time: Time (port 37)
- domain: Domain Name Server (port 53)
- bootps: Bootstrap Protocol Server Protocol (port 67)
- bootpc: Bootstrap Protocol Client Protocol (port 68)
- tftp: Trivial File Transfer Protocol (port 69)
- http: Hyper Text Transfer Protocol or www or www-http (port 80)
- rtelnet: Remote Telecommunications Network Protocol (port 107)
- pop3: Post Office Protocol Version 3 (port 110)
- nntp: Network News Transfer Protocol (port 119)
- ntp: Network Time Protocol (port 123)
- imap: Internet Message Access Protocol (port 143)
- snmp: Simple Network Management Protocol (port 161)
- ldap: Lightweight Directory Access Protocol (port 389)
- https: Secure Hyper Text Transfer Protocol (port 443)
- isakmp: Internet Security Association and Key Management Protocol (port 500)

Command: source-port {<port_number> | <lowest_port_number> <highest_port_number>}
Description: Configures the source port matching criteria for the ACL to include only the specified port number or range of port numbers. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source port number matches the specified port number or is included in the specified range of port numbers.

Command: destination-any
Description: Sets the destination IP address matching criteria for the ACL to any destination IP address. The X-Series Platform applies the ACL's action without considering a packet's destination IP address.

Command: destination-ip <IP_address> <wildcard_mask>
Description: Configures the destination IP address matching criteria for the ACL. Applies the ACL's action (deny or permit) to a packet only if its destination IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's destination IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's destination IP address, use a wildcard mask of 255.255.255.255.

Command: destination-port-any
Description: Sets the destination port matching criteria for the ACL to any destination port. The X-Series Platform applies the ACL's action without considering a packet's destination port.

Command: destination-port-name <port_name>
Description: Configures the destination port matching criteria for the ACL to include only the specified port name. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its destination port name matches the specified port name. Valid destination port names are:
- ftp-data: File Transfer Protocol Data (port 20)
- ftp: File Transfer Protocol (port 21)
- ssh: Secure SHell (port 22)
- telnet: Telecommunications Network Protocol (port 23)
- smtp: Simple Mail Transfer Protocol (port 25)
- time: Time (port 37)
- domain: Domain Name Server (port 53)
- bootps: Bootstrap Protocol Server Protocol (port 67)
- bootpc: Bootstrap Protocol Client Protocol (port 68)
- tftp: Trivial File Transfer Protocol (port 69)
- http: Hyper Text Transfer Protocol or www or www-http (port 80)
- rtelnet: Remote Telecommunications Network Protocol (port 107)
- pop3: Post Office Protocol Version 3 (port 110)
- nntp: Network News Transfer Protocol (port 119)
- ntp: Network Time Protocol (port 123)
- imap: Internet Message Access Protocol (port 143)
- snmp: Simple Network Management Protocol (port 161)
- ldap: Lightweight Directory Access Protocol (port 389)
- https: Secure Hyper Text Transfer Protocol (port 443)
- isakmp: Internet Security Association and Key Management Protocol (port 500)

Command: destination-port {<port_number> | <lowest_port_number> <highest_port_number>}
Description: Configures the destination port matching criteria for the ACL to include only the specified port number or range of port numbers. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its destination port number matches the specified port number or is included in the specified range of port numbers.

Restrictions
Default Privilege Level: 15
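
The wildcard-mask and port matching described for source-ip, destination-ip and the port criteria, modelled as an added example that is not part of the original guide and not XOS code. The TcpAcl class, the function names and the two sample ACLs are hypothetical; treating a packet outside the criteria as denied follows the default action stated above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port names and numbers taken from the list on this page (subset).
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23, "http": 80, "snmp": 161, "https": 443}


def _u32(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """True when every non-wildcard bit agrees; 1 bits in the mask are ignored."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(packet_ip) & care) == (_u32(rule_ip) & care)


def cidr_to_wildcard(cidr: str) -> Tuple[str, str]:
    """Convert CIDR notation to the (IP_address, wildcard_mask) pair an ACL takes."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def is_contiguous(wildcard: str) -> bool:
    """True when the mask is 0s followed by 1s, i.e. equivalent to one CIDR prefix."""
    w = _u32(wildcard)
    return (w & (w + 1)) == 0


@dataclass(frozen=True)
class TcpAcl:
    """Model of one 'configure access-list <ID> {deny | permit} tcp' entry."""
    acl_id: int
    action: str                                  # "permit" or "deny"
    src: Optional[Tuple[str, str]] = None        # (ip, wildcard); None = source-any
    src_ports: Optional[Tuple[int, int]] = None  # inclusive; None = source-port-any
    dst: Optional[Tuple[str, str]] = None        # None = destination-any
    dst_ports: Optional[Tuple[int, int]] = None  # None = destination-port-any


def _addr_ok(criteria: Optional[Tuple[str, str]], ip: str) -> bool:
    return criteria is None or wildcard_match(ip, criteria[0], criteria[1])


def _port_ok(rng: Optional[Tuple[int, int]], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def evaluate(acl: TcpAcl, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
    """Return the action applied to one TCP packet."""
    matched = (_addr_ok(acl.src, src_ip) and _port_ok(acl.src_ports, src_port)
               and _addr_ok(acl.dst, dst_ip) and _port_ok(acl.dst_ports, dst_port))
    # Assumption: a packet outside the criteria gets the page's default action.
    return acl.action if matched else "deny"


def audit(acl: TcpAcl) -> List[str]:
    """Flag criteria that are broader, or stranger, than an operator likely meant."""
    findings = []
    if acl.action == "permit":
        if acl.src is None or acl.src[1] == "255.255.255.255":
            findings.append("permit matches any source address")
        if acl.dst_ports is None:
            findings.append("permit matches any destination port")
    for label, crit in (("source", acl.src), ("destination", acl.dst)):
        if crit and not is_contiguous(crit[1]):
            findings.append(f"{label} wildcard {crit[1]} is not a single prefix")
    return findings


# Constructed samples: SSH from 10.15.0.0/16 only, and a loosely written permit.
_SSH = PORT_NAMES["ssh"]
ACL_5 = TcpAcl(5, "permit", src=cidr_to_wildcard("10.15.0.0/16"), dst_ports=(_SSH, _SSH))
ACL_6 = TcpAcl(6, "permit", src=("10.15.0.5", "0.0.255.0"))

if __name__ == "__main__":
    print(evaluate(ACL_5, "10.15.3.5", 40000, "192.168.15.109", 22))
    print(audit(ACL_6))
```

ACL_6 shows why non-contiguous masks deserve review: 0.0.255.0 admits host .5 on all 256 subnets under 10.15, which is easy to misread as a single host.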


configure access-list <ID_number> {deny | permit} udp


Configures an access control list (ACL) for User Datagram Protocol (UDP) traffic passing through the primary management interface on the CPM. By default, the interface drops all incoming UDP packets. When you use this command to configure an ACL, the X-Series Platform applies the specified action (deny or permit) to UDP packets that meet the specified source and destination IP address matching criteria and the specified source and destination port matching criteria. Use configure no access-list <ID_number> to delete the specified ACL.

Syntax
configure access-list <ID_number> {deny | permit} udp {source-any | source-ip <IP_address> <wildcard_mask>} {source-port-any | source-port-name <port_name> | source-port {<port_number> | <lowest_port_number> <highest_port_number>}} {destination-any | destination-ip <IP_address> <wildcard_mask>} {destination-port-any | destination-port-name <port_name> | destination-port {<port_number> | <lowest_port_number> <highest_port_number>}} [log]
configure no access-list <ID_number>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <ID_number>
Description: Assigns an ID number to the ACL.

Parameter: {deny | permit}
Description: Sets the ACL's action to deny (drop packet) or permit (allow packet to pass through the primary management interface on the CPM). The X-Series Platform applies the specified action to UDP packets that meet the matching criteria configured for the ACL. Default action for all UDP packets is deny. (Drop all UDP packets.)

Parameter: log
Description: Enables packet information logging for the ACL. By default, logging is disabled. If logging is enabled, the X-Series Platform logs an informational message about each packet that meets the matching criteria configured for the ACL.


Inline Commands
The following table lists the CLI commands used inline with the configure access-list <ID_number> {deny | permit} udp command.

source-any
Sets the source IP address matching criteria for the ACL to any source IP address. The X-Series Platform applies the ACL's action without considering a packet's source IP address.

source-ip <IP_address> <wildcard_mask>
Configures the source IP address matching criteria for the ACL. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's source IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's source IP address, use a wildcard mask of 255.255.255.255.

source-port-any
Sets the source port matching criteria for the ACL to any source port. The X-Series Platform applies the ACL's action without considering a packet's source port.


source-port-name <port_name>
Configures the source port matching criteria for the ACL to include only the specified port name. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source port name matches the specified port name. Valid source port names are:
- ftp-data: File Transfer Protocol Data (port 20)
- ftp: File Transfer Protocol (port 21)
- ssh: Secure SHell (port 22)
- telnet: Telecommunications Network Protocol (port 23)
- smtp: Simple Mail Transfer Protocol (port 25)
- time: Time (port 37)
- domain: Domain Name Server (port 53)
- bootps: Bootstrap Protocol Server Protocol (port 67)
- bootpc: Bootstrap Protocol Client Protocol (port 68)
- tftp: Trivial File Transfer Protocol (port 69)
- http: Hyper Text Transfer Protocol or www or www-http (port 80)
- rtelnet: Remote Telecommunications Network Protocol (port 107)
- pop3: Post Office Protocol Version 3 (port 110)
- nntp: Network News Transfer Protocol (port 119)
- ntp: Network Time Protocol (port 123)
- imap: Internet Message Access Protocol (port 143)
- snmp: Simple Network Management Protocol (port 161)
- ldap: Lightweight Directory Access Protocol (port 389)
- https: Secure Hyper Text Transfer Protocol (port 443)
- isakmp: Internet Security Association and Key Management Protocol (port 500)

source-port {<port_number> | <lowest_port_number> <highest_port_number>}
Configures the source port matching criteria for the ACL to include only the specified port number or range of port numbers. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source port number matches the specified port number or is included in the specified range of port numbers.

destination-any
Sets the destination IP address matching criteria for the ACL to any destination IP address. The X-Series Platform applies the ACL's action without considering a packet's destination IP address.


destination-ip <IP_address> <wildcard_mask>
Configures the destination IP address matching criteria for the ACL. Applies the ACL's action (deny or permit) to a packet only if its destination IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's destination IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's destination IP address, use a wildcard mask of 255.255.255.255.

destination-port-any
Sets the destination port matching criteria for the ACL to any destination port. The X-Series Platform applies the ACL's action without considering a packet's destination port.


destination-port-name <port_name>
Configures the destination port matching criteria for the ACL to include only the specified port name. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its destination port name matches the specified port name. Valid destination port names are:
- ftp-data: File Transfer Protocol Data (port 20)
- ftp: File Transfer Protocol (port 21)
- ssh: Secure SHell (port 22)
- telnet: Telecommunications Network Protocol (port 23)
- smtp: Simple Mail Transfer Protocol (port 25)
- time: Time (port 37)
- domain: Domain Name Server (port 53)
- bootps: Bootstrap Protocol Server Protocol (port 67)
- bootpc: Bootstrap Protocol Client Protocol (port 68)
- tftp: Trivial File Transfer Protocol (port 69)
- http: Hyper Text Transfer Protocol or www or www-http (port 80)
- rtelnet: Remote Telecommunications Network Protocol (port 107)
- pop3: Post Office Protocol Version 3 (port 110)
- nntp: Network News Transfer Protocol (port 119)
- ntp: Network Time Protocol (port 123)
- imap: Internet Message Access Protocol (port 143)
- snmp: Simple Network Management Protocol (port 161)
- ldap: Lightweight Directory Access Protocol (port 389)
- https: Secure Hyper Text Transfer Protocol (port 443)
- isakmp: Internet Security Association and Key Management Protocol (port 500)

destination-port {<port_number> | <lowest_port_number> <highest_port_number>}
Configures the destination port matching criteria for the ACL to include only the specified port number or range of port numbers. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its destination port number matches the specified port number or is included in the specified range of port numbers.

Restrictions
Default Privilege Level: 15


configure access-list <ID_number> {deny | permit} icmp


Configures an access control list (ACL) for Internet Control Message Protocol (ICMP) traffic passing through the primary management interface on the CPM. By default, the interface drops all incoming ICMP packets. When you use this command to configure an ACL, the X-Series Platform applies the specified action (deny or permit) to ICMP packets that meet the specified source and destination IP address matching criteria and the specified message matching criteria. Use configure no access-list <ID_number> to delete the specified ACL.

Syntax
configure access-list <ID_number> {deny | permit} icmp {source-any | source-ip <IP_address> <wildcard_mask>} {destination-any | destination-ip <IP_address> <wildcard_mask>} {icmp-message <message_name> | icmp-type <type_number>} [log]
configure no access-list <ID_number>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

<ID_number>
Assigns an ID number to the ACL.

{deny | permit}
Sets the ACL's action to deny (drop packet) or permit (allow packet to pass through the primary management interface on the CPM). The X-Series Platform applies the specified action to ICMP packets that meet the matching criteria configured for the ACL. Default action for all ICMP packets is deny. (Drop all ICMP packets.)

log
Enables packet information logging for the ACL. By default, logging is disabled. If logging is enabled, the X-Series Platform logs an informational message about each packet that meets the matching criteria configured for the ACL.


Inline Commands
The following table lists the CLI commands used inline with the configure access-list <ID_number> {deny | permit} icmp command.

source-any
Sets the source IP address matching criteria for the ACL to any source IP address. The X-Series Platform applies the ACL's action without considering a packet's source IP address.

source-ip <IP_address> <wildcard_mask>
Configures the source IP address matching criteria for the ACL. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's source IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's source IP address, use a wildcard mask of 255.255.255.255.

destination-any
Sets the destination IP address matching criteria for the ACL to any destination IP address. The X-Series Platform applies the ACL's action without considering a packet's destination IP address.

destination-ip <IP_address> <wildcard_mask>
Configures the destination IP address matching criteria for the ACL. Applies the ACL's action (deny or permit) to a packet only if its destination IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's destination IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's destination IP address, use a wildcard mask of 255.255.255.255.


icmp-message <message_name>
Configures the ICMP message matching criteria for the ACL to include only the specified message name. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its message name matches the specified message name. Enter the text string, for example, network-redirect. As an alternative, see the next row in this table for information on how to enter the icmp-type followed by the type number. A list of names, types, and codes is located here: http://www.iana.org/assignments/icmp-parameters
Valid message names are:
- echo-reply: echo-reply messages (type 0)
- destination-unreachable: unreachable messages (type 3)
- network-unreachable: net-unreachable messages (type 3)
- host-unreachable: host-unreachable messages (type 3)
- protocol-unreachable: protocol-unreachable messages (type 3)
- port-unreachable: port-unreachable messages (type 3)
- fragmentation-needed: packet-too-big messages (type 3)
- source-route-failed: source-route-failed messages (type 3)
- network-unknown: network-unknown messages (type 3)
- host-unknown: host-unknown messages (type 3)
- network-prohibited: dod-net-prohibited messages (type 3)
- host-prohibited: dod-host-prohibited messages (type 3)
- tos-network-unreachable: net-tos-unreachable messages (type 3)
- tos-host-unreachable: host-tos-unreachable messages (type 3)
- communication-prohibited: administratively-prohibited messages (type 3)
- host-precedence-violation: host-precedence-unreachable messages (type 3)
- precedence-cutoff: precedence-unreachable messages (type 3)
- source-quench: source-quench messages (type 4)
- redirect: redirect messages (type 5)
- network-redirect: net-redirect messages (type 5)
- host-redirect: host-redirect messages (type 5)
- tos-network-redirect: net-tos-redirect messages (type 5)
- tos-host-redirect: host-tos-redirect messages (type 5)


- echo-request: echo messages (type 8)
- router-advertisement: router-advertisement messages (type 9)
- router-solicitation: router-solicitation messages (type 10)
- time-exceeded: time-exceeded messages (type 11)
- ttl-zero-during-transit: ttl-exceeded messages (type 11)
- ttl-zero-during-reassembly: reassembly-timeout messages (type 11)
- parameter-problem: parameter-problem messages (type 12)
- ip-header-bad: general-parameter-problem messages (type 12)
- required-option-missing: option-missing messages (type 12)
- timestamp-request: timestamp-request messages (type 13)
- timestamp-reply: timestamp-replace messages (type 14)
- address-mask-request: mask-request messages (type 17)
- address-mask-reply: mask-reply messages (type 18)

icmp-type <type_number>
Configures the ICMP message matching criteria for the ACL to include only packets with the specified message type. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its message type number matches the specified message type number. Valid message type numbers are from 0 to 255.

Restrictions
Default Privilege Level: 15

configure access-list <ID_number> {deny | permit} protocol-number


Configures an access control list (ACL) for traffic using the specified protocol passing through the primary management interface on the CPM. By default, the interface drops all incoming packets. When you use this command to configure an ACL, the X-Series Platform applies the specified action (deny or permit) to IP packets that meet the specified source and destination IP address matching criteria. Use configure no access-list <ID_number> to delete the specified ACL.

Syntax
configure access-list <ID_number> {deny | permit} protocol-number <p_number> {source-any | source-ip <IP_address> <wildcard_mask>} {destination-any | destination-ip <IP_address> <wildcard_mask>} [log]
configure no access-list <ID_number>


Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

<ID_number>
Assigns an ID number to the ACL.

{deny | permit}
Sets the ACL's action to deny (drop packet) or permit (allow packet to pass through the primary management interface on the CPM). The X-Series Platform applies the specified action to IP packets that meet the matching criteria configured for the ACL. Default action for all IP packets is deny. (Drop all IP packets.)

<p_number>
Standard protocol number assigned to the protocol for which the ACL restricts traffic over the primary management interface on the CPM. For example, if you specify 6 as the <p_number>, the X-Series Platform applies the ACL's action (deny or permit) to all TCP packets that meet the ACL's matching criteria. Valid values for <p_number> are from 0 to 255.

log
Enables packet information logging for the ACL. By default, logging is disabled. If logging is enabled, the X-Series Platform logs an informational message about each packet that meets the matching criteria configured for the ACL.

Inline Commands
The following table lists the CLI commands used inline with the configure access-list <ID_number> {deny | permit} protocol-number command.

source-any
Sets the source IP address matching criteria for the ACL to any source IP address. The X-Series Platform applies the ACL's action without considering a packet's source IP address.


source-ip <IP_address> <wildcard_mask>
Configures the source IP address matching criteria for the ACL. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's source IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's source IP address, use a wildcard mask of 255.255.255.255.

destination-any
Sets the destination IP address matching criteria for the ACL to any destination IP address. The X-Series Platform applies the ACL's action without considering a packet's destination IP address.

destination-ip <IP_address> <wildcard_mask>
Configures the destination IP address matching criteria for the ACL. Applies the ACL's action (deny or permit) to a packet only if its destination IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's destination IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's destination IP address, use a wildcard mask of 255.255.255.255.

Restrictions
Default Privilege Level: 15
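
The reverse-mask matching that the source-ip and destination-ip descriptions define for the UDP, ICMP and protocol-number commands, applied here to the UDP command syntax, as an added Python example (not Crossbeam code and not the XOS implementation). The sample ACL lines, the packet addresses and the audit function are constructed for illustration; the second sample line has a subnet mask typed where the reverse mask belongs, so it matches on the last octet only.

```python
import ipaddress

# Port names and numbers as listed in this guide for the *-port-name keywords.
PORT_NAMES = {
    "ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "time": 37,
    "domain": 53, "bootps": 67, "bootpc": 68, "tftp": 69, "http": 80,
    "rtelnet": 107, "pop3": 110, "nntp": 119, "ntp": 123, "imap": 143,
    "snmp": 161, "ldap": 389, "https": 443, "isakmp": 500,
}

# Constructed sample commands (not taken from a real chassis).
GOOD_ACL = ("configure access-list 10 permit udp source-ip 10.1.1.0 0.0.0.255 "
            "source-port-any destination-any destination-port-name snmp log")
BAD_ACL = ("configure access-list 11 permit udp source-ip 10.1.1.0 255.255.255.0 "
           "source-port-any destination-any destination-port 161")


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(packet_ip, acl_ip, wildcard_mask):
    """True if every non-wildcard bit (a 0 in the mask) is equal in both addresses."""
    care = ~_ip(wildcard_mask) & 0xFFFFFFFF
    return ((_ip(packet_ip) ^ _ip(acl_ip)) & care) == 0


def looks_like_netmask(wildcard_mask):
    """Detect a subnet mask (for example 255.255.255.0) used as a reverse mask."""
    mask = _ip(wildcard_mask)
    inverted = ~mask & 0xFFFFFFFF
    # A subnet mask is a run of 1s from the top bit, so its inverse is 2**n - 1.
    return mask not in (0, 0xFFFFFFFF) and (inverted & (inverted + 1)) == 0


def _take_ip(tokens, side):
    """Consume {<side>-any | <side>-ip <IP_address> <wildcard_mask>}."""
    word = tokens.pop(0)
    if word == side + "-any":
        return ("0.0.0.0", "255.255.255.255")
    if word == side + "-ip":
        return (tokens.pop(0), tokens.pop(0))
    raise ValueError("unexpected keyword %r" % word)


def _take_port(tokens, side):
    """Consume the port clause and return an inclusive (low, high) range."""
    word = tokens.pop(0)
    if word == side + "-port-any":
        return (0, 65535)
    if word == side + "-port-name":
        port = PORT_NAMES[tokens.pop(0)]
        return (port, port)
    if word == side + "-port":
        low = int(tokens.pop(0))
        # A second number, when present, is the top of a range.
        high = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else low
        return (low, high)
    raise ValueError("unexpected keyword %r" % word)


def parse_udp_acl(line):
    """Parse one 'configure access-list ... udp ...' command into a dict."""
    tokens = line.split()
    if len(tokens) < 9 or tokens[:2] != ["configure", "access-list"] or tokens[4] != "udp":
        raise ValueError("not a UDP access-list command")
    if tokens[3] not in ("deny", "permit"):
        raise ValueError("action must be deny or permit")
    rest = tokens[5:]
    acl = {"id": int(tokens[2]), "action": tokens[3]}
    acl["src"] = _take_ip(rest, "source")
    acl["sport"] = _take_port(rest, "source")
    acl["dst"] = _take_ip(rest, "destination")
    acl["dport"] = _take_port(rest, "destination")
    if rest not in ([], ["log"]):
        raise ValueError("unexpected trailing tokens %r" % rest)
    acl["log"] = rest == ["log"]
    return acl


def evaluate(acl, src_ip, sport, dst_ip, dport):
    """Return the ACL's action if a UDP packet meets all four criteria, else None."""
    hit = (wildcard_match(src_ip, *acl["src"])
           and wildcard_match(dst_ip, *acl["dst"])
           and acl["sport"][0] <= sport <= acl["sport"][1]
           and acl["dport"][0] <= dport <= acl["dport"][1])
    return acl["action"] if hit else None


def audit(acl):
    """Findings worth a second look before the command is committed."""
    findings = []
    for side in ("src", "dst"):
        if looks_like_netmask(acl[side][1]):
            findings.append("%s mask %s looks like a subnet mask" % (side, acl[side][1]))
    if acl["action"] == "permit" and acl["src"][1] == "255.255.255.255":
        findings.append("permits any source address")
    return findings


if __name__ == "__main__":
    for line in (GOOD_ACL, BAD_ACL):
        acl = parse_udp_acl(line)
        print(acl["id"], evaluate(acl, "192.168.5.0", 40000, "10.9.9.9", 161), audit(acl))
```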


Commands for Configuring User Accounts and Managing User Access to the X-Series Platform
This section describes the commands that you can use to:
- Create, configure, and manage X-Series Platform user accounts and passwords.
- Set CLI command privilege levels.
- Manage user access to the X-Series Platform.
- Manage user access to specific services on the X-Series Platform.

This section contains the following command descriptions:
- configure username
- configure password
- configure reset-password
- configure privilege level
- enable level
- configure enable password
- disconnect ssh
- broadcast
- lock-config
- logout

configure username
Creates and configures a new user account or configures the specified existing user account. Use the no parameter to delete the specified user account. By default, the admin user account is the only user account configured on the X-Series Platform.

NOTE: When you use this command to create a new CLI/GUI user account, the X-Series Platform also creates a Unix user account and adds it to the default user group.

By creating and configuring multiple user accounts, you can provide multiple users with secure access to the X-Series Platform, and you can control each user's ability to view and change XOS configuration settings.

Use the privilege parameter to set the specified user's CLI privilege level. To execute a CLI command, a user's CLI privilege level must be greater than or equal to the command's privilege level. See configure privilege level on page 115 for more information on configuring command privilege levels. See Understanding Command Privilege Levels on page 29 for a more detailed discussion of CLI privilege levels. Valid values for both command privilege level and user privilege level are from 0-15. The default privilege level for the admin user account is 15. However, when you configure a new account using the configure username command, the default privilege level is 0. If you use the configure username command to configure an existing user account and you do not specify the privilege parameter, the user's existing CLI privilege level remains unchanged.

Use the gui-level parameter to set the GUI privilege level for the specified user account. The default privilege level for a new user account is guest, which provides the user with read-only access to the X-Series Platform's management GUI. However, if you do not specify the gui-level parameter when configuring an existing user account, the X-Series Platform retains the user's current GUI command privilege level.

By default, when you create a new user account, the CLI prompts you twice to enter the user's initial password. The X-Series Platform then encrypts the password and stores the encrypted password in the running configuration file. Optionally, you can use the crypted-password parameter to enter a user-encrypted password.


NOTE: The user's initial password must be at least six characters in length, but does not have to meet any other standards for secure passwords. If you enter a valid password that does not meet IT industry standards for secure passwords, the CLI implements the new password assignment, but issues a warning message.

A user can change his/her password at any time by issuing the configure password command. A user must change his/her personal password immediately upon logging into his/her account if one of the following conditions is true:
- This is the first time a new user has logged into his/her account.
- The user's personal password has expired.

NOTE: You can use the maxdays parameter to set the maximum number of days that a user account password remains valid before it expires and must be changed upon the user's next login. The default maxdays parameter value is 30 days.

If the user forgets his/her password, an X-Series Platform system administrator can use the configure reset-password command to reset the user's password.

Syntax
configure [no] username <user_name> [privilege <privilege_level>] [gui-level {unauthorized | guest | network-operator | service-operator | administrator}] [crypted-password <encrypted_password>] [autocommand <command>] [maxdays <number_of_days>]

Parameters
The following table lists the parameters used with this command.

<user_name>
User name assigned to the new user account that you are creating or the existing user account that you are configuring. If you specify a user name for which a user account does not exist, the configure username command creates and configures a new user account with the specified user name. If you specify a user name for which a user account does exist, the configure username command configures that user account.

privilege <privilege_level>
Sets the CLI privilege level for the user account that you are creating or configuring. To execute a CLI command, a user's CLI privilege level must be greater than or equal to the command's privilege level. Valid values are from 0-15. The default CLI privilege level for a new user account is 0. If you do not specify the privilege parameter when configuring an existing user account, the user's CLI privilege level remains unchanged.


gui-level {unauthorized | guest | network-operator | service-operator | administrator}
Sets the GUI privilege level for the user account that you are creating or configuring. Valid GUI privilege levels are as follows:
- unauthorized: User cannot access the GUI at all.
- guest: User has read-only access to the GUI. User can view current X-Series Platform configuration settings, but cannot change any settings using the GUI.
- network-operator: User can view current X-Series Platform configuration settings and can change network connectivity configuration settings such as NPM interface configuration settings.
- service-operator: User can view current X-Series Platform configuration settings and can change service provisioning configuration settings such as VAP group configuration settings.
- administrator: User can view and change all current X-Series Platform configuration settings.
The default setting for new user accounts is guest. However, when configuring an existing user account, if you do not specify the gui-level parameter, the X-Series Platform retains the user's current GUI privilege level.

crypted-password <encrypted_password>

The crypted-password command is generally used only when configuring a chassis. By running the command show running-config echo-password, the current usernames are shown along with the encrypted password strings. The actual passwords are not displayed. A system administrator can use this information to create a new username with the same password as an existing username. The administrator copies the encrypted password string for an existing username and pastes it into the configure username command after the crypted-password parameter. This enables the system administrator to create the new username without needing to know the actual password associated with either username. Using the same method, a system administrator could create usernames on another chassis, copying the encrypted password strings without knowing the actual passwords.

Caution: If you enter an unencrypted string after the crypted-password parameter, you cannot enter that string later as the password.
NOTE: The crypted-password command is also used with the configure enable password command.

autocommand <command>
Configures the login script for the specified user account to execute the specified CLI command each time the user logs into the account.

maxdays <number_of_days>
Sets the maximum number of days that a user account password can remain valid before it expires. When a password expires, the user must change the password upon his/her next login. The default maxdays parameter value is 30 days. The valid range is 0 - 65355.

Restrictions
Default Privilege Level: 15

configure password
Initiates a password change for the current user. When you issue this command, the CLI first prompts you to enter your old password and then prompts you to enter your new password. The CLI then implements the password change and issues a confirmation message.

NOTE: A user's password must be at least six characters in length and must meet IT industry standards for secure passwords. If you enter a new password that does not meet these requirements, the CLI issues a warning message and prompts you to enter a different new password.

Syntax
configure password

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
In the following example, a user called test issues the configure password command and enters his current and new passwords when prompted. Note that in this example, the user is prompted to enter the new password twice:
- When prompted the first time, the user enters a new password that is not secure. The CLI then issues an error message and prompts the user to enter another new password.
- When prompted the second time, the user enters a secure password. The CLI then implements the new password and issues the confirmation message, Password changed.

NOTE: The CLI does not display passwords as you type them.

    CBS# configure password
    Changing password for user test.
    Changing password for test
    (current) UNIX password:
    New UNIX password:
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
    CBS#

configure reset-password
Initiates a new password assignment for the specified user. When you issue this command, the CLI prompts you to enter the new password for the specified user account and then re-enter the new password to confirm it. The CLI then implements the new password assignment and returns you to the main CLI context.

NOTE: The new password must be at least six characters in length, but does not have to meet any other standards for secure passwords. If you enter a valid password that does not meet IT industry standards for secure passwords, the CLI implements the new password assignment, but issues a warning message.


Syntax
configure reset-password <user_name>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

<user_name>
User name for the account whose password you want to create or change.

Restrictions
Default Privilege Level: 15

Examples
In the following example, the administrator assigns a new password to a user called test, but the CLI warns that the password is not secure.

NOTE: For security, the CLI does not display passwords as you type them.

    CBS# configure reset-password test
    Password:
    Retype password:
    %WARNING: Password updated successful with warning
    Detail: Warning in replacing password: Warning BAD PASSWORD: it is too simplistic/systematic
    CBS#

In the following example, the administrator assigns another, more secure password to the user called test.

NOTE: For security, the CLI does not display passwords as you type them.

    CBS# configure reset-password test
    Password:
    Retype password:
    CBS#

configure privilege level


Assigns the specified privilege level to the specified command with the lowest CLI context level.

NOTE: You can use the show privilege command to display a command's current privilege level.

To execute a command, a user's privilege level must be greater than or equal to the command's privilege level. See configure username on page 111 for more information on setting a user's privilege level. See Understanding Command Privilege Levels on page 29 for a more detailed discussion of CLI privilege levels. Valid values for both command privilege level and user privilege level are from 0-15.


By default, each command has a privilege level of either 0 or 15. Use the no parameter to restore the default privilege level of the specified command with the lowest CLI context level. See Appendix C, Configurable Command Privilege Levels on page 931, for a list of commands that have configurable command privilege levels, along with the default privilege level for each command.

Syntax
configure [no] privilege level <level> <root_level_command> [<first_level_subcommand>] [<second_level_subcommand>] ... [<nth_level_subcommand>]

NOTE: To determine whether a user is allowed access to a command, XOS compares the privilege level of the command and the privilege level of the parent command to the privilege level of the user. If the privilege level of either the parent command or the sub-command is higher than the privilege level of the user, access is denied. For example, you have configured these privilege levels:
- User: 10
- Sub-command: 0
- Parent command: 15
Although the intent was to allow the user to access the sub-command, the privilege level of the parent command prevents this.

NOTE: Arguments containing whitespace characters are valid; do not enclose these arguments in quotation marks (" ").

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

<level>
Privilege level that you want to assign to the specified command. Valid values are from 0-15. By default, each command has a privilege level of either 0 or 15. Use the show privilege command to display a command's current privilege level.

<root_level_command> <first_level_subcommand> <second_level_subcommand> ... <nth_level_subcommand>
Specifies the sequence of commands, starting from the main CLI context, that you use to first access and then execute the command whose privilege level you want to change. For example, to change the privilege level for the vap-group command under the configuration context, you would specify the command sequence, configure vap-group. In this example, configure is the <main_context_command> and vap-group is the <second_context_level_command>.

Commands for Configuring the X-Series Platform to Enable System Management

116

Restrictions
Default Privilege Level: 15

Examples
The following command sets the privilege level to 10 for the vap-group command under the main configuration context:

CBS# configure privilege level 10 configure vap-group
CBS#

The following command sets the privilege level to 10 for the vap-group command under the circuit configuration context:

CBS# configure privilege level 10 configure circuit vap-group
CBS#

If you change the privilege level of a command, the new privilege level appears at the beginning of the output of the {show | copy} running-config and startup-config commands. The following example shows this output.

CBS# show running-config
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
# CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
# Kit Number: xx
#Do not remove above this line
# configure
# privilege level 10 configure vrrp
# hostname TestChassis-X45 cp1

enable level
Changes your CLI user privilege level for the current CLI console session only. Valid values for CLI user privilege level are from 0-15.

IMPORTANT: If you specify a CLI user privilege level higher than your current privilege level, the CLI prompts you to enter the password assigned to the desired privilege level. See configure enable password on page 119 for information on configuring a password for each CLI user privilege level.

Use the no parameter to restore your default CLI user privilege level. Use the show username command to display your default CLI user privilege level.

To execute a CLI command, your CLI user privilege level must be greater than or equal to the CLI command's privilege level. Use the show privilege command to display the privilege level for a specific CLI command. See Understanding Command Privilege Levels on page 29 for a more detailed discussion of CLI privilege levels.

Syntax
[no] enable level <level>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <level>
Description: CLI user privilege level that you want to assign to yourself for the remainder of the current CLI console session. Valid values are from 0-15.

Restrictions
Default Privilege Level: 0

Example
In the following example, the current user, test, has a default CLI user privilege level of 0:

CBS# show username
Username                     : test
Assigned CLI Privilege Level : 0
Current CLI Privilege Level  : 0
GUI Access Level             : Guest
Maxdays                      : 30
(1 row)
CBS#

The configured privilege level for the configure vap-group command is 9:

CBS> show privilege configure vap-group
Command 'configure vap-group' at privilege level 9

So, when the user tries to execute the configure vap-group command, he gets an error:

CBS> configure vap-group es3
^
% Invalid input detected at '^' marker
CBS>

Then, the user executes the enable level command to change his CLI user privilege level to 10:

CBS> enable level 10
Password:
CBS>

NOTE: For security, the CLI does not display the password that the user types.

With a CLI user privilege level of 10, the user can successfully execute the configure vap-group command:

CBS> configure vap-group es3
CBS(config-vap-grp)>

configure enable password


Enables or disables (using no) password protection for the specified CLI user privilege level, and initiates password assignment for the specified CLI user privilege level. If you do not specify a CLI user privilege level, this command applies to CLI user privilege level 15.

By default, when you issue this command to enable password protection, the CLI prompts you twice to enter the password that you want to assign to the specified CLI user privilege level. The X-Series Platform then encrypts the password, stores the encrypted password in the running configuration file, and implements the new password assignment. The CLI then returns you to the main CLI context.

NOTE: Each password must be at least six characters in length, and must meet IT industry standards for secure passwords. If you enter a password that does not meet these requirements, the CLI issues a warning message and returns you to the main CLI context. You must then re-issue the configure enable password command and enter a different, secure password when prompted.

Optionally, you can use the crypted-password parameter to specify a user-encrypted password for access to the specified privilege level.

When a user issues the enable level command to change his/her CLI user privilege level, the CLI prompts him/her to enter the password for the requested CLI user privilege level.

IMPORTANT: To maintain X-Series Platform security, you should always configure a password for privilege level 15. By default, CLI user privilege levels do not have passwords. If a privilege level does not have a configured password, the user can press Enter at the enable level password prompt to implement the requested CLI user privilege level change.

Syntax
configure [no] enable password [level <level>] [crypted-password <password>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: level <level>
Description: Specifies the CLI user privilege level for which you want to enable or disable password protection. Valid values are from 0-15. If you do not specify this parameter, the configure enable password command enables or disables password protection for CLI user privilege level 15.

Parameter: crypted-password <password>
Description: The crypted-password command is generally used only when configuring a chassis. By running the command show running-config echo-password, the current usernames are shown along with the encrypted password strings. The actual passwords are not displayed. A system administrator could copy the encrypted password string for a user and paste it into the configure enable password command after the crypted-password parameter. The password for all commands that have the specified privilege level is set to the password of that user.

Caution: If you enter an unencrypted string after the crypted-password parameter, you cannot enter that string later as the password.

NOTE: If you do not specify the crypted-password command, the CLI prompts you (twice) to enter a password and then encrypts the password.

NOTE: The crypted-password command is also used with the configure username command.

Restrictions
Default Privilege Level: 15

Example
In this example, the students in a training class have been given user accounts that have the default CLI user privilege level of 0. The instructor wants to teach the class how to configure a VAP group, but all of the VAP group configuration CLI commands have a privilege level of 15. Therefore, before beginning the lesson, the instructor uses the following command to enable use of a password for CLI user privilege level 15. When prompted, the instructor enters BlueDuck1 as the privilege level 15 password. He then shares this password with the class.

CBS# configure enable password level 15
Password:
Retype password:
CBS#

NOTE: For security, the CLI does not display the password that the instructor types.

Next, each student in the class issues the following command to request temporary access to CLI user privilege level 15. When prompted, each student enters BlueDuck1 as the password.

CBS> enable level 15
Password:
CBS#

NOTE: For security, the CLI does not display the password that the student types.

Upon entering the correct password, each student gets CLI user privilege level 15 until the end of his/her current CLI console session. The instructor can now teach the class how to configure a VAP group, since each student now has the CLI user privilege level required to execute VAP group configuration commands.

When the lesson is over, the instructor tells the students to log out of their accounts. The instructor then uses the following command to change the password for access to CLI user privilege level 15. When prompted, the instructor enters the old password, BlueDuck1, once. He then enters the new password twice.

CBS# configure enable password level 15
Current Password:
New Password:
Retype password:
CBS#

NOTE: For security, the CLI does not display the passwords that the instructor types.

The next time the students log into their user accounts, they will each have the default CLI user privilege level of 0, and they will no longer have the correct password required to access CLI user privilege level 15.
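The two checks described under configure privilege level, enable level and configure enable password (a command is denied when it or its parent command has a higher privilege level than the user, and a level with no configured password is granted on a bare Enter) can be modelled offline to audit a saved configuration. The Python below is an added example, not Crossbeam code: the default levels and the sample configuration are constructed, the set of password-protected levels is supplied by hand because this guide does not show how enable passwords appear in the running configuration, and applying the parent check to every ancestor command is an assumption.

```python
import re

MAX_LEVEL = 15
# "privilege level <n> <command path>", with or without a leading "#".
PRIV_LINE = re.compile(r"^#?\s*privilege level (\d+)\s+(\S.*)$")

# Constructed sample in the shape of the show running-config header.
SAMPLE_CONFIG = """\
#Do not remove above this line
# configure
# privilege level 10 configure vrrp
# privilege level 0 configure circuit vap-group
# hostname TestChassis-X45 cp1
"""

# Constructed default levels; the real defaults are listed in Appendix C.
SAMPLE_DEFAULTS = {
    ("configure",): 0,
    ("configure", "vrrp"): 15,
    ("configure", "circuit"): 15,
    ("configure", "circuit", "vap-group"): 15,
}


def parse_overrides(config_text):
    """Return {command path tuple: level} for every privilege level line."""
    overrides = {}
    for line in config_text.splitlines():
        match = PRIV_LINE.match(line.strip())
        if not match:
            continue
        level = int(match.group(1))
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"privilege level outside 0-15: {line!r}")
        overrides[tuple(match.group(2).split())] = level
    return overrides


def required_level(path, levels):
    """Level a user needs for a command: the highest level found on the
    path from the root command down to the command itself (assumption:
    the parent check described in the NOTE applies to every ancestor)."""
    path = tuple(path)
    if path not in levels:
        raise KeyError(f"no privilege level known for {' '.join(path)!r}")
    prefixes = (path[:i] for i in range(1, len(path) + 1))
    return max(levels[p] for p in prefixes if p in levels)


def shadowed_commands(levels):
    """Commands whose own level is lower than what a parent command demands,
    so lowering them did not grant the access that was intended."""
    result = {}
    for path, own in levels.items():
        needed = required_level(path, levels)
        if needed > own:
            result[" ".join(path)] = (own, needed)
    return result


def reachable_level(default_level, protected_levels):
    """Highest level a user can hold without knowing any enable password.
    A level with no configured password is granted on a bare Enter."""
    open_levels = [lvl for lvl in range(default_level + 1, MAX_LEVEL + 1)
                   if lvl not in protected_levels]
    return max(open_levels, default=default_level)


def audit(config_text, defaults, protected_levels, user_default_level):
    """Combine both checks for one user default level."""
    levels = {**defaults, **parse_overrides(config_text)}
    ceiling = reachable_level(user_default_level, protected_levels)
    return {
        "shadowed": shadowed_commands(levels),
        "ceiling_without_password": ceiling,
        "commands_at_ceiling": sorted(
            " ".join(p) for p in levels if ceiling >= required_level(p, levels)
        ),
    }


if __name__ == "__main__":
    # Only level 15 has an enable password; the user's default level is 0.
    report = audit(SAMPLE_CONFIG, SAMPLE_DEFAULTS, {15}, 0)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample, lowering configure circuit vap-group to 0 has no effect while configure circuit stays at 15, which is the situation the NOTE under configure privilege level describes. With a password on level 15 only, a level 0 user can still hold level 14, so every command that requires 14 or less is within reach.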

disconnect ssh
Terminates the existing SSH network connection with the specified session identifier.

Syntax
disconnect ssh <session_identifier>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <session_identifier>
Description: SSH session identifier assigned to the SSH network connection that you want to terminate. Use the show ssh-session command to display a list of the active SSH network connections, along with their session identifiers.

Restrictions
Default Privilege Level: 15

broadcast
Sends the specified broadcast message to all CLI users currently logged into the X-Series Platform.

Syntax
broadcast <message>

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <message>
Description: Text message that you intend to send to all users currently logged into the X-Series Platform.

Restrictions
Default Privilege Level: 0

lock-config
Locks the current XOS configuration so that only you can change it. (Only you can write to the running configuration file.) Use the no parameter to unlock the configuration.

Syntax
[no] lock-config [force]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: force
Description: Forces the configuration lock to take effect, even if the configuration is already locked by another user. You can also use the no lock-config force command to force the configuration to become unlocked, even if the configuration has been locked by another user.

Restrictions
Default Privilege Level: 15

logout
Logs the current user out of the current CLI console session.

NOTE: If you are currently at the main CLI context level, you can also use the exit command to log out.

Syntax
logout [save-config [no-confirm]]

Context
You can issue this command from any CLI context.

Inline Commands
The following table lists the CLI commands used inline with the logout command.

Command: save-config [no-confirm]
Description: Saves the running configuration file as the startup configuration file. This saves your configuration changes as part of the logout process. Use the no-confirm parameter to save configuration changes without being prompted to confirm the operation.
NOTE: The system uses the default answers to all confirmation questions.

Restrictions
Default Privilege Level for logout Command: 0
Default Privilege Level for logout save-config Command: 15

Commands for Configuring System Alarms and Logs


This section describes the commands that you can use to configure system alarms and logs for the X-Series Platform. This section contains the following command descriptions:

audit-trail on page 124
configure enable alarm on page 125
configure facility-alarm cpu on page 125
configure facility-alarm cpu-core on page 126
configure facility-alarm disk-usage-boot on page 128
configure facility-alarm disk-usage-cbconfig on page 129
configure facility-alarm disk-usage-mgmt on page 130
configure facility-alarm disk-usage-root on page 132
configure facility-alarm disk-usage-tftpboot on page 133
configure facility-alarm disk-usage-var on page 134
configure facility-alarm free-memory on page 136
configure snmp-server community on page 137
configure snmp-server host on page 138
configure snmp-server contact on page 139
configure snmp-server location on page 140
configure snmp-server engine-id on page 141
configure snmp-user on page 142
configure rmon event on page 144
configure rmon alarm on page 145
configure logging console on page 148
configure logging monitor on page 150
configure logging server on page 152
logging on page 152

audit-trail
Writes the specified text message to the audit trail log file.

Syntax
audit-trail <text_message>

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <text_message>
Description: Text message that you wish to write to the audit trail log file.

Restrictions
Default Privilege Level: 0

configure enable alarm


Enables or disables (using no) the power supply failure alarm or the power feed failure alarm. Both alarms are enabled by default.

Syntax
configure enable [no] alarm {power-supply | power-feed}

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: {power-supply | power-feed}
Description: Specifies the alarm that you want to enable or disable:
power-supply: Power supply failure alarm
power-feed: Power feed failure alarm
By default, both alarms are enabled.

Restrictions
Default Privilege Level: 15

configure facility-alarm cpu


Facility alarms help to identify physical system problems. This command configures the alarm threshold values for the CPU utilization percentage alarms. There are six different alarm thresholds. Use the no parameter to restore the default settings for all threshold values. If you enter the configure facility-alarm cpu command without specifying any parameters, the system does not change the existing alarm threshold settings.

Syntax
configure facility-alarm cpu [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no cpu

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: upper-minor <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the minor alarm for CPU utilization. If the CPU utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 80.

Parameter: upper-major <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the major alarm for CPU utilization. If the CPU utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 90.

Parameter: upper-critical <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the critical alarm for CPU utilization. If the CPU utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 99.

Parameter: lower-minor <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the minor alarm for CPU utilization. If the CPU utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-major <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the major alarm for CPU utilization. If the CPU utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-critical <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the critical alarm for CPU utilization. If the CPU utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.

Restrictions
Default Privilege Level: 15

configure facility-alarm cpu-core


Facility alarms help to identify physical system problems. This command configures the alarm threshold values for the CPU core utilization percentage alarms. There are six different alarm thresholds. Use the no parameter to restore the default settings for all threshold values.

If you enter the configure facility-alarm cpu-core command without specifying any parameters, the system does not change the existing alarm threshold settings.

Syntax
configure facility-alarm cpu-core [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no cpu-core

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: upper-minor <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the minor alarm for CPU core utilization. If the CPU core utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 80.

Parameter: upper-major <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the major alarm for CPU core utilization. If the CPU core utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 90.

Parameter: upper-critical <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the critical alarm for CPU core utilization. If the CPU core utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 99.

Parameter: lower-minor <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the minor alarm for CPU core utilization. If the CPU core utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-major <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the major alarm for CPU core utilization. If the CPU core utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-critical <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the critical alarm for CPU core utilization. If the CPU core utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.

Restrictions
Default Privilege Level: 15

configure facility-alarm disk-usage-boot


Facility alarms help to identify physical system problems. This command configures the alarm threshold values for the /boot partition disk utilization alarms. There are six different alarm thresholds. Use the no parameter to restore the default settings for all threshold values. If you enter the configure facility-alarm disk-usage-boot command without specifying any parameters, the system does not change the existing alarm threshold settings.

Syntax
configure facility-alarm disk-usage-boot [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-boot

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: upper-minor <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the minor alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.

Parameter: upper-major <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the major alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.

Parameter: upper-critical <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the critical alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.

Parameter: lower-minor <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the minor alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-major <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the major alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-critical <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the critical alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.

Restrictions
Default Privilege Level: 15

configure facility-alarm disk-usage-cbconfig


Facility alarms help to identify physical system problems. This command configures the alarm threshold values for the /cbconfig partition disk utilization alarms. There are six different alarm thresholds. Use the no parameter to restore the default settings for all threshold values. If you enter the configure facility-alarm disk-usage-cbconfig command without specifying any parameters, the system does not change the existing alarm threshold settings.

Syntax
configure facility-alarm disk-usage-cbconfig [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-cbconfig

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: upper-minor <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the minor alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.

Parameter: upper-major <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the major alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.

Parameter: upper-critical <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the critical alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.

Parameter: lower-minor <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the minor alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-major <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the major alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-critical <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the critical alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.

Restrictions
Default Privilege Level: 15

configure facility-alarm disk-usage-mgmt


Facility alarms help to identify physical system problems. This command configures the alarm threshold values for the /mgmt partition disk utilization alarms. There are six different alarm thresholds. Use the no parameter to restore the default settings for all threshold values.

If you enter the configure facility-alarm disk-usage-mgmt command without specifying any parameters, the system does not change the existing alarm threshold settings.

Syntax
configure facility-alarm disk-usage-mgmt [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-mgmt

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: upper-minor <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the minor alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.

Parameter: upper-major <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the major alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.

Parameter: upper-critical <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the critical alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.

Parameter: lower-minor <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the minor alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-major <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the major alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-critical <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the critical alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.

Restrictions
Default Privilege Level: 15

configure facility-alarm disk-usage-root


Facility alarms help to identify physical system problems. This command configures the alarm threshold values for the root partition disk utilization alarms. There are six different alarm thresholds. Use the no parameter to restore the default settings for all threshold values. If you enter the configure facility-alarm disk-usage-root command without specifying any parameters, the system does not change the existing alarm threshold settings.

Syntax
configure facility-alarm disk-usage-root [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-root

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: upper-minor <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the minor alarm for the root partition's disk utilization. If the root partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.

Parameter: upper-major <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the major alarm for the root partition's disk utilization. If the root partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.

Parameter: upper-critical <percentage>
Description: Configures the upper threshold value, expressed as a percentage, for the critical alarm for the root partition's disk utilization. If the root partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.

Parameter: lower-minor <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the minor alarm for the root partition's disk utilization. If the root partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-major <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the major alarm for the root partition's disk utilization. If the root partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.

Parameter: lower-critical <percentage>
Description: Configures the lower threshold value, expressed as a percentage, for the critical alarm for the root partition's disk utilization. If the root partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.

Restrictions
Default Privilege Level: 15
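The threshold rule shared by the cpu, cpu-core and disk-usage commands above (an upper alarm triggers when utilization rises above its threshold, a lower alarm when it falls below) can be checked against a planned change before the command is entered on a chassis. The Python below is an added example, not Crossbeam code; it uses the defaults documented above, and its ordering checks, its choice to report only the most severe alarm, and its assumption that unspecified thresholds are still at their defaults are not documented XOS behaviour.

```python
UPPER = ("upper-minor", "upper-major", "upper-critical")
LOWER = ("lower-minor", "lower-major", "lower-critical")


def _defaults(minor, major, critical):
    """Upper defaults as given per command; every lower default is 0."""
    values = dict(zip(UPPER, (minor, major, critical)))
    values.update(dict.fromkeys(LOWER, 0))
    return values


# Defaults from the parameter tables on this page.
DEFAULTS = {
    "cpu": _defaults(80, 90, 99),
    "cpu-core": _defaults(80, 90, 99),
    "disk-usage-boot": _defaults(70, 80, 97),
    "disk-usage-cbconfig": _defaults(70, 80, 97),
    "disk-usage-mgmt": _defaults(70, 80, 97),
    "disk-usage-root": _defaults(70, 80, 97),
}


def merged(resource, changes):
    """Thresholds after applying changes (assumes the chassis is at defaults)."""
    unknown = set(changes) - set(UPPER + LOWER)
    if unknown:
        raise ValueError(f"unknown threshold(s): {sorted(unknown)}")
    return {**DEFAULTS[resource], **changes}


def problems(thresholds):
    """Sanity checks added for this example; XOS may accept these values."""
    found = [f"{name}={value!r} is outside 0-100"
             for name, value in thresholds.items()
             if not isinstance(value, int) or not 0 <= value <= 100]
    if found:
        return found
    upper = [thresholds[name] for name in UPPER]
    lower = [thresholds[name] for name in LOWER]
    if upper != sorted(upper):
        found.append("upper thresholds decrease from minor to critical")
    if lower != sorted(lower, reverse=True):
        found.append("lower thresholds increase from minor to critical")
    if lower[0] > upper[0]:
        found.append("lower-minor is above upper-minor: every sample alarms")
    return found


def severity(utilization, thresholds):
    """Most severe alarm a sample would trigger, or None."""
    for level in ("critical", "major", "minor"):
        if (utilization > thresholds[f"upper-{level}"]
                or utilization < thresholds[f"lower-{level}"]):
            return level
    return None


def command(resource, changes):
    """Build the CLI line for the changed thresholds, in syntax order."""
    issues = problems(merged(resource, changes))
    if issues:
        raise ValueError("; ".join(issues))
    args = [f"{name} {changes[name]}" for name in UPPER + LOWER if name in changes]
    return " ".join(["configure facility-alarm", resource] + args)


if __name__ == "__main__":
    cpu = DEFAULTS["cpu"]
    for sample in (0, 80, 81, 99, 100):
        print(sample, severity(sample, cpu))
    print(command("disk-usage-root", {"upper-major": 85, "upper-minor": 75}))
```

With the default lower thresholds of 0, no lower alarm can trigger, because utilization cannot fall below 0; a reading exactly equal to an upper threshold does not trigger that alarm either.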

configure facility-alarm disk-usage-tftpboot


Facility alarms help to identify physical system problems. This command configures the alarm threshold values for the /tftpboot partition disk utilization alarms. There are six different alarm thresholds. Use the no parameter to restore the default settings for all threshold values. If you enter the configure facility-alarm disk-usage-tftpboot command without specifying any parameters, the system does not change the existing alarm threshold settings.

Syntax
configure facility-alarm disk-usage-tftpboot [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-tftpboot

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

upper-minor <percentage>

Configures the upper threshold value, expressed as a percentage, for the minor alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.

upper-major <percentage>

Configures the upper threshold value, expressed as a percentage, for the major alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.

upper-critical <percentage>

Configures the upper threshold value, expressed as a percentage, for the critical alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.

lower-minor <percentage>

Configures the lower threshold value, expressed as a percentage, for the minor alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.

lower-major <percentage>

Configures the lower threshold value, expressed as a percentage, for the major alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.

lower-critical <percentage>

Configures the lower threshold value, expressed as a percentage, for the critical alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.

Restrictions
Default Privilege Level: 15

configure facility-alarm disk-usage-var


Facility alarms help to identify physical system problems. This command configures the alarm threshold values for the /var partition disk utilization alarms. There are six different alarm thresholds. Use the no parameter to restore the default settings for all threshold values.

If you enter the configure facility-alarm disk-usage-var command without specifying any parameters, the system does not change the existing alarm threshold settings.

Syntax
configure facility-alarm disk-usage-var [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-var

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

upper-minor <percentage>

Configures the upper threshold value, expressed as a percentage, for the minor alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.

upper-major <percentage>

Configures the upper threshold value, expressed as a percentage, for the major alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.

upper-critical <percentage>

Configures the upper threshold value, expressed as a percentage, for the critical alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.

lower-minor <percentage>

Configures the lower threshold value, expressed as a percentage, for the minor alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.

lower-major <percentage>

Configures the lower threshold value, expressed as a percentage, for the major alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.

lower-critical <percentage>

Configures the lower threshold value, expressed as a percentage, for the critical alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.

Restrictions
Default Privilege Level: 15

configure facility-alarm free-memory


Facility alarms help to identify physical system problems. A free memory alarm is triggered whenever the amount of available memory on any APM falls below one of the alarm sensor's APM free memory page count thresholds.

This command configures APM free memory page count thresholds for lower-minor and lower-major free memory alarms. These two thresholds are expressed as multipliers of the lower-critical free memory alarm's threshold, which is 7500 free pages. For example, if you set the lower-major free memory alarm's threshold multiplier to 3, you will receive a major alarm whenever any APM's free memory page count falls below 22,500 free pages (7500 free pages * 3).

Use the no parameter to restore the default settings for the lower-minor and lower-major alarm threshold multipliers. If you enter the configure facility-alarm free-memory command without specifying any parameters, the system does not change the existing alarm threshold multiplier settings.

Syntax
configure facility-alarm free-memory [lower-minor <threshold_multiplier>] [lower-major <threshold_multiplier>]
configure facility-alarm no free-memory

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

lower-minor <threshold_multiplier>

Specifies the lower-minor alarm's APM free page count threshold multiplier. The alarm sensor triggers a minor alarm if the amount of free memory on any APM falls below:
(7500 free pages * <threshold_multiplier>)
Valid values are 1 to 100. Default is 4.

lower-major <threshold_multiplier>

Specifies the lower-major alarm's APM free page count threshold multiplier. The alarm sensor triggers a major alarm if the amount of free memory on any APM falls below:
(7500 free pages * <threshold_multiplier>)
Valid values are 1 to 100, with a default of 2.

Restrictions
Default Privilege Level: 15

configure snmp-server community


Defines an SNMP community on the server consisting of this X-Series Platform (the SNMP server) and one or more SNMP management stations (the SNMP clients). The SNMP management station(s) included in the community use the specified community string as a password to read from the SNMP agent on the X-Series Platform.

Specify an IP address without a subnet mask to configure the community to include only the specified SNMP management station. Specify an IP address with a subnet mask to configure the community to include the specified SNMP management station and all other SNMP management stations on the specified subnet. You can specify an IP address and subnet mask pair of 0.0.0.0 0.0.0.0 to grant read access to all SNMP management station users.

NOTE: SNMP management stations (SNMP clients) have read-only access to their community string, which is stored on the X-Series Platform (SNMP server). You cannot use an SNMP management station to change its community string or any other information in the chassis.

Use the no parameter to delete the specified community.

Syntax
configure snmp-server community <community_string> {<IP_address> | {<IP_address> <subnet_mask> | <IP_address>/<0-32>}}
configure no snmp-server community <community_string>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

community <community_string>

Community string, expressed as a text string, assigned to the SNMP community that you are defining. The SNMP management stations use the specified community string as a password to read the SNMP agent on the X-Series Platform.
NOTE: The community string cannot contain whitespace characters.

<IP_address>

Configures the SNMP community to include the SNMP agent on the X-Series Platform (the SNMP server) and the single SNMP management station (SNMP client) with the specified IP address.

{<IP_address> <subnet_mask> | <IP_address>/<0-32>}

Configures the SNMP community to include the SNMP agent on the X-Series Platform (the SNMP server) and all other SNMP management stations (SNMP clients) on the specified subnet. Example: 10.15.3.0/16

Restrictions
Default Privilege Level: 15
A community string cannot contain whitespace characters.

configure snmp-server host


Configures a host as an SNMP notification receiver for the specified community. There are two types of SNMP notification messages: SNMP traps and SNMP informs. You can configure the SNMP notification receiver host to accept one of these two types of messages. The host confirms receipt of SNMP informs, but does not confirm receipt of SNMP traps. Therefore, if you want to send critical notifications to the host, you should configure the host to receive SNMP informs.

NOTE: SNMP informs are only available for use with devices that support SNMP version 2c.

The no parameter has one of two functions, depending on where the parameter appears in the command:

Prevent a host from receiving either SNMP traps or SNMP informs:
configure snmp-server no host <IP_address> <community_string> [traps | informs]
If you do not specify traps or informs with this command, the host stops receiving SNMP traps, but continues to receive SNMP informs.

Delete a host configuration:
configure no snmp-server host <IP_address> <community_string> [informs]
If the host that you wish to delete currently receives informs, you must specify the informs parameter with this command.

Syntax
configure snmp-server host <IP_address> [traps | informs] [version {1 | 2c}] <community_string> [udp-port <port_number>]
configure snmp-server no host <IP_address> <community_string> [traps | informs]
configure no snmp-server host <IP_address> <community_string> [informs]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

host <IP_address>

Specifies the IP address of the host that you want to configure as an SNMP notification receiver.

[traps | informs]

Configures the host to receive either SNMP traps or SNMP informs. By default, the host receives SNMP traps.

version {1 | 2c}

Specifies the SNMP version that the host uses for security and message processing. Default is version 1.

<community_string>

Community string, expressed as a text string, assigned to the SNMP community for which the host is to become an SNMP notification receiver. Use the show snmp command to display the community strings for the SNMP communities defined on the X-Series Platform. See configure snmp-server community on page 137 for more information on configuring a community string for an SNMP community.

udp-port <port_number>

Configures the host to receive SNMP notification messages through the specified UDP port. Default UDP port is 162.

Restrictions
Default Privilege Level: 15

configure snmp-server contact


Configures system administrator contact information for the SNMP server running on the X-Series Platform. Defines contact as an SNMP property assigned to the SNMP server, allowing other SNMP devices to read the specified system administrator contact information. Use the no parameter to delete all SNMP server system administrator contact information.

NOTE: The X-Series Platform stores only the most recently configured contact information. If you execute the configure snmp-server contact command multiple times, each command replaces the existing contact information with the new contact information that you provide. To view existing SNMP server system administrator contact information for your X-Series Platform, use the show snmp command.

Syntax
configure snmp-server contact <contact_info_string>
configure snmp-server no contact

NOTE: If the contact information string contains whitespace characters, it must be enclosed in quotation marks (" ").

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

contact <contact_info_string>

Text string, such as a name or e-mail address, that serves as contact information for the SNMP server administrator on the X-Series Platform.

Restrictions
Default Privilege Level: 15

configure snmp-server location


Configures system location information for the SNMP server running on the X-Series Platform. Defines location as an SNMP property assigned to the SNMP server, allowing other SNMP devices to read the specified system location information. Use the no parameter to delete all SNMP server system location information.

NOTE: The X-Series Platform stores only the most recently configured system location information. If you execute the configure snmp-server location command multiple times, each command replaces the existing system location information with the new system location information that you provide.

To view existing SNMP server system location information for your X-Series Platform, use the show snmp command.

Syntax
configure snmp-server location <location_info_string>
configure snmp-server no location

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

location <location_info_string>

Text string that specifies the physical location of the X-Series Platform. The text string can have a maximum of 255 alphanumeric characters and cannot include whitespace characters.

Restrictions
Default Privilege Level: 15

configure snmp-server engine-id


Configures a unique identifier for the SNMP V3 engine (SNMP agent) running on the X-Series Platform. Use the no parameter to delete the SNMP V3 engine ID from the X-Series Platform.

NOTE: The X-Series Platform stores only the most recently configured SNMP V3 engine ID. If you execute the configure snmp-server engine-id command multiple times, each command replaces the existing SNMP V3 engine ID with the new ID that you provide.

The X-Series Platform generates SNMP V3 authentication and encryption keys for each SNMP V3 transaction based on the associated SNMP V3 user's authentication password and the SNMP V3 engine ID. Therefore, you should configure an SNMP V3 engine ID before configuring SNMP V3 user accounts on the X-Series Platform. The same SNMP V3 engine ID must be configured on every SNMP management station that communicates with the SNMP agent on the X-Series Platform using the SNMP V3 protocol.

Caution: If you wish to change the SNMP V3 engine ID, you must first reconfigure the SNMP V3 engine ID, and then reconfigure the authentication passwords for all existing SNMP V3 user accounts. If you do not reconfigure the authentication passwords, then the authentication and encryption keys generated from those passwords will be based on the previous engine ID. See configure snmp-user on page 142 for information on configuring authentication passwords for SNMP V3 user accounts.
To display the SNMP V3 engine ID (if any) configured for the SNMP V3 engine running on your X-Series Platform, use the show snmp command.

Syntax
configure snmp-server engine-id <identifier_string>
configure snmp-server no engine-id

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

<identifier_string>

SNMP V3 engine ID assigned to the SNMP agent that is running on the X-Series Platform.

Restrictions
Default Privilege Level: 15
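
Why changing the engine ID invalidates existing SNMP V3 keys, as an added example that is not part of the original guide or Crossbeam code. It assumes XOS derives keys with the standard USM password-to-key and localization algorithm of RFC 3414, which the guide does not state; NEW_ENGINE_ID, the message bytes and the helper names are constructed, and the HMAC input is simplified to raw message bytes.

```python
import hashlib
import hmac

# XOS auth-type keyword -> hashlib algorithm name
HASHES = {"md5": "md5", "sha": "sha1"}

RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")  # RFC 3414 A.3 test vector
NEW_ENGINE_ID = bytes.fromhex("80001f8804786f7331")        # constructed for this example


def password_to_key(password: str, auth_type: str) -> bytes:
    """Step 1 (RFC 3414 A.2): digest of the password repeated out to 1 MiB (Ku)."""
    if len(password) < 8:
        raise ValueError("authentication password must be at least 8 characters")
    pw = password.encode("ascii")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(HASHES[auth_type], pw * reps + pw[:rem]).digest()


def localized_key(password: str, engine_id: bytes, auth_type: str) -> bytes:
    """Step 2: bind Ku to one engine, Kul = H(Ku || engineID || Ku)."""
    ku = password_to_key(password, auth_type)
    return hashlib.new(HASHES[auth_type], ku + engine_id + ku).digest()


def auth_tag(key: bytes, message: bytes, auth_type: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the HMAC truncated to 12 bytes."""
    return hmac.new(key, message, HASHES[auth_type]).digest()[:12]


def agent_accepts(agent_key: bytes, station_key: bytes,
                  message: bytes, auth_type: str) -> bool:
    """The agent recomputes the tag with its own key and compares in constant time."""
    sent = auth_tag(station_key, message, auth_type)
    return hmac.compare_digest(sent, auth_tag(agent_key, message, auth_type))


def engine_id_change(password: str = "maplesyrup", auth_type: str = "sha"):
    """Return (accepted_before, accepted_after_id_change, accepted_after_rekey)."""
    msg = b"constructed SNMPv3 message bytes"

    # Account created while the old engine ID was configured on both sides.
    agent_key = localized_key(password, RFC_ENGINE_ID, auth_type)
    station_key = localized_key(password, RFC_ENGINE_ID, auth_type)
    before = agent_accepts(agent_key, station_key, msg, auth_type)

    # Engine ID changed and the station updated, but the user's password was
    # not reconfigured: the agent's key is still based on the previous ID.
    station_key = localized_key(password, NEW_ENGINE_ID, auth_type)
    after_change = agent_accepts(agent_key, station_key, msg, auth_type)

    # Password reconfigured on the agent: key re-derived under the new ID.
    agent_key = localized_key(password, NEW_ENGINE_ID, auth_type)
    after_rekey = agent_accepts(agent_key, station_key, msg, auth_type)
    return before, after_change, after_rekey


if __name__ == "__main__":
    print(localized_key("maplesyrup", RFC_ENGINE_ID, "md5").hex())
    print(engine_id_change())
```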

configure snmp-user
Creates and configures a new SNMP V3 user account, or configures the specified existing SNMPv3 user account. Use the no parameter to delete the specified SNMP V3 user account.

Syntax
configure [no] snmp-user <user_name> [no-passwords] [auth-type {md5 | sha | none}] [priv-type {des | none}] [oid <MIB_subtree_OID>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

<user_name>

User name assigned to the SNMP V3 user account that you are creating and/or configuring.

no-passwords

Configures the specified SNMP V3 user account to be accessible without an authentication password. By default, if a user account is configured with an authorization password, the user must enter that password to gain access to the account.

auth-type {md5 | sha | none}

Specifies the type of authentication used to access the SNMP V3 user account. Use one of the following keywords to specify the authentication type:
none: No authentication required to access this account. This is the default setting.
md5: MD5 checksum authentication.
sha: Secure hash algorithm (SHA) authentication.
NOTE: If you specify either md5 or sha, the CLI prompts you twice to enter the authentication password for the account. This password must be at least 8 characters in length.

priv-type {des | none}

Specifies whether you want to use the Data Encryption Standard (DES) algorithm to encrypt data sent to the SNMP V3 user account. If you want to use the DES algorithm, specify priv-type des; if not, specify priv-type none. The default setting is priv-type none.

oid <MIB_subtree_OID>

Specifies the MIB subtree that the SNMP V3 user can access. The following OID formats are allowed:
Numeric OIDs, such as .1.3.6.1
Fully qualified OID names, such as .iso.org.dod
OID names for specific MIB subtrees, such as .mib-2
OID names for subtrees that are one tree level below .mib-2, such as .system, .interfaces, .at, and .ip
NOTE: All numeric and text OIDs must start with a dot (.).
The default setting is .iso. This allows the user to access the entire MIB tree. For example, if you specify oid mib-2, the user can access only those MIB objects that are part of the mib-2 subtree. If you specify oid interfaces, the user can access only those MIB objects that are part of the interface table.

Restrictions
Default Privilege Level: 15
All numeric and text OIDs must start with a dot (.).
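
A configuration review for the configure snmp-server community and configure snmp-user commands described above, as an added example that is not part of the original guide or Crossbeam code. It resolves each community's address scope from the three documented forms and each user's effective security level from the documented defaults. The SAMPLE lines are constructed, the function names are hypothetical, the level names are the standard USM ones, and the script assumes XOS applies a subnet mask in the usual way.

```python
import ipaddress

# Constructed sample configuration using the syntax documented above.
SAMPLE = """\
configure snmp-server community nms-ro 192.0.2.10
configure snmp-server community lab-ro 10.15.3.0/16
configure snmp-server community open-ro 0.0.0.0 0.0.0.0
configure snmp-user audit1 auth-type sha priv-type des oid .system
configure snmp-user legacy
"""


def community_scope(line: str):
    """Parse one community definition -> (community, network, address as written)."""
    tok = line.split()
    if tok[:3] != ["configure", "snmp-server", "community"] or len(tok) not in (5, 6):
        raise ValueError(f"not a community definition: {line!r}")
    community, addr = tok[3], tok[4]
    if len(tok) == 6:                      # <IP_address> <subnet_mask> form
        addr = f"{addr}/{tok[5]}"
    iface = ipaddress.ip_interface(addr)   # a bare IP address becomes a /32
    return community, iface.network, iface.ip


def option(tokens, keyword, default):
    """Value that follows keyword, or the documented default when it is absent."""
    return tokens[tokens.index(keyword) + 1] if keyword in tokens else default


def user_security(line: str):
    """Parse one snmp-user definition -> (user, USM security level, MIB subtree)."""
    tok = line.split()
    if tok[:2] != ["configure", "snmp-user"] or len(tok) < 3:
        raise ValueError(f"not an snmp-user definition: {line!r}")
    opts = tok[3:]
    auth = option(opts, "auth-type", "none")   # documented default: none
    priv = option(opts, "priv-type", "none")   # documented default: none
    oid = option(opts, "oid", ".iso")          # documented default: entire MIB tree
    if auth == "none":
        level = "noAuthNoPriv"
    elif priv == "des":
        level = "authPriv"
    else:
        level = "authNoPriv"
    return tok[2], level, oid


def audit(config: str):
    """Return (name, finding) pairs for the settings a reviewer would question."""
    findings = []
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("configure snmp-server community "):
            name, net, written = community_scope(line)
            if net.prefixlen == 0:
                findings.append((name, "readable from any source address"))
            elif written != net.network_address:
                findings.append((name, f"host bits set: {written} with this mask "
                                       f"covers {net} ({net.num_addresses} addresses)"))
        elif line.startswith("configure snmp-user "):
            user, level, oid = user_security(line)
            if level == "noAuthNoPriv":
                findings.append((user, f"no authentication or encryption, subtree {oid}"))
            elif level == "authNoPriv":
                findings.append((user, f"authenticated but not encrypted, subtree {oid}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

Note that the guide's own example, 10.15.3.0/16, resolves to the whole 10.15.0.0/16 network rather than to the 10.15.3.x range.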

configure rmon event


Configures an RMON event in the global RMON configuration. Adds an RMON event to the RMON event table (the eventTable object in the RMON MIB). You specify an event using its RMON event number (EventIndex) in the global RMON configuration. Use the no parameter to remove the specified event from the RMON event table.

NOTE: RMON alarm and event configurations are not supported on an offline CPM.

Syntax
configure rmon event <RMON_event_number> [log] [trap <community_string>] [description <event_description>] [owner <owner_name>]
configure no rmon event <RMON_event_number>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

<RMON_event_number>

Specifies the RMON event number assigned to the event that you want to configure and add to the RMON event table. In the eventTable, the <RMON_event_number> becomes the event's eventIndex. Valid values are 1 to 64999.

log

Configures the event to generate an RMON log entry. In the eventTable, the event's eventType becomes log or log-and-trap.

trap <community_string>

Configures the event to trigger an SNMP trap notification message for the SNMP community with the specified community string. In the eventTable, the event's eventType becomes snmptrap or log-and-trap. The <community_string> becomes the event's eventCommunity.

description <event_description>

Configures the event with the specified event description. In the eventTable, the <event_description> becomes the event's eventDescription.

owner <owner_name>

Configures the event with the specified event owner. In the eventTable, the <owner_name> becomes the event's eventOwner.

Restrictions
Default Privilege Level: 15

Example
The following command adds event number 1 to the RMON event table:

CBS# configure rmon event 1 log trap snmpcommunity1 description "High CPU Utilization" owner jroy

The new event has the following configuration settings:
The event description is High CPU Utilization.
The event owner is jroy.
Each time the event occurs, it generates an RMON log entry.
Each time the event occurs, the X-Series Platform sends an SNMP trap notification message to the SNMP community that uses the community string, snmpcommunity1.

configure rmon alarm


Configures an RMON alarm in the global RMON configuration for the specified MIB object. Adds an alarm to the alarm table (the alarmTable object in the RMON MIB). You specify an alarm using its RMON alarm number (AlarmIndex) in the global RMON configuration. By default, no RMON alarms are configured. Use the no parameter to delete the specified RMON alarm configuration and remove the specified RMON alarm from the RMON alarm table.

NOTE: RMON alarm and event configurations are not supported on an offline CPM.

Syntax
configure rmon alarm <RMON_alarm_number> <MIB_object> <sample_interval> {delta | absolute} rising-threshold <rising_threshold_value> [<rising_threshold_event_number>] falling-threshold <falling_threshold_value> [<falling_threshold_event_number>] [owner <alarm_owner>]
configure no threshold alarm <number>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

<RMON_alarm_number>

Specifies the RMON alarm number assigned to the alarm that you want to configure and add to the RMON alarm table. In the alarmTable, the <RMON_alarm_number> becomes the event's alarmIndex. Valid values are 1 to 64999.

<MIB_object>

Specifies the MIB object for which you want to configure an RMON alarm. In the alarmTable, the <MIB_object> becomes the alarmVariable.

<sample_interval>

Configures the sample interval, expressed in seconds, for the alarm sensor. The alarm sensor obtains a sample measurement every <sample_interval> seconds. In the alarmTable, <sample_interval> becomes the alarmInterval.

{delta | absolute}

Specifies the method that the alarm sensor uses to calculate the MIB object's current value. You must specify one of the following:
delta: MIB object's current value is the delta between the alarm sensor's last two consecutive sample measurements.
absolute: MIB object's current value is the absolute value of the current sample measurement.
In the alarmTable, the alarm's alarmSampleType becomes delta or absolute.

rising-threshold <rising_threshold_value>

Configures the alarm sensor's rising threshold value. If the MIB object's current value is equal to or greater than the specified rising threshold value, the alarm sensor triggers the alarm. In the alarmTable, the <threshold_value> becomes the alarm's alarmRisingThreshold. Valid values are from -2147483648 to 2147483647.

<rising_threshold_event_number>

Configures the RMON alarm to trigger the specified RMON event. In the alarmTable, the <rising_threshold_event_number> becomes the alarm's alarmRisingEventIndex. Valid values are from 1 to 64999.

falling-threshold <falling_threshold_value>

Configures the alarm sensor's falling threshold value. After the alarm sensor triggers the alarm, the alarm remains active until the MIB object's current value is less than or equal to the specified falling threshold value. At that point, the alarm sensor resets the alarm. In the alarmTable, the <threshold_value> becomes the alarm's alarmFallingThreshold. Valid values are from -2147483648 to 2147483647.

<falling_threshold_event_number>

Configures the resetting of the RMON alarm to trigger the specified RMON event. In the alarmTable, the <falling_threshold_event_number> becomes the alarm's alarmFallingEventIndex. Valid values are from 1 to 64999.

owner <alarm_owner>

Configures the alarm with the specified alarm owner. In the alarmTable, the <owner_name> becomes the event's alarmOwner.

Restrictions
Default Privilege Level: 15

Example
The following command configures RMON alarm number 10:

CBS# configure rmon alarm 10 ifEntry.2.1 30 delta rising-threshold 15 0 falling-threshold 1 owner jjohnson

The new alarm has the following configuration settings:
The alarm sensor monitors the MIB object, ifEntry.2.1.
The alarm sensor's sample interval is 30. The alarm obtains a sample measurement every 30 seconds, until the alarm is disabled.
The alarm's alarmSampleType is delta. Each time the alarm sensor obtains a sample measurement, the sensor calculates the delta between the current sample measurement and the previous sample measurement. This delta value becomes the current value of ifEntry.2.1.
The alarm's rising threshold value is 15. When the current value of ifEntry.2.1 is greater than or equal to 15 (that is, the measured value of ifEntry.2.1 increases by at least 15), the sensor triggers the alarm.
When the alarm sensor triggers the alarm, the alarm triggers event number 1.
The alarm's falling threshold is 0. After the alarm sensor triggers the alarm, it continues to obtain sample measurements and calculate the current value of ifEntry.2.1 every 30 seconds. If the current value of ifEntry.2.1 falls to a value less than or equal to 1 (that is, the measured value of ifEntry.2.1 does not increase), the sensor resets the alarm.
The alarm owner is jjohnson.
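
The trigger and reset behaviour described for configure rmon alarm, as an added example that is not part of the original guide or Crossbeam code. It models the alarm as a small state machine with the rising threshold 15, falling threshold 1 and 30-second interval from the command above, and runs the same readings in delta and absolute mode. READINGS is constructed and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed raw readings of the monitored object, one per sample interval.
READINGS = [100, 104, 125, 150, 151, 151, 170, 170]


@dataclass
class RmonAlarm:
    rising: int
    falling: int
    sample_type: str = "delta"     # "delta" or "absolute"
    active: bool = False           # True between a trigger and the next reset
    _prev: Optional[int] = None    # previous raw reading (delta mode only)

    def sample(self, raw: int) -> Optional[str]:
        """Feed one raw reading; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            if self._prev is None:         # a delta needs two readings
                self._prev = raw
                return None
            value, self._prev = raw - self._prev, raw
        elif self.sample_type == "absolute":
            value = raw
        else:
            raise ValueError("sample_type must be 'delta' or 'absolute'")

        # Trigger once when the value reaches the rising threshold ...
        if not self.active and value >= self.rising:
            self.active = True
            return "rising"
        # ... then stay active until the value drops to the falling threshold.
        if self.active and value <= self.falling:
            self.active = False
            return "falling"
        return None


def run(alarm: RmonAlarm, readings: List[int],
        interval: int = 30) -> List[Tuple[int, str]]:
    """Return (seconds since first sample, event) for every trigger or reset."""
    events = []
    for i, raw in enumerate(readings):
        event = alarm.sample(raw)
        if event:
            events.append((i * interval, event))
    return events


def delta_events() -> List[Tuple[int, str]]:
    return run(RmonAlarm(rising=15, falling=1, sample_type="delta"), READINGS)


def absolute_events() -> List[Tuple[int, str]]:
    return run(RmonAlarm(rising=15, falling=1, sample_type="absolute"), READINGS)


if __name__ == "__main__":
    print("delta:   ", delta_events())
    print("absolute:", absolute_events())
```

With delta sampling the alarm triggers and resets twice on these readings; with absolute sampling the first reading triggers it and it never resets, because the raw value never drops to the falling threshold.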

configure logging console


Sets the level of console logging that the X-Series Platform performs. The console log stores all event messages that have a severity level equal to or lower than the specified log level. You can specify the console log level by entering the desired log level number (0-7) or by entering the severity keyword that corresponds to the desired log level number (listed below). Use the configure no logging console command to restore the default console log level, which is 4 (Warning). At this level, the console log stores all event messages with severity levels 0-4.

Syntax
configure logging console level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}
configure no logging console

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}

Configures the console log level for the X-Series Platform. The console log stores all event messages that have a severity level equal to or lower than the console log level. You can specify the console log level using either its level number or its level name. Valid values for log level number (<level_number>) are 0-7. Default is 4. Valid console log level names are:
emerg: Specifies log level 0 (LOG_EMERG). Logs messages with severity level 0, Emergency. Emergency messages indicate that the system is unstable.
alert: Specifies log level 1 (LOG_ALERT). Logs messages with severity levels 0 and 1. Severity level 1 is Alert, which indicates that immediate action is needed.
crit: Specifies log level 2 (LOG_CRIT). Logs messages with severity levels 0-2. Severity level 2 is Critical, which indicates a critical condition.
error: Specifies log level 3 (LOG_ERROR). Logs messages with severity levels 0-3. Severity level 3 is Error, which indicates an error condition.
warning: Default log level. Specifies log level 4 (LOG_WARNING). Logs messages with severity levels 0-4. Severity level 4 is Warning, which indicates a warning condition.
notice: Specifies log level 5 (LOG_NOTICE). Logs messages with severity levels 0-5. Severity level 5 is Notification, which indicates that a significant event has occurred, but conditions remain normal.
info: Specifies log level 6 (LOG_INFO). Logs messages with severity levels 0-6. Severity level 6 is Informational. Use these messages for information only.
debug: Specifies log level 7 (LOG_DEBUG). Logs messages with severity levels 0-7. Severity level 7 is Debugging. Use these messages for debugging only.

Restrictions
Default Privilege Level: 15

configure logging monitor


Sets the level of log monitoring that the X-Series Platform performs. The console terminal displays only the event messages stored in the console log that have a severity level equal to or lower than the specified log monitoring level, allowing the user to monitor specific types of events in real time. You can specify the log monitoring level by entering the desired log monitoring level number (0-7) or by entering the severity keyword that corresponds to the desired log monitoring level number (listed below). Use the configure no logging monitor command to restore the default log monitoring level, which is 4 (Warning). At this level, the console terminal displays only the event messages stored in the console log that have severity levels 0-4.

Syntax
configure logging monitor level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}
configure no logging monitor

Context
You access this command from the main CLI context.

Parameters
See Parameters on page 151 for a list of parameters used with this command.

Parameters
level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}

Configures the log monitoring level for the X-Series Platform. The console terminal displays only the event messages stored in the console log that have a severity level equal to or lower than the specified log monitoring level, allowing the user to monitor specific types of events in real time. You can specify the log monitoring level using either its level number or its level name. Valid values for log level number (<level_number>) are 0-7. Default is 4. Valid log monitoring level names are:
emerg: Specifies log level 0 (LOG_EMERG). Console terminal displays messages with severity level 0, Emergency. Emergency messages indicate that the system is unstable.
alert: Specifies log level 1 (LOG_ALERT). Console terminal displays messages with severity levels 0 and 1. Severity level 1 is Alert, which indicates that immediate action is needed.
crit: Specifies log level 2 (LOG_CRIT). Console terminal displays messages with severity levels 0-2. Severity level 2 is Critical, which indicates a critical condition.
error: Specifies log level 3 (LOG_ERROR). Console terminal displays messages with severity levels 0-3. Severity level 3 is Error, which indicates an error condition.
warning: Default log level. Specifies log level 4 (LOG_WARNING). Console terminal displays messages with severity levels 0-4. Severity level 4 is Warning, which indicates a warning condition.
notice: Specifies log level 5 (LOG_NOTICE). Console terminal displays messages with severity levels 0-5. Severity level 5 is Notification, which indicates that a significant event has occurred, but conditions remain normal.
info: Specifies log level 6 (LOG_INFO). Console terminal displays messages with severity levels 0-6. Severity level 6 is Informational. Use these messages for information only.
debug: Specifies log level 7 (LOG_DEBUG). Console terminal displays messages with severity levels 0-7. Severity level 7 is Debugging. Use these messages for debugging only.

Restrictions
Default Privilege Level: 15


configure logging server


Directs the X-Series Platform to send log messages to the specified remote syslog server. Use the no parameter to delete the specified syslog server configuration entry.

Syntax
configure [no] logging server {<host_name> | <IP_address>}

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <host_name>
Description: Host name assigned to the syslog server to which the X-Series Platform sends log messages.

Parameter: <IP_address>
Description: IP address assigned to the syslog server to which the X-Series Platform sends log messages.

Restrictions
Default Privilege Level: 15

logging
Writes the specified text message to the X-Series Platform's system log. In the log, the text message is prepended by a series of equal signs (=), as shown in the example below.

Syntax
logging <text_message>

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <text_message>
Description: Text message that the X-Series Platform writes to the system log.


Restrictions
Default Privilege Level: 0

Example
The following command writes the text message, Hello World! to the X-Series Platform's system log:
mercury# logging Hello World!
The following log message appears in the /var/log/messages file on the CPM:
Jan 20 16:26:42 mercury admin: ==================== Hello World!

Commands for Configuring Chassis Resource Protection


This section describes the commands to configure Chassis Resource Protection. This section contains the following command descriptions:
- configure chassis-resource-protection
- flow-table-partition (conf-resource-protection context)
- flow-table-profile (conf-flow-table-partition context)
- table-limit-action (conf-rp-table-profile context)
- backup-flow-info (conf-rp-table-profile context)
- fragment-handling-options (conf-resource-protection context)
- selective-drop (conf-rp-frag-handlings context)
- allow-fragment-overlap (conf-rp-select-drop context)
- limit-fragment-queue (conf-rp-select-drop context)
- ip-id-validation (conf-rp-frag-handlings context)
- tcp-overlap-protection (conf-rp-frag-handlings context)
- tcp-flow-validation (conf-resource-protection context)
- bypass-tcp-flow-setup-validation (tcp-flow-validation context)
- packet-validation
- validate-ip-packet (conf-pkt-validation context)
- validate-tcp-packet (conf-pkt-validation context)
- validate-tcp-xsum (conf-pkt-validation context)

configure chassis-resource-protection
Chassis Resource Protection provides configuration parameters to prevent malicious traffic from consuming critical NPM resources. Parameters based on TCP flow validation and flow table limits are set to monitor and filter traffic flow. Additional fragment handling parameters can also be enabled for effective handling of fragmented packets. These features must be enabled by the user, and are off by default.
configure chassis-resource-protection enables global resource protection settings on the X-Series Platform. Use the no parameter to disable chassis resource protection.
NOTE: To restore all the resource protection settings to default values, use the no chassis-resource-protection command.


Syntax
configure [no] chassis-resource-protection [no] enable

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the conf-resource-protection context. You can access the following commands from this context:
- flow-table-partition (conf-resource-protection context)
- fragment-handling-options (conf-resource-protection context)
- tcp-flow-validation (conf-resource-protection context)

Parameters
The following table lists the parameters used with this command.

Parameter: [no] enable
Description: [Disable] Enable resource protection on the chassis. Once enabled, you can disable settings per logical line, or on a flow rule basis.

Restrictions
Default Privilege Level: 15
Settings are off by default.
Once enabled, settings may be disabled per logical interface.

Example
configure chassis-resource-protection enable

flow-table-partition (conf-resource-protection context)


Sets the percentage of the flow table used when flow table limits are enforced, and the individual protocol flow table limits as a percentage of the chassis-wide flow table size. The flow table limit enforcement threshold ranges from 0 to 85%. Each individual protocol threshold ranges from 0 to 100%, and together they must add up to 100%.

Syntax
flow-table-partition threshold <0 - 85>

Context and Subcommands


Access this command from the conf-resource-protection context. Access this context from the main CLI context by issuing the chassis-resource-protection command.
- flow-table-profile (conf-flow-table-partition context)


Parameters
The following table lists the parameters used with this command.

Parameter: tcp <0-100>
Description: Percentage of flow table allocated for protocol TCP

Parameter: udp <0-100>
Description: Percentage of flow table allocated for protocol UDP

Parameter: icmp <0-100>
Description: Percentage of flow table allocated for protocol ICMP

Parameter: other-ip <0-100>
Description: Percentage of flow table allocated for other-IP protocols

Parameter: flow-table-profile {tcp | udp | icmp | other-ip}
Description: Configures the system action for the tcp, udp, icmp, or other-ip partition

Parameter: backup-flow-info
Description: Enables the flow information to be backed up for high-availability

Parameter: table-limit
Description: Specifies the action to take when the flow table limit is exceeded. Values are:
  action drop: Drops packets when the limit has been exceeded
  action pass: Passes packets when the limit has been exceeded

Restrictions
Default Privilege Level: 15

Example
Use the configure chassis-resource-protection command to enter the correct context, then define the flow table partitions.
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# flow-table-partition threshold 60 tcp 20 udp 20 icmp 0 other-ip 0

flow-table-profile (conf-flow-table-partition context)


This command sets the flow table profile for the stated protocol. The profile determines how the traffic is handled when the protocol allocation is reached, and whether flow info is backed up.

Syntax
flow-table-profile {tcp | udp | icmp | other-ip}

Subcommands
- table-limit-action (conf-rp-table-profile context)
- backup-flow-info (conf-rp-table-profile context)


Parameters
The following table lists the parameters used with this command.

Parameter: tcp
Description: Sets the profile for TCP

Parameter: udp
Description: Sets the profile for UDP

Parameter: icmp
Description: Sets the profile for ICMP

Parameter: other-ip
Description: Sets the profile for Other-IP

Restrictions
Default Privilege Level: 15

Example
CBS(conf-resource-protection)# flow-table-partition threshold 60 tcp 20 udp 20 icmp 0 other-ip 0
CBS(conf-flow-table-partition)# flow-table-profile tcp
CBS(conf-rp-table-profile)#

table-limit-action (conf-rp-table-profile context)


Specifies the action taken per flow-type, when the specified limit is reached. Statistics are maintained for both drop and pass disposition. This global flow-table-profile table-limit-action can be overridden on a per circuit basis by specifying a circuit specific flow table limit alternative-action. The default action is pass.

Syntax
table-limit {action drop | action pass}

Restrictions
Default Privilege Level: 15

Example
CBS(conf-resource-protection)# flow-table-partition threshold 60 tcp 20 udp 20 icmp 0 other-ip 0
CBS(conf-flow-table-partition)# flow-table-profile tcp
CBS(conf-rp-table-profile)# table-limit action drop
CBS(conf-rp-table-profile)# backup-flow-info

backup-flow-info (conf-rp-table-profile context)


Controls backup of flows for high-availability. When enabled, flows of the specified flow-type will be backed up. When disabled, flows created while the system is below threshold will be backed up, but flows created while the system is above threshold will not be backed up. The default is backup-flow-info.

Syntax
[no] backup-flow-info


Restrictions
Default Privilege Level: 15

Example
CBS(conf-resource-protection)# flow-table-partition threshold 60 tcp 20 udp 20 icmp 0 other-ip 0
CBS(conf-flow-table-partition)# flow-table-profile tcp
CBS(conf-rp-table-profile)# table-limit action drop
CBS(conf-rp-table-profile)# backup-flow-info
CBS(conf-rp-table-profile)#

fragment-handling-options (conf-resource-protection context)


Defines which heuristics XOS will use to classify and process fragmented packets. Access these parameters from the configure chassis-resource-protection context.

Syntax
fragment-handling-options

Context and Subcommands


Access this command from the conf-resource-protection context. Access this context from the main CLI context by issuing the chassis-resource-protection command.
- selective-drop (conf-rp-frag-handlings context)
- ip-id-validation (conf-rp-frag-handlings context)
- tcp-overlap-protection (conf-rp-frag-handlings context)

Restrictions
Default Privilege Level: 15

Example
CBS(conf-resource-protection)# fragment-handling-options
CBS(conf-rp-frag-handlings)#

selective-drop (conf-rp-frag-handlings context)


Defines heuristics for actions to be taken when processing packet fragments and selectively drops TCP/UDP flows with matched options.

Syntax
selective-drop

Context and Subcommands


Access this command from the conf-rp-frag-handlings context. Issue the fragment-handling-options command at the conf-resource-protection level.


Subcommands include:
- allow-fragment-overlap (conf-rp-select-drop context)
- limit-fragment-queue (conf-rp-select-drop context)

Restrictions
Default Privilege Level: 15

Example
CBS(conf-rp-frag-handlings)# selective-drop
CBS(conf-rp-select-drop)#

allow-fragment-overlap (conf-rp-select-drop context)


Instructs the fragment handling heuristics to pass overlapping TCP and UDP packet fragments. Use the [no] parameter to drop overlapping TCP and UDP packet fragments.

Syntax
allow-fragment-overlap

Context
Access this command from the selective drop context. Use the following commands to reach the correct context:
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# fragment-handling-options
CBS(conf-rp-frag-handlings)# selective-drop
CBS(conf-rp-select-drop)# allow-fragment-overlap

limit-fragment-queue (conf-rp-select-drop context)


Instructs the fragment handling heuristics to limit the length of the queue holding TCP/UDP packet fragments.

Syntax
limit-fragment-queue

Restrictions
Default Privilege Level: 15

Context
Access this command from the selective drop context. Use the following commands to reach the correct context:
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# fragment-handling-options
CBS(conf-rp-frag-handlings)# selective-drop
CBS(conf-rp-select-drop)# limit-fragment-queue


ip-id-validation (conf-rp-frag-handlings context)


Resolves the mapping of fragmented TCP/UDP packets with the same IP-ID to flows.

Syntax
ip-id-validation

Restrictions
Default Privilege Level: 15

Context
Access this command from the fragment-handling-options context. Use the following commands to reach the correct context:
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# fragment-handling-options
CBS(conf-rp-frag-handlings)# ip-id-validation
CBS(conf-rp-frag-handlings)#

tcp-overlap-protection (conf-rp-frag-handlings context)


Eliminates overlaps in TCP fragments at the beginning of the TCP header.

Syntax
tcp-overlap-protection

Restrictions
Default Privilege Level: 15

Context
Access this command from the fragment-handling-options context. Use the following commands to reach the correct context:
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# fragment-handling-options
CBS(conf-rp-frag-handlings)# tcp-overlap-protection
CBS(conf-rp-frag-handlings)#
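The fragment-handling options above (allow-fragment-overlap, limit-fragment-queue, ip-id-validation, tcp-overlap-protection) can be pictured with the following Python model. It is an added illustration, not XOS code: the class and field names, the per-flow queue key, the 20-byte header boundary, and the sample fragments are assumptions made for this example, and reassembly and queue timeouts are left out.

```python
"""Fragment-handling checks in miniature (added illustration, not XOS code)."""
from collections import Counter
from dataclasses import dataclass

TCP, UDP = 6, 17
MIN_TCP_HEADER = 20  # bytes; a later fragment starting below this lands in the TCP header


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    ip_id: int      # IP Identification field
    offset: int     # payload byte offset within the original datagram
    length: int     # payload bytes carried by this fragment

    @property
    def key(self):
        # Assumption: fragments are queued per flow, not by IP-ID alone, so two
        # senders that reuse the same IP-ID never share a queue.
        return (self.src, self.dst, self.proto, self.ip_id)

    @property
    def end(self):
        return self.offset + self.length


class FragmentInspector:
    def __init__(self, allow_overlap=False, queue_limit=None, tcp_overlap_protection=True):
        self.allow_overlap = allow_overlap
        self.queue_limit = queue_limit
        self.tcp_overlap_protection = tcp_overlap_protection
        self.queues = {}          # key -> fragments accepted so far
        self.stats = Counter()    # counted for passed and dropped fragments alike

    def inspect(self, frag):
        """Return (verdict, reason) for one arriving fragment."""
        queue = self.queues.get(frag.key, [])
        # A non-first TCP fragment that starts inside the header could replace
        # ports or flags already inspected (the case discussed in RFC 1858).
        if (self.tcp_overlap_protection and frag.proto == TCP
                and 0 < frag.offset < MIN_TCP_HEADER):
            return self._drop("tcp-header-overlap")
        # Two byte ranges overlap when each starts before the other ends.
        if any(frag.offset < q.end and q.offset < frag.end for q in queue):
            self.stats["overlap-seen"] += 1
            if not self.allow_overlap:
                return self._drop("overlap")
        if self.queue_limit is not None and len(queue) >= self.queue_limit:
            return self._drop("queue-full")
        self.queues.setdefault(frag.key, []).append(frag)
        self.stats["pass"] += 1
        return ("pass", "ok")

    def _drop(self, reason):
        self.stats["drop:" + reason] += 1
        return ("drop", reason)


def demo():
    """Run constructed sample fragments through a strict inspector."""
    a, b = "192.0.2.1", "198.51.100.2"          # documentation addresses
    insp = FragmentInspector(allow_overlap=False, queue_limit=2)
    arrivals = [
        Fragment(a, b, UDP, 7, 0, 24),           # bytes 0-23
        Fragment(a, b, UDP, 7, 24, 24),          # bytes 24-47
        Fragment(a, b, UDP, 7, 16, 16),          # bytes 16-31, overlaps both
        Fragment(a, b, UDP, 7, 48, 8),           # clean, but the queue holds 2 already
        Fragment("192.0.2.9", b, UDP, 7, 0, 24), # same IP-ID, different flow
        Fragment(a, b, TCP, 9, 8, 16),           # starts inside the TCP header
    ]
    return [insp.inspect(f) for f in arrivals]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```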

tcp-flow-validation (conf-resource-protection context)


Enables validation of TCP flow setup, including the 3-way handshake, middle-of-flow setup, simultaneous SYNs, sequence number validation, and flow terminations via FIN/RST sequence number validation. When enabled globally, tcp-flow-validation can be disabled on a per flow rule basis, using bypass-tcp-flow-setup-validation.


Syntax
tcp-flow-validation

Context and Subcommands


Access this command from the conf-resource-protection context. Access this context from the main CLI context by issuing the chassis-resource-protection command.
- bypass-tcp-flow-setup-validation (tcp-flow-validation context)

Restrictions
Default Privilege Level: 15

Example
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# tcp-flow-validation
CBS(conf-rp-tcp-flow)#

bypass-tcp-flow-setup-validation (tcp-flow-validation context)


Bypass TCP validation during flow setup. Typically, bypass should be set when the topology prevents a flow's bidirectional symmetry (through the chassis). When bypassed, TCP sequence number will be updated and FIN and RST sequence numbers will be validated before flow removal. This parameter is set globally for the platform, and can be disabled per interface. When enabled globally, tcp-flow-validation can be disabled on a per flow rule basis, using bypass-tcp-flow-setup-validation. See the second example below.

Syntax
bypass-tcp-flow-setup-validation

Restrictions
Default Privilege Level: 15

Example
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# tcp-flow-validation
CBS(conf-rp-tcp-flow)# bypass-tcp-flow-setup-validation
CBS(conf-rp-tcp-flow)#

Example - disable per flow rule


CBS# configure vap-group <existing vap-group name>
CBS(config-vap-grp)# ip-flow-rule <existing-rule>
CBS(ip-flow-rule)# bypass-tcp-flow-setup-validation
CBS(ip-flow-rule)#


packet-validation
TCP Packet validation is an inspection process to detect and drop invalid TCP/IP frames. Packet Validation checks TCP and IP header information, packet size, flags, checksums, and other specific aspects of each incoming packet. When the packet-validation feature is enabled, the subcommands provide the option to either drop or pass non-conformant traffic. In all packet validation checks, statistics are maintained regardless of the action. These checks are applied globally to circuits connected to external interfaces. Packet validation can be disabled on individual circuits by assigning a per-circuit alternative-action. Refer to the example below for additional information.

Syntax
packet-validation

Contexts and Subcommands


You access this command from the main CLI context.
- validate-ip-packet (conf-pkt-validation context)
- validate-tcp-packet (conf-pkt-validation context)
- validate-tcp-xsum (conf-pkt-validation context)

Restrictions
Default Privilege Level: 15

Example
CBS# configure packet-validation
CBS(conf-pkt-validation)#

Alternative-action per logical interface


The alternative action set at the logical interface level applies to all flow types (UDP, TCP, ICMP, and other-IP). When the per-logical interface packet-validation feature is enabled, the individual validate options provide alternative action selections of either drop or pass. The alternative-action command is available for logical interfaces configured as part of an interface, a group interface, and a VLAN. The alternative-action specified disables or enables packet-validation features for the logical interface. When set, the action overrides the chassis-wide settings.

Example
CBS# configure interface gigabitethernet 2/4
CBS(conf-intf-gig)# logical trflog
CBS(intf-gig-logical)# circuit trf
CBS(intf-gig-log-cct)# packet-validation

validate-ip-packet (conf-pkt-validation context)


Validate packets based on IP fields independent of flow state (e.g., invalid IP option length). The default disposition is validate-ip-packet; the default action is pass.


Syntax
validate-ip-packet action <drop | pass>

Restrictions
Default Privilege Level: 15

Example
CBS# configure packet-validation
CBS(conf-pkt-validation)# validate-ip-packet action drop

Alternative-action per logical interface


The alternative action set at the logical interface level applies to all flow types (UDP, TCP, ICMP, and other-IP). When the per-logical interface packet-validation feature is enabled, the individual validate options provide alternative action selections of either drop or pass. The alternative-action command is available for logical interfaces configured as part of an interface, a group interface, and a VLAN. The alternative-action specified disables or enables packet-validation features for the logical interface. When set, the action overrides the chassis-wide settings.
IMPORTANT: The default disposition is no validate-ip-packet, which means "Do not override the chassis-wide setting."

Example
CBS# configure interface gigabitethernet 2/4
CBS(conf-intf-gig)# logical trflog
CBS(intf-gig-logical)# circuit trf
CBS(intf-gig-log-cct)# packet-validation
CBS(intf-gig-log-cct)# validate-ip-packet alternative-action pass

validate-tcp-packet (conf-pkt-validation context)


Validate packets based on TCP fields that are independent of the flow state (for example, invalid TCP flags). The default disposition is validate-tcp-packet; the default action is pass.

Syntax
validate-tcp-packet action <drop | pass>

Restrictions
Default Privilege Level: 15

Example
CBS# configure packet-validation
CBS(conf-pkt-validation)# validate-tcp-packet action drop


Alternative-action per logical interface


The alternative action set at the logical interface level applies to all flow types (UDP, TCP, ICMP, and other-IP). When the per-logical interface packet-validation feature is enabled, the individual validate options provide alternative action selections of either drop or pass. The alternative-action command is available for logical interfaces configured as part of an interface, a group interface, and a VLAN. The alternative-action specified disables or enables packet-validation features for the circuit. When set, the action overrides the chassis-wide settings.
IMPORTANT: The default disposition is no validate-tcp-packet, which means "Do not override the chassis-wide setting."

Example
CBS# configure interface gigabitethernet 2/4
CBS(conf-intf-gig)# logical trflog
CBS(intf-gig-logical)# circuit trf
CBS(intf-gig-log-cct)# packet-validation
CBS(intf-gig-log-cct)# validate-tcp-packet alternative-action pass

validate-tcp-xsum (conf-pkt-validation context)


Validate packets based on the TCP checksum. The default disposition is no validate-tcp-xsum; the default action is pass.

Syntax
validate-tcp-xsum action <drop | pass>

Restrictions
Default Privilege Level: 15

Example
CBS# configure packet-validation
CBS(conf-pkt-validation)# validate-tcp-xsum action drop

Alternative-action per logical interface


The alternative action set at the logical interface level applies to all flow types (UDP, TCP, ICMP, and other-IP). When the per-logical interface packet-validation feature is enabled, the individual validate options provide alternative action selections of either drop or pass. The alternative-action command is available for logical interfaces configured as part of an interface, a group interface, and a VLAN. The alternative-action specified disables or enables packet-validation features for the circuit. When set, the action overrides the chassis-wide settings.
IMPORTANT: The default disposition is no validate-tcp-xsum, which means "Do not override the chassis-wide setting."

Example
CBS# configure interface gigabitethernet 2/4
CBS(conf-intf-gig)# logical trflog
CBS(intf-gig-logical)# circuit trf
CBS(intf-gig-log-cct)# packet-validation
CBS(intf-gig-log-cct)# validate-tcp-xsum alternative-action pass
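The three packet-validation checks described above (IP fields, TCP fields, TCP checksum), each with its own drop or pass action and statistics kept either way, are modeled in the following Python example. It is added here for illustration and is not XOS code: the function names, the specific flag combinations treated as invalid, and the sample packets are assumptions, since the page names only an invalid IP option length and invalid TCP flags as examples.

```python
"""Stateless packet checks in miniature (added illustration, not XOS code)."""
import struct
from collections import Counter

FIN, SYN, RST = 0x01, 0x02, 0x04

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_ip(pkt: bytes) -> list:
    """IPv4 header checks that need no flow state."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not a complete IPv4 header"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or ihl > len(pkt):
        return ["bad header length"]
    findings = []
    if not ihl <= total_len <= len(pkt):
        findings.append("bad total length")
    if internet_checksum(pkt[:ihl]) != 0:
        findings.append("bad header checksum")
    i = 20
    while i < ihl:                        # walk the options area
        kind = pkt[i]
        if kind == 0:                     # End of Option List
            break
        if kind == 1:                     # No-Operation is a single byte
            i += 1
            continue
        olen = pkt[i + 1] if i + 1 < ihl else 0
        if olen < 2 or i + olen > ihl:    # option runs past the header
            findings.append("invalid IP option length")
            break
        i += olen
    return findings

def tcp_segment(pkt: bytes) -> bytes:
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]

def check_tcp(pkt: bytes) -> list:
    """TCP header checks that need no flow state."""
    seg = tcp_segment(pkt)
    if len(seg) < 20:
        return ["truncated TCP header"]
    findings = []
    data_off, flags = (seg[12] >> 4) * 4, seg[13] & 0x3F
    if data_off < 20 or data_off > len(seg):
        findings.append("bad TCP data offset")
    if flags == 0:
        findings.append("no TCP flags set")
    if flags & SYN and flags & (FIN | RST):   # assumed invalid combinations
        findings.append("SYN combined with FIN or RST")
    return findings

def check_tcp_xsum(pkt: bytes) -> list:
    """Verify the TCP checksum over the pseudo-header and the segment."""
    seg = tcp_segment(pkt)
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return [] if internet_checksum(pseudo + seg) == 0 else ["bad TCP checksum"]

CHECKS = (("validate-ip-packet", check_ip),
          ("validate-tcp-packet", check_tcp),
          ("validate-tcp-xsum", check_tcp_xsum))

def inspect(pkt: bytes, actions: dict, stats: Counter) -> str:
    """Count every failed check; drop only when that check's action is 'drop'."""
    verdict = "pass"
    for name, check in CHECKS:
        if check(pkt):
            stats[name] += 1
            if actions.get(name, "pass") == "drop":
                verdict = "drop"
            if check is check_ip:
                break                     # header unusable, skip the TCP checks
        if check is check_ip and pkt[9] != 6:
            break                         # not TCP
    return verdict

def build_packet(flags: int, ip_options: bytes = b"", corrupt_tcp: bool = False) -> bytes:
    """Build a constructed IPv4/TCP sample packet with correct checksums."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, flags, 8192, 0, 0)
    csum = internet_checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    if corrupt_tcp:
        csum ^= 0x0101
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ihl = 20 + len(ip_options)            # ip_options must be a multiple of 4 bytes
    ip = struct.pack("!BBHHHBBH", 0x40 | ihl // 4, 0, ihl + len(tcp), 1, 0, 64, 6, 0)
    ip += src + dst + ip_options
    return ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:] + tcp

def demo():
    """Return (verdicts, stats) for four constructed packets, all actions 'drop'."""
    stats, actions = Counter(), {name: "drop" for name, _ in CHECKS}
    samples = [build_packet(SYN), build_packet(SYN | FIN),
               build_packet(SYN, ip_options=bytes([7, 9, 4, 0])),
               build_packet(SYN, corrupt_tcp=True)]
    return [inspect(p, actions, stats) for p in samples], stats

if __name__ == "__main__":
    print(demo())
```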

Commands for Configuring CPM Redundancy


This section describes the commands that you can use to configure CPM redundancy on an X-Series Platform.

configure cp-redundancy
Configures CPM redundancy on the X-Series Platform. Sets the operational state of the online CPM (the CPM on which you issue the configure cp-redundancy command) to primary. Sets the administrative state of both CPMs to election.
IMPORTANT: The CPM redundancy configuration takes effect immediately on the offline CPM. However, the CPM redundancy configuration does not take effect on the online (primary) CPM until after you reboot it. To begin using CPM redundancy, you must first write the XOS running configuration file to the startup configuration file using the startup-config parameter with the copy running-config command, and then reboot the online CPM using the reload module command.
If CPM redundancy is already configured on the X-Series Platform, this command places you in the config-cp-redundancy context, from which you can configure each CPM's administrative state. Use the no parameter to delete the existing CPM redundancy configuration from both CPMs.

Syntax
configure [no] cp-redundancy

Contexts and Subcommands


You access this command from the main CLI context. If CPM redundancy is already configured on the X-Series Platform, this command places you in config-cp-redundancy context, from which you can configure each CPM's administrative state. You can access the following command from this context:
- set (config-cp-redundancy context)

Restrictions
Default Privilege Level: 15
CPMs configured for redundancy must have identical RAID configurations. (Their mirrored partition sizes must match.) Therefore:
- If one CPM is configured for RAID, both CPMs must be configured for RAID.
- If both CPMs are configured for RAID, they must both be configured for the same RAID type (RAID 1 or RAID 0).
NOTE: To support a RAID configuration, you must perform a fresh XOS installation on both CPMs.


set (config-cp-redundancy context)


Sets the CPM redundancy administrative state of the specified CPM. When you configure CPM redundancy on the X-Series Platform, by default, the administrative state of both CPMs is set to election. (See configure cp-redundancy on page 164.) Use the show cp-redundancy command to display the current CPM redundancy administrative states of both CPMs.

Syntax
set {cp1 | cp2 | this_cp | other_cp} {election | offline}

Context
You access this command from the config-cp-redundancy CLI context. You access this context from the main CLI context by issuing the configure cp-redundancy command.

Parameters
The following table lists the parameters used with this command.

Parameter: {cp1 | cp2 | this_cp | other_cp}
Description: Specifies the CPM for which you are configuring CPM redundancy:
  cp1: CPM named cp1. Use the show chassis command to display the slot number and module name assigned to each CPM in your chassis.
  cp2: CPM named cp2. Use the show chassis command to display the slot number and module name assigned to each CPM in your chassis.
  this_cp: The CPM from which you are issuing the set command (this CPM).
  other_cp: The other CPM.

Parameter: {election | offline}
Description: Configures the specified CPM with one of the following CPM redundancy administrative states:
  election: CPM participates in the primary CPM election, and can be elected as the primary CPM. This is the default administrative state for both CPMs when CPM redundancy is first configured.
  offline: Specified CPM is offline. An offline CPM does not communicate with other modules in the chassis, and cannot be elected as the primary CPM.

Restrictions
Default Privilege Level: 15


configure management vip-addr


Configures a virtual management IP address for the X-Series Platform and assigns that IP address to port 1 on both CPMs. If you have configured CPM redundancy on the X-Series Platform, you can use the virtual management IP address to access the primary management interface, regardless of which CPM is currently designated as the primary CPM. Use the no parameter to delete the specified virtual management IP address.

Syntax
configure management [no] vip-addr <IP_address>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <IP_address>
Description: Virtual management IP address that you wish to assign to the X-Series Platform.

Restrictions
Default Privilege Level: 15
The virtual management IP address, the actual management IP address of cp1, and the actual management IP address of cp2 must all be part of the same subnet.

configure cp-action {cp1 | cp2} disk-error


Configures the specified CPM to respond to critical disk errors in one of two ways:
- Go offline when a critical disk error occurs.
- Take no action when a critical disk error occurs.

Syntax
configure cp-action {cp1 | cp2} disk-error {offline | none}

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter: {cp1 | cp2}
Description: Specifies the CPM that you want to configure. You specify a CPM using its module name (cp1 or cp2). Use the show chassis command to display the slot number and module name assigned to each CPM in your chassis.

Parameter: {offline | none}
Description: Configures the CPM to respond to a critical disk error in one of two ways:
  offline: CPM goes offline when a critical disk error occurs.
  none: CPM takes no action when a critical disk error occurs.

Restrictions
Default Privilege Level: 15

Example
The following command configures the CPM named cp1 to go offline when a critical disk error occurs.
CBS(config)# cp-action cp1 disk-error offline

cp-unknown-state
Configures the specified CPM to take one of two actions when the other CPM's state is unknown:
- Continue monitoring the other CPM while its state is unknown, and be prepared to take action should the other CPM fail after exiting the unknown state.
- Ignore the other CPM while its state is unknown, and resume monitoring the other CPM when it enters a known state.

Syntax
cp-unknown-state {cp1 | cp2} {monitor | ignore}

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter: {cp1 | cp2}
Description: Specifies the CPM that you want to configure. You specify a CPM using its module name (cp1 or cp2). Use the show chassis command to display the slot number and module name assigned to each CPM in your chassis.

Parameter: {monitor | ignore}
Description: Configures the specified CPM to take one of two actions when the other CPM's state is unknown:
  monitor: Continue monitoring the other CPM while its state is unknown, and be prepared to take action should the other CPM fail after exiting the unknown state.
  ignore: Ignore the other CPM while its state is unknown, and resume monitoring the other CPM when it enters a known state.

Restrictions
Default Privilege Level: 15
This command is not available on the X20 or X30 chassis.

Example
In the following example, an X-Series Platform is configured for CPM redundancy. The primary CPM is cp1 and the secondary is cp2. The system administrator plans an activity on cp2 that will result in cp2 being temporarily unable to send heartbeat signals. Examples include:
- Performing a fresh XOS software installation on cp2 using the USB Installer (USBI)
- Rebuilding the partitions on the cp2 disk
  NOTE: The loss of heartbeat from cp2 occurs after the cp-disk-scheme command has been used, and after cp2 has rebooted.
- Copying the cp2 primary distribution to the secondary distribution
  NOTE: This can occur during:
  - An AWS "Prepare system for a possible rollback" operation
  - As part of the preparation for a safe upgrade (see Preparing for Safe Upgrade in the XOS Configuration Guide)
Prior to starting the activity on cp2, the system administrator uses the following command on cp1 to instruct it to ignore the lack of heartbeat signals from cp2.
CBS# cp-unknown-state cp1 ignore
After the activity on cp2 has been completed, the administrator uses the following command to instruct cp1 to resume monitoring of cp2.
CBS# cp-unknown-state cp1 monitor


Commands for Accessing Other Systems from the CPM


This section describes the CLI and Unix commands that you can use to access other systems from the CPM. This section includes the following command descriptions:
- CLI command: ssh
- Unix Commands: ftp, telnet, ssh, rsh

CLI command: ssh


Initiates an SSH client connection request. The X-Series Platform functions as an SSH client, so the remote host must be an SSH server. If user authentication is required to connect to the SSH server, specify your user name with the ssh command and then specify your password when the SSH server prompts you to do so.

Syntax
ssh [username <user_name>] {<IP_address> | <host_name>}

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: username <user_name>
Description: Configures the X-Series Platform to log in to the SSH server using the specified user name. By default, the X-Series Platform attempts to log into the SSH server using your X-Series Platform user name.

Parameter: <IP_address>
Description: IP address assigned to the SSH server (the remote host).

Parameter: <host_name>
Description: Host name assigned to the SSH server (the remote host).

Restrictions
Default Privilege Level: 15


Unix Commands: ftp, telnet, ssh, rsh


If you want to access another system using the CLI, you must request an SSH connection, as described in CLI command: ssh on page 169. However, you can access the Linux shell and log in as the root user by issuing the following command at the CLI prompt and entering your root password when prompted:
CBS# unix su
Password:<root_password>
[root@xxxxx admin]#
See unix on page 626 for more information about the unix CLI command. From the Linux shell, you can use any of the following Unix commands to log into another system:
- ftp: Open an FTP connection.
- telnet: Open a telnet connection.
- ssh: Open an SSH connection.
- rsh: Open an RSH connection.


5
Commands for Configuring and Managing VAP Groups
This chapter describes the CLI commands that you can use to:
- Create, configure, and manage a virtual application processor (VAP) group on an X-Series Platform.
- Install, configure, and manage an application on a VAP group.
- Install and configure routing software and services on a VAP group.
This chapter contains the following sections:
- Commands for Creating and Configuring a VAP Group
- Commands for Managing User Access to a VAP Group
- Commands for Installing, Configuring, and Managing an Application on a VAP Group
- Commands for Installing, Configuring, and Managing Routing Software and Routing Protocols on a VAP Group


Commands for Creating and Configuring a VAP Group


This section describes the commands that you can use to create and configure a virtual application processor (VAP) group on an X-Series Platform. This section contains the following command descriptions:

- configure vap-group
- vap-count (config-vap-grp context)
- max-load-count (config-vap-grp context)
- max-reload-count (config-vap-grp context)
- load-balance-vap-list (config-vap-grp context)
- load-priority (config-vap-grp context)
- preemption-priority (config-vap-grp context)
- raid (config-vap-grp context)
- enable-ipv6 (conf-vap-grp context) (IPv6)
- ip-forwarding-ipv6 (enable-ipv6 context) (IPv6)
- ip-flow-rule (config-vap-grp context)
- non-ip-flow-rule (config-vap-grp context)
- ip-forwarding (config-vap-grp context)
- fail-to-host (config-vap-grp context)
- jumbo-frame (config-vap-grp context)
- scatter-gather (config-vap-grp context)
- reload-timeout (config-vap-grp context)
- vg-reset-wait-time
- delay-flow (config-vap-grp context)
- application-monitor (config-vap-group context)
- master-failover-trigger application (config-vap-grp context)
- master-holddown (config-vap-grp context)
- dhcp-relay-server-list (config-vap-grp context)
- rp-filter (config-vap-grp context)
- log-martians (config-vap-grp context)
- show (config-vap-grp context)


configure vap-group
Creates and configures a new virtual application processor (VAP) group or configures the specified existing VAP group. Places you into the config-vap-grp context in which you can configure the specified VAP group.

When you issue the configure vap-group command to create a new VAP group, the CLI prompts you to confirm your decision to create a new VAP group. If you confirm your decision, the CLI displays a progress message while the X-Series Platform creates and configures the new VAP group. When the VAP group configuration is complete, the CLI returns you to the command prompt. See the example below for details.

NOTE: When you create a new VAP group, the X-Series Platform configures that VAP group with the default VAP count of 1. That is, the VAP group includes only one VAP. To increase the number of VAPs included in a new VAP group, use the vap-count (config-vap-grp context) command.

You can specify a Crossbeam VAP operating system (VAP OS) parameter with the configure vap-group command to configure a new VAP group to run the xslinux_v3, xslinux_v5, xslinux_v5_64, or xsve VAP OS. If you do not specify a VAP OS parameter when you create a new VAP group, the X-Series Platform configures the new VAP group to run the default VAP OS, xslinux_v3.

NOTE: You must configure a new VAP group to run the specific Crossbeam VAP OS required to support the application that you plan to install on that VAP group. Refer to the installation guide for your application to determine its VAP OS requirements.

You cannot change the VAP OS configuration for an existing VAP group. If you do not specify a VAP OS parameter when you configure an existing VAP group, the X-Series Platform retains the current VAP OS configuration for that VAP group. Use the show (config-vap-grp context) command to display the VAP OS currently running on the VAP group that you are configuring.

Use the configure no vap-group <VAP_group_name> command to delete the specified VAP group.

NOTE: You must delete all parts of the XOS configuration that reference a specific VAP group before deleting that VAP group.

Syntax
configure vap-group <VAP_group_name> [xslinux_v3 | xslinux_v5 | xslinux_v5_64 | xsve]
configure no vap-group <VAP_group_name>

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the config-vap-grp context in which you can configure the specified VAP group. You can access the following commands from this context:

- vap-count (config-vap-grp context)
- max-load-count (config-vap-grp context)
- max-reload-count (config-vap-grp context)
- load-balance-vap-list (config-vap-grp context)
- load-priority (config-vap-grp context)
- preemption-priority (config-vap-grp context)
- raid (config-vap-grp context)
- enable-ipv6 (conf-vap-grp context) (IPv6)
- ip-forwarding-ipv6 (enable-ipv6 context) (IPv6)
- ip-flow-rule (config-vap-grp context)
- non-ip-flow-rule (config-vap-grp context)
- ip-forwarding (config-vap-grp context)
- fail-to-host (config-vap-grp context)
- flow-proxy (config-vap-grp context)
- jumbo-frame (config-vap-grp context)
- scatter-gather (config-vap-grp context)
- reload-timeout (config-vap-grp context)
- vg-reset-wait-time
- delay-flow (config-vap-grp context)
- application-monitor (config-vap-group context)
- master-failover-trigger application (config-vap-grp context)
- master-holddown (config-vap-grp context)
- dhcp-relay-server-list (config-vap-grp context)
- rp-filter (config-vap-grp context)
- log-martians (config-vap-grp context)
- show (config-vap-grp context)

Parameters
The following table lists the parameters used with this command.

Parameter: <VAP_group_name>
Description: Name assigned to the new or existing VAP group that you wish to create and/or configure. Each VAP group must have a unique name, and VAP group names are not case-sensitive. For example, you cannot create two VAP groups named firewall1, and you cannot create one VAP group named firewall2 and another group named FireWall2. NOTE: A VAP group cannot be named npm6, and cannot be more than 12 characters long.

Parameter: [xslinux_v3 | xslinux_v5 | xslinux_v5_64 | xsve]
Description: Configures the VAP group to run the specified Crossbeam VAP operating system (VAP OS). Each application requires a specific VAP OS. Refer to the installation guide for your application to determine its VAP OS requirements. An application that runs in a virtual environment requires xsve. The default VAP OS is xslinux_v3. NOTE: If you do not specify a VAP OS when you create a new VAP group, the X-Series Platform configures the new VAP group to run the default VAP OS, xslinux_v3. Use the show (config-vap-grp context) command to display the VAP OS running on the VAP group that you are currently configuring.

Restrictions
Default Privilege Level: 15

- Each VAP group must have a unique name, and VAP group names are not case-sensitive.
- A VAP group cannot be named npm6.
- A VAP group name cannot be more than 12 characters long.
- You cannot change the VAP OS configuration for an existing VAP group.

Example
The following command creates a new VAP group called testvapgroup, which consists of one VAP and is configured to run the xslinux_v5 VAP OS:

CBS# configure vap-group testvapgroup xslinux_v5
Are you sure you want to create a new vap-group with OS version xslinux_v5? <Y or N> [Y]: Y
Creating vap-group testvapgroup. May take several minutes...........+...........+..
CBS(config-vap-grp)#

vap-count (config-vap-grp context)


Sets the VAP count for the VAP group that you are currently configuring. The VAP count is the number of VAPs (APMs) included in the VAP group. The default VAP count is 1. Use the vap-count 1 command to restore the default VAP count setting for the VAP group that you are currently configuring. Use the show (config-vap-grp context) command to display the VAP count for the VAP group that you are currently configuring.


When you issue the vap-count command to change the VAP count for a given VAP group, the CLI prompts you to confirm the new VAP count setting. If you confirm the new VAP count setting, the CLI displays a progress message while the X-Series Platform adjusts the VAP count. When the VAP count adjustment is complete, the CLI returns you to the command prompt. See the example below for details.

Syntax
vap-count <number_of_VAPs_in_group>

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <number_of_VAPs_in_group>
Description: VAP count setting for the VAP group that you are currently configuring. Valid values are from 1 to 63. Default is 1. Use the show (config-vap-grp context) command to display the VAP count for the VAP group that you are currently configuring.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#

The following command sets the VAP count of testvapgroup to 3:

CBS(config-vap-grp)# vap-count 3
Are you sure you want to adjust vap-count to 3? <Y or N> [Y]: Y
Adjusting vap-count. May take several minutes...........+...........+....
CBS(config-vap-grp)#


max-load-count (config-vap-grp context)


Sets the max load count for the VAP group that you are configuring. The max load count is the maximum number of VAPs in a VAP group that can be loaded onto APMs and used to run applications.

NOTE: A VAP group's max load count must be equal to or lower than its VAP count. Use the show (config-vap-grp context) command to display the current max load count and VAP count for the VAP group that you are configuring.

When you set the max load count for a VAP group, the system attempts to load the specified number of VAPs onto available APMs.

NOTE: Each APM can load only one VAP at a time.

If there are not enough available APMs in the chassis to load the specified number of VAPs, the system loads one VAP onto each available APM, and places the remaining VAPs in a queue. Each time you install a new APM in the chassis, the system loads one of the queued VAPs onto the new APM.

Use the show ap-vap-mapping command to determine the number of VAPs in a group that are loaded onto APMs. Use the show chassis command to determine the number of available APMs in a chassis.

The default max load count setting is 0. Use the no parameter to restore this default setting for the VAP group that you are configuring.

Syntax
[no] max-load-count <number_of_VAPs>

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <number_of_VAPs>
Description: Max load count setting for the VAP group that you are configuring. Valid values are 0 to 63. Default is 0. Use the show (config-vap-grp context) command to display the max load count for the VAP group that you are configuring.

Restrictions
Default Privilege Level: 15

A VAP group's max load count must be equal to or lower than its VAP count.


Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#

The following command sets the max load count of testvapgroup to 3:

CBS(config-vap-grp)# max-load-count 3
CBS(config-vap-grp)#

max-reload-count (config-vap-grp context)


Defines the number of times that a VAP can be reloaded before the APM is declared DOWN by the CPM.

Syntax
max-reload-count <reload_count>

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <reload_count>
Description: The number of reloads that are allowed. Range: 1 to 32767. Default Value: 3.

Restrictions
Default Privilege Level: 15

ap-list (config-vap-grp context)


Defines a new APM list for the VAP group that you are currently configuring. The APM list specifies the APMs that can load VAPs that belong to the VAP group. Only an APM included in a VAP group's APM list can load a VAP in that group.

NOTE: Each VAP group can contain only APM-9600s, only APM-8600s, or only APM-8650s. Use the show chassis command to obtain each module's name and model. Then, use the ap-list command to add only APM-9600s, only APM-8600s, or only APM-8650s to the APM list for the VAP group that you are configuring.

By default, when you create a new VAP group, all APMs are included in the VAP group's APM list. That is, any APM can load any VAP in the group.


When you use the ap-list command to define a new APM list for a VAP group, the new list replaces the old one. That is, the new APM list for the VAP group that you are configuring includes only the APMs that you specify with the ap-list command. NOTE: You must specify at least one APM name with the ap-list command; you cannot define a new APM list with no members. Use the no ap-list command to remove all APMs from the APM list for the VAP group that you are currently configuring. Use the show (config-vap-grp context) command to display the APM list for the VAP group that you are currently configuring.

Syntax
ap-list {<APM_name1>} [<APM_name2>] [<APM_name3>] ... [<APM_nameN>]
no ap-list

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <APM_nameN>
Description: Module name assigned to an APM that you want to add to the APM list for the VAP group that you are currently configuring. APM names have the format apN, where N can be any number from 1 to 10. By default, the APM list for a new VAP group includes all APMs installed in the chassis.

Restrictions
Default Privilege Level: 15

You must specify at least one APM name with the ap-list command.

Example
In this example, the X-Series Platform administrator wants to install a firewall application on the VAP group called testvapgroup. The administrator wants to run this application on a VAP group consisting solely of APM-8650s.


The administrator uses the following command to determine which module names are assigned to the APM-8650s installed in his chassis.

CBS# show chassis
Chassis Status for X80:
Power Type: AC-3
1G Backplane Support: Yes
1G Backplane Capability for Slots 3 and 4: Yes
Chassis Revision: C2
Chassis Serial Number: G808F008
Chassis Part Number: 004360
Chassis OCODE: A000
Slot  Present  Module Name  Module Type  Status  Uptime
1     No       n/a          n/a          n/a
2     Yes      np2          NP8600       Up      13 days, 04:11
3     No       n/a          n/a          n/a
4     No       n/a          n/a          n/a
5     Yes      ap3          AP8600       Active  5 days, 00:58
6     No       n/a          n/a          n/a
7     Yes      ap5          AP8650       Active  0 days, 01:56
8     Yes      ap6          AP8650       Active  0 days, 01:56
9     Yes      ap7          AP8650       Active  0 days, 01:56
10    No       n/a          n/a          n/a
11    No       n/a          n/a          n/a
12    No       n/a          n/a          n/a
13    Yes      cp1          CP8600       Up      13 days, 04:14
14    No       n/a          n/a          n/a
CBS#

This command shows that the APM-8650s in the chassis are named ap5, ap6, and ap7. Therefore, the administrator issues the following commands to configure the APM list for the VAP group, testvapgroup, to include only ap5, ap6, and ap7.

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ap-list ap5 ap6 ap7
CBS(config-vap-grp)#
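The single-model rule for an APM list can be checked against the chassis inventory before the ap-list command is entered. The following Python sketch is an added example, not Crossbeam code: it parses a constructed sample laid out like the slot table above and reports ap-list members that are absent or of mixed models. The function names are hypothetical, and it assumes whitespace-separated columns and lower-case module names.

```python
import re

# Constructed sample, laid out like the slot table printed by `show chassis`
# on this page (a subset of rows; not captured from a live system).
SAMPLE_SHOW_CHASSIS = """\
Slot  Present  Module Name  Module Type  Status  Uptime
1     No       n/a          n/a          n/a
2     Yes      np2          NP8600       Up      13 days, 04:11
5     Yes      ap3          AP8600       Active  5 days, 00:58
7     Yes      ap5          AP8650       Active  0 days, 01:56
8     Yes      ap6          AP8650       Active  0 days, 01:56
9     Yes      ap7          AP8650       Active  0 days, 01:56
13    Yes      cp1          CP8600       Up      13 days, 04:14
"""

# Slot number, Present flag, module name, module type (assumed column order).
ROW = re.compile(r"^\s*(\d+)\s+(Yes|No)\s+(\S+)\s+(\S+)")


def parse_show_chassis(text):
    """Return {module_name: {"slot": int, "type": str}} for present modules."""
    modules = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(2) != "Yes":
            continue  # header line, banner text, or an empty slot
        slot, _, name, mtype = m.groups()
        modules[name.lower()] = {"slot": int(slot), "type": mtype}
    return modules


def check_ap_list(ap_list, modules):
    """Return a list of findings for a proposed `ap-list` command."""
    if not ap_list:
        return ["ap-list needs at least one APM name"]
    findings = []
    by_type = {}
    for name in ap_list:
        key = name.lower()
        # APM names have the format apN, where N is 1 to 10.
        if not re.fullmatch(r"ap([1-9]|10)", key):
            findings.append("%s: not of the form apN with N from 1 to 10" % name)
            continue
        module = modules.get(key)
        if module is None:
            findings.append("%s: no such module present in the chassis" % name)
            continue
        by_type.setdefault(module["type"], []).append(key)
    if len(by_type) > 1:
        detail = ", ".join("%s=%s" % (t, "/".join(n))
                           for t, n in sorted(by_type.items()))
        findings.append("mixed APM models in one VAP group: " + detail)
    return findings


if __name__ == "__main__":
    inventory = parse_show_chassis(SAMPLE_SHOW_CHASSIS)
    for proposal in (["ap5", "ap6", "ap7"], ["ap3", "ap5"], ["ap8"]):
        print(proposal, "->", check_ap_list(proposal, inventory) or "ok")
```
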

load-balance-vap-list (config-vap-grp context)


Defines the load-balance VAP list for the VAP group that you are configuring. The load-balance VAP list specifies the VAPs to which the NPM can assign new flows coming into the VAP group. The NPM load balances new flows only across VAPs included in the VAP group's load-balance VAP list.

When you use the load-balance-vap-list command to define a new load-balance VAP list for a VAP group, the new list replaces the old one. That is, the new load-balance VAP list for the VAP group that you are configuring includes only the VAPs that you specify with the load-balance-vap-list command.

NOTE: You must specify at least one VAP index number with the load-balance-vap-list command; you cannot define a new load-balance VAP list with no members.

By default, a VAP group's load-balance VAP list includes all of the VAPs in the VAP group. That is, the NPM load balances new flows across all VAPs in the group. Use the no load-balance-vap-list command to restore this default behavior. Use the show (config-vap-grp context) command to display the load-balance VAP list for the VAP group that you are currently configuring.


Syntax
load-balance-vap-list <VAP_index_number> [<VAP_index_number>] [<VAP_index_number>] ...
no load-balance-vap-list

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <VAP_index_number>
Description: VAP index number assigned to a VAP that you want to include in the load-balance VAP list for the VAP group that you are currently configuring. Use the show ap-vap-mapping command to display the VAP group name and index number assigned to each VAP that is loaded on an APM. Valid values are from 1 to 63. NOTE: You can specify up to 63 VAP index numbers, but the NPMs load balance flows only across VAPs that are loaded onto APMs.

Restrictions
Default Privilege Level: 15

You must specify at least one VAP index number with the load-balance-vap-list command.

Example
In this example, an X-Series Platform administrator originally installed a firewall application on a VAP group called testvapgroup, which consisted of three VAPs. Now, the X-Series Platform administrator wants to add a fourth VAP to testvapgroup and install the firewall application onto a fourth APM-8650. The administrator issues the following commands to increase the VAP count for testvapgroup and add a fourth APM-8650, ap8, to that VAP group's APM list.

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# vap-count 4
Are you sure you want to adjust vap-count to 4? <Y or N> [Y]: Y
Adjusting vap-count. May take several minutes...........+...........+....
CBS(config-vap-grp)# ap-list ap5 ap6 ap7 ap8

Now, to prevent the NPM from assigning new flows to the new VAP during firewall application installation, the X-Series Platform administrator issues the following commands to configure the load-balance VAP list for the VAP group, testvapgroup, to include only the VAPs with index numbers 1, 2, and 3. (The newest VAP's index number is 4.)

CBS(config-vap-grp)# load-balance-vap-list 1 2 3
CBS(config-vap-grp)#

Next, the administrator issues the following command to increase the max load count to 4 and load the new VAP onto an APM (ap8):

CBS(config-vap-grp)# max-load-count 4
CBS(config-vap-grp)#

The administrator then installs the firewall application on the new VAP. When the installation is complete, the administrator uses the following command to add the new VAP to the load-balance VAP list for testvapgroup, so that the new VAP can start processing traffic.

CBS(config-vap-grp)# load-balance-vap-list 1 2 3 4
CBS(config-vap-grp)#

load-priority (config-vap-grp context)


Sets the load priority value for the VAP group that you are configuring. The CPM uses VAP group load priority values to determine the order in which to load VAPs onto APMs installed in the chassis. The CPM always loads all of the members of one VAP group onto available APMs before loading the members of another VAP group onto the remaining available APMs. The CPM loads VAP groups onto APMs in order of load priority value, loading the members of the VAP group with the highest load priority value first. If two VAP groups have the same load priority value, the CPM may load VAPs from either VAP group first. Use the show (config-vap-grp context) command to display the current load priority value for the VAP group that you are configuring. Use the show vap-group command to display the current load priorities of all VAP groups configured on your X-Series Platform. The default VAP group load priority value is 0, which is the lowest load priority value. Use the no load-priority command to restore this default value for the VAP group that you are configuring.

Syntax
load-priority <load_priority_value>
no load-priority

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <load_priority_value>
Description: Load priority value that you want to assign to the VAP group that you are configuring. Valid values are from 0 to 255. The default value is 0.

Restrictions
Default Privilege Level: 15

A VAP group's load priority value must be equal to or higher than its preemption priority value. Use the show (config-vap-grp context) command to display the current preemption priority value for the VAP group that you are configuring. See preemption-priority (config-vap-grp context) on page 183 for information on setting the preemption priority value for the VAP group that you are configuring.

Example
In this example, a VAP group called idsvapgroup is running an IDS application, and a VAP group called testvapgroup is running a firewall application. The X-Series Platform's system administrator has been told that maintaining the availability of the firewall application is much more important than maintaining the availability of the IDS application. Therefore, the administrator decides to configure the two VAP groups to ensure availability of the firewall application in the event that the administrator must reboot the X-Series Platform.

The administrator uses the following commands to set the load priority for the firewall application's VAP group (testvapgroup) to 10:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# load-priority 10
CBS(config-vap-grp)# end
CBS#

The administrator then uses the following commands to set the load priority for the IDS application's VAP group (idsvapgroup) to 5:

CBS# configure vap-group idsvapgroup
CBS(config-vap-grp)# load-priority 5
CBS(config-vap-grp)# end
CBS#

Now, whenever the X-Series Platform reboots, the CPM will load all the VAPs in testvapgroup onto APMs before loading any of the VAPs in idsvapgroup onto APMs. Therefore, after an X-Series Platform reboot, the firewall application starts running on the first APMs that become available. Also, if there are not enough APMs to run all VAPs in both groups, the CPM loads the IDS application's VAPs only if APMs remain available after the CPM loads all of the firewall application's VAPs onto APMs.

preemption-priority (config-vap-grp context)


Sets the preemption priority value for the VAP group that you are configuring. You set preemption priority values for all VAP groups configured on the X-Series Platform to ensure that all of the VAPs in the VAP group running the highest-priority application are always loaded onto APMs. If an APM assigned to a VAP group fails and there are no standby APMs available to replace the failed APM, the CPM may remove a functional APM from a VAP group with a lower preemption priority value and reassign that APM to the VAP group with the higher preemption priority value. NOTE: If there are not enough functional APMs available to run all VAPs in all VAP groups, one or more VAP groups may not be loaded onto any APMs. Use the show (config-vap-grp context) command to display the current preemption priority value for the VAP group that you are configuring. Use the show vap-group command to display the current preemption priorities of all VAP groups configured on your X-Series Platform. The default VAP group preemption priority value is 0, which is the lowest preemption priority value. Use the no preemption-priority command to restore this default value for the VAP group that you are configuring.


Syntax
preemption-priority <preemption_priority_value>
no preemption-priority

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <preemption_priority_value>
Description: Preemption priority value that you want to assign to the VAP group that you are configuring. Valid values are from 0 to 255. The default value is 0.

Restrictions
Default Privilege Level: 15

A VAP group's preemption priority value must be equal to or lower than its load priority value. Use the show (config-vap-grp context) command to display the current load priority value for the VAP group that you are configuring. See load-priority (config-vap-grp context) on page 182 for information on setting the load priority value for the VAP group that you are configuring.

Example
In this example, a VAP group called idsvapgroup is running an IDS application, and a VAP group called testvapgroup is running a firewall application. The X-Series Platform's system administrator has been told that maintaining the availability of the firewall application is much more important than maintaining the availability of the IDS application. Therefore, the administrator decides to configure the two VAP groups to minimize downtime for the firewall application in the event that the administrator must reboot the X-Series Platform.

The administrator uses the following commands to set the preemption priority for the firewall application's VAP group (testvapgroup) to 10:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# preemption-priority 10
CBS(config-vap-grp)# end
CBS#

The administrator then uses the following commands to set the preemption priority for the IDS application's VAP group (idsvapgroup) to 5:

CBS# configure vap-group idsvapgroup
CBS(config-vap-grp)# preemption-priority 5
CBS(config-vap-grp)# end
CBS#

Now, if one or more APMs fail while running the firewall application, the CPM first attempts to replace the failed APMs with standby APMs. If there are not enough standby APMs available to replace all the failed APMs, the CPM removes APMs from the IDS application's VAP group (idsvapgroup) and reassigns those APMs to the firewall application's VAP group (testvapgroup). The CPM continues to reassign APMs to testvapgroup until every VAP in that group is assigned to an APM or until there are no available APMs left in the chassis. This way, the VAP group running the highest-priority application (the firewall) will always have APMs on which to run, because the firewall application's VAP group (testvapgroup) will always have an APM assigned to every VAP in the group.
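The value ranges and cross-field restrictions stated for configure vap-group, vap-count, max-load-count, load-priority, preemption-priority and load-balance-vap-list can be checked before a change script is pasted into the CLI. The following Python linter is an added example, not Crossbeam code; it runs over a constructed transcript, its function and constant names are hypothetical, and it assumes the CLI rejects a command that violates a restriction at the moment it is entered, so command order matters.

```python
import re

VAP_OSES = ("xslinux_v3", "xslinux_v5", "xslinux_v5_64", "xsve")
# name: (lowest, highest, default), from each command's parameter description.
SETTINGS = {
    "vap-count": (1, 63, 1),
    "max-load-count": (0, 63, 0),
    "load-priority": (0, 255, 0),
    "preemption-priority": (0, 255, 0),
}
NO_FORMS = {"max-load-count", "load-priority", "preemption-priority"}
PROMPT = re.compile(r"^\s*CBS(\([^)]*\))?#\s*")

# Constructed sample transcript (not captured from a real system).
SAMPLE_TRANSCRIPT = """\
CBS# configure vap-group testvapgroup xslinux_v5
CBS(config-vap-grp)# vap-count 3
CBS(config-vap-grp)# max-load-count 4
CBS(config-vap-grp)# preemption-priority 10
CBS(config-vap-grp)# load-priority 10
CBS(config-vap-grp)# preemption-priority 10
CBS(config-vap-grp)# load-balance-vap-list 1 2 64
CBS(config-vap-grp)# end
CBS# configure vap-group TestVapGroup xsve
CBS(config-vap-grp)# end
CBS# configure vap-group perimeter-fw-01
"""


def cross_field_violations(group):
    """Restrictions that tie two settings of one VAP group together."""
    problems = []
    if group["max-load-count"] > group["vap-count"]:
        problems.append("max load count %d exceeds VAP count %d"
                        % (group["max-load-count"], group["vap-count"]))
    if group["preemption-priority"] > group["load-priority"]:
        problems.append("preemption priority %d exceeds load priority %d"
                        % (group["preemption-priority"], group["load-priority"]))
    return problems


def lint(transcript):
    """Return (findings, groups); findings are (line_number, message) tuples."""
    groups, current, findings = {}, None, []

    def try_set(lineno, key, value):
        low, high, _ = SETTINGS[key]
        if not low <= value <= high:
            findings.append((lineno, "%s %d is outside %d-%d" % (key, value, low, high)))
            return
        problems = cross_field_violations({**groups[current], key: value})
        if problems:  # assumption: the CLI rejects the command, state unchanged
            findings.extend((lineno, p) for p in problems)
        else:
            groups[current][key] = value

    for lineno, raw in enumerate(transcript.splitlines(), 1):
        words = PROMPT.sub("", raw).split()
        if not words:
            continue
        negate = words[0] == "no" and len(words) > 1
        cmd = words[1] if negate else words[0]
        args = words[2:] if negate else words[1:]
        if words[:2] == ["configure", "vap-group"] and len(words) >= 3:
            name, key = words[2], words[2].lower()  # names are not case-sensitive
            vap_os = words[3] if len(words) > 3 else None
            current = None
            if len(name) > 12 or key == "npm6":
                findings.append((lineno, "invalid VAP group name %r" % name))
                continue
            if vap_os is not None and vap_os not in VAP_OSES:
                findings.append((lineno, "unknown VAP OS %r" % vap_os))
                continue
            if key not in groups:
                groups[key] = {k: v[2] for k, v in SETTINGS.items()}
                groups[key]["os"] = vap_os or "xslinux_v3"
            elif vap_os and vap_os != groups[key]["os"]:
                findings.append((lineno, "VAP OS of existing group %r cannot be changed" % name))
            current = key
        elif cmd == "end":
            current = None
        elif cmd in SETTINGS or cmd == "load-balance-vap-list":
            if current is None:
                findings.append((lineno, "%s used outside config-vap-grp context" % cmd))
            elif cmd == "load-balance-vap-list":
                bad = [a for a in args if not a.isdigit() or not 1 <= int(a) <= 63]
                if not negate and (not args or bad):
                    findings.append((lineno, "load-balance-vap-list needs index numbers from 1 to 63"))
            elif negate:
                if cmd in NO_FORMS:
                    try_set(lineno, cmd, SETTINGS[cmd][2])
            elif len(args) == 1 and args[0].isdigit():
                try_set(lineno, cmd, int(args[0]))
            else:
                findings.append((lineno, "%s needs one numeric value" % cmd))
        # Any other line (confirmation prompts, progress output) is ignored.
    return findings, groups


if __name__ == "__main__":
    for lineno, message in lint(SAMPLE_TRANSCRIPT)[0]:
        print("line %d: %s" % (lineno, message))
```

In the sample, line 4 is flagged because the preemption priority is raised while the load priority is still at its default of 0; the same command on line 6 passes once line 5 has raised the load priority.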

raid (config-vap-grp context)


Sets the RAID level for the APM local hard drives installed in the APMs assigned to the VAP group that you are configuring. You can set the RAID level for a VAP group to RAID 1 or RAID 0.

IMPORTANT: A RAID configuration functions only for VAP groups that are loaded on APMs on which two local hard drives are installed, and the CLI does not issue a warning or error message when you configure a RAID level for a VAP group loaded on one or more APMs with single local hard drives.

Before setting the RAID level for a VAP group, make sure its APM list includes only APMs that have two local hard drives installed on them. Use the show module status command to determine which APMs have two local hard drives installed on them. Then, use the ap-list (config-vap-grp context) command to configure the VAP group's APM list to include only APMs with two local hard drives.

RAID 0 is called striping. If the APMs assigned to a VAP group use RAID 0, each APM distributes data across both of its local disks, creating larger logical disk partitions with faster read/write speeds. However, if either of the local hard drives installed on an APM fails, all of the data saved on both hard drives is lost.

RAID 1 is called mirroring. If the APMs assigned to a VAP group use RAID 1, each APM writes identical data to both of its local hard drives. Thus, mirroring lets you create local hard drive redundancy on each APM.

By default, if a VAP group runs on APMs with two hard drives, the APMs do not use RAID; the two disks on each APM work independently of one another. Use the no raid command to restore this default behavior for the APMs assigned to the VAP group that you are configuring. Use the show (config-vap-grp context) command to display the RAID level for the VAP group that you are currently configuring.

Syntax
raid {1 | 0}
no raid

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.


Parameters
The following table lists the parameters used with this command.

Parameter: {1 | 0}
Description: Specifies the RAID level that you want to set for the APMs assigned to the VAP group that you are configuring. Specify one of the following:
- 0: Specifies RAID level 0, striping. Each APM writes an equal amount of data to both of its local hard drives.
- 1: Specifies RAID level 1, mirroring. Each APM writes identical data to both of its local hard drives.
By default, if a VAP group runs on APMs with two hard drives, the APMs do not use RAID; the two disks on each APM work independently of one another.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#

The following command configures the APMs assigned to testvapgroup to use RAID 1:

CBS(config-vap-grp)# raid 1
CBS(config-vap-grp)#

enable-ipv6 (conf-vap-grp context) (IPv6)


Enables or disables (using no) IPv6 services for the VAP group that you are configuring.

Syntax
[no] enable-ipv6

Contexts and Subcommands


You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command. This command places you in the enable-ipv6 context in which you can configure ip-forwarding for IPv6 traffic.

XOS handles IPv6 traffic using non-IP flow rules. When you enable IPv6 support for a VAP-group, XOS automatically creates the following non-ip-flow-rule for IPv6 traffic:

non-ip-flow-rule ipv6_rule encapsulation ethernet type 34525 action pass-to-master activate

Do not disable or change this rule while IPv6 support is enabled for the VAP group.

Restrictions
Default Privilege Level: 15

To enable IPv6 on a VAP group, all associated circuits must have an MTU size of at least 1280.

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#

The following command enables IPv6 services for the VAP group:

CBS(config-vap-grp)# enable-ipv6
CBS(config-vap-grp)#

ip-forwarding-ipv6 (enable-ipv6 context) (IPv6)


Enables or disables (using no) IP forwarding for IPv6 packets for the VAP group that you are configuring.

Syntax
[no] ip-forwarding-ipv6

Restrictions
Default Privilege Level: 15

Typically, the application running on the module performs IP forwarding, if required. This command is primarily used for lab testing.

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following commands configure the APMs assigned to testvapgroup for IPv6 traffic and enable the forwarding of IPv6 packets:
CBS(config-vap-grp)# enable-ipv6
CBS(enable-ipv6)# ip-forwarding-ipv6

ip-flow-rule (config-vap-grp context)


Creates or configures an IP flow rule for the VAP group that you are configuring. Places you into a context in which you can configure and activate the specified IP flow rule.
The NPM uses the IP flow rules configured for a VAP group to determine how to process IP traffic destined for the members of that VAP group.
NOTE: If an NPM is unable to apply any IP flow rules to an incoming IP packet, the NPM drops the packet. Therefore, when you assign an IP address to a circuit configured for a VAP group, the X-Series Platform automatically creates default IP flow rules for that VAP group. Refer to the XOS Configuration Guide for more information about these default IP flow rules.
Each IP flow rule is comprised of an action and a set of packet matching criteria. The NPM performs the action on flows that match the conditions defined in the packet matching criteria. For example, you can create an IP flow rule that instructs the NPM to load balance all flows across all members of a VAP group, or you can create an IP flow rule that instructs the NPM to drop all packets that match a specific destination port.
By default, when you create a new IP flow rule for a VAP group, XOS configures packet matching criteria for the new IP flow rule to match all IP flows assigned to the VAP group.
You must activate an IP flow rule before it will take effect. By default, IP flow rules are not activated. See activate (ip-flow-rule context) for instructions on activating an IP flow rule for the VAP group that you are configuring.
Use the no parameter to delete the specified IP flow rule.
Use the show (ip-flow-rule context) command to display the current configuration for the IP flow rule that you are configuring. Use the show ip-flow-rule command to display all VAP group IP flow rules currently configured for the X-Series Platform.

Syntax
[no] ip-flow-rule <IP_flow_rule_name>

Contexts and Subcommands


You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command. This command places you in the ip-flow-rule context in which you can configure and activate the specified IP flow rule. You can access the following commands from this context:
action load-balance (ip-flow-rule context) on page 304
action drop (ip-flow-rule context) on page 305
action allow (ip-flow-rule context) on page 306
action pass-to-master (ip-flow-rule context) on page 307
action pass-to-vap (ip-flow-rule context) on page 308
action broadcast (ip-flow-rule context) on page 309
bypass-tcp-flow-setup-validation (ip-flow-rule context) on page 310
direction (ip-flow-rule context) on page 310
skip-port-protocol (ip-flow-rule context) on page 312
generate-reversed-flow (ip-flow-rule context) on page 312
source-addr (ip-flow-rule context) on page 314
destination-addr (ip-flow-rule context) on page 315
source-port (ip-flow-rule context) on page 317
destination-port (ip-flow-rule context) on page 318
protocol (ip-flow-rule context) on page 319
domain (ip-flow-rule context) on page 321
incoming-circuit-group (ip-flow-rule context) on page 322
timeout (ip-flow-rule context) on page 324
trace (ip-flow-rule context) on page 326
core-assignment (ip-flow-rule context) on page 329
activate (ip-flow-rule context) on page 330
show (ip-flow-rule context) on page 331

Parameters
The following table lists the parameters used with this command.
Parameter | Description
<IP_flow_rule_name> | Name assigned to the IP flow rule that you want to create or configure for the VAP group that you are configuring.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command creates an IP flow rule for the VAP group called testvapgroup and places you in the context in which you can configure and activate that IP flow rule (called testiprule):
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

non-ip-flow-rule (config-vap-grp context)


Creates or configures a non-IP flow rule for the VAP group that you are configuring. Places you into a context in which you can configure and activate the specified non-IP flow rule for the VAP group that you are configuring.
The NPM uses the non-IP flow rules configured for a VAP group to determine how to process each non-IP traffic flow (such as an IPX or Spanning Tree Protocol traffic flow) that arrives on a logical interface configured on the VAP group.
NOTE: If an NPM is unable to apply any non-IP flow rules to an incoming non-IP packet, the NPM drops the packet.
Each VAP group non-IP flow rule is comprised of an action and a set of packet-matching criteria. The NPM performs the action on flows that match the conditions defined in the packet-matching criteria. For example, you can create a non-IP flow rule that instructs the NPM to send all Spanning-Tree-Protocol-related traffic destined for a VAP group to the master VAP for that VAP group.
You must configure each VAP group non-IP flow rule with one of three link encapsulation types:
ethernet: Enables the NPM to process Ethernet encapsulated packets that arrive on logical interfaces configured for the VAP group. Configures the NPM to apply the VAP group non-IP flow rule's action only to Ethernet encapsulated packets that meet the flow rule's destination Ethernet protocol matching criteria.
lsap: Enables the NPM to process LSAP encapsulated packets that arrive on logical interfaces configured for the VAP group. Configures the NPM to apply the VAP group non-IP flow rule's action only to LSAP encapsulated packets that meet the flow rule's Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) matching criteria.
snap: Enables the NPM to process SNAP encapsulated packets that arrive on logical interfaces configured for the VAP group. Configures the NPM to apply the VAP group non-IP flow rule's action only to SNAP encapsulated packets that meet the flow rule's destination Ethernet protocol and Organization Unique Identifier (OUI) matching criteria.
NOTE: By default, the link encapsulation type for all VAP group non-IP flow rules is ethernet, and the destination Ethernet protocol matching criteria is set to any Ethernet protocol number.
Use the show (non-ip-flow context) command to display the link encapsulation type and packet-matching criteria defined for the VAP group non-IP flow rule that you are configuring.
You must activate a VAP group non-IP flow rule before it will take effect. By default, VAP group non-IP flow rules are not activated. See activate (non-ip-flow context) on page 351 for instructions on activating the VAP group non-IP flow rule that you are configuring.
Use the no parameter to delete the specified non-IP flow rule.
Use the show non-ip-flow command to display the current configuration for the VAP group non-IP flow rule that you are configuring. Use the show non-ip-flow command to display all VAP group non-IP flow rules currently configured on the X-Series Platform.

Syntax
[no] non-ip-flow-rule <non_IP_flow_rule_name>

Contexts and Subcommands


You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command. This command places you in the non-ip-flow context in which you can configure and activate the specified non-IP flow rule. You can access the following commands from this context:
action drop (non-ip-flow context) on page 342
action pass-to-master (non-ip-flow context) on page 342
action broadcast (non-ip-flow context) on page 343
encapsulation ethernet (non-ip-flow context) on page 345
encapsulation lsap (non-ip-flow context) on page 346
encapsulation snap (non-ip-flow context) on page 348
core-assignment (non-ip-flow-rule context) on page 350
activate (non-ip-flow context) on page 351
show (non-ip-flow context) on page 351

Parameters
The following table lists the parameters used with this command.
Parameter | Description
<non_IP_flow_rule_name> | Name assigned to the non-IP flow rule that you want to create or configure for the VAP group that you are configuring.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command creates a non-IP flow rule for the VAP group called testvapgroup and places you in the context in which you can configure and activate that non-IP flow rule (called testnoniprule):
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#

ip-forwarding (config-vap-grp context)


Enables or disables (using no) IP forwarding for the VAP group that you are configuring. By default, IP forwarding is disabled for all VAP groups.
IMPORTANT: Enabling IP forwarding for a VAP group also enables IP forwarding on all circuits assigned to that VAP group. If IP forwarding is enabled for a VAP group, the ip-forwarding (conf-cct-vapgroup context) command has no effect on circuit configurations for that VAP group, so you cannot disable IP forwarding on the VAP group's circuits.
NOTE: In almost all cases, the application installed on a VAP group handles packet forwarding for that VAP group and for all circuits assigned to that VAP group. Therefore, you should enable IP forwarding only if your application installation and configuration guide specifically instructs you to do so.
Use the show (config-vap-grp context) command to determine whether IP forwarding is enabled for the VAP group that you are currently configuring.

Syntax
[no] ip-forwarding

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command enables IP forwarding for the VAP group called testvapgroup:
CBS(config-vap-grp)# ip-forwarding
CBS(config-vap-grp)#

fail-to-host (config-vap-grp context)


In a virtual environment, fail-to-host enables the host to forward packets when the guest application has failed. For example, if a virtualized application (the guest) running on a VAP fails, the host (the xsve operating system running on the APM) continues to forward packets to their destination if fail-to-host has been enabled. Use the no fail-to-host parameter to disable this behavior. Typically, for applications such as firewalls, fail-to-host is disabled (the default condition).

Syntax
[no] fail-to-host

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Restrictions
Default Privilege Level: 15
Applies only to VAP groups that have been configured with the xsve operating system.
If fail-to-host is configured, ip-forwarding must be enabled for the vap-group.

Example
CBS# configure vap-group testvapgroup xsve
CBS(config-vap-group)# fail-to-host

flow-proxy (config-vap-grp context)


In a virtualized environment, this command changes the flow processing algorithm to improve performance. To disable the flow-proxy command after it has been enabled, use the no flow-proxy command. IMPORTANT: This parameter is disabled by default, but is required for any VAP group that uses the xsve VAP operating system.

Syntax
[no] flow-proxy

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Restrictions
Default Privilege Level: 15
This command is required for any vap-group that uses the xsve VAP operating system.

Example
CBS# configure vap-group testvapgroup
CBS(config-vap-group)# flow-proxy
CBS(config-vap-group)#

jumbo-frame (config-vap-grp context)


Enables or disables (using no) jumbo Ethernet frame support for the VAP group that you are configuring. By default, jumbo Ethernet frame support is disabled for all VAP groups. Use this command to enable a VAP group to process Ethernet frames that are larger than 1500 bytes (which is the standard maximum frame size).

Use the show (config-vap-grp context) command to determine whether jumbo Ethernet frame support is enabled for the VAP group that you are currently configuring.
NOTE: If you enable jumbo Ethernet frame support for a VAP group, you must also set the Maximum Transfer Unit (MTU) size to 9000 for each circuit associated with that VAP group.
Use the show circuit command to determine the MTU size configured for every circuit associated with the VAP group that you are configuring. See mtu (conf-cct-vapgroup context) on page 427 for instructions on setting the MTU size for a circuit associated with a VAP group.

Syntax
[no] jumbo-frame

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Restrictions
Default Privilege Level: 15
If jumbo Ethernet frame support is enabled for a VAP group, every circuit associated with that VAP group must have a Maximum Transfer Unit (MTU) size of 9000.

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command enables jumbo Ethernet frame support for the VAP group called testvapgroup:
CBS(config-vap-grp)# jumbo-frame
CBS(config-vap-grp)#

scatter-gather (config-vap-grp context)


Enables or disables (using no) support for fragmenting large Ethernet frames into multiple buffers in host memory on the APMs assigned to the VAP group that you are configuring. By default, this functionality (called scatter-gather functionality) is disabled for all VAP groups.
NOTE: You must reload the VAP group to enable the scatter-gather or no scatter-gather command to take effect.
Enabling support for scatter-gather functionality allows the APMs in a VAP group to carve buffers more efficiently.
NOTE: Use the show (config-vap-grp context) command to determine whether scatter-gather functionality and jumbo Ethernet frames support are enabled for the VAP group that you are currently configuring. See jumbo-frame (config-vap-grp context) on page 193 for information on enabling support for jumbo Ethernet frames on the VAP group that you are configuring.

Syntax
[no] scatter-gather

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command enables support for fragmenting large Ethernet frames into multiple buffers in host memory on the APMs assigned to testvapgroup. That is, the following command enables support for scatter-gather functionality for testvapgroup:
CBS(config-vap-grp)# scatter-gather
CBS(config-vap-grp)#

reload-timeout (config-vap-grp context)


Sets the reload timeout interval for the VAP group that you are configuring. A VAP group's reload timeout interval is the amount of time, in seconds, that the CPM waits for an APM assigned to the VAP group to boot after a reload. If an APM does not finish booting by the end of its VAP group's reload timeout interval, the CPM declares an APM failure and reloads the APM in an attempt to recover from that failure.
NOTE: If the CPM performs too many APM failure recovery attempts, the CPM declares the APM to be permanently down.
You should set the reload timeout interval for a VAP group to allow sufficient time for the application that you plan to install on that VAP group to be reloaded on all VAPs in the VAP group. For example, a firewall application installed on a VAP group consisting of ten VAPs may require 500 seconds to reload all ten VAPs onto APMs in the chassis. Therefore, you should set the reload timeout interval for this VAP group to 500.
The default reload timeout interval for a VAP group is 300 seconds. Use the no reload-timeout command to restore this default setting.
Use the show (config-vap-grp context) command to display the current reload timeout interval for the VAP group that you are configuring.

Syntax
reload-timeout <reload_timeout_interval>
no reload-timeout

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.
Parameter | Description
<reload_timeout_interval> | Reload timeout interval that you want to assign to the VAP group that you are configuring. You specify the reload timeout interval in seconds. Valid values are from 60 to 18000. Default is 300.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command sets the reload timeout interval for testvapgroup to 500 seconds:
CBS(config-vap-grp)# reload-timeout 500
CBS(config-vap-grp)#
When you reload the VAP group, testvapgroup, the X-Series Platform waits 500 seconds for the VAP group to finish reloading. After 500 seconds, if any VAPs in testvapgroup are not loaded onto APMs, the X-Series Platform declares those VAPs inaccessible and attempts to reload them again.

vg-reset-wait-time
Sets the wait time before resetting a VAP when no connectivity to the VAP has been detected. You can use this command to delay the resetting of a VAP if the VAP is busy and fails to send heartbeats for a period of time. Specify a time from 0 (zero) to 60 seconds. Use the no vg-reset-wait-time parameter to set the time to the default value (5 seconds).

Syntax
[no] vg-reset-wait-time <wait_time>

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.
Parameter | Description
<wait_time> | The time that XOS waits after detecting no connectivity from a VAP before resetting the VAP. You specify the wait time in seconds. Valid values are from 0 to 60 seconds. The default is 5.

Restrictions
Default Privilege Level: 15

Example
CBS# configure vap-group testvap-group
CBS(config-vap-grp)# vg-reset-wait-time 15

delay-flow (config-vap-grp context)


Sets the new flow delay interval for the VAP group that you are configuring. A VAP group's new flow delay interval is the amount of time, in seconds, that the NPM waits after an APM assigned to the VAP group enters the Active state before assigning new flows to that APM.
NOTE: Use the show chassis command to determine which APMs are in the Active state. See show chassis on page 780 for more information on possible operational states for APMs.
By default, a VAP group does not have a new flow delay interval. That is, the NPM begins assigning new flows to an APM assigned to a VAP group as soon as that APM enters the Active state. Use the no delay-flow command to restore this default behavior.
Use the show (config-vap-grp context) command to display the current new flow delay interval for the VAP group that you are configuring.

Syntax
delay-flow <new_flow_delay_interval>
no delay-flow

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.
Parameter | Description
<new_flow_delay_interval> | New flow delay interval that you want to assign to the VAP group that you are configuring. You specify the new flow delay interval in seconds. Valid values are 1 to 3600 seconds. NOTE: By default, a VAP group has no new flow delay interval, but 0 is not a valid value for <new_flow_delay_interval>. To restore the default behavior, you must use the no delay-flow command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command sets the new flow delay interval for testvapgroup to 100 seconds:
CBS(config-vap-grp)# delay-flow 100
CBS(config-vap-grp)#
When you reload the VAP group, testvapgroup, the NPM waits 100 seconds after each APM assigned to that VAP group enters the Active state before assigning new flows to that APM.

application-monitor (config-vap-group context)


Enables or disables (using no) application monitoring for the VAP group that you are configuring. By default, application monitoring is enabled on all VAP groups.
NOTE: Some applications have an application configuration menu that is used to enable and disable application monitoring. Refer to your application installation and configuration guide for details.
Use the show application vap-group command to determine whether application monitoring is enabled on the VAP group that you are configuring.
If application monitoring is enabled for a VAP group, the XOS health monitoring system polls application processes on each VAP in the group every five seconds to verify that every VAP is running. If the application is not running on any VAP in the group, the XOS health monitoring system notifies the NPM to stop new flows to that VAP. The NPM performs this process dynamically without modifying the VAP group's load-balance VAP list.
If application monitoring is enabled on a VAP group, you can use the show application vap-group command to determine which VAPs in the VAP group are currently running the application.

Syntax
[no] application-monitor

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command disables application monitoring for the VAP group called testvapgroup:
CBS(config-vap-grp)# no application-monitor
CBS(config-vap-grp)#

master-failover-trigger application (config-vap-grp context)


Configures application failure as a master VAP failover trigger for the VAP group that you are configuring. If you configure a VAP group with this command, whenever application monitoring detects an application failure on the master VAP in the group, XOS re-elects a new master VAP. This behavior is desirable when a VAP group has an application installed on it and is configured to run Crossbeam routing software (RSW) or to participate in Spanning Tree topologies, since RSW and Spanning Tree run only on the master VAP.
NOTE: This command has no effect unless application monitoring is enabled on the VAP group. Refer to your application installation and configuration guide for instructions on enabling application monitoring.
By default, application failure is not a master VAP failover trigger for any VAP group. Use the no master-failover-trigger command to restore this default behavior.
Use the show (config-vap-grp context) command to determine whether application failure is currently a master VAP failover trigger for the VAP group that you are configuring.

Syntax
master-failover-trigger application
no master-failover-trigger

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command configures application failure as a master VAP failover trigger for the VAP group, testvapgroup:
CBS(config-vap-grp)# master-failover-trigger application
CBS(config-vap-grp)#
When the application fails to run on the master VAP for the VAP group, testvapgroup, XOS will elect a new master VAP for the group.

master-holddown (config-vap-grp context)


Sets the master VAP hold-down time for the VAP group that you are configuring. In the event of a master VAP failure, the VAP group's master VAP hold-down time is the amount of time, in seconds, that XOS waits before electing a new master VAP.
The default master VAP hold-down time for all VAP groups is 0. Use the no master-holddown command to restore this default setting for the VAP group that you are configuring.
Use the show (config-vap-grp context) command to display the current master VAP hold-down time for the VAP group that you are configuring.

Syntax
master-holddown <master_VAP_hold-down_time>
no master-holddown

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.
Parameter | Description
<master_VAP_hold-down_time> | Master VAP hold-down time that you want to assign to the VAP group that you are configuring. You specify the master VAP hold-down time in seconds. Valid values are 0-3600. Default is 0.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command sets the master VAP hold-down time for testvapgroup to 30 seconds:
CBS(config-vap-grp)# master-holddown 30
CBS(config-vap-grp)#
If the current master VAP for testvapgroup should fail, XOS will wait 30 seconds before re-electing a new master VAP for the group.

dhcp-relay-server-list (config-vap-grp context)


Adds the specified servers to the DHCP relay server list for the VAP group that you are configuring. A VAP group's DHCP relay server list identifies the DHCP servers to which the VAP group forwards DHCP broadcasts.
Use the no parameter to remove the specified servers from the DHCP relay server list for the VAP group that you are configuring.
IMPORTANT: You must configure the VAP group to use one or more circuits to listen for DHCP broadcasts. The VAP group accepts all DHCP broadcasts that it receives on these circuits and forwards them to the servers included in the DHCP relay server list. To enable a VAP group to use a circuit to listen for DHCP broadcasts, you must configure the circuit with the dhcp-relay command under the conf-cct-vapgroup context. See dhcp-relay (conf-cct-vapgroup context) on page 422 for instructions on using this command.
Use the show (config-vap-grp context) command to display the current DHCP relay server list for the VAP group that you are configuring.

Syntax
[no] dhcp-relay-server-list <IP_address> [<IP_address>] [<IP_address>] ...

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Parameters
The following table lists the parameters used with this command.
Parameter | Description
<IP_address> | IP address of a DHCP relay server that you want to add to or remove from the DHCP relay server list for the VAP group that you are configuring. You must specify each IP address in the standard format (A.B.C.D).

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command adds the DHCP relay servers with the IP addresses 10.10.10.10 and 10.10.10.20 to the DHCP relay server list for the VAP group called testvapgroup:
CBS(config-vap-grp)# dhcp-relay-server-list 10.10.10.10 10.10.10.20
CBS(config-vap-grp)#

rp-filter (config-vap-grp context)


Enables or disables (using no) Reverse Path (RP) filtering for the VAP group that you are configuring. If RP filtering is enabled for a VAP group, the VAPs in the group drop any packet whose incoming interface is different from its reply packet's outgoing interface. A VAP group applies RP filtering only to packets whose source or destination IP address belongs to a network directly connected to the VAP group.
By default, RP filtering is enabled on all VAP groups.
NOTE: You can use the log-martians (config-vap-grp context) command to configure the VAP group to log packets dropped due to RP filtering.
Use the show (config-vap-grp context) command to determine whether RP filtering is enabled on the VAP group that you are configuring.
NOTE: You should disable RP filtering for each VAP group on which you plan to install a Check Point VPN-1 or FireWall-1 application.

Syntax
[no] rp-filter

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command disables RP filtering for the VAP group called testvapgroup:
CBS(config-vap-grp)# no rp-filter
CBS(config-vap-grp)#

log-martians (config-vap-grp context)


Enables or disables (using no) writing syslog entries for martians that come into the VAP group that you are configuring. A martian is a packet whose incoming interface is different from its reply packet's outgoing interface. By default, martians are not logged.
NOTE: If RP filtering is enabled for the VAP group, the VAP group drops all packets defined as martians. See rp-filter (config-vap-grp context) on page 202 for more information about RP filtering.
Use the show (config-vap-grp context) command to determine whether martians are currently logged for the VAP group that you are configuring.

Syntax
[no] log-martians

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#

The following command configures the VAP group called testvapgroup to create a syslog entry for each martian that comes into the VAP group:
CBS(config-vap-grp)# log-martians
CBS(config-vap-grp)#
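The following added example (not Crossbeam code) models the rp-filter and log-martians behavior as the two command descriptions word it: a packet is a martian when its incoming interface differs from the interface its reply would leave on, and the filter applies only when the source or destination is on a directly connected network. The routing table, interface names, and addresses are constructed, and logging every in-scope martian whether or not it is dropped is an assumption, because the page does not spell out that interaction.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    network: str      # CIDR prefix
    interface: str    # interface used to reach this prefix
    connected: bool   # True when the network is directly attached


# Constructed routing table; names and prefixes are hypothetical.
ROUTES = [
    Route("10.1.1.0/24", "eth0", True),
    Route("10.2.2.0/24", "eth1", True),
    Route("0.0.0.0/0", "eth1", False),   # default route
]


def reply_interface(routes, src):
    """Interface a reply to `src` would leave on (longest-prefix match)."""
    addr = ipaddress.ip_address(src)
    hits = [r for r in routes if addr in ipaddress.ip_network(r.network)]
    if not hits:
        return None  # assumption: no route back means no matching interface
    best = max(hits, key=lambda r: ipaddress.ip_network(r.network).prefixlen)
    return best.interface


def directly_connected(routes, ip):
    """True when `ip` belongs to a directly attached network."""
    addr = ipaddress.ip_address(ip)
    return any(r.connected and addr in ipaddress.ip_network(r.network)
               for r in routes)


def evaluate(routes, in_iface, src, dst, rp_filter=True, log_martians=False):
    """Return the verdict for one packet under the given VAP group settings.

    Defaults mirror the documented ones: rp-filter on, log-martians off.
    """
    martian = reply_interface(routes, src) != in_iface
    in_scope = (directly_connected(routes, src)
                or directly_connected(routes, dst))
    checked = martian and in_scope
    return {
        "martian": martian,
        "dropped": checked and rp_filter,
        "logged": checked and log_martians,   # assumption, see lead-in
    }


if __name__ == "__main__":
    cases = [
        ("eth0", "10.1.1.5", "10.2.2.9"),       # arrives on the expected side
        ("eth1", "10.1.1.5", "10.2.2.9"),       # claims an eth0 source on eth1
        ("eth0", "198.51.100.7", "203.0.113.9"),  # transit, nothing connected
    ]
    for in_iface, src, dst in cases:
        print(in_iface, src, dst, evaluate(ROUTES, in_iface, src, dst))
```

With the documented defaults the second packet is dropped without a syslog entry; with no rp-filter plus log-martians it is forwarded and logged.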

show (config-vap-grp context)


Displays the current VAP group configuration settings for the VAP group that you are configuring. Use this command to verify that a VAP group's configuration meets all the requirements for the application that you plan to install on the VAP group. Refer to your application installation and configuration guide for a list of VAP group configuration requirements for the application.

Syntax
show

Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.

Output
The output for this command has the following format:
VAP Group                           : <VAP_group_name>
Operating System                    : {xslinux_v3 | xslinux_v5 | xslinux_v5_64 | xsve}
Load Priority                       : <load_priority_value>
Preemption Priority                 : <preemption_priority_value>
AP List                             : <apN> <apN> <apN> ...
VAP Count                           : <number_of_VAPs_in_group>
Max Load Count                      : <number_of_VAPs>
Max Reload Count                    : <number_of_reloads>
Load Balance VAP List               : <index_number> <index_number> ...
IP Forwarding (true/false)          : {t | f}
Delay Flow (seconds)                : <new_flow_delay_interval>
Backup Mode                         : none
Reload Timeout (seconds)            : <reload_timeout_interval>
RP Filter (true/false)              : {t | f}
Log Martians (true/false)           : {t | f}
DHCP Relay Server List              : <IP_address> <IP_address> ...
RAID                                : {none | 0 | 1}
Jumbo Frame (true/false)            : {t | f}
Scatter Gather (true/false)         : {t | f}
Master HoldDown Timer (in seconds)  : <master_VAP_hold-down_time>
Master Failover Trigger             : application
Application Monitoring (true/false) : {t | f}
IPv6 Enabled (true/false)           : {t | f}
IPv6 IP Forwarding (true/false)     : {t | f}
Fail To Host (true/false)           : f
Flow Proxy (true/false)             : f
Reset Wait Time (seconds)           : 5
(1 row)

The following table describes the information provided in each column/row.

Column/Row Heading

Information Provided

VAP Group

Name assigned to the VAP group. See configure vap-group on page 173 for instructions on assigning a name to a VAP group.

Operating System

VAP OS that the VAP group uses. Default is xslinux_v3. See configure vap-group on page 173 for instructions on configuring a VAP group to use a specific VAP OS.

Load Priority

Load priority assigned to the VAP group. Default is 0. See load-priority (config-vap-grp context) on page 182 for information about setting load priorities for the VAP groups configured on your X-Series Platform.

Preemption Priority

Preemption priority assigned to the VAP group. Default is 0. See preemption-priority (config-vap-grp context) on page 183 for information about setting preemption priorities for the VAP groups configured on your X-Series Platform.

AP List

Module names assigned to the APMs included in the VAP group's APM list. By default, every VAP group's APM list includes all APMs installed in the X-Series Platform. See ap-list (config-vap-grp context) on page 178 for instructions on configuring an APM list for a VAP group.

VAP Count

VAP count configured for the VAP group. Default is 1. See vap-count (config-vap-grp context) on page 175 for instructions on setting the VAP count for a VAP group.

Max Load Count

Max load count configured for the VAP group. Default is 0. See max-load-count (config-vap-grp context) on page 177 for instructions on setting the max load count for a VAP group.

Max Reload Count

The maximum number of reloads for an APM before the APM is declared DOWN. See max-reload-count (config-vap-grp context) on page 178 for instructions on setting the max reload count for an APM.

Load Balance VAP List

VAP index numbers assigned to the VAPs included in the VAP group's load-balance VAP list. By default, all VAPs in a VAP group are included in its load-balance VAP list. See load-balance-vap-list (config-vap-grp context) on page 180 for instructions on configuring a load-balance VAP list for a VAP group.

IP Forwarding (true/false)

Indicates whether IP forwarding is enabled (t) or disabled (f) for the VAP group. Default is disabled (f). See ip-forwarding (config-vap-grp context) on page 192 for instructions on enabling and disabling IP forwarding for a VAP group.

Delay Flow (seconds)

New flow delay interval configured for the VAP group. Default is 0. See delay-flow (config-vap-grp context) on page 197 for instructions on configuring a new flow delay interval for a VAP group.

Backup Mode

Backup mode assigned to the VAP group. Default is none. This setting is no longer configurable.

Reload Timeout (seconds)

Reload timeout interval, expressed in seconds, that is configured for the VAP group. Default is 300. See reload-timeout (config-vap-grp context) on page 195 for instructions on configuring a reload timeout interval for a VAP group.

RP Filter (true/false)

Indicates whether RP filtering is enabled (t) or disabled (f) for the VAP group. Default is enabled (t). See rp-filter (config-vap-grp context) on page 202 for instructions on enabling and disabling RP filtering for a VAP group.

Log Martians (true/false)

Indicates whether incoming packets (called martians) that are dropped due to RP filtering are logged (t) or not (f). By default, martians are not logged (f). See log-martians (config-vap-grp context) on page 203 for instructions on configuring a VAP group to log martians.

DHCP Relay Server List

IP addresses of the DHCP servers included in the VAP group's DHCP relay server list. By default, there are no servers included in this list. See dhcp-relay-server-list (config-vap-grp context) on page 201 for instructions on configuring a DHCP relay server list for a VAP group.

RAID

RAID level configured for the two local hard drives installed on each APM assigned to the VAP group. 1 and 0 indicate RAID 1 and RAID 0, respectively; none (the default setting) indicates that local hard drives installed on APMs assigned to the VAP group do not use RAID. See raid (config-vap-grp context) on page 185 for instructions on configuring a RAID level for the local hard drives installed on APMs assigned to a VAP group.

Jumbo Frame (true/false)

Indicates whether support for jumbo Ethernet frames is enabled (t) or disabled (f) for the VAP group. Default is disabled (f). See jumbo-frame (config-vap-grp context) on page 193 for instructions on enabling and disabling jumbo Ethernet frame support for a VAP group.

Scatter Gather (true/false)

Indicates whether scatter-gather functionality is enabled (t) or disabled (f) for the VAP group. Default is disabled (f). See scatter-gather (config-vap-grp context) on page 194 for instructions on enabling and disabling scatter-gather functionality for a VAP group.

Master HoldDown Timer (in seconds)

Master VAP hold-down time, expressed in seconds, that is configured for the VAP group. Default is 0. See master-holddown (config-vap-grp context) on page 200 for instructions on configuring the master VAP hold-down time for a VAP group.

Master Failover Trigger

If this field appears in the output, its value is always application, and it indicates that application failure is configured as a master VAP failover trigger for the VAP group. By default, application failure is not configured as a master VAP failover trigger for any VAP group. If this default behavior is configured for a VAP group, the Master Failover Trigger field does not appear in the show command output. See master-failover-trigger application (config-vap-grp context) on page 199 for information on configuring application failure as a master VAP failover trigger for a VAP group.

Application Monitoring (true/false)

Indicates whether application monitoring is enabled (t) or disabled (f) for the VAP group. Default is enabled (t). See application-monitor (config-vap-group context) on page 198 for instructions on enabling and disabling application monitoring for a VAP group.

IPv6 Enabled (true/false)

Indicates whether IPv6 services are enabled (t) or disabled (f) for the VAP group. Default is disabled (f).

IPv6 IP Forwarding (true/false)

Indicates whether IPv6 IP forwarding is enabled (t) or disabled (f) for the VAP group. Default is disabled (f). This setting depends on the value of IPv6 Enabled. If IPv6 Enabled is false (f), you cannot set IPv6 IP Forwarding and no value for IPv6 IP Forwarding appears in the output.

Fail To Host (true/false)

In a virtualized environment, if the guest application fails, this parameter controls whether the host continues to forward traffic that was intended for the guest.

Flow Proxy (true/false)

Indicates whether all flows should be directed to the VAP group.

Reset Wait Time (seconds)

The time that the CPM waits before resetting the APM. Some applications require a substantial boot time. By setting this wait time, you can avoid having the APM reset before it has completed the boot process. Some applications have their own restart-on-failure mechanisms. By setting this wait time, you can avoid having the APM reset before the application restart has had sufficient time to succeed.

Restrictions
Default Privilege Level: 15

Example
The following command displays the VAP group configuration settings for the VAP group called testvapgroup.

NOTE: The example output displays the VAP group configuration settings that you would create for testvapgroup if you issued all the example commands that we have provided throughout this section.

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# show
VAP Group                           : testvapgroup
Operating System                    : xslinux_v5
Load Priority                       : 10
Preemption Priority                 : 10
AP List                             : ap5 ap6 ap7 ap8
VAP Count                           : 4
Max Load Count                      : 4
Max Reload Count                    : 3
Load Balance VAP List               : 1 2 3 4
IP Forwarding (true/false)          : t
Delay Flow (seconds)                : 100
Backup Mode                         : none
Reload Timeout (seconds)            : 500
RP Filter (true/false)              : f
Log Martians (true/false)           : t
DHCP Relay Server List              : 10.10.10.10 10.10.10.20
RAID                                : 1
Jumbo Frame (true/false)            : t
Scatter Gather (true/false)         : t
Master HoldDown Timer (in seconds)  : 30
Master Failover Trigger             : application
Application Monitoring (true/false) : f
IPv6 Enabled (true/false)           : t
IPv6 IP Forwarding (true/false)     : f
Fail To Host (true/false)           : f
Flow Proxy (true/false)             : f
Reset Wait Time (seconds)           : 5
(1 row)
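The following added example (not part of the original guide and not Crossbeam code) parses captured show output into settings, lists every value that differs from the defaults documented in the table above, and flags the combinations this section calls out: RP filtering off, RP filtering on without martian logging, IP forwarding on, and application monitoring off. The sample text is this section's example output; the function names and finding messages are assumptions of the example.

```python
import re

# Defaults as documented in the table for show (config-vap-grp context).
DOCUMENTED_DEFAULTS = {
    "Operating System": "xslinux_v3", "Load Priority": "0",
    "Preemption Priority": "0", "VAP Count": "1", "Max Load Count": "0",
    "IP Forwarding": "f", "Delay Flow": "0", "Backup Mode": "none",
    "Reload Timeout": "300", "RP Filter": "t", "Log Martians": "f",
    "RAID": "none", "Jumbo Frame": "f", "Scatter Gather": "f",
    "Master HoldDown Timer": "0", "Application Monitoring": "t",
    "IPv6 Enabled": "f", "IPv6 IP Forwarding": "f",
}

# Example output from this section, used as the sample input.
SAMPLE = """\
VAP Group                           : testvapgroup
Operating System                    : xslinux_v5
Load Priority                       : 10
Preemption Priority                 : 10
AP List                             : ap5 ap6 ap7 ap8
VAP Count                           : 4
Max Load Count                      : 4
Max Reload Count                    : 3
Load Balance VAP List               : 1 2 3 4
IP Forwarding (true/false)          : t
Delay Flow (seconds)                : 100
Backup Mode                         : none
Reload Timeout (seconds)            : 500
RP Filter (true/false)              : f
Log Martians (true/false)           : t
DHCP Relay Server List              : 10.10.10.10 10.10.10.20
RAID                                : 1
Jumbo Frame (true/false)            : t
Scatter Gather (true/false)         : t
Master HoldDown Timer (in seconds)  : 30
Master Failover Trigger             : application
Application Monitoring (true/false) : f
IPv6 Enabled (true/false)           : t
IPv6 IP Forwarding (true/false)     : f
Fail To Host (true/false)           : f
Flow Proxy (true/false)             : f
Reset Wait Time (seconds)           : 5
(1 row)
"""


def parse_show(text):
    """Turn 'Label (unit) : value' lines into {label: value}."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # skips the '(1 row)' trailer and blank lines
        key, _, value = line.partition(":")  # split on the first colon only
        key = re.sub(r"\s*\([^)]*\)\s*$", "", key.strip())
        settings[key] = value.strip()
    return settings


def deviations(settings):
    """Map each setting that differs from its documented default
    to a (default, actual) pair."""
    return {k: (d, settings[k]) for k, d in DOCUMENTED_DEFAULTS.items()
            if k in settings and settings[k] != d}


def security_findings(settings):
    """Flag the settings this section ties to packet filtering and monitoring."""
    out = []
    rp = settings.get("RP Filter")
    if rp == "f":
        out.append(("RP Filter", "RP filtering is disabled; the guide asks for "
                    "this only on groups running Check Point VPN-1 or FireWall-1"))
    elif rp == "t" and settings.get("Log Martians") == "f":
        out.append(("Log Martians", "martians are dropped without a syslog entry"))
    if settings.get("IP Forwarding") == "t":
        out.append(("IP Forwarding", "enabled; documented default is disabled"))
    if settings.get("Application Monitoring") == "f":
        out.append(("Application Monitoring",
                    "disabled; documented default is enabled"))
    return out


if __name__ == "__main__":
    cfg = parse_show(SAMPLE)
    for name, (default, actual) in deviations(cfg).items():
        print(f"{name}: default {default}, configured {actual}")
    for name, message in security_findings(cfg):
        print(f"FINDING {name}: {message}")
```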

Commands for Managing User Access to a VAP Group


This section describes the commands that you can use to configure and manage user access to a virtual application processor (VAP) group. This section contains the following command descriptions:
configure host on page 209
vap-group-password on page 211
vap-group-password-expiration on page 212

configure host
Creates a host entry for the specified IP address, mapping that IP address to the specified host names and fully qualified domain names (FQDNs). You can create a host entry for an external system, or for a VAP. To create an entry for a VAP, specify the VAP's management IP address along with the host names and fully qualified domain names (FQDNs) that you want to assign to the VAP.

NOTE: You can use the show ap-vap-mapping command to display the management IP addresses assigned to the VAPs in the VAP groups configured on the X-Series Platform.

Each time you issue this command to assign a host name or FQDN to a host, the CPM stores the new host name or FQDN assignment as a host entry in the /etc/hosts file. The CPM and the VAPs configured on the X-Series Platform can use the entries in the /etc/hosts file to look up a host's IP address using its host name(s) or FQDN(s).

Use the show host command to display all host entries currently stored in the /etc/hosts file on the CPM.

Use the configure no host command to remove all host entries that include the specified IP address.

Syntax
configure host <host_IP_address> {<host_name_1> | <FQDN_1>} [<host_name_2> | <FQDN_2>] ... [<host_name_3> | <FQDN_3>]
configure no host <host_IP_address>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter

Description

<host_IP_address>

IP address assigned to the host or management IP address assigned to the VAP for which you want to create or delete host entries. NOTE: You can use the show ap-vap-mapping command to display the management IP addresses assigned to the VAPs in the VAP groups configured on the X-Series Platform.

<host_name_n>

Host name that you want to assign to the host or VAP with the specified IP address. NOTE: You can specify more than one host name for a single host or VAP.

<FQDN_n>

Fully-qualified domain name (FQDN) that you want to assign to the host or VAP with the specified IP address. NOTE: You can specify more than one FQDN for a single host or VAP.

Restrictions
Default Privilege Level: 15
You can specify a maximum of five host names or FQDNs for a single host or VAP.

Example
In this example, the X-Series Platform administrator wants to assign a hostname to all VAPs in the VAP group testvapgroup. First, the administrator issues the following command to display the management IP addresses assigned to each VAP in testvapgroup:
CBS# show ap-vap-mapping
Module  Slot  Status  VAP IP Address  VAP Group     Index  Master (true/false)
AP3     5     Active  1.1.1.99        idsvapgroup   1      false
AP4     6     Active  1.1.1.100       idsvapgroup   2      true
AP5     7     Active  1.1.2.101       testvapgroup  1      false
AP6     8     Active  1.1.2.102       testvapgroup  2      true
AP7     9     Active  1.1.2.103       testvapgroup  3      false
AP8     10    Active  1.1.2.104       testvapgroup  4      false
(6 rows)

The X-Series Platform administrator then uses the following commands to assign a host name to each VAP in the VAP group called testvapgroup:
CBS# configure host 1.1.2.101 testhostvap1
CBS# configure host 1.1.2.102 testhostvap2
CBS# configure host 1.1.2.103 testhostvap3
CBS# configure host 1.1.2.104 testhostvap4
CBS#

vap-group-password
Configures a user-defined Unix root password for the specified VAP group, assigns the CPM's Unix root password to all VAP groups configured on the X-Series Platform, or assigns the CPM's Unix root password to the specified VAP group.

By default, VAP groups do not have Unix root passwords. A VAP group's Unix root password applies to every VAP in the group. To successfully log into a VAP using SSH, you must supply the Unix root password assigned to that VAP.

NOTE: While you must use a VAP's Unix root password to log into the VAP using SSH, you do not have to supply a password to log into a VAP from the CPM using RSH. See Executing Unix Commands on a Designated VAP on page 892 for more information on using RSH to log into a VAP from the CPM.

You use a VAP's Unix root password to access the Linux shell running on the VAP. To access and manage the application running on the VAP, you use the application management password that you specify when you install the application on the VAP group.

The vap-group-password command performs one of three different operations, depending on the command syntax that you use:

vap-group-password vap-group <VAP_group_name>
Assigns a user-defined password to the specified VAP group. When you issue this command, the CLI prompts you twice to enter the password for the specified VAP group.
NOTE: A VAP group password must be at least six characters in length and must meet IT industry standards for secure passwords. If you enter a password that does not meet these requirements, the CLI issues an error message and prompts you to enter a different password.

vap-group-password source-cp
Assigns the CPM's root password to all VAP groups configured on the X-Series Platform.

vap-group-password source-cp vap-group <VAP_group_name>
Assigns the CPM's root password to the specified VAP group.

Syntax
vap-group-password vap-group <VAP_group_name>
vap-group-password source-cp [vap-group <VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter

Description

vap-group <VAP_group_name>

Configures a Unix root password only for the VAP group with the specified VAP group name.

source-cp

Assigns the CPM's Unix root password to all VAP groups or to the specified VAP group.

Restrictions
Default Privilege Level: 15

Examples
The following command configures a user-defined password for the VAP group called testvapgroup:
CBS# vap-group-password vap-group testvapgroup
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

The following command assigns the CPM's root password to the VAP group called testvapgroup:
CBS# vap-group-password source-cp vap-group testvapgroup
CBS#

vap-group-password-expiration
Defines the password expiration interval for all VAP groups configured on the X-Series Platform or for the specified VAP group. A VAP group's password expiration interval is the number of days that the VAP group's Unix root password remains valid before it expires and must be changed. You can specify a user-defined password expiration interval or you can specify the source-cp parameter to use the CPM's Unix root password expiration interval as the VAP group Unix root password expiration interval.

Syntax
vap-group-password-expiration {<expiration_interval> | source-cp} [vap-group <VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter

Description

<expiration_interval>

Amount of time, expressed in days, that the Unix root password remains valid for all VAP groups configured on the X-Series Platform or for the specified VAP group. When a VAP group's password is no longer valid, the password expires, and you must change the password the next time you log into a VAP in the group. Valid values for <expiration_interval> are from 0 to 65535. NOTE: An expiration interval of 0 means that the Unix root password for the VAP group(s) does not expire.

source-cp

Specifies the CPM's root password expiration interval as the VAP group Unix root password expiration interval.

vap-group <VAP_group_name>

Configures the specified Unix root password expiration interval only for the VAP group with the specified VAP group name. If you do not specify this parameter, the vap-group-password-expiration command configures a Unix root password expiration interval for all VAP groups configured on the X-Series Platform.

Restrictions
Default Privilege Level: 15

Example
The following command configures the Unix root password for the VAP group called testvapgroup to expire in 30 days. After 30 days have passed, the next time a user logs into a VAP in the group using SSH, the VAP will prompt the user to change the Unix root password.
CBS# vap-group-password-expiration 30 vap-group testvapgroup
CBS#

Commands for Installing, Configuring, and Managing an Application on a VAP Group


This section describes the commands that you can use to install, configure and manage an application on a virtual application processor (VAP) group running on APMs installed in an X-Series Platform. This section contains the following command descriptions:
application on page 214
application-update on page 218
application-upgrade on page 219
application-remove on page 221
show application on page 222
show application vap-group on page 223
archive-vap-group backup on page 226
archive-vap-group restore on page 227
archive-vap-group delete on page 229
archive-vap-group show on page 230

application
Performs one of the following operations:
Installs an application on a VAP group.
Configures an application running on a VAP group.
Changes the state of an application running on a VAP group. (Starts, stops, or restarts the application.)
Uninstalls an application from a VAP group.

Syntax
application <application_ID> [version <version_ID>] [release <release_#>] vap-group <VAP_group_name> {install | configure | start | stop | restart | uninstall}

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter

Description

<application_ID>

Application identifier assigned to the application that you want to install, configure, start, stop, restart, or uninstall on a VAP group. Use the show application command to display the application identifiers assigned to the applications that are currently loaded on the CPM.

version <version_ID>

Specifies the version of the application that you want to install, configure, start, stop, restart, or uninstall on a VAP group. NOTE: Not all applications use purely numeric version identifiers. For example, the version identifier for Check Point VPN-1 Power NGX R65 is NGXR65. Use the show application command to display the version identifiers assigned to the application installation packages currently loaded on the CPM.

release <release_#>

Specifies the release of the application that you want to install on a VAP group. NOTE: If the /crossbeam/apps/archive directory contains more than one CBI application bundle of the same version, and you do not specify a release, the installation process installs the most recent release by default. Use the show application command to display the release numbers assigned to the application installation packages currently loaded on the CPM.

vap-group <VAP_group_name>

Specifies the name assigned to the VAP group on which you want to install, configure, start, stop, restart, or uninstall an application.

install

Runs the Crossbeam installation script for the specified application on the specified VAP group. The Crossbeam installation script performs the following operations:
1. Verifies that the X-Series Platform meets the application's hardware, software, and network configuration requirements.
IMPORTANT: If the X-Series Platform does not meet these requirements, the installation will fail. Refer to your application installation and configuration guide for instructions on configuring the X-Series Platform to support the application.
2. Runs the installation interview script, prompting you to enter licensing and configuration information for your application.
NOTE: Refer to your application installation and configuration guide for instructions on answering installation interview questions.
3. Installs and configures the application on the specified VAP group.

configure

Displays the configuration menu for the specified application running on the specified VAP group. To change the current configuration for the application, choose an option from the configuration menu and enter information if prompted. NOTE: Each application has its own custom configuration menu, and each application's configuration menu may include different options, depending on the current state of the application. Refer to your application installation and configuration guide for instructions on using the configuration menu(s) for your application. NOTE: Some configuration changes do not take effect until after you reload the VAP group. The CLI issues a message if you must reload the VAP group to implement a configuration change.

start

Starts the specified application on the specified VAP group.

stop

Stops the specified application on the specified VAP group. NOTE: For some applications, using this command sets the Start on Boot flag to no. This value remains unchanged if you reload the VAP group or reboot the chassis. To reset the value to yes, use the start parameter with the application command.

restart

Restarts the specified application on the specified VAP group.

uninstall

Uninstalls the specified application from the specified VAP group. NOTE: Uninstalling an application from a VAP group does not remove the Crossbeam Installer (CBI) bundle from the CPM. You can always use the CBI bundle to reinstall the application. To remove an application's CBI bundle from the CPM, thereby preventing reinstallation of the application, use the application-remove command.

Restrictions
Default Privilege Level: 15

Examples
Example 1: Installing an Application
The following command installs the Check Point VPN-1 Power NGX R65 firewall application on the VAP group called testvapgroup, which includes three VAPs:

NOTE: After you install an application on a VAP group, you must reload the VAP group to start the application and implement the initial configuration that you create during the installation interview. See reload vap-group on page 593 for instructions on reloading a VAP group.

CBS# application vpn1 vap-group testvapgroup install
Check Point Software Technologies LTD., VPN-1 Power NGXR65 release 1.0.2.0-5
Checking Bundle Integrity: [####################] 100% [ ok ]
Checking Dependencies: [####################] 100% [ ok ]
Check Point Software Technologies Ltd. License Agreement V.NG.2
<License Agreement text>
<Installation interview questions - see application installation and configuration guide for full text>
** A reboot is required for the change(s) to take affect. **
Extracting Bundle: [####################] 100% [ ok ]
Installing vpn1 on VAP testvapgroup_3: [####################] 100% [ ok ]
Installing vpn1 on VAP testvapgroup_2: [####################] 100% [ ok ]
Installing vpn1 on VAP testvapgroup_1: [####################] 100% [ ok ]
In order to successfully complete the application install, the XOS configuration must be saved. Any unsaved configuration will be lost.
Do you want to save it to startup-config? <Y or N>[Y]: Y
Saving configuration ... Please be patient....
CBS#

Example 2: Configuring an Application
The following command displays the configuration menu for the Check Point VPN-1 Power NGX R65 firewall application running on the VAP group called testvapgroup. Note that the available configuration options shown here reflect the current configuration for the application.

To change the application's configuration, enter the appropriate option number and then enter information if prompted. Then, enter 6 to exit the configuration menu, confirm the configuration changes that you made, and return to the CLI prompt.
CBS# application vpn1 vap-group testvapgroup configure
Check Point Software Technologies LTD., VPN-1 Power NGXR65 release 1.0.2.0-5
Checking Dependencies: [####################] 100% [ ok ]
VPN-1 Power Configuration Menu
1. Licenses
2. Secure Internal Communication
3. High Availability/State Synchronization
4. Check Point Optional Packages
5. Check Point SecureXL
6. Exit
Enter choice: 6
CBS#

NOTE: You may need to reload the VAP group for your configuration changes to take effect. The CLI displays a message if your configuration changes require a VAP group reload. See reload vap-group on page 593 for instructions on reloading a VAP group.

Example 3: Stopping an Application
The following command stops the Check Point VPN-1 Power NGX R65 firewall application on the VAP group called testvapgroup:
CBS# application vpn1 vap-group testvapgroup stop
Stopping vpn1 on VAP testvapgroup_3: [####################] 100% [ ok ]
Stopping vpn1 on VAP testvapgroup_2: [####################] 100% [ ok ]
Stopping vpn1 on VAP testvapgroup_1: [####################] 100% [ ok ]
CBS#

application-update
Installs the application on all members of the specified VAP group on which the application is not already installed. Each time you add new VAPs to a VAP group on which an application has been installed, you must use the application-update command to install the application on the new VAPs.

NOTE: When you install the application on new VAPs in a VAP group, XOS copies the configuration files from the existing VAPs onto the new VAPs. An application always has the same configuration on all VAPs in a VAP group.

IMPORTANT: After you install an application on new VAPs in a VAP group, you must reload the new VAPs to implement the application configuration and start running the application on the new VAPs.

Syntax
application-update vap-group <VAP_group_name>

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter

Description

vap-group <VAP_group_name>

Specifies the name of the VAP group on which you want to execute the application-update command.

Restrictions
Default Privilege Level: 15

Example
In this example, a firewall application has been installed on a VAP group called testvapgroup. This VAP group consisted of three VAPs at the time of the installation. A few months after the firewall application installation, the X-Series Platform administrator added a fourth VAP to the group. To install the firewall application on the fourth VAP in the VAP group called testvapgroup, the administrator issues the following command:
CBS# application-update vap-group testvapgroup

NOTE: You must reload the new VAPs to start running the application on the new VAPs in the VAP group.

application-upgrade
Upgrades the application on all members of the specified VAP group to a later version of the CBI. If you have previously installed a CBI application bundle, you can use the application-upgrade command to upgrade to a later version of the CBI.

NOTE: After you upgrade the application, you may be required to reload the VAP group. The upgrade interview will request a reload, if required.

Syntax
application-upgrade <application_id> vap-group <VAP_group_name> [version <version_id>] [release <release_#>]

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter

Description

<application_ID>

Application identifier assigned to the application that you want to upgrade on a VAP group. Use the show application command to display the application identifiers assigned to the applications that are currently loaded on the CPM.

vap-group <VAP_group_name>

Specifies the name of the VAP group on which you want to execute the application-upgrade command.

version <version_ID>

Specifies the version of the application that you want to upgrade on a VAP group. NOTE: At present, application upgrades are supported only between different releases of the same application version.

release <release_#>

Specifies the release of the application to which you want to upgrade on a VAP group. NOTE: If the /crossbeam/apps/archive directory contains more than one CBI application bundle of the same version, and you do not specify a release, the upgrade process upgrades to the most recent release by default. Use the show application command to display the release numbers assigned to the application installation packages currently loaded on the CPM.

Restrictions
Default Privilege Level: 15

Example
In this example, a firewall application has been installed on a VAP group called testvapgroup. To upgrade to a new release of the firewall application on the VAP group called testvapgroup, the administrator places the new firewall application CBI in the /crossbeam/apps/archive directory on the X-Series platform and then issues the following command:
CBS# application-upgrade <application_ID> vap-group testvapgroup

application-remove
Removes the specified application's Crossbeam Installer (CBI) bundle from the CPM.

NOTE: This command does not uninstall an application running on a VAP group. To uninstall an application, you must use the application command with the uninstall parameter.

Syntax
application-remove <application_ID> [version <version_ID> [release <release_number>]]

Context
You can access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <application_ID>
Description: Application identifier assigned to the application CBI bundle you want to remove from the CPM. Use the show application command to display the application identifiers assigned to the applications that are currently loaded on the CPM.

Parameter: version <version_ID>
Description: Version identifier assigned to the application CBI bundle you want to remove from the CPM.
NOTE: You can specify the version parameter with or without the release parameter.

Parameter: release <release_number>
Description: Release identifier assigned to the application CBI bundle you want to remove from the CPM.
NOTE: To specify the release parameter, you must include the version parameter.

Restrictions
Default Privilege Level: 15

Example
The following command removes the Check Point VPN-1 Power NGX R71.10 application CBI bundle from the CPM, thereby preventing reinstallation of that application:
CBS# application-remove CPSG version R71.10 release 3.0.2.0-3
CBS#

show application
Displays information about the applications loaded onto the CPM on the X-Series Platform.

Syntax
show application

Context
You access this command from the main CLI context.

Output
This command displays information about each application loaded on the X-Series Platform, using the following format:
App ID      : <application_identifier>
Name        : <application_name>
Version     : <application_version>
Release     : <application_release_number>
CBI Version : <CBI_version_number>

The following table describes the information provided in each column/row.

Column/Row Heading: App ID
Information Provided: Application identifier that Crossbeam has assigned to the application. When you use a CLI command to perform an operation on a specific application, you specify the application identifier as an argument to the CLI command. For example, to install Check Point VPN-1 Power NGX R65 on a VAP group, you specify the application identifier, vpn1, with the following command:
CBS# application vpn1 version NGXR65 vap-group <VAP_group_name> install

Column/Row Heading: Name
Information Provided: Application name.

Column/Row Heading: Version
Information Provided: Application version.

Column/Row Heading: Release
Information Provided: Application release number.
NOTE: This row does not appear for applications that are installed using Application Development Framework (ADF) RPMs.

Column/Row Heading: CBI Version
Information Provided: Version number assigned to the Crossbeam Installer (CBI) package used to install the application on a VAP group.
NOTE: This row does not appear for applications that are installed using RPMs.

Restrictions
Default Privilege Level: 0

Example
The following command shows information about the two applications that are currently loaded on the CPM in an X-Series Platform:
CBS# show application
App ID      : issprovg
Name        : IBM Proventia Network IPS
Version     : 2.0
Release     : 1
CBI Version : 1.1.0.0

App ID      : vpn1
Name        : VPN-1 Power
Version     : NGXR65
Release     : 1.0.2.0-5
CBI Version : 1.0.2.0

show application vap-group


Displays information about the applications installed on all VAP groups configured on the X-Series Platform, or displays information about the application installed on the specified VAP group.

Syntax
show application vap-group [<VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <VAP_group_name>
Description: Displays information about the application installed on the VAP group with the specified VAP group name. If you do not specify this parameter, the show application vap-group command displays information about all applications installed on VAP groups configured on the X-Series Platform.

Output
This command displays information about the application installed on a VAP group using the following format:
VAP Group                      : <VAP_group_name>
App ID                         : <application_identifier>
Name                           : {<application_name> | N/A}
Version                        : <application_version>
Release                        : {<application_release_number> | N/A}
Start on Boot                  : {yes | no}
App Monitor                    : {on | off}
App State (<VAP_group_name>_1) : {Up | Down | Initializing | Not Monitored}
App State (<VAP_group_name>_2) : {Up | Down | Initializing | Not Monitored}
....
App State (<VAP_group_name>_n) : {Up | Down | Initializing | Not Monitored}

The following table describes the information provided in each column/row.

Column/Row Heading: VAP Group
Information Provided: Name of the VAP group on which the application is installed.

Column/Row Heading: App ID
Information Provided: Application identifier that Crossbeam has assigned to the application. When you use a CLI command to perform an operation on a specific application, you specify the application identifier as an argument to the CLI command. For example, to install Check Point VPN-1 Power NGX R65 on a VAP group, you specify the application identifier, vpn1, with the following command:
CBS# application vpn1 version NGXR65 vap-group <VAP_group_name> install

Column/Row Heading: Name
Information Provided: Application name.
NOTE: N/A indicates that the application is installed using an RPM.

Column/Row Heading: Version
Information Provided: Application version.

Column/Row Heading: Release
Information Provided: Application release number.
NOTE: N/A indicates that the application is installed using an RPM.

Column/Row Heading: Start on Boot
Information Provided: Indicates whether the application automatically starts running when you boot up the VAP group:
on - Application automatically starts up when you boot up the VAP group.
off - You must manually start up the application each time you boot up the VAP group.

Column/Row Heading: App Monitor
Information Provided: Indicates whether application monitoring is enabled (on) or disabled (off) on the VAP group on which the application is installed. By default, application monitoring is enabled (on). See application-monitor (config-vap-group context) on page 198 for more information about application monitoring and for instructions on enabling and disabling application monitoring on a VAP group.

Column/Row Heading: App State (<VAP_group_name>_n)
Information Provided: Indicates the current state of the application on the VAP with the VAP index number n. The show application vap-group command displays the current state of the application on each VAP on which an application is installed. Possible application states are:
Up - Application is running on the VAP.
Down - Application is not running on the VAP, but the APM on which the VAP is loaded is functional.
Initializing - The APM on which the VAP is loaded is rebooting.
Not Monitored - Application monitoring is disabled on the VAP group on which the application is installed. Therefore, XOS is unable to determine the current state of the application on any VAP.
NOTE: These rows appear only for VAPs that are currently loaded onto APMs.
NOTE: For applications that are installed using RPMs, this row has the format: <VAP_group_name>_n

Restrictions
Default Privilege Level: 0

Example
The following command shows information about the firewall application running on the VAP group called testvapgroup:
CBS# show application vap-group testvapgroup
VAP Group                  : testvapgroup
App ID                     : vpn1
Name                       : VPN-1 Power
Version                    : NGXR65
Release                    : 1.0.2.0-5
Start on Boot              : yes
App Monitor                : on
App State (testvapgroup_1) : Up
App State (testvapgroup_2) : Up
App State (testvapgroup_3) : Up
CBS#

archive-vap-group backup
Backs up the specified VAP group's filesystems and saves them in an archive directory on the CPM.

IMPORTANT: Before creating an archive, XOS verifies that the CPM has enough disk space available to store the new archive. If the CPM does not have enough disk space, the backup operation fails and the CLI issues an error message.

During the VAP group backup operation, the application installed on the VAP group must be shut down. When you issue the archive-vap-group backup command, the CLI displays a message warning you that the VAP group will be disabled during the backup and prompts you to confirm or cancel the operation. If you confirm the operation, XOS shuts down the application running on the VAP group and then proceeds to back up the VAP group's filesystems and create an archive for the VAP group.

All archive directories have the following structure:
/tftpboot/archives/<VAP_group_name>/<archive_number>
where <VAP_group_name> is the name of the archived VAP group and <archive_number> is the number that XOS assigns to the archive. XOS assigns the number 1 to the first archive that you create for a VAP group. XOS then increments the archive number by 1 for each subsequent archive that you create for the VAP group. For example, the second archive you create for a particular VAP group has archive number 2, and the third has archive number 3.

Syntax
archive-vap-group backup vap-group <VAP_group_name> [archive <archive_number>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name assigned to the VAP group for which you want to create an archive.

Parameter: archive <archive_number>
Description: Backs up the specified VAP group using the specified archive number (1 - 99). By default, the X-Series Platform creates backups of VAP group file systems starting with archive number 1. If you do not specify an archive number, the X-Series Platform assigns the next unused archive number. You can specify any archive number, provided that the number is not being used by an existing archive.

Restrictions
Default Privilege Level: 15

Example
The following command backs up the filesystems for the VAP group called testvapgroup and stores the archive files on the CPM in a directory called /tftpboot/archives/testvapgroup/1:
CBS# archive-vap-group backup vap-group testvapgroup
Calculating available and required space...........+..Done
During backup the vap-group will be disabled. Continue? <Y or N> [Y]: Y
Waiting for vap group to go down...Done
Backing up testvapgroup_1 Archive 1 to /tftpboot/archives/testvapgroup/1...........+...........+..Done
Backing up testvapgroup_2 Archive 1 to /tftpboot/archives/testvapgroup/1...........+...........+..Done
Backing up testvapgroup_3 Archive 1 to /tftpboot/archives/testvapgroup/1...........+...........+..Done
Backing up testvapgroup_common Archive 1 to /tftpboot/archives/testvapgroup/1...........+...........+..Done
Creating MD5 sum file......Done
CBS#

archive-vap-group restore
Restores VAP group file systems using the most recent backup archive created for the VAP group or using the backup archive with the specified archive number.

IMPORTANT: Before restoring a VAP group using an archive stored on an external server, XOS verifies that the CPM has enough memory available to store the archive files while the X-Series Platform performs the restore operation. If the CPM does not have enough memory, the restore operation fails and the CLI issues an error message.

During the VAP group restore operation, the application installed on the VAP group must be shut down. When you issue the archive-vap-group restore command, the CLI displays a message warning you that the VAP group will be disabled during the restore operation and prompts you to confirm or cancel the operation. If you confirm the operation, XOS shuts down the application running on the VAP group and then proceeds to restore the VAP group's filesystems using the specified archive.

By default, the X-Series Platform restores a VAP group's filesystems using the most recent archive created for that VAP group. Optionally, you can specify a less recent archive using its archive number.

IMPORTANT: You must specify an archive created when the VAP group had the same VAP count, XOS version, VAP OS version, application name, application version, and application release number as it does now. The restore operation will fail if any of these VAP group configuration parameter values are not the same for the archived VAP group and the restored VAP group. Use the archive-vap-group show command to display the archive number and VAP group configuration parameter values for every archive created from the VAP group that you plan to restore.

Syntax
archive-vap-group restore vap-group <VAP_group_name> [archive <archive_number>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name assigned to the VAP group whose filesystems you want to restore.

Parameter: archive <archive_number>
Description: Restores the specified VAP group using the archive with the specified archive number. By default, the X-Series Platform restores VAP group file systems using the most recent archive created for that VAP group.
IMPORTANT: You must specify an archive created when the VAP group had the same VAP count, XOS version, VAP OS version, application name, application version, and application release number as it does now. The restore operation will fail if any of these VAP group configuration parameter values are not the same for the archived VAP group and the restored VAP group. Use the archive-vap-group show command to display the archive number and VAP group configuration parameter values for every archive created from the VAP group that you plan to restore.

Restrictions
Default Privilege Level: 15

You must restore a VAP group using an archive created when the VAP group had the same VAP count, XOS version, VAP OS version, application name, application version, and application release number as it does now. The restore operation will fail if any of these VAP group configuration parameter values are not the same for the archived VAP group and the restored VAP group.

Example
The following command restores the filesystems for the VAP group called testvapgroup using archive number 1, which is stored on the CPM in a directory called /tftpboot/archives/testvapgroup/1:
CBS# archive-vap-group restore vap-group testvapgroup archive 1
Checking MD5 sums...
Calculating available and required space.......Done
During restore the vap-group will be disabled. Continue? <Y or N> [Y]: Y
Waiting for vap group to go down...Done
Restoring vap-group testvapgroup archive 1. This may take several minutes...
Removing old temporary files ...Done
Extracting testvapgroup_1 archive...........+..Done
Extracting testvapgroup_2 archive...........+....Done
Extracting testvapgroup_3 archive...........+...Done
Extracting testvapgroup_common archive...........+...Done
Restoring VapGroup testvapgroup
testvapgroup_common restoration has completed
testvapgroup_1 restoration has completed
testvapgroup_2 restoration has completed
testvapgroup_3 restoration has completed
VAP Group testvapgroup restoration completed
Cleaning up temporary files...........+...........+...........+.Done
CBS#

archive-vap-group delete
Deletes all of the specified VAP group's archives or deletes the specified VAP group archive.

Syntax
archive-vap-group delete vap-group <VAP_group_name> [archive <archive_number>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name assigned to the VAP group whose archive(s) you want to delete from the CPM.

Parameter: archive <archive_number>
Description: Deletes the specified archive of the specified VAP group. You specify an archive using its archive number. Use the archive-vap-group show command to display the archive numbers assigned to the archives created for a specific VAP group. If you do not specify the archive parameter, the archive-vap-group delete command deletes all of the archives that were created for the specified VAP group.

Restrictions
Default Privilege Level: 15

Example
The following command deletes all archives that were created for the VAP group called testvapgroup:
CBS# archive-vap-group delete vap-group testvapgroup archive 2
Deleting archive 2 for VAP Group testvapgroup
Done
CBS#

archive-vap-group show
Displays information about VAP group archives. An archive is a backup copy of all the filesystems used by a particular VAP group at a particular time.

By default, this command displays information about all archives created for VAP groups configured on the X-Series Platform. Use the vap-group parameter to display information only about archives created for the specified VAP group. Use the vap-group parameter with the archive parameter to display information only about the specified archive of the specified VAP group.

Syntax
archive-vap-group show [vap-group <VAP_group_name> [archive <archive_number>]]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Displays information only about the archives created for the specified VAP group. If you do not specify this parameter, the archive-vap-group show command displays information about all archives created for all VAP groups configured on the X-Series Platform.

Parameter: archive <archive_number>
Description: Displays information only about the specified archive created for the specified VAP group. You specify an archive using its archive number.
NOTE: A VAP group's archives are numbered from 1 to n, where n is the number of archives created for a VAP group. The first archive that you create for a VAP group is archive number 1, the second is 2, etc.
If you do not specify the archive parameter with the vap-group parameter, the archive-vap-group show command displays information about all archives created for the specified VAP group.

Output
This command displays archive information in the following format:
VAP Group           : <VAP_group_name>
Archive Number      : <archive_number>
VAP Count           : <VAP_count>
VAP OS version      : {xslinux_v3 | xslinux_v5 | xslinux_v5_64 | xsve}
XOS version         : <XOS_version>
Application         : <application_name>
Application Version : <application_version_identifier>
Application Release : <application_release_number>
Date                : <archive_creation_date>
Archive Location    : {<archive_directory_on_CPM> | <URL_for_archive_directory_on_external_server>}
Archive Size        : <number_of_bytes>

The following table describes the information provided in each column/row.

Column/Row Heading: VAP Group
Information Provided: Name of the VAP group that was backed up to create the archive.

Column/Row Heading: Archive Number
Information Provided: Archive number that XOS assigned to the archive. XOS assigns the number 1 to the first archive that you create for a VAP group. XOS then increments the archive number by 1 for each subsequent archive that you create for the VAP group. For example, the second archive you create for a VAP group is archive number 2, and the third is archive number 3.

Column/Row Heading: VAP Count
Information Provided: Number of VAPs in the archived VAP group at the time when the archive was created.

Column/Row Heading: VAP OS version
Information Provided: VAP OS version running on the archived VAP group at the time when the archive was created.

Column/Row Heading: XOS version
Information Provided: XOS version running on the X-Series Platform at the time when the archive was created.

Column/Row Heading: Application
Information Provided: Name of the application running on the VAP group at the time when the archive was created.

Column/Row Heading: Application Version
Information Provided: Version of the application running on the VAP group at the time when the archive was created.

Column/Row Heading: Application Release
Information Provided: Release of the application running on the VAP group at the time when the archive was created.

Column/Row Heading: Date
Information Provided: Day, date, and time at which the archive was created.

Column/Row Heading: Archive Location
Information Provided: Full path to the CPM directory in which the archive files are stored.
NOTE: The archive-vap-group show command displays the location where the archive files were placed when the archive was created. If the archive files have been moved to another location, the archive-vap-group show command does not display the new location.

Column/Row Heading: Archive Size
Information Provided: Total size of the contents of the archive directory, expressed in bytes.

Restrictions
Default Privilege Level: 15

Example
The following command displays information about the first archive (archive number 1) that was created for the VAP group called testvapgroup.
CBS# show archive-vap-group vap-group testvapgroup archive 1
VAP Group           : testvapgroup
Archive Number      : 1
VAP Count           : 3
VAP OS version      : xslinux_v3
XOS version         : 9.5.1-xx
Application         : VPN-1 Power
Application Version : NGXR65
Application Release : 1.0.2.0-5
Date                : Mon Nov 29 14:53:25 EST 2010
Archive Location    : /tftpboot/archives/testvapgroup/1
Archive Size        : 419624
CBS#
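
The restore restriction for archive-vap-group restore and the archive-vap-group show output format lend themselves to a check run before any restore is attempted. The following Python is an added example, not Crossbeam code: it parses captured show output and reports, per archive, which of the six required fields differ from the live VAP group. The function names, the LIVE_GROUP dictionary, and archives 2 and 3 in the sample are assumptions constructed for illustration.

```python
# Added example: pre-restore compatibility check for VAP group archives.

# Fields that the restore restrictions require to be identical between the
# archive and the VAP group as it is configured now.
MATCH_FIELDS = (
    "VAP Count", "XOS version", "VAP OS version",
    "Application", "Application Version", "Application Release",
)

# Constructed sample input. Archive 1 copies the example output on this page;
# archives 2 and 3 are invented for illustration.
SAMPLE_SHOW_OUTPUT = """\
VAP Group : testvapgroup
Archive Number : 1
VAP Count : 3
VAP OS version : xslinux_v3
XOS version : 9.5.1-xx
Application : VPN-1 Power
Application Version : NGXR65
Application Release : 1.0.2.0-5
Date : Mon Nov 29 14:53:25 EST 2010
Archive Location : /tftpboot/archives/testvapgroup/1
Archive Size : 419624
VAP Group : testvapgroup
Archive Number : 2
VAP Count : 3
VAP OS version : xslinux_v3
XOS version : 9.5.1-xx
Application : VPN-1 Power
Application Version : NGXR65
Application Release : 1.0.2.0-4
Date : Tue Nov 30 09:12:40 EST 2010
Archive Location : /tftpboot/archives/testvapgroup/2
Archive Size : 419700
VAP Group : testvapgroup
Archive Number : 3
VAP Count : 4
VAP OS version : xslinux_v3
XOS version : 9.5.1-xx
Application : VPN-1 Power
Application Version : NGXR65
Application Release : 1.0.2.0-5
Date : Wed Dec 01 16:02:11 EST 2010
Archive Location : /tftpboot/archives/testvapgroup/3
Archive Size : 559500
"""

# Hypothetical operator-supplied description of the VAP group as it is now.
LIVE_GROUP = {
    "VAP Count": "3",
    "XOS version": "9.5.1-xx",
    "VAP OS version": "xslinux_v3",
    "Application": "VPN-1 Power",
    "Application Version": "NGXR65",
    "Application Release": "1.0.2.0-5",
}


def parse_archives(text):
    """Split show output into one dict per archive record."""
    records, current = [], None
    for line in text.splitlines():
        # Split on the first colon only: Date values and URLs contain colons.
        key, sep, value = line.partition(":")
        if not sep:
            continue  # prompts, blank lines, anything that is not "key : value"
        key, value = key.strip(), value.strip()
        if key == "VAP Group":  # every record starts with this row
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def restore_report(text, group, live):
    """Map archive number -> fields that would make the restore fail."""
    report = {}
    for rec in parse_archives(text):
        if rec.get("VAP Group") != group:
            continue
        if "Archive Number" not in rec:
            raise ValueError("archive record without an Archive Number row")
        # A field missing from the record counts as a mismatch (fail closed).
        report[int(rec["Archive Number"])] = [
            f for f in MATCH_FIELDS if rec.get(f) != live.get(f)
        ]
    return report


def restorable(text, group, live):
    """Archive numbers whose six required fields all match the live group."""
    report = restore_report(text, group, live)
    return sorted(n for n, mismatches in report.items() if not mismatches)


if __name__ == "__main__":
    report = restore_report(SAMPLE_SHOW_OUTPUT, "testvapgroup", LIVE_GROUP)
    for number in sorted(report):
        print(number, "OK" if not report[number] else report[number])
```

Because archive numbers can be chosen by the operator at backup time, the check reports every matching archive rather than assuming the highest number is the newest.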

Commands for Installing, Configuring, and Managing Routing Software and Routing Protocols on a VAP Group
This section describes the commands that you can use to:
- Install, configure, and manage the Crossbeam Routing Software (RSW) application on a VAP group.
- Install, configure, and manage routing protocols on a VAP group.

This section contains the following command descriptions:
- routing-protocol vap-group install
- routing-protocol vap-group update
- routing-protocol vap-group configure
- routing-protocol vap-group save
- routing-protocol vap-group restore
- routing-protocol vap-group uninstall
- routing-protocol vap-group status
- configure routing-protocol
- routing-protocol-services vap-group configure
- routing-protocol-services vap-group save
- routing-protocol-services vap-group restore
- routing-protocol-services vap-group status
- routing-protocol-services vap-group upgrade
- routing-protocol-services vap-group update

routing-protocol vap-group install


Installs the specified routing protocol on the specified VAP group.

NOTE: XOS automatically installs NSM on any VAP group on which at least one routing protocol is installed.

IMPORTANT: Before installing a routing protocol on a VAP group, you must ensure that at least one VAP in the VAP group is UP or Active, and you must ensure that the X-Series Platform meets all hardware and software configuration requirements for the routing protocol that you intend to install. If the X-Series Platform does not meet these requirements, the routing protocol installation will fail. Use the show ap-vap-mapping command to display the current state of all VAPs in the specified VAP group, and verify that at least one VAP is UP or Active. Refer to the RSW Installation Guide for instructions on configuring the X-Series Platform to meet the hardware and software configuration requirements for the routing protocol that you intend to install.

IMPORTANT: After installing a routing protocol on a VAP group, you must use the following command to start the routing protocol running on the VAP group:
CBS# configure routing-protocol <protocol> vap-group <VAP_group_name> start
See configure routing-protocol on page 244 for instructions on using this command.

Syntax
routing-protocol <protocol> vap-group <VAP_group_name> install [<version>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <protocol>
Description: Specifies the routing protocol that you want to install. You must specify a protocol using one of the following parameters:
bgp - Border Gateway Protocol (BGP) routing protocol
ospf - Open Shortest Path First (OSPF) routing protocol
rip - Routing Information Protocol (RIP) routing protocol
pim - Protocol Independent Multicast (PIM) routing protocol
ospf6 - Open Shortest Path First (OSPF) routing protocol for IPv6
ripng - Routing Information Protocol (RIP) for IPv6

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to install the specified routing protocol.

Parameter: <version>
Description: Specifies the routing protocol version that you want to install. Use this parameter if the /usr/os/rsw/rpm directory on the CPM contains more than one RPM package for the routing protocol that you want to install. If you do not specify a version, and the /usr/os/rsw/rpm directory on the CPM contains more than one RPM package for the specified routing protocol, the CLI prompts you to enter the routing protocol version that you want to install.

Restrictions
Default Privilege Level: 15

This command does not work unless at least one VAP in the specified VAP group is UP or Active.

Example
The following command installs the BGP routing protocol on the VAP group called testvapgroup:
CBS# routing-protocol bgp vap-group testvapgroup install
Install BGP version 7.5.3-7.1.0.21 on testvapgroup_1
Install BGP version 7.5.3-7.1.0.21 on testvapgroup_2
Install BGP version 7.5.3-7.1.0.21 on testvapgroup_3
Finished installing BGP version 7.5.3-7.1.0.21 on testvapgroup
CBS#

routing-protocol vap-group update


Verifies that the specified routing protocol and the Routing Software (RSW) Network Services Module (NSM) running on the specified VAP group are installed on all members of that VAP group. Installs the specified routing protocol on all VAP group members on which the routing protocol is not already installed. Installs the NSM on all VAP group members on which it is not already installed.

This command updates only the specified routing protocol and the NSM. To update all installed routing protocols, use the routing-protocol-services vap-group update command.

NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in a VAP group.

Each time you add new VAPs to a VAP group on which a routing protocol has been installed, you must use the routing-protocol <protocol> vap-group <VAP_group_name> update command to install the routing protocol on the new VAPs and to install NSM on the new VAPs, if necessary.

NOTE: When you install a routing protocol on new VAPs in a VAP group, XOS copies the routing protocol configuration from the existing VAPs onto the new VAPs. When you install NSM on new VAPs in a VAP group, XOS copies the NSM configuration from the existing VAPs onto the new VAPs. The NSM and routing protocol configurations are always the same for all VAPs in a VAP group.

Syntax
routing-protocol <protocol> vap-group <VAP_group_name> update

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <protocol>
Description: Specifies one of the routing protocols that you want to install on new VAPs added to a VAP group. You must specify a protocol using one of the following parameters:
bgp - Border Gateway Protocol (BGP) routing protocol
ospf - Open Shortest Path First (OSPF) routing protocol
rip - Routing Information Protocol (RIP) routing protocol
pim - Protocol Independent Multicast (PIM) routing protocol
ospf6 - Open Shortest Path First (OSPF) routing protocol for IPv6
ripng - Routing Information Protocol (RIP) for IPv6

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group that contains one or more new VAPs on which you want to install the specified routing protocol, and if necessary, install NSM.

Restrictions
Default Privilege Level: 15

This command requires at least one VAP in the specified VAP group to be UP or Active.

Example
In this example, the BGP routing protocol has been installed on a VAP group called testvapgroup, and therefore, XOS has also installed NSM on that VAP group. This VAP group consisted of three VAPs at the time of the installation. A few months after the BGP routing protocol and NSM installations, the X-Series Platform administrator added a fourth VAP to the group. To install the BGP routing protocol and the NSM on the fourth VAP in the VAP group called testvapgroup, the administrator issues the following command:
CBS# routing-protocol bgp vap-group testvapgroup update
Finished updating on vap-group testvapgroup
CBS#

routing-protocol vap-group configure


Launches the ZebOS CLI for the specified routing protocol, and allows you to use the ZebOS CLI to configure the specified routing protocol on the specified VAP group.

NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in a VAP group.

When you execute this command, the CLI prompts you to enter the ZebOS CLI password for the routing protocol that you want to configure. When you successfully enter the password, the ZebOS CLI prompt appears. To obtain read/write access to the routing protocol's configuration file, enter the enable command at the ZebOS CLI prompt, and then enter your privileged mode password when prompted.

NOTE: For all routing protocols, the default ZebOS CLI password is admin and the default privileged mode password is admin.

You configure the routing protocol by executing the appropriate ZebOS CLI commands in privileged mode. For instructions on using the ZebOS CLI to configure a routing protocol, refer to the ZebOS documentation located on the Crossbeam Routing Software (RSW) DVD.

Syntax
routing-protocol <protocol> vap-group <VAP_group_name> configure

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <protocol>
Description: Specifies the routing protocol that you want to configure. You must specify a protocol using one of the following parameters:
bgp - Border Gateway Protocol (BGP) routing protocol
ospf - Open Shortest Path First (OSPF) routing protocol
rip - Routing Information Protocol (RIP) routing protocol
pim - Protocol Independent Multicast (PIM) routing protocol
ospf6 - Open Shortest Path First (OSPF) routing protocol for IPv6
ripng - Routing Information Protocol (RIP) for IPv6

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to configure the specified routing protocol.

Restrictions
Default Privilege Level: 15

This command does not work unless at least one VAP in the specified VAP group is UP or Active.

Example
The following command launches the ZebOS CLI for the BGP routing protocol on the VAP group called testvapgroup:
CBS# routing-protocol bgp vap-group testvapgroup configure
Password: *****
bgpd>

The following command enables privileged mode, which gives the user read/write privileges for the BGP routing protocol's configuration file:
bgpd>enable
Password: *****
bgpd#

After the user finishes configuring the protocol, he uses the following commands to save the configuration and exit the ZebOS CLI:
bgpd# write
Configuration saved to /usr/os/etc/zebos/bgpd.conf
bgpd# exit
Connection closed by foreign host.
Finished configuring BGP on vap-group testvapgroup
Finished synchronizing configuration for BGP on vap-group testvapgroup
CBS#

NOTE: Refer to the ZebOS documentation for information on how to configure BGP.

routing-protocol vap-group save


Saves the configuration for the specified routing protocol running on the specified VAP group, and writes the configuration to a file stored on the CPM.

NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in a VAP group.

Syntax
routing-protocol <protocol> vap-group <VAP_group_name> save {<config_file_name> | <full_path_name_of_config_file>}

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter: <protocol>
Description: Specifies the routing protocol whose configuration you want to save. You must specify a protocol using one of the following parameters:
    bgp      Border Gateway Protocol (BGP) routing protocol
    ospf     Open Shortest Path First (OSPF) routing protocol
    rip      Routing Information Protocol (RIP) routing protocol
    pim      Protocol Independent Multicast (PIM) routing protocol
    ospf6    Open Shortest Path First (OSPF) routing protocol for IPv6
    ripng    Routing Information Protocol (RIP) for IPv6

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to save the configuration for the specified routing protocol.

Parameter: {<config_file_name> | <full_path_name_of_config_file>}
Description: Specifies the file to which you want to write the routing protocol configuration. By default, when you are logged in as admin, the X-Series Platform saves the configuration file to the /tftpboot/.private/home/admin folder. However, you can write the file to a different directory by specifying the full path name of the configuration file. If you are logged in as a user other than admin, the default save path is /tftpboot/.private/home/<username>.
NOTE: If you specify the full path name to the file, you must be sure that you have the correct permissions to access the directory in which you want to save the file.

Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.

Example
The following command saves the configuration for the BGP routing protocol running on the VAP group called testvapgroup, and writes the configuration to a file called bgp.conf in the /testvapgroup/routingprotocols/bgp/savedconfigs/ directory on the CPM:

    CBS# routing-protocol bgp vap-group testvapgroup save /testvapgroup/routingprotocols/bgp/savedconfigs/bgp.conf
    CBS#


routing-protocol vap-group restore


Restores the configuration for the specified routing protocol running on the specified VAP group, using the specified backup routing protocol configuration file, which is stored on the CPM.

NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active and the specified routing protocol is running on the VAP group. Use the show ap-vap-mapping command to display the current state of all VAPs in the specified VAP group and verify that at least one VAP is UP or Active. Use the routing-protocol vap-group status command to determine whether the specified routing protocol is running on the specified VAP group.

IMPORTANT: Before restoring a routing protocol configuration on a VAP group, XOS shuts down the routing protocol. XOS restarts the routing protocol when the routing protocol configuration restore operation is complete.

Syntax
routing-protocol <protocol> vap-group <VAP_group_name> restore {<config_file_name> | <full_path_name_of_config_file>}

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <protocol>
Description: Specifies the routing protocol whose configuration you want to restore. You must specify a protocol using one of the following parameters:
    bgp      Border Gateway Protocol (BGP) routing protocol
    ospf     Open Shortest Path First (OSPF) routing protocol
    rip      Routing Information Protocol (RIP) routing protocol
    pim      Protocol Independent Multicast (PIM) routing protocol
    ospf6    Open Shortest Path First (OSPF) routing protocol for IPv6
    ripng    Routing Information Protocol (RIP) for IPv6

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to restore the configuration for the specified routing protocol.


Parameter: {<config_file_name> | <full_path_name_of_config_file>}
Description: Specifies the routing protocol configuration file that you want to use to restore the specified routing protocol configuration on the specified VAP group. By default, when you are logged in as admin, the X-Series Platform attempts to retrieve the specified routing protocol configuration file from the /tftpboot/.private/home/admin folder. If the desired routing protocol configuration file is in a different directory, you must specify the full path name to the file. If you are logged in as a user other than admin, the default restore path is /tftpboot/.private/home/<username>.
NOTE: If you specify the full path name to the file, you must be sure that you have the correct permissions to access the directory from which you want to retrieve the file.

Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
This command does not work unless the specified routing protocol is running on the specified VAP group.

Example
The following command restores the configuration for the BGP routing protocol running on the VAP group called testvapgroup. The X-Series Platform restores the BGP configuration using the configuration file called bgp.conf, which is stored on the CPM in a directory called /testvapgroup/routingprotocols/bgp/savedconfigs.

    CBS# routing-protocol bgp vap-group testvapgroup restore /testvapgroup/routingprotocols/bgp/savedconfigs/bgp.conf
    Shutting down bgpd: [ OK ]
    Starting bgpd: [ OK ]
    Finished restoring configuration for BGP on vap-group testvapgroup
    Finished synchronizing configuration for BGP on vap-group testvapgroup
    CBS#


routing-protocol vap-group uninstall


Uninstalls the specified routing protocol from the specified VAP group.

IMPORTANT: Before uninstalling a routing protocol from a VAP group, you must use the following command to remove the entry for the routing protocol from the XOS running configuration:

    CBS# configure no routing-protocol <protocol> vap-group <VAP_group_name>

See configure routing-protocol on page 244 for instructions on using this command.

NOTE: This command does not work unless at least one VAP in the VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in the specified VAP group.

IMPORTANT: When you uninstall all routing protocols from a VAP group, XOS also uninstalls the RSW Network Services Module (NSM) from that VAP group.

Syntax
routing-protocol <protocol> vap-group <VAP_group_name> uninstall

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <protocol>
Description: Specifies the routing protocol that you intend to uninstall from a VAP group. You must specify a protocol using one of the following parameters:
    bgp      Border Gateway Protocol (BGP) routing protocol
    ospf     Open Shortest Path First (OSPF) routing protocol
    rip      Routing Information Protocol (RIP) routing protocol
    pim      Protocol Independent Multicast (PIM) routing protocol
    ospf6    Open Shortest Path First (OSPF) routing protocol for IPv6
    ripng    Routing Information Protocol (RIP) for IPv6

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group from which you want to uninstall the specified routing protocol.

Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Before using this command to uninstall a routing protocol, you must remove that routing protocol from the XOS running configuration.

Example
The following command uninstalls the BGP routing protocol from the VAP group called testvapgroup:

    CBS# routing-protocol bgp vap-group testvapgroup uninstall
    Finished uninstalling BGP on vap testvapgroup_1
    Finished uninstalling BGP on vap testvapgroup_2
    Finished uninstalling BGP on vap testvapgroup_3
    Finished uninstalling BGP on vap-group testvapgroup
    CBS#

routing-protocol vap-group status


Displays the current state of the specified routing protocol installed on the specified VAP group.

NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in a VAP group.

Syntax
routing-protocol <protocol> vap-group <VAP_group_name> status

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <protocol>
Description: Specifies the routing protocol whose current state you want to display. You must specify a protocol using one of the following parameters:
    bgp      Border Gateway Protocol (BGP) routing protocol
    ospf     Open Shortest Path First (OSPF) routing protocol
    rip      Routing Information Protocol (RIP) routing protocol
    pim      Protocol Independent Multicast (PIM) routing protocol

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to display the current state of the specified routing protocol.

Output
This command displays the current state of the specified routing protocol on the specified VAP group, using one of the following formats:

    <protocol_name> is not installed
    <protocol_name> <RPM_package_name> is installed but not running
    <protocol_name> <RPM_package_name> is installed and running

where:
    <protocol_name> is the name of the routing protocol.
    <RPM_package_name> is the name of the RPM package used to install the specified routing protocol on the VAP group specified with the command.

NOTE: The RPM package name includes the routing protocol name and the routing protocol version number.

Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.

Example
The following command displays the current state of the BGP routing protocol on the VAP group called testvapgroup:

    CBS# routing-protocol bgp vap-group testvapgroup status
    BGP zebos-bgp-EL5-7.5.3-29.0.0.72 is installed and running
    CBS#

configure routing-protocol
Starts, stops, or restarts the specified routing protocol on the specified VAP group.

NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in a VAP group.

Use the configure no routing-protocol <protocol> vap-group <VAP_group_name> command to delete the XOS running configuration entry for the specified protocol installed on the specified VAP group.

IMPORTANT: You must delete the XOS running configuration entry for a protocol installed on a VAP group before you can uninstall the protocol from the VAP group using the routing-protocol vap-group uninstall command.

Syntax
configure routing-protocol <protocol> vap-group <VAP_group_name> {start | stop | restart}
configure no routing-protocol <protocol> vap-group <VAP_group_name>

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter: <protocol>
Description: Specifies the routing protocol that you want to start, stop, or restart, or specifies the routing protocol for which you want to delete the XOS configuration entry for a VAP group. You must specify a protocol using one of the following parameters:
    bgp      Border Gateway Protocol (BGP) routing protocol
    ospf     Open Shortest Path First (OSPF) routing protocol
    rip      Routing Information Protocol (RIP) routing protocol
    pim      Protocol Independent Multicast (PIM) routing protocol
    ospf6    Open Shortest Path First (OSPF) routing protocol for IPv6
    ripng    Routing Information Protocol (RIP) for IPv6

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to start, stop, or restart the specified routing protocol, or specifies the name of the VAP group for which you want to delete the XOS running configuration entry for the specified routing protocol.

Parameter: start
Description: Starts the specified routing protocol on the specified VAP group.

Parameter: stop
Description: Stops the specified routing protocol on the specified VAP group.

Parameter: restart
Description: Restarts the specified routing protocol on the specified VAP group.

Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.

Examples
The following command starts the BGP routing protocol on the VAP group called testvapgroup:

    CBS# configure routing-protocol bgp vap-group testvapgroup start
    Are you sure you want to start protocol bgp? <Y or N> [Y]: Y
    CBS#

The following command restarts the BGP routing protocol on the VAP group called testvapgroup:

    CBS# configure routing-protocol bgp vap-group testvapgroup restart
    Are you sure you want to restart protocol bgp? <Y or N> [Y]: Y
    CBS#


The following command stops the BGP routing protocol on the VAP group called testvapgroup:

    CBS# configure routing-protocol bgp vap-group testvapgroup stop
    Are you sure you want to stop protocol bgp? <Y or N> [Y]: Y
    CBS#

The following command deletes the XOS running configuration entry for the BGP routing protocol installed on the VAP group called testvapgroup:

    CBS# configure no routing-protocol bgp vap-group testvapgroup
    CBS#

routing-protocol-services vap-group configure


Launches the ZebOS CLI for the Routing Software (RSW) Network Services Module (NSM), and allows you to use the ZebOS CLI to configure the NSM on the specified VAP group.

NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in a VAP group.

When you execute this command, the CLI prompts you to enter the ZebOS CLI password for the NSM. When you successfully enter the password, the ZebOS CLI prompt appears. To obtain read/write access to the NSM configuration file, enter the enable command at the ZebOS CLI prompt, and then enter your privileged mode password when prompted.

NOTE: The default ZebOS CLI password is admin and the default privileged mode password is admin.

You configure the NSM by executing the appropriate ZebOS CLI commands in privileged mode.

NOTE: Refer to the RSW Installation Guide for instructions on using the ZebOS CLI to configure a FIB Retain time for NSM. Refer to the ZebOS documentation located on the Crossbeam Routing Software (RSW) DVD for instructions on configuring other functionality for NSM.

Syntax
routing-protocol-services vap-group <VAP_group_name> configure

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to configure NSM.

Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.


Example
The following command launches the ZebOS CLI for the Network Services Module (NSM) on the VAP group called testvapgroup:

    CBS# routing-protocol-services vap-group testvapgroup configure
    Password: *****
    Router>

The following command enables privileged mode, which gives the user read/write privileges for the NSM's configuration file:

    Router>enable
    Password: *****
    Router#

After the user finishes configuring the protocol, the following commands save the configuration and exit the ZebOS CLI, thereby synchronizing the configuration changes on all members of the VAP group:

    Router# write
    Configuration saved to /usr/os/etc/zebos/nsm.conf
    Router# exit
    CBS#

NOTE: Refer to the RSW Installation Guide for instructions on using the ZebOS CLI to configure a FIB Retain time for NSM. Refer to the ZebOS documentation located on the Crossbeam Routing Software (RSW) DVD for instructions on configuring other functionality for NSM.

routing-protocol-services vap-group save


Saves the Routing Software (RSW) Network Services Module (NSM) configuration for the specified VAP group, and writes the configuration to a file stored on the CPM.

NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in a VAP group.

Syntax
routing-protocol-services vap-group <VAP_group_name> save {<config_file_name> | <full_path_name_of_config_file>}

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to save the NSM configuration.


Parameter: {<config_file_name> | <full_path_name_of_config_file>}
Description: Specifies the file to which you want to write the NSM configuration. By default, if you are logged in as admin, the X-Series Platform saves the configuration file to the /tftpboot/.private/home/admin folder. However, you can write the file to a different directory by specifying the full path name of the configuration file. If you are logged in as a user other than admin, the default save path is /tftpboot/.private/home/<username>.
NOTE: If you specify the full path name to the file, you must be sure that you have the correct permissions to access the directory in which you want to save the file.

Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.

Example
The following command saves the NSM configuration for the VAP group called testvapgroup, and writes the configuration to a file called nsm.conf in the /testvapgroup/routingprotocols/nsm/savedconfigs/ directory on the CPM:

    CBS# routing-protocol-services vap-group testvapgroup save /testvapgroup/routingprotocols/nsm/savedconfigs/nsm.conf
    CBS#

routing-protocol-services vap-group restore


Restores the Routing Software (RSW) Network Services Module (NSM) configuration for the specified VAP group, using the specified backup NSM configuration file, which is stored on the CPM.

NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in the specified VAP group.

IMPORTANT: Before restoring the NSM configuration on a VAP group, XOS shuts down NSM on the VAP group and then shuts down all of the routing protocols installed on the VAP group. XOS restarts NSM on the VAP group and then restarts the routing protocols installed on the VAP group when the NSM configuration restore operation is complete.

Syntax
routing-protocol-services vap-group <VAP_group_name> restore {<config_file_name> | <full_path_name_of_config_file>}

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to restore the NSM configuration.

Parameter: {<config_file_name> | <full_path_name_of_config_file>}
Description: Specifies the NSM configuration file that you want to use to restore the NSM configuration for the specified VAP group. By default, if you are logged in as admin, the X-Series Platform attempts to retrieve the specified NSM configuration file from the /tftpboot/.private/home/admin folder. If the desired NSM configuration file is in a different directory, you must specify the full path name to the file. If you are logged in as a user other than admin, the default restore path is /tftpboot/.private/home/<username>.
NOTE: If you specify the full path name to the file, you must be sure that you have the correct permissions to access the directory from which you want to retrieve the file.

Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.

Example
The following command restores the NSM configuration for the VAP group called testvapgroup. The X-Series Platform restores the NSM configuration using the NSM configuration file called nsm.conf, which is stored on the CPM in a directory called /testvapgroup/routingprotocols/nsm/savedconfigs.

    CBS# routing-protocol-services vap-group testvapgroup restore /testvapgroup/routingprotocols/nsm/savedconfigs/nsm.conf
    Shutting down nsm: [ OK ]
    Shutting down bgpd: [ OK ]
    Starting bgpd: [ OK ]
    Finished restoring configuration for NSM on vap-group testvapgroup
    Finished synchronizing configuration for NSM on vap-group testvapgroup
    CBS#


routing-protocol-services vap-group status


Displays the current state of the Routing Software (RSW) Network Services Module (NSM) on the specified VAP group.

NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in a VAP group.

Syntax
routing-protocol-services vap-group <VAP_group_name> status

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to display the current state of the NSM.

Output
This command displays the current state of the NSM on the specified VAP group, using one of the following formats:

    NSM is not installed
    NSM <RPM_package_name> is installed but not running
    NSM <RPM_package_name> is installed and running

where <RPM_package_name> is the name of the RPM package used to install the NSM on the VAP group specified with the command.

NOTE: The RPM package name includes the NSM version number.

Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.

Example
The following command displays the current state of the NSM on the VAP group called testvapgroup:

    CBS# routing-protocol-services vap-group testvapgroup status
    NSM zebos-common-EL5-7.5.3-29.0.0.72 is installed and running
    CBS#
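The three status formats documented for routing-protocol vap-group status and routing-protocol-services vap-group status can be checked mechanically from a captured CLI session. The following Python sketch is an added example, not part of the XOS guide or of Crossbeam's software; it reports components that are not installed, not running, or at a different version than NSM on the same VAP group. Assumptions: the session text and the zebos-ospf package name are constructed, the RPM name pattern zebos-<component>-<dist>-<version> is inferred from the sample names on this page, and treating a version difference as a finding is this example's own policy.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Documented status formats (the same three for protocols and for NSM):
#   <name> is not installed
#   <name> <RPM_package_name> is installed but not running
#   <name> <RPM_package_name> is installed and running
STATUS_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:is not installed"
    r"|(?P<rpm>\S+)\s+is installed (?P<run>and running|but not running))\s*$"
)

# Assumption: package names look like zebos-bgp-EL5-7.5.3-29.0.0.72, i.e.
# zebos-<component>-<dist>-<version>. Inferred from the page's samples only.
RPM_RE = re.compile(
    r"^zebos-(?P<component>[a-z0-9]+)-(?P<dist>[A-Za-z]+\d+)-(?P<version>\d\S*)$"
)

# Matches both status commands as typed at the main CLI prompt.
CMD_RE = re.compile(
    r"^CBS# routing-protocol(?:-services| (?P<proto>\S+)) "
    r"vap-group (?P<group>\S+) status\s*$"
)

# Constructed sample session (not captured from a real system).
SAMPLE_SESSION = """
CBS# routing-protocol-services vap-group testvapgroup status
NSM zebos-common-EL5-7.7.1-8.0.0.x is installed and running
CBS# routing-protocol bgp vap-group testvapgroup status
BGP zebos-bgp-EL5-7.5.3-29.0.0.72 is installed and running
CBS# routing-protocol ospf vap-group testvapgroup status
OSPF zebos-ospf-EL5-7.7.1-8.0.0.x is installed but not running
CBS# routing-protocol rip vap-group testvapgroup status
RIP is not installed
CBS#
"""


@dataclass(frozen=True)
class Status:
    name: str
    installed: bool
    running: bool
    rpm: Optional[str] = None
    version: Optional[str] = None


def parse_status(line: str) -> Status:
    """Parse one status output line; raise ValueError on any other text."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a documented status line: {line!r}")
    rpm = m.group("rpm")
    if rpm is None:
        return Status(m.group("name"), installed=False, running=False)
    pkg = RPM_RE.match(rpm)
    return Status(
        m.group("name"),
        installed=True,
        running=(m.group("run") == "and running"),
        rpm=rpm,
        version=pkg.group("version") if pkg else None,
    )


def collect(session: str) -> Dict[str, List[Status]]:
    """Pair each status command with the output line that follows it."""
    by_group: Dict[str, List[Status]] = {}
    pending: Optional[str] = None
    for raw in session.splitlines():
        line = raw.strip()
        m = CMD_RE.match(line)
        if m:
            pending = m.group("group")
        elif line.startswith("CBS#"):
            pending = None  # another command or a bare prompt
        elif line and pending:
            by_group.setdefault(pending, []).append(parse_status(line))
            pending = None
    return by_group


def audit(session: str) -> List[Tuple[str, str, str]]:
    """Return (vap_group, component, finding) tuples for review."""
    findings = []
    for group, statuses in collect(session).items():
        nsm = next((s for s in statuses if s.name == "NSM"), None)
        for s in statuses:
            if not s.installed:
                findings.append((group, s.name, "not installed"))
            elif not s.running:
                findings.append((group, s.name, "installed but not running"))
            if nsm and nsm.version and s.version and s.version != nsm.version:
                findings.append(
                    (group, s.name,
                     f"version {s.version} differs from NSM {nsm.version}")
                )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSION):
        print(*finding, sep=": ")
```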


routing-protocol-services vap-group upgrade


Upgrades the Routing Software (RSW) Network Services Module (NSM) and any installed routing protocols on the specified VAP group to a newer version.

Before upgrading the routing software, perform the following steps:
1. Extract and copy the new version of the RSW RPM files to the /crossbeam/rsw/rpm directory on the X-Series Platform.
2. Stop all routing protocol daemons. Use the configure routing-protocol command to stop the routing protocol daemons.

NOTE: Before undertaking an application upgrade, it is good practice to back up the configuration files. Use the routing-protocol-services vap-group save command to save the routing protocol configurations. Use the routing-protocol vap-group save command to save the NSM configuration.

Syntax
routing-protocol-services vap-group <VAP_group_name> upgrade

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to upgrade the routing software.

Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.

Example
The following command upgrades NSM and any installed routing protocols on the VAP group called testvapgroup:

    CBS# routing-protocol-services vap-group testvapgroup upgrade
    Upgrade to version 7.7.1-8.0.0.x. Do you want to proceed <Y or N>[Y]: y

XOS displays the following as it upgrades NSM and any installed routing protocols (in this example, PIM sparse-mode):

    Preparing packages for installation...
    zebos-common-EL5-7.7.1-8.0.0.x
    Preparing packages for installation...
    zebos-pim-EL5-7.7.1-8.0.0.x
    Finished upgrading version 7.7.1-8.0.0.x on vap-group testvapgroup


routing-protocol-services vap-group update


Verifies that all routing protocols and the Routing Software (RSW) Network Services Module (NSM) running on the specified VAP group are installed on all members of that VAP group. Installs the routing protocols on all VAP group members on which the routing protocols are not already installed. Installs the NSM on all VAP group members on which it is not already installed.

NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in a VAP group.

Each time you add new VAPs to a VAP group on which multiple routing protocols have been installed, you must use the routing-protocol vap-group <VAP_group_name> update command to install the routing protocols on the new VAPs and to install NSM on the new VAPs, if necessary.

NOTE: When you install routing protocols on new VAPs in a VAP group, XOS copies the routing protocol configurations and the NSM configuration from the existing VAPs onto the new VAPs. The NSM and routing protocol configurations are always the same for all VAPs in a VAP group.

Syntax
routing-protocol-services vap-group <VAP_group_name> update

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group that contains one or more new VAPs on which you want to install the routing protocols, and if necessary, install NSM.

Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.

Example
In this example, the BGP and OSPF routing protocols have been installed on a VAP group called testvapgroup, and therefore, XOS has also installed NSM on that VAP group. This VAP group consisted of three VAPs at the time of the installation. A few months after the routing protocol and NSM installations, the X-Series Platform administrator added a fourth VAP to the group.

To install the BGP and OSPF routing protocols and the NSM on the fourth VAP in the VAP group called testvapgroup, the administrator issues the following command:

    CBS# routing-protocol-services vap-group testvapgroup update
    Finished updating on vap-group testvapgroup
    CBS#


6
Commands for Configuring and Managing Flow Provisioning
You configure flow provisioning for the X-Series Platform by creating and configuring flow rules. The NPM uses flow rules to determine how to process a new traffic flow when it arrives on a logical interface. A flow rule consists of an action and a set of packet-matching criteria. The NPM performs the action on flows that meet the packet-matching criteria.

You manage flow provisioning for the X-Series Platform by monitoring flows passing through the system, clearing unwanted flows from the system, and reconfiguring flow rules as necessary.

This chapter describes the CLI commands that you can use to configure and manage flow provisioning for the X-Series Platform. This chapter contains the following sections:
    Commands for Configuring System-Level Flow Rules
    Commands for Configuring VAP-Group Level Flow Rules
    Commands for Monitoring Flows and Managing Flow Rule Conflicts
    Commands for Clearing Flows from the X-Series Platform


Commands for Configuring System-Level Flow Rules


This section describes the commands that you can use to create and configure system-level flow rules for the X-Series Platform. This section contains the following command descriptions:
    configure system-ip-flow-rule
    action drop (conf-system-ip-flow context)
    action allow (conf-system-ip-flow context)
    action pass-to-masters (conf-system-ip-flow context)
    action broadcast (conf-system-ip-flow context)
    direction (conf-system-ip-flow context)
    skip-port-protocol (conf-system-ip-flow context)
    generate-reversed-flow (conf-system-ip-flow context)
    source-addr (conf-system-ip-flow context)
    destination-addr (conf-system-ip-flow context)
    source-port (conf-system-ip-flow context)
    destination-port (conf-system-ip-flow context)
    protocol (conf-system-ip-flow context)
    domain (conf-system-ip-flow context)
    incoming-circuit-group (conf-system-ip-flow context)
    timeout (conf-system-ip-flow context)
    trace (conf-system-ip-flow context)
    priority (conf-system-ip-flow context)
    activate (conf-system-ip-flow context)
    show (conf-system-ip-flow context)
    configure system-non-ip-flow-rule
    action drop (conf-system-non-ip-flow context)
    action pass-to-masters (conf-system-non-ip-flow context)
    action broadcast (conf-system-non-ip-flow context)
    encapsulation ethernet (conf-system-non-ip-flow context)
    encapsulation lsap (conf-system-non-ip-flow context)
    encapsulation snap (conf-system-non-ip-flow context)
    activate (conf-system-non-ip-flow context)
    show (conf-system-non-ip-flow context)


configure system-ip-flow-rule
Creates or configures a system-level IP flow rule for the X-Series Platform. Places you into a context in which you can configure and activate the specified system-level IP flow rule.

The NPM uses system-level IP flow rules to determine how to process each IP traffic flow that enters the NPM in the X-Series Platform. Each system-level IP flow rule consists of an action and a set of packet-matching criteria. The NPM performs the action on flows that meet the packet-matching criteria. For example, you can create a system-level IP flow rule that instructs the NPM to drop all packets that match a specific source IP address.

By default, when you create a system-level IP flow rule, XOS configures that flow rule's packet-matching criteria to match all flows. That is, by default, the NPM performs a system-level IP flow rule's action on every flow entering the NPM.

You must activate a system-level IP flow rule before it will take effect. By default, system-level IP flow rules are not activated. See activate (conf-system-ip-flow context) on page 277 for instructions on activating the system-level IP flow rule that you are configuring.

Use the no parameter to delete the specified system-level IP flow rule.

Use the show (conf-system-ip-flow context) command to display the current configuration for the system-level IP flow rule that you are configuring. Use the show system-ip-flow-rule command to display all system-level IP flow rules currently configured on the X-Series Platform.

Syntax
configure [no] system-ip-flow-rule <IP_flow_rule_name>

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the conf-system-ip-flow context in which you can configure and activate the specified system-level IP flow rule. You can access the following commands from this context:
    action drop (conf-system-ip-flow context)
    action allow (conf-system-ip-flow context)
    action pass-to-masters (conf-system-ip-flow context)
    action broadcast (conf-system-ip-flow context)
    direction (conf-system-ip-flow context)
    skip-port-protocol (conf-system-ip-flow context)
    generate-reversed-flow (conf-system-ip-flow context)
    source-addr (conf-system-ip-flow context)
    destination-addr (conf-system-ip-flow context)
    source-port (conf-system-ip-flow context)
    destination-port (conf-system-ip-flow context)
    protocol (conf-system-ip-flow context)
    domain (conf-system-ip-flow context)

XOS Command Reference Guide

255

incoming-circuit-group (conf-system-ip-flow context) on page 271 timeout (conf-system-ip-flow context) on page 273 trace (conf-system-ip-flow context) on page 275 priority (conf-system-ip-flow context) on page 276 activate (conf-system-ip-flow context) on page 277 show (conf-system-ip-flow context) on page 278

Parameters
The following table lists the parameters used with this command.

| Parameter | Description |
|---|---|
| <IP_flow_rule_name> | Name assigned to the system-level IP flow rule that you want to create or configure for the X-Series Platform. |

Restrictions
Default Privilege Level: 15

Example
The following command creates a system-level IP flow rule called testsysipflow and places you in the context in which you can configure and activate that system-level IP flow rule:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

action drop (conf-system-ip-flow context)


Sets the action to drop for the system-level IP flow rule that you are configuring. The NPM drops all IP packets that match the conditions defined in the system-level IP flow rule's packet-matching criteria.

Use the show (conf-system-ip-flow context) command to display the conditions defined in the packet-matching criteria for the system-level IP flow rule that you are configuring.

NOTE: The default action for all system-level IP flow rules is drop.

Use the show (conf-system-ip-flow context) command to display the action for the system-level IP flow rule that you are configuring.

Syntax
action drop

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command sets the action for the system-level IP flow rule called testsysipflow to drop:

CBS(conf-system-ip-flow)# action drop
CBS(conf-system-ip-flow)#

The NPM drops all IP packets that meet the packet-matching criteria defined for the system-level IP flow rule called testsysipflow.

action allow (conf-system-ip-flow context)


Sets the action to allow for the system-level IP flow rule that you are configuring. The NPM allows all IP packets that meet the packet-matching criteria defined in the system-level IP flow rule to pass through the X-Series Platform and proceed to their destination IP addresses.

IMPORTANT: This action is only applicable to outbound IP traffic (IP traffic flowing out of the X-Series Platform). If you configure a system-level IP flow rule with the action allow command, you must also use the direction (conf-system-ip-flow context) command to configure the flow rule's packet-matching criteria to match only outbound IP traffic.

Use the show (conf-system-ip-flow context) command to display the packet-matching criteria defined for the system-level IP flow rule that you are configuring.

NOTE: The default action for all system-level IP flow rules is drop. See action drop (conf-system-ip-flow context) on page 256 for more information about this action.

Use the show (conf-system-ip-flow context) command to display the action for the system-level IP flow rule that you are configuring.

Syntax
action allow

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Restrictions
Default Privilege Level: 15

If a system-level IP flow rule's action is set to allow, the flow rule's traffic flow direction packet-matching criteria must be set to outbound.

NOTE: If a system-level IP flow rule does not meet this requirement, the CLI issues an error when you attempt to use the activate (conf-system-ip-flow context) command to activate that system-level IP flow rule.

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command sets the action for the system-level IP flow rule called testsysipflow to allow:

CBS(conf-system-ip-flow)# action allow
CBS(conf-system-ip-flow)#

The NPM allows all IP packets that meet the packet-matching criteria for the system-level IP flow rule called testsysipflow to pass through the X-Series Platform and proceed to their destination IP addresses.

action pass-to-masters (conf-system-ip-flow context)


Sets the action to pass-to-masters for the system-level IP flow rule that you are configuring. When the NPM encounters an IP packet that meets the packet-matching criteria defined in the system-level IP flow rule, the NPM passes that IP packet to the master VAP in every VAP group configured on the X-Series Platform.

Use the show (conf-system-ip-flow context) command to display the packet-matching criteria defined for the system-level IP flow rule that you are configuring.

NOTE: The default action for all system-level IP flow rules is drop. See action drop (conf-system-ip-flow context) on page 256 for more information about this action.

Use the show (conf-system-ip-flow context) command to display the action for the system-level IP flow rule that you are configuring.

Syntax
action pass-to-masters

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command sets the action for the system-level IP flow rule called testsysipflow to pass-to-masters:

CBS(conf-system-ip-flow)# action pass-to-masters
CBS(conf-system-ip-flow)#

When the NPM encounters an IP packet that meets the packet-matching criteria defined for the system-level IP flow rule called testsysipflow, the NPM passes that IP packet to the master VAP in every VAP group configured on the X-Series Platform.

action broadcast (conf-system-ip-flow context)


Sets the action to broadcast for the system-level IP flow rule that you are configuring. When the NPM encounters an IP packet that meets the packet-matching criteria defined in the system-level IP flow rule, the NPM passes that IP packet to every VAP in every VAP group configured on the X-Series Platform.

Use the show (conf-system-ip-flow context) command to display the packet-matching criteria defined for the system-level IP flow rule that you are configuring.

NOTE: The default action for all system-level IP flow rules is drop. See action drop (conf-system-ip-flow context) on page 256 for more information about this action.

Use the show (conf-system-ip-flow context) command to display the action for the system-level IP flow rule that you are configuring.

Syntax
action broadcast

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command sets the action for the system-level IP flow rule called testsysipflow to broadcast:

CBS(conf-system-ip-flow)# action broadcast
CBS(conf-system-ip-flow)#

When the NPM encounters an IP packet that meets the packet-matching criteria defined for the system-level IP flow rule called testsysipflow, the NPM passes that IP packet to every VAP in every VAP group configured on the X-Series Platform.

direction (conf-system-ip-flow context)


Configures the traffic flow direction packet-matching criteria for the system-level IP flow rule that you are configuring.

Use this command to apply a system-level IP flow rule's action only to IP traffic flowing in the specified direction (inbound to or outbound from the X-Series Platform).

By default, the NPM applies a system-level IP flow rule's action to both inbound and outbound IP traffic. Use the both parameter to restore this default behavior.

Use the show (conf-system-ip-flow context) command to display the traffic flow direction packet-matching criteria for the system-level IP flow rule that you are configuring.

Syntax
direction {inbound | outbound | both}

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

| Parameter | Description |
|---|---|
| inbound | Configures the packet-matching criteria for the system-level IP flow rule that you are configuring to match only inbound flows. The NPM applies the system-level IP flow rule only to IP packets coming into the X-Series Platform. |
| outbound | Configures the packet-matching criteria for the system-level IP flow rule that you are configuring to match only outbound IP traffic flows. The NPM applies the system-level IP flow rule only to IP packets exiting from the X-Series Platform. |
| both | Configures the packet-matching criteria for the system-level IP flow rule that you are configuring to match both inbound and outbound IP traffic flows. The NPM applies the system-level IP flow rule to all IP packets entering or exiting the X-Series Platform. This is the default setting. |

Restrictions
Default Privilege Level: 15

When you issue the activate (conf-system-ip-flow context) command to activate a system-level IP flow rule, the CLI issues an error if the following conditions are not met:

- If the system-level IP flow rule's action is set to allow, the flow rule's traffic flow direction packet-matching criteria must be set to outbound.
- If the system-level IP flow rule's traffic flow direction matching criteria is set to outbound, the flow rule's action must be set to allow or drop.

See action allow (conf-system-ip-flow context) on page 257 and action drop (conf-system-ip-flow context) on page 256 for more information about the allow and drop actions.

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command configures the packet-matching criteria for the system-level IP flow rule called testsysipflow to match only outbound IP traffic flows:

CBS(conf-system-ip-flow)# direction outbound
CBS(conf-system-ip-flow)#

skip-port-protocol (conf-system-ip-flow context)


Enables or disables (using no) skip-port-protocol for the system-level IP flow rule that you are configuring. By default, skip-port-protocol is enabled for all system-level IP flow rules.

If skip-port-protocol is enabled for a system-level IP flow rule, the NPM excludes source port number, destination port number, and protocol number from the packet-matching criteria for the system-level IP flow rule. The NPM applies the system-level IP flow rule's action without considering an IP packet's source port number, destination port number, or protocol number.

Use the show (conf-system-ip-flow context) command to determine whether skip-port-protocol is enabled for the system-level IP flow rule that you are configuring.

Syntax
[no] skip-port-protocol

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command disables skip-port-protocol for the system-level IP flow rule called testsysipflow:

CBS(conf-system-ip-flow)# no skip-port-protocol
CBS(conf-system-ip-flow)#

With skip-port-protocol disabled, the user can configure the packet-matching criteria for testsysipflow to include source port, destination port, and protocol number matching criteria. The NPM applies the system-level IP flow rule's action to an IP packet only if that packet matches these criteria.

generate-reversed-flow (conf-system-ip-flow context)


Enables or disables (using no) bi-directional IP flow matching for the system-level IP flow rule that you are configuring. By default, bi-directional IP flow matching is disabled for all system-level IP flow rules.

If bi-directional IP flow matching is enabled for a system-level IP flow rule, you can configure its packet-matching criteria for bi-directional flows. This means that you can configure packet-matching criteria for both source and destination IP addresses and port numbers.

If bi-directional IP flow matching is disabled for a system-level IP flow rule, you must configure its packet-matching criteria for uni-directional flows. This means that you can configure packet-matching criteria for either source IP address and source port number or destination IP address and destination port number.

Use the show (conf-system-ip-flow context) command to determine whether bi-directional IP flow matching is enabled for the system-level IP flow rule that you are configuring.

Syntax
[no] generate-reversed-flow

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command enables bi-directional IP flow matching for the system-level IP flow rule called testsysipflow:

CBS(conf-system-ip-flow)# generate-reversed-flow
CBS(conf-system-ip-flow)#

The user can now configure testsysipflow with packet-matching criteria for bi-directional IP flows. That is, the user can configure packet-matching criteria for both source and destination IP addresses and port numbers.

source-addr (conf-system-ip-flow context)


Configures the source IP address matching criteria for the system-level IP flow rule that you are configuring. The NPM applies the system-level IP flow rule's action only to IP packets that meet the specified source IP address matching criteria.

By default, a system-level IP flow rule's source IP address matching criteria is set to any source IP address. The NPM applies the system-level IP flow rule's action without considering a packet's source IP address. To restore this default behavior, use the no source-addr command or use the source-addr any command.

Use the show (conf-system-ip-flow context) command to display the source IP address-matching criteria defined for the system-level IP flow rule that you are configuring.

Syntax
source-addr {any | <IP_address> | <IP_address>/<0-32>}
no source-addr

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

| Parameter | Description |
|---|---|
| any | Sets the flow rule's source IP address matching criteria to any source IP address. The NPM applies the system-level IP flow rule's action without considering a packet's source IP address. This is the default behavior for every system-level IP flow rule. |
| <IP_address> | Configures the flow rule's source IP address matching criteria to include only the specified IP address. The NPM applies the system-level IP flow rule's action to a packet only if its source IP address matches the specified IP address. |
| <IP_address>/<0-32> | Configures the flow rule's source IP address matching criteria to include all IP addresses that belong to the specified IP network. The NPM applies the system-level IP flow rule's action to a packet only if its source IP address matches one of the IP addresses that belong to the specified IP network. You specify the IP network using CIDR notation (for example, 10.15.0.0/16). |

NOTE: When configuring IP flow rules, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.

Restrictions
Default Privilege Level: 15

If you wish to configure a system-level IP flow rule with packet-matching criteria for both source and destination IP addresses, you must use the generate-reversed-flow (conf-system-ip-flow context) command to enable bi-directional IP flow matching for that system-level IP flow rule.

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command sets the source IP address matching criteria for the system-level IP flow rule called testsysipflow to include all IP addresses on the IP network 10.170.53.0/24:

CBS(conf-system-ip-flow)# source-addr 10.170.53.0/24
CBS(conf-system-ip-flow)#

The NPM applies the action configured for testsysipflow only to IP packets whose source IP address matches one of the IP addresses that belong to the IP network 10.170.53.0/24.

destination-addr (conf-system-ip-flow context)


Configures the destination IP address matching criteria for the system-level IP flow rule that you are configuring. The NPM applies the system-level IP flow rule's action only to IP packets that meet the specified destination IP address matching criteria.

By default, a system-level IP flow rule's destination IP address matching criteria is set to any destination IP address. The NPM applies the system-level IP flow rule's action without considering a packet's destination IP address. To restore this default behavior, use the no destination-addr command or use the destination-addr any command.

Use the show (conf-system-ip-flow context) command to display the destination IP address matching criteria defined for the system-level IP flow rule that you are configuring.

Syntax
destination-addr {any | <IP_address> | <IP_address>/<0-32>}
no destination-addr

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

| Parameter | Description |
|---|---|
| any | Sets the flow rule's destination IP address matching criteria to any destination IP address. The NPM applies the system-level IP flow rule's action without considering a packet's destination IP address. This is the default behavior for every system-level IP flow rule. |
| <IP_address> | Configures the flow rule's destination IP address matching criteria to include only the specified IP address. The NPM applies the system-level IP flow rule's action to a packet only if its destination IP address matches the specified IP address. |
| <IP_address>/<0-32> | Configures the flow rule's destination IP address matching criteria to include all IP addresses that belong to the specified IP network. The NPM applies the system-level IP flow rule's action to a packet only if its destination IP address matches one of the IP addresses that belong to the specified IP network. You specify the IP network using CIDR notation (for example, 10.15.0.0/16). |

NOTE: When configuring IP flow rules, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.

Restrictions
Default Privilege Level: 15

If you wish to configure a system-level IP flow rule with packet-matching criteria for both source and destination IP addresses, you must use the generate-reversed-flow (conf-system-ip-flow context) command to enable bi-directional IP flow matching for that system-level IP flow rule.

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command sets the destination IP address matching criteria for the system-level IP flow rule called testsysipflow to include all IP addresses on the IP network 10.170.53.0/24:

CBS(conf-system-ip-flow)# destination-addr 10.170.53.0/24
CBS(conf-system-ip-flow)#

The NPM applies the action configured for testsysipflow only to IP packets whose destination IP address matches one of the IP addresses that belong to the IP network 10.170.53.0/24.

source-port (conf-system-ip-flow context)


Configures the source port matching criteria for the system-level IP flow rule that you are configuring. The NPM applies the system-level IP flow rule's action only to IP packets that meet the specified source port matching criteria.

By default, a system-level IP flow rule's source port matching criteria is set to any source port number. The NPM applies the system-level IP flow rule's action without considering a packet's source port number. To restore this default behavior, use the no source-port command or use the source-port any command.

Use the show (conf-system-ip-flow context) command to display the source port matching criteria defined for the system-level IP flow rule that you are configuring.

Syntax
source-port {any | <port_number>}
no source-port

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

| Parameter | Description |
|---|---|
| any | Sets the flow rule's source port matching criteria to any source port number. The NPM applies the system-level IP flow rule's action without considering a packet's source port number. This is the default behavior for every system-level IP flow rule. |
| <port_number> | Sets the flow rule's source port matching criteria to include only the specified port number. The NPM applies the system-level IP flow rule's action to a packet only if its source port number matches the specified port number. Valid values are from 0-65535. |

Restrictions
Default Privilege Level: 15

If you wish to configure a system-level IP flow rule with packet-matching criteria for both source and destination port numbers, you must use the generate-reversed-flow (conf-system-ip-flow context) command to enable bi-directional IP flow matching for that system-level IP flow rule.

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command configures the source port matching criteria for the system-level IP flow rule called testsysipflow to include only port 25:

CBS(conf-system-ip-flow)# source-port 25
CBS(conf-system-ip-flow)#

The NPM applies the action configured for testsysipflow only to IP packets whose source port number is 25.

destination-port (conf-system-ip-flow context)


Configures the destination port matching criteria for the system-level IP flow rule that you are configuring. The NPM applies the system-level IP flow rule's action only to IP packets that meet the specified destination port matching criteria.

By default, a system-level IP flow rule's destination port matching criteria is set to any destination port number. The NPM applies the system-level IP flow rule's action without considering a packet's destination port number. To restore this default behavior, use the no destination-port command or use the destination-port any command.

Use the show (conf-system-ip-flow context) command to display the destination port matching criteria defined for the system-level IP flow rule that you are configuring.

Syntax
destination-port {any | <port_number>}
no destination-port

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

| Parameter | Description |
|---|---|
| any | Sets the flow rule's destination port matching criteria to any destination port number. The NPM applies the system-level IP flow rule's action without considering a packet's destination port number. This is the default behavior for every system-level IP flow rule. |
| <port_number> | Configures the flow rule's destination port matching criteria to include only the specified port number. The NPM applies the system-level IP flow rule's action to a packet only if its destination port number matches the specified port number. Valid values are from 0-65535. |

Restrictions
Default Privilege Level: 15

If you wish to configure a system-level IP flow rule with packet-matching criteria for both source and destination port numbers, you must use the generate-reversed-flow (conf-system-ip-flow context) command to enable bi-directional IP flow matching for that system-level IP flow rule.

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command configures the destination port matching criteria for the system-level IP flow rule called testsysipflow to include only port 25:

CBS(conf-system-ip-flow)# destination-port 25
CBS(conf-system-ip-flow)#

The NPM applies the action configured for testsysipflow only to IP packets whose destination port number is 25.

protocol (conf-system-ip-flow context)


Configures the protocol matching criteria for the system-level IP flow rule that you are configuring. The NPM applies the system-level IP flow rule's action only to IP packets that meet the specified protocol matching criteria.

By default, a system-level IP flow rule's protocol matching criteria is set to any protocol number. The NPM applies the system-level IP flow rule's action without considering a packet's protocol number. To restore this default behavior, use the no protocol command or use the protocol any command.

Use the show (conf-system-ip-flow context) command to display the protocol matching criteria defined for the system-level IP flow rule that you are configuring.

Syntax
protocol {any | <protocol_number>}
no protocol

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

| Parameter | Description |
|---|---|
| any | Sets the flow rule's protocol matching criteria to any protocol number. The NPM applies the system-level IP flow rule's action without considering a packet's protocol number. This is the default behavior for every system-level IP flow rule. |
| <protocol_number> | Configures the flow rule's protocol matching criteria to include only the specified protocol number. The NPM applies the system-level IP flow rule's action to a packet only if its protocol number matches the specified protocol number. Valid values are from 1-255. |

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command configures the protocol matching criteria for the system-level IP flow rule called testsysipflow to include only protocol number 41 (IPv6):

CBS(conf-system-ip-flow)# protocol 41
CBS(conf-system-ip-flow)#

The NPM applies the action configured for testsysipflow only to IP packets using protocol 41.

domain (conf-system-ip-flow context)


Configures the domain matching criteria for the system-level IP flow rule that you are configuring. The NPM applies the system-level IP flow rule's action only to IP packets that meet the specified domain matching criteria.

By default, a system-level IP flow rule's domain matching criteria is set to any domain ID number. The NPM applies the system-level IP flow rule's action without considering a packet's domain ID number. To restore this default behavior, use the no domain command or use the domain any command.

NOTE: All of the IP packets that are destined for a particular circuit belong to that circuit's domain. You assign a domain to a circuit by specifying the domain parameter with the configure circuit command. By default, all circuits belong to domain 1.

Use the show (conf-system-ip-flow context) command to display the domain matching criteria defined for the system-level IP flow rule that you are configuring.

Syntax
domain {any | <domain_ID_number>}
no domain

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

| Parameter | Description |
|---|---|
| any | Sets the flow rule's domain matching criteria to any domain ID number. The NPM applies the system-level IP flow rule's action without considering a packet's domain ID number. This is the default behavior for every system-level IP flow rule. |
| <domain_ID_number> | Configures the flow rule's domain matching criteria to include only the specified domain ID number. The NPM applies the system-level IP flow rule's action to a packet only if its domain ID number matches the specified domain ID number. Valid values are from 1-4095. |

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command configures the domain matching criteria for the system-level IP flow rule called testsysipflow to include only domain ID number 2. Domain ID number 2 is assigned to the circuit called cctwan, which is one of the egress traffic circuits configured for the VAP group called testvapgroup.

CBS(conf-system-ip-flow)# domain 2
CBS(conf-system-ip-flow)#

The NPM applies the action configured for testsysipflow only to IP packets whose domain ID number is 2.

incoming-circuit-group (conf-system-ip-flow context)


Configures the incoming circuit group (ICG) matching criteria for the system-level IP flow rule that you are configuring. The NPM applies the system-level IP flow rule's action only to IP packets that meet the specified ICG matching criteria.

By default, a system-level IP flow rule's ICG matching criteria is set to 1. To restore this default behavior, use the no incoming-circuit-group command.

To assign a name to an incoming circuit group, use the configure incoming-circuit-group-name command. To see a list of incoming circuit groups, including any names assigned to them, use the show incoming-circuit-group-name command.

NOTE: All of the IP packets that are destined for a particular circuit are assigned to that circuit's ICG. You assign an ICG to a circuit by configuring that circuit with the incoming-circuit-group (conf-cct context) command. By default, all circuits belong to ICG 1.

Use the show (conf-system-ip-flow context) command to display the ICG matching criteria defined for the system-level IP flow rule that you are configuring.

Syntax
incoming-circuit-group {any | <ICG_number>}
no incoming-circuit-group

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.


Parameters
The following table lists the parameters used with this command.

Parameter: any
Description: Sets the flow rule's incoming circuit group (ICG) matching criteria to any ICG number. The NPM applies the system-level IP flow rule's action without considering a packet's ICG number.

Parameter: <ICG_number>
Description: Configures the flow rule's incoming circuit group (ICG) matching criteria to include only the specified ICG number. The NPM applies the system-level IP flow rule's action to a packet only if its ICG number matches the specified ICG number. Valid values are from 1-255. Default is 1.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command configures the incoming circuit group (ICG) matching criteria for the system-level IP flow rule called testsysipflow to include only ICG number 2. ICG number 2 is assigned to the circuit called cctwan, which is one of the egress traffic circuits configured for the VAP group called testvapgroup.

CBS(conf-system-ip-flow)# incoming-circuit-group 2
CBS(conf-system-ip-flow)#

The NPM applies the action configured for testsysipflow only to IP packets whose ICG number is 2.


timeout (conf-system-ip-flow context)


Configures an idle flow timeout interval and applies it to all IP flows that match the conditions defined in the packet matching criteria for the system-level IP flow rule that you are configuring. An IP flow's idle flow timeout interval is the amount of time that the IP flow can remain idle before the NPM deletes the IP flow from the Active Flow Table (AFT).

By default, the NPM's IP flow classifier assigns an appropriate idle flow timeout interval to every new IP flow. To restore this default behavior, use the no timeout command or use the timeout auto command.

NOTE: After the NPM deletes an idle IP flow from the AFT, if the NPM later encounters other IP packets belonging to that flow, the NPM considers those packets to be part of a new flow. As a result, the NPM may move the now-active flow onto a new VAP. You may encounter problems if an IP flow moves between VAPs in a VAP group on which you are running a stateful firewall (such as Check Point VPN-1 Power NGX R65).

Use the show (conf-system-ip-flow context) command to display the idle flow timeout interval configuration for the system-level IP flow rule that you are configuring.

Syntax
timeout {auto | <idle_flow_timeout_interval>}
no timeout

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

Parameter: auto
Description: Configures the NPM's IP flow classifier to automatically assign these idle flow timeout intervals to every new flow that matches the conditions defined in the packet matching criteria for the system-level IP flow rule that you are configuring:
- TCP: 10 minutes
- UDP: 1 minute
- Other: 30 seconds

Parameter: <idle_flow_timeout_interval>
Description: Applies the specified idle flow timeout interval to all IP flows that match the conditions defined in the packet matching criteria for the system-level IP flow rule that you are configuring. An IP flow's idle flow timeout interval is the amount of time that the IP flow can remain idle before the NPM deletes the IP flow from the Active Flow Table (AFT). You must specify an idle flow timeout interval using one of the following parameters:
- 30-seconds: Sets the idle flow timeout interval to 30 seconds. Timeout occurs when a flow remains idle for approximately 30 seconds.
- 1-minute: Sets the idle flow timeout interval to 1 minute. Timeout occurs when a flow remains idle for approximately 1 minute.
- 3-minutes: Sets the idle flow timeout interval to 3 minutes. Timeout occurs when a flow remains idle for approximately 3 minutes.
- 5-minutes: Sets the idle flow timeout interval to 5 minutes. Timeout occurs when a flow remains idle for approximately 5 minutes.
- 10-minutes: Sets the idle flow timeout interval to 10 minutes. Timeout occurs when a flow remains idle for approximately 10 minutes.
- 20-minutes: Sets the idle flow timeout interval to 20 minutes. Timeout occurs when a flow remains idle for approximately 20 minutes.
- 30-minutes: Sets the idle flow timeout interval to 30 minutes. Timeout occurs when a flow remains idle for approximately 30 minutes.
- 1-hour: Sets the idle flow timeout interval to 1 hour. Timeout occurs when a flow remains idle for approximately 1 hour.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command sets the idle flow timeout interval for the system-level IP flow rule called testsysipflow to 10 minutes.

CBS(conf-system-ip-flow)# timeout 10-minutes
CBS(conf-system-ip-flow)#

The NPM deletes any IP flow from the Active Flow Table (AFT) if that flow matches the conditions defined in the packet matching criteria for testsysipflow and that flow remains idle for approximately 10 minutes.
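The idle-timeout behavior described in this section can be reasoned about with a small model. The Python below is an added example, not part of the Crossbeam guide or of XOS; it replays timestamped packets and counts how many times each flow is created as a new flow under a given timeout setting. The packet list is constructed, and the names idle_limit and count_flows and the exact (rather than approximate) expiry comparison are assumptions.

```python
"""Model of idle-flow expiry in an Active Flow Table (added example, not XOS code)."""

# Keywords accepted by the timeout command, in seconds (from the parameter table).
TIMEOUT_KEYWORDS = {
    "30-seconds": 30, "1-minute": 60, "3-minutes": 180, "5-minutes": 300,
    "10-minutes": 600, "20-minutes": 1200, "30-minutes": 1800, "1-hour": 3600,
}
# Intervals assigned by "timeout auto": TCP 10 minutes, UDP 1 minute, other 30 seconds.
AUTO_BY_PROTOCOL = {6: 600, 17: 60}   # IP protocol numbers for TCP and UDP
AUTO_OTHER = 30


def idle_limit(setting, protocol):
    """Return the idle limit in seconds for a timeout setting and IP protocol number."""
    if setting == "auto":
        return AUTO_BY_PROTOCOL.get(protocol, AUTO_OTHER)
    try:
        return TIMEOUT_KEYWORDS[setting]
    except KeyError:
        raise ValueError(f"unknown timeout keyword: {setting!r}") from None


def count_flows(packets, setting="auto"):
    """Replay (timestamp_seconds, flow_key, protocol) tuples.

    Returns {flow_key: number of times a new table entry was created}.
    A count above 1 means the flow idled out and its later packets were
    treated as a new flow, which is when it may land on a different VAP.
    Assumption: expiry happens exactly at the limit; the guide says "approximately".
    """
    last_seen = {}
    created = {}
    for ts, key, proto in sorted(packets, key=lambda p: p[0]):
        previous = last_seen.get(key)
        if previous is None or ts - previous >= idle_limit(setting, proto):
            created[key] = created.get(key, 0) + 1
        last_seen[key] = ts
    return created


# Constructed sample traffic: (source, source port, destination, destination port).
TCP_FLOW = ("1.1.1.20", 40000, "1.1.1.35", 25)
UDP_FLOW = ("1.1.1.20", 5000, "1.1.1.35", 53)
SAMPLE_PACKETS = [
    (0, TCP_FLOW, 6), (300, TCP_FLOW, 6), (1000, TCP_FLOW, 6),   # 700 s quiet gap
    (0, UDP_FLOW, 17), (45, UDP_FLOW, 17), (200, UDP_FLOW, 17),  # 155 s quiet gap
]

if __name__ == "__main__":
    for setting in ("auto", "3-minutes", "20-minutes"):
        print(setting, count_flows(SAMPLE_PACKETS, setting))
```

With this sample, both flows are re-created once under auto, while 20-minutes keeps each as a single flow for the whole capture.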

trace (conf-system-ip-flow context)


Enables or disables (using no) packet tracing for IP packets that match the conditions defined in the packet matching criteria for the system-level IP flow rule that you are configuring. By default, packet tracing is disabled for all system-level IP flow rules.

NOTE: Packet tracing may impact X-Series Platform performance. You should enable packet tracing for debugging purposes only.

Use the show (conf-system-ip-flow context) command to determine whether packet tracing is enabled for IP packets that match the conditions defined in the packet matching criteria for the system-level IP flow rule that you are configuring.

Syntax
[no] trace

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command enables packet tracing for all IP packets that match the conditions defined in the packet matching criteria for the system-level IP flow rule called testsysipflow:

CBS(conf-system-ip-flow)# trace
CBS(conf-system-ip-flow)#


priority (conf-system-ip-flow context)


Sets the priority level for the system-level IP flow rule that you are configuring. You set priority levels for system-level IP flow rules to specify the order in which the NPM applies system-level IP flow rules to an IP traffic flow that arrives on a logical interface. When an IP traffic flow arrives on a logical interface configured on an X-Series Platform, the NPM applies activated system-level IP flow rules to that flow. The NPM applies system-level IP flow rules one at a time, in order of priority level, applying the system-level IP flow rule with the highest priority level first. Valid priority levels are from 10-20, and from 25-30. By default, all system-level IP flow rules have a priority level of 10. Use the no priority command to restore this default setting. Use the show (conf-system-ip-flow context) command to display the priority level assigned to the system-level IP flow rule that you are configuring.

Syntax
priority <priority_level>
no priority

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

Parameter: <priority_level>
Description: Specifies the priority level that you want to assign to the system-level IP flow rule that you are configuring. Valid values are from 10-20 and from 25-30. Default is 10.

Restrictions
Default Privilege Level: 15

Example
In this example, the X-Series Platform system administrator wants to configure the X-Series Platform so that the NPM drops all outbound IP packets that have the source IP address, 1.1.1.20, unless those packets also have the destination IP address, 1.1.1.35. If an IP packet has the desired source and destination IP addresses, the administrator wants the NPM to allow the IP packet to exit the X-Series Platform and proceed to the destination IP address. Therefore, the administrator has configured two system-level IP flow rules:

- testsysipflow: Allows all outbound IP packets that have the source IP address, 1.1.1.20 and the destination IP address, 1.1.1.35, to exit the X-Series Platform and proceed to the destination IP address.
- dropsysipflow: Drops all outbound IP packets that have the source IP address, 1.1.1.20.

The administrator now uses the following commands to configure the system-level IP flow rule called testsysipflow with a priority level of 15, and configure the system-level IP flow rule called dropsysipflow with a priority level of 14.

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)# priority 15
CBS(conf-system-ip-flow)# source-addr 1.1.1.20
CBS(conf-system-ip-flow)# destination-addr 1.1.1.35
CBS(conf-system-ip-flow)# action allow
CBS(conf-system-ip-flow)# activate
CBS(conf-system-ip-flow)# end
CBS# configure system-ip-flow-rule dropsysipflow
CBS(conf-system-ip-flow)# priority 14
CBS(conf-system-ip-flow)# source-addr 1.1.1.20
CBS(conf-system-ip-flow)# action drop
CBS(conf-system-ip-flow)# activate
CBS(conf-system-ip-flow)# end
CBS#

Now, the NPM applies the system-level IP flow rule called testsysipflow before applying the system-level IP flow rule called dropsysipflow. When the NPM encounters an outbound IP packet, the NPM first determines whether the packet matches the source and destination IP address matching criteria defined for the system-level IP flow rule called testsysipflow. If the packet has both the source IP address, 1.1.1.20, and the destination IP address, 1.1.1.35, the packet matches the conditions defined in the packet matching criteria, and the NPM allows the IP packet to exit the X-Series Platform and proceed to the destination IP address.

If an outbound IP packet does not have the destination IP address, 1.1.1.35, that packet does not match all the conditions defined in the packet matching criteria for testsysipflow. In this case, the NPM does not apply the action (allow) for testsysipflow to the IP packet. Instead, the NPM proceeds to determine whether the packet matches the source IP address matching criteria defined for dropsysipflow. If the IP packet has the source IP address, 1.1.1.20, the packet matches the conditions defined in the packet matching criteria for dropsysipflow, and the NPM drops the packet.
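The rule ordering in this example can be checked offline before it is configured. The Python below is an added example, not Crossbeam code; it evaluates active rules from highest to lowest priority and reports any rule that is hidden by a higher-priority rule with a different action, which is the result of swapping the two priority levels used above. The class and function names, the handling of equal priorities (configuration order), and returning None when no rule matches are assumptions.

```python
"""Model of priority-ordered system-level IP flow rule evaluation (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Unset address criteria match 0.0.0.0 through 255.255.255.255.
ANY = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))


def addr_range(spec=None):
    """Turn None, a single address, or a CIDR network into a (low, high) pair."""
    if spec is None:
        return ANY
    net = IPv4Network(spec, strict=False)
    return (net.network_address, net.broadcast_address)


@dataclass
class FlowRule:
    name: str
    action: str = "drop"        # guide: default action is drop
    priority: int = 10          # guide: default priority level is 10
    source: tuple = ANY
    destination: tuple = ANY
    active: bool = False        # guide: rules are deactivated by default

    def __post_init__(self):
        # Guide: valid priority levels are 10-20 and 25-30.
        if not (10 <= self.priority <= 20 or 25 <= self.priority <= 30):
            raise ValueError(f"{self.name}: priority {self.priority} is not valid")

    def matches(self, src, dst):
        src, dst = IPv4Address(src), IPv4Address(dst)
        return (self.source[0] <= src <= self.source[1]
                and self.destination[0] <= dst <= self.destination[1])

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        return (self.source[0] <= other.source[0]
                and other.source[1] <= self.source[1]
                and self.destination[0] <= other.destination[0]
                and other.destination[1] <= self.destination[1])


def evaluate(rules, src, dst):
    """Return (rule name, action) for the first matching active rule.

    Rules are tried highest priority first. Assumption: rules with equal
    priority are tried in configuration order; the guide does not say.
    """
    ordered = sorted((r for r in rules if r.active),
                     key=lambda r: r.priority, reverse=True)
    for rule in ordered:
        if rule.matches(src, dst):
            return rule.name, rule.action
    return None  # assumption: no system-level rule applied to this packet


def shadowed(rules):
    """List (hidden rule, hiding rule) pairs among the active rules."""
    active = [r for r in rules if r.active]
    return [(low.name, high.name)
            for high in active for low in active
            if high.priority > low.priority
            and high.action != low.action and high.covers(low)]


def page_rules(allow_priority=15, drop_priority=14):
    """The two rules from the example above, with adjustable priorities."""
    return [
        FlowRule("testsysipflow", "allow", allow_priority,
                 addr_range("1.1.1.20"), addr_range("1.1.1.35"), active=True),
        FlowRule("dropsysipflow", "drop", drop_priority,
                 addr_range("1.1.1.20"), active=True),
    ]


if __name__ == "__main__":
    for label, rules in (("as configured", page_rules()),
                         ("priorities swapped", page_rules(14, 15))):
        print(label)
        print("  1.1.1.20 -> 1.1.1.35:", evaluate(rules, "1.1.1.20", "1.1.1.35"))
        print("  1.1.1.20 -> 1.1.1.99:", evaluate(rules, "1.1.1.20", "1.1.1.99"))
        print("  hidden rules:", shadowed(rules))
```

With the priorities swapped, the drop rule is tried first and covers everything the allow rule matches, so testsysipflow is reported as hidden by dropsysipflow.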

activate (conf-system-ip-flow context)


Activates or deactivates (using no) the system-level IP flow rule that you are configuring. By default, all system-level IP flow rules are deactivated.

IMPORTANT: The NPM only applies active system-level IP flow rules to new IP flows.

Use the show (conf-system-ip-flow context) command to determine whether the system-level IP flow rule that you are configuring has been activated.

Syntax
[no] activate

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.


Restrictions
Default Privilege Level: 15

When you issue the activate command to activate a system-level IP flow rule, the CLI issues an error if the following conditions are not met:

- If the system-level IP flow rule's action is set to allow, the flow rule's traffic flow direction matching criteria must be set to outbound.
- If the system-level IP flow rule's traffic flow direction matching criteria is set to outbound, the flow rule's action must be set to allow or drop.

See action allow (conf-system-ip-flow context) on page 257 and action drop (conf-system-ip-flow context) on page 256 for more information about the allow and drop actions.

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command activates the system-level IP flow rule called testsysipflow:

CBS(conf-system-ip-flow)# activate
CBS(conf-system-ip-flow)#

The NPM now applies this system-level IP flow rule's action to all new IP flows that match the conditions defined in the packet matching criteria for the system-level IP flow rule.

show (conf-system-ip-flow context)


Displays the current configuration settings for the system-level IP flow rule that you are configuring.

Syntax
show

Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.

Output
The output for this command has the following format:

System IP Flow Rule                 : <IP_flow_rule_name>
Destination Address                 : {<IP_address> | <IP_address>/<0-32>}
Destination Address High            : 255.255.255.255
Destination Port                    : <port_number>
Destination Port High               : 65535
Source Address                      : {<IP_address> | <IP_address>/<0-32>}
Source Address High                 : 255.255.255.255
Source Port                         : <port_number>
Source Port High                    : 65535
Incoming Circuit Group              : <ICG_number>
Protocol                            : <protocol_number>
Protocol High                       : 255
Domain                              : <domain_ID_number>
Domain High                         : 4095
Action                              : {drop | allow | pass-to-masters | broadcast}
Activate (true/false)               : {t | f}
Priority                            : <priority_level>
Skip Protocol (true/false)          : {t | f}
Skip Port (true/false)              : {t | f}
Skip Port Protocol (true/false)     : {t | f}
Timeout                             : {auto | <idle_flow_timeout_interval>}
Trace (true/false)                  : {t | f}
Generate Reversed Flow(true/false)  : {t | f}
Direction                           : {outbound | inbound | both}
(1 row)

The following table describes the information provided in each column/row.

Column/Row Heading    Information Provided

System IP Flow Rule

Name of the system-level IP flow rule. See configure system-ip-flow-rule on page 255 for information on assigning a name to a new system-level IP flow rule.

Destination Address

Destination IP address matching criteria for the system-level IP flow rule. This row may display one of the following:
- 0.0.0.0: Default value. Defines the lowest IP address that meets the destination IP address matching criteria. In this case, the highest matching destination IP address is 255.255.255.255. The NPM applies the system-level IP flow rule's action without considering a packet's destination IP address.
- Single, non-zero IP address: NPM applies the system-level IP flow rule's action only to IP packets that have the specified destination IP address.
- IP network address displayed in CIDR format: NPM applies the system-level IP flow rule's action only to IP packets whose destination IP address matches one of the IP addresses that belong to the specified IP network.
See destination-addr (conf-system-ip-flow context) on page 264 for information on configuring destination IP address matching criteria for a system-level IP flow rule.

Destination Address High

This row shows the default address if the user has not defined destination IP address matching criteria for the system-level IP flow rule. This row may display one of the following:
- 255.255.255.255: Default value. Defines the highest IP address that meets the destination IP address matching criteria. In this case, the highest matching destination IP address is 255.255.255.255. In this case, the Destination Address is 0.0.0.0 and Destination Address High is 255.255.255.255. This indicates that the flow rule's destination IP address matching criteria includes all IP addresses from 0.0.0.0 to 255.255.255.255 (that is, all IP addresses). The NPM applies the system-level IP flow rule's action without considering a packet's destination IP address.
- Single, non-zero IP address: NPM applies the system-level IP flow rule's action only to IP packets within the range specified by the destination IP address and the destination high IP address.
See destination-addr (conf-system-ip-flow context) on page 264 for information on configuring destination IP address matching criteria for a system-level IP flow rule.

Destination Port

Destination port matching criteria for the system-level IP flow rule. This row may display one of the following:
- 0: Default value. Defines the lowest port number that meets the destination port matching criteria. In this case, the highest matching destination port number is 65535. The NPM applies the system-level IP flow rule's action without considering a packet's destination port number.
- Single, non-zero port number: NPM applies the system-level IP flow rule's action only to IP packets that have the specified destination port number.
See destination-port (conf-system-ip-flow context) on page 267 for information on configuring destination port matching criteria for a system-level IP flow rule.

Destination Port High

This row appears only if the user has not defined destination port matching criteria for the system-level IP flow rule. In this case, the Destination Port is 0 and Destination Port High is 65535. This indicates that the flow rule's destination port matching criteria includes all port numbers from 0 to 65535 (that is, all valid port numbers). The NPM applies the system-level IP flow rule's action without considering a packet's destination port number. See destination-port (conf-system-ip-flow context) on page 267 for information on configuring destination port matching criteria for a system-level IP flow rule.

Source Address

Source IP address matching criteria for the system-level IP flow rule. This row may display one of the following:
- 0.0.0.0: Default value. Defines the lowest IP address that meets the source IP address matching criteria for the system-level IP flow rule. In this case, the highest matching source IP address is 255.255.255.255. The NPM applies the system-level IP flow rule's action without considering a packet's source IP address.
- Single, non-zero IP address: NPM applies the system-level IP flow rule's action only to IP packets that have the specified source IP address.
- IP network address displayed in CIDR format: NPM applies the system-level IP flow rule's action only to IP packets whose source IP address matches one of the IP addresses that belong to the specified IP network.
See source-addr (conf-system-ip-flow context) on page 263 for information on configuring source IP address matching criteria for a system-level IP flow rule.

Source Address High

This row appears only if the user has not defined source IP address matching criteria for the system-level IP flow rule. In this case, the Source Address is 0.0.0.0 and Source Address High is 255.255.255.255. This indicates that the system-level IP flow rule's source IP address matching criteria includes all IP addresses from 0.0.0.0 to 255.255.255.255 (that is, all IP addresses). The NPM applies the system-level IP flow rule's action without considering a packet's source IP address. See source-addr (conf-system-ip-flow context) on page 263 for information on configuring source IP address matching criteria for a system-level IP flow rule.

Source Port

Source port matching criteria for the system-level IP flow rule. This row may display one of the following:
- 0: Default value. Defines the lowest port number that meets the source port matching criteria for the flow rule. In this case, the highest matching source port number is 65535. The NPM applies the system-level IP flow rule's action without considering a packet's source port number.
- Single, non-zero port number: NPM applies the system-level IP flow rule's action only to IP packets that have the specified source port number.
See source-port (conf-system-ip-flow context) on page 266 for information on configuring source port matching criteria for a system-level IP flow rule.

Source Port High

This row appears only if the user has not defined source port matching criteria for the system-level IP flow rule. In this case, the Source Port is 0 and Source Port High is 65535. This indicates that the system-level IP flow rule's source port matching criteria includes all port numbers from 0 to 65535 (that is, all valid port numbers). The NPM applies the system-level IP flow rule's action without considering a packet's source port number. See source-port (conf-system-ip-flow context) on page 266 for information on configuring source port matching criteria for a system-level IP flow rule.

Incoming Circuit Group

Incoming circuit group (ICG) matching criteria for the system-level IP flow rule. The NPM applies the system-level IP flow rule's action only to IP packets with the specified ICG number. Default is 1. See incoming-circuit-group (conf-system-ip-flow context) on page 271 for information on setting ICG matching criteria for a system-level IP flow rule.

Protocol

Protocol matching criteria for the system-level IP flow rule. This row may display one of the following:
- 1: Default value. Defines the lowest protocol number that meets the protocol matching criteria for the flow rule. In this case, the highest matching protocol number is 255. The NPM applies the system-level IP flow rule's action without considering a packet's protocol number.
- Single, non-zero protocol number: NPM applies the system-level IP flow rule's action only to IP packets that have the specified protocol number.
See protocol (conf-system-ip-flow context) on page 268 for information on configuring protocol matching criteria for a system-level IP flow rule.

Protocol High

This row appears only if the user has not defined protocol matching criteria for the system-level IP flow rule. In this case, the Protocol is 1 and Protocol High is 255. This indicates that the system-level IP flow rule's protocol matching criteria includes all protocol numbers from 1 to 255 (that is, all valid protocol numbers). The NPM applies the system-level IP flow rule's action without considering a packet's protocol number. See protocol (conf-system-ip-flow context) on page 268 for information on configuring protocol matching criteria for a system-level IP flow rule.

Domain

Domain matching criteria for the system-level IP flow rule. This row may display one of the following:
- 1: Default value. Defines the lowest domain ID number that meets the domain matching criteria for the system-level IP flow rule. In this case, the highest matching domain ID number is 4095. The NPM applies the system-level IP flow rule's action without considering a packet's domain ID number.
- Single, non-zero domain ID number: NPM applies the system-level IP flow rule's action only to IP packets that have the specified domain ID number.
See domain (conf-system-ip-flow context) on page 270 for information on configuring domain matching criteria for a system-level IP flow rule.

Domain High

This row appears only if the user has not defined domain matching criteria for the system-level IP flow rule. In this case, the Domain is 1 and Domain High is 4095. This indicates that the system-level IP flow rule's domain matching criteria includes all domain ID numbers from 1 to 4095 (that is, all valid domain ID numbers). The NPM applies the system-level IP flow rule's action without considering a packet's domain ID number. See domain (conf-system-ip-flow context) on page 270 for information on configuring domain matching criteria for a system-level IP flow rule.

Action

Specifies the action configured for the system-level IP flow rule (drop, allow, pass-to-masters or broadcast). Default is drop. See the following sections for information on configuring an action for a system-level IP flow rule:
- action drop (conf-system-ip-flow context) on page 256
- action allow (conf-system-ip-flow context) on page 257
- action pass-to-masters (conf-system-ip-flow context) on page 258
- action broadcast (conf-system-ip-flow context) on page 259

Activate (true/false)

Indicates whether the system-level IP flow rule is activated (t) or deactivated (f). Default is deactivated (f). See activate (conf-system-ip-flow context) on page 277 for information on activating and deactivating a system-level IP flow rule.

Priority

Priority level assigned to the system-level IP flow rule. Default is 10, which is the lowest valid priority level. See priority (conf-system-ip-flow context) on page 276 for information about setting priority levels for the system-level IP flow rules configured on an X-Series Platform.

Skip Protocol (true/false)

Indicates whether skip-protocol is enabled (t) or disabled (f) for the system-level IP flow rule. Default is enabled (t). See skip-port-protocol (conf-system-ip-flow context) on page 261 for information on enabling or disabling skip-protocol.

Skip Port (true/false)

Indicates whether skip-port is enabled (t) or disabled (f) for the system-level IP flow rule. Default is enabled (t). See skip-port-protocol (conf-system-ip-flow context) on page 261 for information on enabling or disabling skip-port.

Skip Port Protocol (true/false)

Indicates whether skip-port-protocol is enabled (t) or disabled (f) for the system-level IP flow rule. Default is enabled (t). See skip-port-protocol (conf-system-ip-flow context) on page 261 for information on enabling and disabling skip-port-protocol for a system-level IP flow rule.

Timeout

Displays the idle flow timeout interval configuration for the system-level IP flow rule. This row may display one of the following:
- auto: Default value. Indicates that the NPM's IP flow classifier assigns an appropriate idle flow timeout interval to every new IP flow that meets the matching criteria defined for the system-level IP flow rule.
- Idle flow time interval keyword: A keyword that indicates the user-defined idle flow timeout interval configured for the system-level IP flow rule. The NPM applies the user-defined idle flow timeout interval to each IP flow that meets the matching criteria defined in the system-level IP flow rule.
See timeout (conf-system-ip-flow context) on page 273 for information on configuring an idle flow timeout interval for a system-level IP flow rule.

Trace (true/false)

Indicates whether packet tracing is enabled (t) or disabled (f) for IP packets that match the conditions defined in the packet matching criteria for the system-level IP flow rule. Default is disabled (f). See trace (conf-system-ip-flow context) on page 275 for information on enabling and disabling packet tracing for a system-level IP flow rule.

Generate Reversed Flow

Indicates whether bi-directional flow matching is enabled (t) or disabled (f) for the system-level IP flow rule. Default is disabled (f). See generate-reversed-flow (conf-system-ip-flow context) on page 262 for information on enabling and disabling bi-directional flow matching for a system-level IP flow rule.

Direction

Indicates the IP flow direction matching criteria defined for the system-level IP flow rule. This row displays one of the following keywords:
- both: Default setting. Direction matching criteria includes both inbound and outbound IP flows. The NPM applies the system-level IP flow rule to IP packets without considering whether the packet is coming into or out of the X-Series Platform.
- inbound: IP flow direction matching criteria includes only inbound IP flows. The NPM applies the system-level IP flow rule only to IP packets coming into the X-Series Platform.
- outbound: IP flow direction matching criteria includes only outbound IP flows. The NPM applies the system-level IP flow rule only to IP packets exiting the X-Series Platform.
See direction (conf-system-ip-flow context) on page 259 for information on setting IP flow direction matching criteria for a system-level IP flow rule.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:

CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#

The following command displays the configuration settings for the system-level IP flow rule called testsysipflow.

NOTE: The example output displays the configuration settings that you would create for testsysipflow if you issued all the example commands that we have provided throughout this section.

CBS(conf-system-ip-flow)# show
System IP Flow Rule                 : testsysipflow
Destination Address                 : 1.1.1.35
Destination Address High            : 255.255.255.255
Destination Port                    : 25
Destination Port High               : 65535
Source Address                      : 1.1.1.20
Source Address High                 : 255.255.255.255
Source Port                         : 25
Source Port High                    : 65535
Incoming Circuit Group              : 2
Protocol                            : 41
Protocol High                       : 255
Domain                              : 2
Domain High                         : 4095
Action                              : allow
Activate (true/false)               : t
Priority                            : 15
Skip Protocol (true/false)          : f
Skip Port (true/false)              : f
Skip Port Protocol (true/false)     : f
Timeout                             : 10-minutes
Trace (true/false)                  : t
Generate Reversed Flow (true/false) : t
Direction                           : outbound
Core Assignment                     : random-single-core
(1 row)
CBS(conf-system-ip-flow)#

configure system-non-ip-flow-rule
Creates or configures a system-level non-IP flow rule for the X-Series Platform. Places you into a context in which you can configure and activate the specified system-level non-IP flow rule. The NPM uses system-level non-IP flow rules to determine how to process each non-IP traffic flow (such as an IPX or Spanning Tree Protocol traffic flow) that arrives on a logical interface configured on the X-Series Platform. Each system-level non-IP flow rule is comprised of an action and a set of packet matching criteria. The NPM performs the action on flows that match the conditions defined in the packet matching criteria. For example, you can create a system-level non-IP flow rule that instructs the NPM to send all Spanning-Tree-Protocol-related traffic to the master VAP in every VAP group configured on the X-Series Platform. You must configure each system-level non-IP flow rule with one of three link encapsulation types: ethernet Enables the NPM to process Ethernet encapsulated packets. Configures the NPM to apply the system-level non-IP flow rules action only to Ethernet encapsulated packets that meet the flow rules destination Ethernet protocol matching criteria. lsap Enables the NPM to process LSAP encapsulated packets. Configures the NPM to apply the system-level non-IP flow rules action only to LSAP encapsulated packets that meet the flow rules Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) matching criteria. snap Enables the NPM to process SNAP encapsulated packets. Configures the NPM to apply the system-level non-IP flow rules action only to SNAP encapsulated packets that meet the flow rules destination Ethernet protocol and Organization Unique Identifier (OUI) matching criteria. NOTE: By default, the link encapsulation type for all system-level non-IP flow rules is ethernet, and the destination Ethernet protocol matching criteria is set to any Ethernet protocol number. 
Use the show (conf-system-non-ip-flow context) command to display the link encapsulation type and packet matching criteria defined for the system-level non-IP flow that you are configuring. You must activate a system-level non-IP flow rule before it will take effect. By default, system-level non-IP flow rules are not activated. See activate (conf-system-non-ip-flow context) on page 296 for instructions on activating the system-level non-IP flow rule that you are configuring. Use the no parameter to delete the specified system-level non-IP flow rule.

Use the show (conf-system-non-ip-flow context) command to display the current configuration for the system-level non-IP flow rule that you are configuring. Use the show system-non-ip-flow-rule command to display all system-level non-IP flow rules currently configured on the X-Series Platform.

Syntax
configure [no] system-non-ip-flow-rule <non_IP_flow_rule_name>

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the conf-system-non-ip-flow context in which you can configure and activate the specified system-level non-IP flow rule. You can access the following commands from this context:

action drop (conf-system-non-ip-flow context) on page 289
action pass-to-masters (conf-system-non-ip-flow context) on page 290
action broadcast (conf-system-non-ip-flow context) on page 291
encapsulation ethernet (conf-system-non-ip-flow context) on page 292
encapsulation lsap (conf-system-non-ip-flow context) on page 293
encapsulation snap (conf-system-non-ip-flow context) on page 295
activate (conf-system-non-ip-flow context) on page 296
show (conf-system-non-ip-flow context) on page 297

Parameters
The following table lists the parameters used with this command.

Parameter: <non_IP_flow_rule_name>
Description: Name assigned to the system-level non-IP flow rule that you want to create or configure.

Restrictions
Default Privilege Level: 15

Example
The following command creates a system-level non-IP flow rule called testsysnonipflow and places you in the context in which you can configure and activate that system-level non-IP flow rule:

CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#

action drop (conf-system-non-ip-flow context)


Sets the action to drop for the system-level non-IP flow rule that you are configuring. The NPM drops all non-IP packets that match the conditions defined in the system-level non-IP flow rule's packet matching criteria. Use the show (conf-system-non-ip-flow context) command to display the conditions defined in the packet matching criteria for the system-level non-IP flow rule that you are configuring.

NOTE: The default action for all system-level non-IP flow rules is drop.

Use the show (conf-system-non-ip-flow context) command to display the action for the system-level non-IP flow rule that you are configuring.

Syntax
action drop

Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:

CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#

The following command sets the action for the system-level non-IP flow rule called testsysnonipflow to drop:

CBS(conf-system-non-ip-flow)# action drop
CBS(conf-system-non-ip-flow)#

The NPM drops all non-IP packets that match the conditions defined in the packet matching criteria for the system-level non-IP flow rule called testsysnonipflow.

action pass-to-masters (conf-system-non-ip-flow context)


Sets the action to pass-to-masters for the system-level non-IP flow rule that you are configuring. When the NPM encounters a non-IP packet that matches the conditions defined in the system-level non-IP flow rule's packet matching criteria, the NPM passes that non-IP packet to the master VAP in every VAP group configured on the X-Series Platform. Use the show (conf-system-non-ip-flow context) command to display the conditions defined in the packet matching criteria for the system-level non-IP flow rule that you are configuring.

NOTE: The default action for all system-level non-IP flow rules is drop. See action drop (conf-system-non-ip-flow context) on page 289 for more information about this action.

Use the show (conf-system-non-ip-flow context) command to display the action for the system-level non-IP flow rule that you are configuring.

Syntax
action pass-to-masters

Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:

CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#

The following command sets the action for the system-level non-IP flow rule called testsysnonipflow to pass-to-masters:

CBS(conf-system-non-ip-flow)# action pass-to-masters
CBS(conf-system-non-ip-flow)#

When the NPM encounters a non-IP packet that matches the conditions defined in the packet matching criteria for the system-level non-IP flow rule called testsysnonipflow, the NPM passes that non-IP packet to the master VAP in every VAP group configured on the X-Series Platform.

action broadcast (conf-system-non-ip-flow context)


Sets the action to broadcast for the system-level non-IP flow rule that you are configuring. When the NPM encounters a non-IP packet that matches the conditions defined in the system-level non-IP flow rule's packet matching criteria, the NPM passes that non-IP packet to every VAP in every VAP group configured on the X-Series Platform. Use the show (conf-system-non-ip-flow context) command to display the conditions defined in the packet matching criteria for the system-level non-IP flow rule that you are configuring.

NOTE: The default action for all system-level non-IP flow rules is drop. See action drop (conf-system-non-ip-flow context) on page 289 for more information about this action.

Use the show (conf-system-non-ip-flow context) command to display the action for the system-level non-IP flow rule that you are configuring.

Syntax
action broadcast

Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:

CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#

The following command sets the action for the system-level non-IP flow rule called testsysnonipflow to broadcast:

CBS(conf-system-non-ip-flow)# action broadcast
CBS(conf-system-non-ip-flow)#

When the NPM encounters a non-IP packet that matches the conditions defined in the packet matching criteria for the system-level non-IP flow rule called testsysnonipflow, the NPM passes that non-IP packet to every VAP in every VAP group configured on the X-Series Platform.

encapsulation ethernet (conf-system-non-ip-flow context)


Sets the link encapsulation type to ethernet and defines destination Ethernet protocol matching criteria for the system-level non-IP flow rule that you are configuring. The NPM applies the system-level non-IP flow rule only to Ethernet encapsulated packets that meet the specified destination Ethernet protocol matching criteria. Use the show (conf-system-non-ip-flow context) command to display the destination Ethernet protocol matching criteria for the system-level non-IP flow rule that you are configuring.

By default, the destination Ethernet protocol matching criteria is set to any Ethernet protocol number. The NPM applies the system-level non-IP flow rule to all Ethernet encapsulated packets. To restore this default behavior, use the encapsulation ethernet any command.

NOTE: The default link encapsulation type for all system-level non-IP flow rules is ethernet.

Use the show (conf-system-non-ip-flow context) command to display the link encapsulation type and packet matching criteria defined for the system-level non-IP flow that you are configuring.

Syntax
encapsulation ethernet {any | type <Ethernet_protocol_number>}

Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

Parameter: any
Description: Sets the flow rule's destination Ethernet protocol matching criteria to any Ethernet protocol number. The NPM applies the system-level non-IP flow rule's action to all Ethernet encapsulated packets. This is the default behavior for all system-level non-IP flow rules configured with the link encapsulation type, ethernet.

Parameter: type <Ethernet_protocol_number>
Description: Configures the flow rule's destination Ethernet protocol matching criteria to include only the specified Ethernet protocol number. The NPM applies the system-level non-IP flow rule's action only to Ethernet encapsulated packets whose destination Ethernet protocol number matches the specified Ethernet protocol number. Valid values are from 1519 to 65535, except for 2048 and 2054.

Restrictions
Default Privilege Level: 15

2048 and 2054 are not valid values for destination Ethernet protocol matching criteria for system-level non-IP flow rules.

Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:

CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#

The following command sets the link encapsulation type for the system-level non-IP flow rule called testsysnonipflow to ethernet and configures the flow rule's destination Ethernet protocol matching criteria to include only Ethernet protocol number 2000:

CBS(conf-system-non-ip-flow)# encapsulation ethernet type 2000
CBS(conf-system-non-ip-flow)#

The NPM applies the system-level non-IP flow rule called testsysnonipflow only to Ethernet encapsulated packets whose destination Ethernet protocol number is 2000.

encapsulation lsap (conf-system-non-ip-flow context)


Sets the link encapsulation type to lsap and defines Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) matching criteria for the system-level non-IP flow rule that you are configuring. The NPM applies the system-level non-IP flow rule's action only to LSAP encapsulated packets that meet the specified DSAP and SSAP matching criteria. Use the show (conf-system-non-ip-flow context) command to display the DSAP and SSAP matching criteria for the system-level non-IP flow rule that you are configuring.

By default, the DSAP matching criteria is set to any destination service access point number, and the SSAP matching criteria is set to any source service access point number. The NPM applies the system-level non-IP flow rule's action to all LSAP encapsulated packets. To restore this default behavior, use the encapsulation lsap any command.

NOTE: The default link encapsulation type for all system-level non-IP flow rules is ethernet. See encapsulation ethernet (conf-system-non-ip-flow context) on page 292 for more information about this link encapsulation type.

Use the show (conf-system-non-ip-flow context) command to display the link encapsulation type for the system-level non-IP flow rule that you are configuring.

Syntax
encapsulation lsap {any | dsap <DSAP_number> ssap <SSAP_number>}

Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

Parameter: any
Description: Sets the flow rule's DSAP and SSAP matching criteria to any destination service access point number and any source service access point number. The NPM applies the system-level non-IP flow rule's action to all LSAP encapsulated packets. This is the default behavior for all system-level non-IP flow rules configured with the link encapsulation type, lsap.

Parameter: dsap <DSAP_number>
Description: Configures the flow rule's Destination Service Access Point (DSAP) matching criteria to include only the specified DSAP number. The NPM applies the system-level non-IP flow rule's action only to LSAP encapsulated packets whose DSAP number matches the specified DSAP number. Valid values are from 0 to 255.

Parameter: ssap <SSAP_number>
Description: Configures the flow rule's Source Service Access Point (SSAP) matching criteria to include only the specified SSAP number. The NPM applies the system-level non-IP flow rule's action only to LSAP encapsulated packets whose SSAP number matches the specified SSAP number. Valid values are from 0 to 255.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:

CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#

The following command sets the link encapsulation type for the system-level non-IP flow rule called testsysnonipflow to lsap, configures the flow rule's DSAP matching criteria to include only DSAP number 10, and configures the flow rule's SSAP matching criteria to include only SSAP number 15:

CBS(conf-system-non-ip-flow)# encapsulation lsap dsap 10 ssap 15
CBS(conf-system-non-ip-flow)#

The NPM applies the system-level non-IP flow rule called testsysnonipflow only to LSAP encapsulated packets with Destination Service Access Point number 10 and Source Service Access Point number 15.

encapsulation snap (conf-system-non-ip-flow context)


Sets the link encapsulation type to snap and defines destination SNAP protocol and Organization Unique Identifier (OUI) matching criteria for the system-level non-IP flow rule that you are configuring. The NPM applies the system-level non-IP flow rule only to SNAP encapsulated packets that meet the specified destination Ethernet protocol and OUI matching criteria. Use the show (conf-system-non-ip-flow context) command to display the destination Ethernet protocol and OUI matching criteria for the system-level non-IP flow rule that you are configuring.

By default, the destination Ethernet protocol matching criteria is set to any Ethernet protocol number and the OUI matching criteria is set to 0. (No OUI matching criteria are used.) The NPM applies the system-level non-IP flow rule's action to all SNAP encapsulated packets.

NOTE: The default link encapsulation type for all system-level non-IP flow rules is ethernet. See encapsulation ethernet (conf-system-non-ip-flow context) on page 292 for more information about this link encapsulation type.

Use the show (conf-system-non-ip-flow context) command to display the link encapsulation type for the system-level non-IP flow rule that you are configuring.

Syntax
encapsulation snap {any | type <Ethernet_protocol_number> [oui <OUI_number>]}

Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.

Parameters
The following table lists the parameters used with this command.

Parameter: any
Description: Sets the flow rule's destination Ethernet protocol matching criteria to any Ethernet protocol number and sets the OUI matching criteria to 0. (No OUI matching criteria are used.) The NPM applies the system-level non-IP flow rule's action to all SNAP encapsulated packets. This is the default behavior for all system-level non-IP flow rules configured with the link encapsulation type, snap.

Parameter: type <Ethernet_protocol_number>
Description: Sets the flow rule's destination Ethernet protocol matching criteria to include only the specified Ethernet protocol number. The NPM applies the system-level non-IP flow rule's action only to SNAP encapsulated packets whose destination Ethernet protocol number matches the specified Ethernet protocol number. Valid values are from 1519 to 65535.

Parameter: oui <OUI_number>
Description: Sets the flow rule's Organization Unique Identifier (OUI) matching criteria to include only the specified OUI number. The NPM applies the system-level non-IP flow rule's action only to SNAP encapsulated packets whose OUI number matches the specified OUI number. Valid values are from 0-16777215. Default is 0. (Do not include OUI number matching criteria in the packet matching criteria definition.)

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:

CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#

The following command sets the link encapsulation type for the system-level non-IP flow rule called testsysnonipflow to snap, configures the flow rule's destination Ethernet protocol matching criteria to include only Ethernet protocol number 2000, and configures the flow rule's OUI matching criteria to include only OUI number 10:

CBS(conf-system-non-ip-flow)# encapsulation snap type 2000 oui 10
CBS(conf-system-non-ip-flow)#

The NPM applies the system-level non-IP flow rule called testsysnonipflow only to SNAP encapsulated packets whose destination Ethernet protocol number is 2000 and whose Organization Unique Identifier is 10.
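
The following Python example is added here and is not part of the Crossbeam guide or of XOS. It models the three link encapsulation types (ethernet, lsap, snap) with the parameter ranges and defaults listed in the sections above, and checks constructed sample frames against a rule. Assumptions: the class and function names are hypothetical, frames are untagged, and frame classification follows standard IEEE 802.3/802.2 framing rather than any documented NPM behavior.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ACTIONS = ("drop", "pass-to-masters", "broadcast")


@dataclass
class NonIpFlowRule:
    """Hypothetical model of one system-level non-IP flow rule."""
    name: str
    encapsulation: str = "ethernet"  # guide default
    eth_type: Optional[int] = None   # None means "any"
    dsap: Optional[int] = None       # None means "any"
    ssap: Optional[int] = None
    oui: int = 0                     # 0 means no OUI matching
    action: str = "drop"             # guide default
    active: bool = False             # guide default: not activated

    def validate(self) -> None:
        """Enforce the value ranges given in the guide's parameter tables."""
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.encapsulation in ("ethernet", "snap"):
            if self.eth_type is not None and not 1519 <= self.eth_type <= 65535:
                raise ValueError("type must be 1519-65535")
            # 2048 (IPv4) and 2054 (ARP) are rejected for ethernet rules.
            if self.encapsulation == "ethernet" and self.eth_type in (2048, 2054):
                raise ValueError("2048 and 2054 are not valid here")
            if not 0 <= self.oui <= 16777215:
                raise ValueError("oui must be 0-16777215")
        elif self.encapsulation == "lsap":
            if (self.dsap is None) != (self.ssap is None):
                raise ValueError("give both dsap and ssap, or neither (any)")
            if self.dsap is not None and not (
                0 <= self.dsap <= 255 and 0 <= self.ssap <= 255
            ):
                raise ValueError("dsap and ssap must be 0-255")
        else:
            raise ValueError(f"unknown encapsulation {self.encapsulation!r}")


def classify(frame: bytes):
    """Return (encapsulation, fields) for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (field,) = struct.unpack_from("!H", frame, 12)
    if field > 1500:                 # value is a protocol number, not a length
        return ("ethernet", {"type": field})
    if len(frame) < 17:
        raise ValueError("truncated LLC header")
    dsap, ssap, control = frame[14], frame[15], frame[16]
    if (dsap, ssap, control) == (0xAA, 0xAA, 0x03):   # SNAP extension follows
        if len(frame) < 22:
            raise ValueError("truncated SNAP header")
        oui = int.from_bytes(frame[17:20], "big")
        (ptype,) = struct.unpack_from("!H", frame, 20)
        return ("snap", {"oui": oui, "type": ptype})
    return ("lsap", {"dsap": dsap, "ssap": ssap})


def matches(rule: NonIpFlowRule, frame: bytes) -> bool:
    """True if the frame meets the rule's packet matching criteria."""
    encap, fields = classify(frame)
    if encap != rule.encapsulation:
        return False
    if encap == "lsap":
        return rule.dsap is None or (fields["dsap"], fields["ssap"]) == (
            rule.dsap, rule.ssap)
    if rule.eth_type is not None and fields["type"] != rule.eth_type:
        return False
    if encap == "snap" and rule.oui != 0 and fields["oui"] != rule.oui:
        return False
    return True


def decide(rule: NonIpFlowRule, frame: bytes) -> Optional[str]:
    """Action the rule applies to the frame, or None if it does not apply."""
    rule.validate()
    return rule.action if rule.active and matches(rule, frame) else None


def header(length_or_type: int) -> bytes:
    """Constructed 14-byte header: destination MAC, source MAC, length/type."""
    dst = bytes.fromhex("0180c2000000")
    src = bytes.fromhex("020000000001")
    return dst + src + struct.pack("!H", length_or_type)


# Constructed sample frames (not captured traffic).
STP_FRAME = header(38) + bytes([0x42, 0x42, 0x03]) + bytes(35)   # LLC SAP 66/66
ETH_FRAME = header(2000) + bytes(46)                             # type 2000
SNAP_FRAME = (header(30) + bytes([0xAA, 0xAA, 0x03]) + (10).to_bytes(3, "big")
              + struct.pack("!H", 2000) + bytes(22))             # OUI 10

if __name__ == "__main__":
    stp_rule = NonIpFlowRule("stp", "lsap", dsap=66, ssap=66,
                             action="pass-to-masters", active=True)
    for label, frame in (("stp", STP_FRAME), ("eth", ETH_FRAME),
                         ("snap", SNAP_FRAME)):
        print(label, classify(frame), decide(stp_rule, frame))
```

A rule left at its defaults (ethernet, any, drop, not activated) returns None for every frame here, because an inactive rule is never applied.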

activate (conf-system-non-ip-flow context)


Activates or deactivates (using no) the system-level non-IP flow rule that you are configuring. By default, all system-level non-IP flow rules are deactivated.

IMPORTANT: The NPM only applies active system-level non-IP flow rules to new non-IP flows.

Use the show (conf-system-non-ip-flow context) command to determine whether the system-level non-IP flow rule that you are configuring has been activated.

Syntax
[no] activate

Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:

CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#

The following command activates the system-level non-IP flow rule called testsysnonipflow:

CBS(conf-system-non-ip-flow)# activate
CBS(conf-system-non-ip-flow)#

The NPM now applies this system-level non-IP flow rule's action to all new non-IP flows that use the flow rule's link encapsulation type and that match the conditions defined in the flow rule's packet matching criteria.

show (conf-system-non-ip-flow context)


Displays the current configuration for the system-level non-IP flow rule that you are currently configuring.

Syntax
show

Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.

Output
This command displays information about a system-level non-IP flow rule using one of the following formats:

Output for system-level non-IP flow rules with a link encapsulation type, ethernet:

System Non IP Flow Rule : <non_IP_flow_rule_name>
Encapsulation           : ethernet
Type                    : <destination_Ethernet_protocol_number>
Action                  : {drop | pass-to-masters | broadcast}
Activate (true/false)   : {t | f}
(1 row)

Output for system-level non-IP flow rules with a link encapsulation type, lsap:

System Non IP Flow Rule : <non_IP_flow_rule_name>
Encapsulation           : lsap
Type                    : 10/15 (dsap/ssap)
Action                  : {drop | pass-to-masters | broadcast}
Activate (true/false)   : {t | f}
(1 row)

Output for system-level non-IP flow rules with a link encapsulation type, snap:

System Non IP Flow Rule : <non_IP_flow_rule_name>
Encapsulation           : snap
Type                    : <destination_Ethernet_protocol_number>
OUI                     : <OUI_number>
Action                  : {drop | pass-to-masters | broadcast}
Activate (true/false)   : {t | f}
(1 row)

The following table describes the information provided in each column/row.

Column/Row Heading: System Non IP Flow Rule
Information Provided: Name assigned to the system-level non-IP flow rule. See configure system-non-ip-flow-rule on page 287 for information on assigning a name to a new system-level non-IP flow rule.

Column/Row Heading: Encapsulation
Information Provided: Link encapsulation type (ethernet, lsap, or snap) defined for the system-level non-IP flow rule. Default is ethernet. Refer to the following three sections for information about each link encapsulation type:
encapsulation ethernet (conf-system-non-ip-flow context) on page 292
encapsulation lsap (conf-system-non-ip-flow context) on page 293
encapsulation snap (conf-system-non-ip-flow context) on page 295

Column/Row Heading: Type (when link encapsulation type is ethernet or snap)
Information Provided: Destination Ethernet protocol matching criteria defined for the system-level non-IP flow rule. This row displays one of the following types of destination Ethernet protocol matching criteria:
any: Default setting. Destination Ethernet protocol matching criteria is set to any Ethernet protocol number. The NPM applies the system-level non-IP flow rule's action to all Ethernet encapsulated packets or all SNAP encapsulated packets.
User-defined destination Ethernet protocol number: Destination Ethernet protocol matching criteria includes only the specified Ethernet protocol number. NPM applies the system-level non-IP flow rule's action only to Ethernet or SNAP encapsulated packets with the specified destination Ethernet protocol number.
See encapsulation ethernet (conf-system-non-ip-flow context) on page 292 for information on setting destination Ethernet protocol matching criteria for Ethernet encapsulation system-level non-IP flow rules. See encapsulation snap (conf-system-non-ip-flow context) on page 295 for information on setting destination Ethernet protocol matching criteria for SNAP encapsulation system-level non-IP flow rules.

Column/Row Heading: Type (when link encapsulation type is lsap)
Information Provided: Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) matching criteria defined for the system-level non-IP flow rule. This row displays one of the following types of DSAP and SSAP matching criteria:
any: Default setting. DSAP matching criteria is set to any DSAP number, and SSAP matching criteria is set to any SSAP number. The NPM applies the system-level non-IP flow rule's action to all LSAP encapsulated packets.
User-defined DSAP and SSAP numbers: DSAP and SSAP matching criteria includes only the specified DSAP and SSAP numbers. NPM applies the system-level non-IP flow rule's action only to LSAP encapsulated packets with the specified DSAP and SSAP numbers.
See encapsulation lsap (conf-system-non-ip-flow context) on page 293 for information on setting DSAP and SSAP matching criteria for LSAP encapsulation system-level non-IP flow rules.

Column/Row Heading: OUI
Information Provided: Organization Unique Identifier (OUI) matching criteria defined for the system-level non-IP flow rule. NPM applies the system-level non-IP flow rule's action only to SNAP encapsulated packets with the specified OUI number. NOTE: This row appears only if OUI matching criteria is defined for the system-level non-IP flow rule. See encapsulation snap (conf-system-non-ip-flow context) on page 295 for information on setting OUI matching criteria for SNAP encapsulation system-level non-IP flow rules.

Column/Row Heading: Action
Information Provided: Specifies the action for the system-level non-IP flow rule (drop, pass-to-masters, or broadcast). Default is drop. Refer to the following sections for information about these actions:
action drop (conf-system-non-ip-flow context) on page 289
action pass-to-masters (conf-system-non-ip-flow context) on page 290
action broadcast (conf-system-non-ip-flow context) on page 291

Column/Row Heading: Activate (true/false)
Information Provided: Specifies whether the system-level non-IP flow rule is activated (t) or deactivated (f). Default is deactivated (f). See activate (conf-system-non-ip-flow context) on page 296 for information on enabling and disabling system-level non-IP flow rules.

Restrictions
Default Privilege Level: 15

Examples
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:

CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#

The following command displays configuration settings for the system-level non-IP flow rule called testsysnonipflow, with that flow rule configured for Ethernet link encapsulation:

CBS(conf-system-non-ip-flow)# show
System Non IP Flow Rule : testsysnonipflow
Encapsulation           : ethernet
Type                    : 2000
Action                  : drop
Activate (true/false)   : t
(1 row)

The following command displays configuration settings for the system-level non-IP flow rule called testsysnonipflow, with that flow rule configured for LSAP link encapsulation:

CBS(conf-system-non-ip-flow)# show
System Non IP Flow Rule : testsysnonipflow
Encapsulation           : lsap
Type                    : 10/15 (dsap/ssap)
Action                  : drop
Activate (true/false)   : t
(1 row)

The following command displays configuration settings for the system-level non-IP flow rule called testsysnonipflow, with that flow rule configured for SNAP link encapsulation:

CBS(conf-system-non-ip-flow)# show
System Non IP Flow Rule : testsysnonipflow
Encapsulation           : snap
Type                    : 2000
OUI                     : 10
Action                  : drop
Activate (true/false)   : t
(1 row)

Commands for Configuring VAP-Group Level Flow Rules


This section describes the commands that you can use to create and configure flow rules for VAP groups configured on the X-Series Platform. This section contains the following command descriptions:

ip-flow-rule (config-vap-grp context) on page 302
action load-balance (ip-flow-rule context) on page 304
action drop (ip-flow-rule context) on page 305
action allow (ip-flow-rule context) on page 306
action pass-to-master (ip-flow-rule context) on page 307
action pass-to-vap (ip-flow-rule context) on page 308
action broadcast (ip-flow-rule context) on page 309
direction (ip-flow-rule context) on page 310
skip-port-protocol (ip-flow-rule context) on page 312
generate-reversed-flow (ip-flow-rule context) on page 312
source-addr (ip-flow-rule context) on page 314
destination-addr (ip-flow-rule context) on page 315
source-port (ip-flow-rule context) on page 317
destination-port (ip-flow-rule context) on page 318
protocol (ip-flow-rule context) on page 319
domain (ip-flow-rule context) on page 321
incoming-circuit-group (ip-flow-rule context) on page 322
timeout (ip-flow-rule context) on page 324
trace (ip-flow-rule context) on page 326
priority (ip-flow-rule context) on page 327
core-assignment (ip-flow-rule context) on page 329
activate (ip-flow-rule context) on page 330
show (ip-flow-rule context) on page 331
non-ip-flow-rule (config-vap-grp context) on page 340
action drop (non-ip-flow context) on page 342
action pass-to-master (non-ip-flow context) on page 342
action broadcast (non-ip-flow context) on page 343
encapsulation ethernet (non-ip-flow context) on page 345
encapsulation lsap (non-ip-flow context) on page 346
encapsulation snap (non-ip-flow context) on page 348
core-assignment (non-ip-flow-rule context) on page 350
activate (non-ip-flow context) on page 351
show (non-ip-flow context) on page 351

ip-flow-rule (config-vap-grp context)


Creates or configures an IP flow rule for the VAP group that you are configuring. Places you into a context in which you can configure and activate the specified IP flow rule. The NPM uses the IP flow rules configured for a VAP group to determine how to process IP traffic destined for the members of that VAP group.

NOTE: When you assign an IP address to a circuit configured for a VAP group, the X-Series Platform automatically creates default IP flow rules for that VAP group. Refer to the XOS Configuration Guide for more information about these default IP flow rules.

Each IP flow rule is comprised of an action and a set of packet matching criteria. The NPM performs the action on flows that match the conditions defined in the packet matching criteria. For example, you can create an IP flow rule that instructs the NPM to load balance all flows across all members of a VAP group, or you can create an IP flow rule that instructs the NPM to drop all packets that match a specific destination port. By default, when you create a new IP flow rule for a VAP group, XOS configures that new IP flow rule to match all IP flows assigned to that VAP group.

You must activate an IP flow rule before it will take effect. By default, IP flow rules are not activated. See activate (ip-flow-rule context) for instructions on activating an IP flow rule for the VAP group that you are configuring.

Use the no parameter to delete the specified IP flow rule. Use the show (ip-flow-rule context) command to display the current configuration for the IP flow rule that you are configuring. Use the show ip-flow-rule command to display all VAP group IP flow rules currently configured for the X-Series Platform.

Syntax
[no] ip-flow-rule <IP_flow_rule_name>

Contexts and Subcommands


You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command. This command places you in the ip-flow-rule context in which you can configure and activate the specified IP flow rule. You can access the following commands from this context:

action load-balance (ip-flow-rule context) on page 304
action drop (ip-flow-rule context) on page 305
action allow (ip-flow-rule context) on page 306
action pass-to-master (ip-flow-rule context) on page 307
action pass-to-vap (ip-flow-rule context) on page 308
action broadcast (ip-flow-rule context) on page 309
bypass-tcp-flow-setup-validation (ip-flow-rule context) on page 310
direction (ip-flow-rule context) on page 310
skip-port-protocol (ip-flow-rule context) on page 312
generate-reversed-flow (ip-flow-rule context) on page 312
source-addr (ip-flow-rule context) on page 314
destination-addr (ip-flow-rule context) on page 315
source-port (ip-flow-rule context) on page 317
destination-port (ip-flow-rule context) on page 318
protocol (ip-flow-rule context) on page 319
domain (ip-flow-rule context) on page 321
incoming-circuit-group (ip-flow-rule context) on page 322
timeout (ip-flow-rule context) on page 324
trace (ip-flow-rule context) on page 326
activate (ip-flow-rule context) on page 330
show (ip-flow-rule context) on page 331

Parameters
The following table lists the parameters used with this command.

Parameter: <IP_flow_rule_name>
Description: Name assigned to the IP flow rule that you want to create or configure for the VAP group that you are configuring.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#

The following command creates an IP flow rule for the VAP group called testvapgroup and places you in the context in which you can configure and activate that IP flow rule (called testiprule):

CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#


action load-balance (ip-flow-rule context)


Sets the action to load-balance for the VAP group IP flow rule that you are configuring. The NPM load-balances IP flows that match the conditions defined in the system-level IP flow rule's packet matching criteria across all members of the VAP group.

Use the show (ip-flow-rule context) command to display the conditions defined in the packet matching criteria for the IP flow rule that you are configuring.

NOTE: The default action for all VAP group IP flow rules is drop. See action drop (ip-flow-rule context) on page 305 for more information about this action.

Use the show (ip-flow-rule context) command to display the action for the IP flow rule that you are configuring.

Syntax
action load-balance

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command sets the action for the IP flow rule called testiprule to load-balance:

CBS(ip-flow-rule)# action load-balance
CBS(ip-flow-rule)#

The NPM load-balances all IP flows that match the conditions defined in the packet matching criteria for testiprule across all members of the VAP group called testvapgroup.


action drop (ip-flow-rule context)


Sets the action to drop for the VAP group IP flow rule that you are configuring. The NPM drops all IP packets destined for the VAP group that match the conditions defined in the IP flow rule's packet matching criteria.

Use the show (ip-flow-rule context) command to display the conditions defined in the packet matching criteria for the IP flow rule that you are configuring.

NOTE: The default action for all VAP group IP flow rules is drop.

Use the show (ip-flow-rule context) command to display the action for the IP flow rule that you are configuring.

Syntax
action drop

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command sets the action for the IP flow rule called testiprule to drop:

CBS(ip-flow-rule)# action drop
CBS(ip-flow-rule)#

The NPM drops all IP flows destined for the VAP group called testvapgroup that match the conditions defined in the packet matching criteria for testiprule.


action allow (ip-flow-rule context)


Sets the action to allow for the VAP group IP flow rule that you are configuring. The NPM allows all IP packets that match the conditions defined in the IP flow rule's packet matching criteria to pass through the VAP group and proceed to their destination IP addresses.

IMPORTANT: This action is only applicable to outbound IP traffic (IP traffic flowing out of the VAP group). If you configure an IP flow rule with the action allow command, you must also use the direction (ip-flow-rule context) command to configure the flow rule's packet matching criteria to match only outbound IP traffic.

Use the show (ip-flow-rule context) command to display the conditions defined in the packet matching criteria for the IP flow rule that you are configuring.

NOTE: The default action for all VAP group IP flow rules is drop. See action drop (ip-flow-rule context) on page 305 for more information about this action.

Use the show (ip-flow-rule context) command to display the action for the IP flow rule that you are configuring.

Syntax
action allow

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

If an IP flow rule's action is set to allow, the flow rule's traffic flow direction matching criteria must be set to outbound.

NOTE: If an IP flow rule does not meet this requirement, the CLI issues an error when you attempt to use the activate (ip-flow-rule context) command to activate that IP flow rule.

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command sets the action for the IP flow rule called testiprule to allow:

CBS(ip-flow-rule)# action allow
CBS(ip-flow-rule)#

The NPM allows all IP packets that match the conditions defined in the packet matching criteria for the IP flow rule called testsysipflow to pass through the VAP group called testvapgroup and proceed to their destination IP addresses.


action pass-to-master (ip-flow-rule context)


Sets the action to pass-to-master for the VAP group IP flow rule that you are configuring. When the NPM encounters an IP packet destined for the VAP group that matches the conditions defined in the IP flow rule's packet matching criteria, the NPM passes that IP packet to the master VAP in the VAP group.

Use the show (ip-flow-rule context) command to display the conditions defined in the packet matching criteria for the IP flow rule that you are configuring.

NOTE: The default action for all VAP group IP flow rules is drop. See action drop (ip-flow-rule context) on page 305 for more information about this action.

Use the show (ip-flow-rule context) command to display the action for the IP flow rule that you are configuring.

Syntax
action pass-to-master

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command sets the action for the IP flow rule called testiprule to pass-to-master:

CBS(ip-flow-rule)# action pass-to-master
CBS(ip-flow-rule)#

When the NPM encounters an IP packet destined for the VAP group called testvapgroup, and the IP packet matches the conditions defined in the packet matching criteria for the IP flow rule called testsysipflow, the NPM passes the IP packet to the master VAP in the VAP group called testvapgroup.


action pass-to-vap (ip-flow-rule context)


Sets the action to pass-to-vap for the VAP group IP flow rule that you are configuring. When the NPM encounters an IP packet destined for the VAP group that matches the conditions defined in the IP flow rule's packet matching criteria, the NPM passes that IP packet to the specified VAP in the VAP group.

Use the show (ip-flow-rule context) command to display the conditions defined in the packet matching criteria for the IP flow rule that you are configuring.

You use a VAP's index number to specify the VAP to which the NPM passes IP packets that match the conditions defined in the IP flow rule's packet matching criteria. Use the show ap-vap-mapping command to display the VAP index numbers assigned to the VAPs in a VAP group.

NOTE: The default action for all VAP group IP flow rules is drop. See action drop (ip-flow-rule context) on page 305 for more information about this action.

Use the show (ip-flow-rule context) command to display the action for the IP flow rule that you are configuring.

Syntax
action pass-to-vap <VAP_index_number>

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

Parameter: <VAP_index_number>
Description: Index number assigned to the VAP to which you want to send IP packets that match the conditions defined in the packet matching criteria for the VAP group IP flow rule that you are configuring.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command sets the action for the IP flow rule called testiprule to pass-to-vap 1:

CBS(ip-flow-rule)# action pass-to-vap 1
CBS(ip-flow-rule)#

When the NPM encounters an IP packet destined for the VAP group called testvapgroup, and the IP packet matches the conditions defined in the packet matching criteria for the IP flow rule called testsysipflow, the NPM passes the IP packet to VAP number 1 in the VAP group called testvapgroup.

action broadcast (ip-flow-rule context)


Sets the action to broadcast for the VAP group IP flow rule that you are configuring. When the NPM encounters an IP packet destined for the VAP group, and the IP packet matches the conditions defined in the packet matching criteria for the IP flow rule that you are configuring, the NPM passes the IP packet to every VAP in the VAP group.

Use the show (ip-flow-rule context) command to display the conditions defined in the packet matching criteria for the IP flow rule that you are configuring.

NOTE: The default action for all VAP group IP flow rules is drop. See action drop (ip-flow-rule context) on page 305 for more information about this action.

Use the show (ip-flow-rule context) command to display the action for the IP flow rule that you are configuring.

Syntax
action broadcast

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command sets the action for the IP flow rule called testiprule to broadcast:

CBS(ip-flow-rule)# action broadcast
CBS(ip-flow-rule)#

When the NPM encounters an IP packet destined for the VAP group called testvapgroup, and the IP packet matches the conditions defined in the packet matching criteria for the IP flow rule called testiprule, the NPM passes the IP packet to every VAP in the VAP group called testvapgroup.


bypass-tcp-flow-setup-validation (ip-flow-rule context)


Bypasses TCP validation during flow setup. Typically, bypass should be set when the topology prevents a flow's bidirectional symmetry (through the chassis). When validation is bypassed, the TCP sequence number is updated, and FIN and RST sequence numbers are validated before flow removal.

This parameter is set globally for the platform, and can be disabled per interface. When enabled globally, tcp-flow-validation can be disabled on a per flow rule basis, using bypass-tcp-flow-setup-validation. See the second example below.

Syntax
bypass-tcp-flow-setup-validation

Restrictions
Default Privilege Level: 15

Example
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# tcp-flow-validation
CBS(conf-rp-tcp-flow)# bypass-tcp-flow-setup-validation
CBS(conf-rp-tcp-flow)#

Example - disable per flow rule


CBS# configure vap-group <existing vap-group name>
CBS(config-vap-grp)# ip-flow-rule <existing-rule>
CBS(ip-flow-rule)# bypass-tcp-flow-setup-validation
CBS(ip-flow-rule)#

direction (ip-flow-rule context)


Configures the traffic flow direction matching criteria for the VAP group IP flow rule that you are configuring. Use this command to apply an IP flow rule's action only to IP traffic flowing in the specified direction (inbound to or outbound from the VAP group that you are configuring).

By default, the NPM applies an IP flow rule's action to both inbound and outbound IP traffic. Use the both parameter to restore this default behavior.

Use the show (ip-flow-rule context) command to display the traffic flow direction matching criteria defined for the packet matching criteria for the IP flow rule that you are configuring.

Syntax
direction {inbound | outbound | both}

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.


Parameters
The following table lists the parameters used with this command.

Parameter: inbound
Description: Configures the packet matching criteria for the VAP group IP flow rule that you are configuring to match only inbound flows. The NPM applies the IP flow rule only to IP packets coming into the VAP group.

Parameter: outbound
Description: Configures the packet matching criteria for the VAP group IP flow rule that you are configuring to match only outbound IP traffic flows. The NPM applies the IP flow rule only to IP packets exiting from the VAP group.

Parameter: both
Description: Configures the packet matching criteria for the VAP group IP flow rule that you are configuring to match both inbound and outbound IP traffic flows. The NPM applies the IP flow rule to all IP packets entering or exiting the VAP group. This is the default setting.

Restrictions
Default Privilege Level: 15

When you issue the activate (ip-flow-rule context) command to activate a VAP group IP flow rule, the CLI issues an error if the following conditions are not met:

If the IP flow rule's action is set to allow, the flow rule's traffic flow direction matching criteria must be set to outbound.
If the IP flow rule's traffic flow direction matching criteria is set to outbound, the flow rule's action must be set to allow or drop.

See action allow (ip-flow-rule context) on page 306 and action drop (ip-flow-rule context) on page 305 for more information about the allow and drop actions.

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command configures the packet matching criteria for the IP flow rule called testiprule to match only outbound IP traffic flows:

CBS(ip-flow-rule)# direction outbound
CBS(ip-flow-rule)#


skip-port-protocol (ip-flow-rule context)


Enables or disables (using no) skip-port-protocol for the VAP group IP flow rule that you are configuring. By default, skip-port-protocol is enabled for all VAP group IP flow rules.

If skip-port-protocol is enabled for a VAP group IP flow rule, the NPM excludes source port number, destination port number, and protocol number from the packet matching criteria for the IP flow rule. The NPM applies the IP flow rule's action without considering an IP packet's source port number, destination port number, or protocol number.

Use the show (ip-flow-rule context) command to determine whether skip-port-protocol is enabled for the VAP group IP flow rule that you are configuring.

Syntax
[no] skip-port-protocol

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command disables skip-port-protocol for the IP flow rule called testiprule:

CBS(ip-flow-rule)# no skip-port-protocol
CBS(ip-flow-rule)#

With skip-port-protocol disabled, the user can configure the packet matching criteria for testiprule to include source port, destination port, and protocol number matching criteria. The NPM applies the IP flow rule's action to an IP packet only if that packet matches these criteria.

generate-reversed-flow (ip-flow-rule context)


Enables or disables (using no) bi-directional IP flow matching for the VAP group IP flow rule that you are configuring. By default, bi-directional IP flow matching is disabled for all VAP group IP flow rules.

If bi-directional IP flow matching is enabled for a VAP group IP flow rule, you can configure its packet matching criteria for bi-directional flows. This means that you can configure packet matching criteria for both source and destination IP addresses and port numbers.

If bi-directional IP flow matching is disabled for a VAP group IP flow rule, you must configure its packet matching criteria for uni-directional flows. This means that you can configure packet matching criteria for either source IP address and source port number or destination IP address and destination port number.

Use the show (ip-flow-rule context) command to determine whether bi-directional IP flow matching is enabled for the IP flow rule that you are configuring.

Syntax
[no] generate-reversed-flow

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command enables bi-directional IP flow matching for the IP flow rule called testiprule:

CBS(conf-system-ip-flow)# generate-reversed-flow
CBS(conf-system-ip-flow)#

The user can now configure testiprule with packet matching criteria for bi-directional IP flows. That is, the user can configure packet matching criteria for both source and destination IP addresses and port numbers.


source-addr (ip-flow-rule context)


Configures the source IP address matching criteria for the VAP group IP flow rule that you are configuring. The NPM applies the IP flow rule's action only to IP packets that meet the specified source IP address matching criteria.

By default, a VAP group IP flow rule's source IP address matching criteria is set to any source IP address. The NPM applies the IP flow rule's action without considering a packet's source IP address. To restore this default behavior, use the no source-addr command or use the source-addr any command.

Use the show (ip-flow-rule context) command to display the source IP address matching criteria defined for the IP flow rule that you are configuring.

Syntax
source-addr {any | <IP_address> | <IP_address>/<0-32>}
no source-addr

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

Parameter: any
Description: Sets the flow rule's source IP address matching criteria to any source IP address. The NPM applies the IP flow rule's action without considering a packet's source IP address. This is the default behavior for every VAP group IP flow rule.

Parameter: <IP_address>
Description: Configures the flow rule's source IP address matching criteria to include only the specified IP address. The NPM applies the IP flow rule's action to a packet only if its source IP address matches the specified IP address.

Parameter: <IP_address>/<0-32>
Description: Configures the flow rule's source IP address matching criteria to include all IP addresses that belong to the specified IP network. The NPM applies the IP flow rule's action to a packet only if its source IP address matches one of the IP addresses that belong to the specified IP network. You specify the IP network using CIDR notation (for example, 10.15.0.0/16).

NOTE: When configuring IP flow rules, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.


Restrictions
Default Privilege Level: 15

If you wish to configure packet matching criteria for both source and destination IP addresses, you must use the generate-reversed-flow (ip-flow-rule context) command to enable bi-directional IP flow matching for the IP flow rule.

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command sets the source IP address matching criteria for the IP flow rule called testiprule to include all IP addresses on the IP network, 10.170.54.0/24:

CBS(ip-flow-rule)# source-addr 10.170.54.0/24
CBS(ip-flow-rule)#

The NPM applies the action configured for testiprule only to IP packets whose source IP address matches one of the IP addresses that belong to the IP network, 10.170.54.0/24.

destination-addr (ip-flow-rule context)


Configures the destination IP address matching criteria for the VAP group IP flow rule that you are configuring. The NPM applies the IP flow rule's action only to IP packets that meet the specified destination IP address matching criteria.

By default, a VAP group IP flow rule's destination IP address matching criteria is set to any destination IP address. The NPM applies the IP flow rule's action without considering a packet's destination IP address. To restore this default behavior, use the no destination-addr command or use the destination-addr any command.

Use the show (ip-flow-rule context) command to display the destination IP address matching criteria defined for the IP flow rule that you are configuring.

Syntax
destination-addr {any | <IP_address> | <IP_address>/<0-32>}
no destination-addr

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.


Parameters
The following table lists the parameters used with this command.

Parameter: any
Description: Sets the flow rule's destination IP address matching criteria to any destination IP address. The NPM applies the IP flow rule's action without considering a packet's destination IP address. This is the default behavior for every VAP group IP flow rule.

Parameter: <IP_address>
Description: Configures the flow rule's destination IP address matching criteria to include only the specified IP address. The NPM applies the IP flow rule's action to a packet only if its destination IP address matches the specified IP address.

Parameter: <IP_address>/<0-32>
Description: Configures the flow rule's destination IP address matching criteria to include all IP addresses that belong to the specified IP network. The NPM applies the IP flow rule's action to a packet only if its destination IP address matches one of the IP addresses that belong to the specified IP network. You specify the IP network using CIDR notation (for example, 10.15.0.0/16).

NOTE: When configuring IP flow rules, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.

Restrictions
Default Privilege Level: 15

If you wish to configure packet matching criteria for both source and destination IP addresses, you must use the generate-reversed-flow (ip-flow-rule context) command to enable bi-directional IP flow matching for the IP flow rule.

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command sets the destination IP address matching criteria for the IP flow rule called testiprule to include all IP addresses on the IP network, 10.170.53.0/24:

CBS(ip-flow-rule)# destination-addr 10.170.53.0/24
CBS(ip-flow-rule)#

The NPM applies the action configured for testiprule only to IP packets whose destination IP address matches one of the IP addresses that belong to the IP network, 10.170.53.0/24.


source-port (ip-flow-rule context)


Configures the source port matching criteria for the VAP group IP flow rule that you are configuring. The NPM applies the IP flow rule's action only to IP packets that meet the specified source port matching criteria.

By default, a VAP group IP flow rule's source port matching criteria is set to any source port number. The NPM applies the IP flow rule's action without considering a packet's source port number. To restore this default behavior, use the no source-port command or use the source-port any command.

Use the show (ip-flow-rule context) command to display the source port matching criteria defined for the IP flow rule that you are configuring.

Syntax
source-port {any | <port_number>}
no source-port

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

Parameter: any
Description: Sets the flow rule's source port matching criteria to any source port number. The NPM applies the IP flow rule's action without considering a packet's source port number. This is the default behavior for every VAP group IP flow rule.

Parameter: <port_number>
Description: Configures the flow rule's source port matching criteria to include only the specified port number. The NPM applies the IP flow rule's action to a packet only if its source port number matches the specified port number. Valid values are from 0-65535.

Restrictions
Default Privilege Level: 15

If you wish to configure packet matching criteria for both source and destination port numbers, you must use the generate-reversed-flow (ip-flow-rule context) command to enable bi-directional IP flow matching for the IP flow rule.

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command sets the source port matching criteria for the IP flow rule called testiprule to include only port 25:

CBS(ip-flow-rule)# source-port 25
CBS(ip-flow-rule)#

The NPM applies the action configured for testiprule only to IP packets whose source port number is 25.

destination-port (ip-flow-rule context)


Configures the destination port matching criteria for the VAP group IP flow rule that you are configuring. The NPM applies the IP flow rule's action only to IP packets that meet the specified destination port matching criteria.

By default, a VAP group IP flow rule's destination port matching criteria is set to any destination port number. The NPM applies the IP flow rule's action without considering a packet's destination port number. To restore this default behavior, use the no destination-port command or use the destination-port any command.

Use the show (ip-flow-rule context) command to display the destination port matching criteria defined for the IP flow rule that you are configuring.

Syntax
destination-port {any | <port_number>}
no destination-port

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

Parameter: any
Description: Sets the flow rule's destination port matching criteria to any destination port number. The NPM applies the IP flow rule's action without considering a packet's destination port number. This is the default behavior for every VAP group IP flow rule.

Parameter: <port_number>
Description: Configures the flow rule's destination port matching criteria to include only the specified port number. The NPM applies the IP flow rule's action to a packet only if its destination port number matches the specified port number. Valid values are from 0-65535.


Restrictions
Default Privilege Level: 15

If you wish to configure packet matching criteria for both source and destination port numbers, you must use the generate-reversed-flow (ip-flow-rule context) command to enable bi-directional IP flow matching for the IP flow rule.

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

    CBS# configure vap-group testvapgroup
    CBS(config-vap-grp)# ip-flow-rule testiprule
    CBS(ip-flow-rule)#

The following command sets the destination port matching criteria for the IP flow rule called testiprule to include only port 25:

    CBS(ip-flow-rule)# destination-port 25
    CBS(ip-flow-rule)#

The NPM applies the action configured for testiprule only to IP packets whose destination port number is 25.

protocol (ip-flow-rule context)


Configures the protocol matching criteria for the VAP group IP flow rule that you are configuring. The NPM applies the IP flow rule's action only to IP packets that meet the specified protocol matching criteria.

By default, a VAP group IP flow rule's protocol matching criteria is set to any protocol number. The NPM applies the IP flow rule's action without considering a packet's protocol number. To restore this default behavior, use the no protocol command or use the protocol any command.

Use the show (ip-flow-rule context) command to display the protocol matching criteria defined for the IP flow rule that you are configuring.

Syntax
    protocol {any | <protocol_number>}
    no protocol

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

Parameter: any
Description: Sets the flow rule's protocol matching criteria to any protocol number. The NPM applies the IP flow rule's action without considering a packet's protocol number. This is the default behavior for every VAP group IP flow rule.

Parameter: <protocol_number>
Description: Configures the flow rule's protocol matching criteria to include only the specified protocol number. The NPM applies the IP flow rule's action to a packet only if its protocol number matches the specified protocol number. Valid values are from 1-255.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

    CBS# configure vap-group testvapgroup
    CBS(config-vap-grp)# ip-flow-rule testiprule
    CBS(ip-flow-rule)#

The following command sets the protocol matching criteria for the IP flow rule called testiprule to include only protocol number 41 (IPv6):

    CBS(conf-system-ip-flow)# protocol 41
    CBS(conf-system-ip-flow)#

The NPM applies the action configured for testiprule only to IP packets using protocol 41.

domain (ip-flow-rule context)


Configures the domain matching criteria for the VAP group IP flow rule that you are configuring. The NPM applies the IP flow rule's action only to IP packets that meet the specified domain matching criteria.

By default, a VAP group IP flow rule's domain matching criteria is set to any domain ID number. The NPM applies the IP flow rule's action without considering a packet's domain ID number. To restore this default behavior, use the no domain command or use the domain any command.

NOTE: All of the IP packets that are destined for a particular circuit belong to that circuit's domain. You assign a domain to a circuit by specifying the domain parameter with the configure circuit command. By default, all circuits belong to domain 1.

Use the show (ip-flow-rule context) command to display the domain matching criteria defined for the IP flow rule that you are configuring.

Syntax
    domain {any | <domain_ID_number>}
    no domain

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

Parameter: any
Description: Sets the flow rule's domain matching criteria to any domain ID number. The NPM applies the IP flow rule's action without considering a packet's domain ID number. This is the default behavior for every VAP group IP flow rule.

Parameter: <domain_ID_number>
Description: Configures the flow rule's domain matching criteria to include only the specified domain ID number. The NPM applies the IP flow rule's action to a packet only if its domain ID number matches the specified domain ID number. Valid values are from 1-4095.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

    CBS# configure vap-group testvapgroup
    CBS(config-vap-grp)# ip-flow-rule testiprule
    CBS(ip-flow-rule)#

The following command sets the domain matching criteria for the VAP group IP flow rule called testiprule to include only domain ID number 2. Domain ID number 2 is assigned to the circuit called cctwan, which is one of the egress traffic circuits configured for the VAP group called testvapgroup.

    CBS(ip-flow-rule)# domain 2
    CBS(ip-flow-rule)#

The NPM applies the action configured for testiprule only to IP packets whose domain ID number is 2.

incoming-circuit-group (ip-flow-rule context)


Configures the incoming circuit group (ICG) matching criteria for the VAP group IP flow rule that you are configuring. The NPM applies the IP flow rule's action only to IP packets that meet the specified ICG matching criteria.

By default, a VAP group IP flow rule's ICG matching criteria is set to any ICG number. The NPM applies the IP flow rule's action without considering a packet's ICG number. To restore this default behavior, use the no incoming-circuit-group command.

To assign a name to an incoming circuit group, use the configure incoming-circuit-group-name command. To see a list of incoming circuit groups, including any names assigned to them, use the show incoming-circuit-group-name command.

NOTE: All of the IP packets that are destined for a particular circuit are assigned to that circuit's incoming circuit group (ICG). You assign an ICG to a circuit by configuring that circuit with the incoming-circuit-group (conf-cct context) command. By default, all circuits belong to ICG 1.

Use the show (ip-flow-rule context) command to display the ICG matching criteria defined for the IP flow rule that you are configuring.

Syntax
    incoming-circuit-group {any | <ICG_number>}
    no incoming-circuit-group

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

Parameter: any
Description: Sets the flow rule's incoming circuit group (ICG) matching criteria to any ICG number. The NPM applies the IP flow rule's action without considering a packet's ICG number. This is the default behavior for every VAP group IP flow rule.

Parameter: <ICG_number>
Description: Configures the flow rule's incoming circuit group (ICG) matching criteria to include only the specified ICG number. The NPM applies the IP flow rule's action to a packet only if its ICG number matches the specified ICG number. Valid values are from 1-255.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

    CBS# configure vap-group testvapgroup
    CBS(config-vap-grp)# ip-flow-rule testiprule
    CBS(ip-flow-rule)#

The following command sets the incoming circuit group (ICG) matching criteria for the VAP group IP flow rule called testiprule to include only ICG number 2. ICG number 2 is assigned to the circuit called cctwan, which is one of the egress traffic circuits configured for the VAP group called testvapgroup.

    CBS(ip-flow-rule)# incoming-circuit-group 2
    CBS(ip-flow-rule)#

The NPM applies the action configured for testiprule only to IP packets whose ICG number is 2.

timeout (ip-flow-rule context)


Configures an idle flow timeout interval and applies it to all IP flows that match the conditions defined in the packet matching criteria for the VAP group IP flow rule that you are configuring. An IP flow's idle flow timeout interval is the amount of time that the IP flow can remain idle before the NPM deletes the IP flow from the Active Flow Table (AFT).

By default, the NPM's IP flow classifier assigns an appropriate idle flow timeout interval to every new IP flow. To restore this default behavior, use the no timeout command or use the timeout auto command.

NOTE: After the NPM deletes an idle IP flow from the AFT, if the NPM later encounters other IP packets belonging to that flow, the NPM considers those packets to be part of a new flow. As a result, the NPM may move the now-active flow onto a new VAP. You may encounter problems if an IP flow moves between VAPs in a VAP group on which you are running a stateful firewall (such as Check Point VPN-1 Power NGX R65).

Use the show (ip-flow-rule context) command to display the idle flow timeout interval configuration for the VAP group IP flow rule that you are configuring.

Syntax
    timeout {auto | <idle_flow_timeout_interval>}
    no timeout

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

Parameter: auto
Description: Configures the NPM's IP flow classifier to automatically assign an appropriate idle flow timeout interval to every new flow that matches the conditions defined in the packet matching criteria for the VAP group IP flow rule that you are configuring.
    TCP: 10 minutes
    UDP: 1 minute
    Other: 30 seconds

Parameter: <idle_flow_timeout_interval>
Description: Applies the specified idle flow timeout interval to all IP flows that match the conditions defined in the packet matching criteria for the VAP group IP flow rule that you are configuring. An IP flow's idle flow timeout interval is the amount of time that the IP flow can remain idle before the NPM deletes the IP flow from the Active Flow Table (AFT). You must specify an idle flow timeout interval using one of the following parameters:
    30-seconds: Sets the idle flow timeout interval to 30 seconds. Timeout occurs when a flow remains idle for approximately 30 seconds.
    1-minute: Sets the idle flow timeout interval to 1 minute. Timeout occurs when a flow remains idle for approximately 1 minute.
    3-minutes: Sets the idle flow timeout interval to 3 minutes. Timeout occurs when a flow remains idle for approximately 3 minutes.
    5-minutes: Sets the idle flow timeout interval to 5 minutes. Timeout occurs when a flow remains idle for approximately 5 minutes.
    10-minutes: Sets the idle flow timeout interval to 10 minutes. Timeout occurs when a flow remains idle for approximately 10 minutes.
    20-minutes: Sets the idle flow timeout interval to 20 minutes. Timeout occurs when a flow remains idle for approximately 20 minutes.
    30-minutes: Sets the idle flow timeout interval to 30 minutes. Timeout occurs when a flow remains idle for approximately 30 minutes.
    1-hour: Sets the idle flow timeout interval to 1 hour. Timeout occurs when a flow remains idle for approximately 1 hour.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

    CBS# configure vap-group testvapgroup
    CBS(config-vap-grp)# ip-flow-rule testiprule
    CBS(ip-flow-rule)#

The following command sets the idle flow timeout interval for the VAP group IP flow rule called testiprule to 10 minutes.

    CBS(ip-flow-rule)# timeout 10-minutes
    CBS(ip-flow-rule)#

The NPM deletes any IP flow from the Active Flow Table (AFT) if that flow matches the conditions defined in the packet matching criteria for testiprule and that flow remains idle for approximately 10 minutes.
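The following Python model is an added illustration, not Crossbeam code. It replays a constructed packet timeline against a toy Active Flow Table to show how a short idle timeout turns a quiet TCP session into a "new" flow that can land on a different VAP, the condition the NOTE above warns about for stateful firewalls. The round-robin VAP choice, the class and function names, and the sample flows are assumptions.

```python
# Idle timeouts in seconds, taken from the parameter table above.
AUTO = {6: 600, 17: 60}   # "auto": TCP 10 minutes, UDP 1 minute
AUTO_OTHER = 30           # "auto": any other protocol, 30 seconds
INTERVALS = {"30-seconds": 30, "1-minute": 60, "3-minutes": 180,
             "5-minutes": 300, "10-minutes": 600, "20-minutes": 1200,
             "30-minutes": 1800, "1-hour": 3600}


def idle_timeout(setting, protocol):
    """Seconds a flow may stay idle under `timeout <setting>`."""
    if setting == "auto":
        return AUTO.get(protocol, AUTO_OTHER)
    return INTERVALS[setting]


class ActiveFlowTable:
    """Toy AFT (hypothetical). VAP choice is round-robin, an assumption made
    only so that a re-created flow can visibly land on a different VAP."""

    def __init__(self, vap_count, setting="auto"):
        self.vap_count = vap_count
        self.setting = setting
        self.flows = {}       # 5-tuple -> {"vap": int, "last_seen": seconds}
        self.next_vap = 0

    def packet(self, flow, now):
        """Process one packet; return (vap, is_new_flow)."""
        entry = self.flows.get(flow)
        timeout = idle_timeout(self.setting, flow[4])
        if entry is not None and now - entry["last_seen"] >= timeout:
            del self.flows[flow]          # idle flow aged out of the AFT
            entry = None
        is_new = entry is None
        if is_new:
            entry = {"vap": self.next_vap, "last_seen": now}
            self.next_vap = (self.next_vap + 1) % self.vap_count
            self.flows[flow] = entry
        entry["last_seen"] = now
        return entry["vap"], is_new


def replay(setting, events, vap_count=3):
    """Feed (time, flow) events through a fresh table."""
    aft = ActiveFlowTable(vap_count, setting)
    return [aft.packet(flow, t) for t, flow in events]


# Constructed sample: a mostly idle TCP session plus one unrelated flow.
# Flow tuple: (source address, source port, destination address,
#              destination port, protocol number)
SESSION = ("10.170.54.20", 40000, "10.170.53.35", 22, 6)
OTHER = ("10.170.54.21", 40001, "10.170.53.35", 25, 6)
EVENTS = [(0, SESSION), (10, OTHER), (50, SESSION), (200, SESSION)]

if __name__ == "__main__":
    for setting in ("1-minute", "auto"):
        print(setting, replay(setting, EVENTS))
```

With timeout 1-minute the packet at t=200 is treated as a new flow and assigned VAP 2 instead of VAP 0; with timeout auto the TCP session stays on VAP 0.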
trace (ip-flow-rule context)


Enables or disables (using no) packet tracing for IP packets that match the conditions defined in the packet matching criteria for the VAP group IP flow rule that you are configuring. By default, packet tracing is disabled for all VAP group IP flow rules.

NOTE: Packet tracing may impact X-Series Platform performance. You should enable packet tracing for debugging purposes only.

Use the show (ip-flow-rule context) command to determine whether packet tracing is enabled for IP packets that match the conditions defined in the packet matching criteria for the VAP group IP flow rule that you are configuring.

Syntax
[no] trace

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

    CBS# configure vap-group testvapgroup
    CBS(config-vap-grp)# ip-flow-rule testiprule
    CBS(ip-flow-rule)#

The following command enables packet tracing for all IP packets that match the conditions defined in the packet matching criteria for the VAP group IP flow rule called testiprule:

    CBS(ip-flow-rule)# trace
    CBS(ip-flow-rule)#

priority (ip-flow-rule context)


Sets the priority level for the VAP group IP flow rule that you are configuring. You set priority levels for VAP group IP flow rules to specify the order in which the NPM applies IP flow rules to an IP traffic flow that arrives on a logical interface configured for a VAP group.

When an IP traffic flow arrives on a logical interface configured for a VAP group, the NPM applies activated IP flow rules configured for the VAP group to the IP traffic flow. The NPM applies IP flow rules configured for a VAP group one at a time, in order of priority level, applying the IP flow rule with the highest priority level first.

Valid priority levels are from 10-20 and from 25-30. By default, all VAP group IP flow rules have a priority level of 10. Use the no priority command to restore this default setting.

NOTE: When you configure a circuit for a VAP group, you can change the default priority level for IP flow rules configured for that VAP group. See ip-flow-rule-priority (conf-cct-vapgroup context) on page 415 for instructions on configuring a circuit to change the default priority level assigned to IP flow rules configured for the circuit's VAP group.

Use the show (ip-flow-rule context) command to display the priority level assigned to the VAP group IP flow rule that you are configuring.

Syntax
    priority <priority_level>
    no priority

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

Parameter: <priority_level>
Description: Specifies the priority level that you want to assign to the VAP group IP flow rule that you are configuring. Valid values are from 10-20 and from 25-30. Default is 10.

Restrictions
Default Privilege Level: 15

Example
In this example, the X-Series Platform system administrator wants to configure flow provisioning for the VAP group called testvapgroup so that the NPM drops all IP packets exiting from the VAP group that have the source IP address, 10.170.54.20, unless those packets also have the destination IP address, 10.150.53.35. If an IP packet has the desired source and destination IP addresses, the administrator wants the NPM to allow the IP packet to exit the VAP group called testvapgroup and proceed to the destination IP address.

Therefore, the administrator has configured two IP flow rules for the VAP group called testvapgroup:

    testiprule: Allows all outbound IP packets that have the source IP address, 10.170.54.20 and the destination IP address, 10.170.53.35, to exit the VAP group called testvapgroup and proceed to the destination IP address.
    dropiprule: Drops all of the VAP group's outbound IP packets that have the source IP address, 10.170.54.20.

The administrator now uses the following commands to configure the IP flow rule called testiprule with a priority level of 15, and configure the IP flow rule called dropiprule with a priority level of 14.

    CBS# configure vap-group testvapgroup
    CBS(config-vap-grp)# ip-flow-rule testiprule
    CBS(ip-flow-rule)# priority 15
    CBS(ip-flow-rule)# source-addr 10.170.54.20
    CBS(ip-flow-rule)# destination-addr 10.170.53.35
    CBS(ip-flow-rule)# action allow
    CBS(ip-flow-rule)# activate
    CBS(ip-flow-rule)# exit
    CBS(config-vap-grp)# ip-flow-rule dropiprule
    CBS(ip-flow-rule)# priority 14
    CBS(ip-flow-rule)# source-addr 10.170.54.20
    CBS(ip-flow-rule)# action drop
    CBS(ip-flow-rule)# activate
    CBS(ip-flow-rule)# end
    CBS#

Now, when an IP packet arrives on a logical interface assigned to an egress circuit on the VAP group called testvapgroup, the NPM applies the IP flow rule called testiprule to the packet before applying the IP flow rule called dropiprule to that packet.

When the NPM encounters an outbound IP packet, the NPM first determines whether the packet matches the source and destination IP address matching criteria defined in the VAP group IP flow rule called testiprule. If the packet has both the source IP address, 10.170.54.20, and the destination IP address, 10.170.53.35, the packet matches the conditions defined in the packet matching criteria, and the NPM allows the IP packet to exit the VAP group called testvapgroup and proceed to the destination IP address.
If an outbound IP packet does not have the destination IP address, 10.170.53.35, that packet does not match all the conditions defined in the packet matching criteria for testiprule. In this case, the NPM does not apply the action (allow) for testiprule to the IP packet. Instead, the NPM proceeds to determine whether the packet matches the source IP address matching criteria defined for dropiprule. If the IP packet has the source IP address, 10.170.54.20, the packet matches the conditions defined in the packet matching criteria for dropiprule, and the NPM drops the packet.

core-assignment (ip-flow-rule context)


This command affects the way that packets are processed by the cores and processors on an APM. When a new flow arrives, the NPM decides, based on the load-balancing rule, which APM will process the flow. After that decision has been made, the core-assignment parameter is used to direct packets to one or more cores and one or more processors. An APM can have multiple processors and each processor can have multiple cores. The numbers depend on the APM model.

Syntax
[no] core-assignment {random-single-core | multi-core-processing | multi-proc-processing}

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

Parameter: random-single-core
Description: Directs all packets of an IP flow to a single core on the APM that has been selected for this flow (default).

Parameter: multi-core-processing
Description: Distributes packets of an IP flow across all cores on a single processor on the APM that has been selected for this flow.

Parameter: multi-proc-processing
Description: Distributes packets of an IP flow across all cores on all processors on the APM that has been selected for this flow.

Restrictions
Default Privilege Level: 15

Example
In this example, the X-Series Platform system administrator wants to configure flow provisioning for the VAP group called testvapgroup so that all cores on one of the APM processors are used.

    CBS# configure vap-group testvapgroup
    CBS(config-vap-grp)# ip-flow-rule testiprule
    CBS(ip-flow-rule)# core-assignment random-single-core
    CBS(ip-flow-rule)# end
    CBS#

activate (ip-flow-rule context)


Activates or deactivates (using no) the VAP group IP flow rule that you are configuring. By default, all VAP group IP flow rules are deactivated.

IMPORTANT: The NPM only applies a VAP group's active IP flow rules to new IP flows arriving on logical interfaces configured for the VAP group.

Use the show (ip-flow-rule context) command to determine whether the VAP group IP flow rule that you are configuring has been activated.

Syntax
[no] activate

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

When you issue the activate command to activate an IP flow rule for a VAP group, the CLI issues an error if the following conditions are not met:

    If the IP flow rule's action is set to allow, the flow rule's traffic flow direction matching criteria must be set to outbound.
    If the IP flow rule's traffic flow direction matching criteria is set to outbound, the flow rule's action must be set to allow or drop.

See action allow (ip-flow-rule context) on page 306 and action drop (ip-flow-rule context) on page 305 for more information about the allow and drop actions.

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

    CBS# configure vap-group testvapgroup
    CBS(config-vap-grp)# ip-flow-rule testiprule
    CBS(ip-flow-rule)#

The following command activates the IP flow rule called testiprule for the VAP group called testvapgroup:

    CBS(ip-flow-rule)# activate
    CBS(ip-flow-rule)#

The NPM now applies this IP flow rule's action to all new IP flows assigned to the VAP group called testvapgroup that match the conditions defined in the packet matching criteria for the IP flow rule.
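The following Python model is an added illustration, not Crossbeam code. It combines the highest-priority-first evaluation from the priority (ip-flow-rule context) example with the activation restrictions above, and shows how swapping the two priority levels makes the drop rule shadow the intended exception. The class and function names are hypothetical; direction is used only for the activation check, and the behavior when no rule matches is not modelled.

```python
import ipaddress
from dataclasses import dataclass

ANY = None  # stands for the CLI keyword "any"


@dataclass
class FlowRule:
    """Hypothetical model of one VAP group IP flow rule (not an XOS structure)."""
    name: str
    action: str                      # allow, drop, load-balance, ...
    direction: str                   # outbound, inbound or both
    priority: int = 10               # the guide's default priority level
    source_addr: str = "0.0.0.0/0"   # single address or CIDR network
    destination_addr: str = "0.0.0.0/0"
    destination_port: object = ANY
    protocol: object = ANY
    active: bool = False             # rules are deactivated by default

    def __post_init__(self):
        # Valid priority levels per the guide: 10-20 and 25-30.
        if not (10 <= self.priority <= 20 or 25 <= self.priority <= 30):
            raise ValueError(f"{self.name}: invalid priority {self.priority}")
        self.src_net = ipaddress.ip_network(self.source_addr)
        self.dst_net = ipaddress.ip_network(self.destination_addr)

    def matches(self, pkt):
        """True when the packet meets every configured matching criterion."""
        return (ipaddress.ip_address(pkt["src"]) in self.src_net
                and ipaddress.ip_address(pkt["dst"]) in self.dst_net
                and self.destination_port in (ANY, pkt.get("dport"))
                and self.protocol in (ANY, pkt.get("proto")))


def activation_errors(rule):
    """The two conditions listed under Restrictions for the activate command."""
    errors = []
    if rule.action == "allow" and rule.direction != "outbound":
        errors.append("action allow requires direction outbound")
    if rule.direction == "outbound" and rule.action not in ("allow", "drop"):
        errors.append("direction outbound requires action allow or drop")
    return errors


def activate(rule):
    errors = activation_errors(rule)
    if errors:
        raise ValueError(f"{rule.name}: " + "; ".join(errors))
    rule.active = True
    return rule


def evaluate(rules, pkt):
    """Decision for the first packet of a new flow: active rules only,
    highest priority level first, first matching rule wins.
    Tie order for equal priorities is an assumption (configuration order)."""
    ordered = sorted((r for r in rules if r.active),
                     key=lambda r: r.priority, reverse=True)
    for rule in ordered:
        if rule.matches(pkt):
            return rule.name, rule.action
    return None  # no rule matched; default handling is not modelled


def build_rules(allow_priority=15, drop_priority=14):
    """The two rules from the guide's priority example, activated."""
    allow = FlowRule("testiprule", "allow", "outbound", allow_priority,
                     source_addr="10.170.54.20",
                     destination_addr="10.170.53.35")
    drop = FlowRule("dropiprule", "drop", "outbound", drop_priority,
                    source_addr="10.170.54.20")
    return [activate(drop), activate(allow)]  # list order does not matter


if __name__ == "__main__":
    permitted = {"src": "10.170.54.20", "dst": "10.170.53.35"}
    print(evaluate(build_rules(15, 14), permitted))  # exception rule wins
    print(evaluate(build_rules(14, 15), permitted))  # drop rule shadows it
```

Reviewing a rule set this way before activation catches a broad drop rule that outranks a narrower allow rule.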

bypass-tcp-flow-setup-validation (ip-flow-rule context)


Bypasses TCP validation during flow setup. Typically, bypass should be set when the topology prevents a flow's bidirectional symmetry (through the chassis). When validation is bypassed, the TCP sequence number will be updated and FIN and RST sequence numbers will be validated before flow removal.

This parameter is set globally for the platform, and can be disabled per interface. When enabled globally, tcp-flow-validation can be disabled on a per flow rule basis, using bypass-tcp-flow-setup-validation. See the second example below.

Syntax
bypass-tcp-flow-setup-validation

Restrictions
Default Privilege Level: 15

Example
    CBS# configure vap-group test_vap_group
    CBS(conf-vap-grp)# ip-flow-rule test_flow_rule
    CBS(ip-flowrule)# bypass-tcp-flow-setup-validation
    CBS(ip-flowrule)#

show (ip-flow-rule context)


Displays the current configuration settings for the VAP group IP flow rule that you are configuring.

Syntax
show

Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.

Output
The output for this command has the following format:

    IP Flow Rule                        : <IP_flow_rule_name>
    VAP Group                           : <VAP_group_name>
    Destination Address                 : {<IP_address> | <IP_address>/<0-32>}
    Destination Address High            : 255.255.255.255
    Destination Port                    : <port_number>
    Destination Port High               : 65535
    Source Address                      : {<IP_address> | <IP_address>/<0-32>}
    Source Address High                 : 255.255.255.255
    Source Port                         : <port_number>
    Source Port High                    : 65535
    Incoming Circuit Group              : <ICG_number>
    Protocol                            : <protocol_number>
    Protocol High                       : 255
    Domain                              : <domain_ID_number>
    Domain High                         : 4095
    Action                              : {load-balance | drop | allow | pass-to-master | pass-to-vap | broadcast}
    VAP Index                           : <VAP_index_number>
    Activate (true/false)               : {t | f}
    Priority                            : <priority_level>
    Skip Protocol (true/false)          : {t | f}
    Skip Port (true/false)              : {t | f}
    Skip Port Protocol (true/false)     : {t | f}
    Timeout                             : {auto | <idle_flow_timeout_interval>}
    Trace (true/false)                  : {t | f}
    Generate Reversed Flow (true/false) : {t | f}
    Direction                           : {outbound | inbound | both}
    Bypass-tcp-flow-setup-validation    : {t | f}
    Core Assignment                     : random-single-core
    (1 row)

The following table describes the information provided in each column/row.

Column/Row Heading: IP Flow Rule
Information Provided: Name of the IP flow rule. See ip-flow-rule (config-vap-grp context) on page 302 for information on assigning a name to a new IP flow rule configured for a VAP group.

Column/Row Heading: VAP Group
Information Provided: Name of the VAP group for which the IP flow rule is configured. See configure vap-group on page 173 for information on assigning a name to a new VAP group.

Column/Row Heading: Destination Address
Information Provided: Destination IP address matching criteria for the VAP group IP flow rule. This row may display one of the following:
    0.0.0.0: Default value. Defines the lowest IP address that meets the flow rule's destination IP address matching criteria. In this case, the highest matching destination IP address is 255.255.255.255. The NPM applies the IP flow rule's action without considering a packet's destination IP address.
    Single, non-zero IP address: NPM applies the IP flow rule's action only to IP packets that have the specified destination IP address.
    IP network address displayed in CIDR format: NPM applies the IP flow rule's action only to IP packets whose destination IP address matches one of the IP addresses that belong to the specified IP network.
See destination-addr (ip-flow-rule context) on page 315 for information on configuring destination IP address matching criteria for an IP flow rule configured for a VAP group.

Column/Row Heading: Destination Address High
Information Provided: This row appears only if the user has not defined destination IP address matching criteria for the IP flow rule. In this case, the Destination Address is 0.0.0.0 and Destination Address High is 255.255.255.255. This indicates that the flow rule's destination IP address matching criteria includes all IP addresses from 0.0.0.0 to 255.255.255.255 (that is, all IP addresses). The NPM applies the IP flow rule's action without considering a packet's destination IP address. See destination-addr (ip-flow-rule context) on page 315 for information on configuring destination IP address matching criteria for an IP flow rule configured for a VAP group.

Column/Row Heading: Destination Port
Information Provided: Destination port matching criteria for the IP flow rule. This row may display one of the following:
    0: Default value. Defines the lowest port number that meets the IP flow rule's destination port matching criteria. In this case, the highest matching destination port number is 65535. The NPM applies the IP flow rule's action without considering a packet's destination port number.
    Single, non-zero port number: NPM applies the IP flow rule's action only to IP packets that have the specified destination port number.
See destination-port (ip-flow-rule context) on page 318 for information on configuring destination port matching criteria for a system-level IP flow rule.

Column/Row Heading: Destination Port High
Information Provided: This row appears only if the user has not defined destination port matching criteria for the IP flow rule. In this case, the Destination Port is 0 and Destination Port High is 65535. This indicates that the flow rule's destination port matching criteria includes all port numbers from 0 to 65535 (that is, all valid port numbers). The NPM applies the IP flow rule's action without considering a packet's destination port number. See destination-port (ip-flow-rule context) on page 318 for information on configuring destination port matching criteria for an IP flow rule configured for a VAP group.

Column/Row Heading: Source Address
Information Provided: Source IP address matching criteria for the IP flow rule. This row may display one of the following:
    0.0.0.0: Default value. Defines the lowest IP address that meets the IP flow rule's source IP address matching criteria. In this case, the highest matching source IP address is 255.255.255.255. The NPM applies the IP flow rule's action without considering a packet's source IP address.
    Single, non-zero IP address: NPM applies the IP flow rule's action only to IP packets that have the specified source IP address.
    IP network address displayed in CIDR format: NPM applies the IP flow rule's action only to IP packets whose source IP address matches one of the IP addresses that belong to the specified IP network.
See source-addr (ip-flow-rule context) on page 314 for information on configuring source IP address matching criteria for an IP flow rule configured for a VAP group.

Column/Row Heading: Source Address High
Information Provided: This row appears only if the user has not defined source IP address matching criteria for the IP flow rule. In this case, the Source Address is 0.0.0.0 and Source Address High is 255.255.255.255. This indicates that the flow rule's source IP address matching criteria includes all IP addresses from 0.0.0.0 to 255.255.255.255 (that is, all IP addresses). The NPM applies the IP flow rule's action without considering a packet's source IP address. See source-addr (ip-flow-rule context) on page 314 for information on configuring source IP address matching criteria for an IP flow rule configured for a VAP group.

Column/Row Heading: Source Port
Information Provided: Source port matching criteria for the IP flow rule. This row may display one of the following:
    0: Default value. Defines the lowest port number that meets the IP flow rule's source port matching criteria. In this case, the highest matching source port number is 65535. The NPM applies the IP flow rule's action without considering a packet's source port number.
    Single, non-zero port number: NPM applies the IP flow rule's action only to IP packets that have the specified source port number.
See source-port (ip-flow-rule context) on page 317 for information on configuring source port matching criteria for an IP flow rule configured for a VAP group.

Commands for Configuring and Managing Flow Provisioning

334

Column/Row Heading Source Port High

Information Provided This row appears only if the user has not defined source port matching criteria for the IP flow rule. In this case, the Source Port is 0 and Source Port High is 65535. This indicates that the IP flow rules source port matching criteria includes all port numbers from 0 to 65535 (that is, all valid port numbers). The NPM applies the IP flow rules action without considering a packets source port number. See source-port (ip-flow-rule context) on page 317 for information on configuring source port matching criteria for an IP flow rule configured for a VAP group.

Incoming Circuit Group

Incoming circuit group (ICG) matching criteria for the IP flow rule. The NPM applies the IP flow rule's action only to IP packets with the specified ICG number. Default is 1. See incoming-circuit-group (ip-flow-rule context) on page 322 for information on setting ICG matching criteria for an IP flow rule configured for a VAP group.

Protocol

Protocol matching criteria for the IP flow rule. This row may display one of the following:
- 1: Default value. Defines the lowest protocol number that meets the IP flow rule's protocol matching criteria. In this case, the highest matching protocol number is 255. The NPM applies the IP flow rule's action without considering a packet's protocol number.
- Single, non-zero protocol number: The NPM applies the IP flow rule's action only to IP packets that have the specified protocol number.
See protocol (ip-flow-rule context) on page 319 for information on configuring protocol matching criteria for an IP flow rule configured for a VAP group.

Protocol High

This row appears only if the user has not defined protocol matching criteria for the IP flow rule. In this case, the Protocol is 1 and Protocol High is 255. This indicates that the IP flow rule's protocol matching criteria includes all protocol numbers from 1 to 255 (that is, all valid protocol numbers). The NPM applies the IP flow rule's action without considering a packet's protocol number. See protocol (ip-flow-rule context) on page 319 for information on configuring protocol matching criteria for an IP flow rule configured for a VAP group.

Domain

Domain matching criteria for the IP flow rule. This row may display one of the following:
- 1: Default value. Defines the lowest domain ID number that meets the IP flow rule's domain matching criteria. In this case, the highest matching domain ID number is 4095. The NPM applies the IP flow rule's action without considering a packet's domain ID number.
- Single, non-zero domain ID number: The NPM applies the IP flow rule's action only to IP packets that have the specified domain ID number.
See domain (ip-flow-rule context) on page 321 for information on configuring domain matching criteria for an IP flow rule configured for a VAP group.

Domain High

This row appears only if the user has not defined domain matching criteria for the IP flow rule. In this case, the Domain is 1 and Domain High is 4095. This indicates that the IP flow rule's domain matching criteria includes all domain ID numbers from 1 to 4095 (that is, all valid domain ID numbers). The NPM applies the IP flow rule's action without considering a packet's domain ID number. See domain (ip-flow-rule context) on page 321 for information on configuring domain matching criteria for an IP flow rule configured for a VAP group.

Action

Specifies the action configured for the VAP group IP flow rule (load-balance, drop, allow, pass-to-master, pass-to-vap, or broadcast). Default is drop. See the following sections for information on configuring an action for a VAP group IP flow rule:
- action load-balance (ip-flow-rule context) on page 304
- action drop (ip-flow-rule context) on page 305
- action allow (ip-flow-rule context) on page 306
- action pass-to-master (ip-flow-rule context) on page 307
- action pass-to-vap (ip-flow-rule context) on page 308
- action broadcast (ip-flow-rule context) on page 309

VAP Index

This row appears only if the IP flow rule's action is pass-to-vap. This row displays the VAP index number assigned to the VAP to which the NPM sends IP packets that match the conditions defined in the packet matching criteria for the IP flow rule. See action pass-to-vap (ip-flow-rule context) on page 308 for information on configuring a VAP group IP flow rule to pass IP packets to a specific VAP in the VAP group if those packets match the conditions defined in the IP flow rule's packet matching criteria.

Activate (true/false)

Indicates whether the IP flow rule is activated (t) or deactivated (f) for the VAP group. Default is deactivated (f). See activate (ip-flow-rule context) on page 330 for information on activating and deactivating an IP flow rule for a VAP group.

Priority

Priority level assigned to the VAP group IP flow rule. Default is 10, which is the lowest valid priority level. See priority (ip-flow-rule context) on page 327 for information about setting priority levels for the IP flow rules configured for a VAP group.

Skip Protocol (true/false)

Indicates whether skip-protocol is enabled (t) or disabled (f) for the IP flow rule. Default is enabled (t). See skip-port-protocol (ip-flow-rule context) on page 312 for information on enabling or disabling skip-protocol.

Skip Port (true/false)

Indicates whether skip-port is enabled (t) or disabled (f) for the IP flow rule. Default is enabled (t). See skip-port-protocol (ip-flow-rule context) on page 312 for information on enabling or disabling skip-port.

Skip Port Protocol (true/false)

Indicates whether skip-port-protocol is enabled (t) or disabled (f) for the IP flow rule. Default is enabled (t). See skip-port-protocol (ip-flow-rule context) on page 312 for information on enabling and disabling skip-port-protocol for an IP flow rule configured for a VAP group.

Timeout

Displays the idle flow timeout interval configuration for the IP flow rule. This row may display one of the following:
- auto: Default value. Indicates that the NPM's IP flow classifier assigns an appropriate idle flow timeout interval to every new IP flow that meets the matching criteria defined for the IP flow rule.
- Idle flow time interval keyword: A keyword that indicates the user-defined idle flow timeout interval configured for the IP flow rule. The NPM applies the user-defined idle flow timeout interval to each IP flow that meets the IP flow rule's packet matching criteria.
See timeout (ip-flow-rule context) on page 324 for information on configuring an idle flow timeout interval for an IP flow rule configured for a VAP group.

Trace (true/false)

Indicates whether packet tracing is enabled (t) or disabled (f) for IP packets that match the conditions defined in the packet matching criteria for the IP flow rule. Default is disabled (f). See trace (ip-flow-rule context) on page 326 for information on enabling and disabling packet tracing for an IP flow rule configured for a VAP group.

Generate Reversed Flow

Indicates whether bi-directional flow matching is enabled (t) or disabled (f) for the IP flow rule. Default is disabled (f). See generate-reversed-flow (ip-flow-rule context) on page 312 for information on enabling and disabling bi-directional flow matching for an IP flow rule configured for a VAP group.

Direction

Indicates the IP flow direction matching criteria defined for the IP flow rule. This row displays one of the following keywords:
- both: Default setting. Direction matching criteria includes both inbound and outbound IP flows. The NPM applies the IP flow rule to IP packets without considering whether the packet is coming into or out of the VAP group.
- inbound: IP flow direction matching criteria includes only inbound IP flows. The NPM applies the IP flow rule only to IP packets coming into the VAP group.
- outbound: IP flow direction matching criteria includes only outbound IP flows. The NPM applies the IP flow rule only to IP packets exiting the VAP group.
See direction (ip-flow-rule context) on page 310 for information on setting IP flow direction matching criteria for an IP flow rule configured for a VAP group.

Bypass-tcp-flow-setup-validation

Indicates whether tcp-flow-setup-validation during flow setup is enabled (t) or disabled (f) for the IP flow rule. Default is disabled (f).

Core Assignment

Indicates how packets are processed by the cores and processors on an APM for the IP flow rule. This row displays one of the following options:
- random-single-core: Directs all packets in the flow to a single core.
- multi-core-processing: Distributes packets across all cores on a single processor on the APM that has been selected for this flow.
- multi-proc-processing: Distributes packets across all cores on all processors on the APM that has been selected for this flow.
See core-assignment (ip-flow-rule context) on page 329 for information on setting core and processor assignments for IP flows.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#

The following command displays the configuration settings for the IP flow rule called testiprule, which is configured for the VAP group called testvapgroup.

NOTE: The example output displays the configuration settings that you would create for testiprule if you issued all the example commands that we have provided throughout this section.

CBS(ip-flow-rule)# show
IP Flow Rule                                  : testiprule
VAP Group                                     : testvapgroup
Destination Address                           : 1.1.1.35
Destination Address High                      : 255.255.255.255
Destination Port                              : 25
Destination Port High                         : 65535
Source Address                                : 1.1.1.20
Source Address High                           : 255.255.255.255
Source Port                                   : 25
Source Port High                              : 65535
Incoming Circuit Group                        : 2
Protocol                                      : 41
Protocol High                                 : 4095
Domain                                        : 2
Domain High                                   : 4095
Action                                        : allow
Activate (true/false)                         : t
Priority                                      : 15
Skip Protocol (true/false)                    : f
Skip Port (true/false)                        : f
Skip Port Protocol (true/false)               : f
Timeout                                       : 10-minutes
Trace (true/false)                            : t
Generate Reversed Flow (true/false)           : t
Direction                                     : outbound
Bypass-tcp-flow-setup-validation (true/false) : f
Core Assignment                               : random-single-core
(1 row)
CBS(ip-flow-rule)#

non-ip-flow-rule (config-vap-grp context)


Creates or configures a non-IP flow rule for the VAP group that you are configuring. Places you into a context in which you can configure and activate the specified non-IP flow rule for the VAP group that you are configuring.

The NPM uses the non-IP flow rules configured for a VAP group to determine how to process each non-IP traffic flow (such as an IPX or Spanning Tree Protocol traffic flow) that arrives on a logical interface configured on the VAP group. Each VAP group non-IP flow rule is comprised of an action and a set of packet matching criteria. The NPM performs the action on flows that match the conditions defined in the packet matching criteria. For example, you can create a non-IP flow rule that instructs the NPM to send all Spanning-Tree-Protocol-related traffic destined for a VAP group to the master VAP for that VAP group.

You must configure each VAP group non-IP flow rule with one of three link encapsulation types:
- ethernet: Enables the NPM to process Ethernet encapsulated packets that arrive on logical interfaces configured for the VAP group. Configures the NPM to apply the VAP group non-IP flow rule's action only to Ethernet encapsulated packets that meet the flow rule's destination Ethernet protocol matching criteria.
- lsap: Enables the NPM to process LSAP encapsulated packets that arrive on logical interfaces configured for the VAP group. Configures the NPM to apply the VAP group non-IP flow rule's action only to LSAP encapsulated packets that meet the flow rule's Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) matching criteria.
- snap: Enables the NPM to process SNAP encapsulated packets that arrive on logical interfaces configured for the VAP group. Configures the NPM to apply the VAP group non-IP flow rule's action only to SNAP encapsulated packets that meet the flow rule's destination Ethernet protocol and Organization Unique Identifier (OUI) matching criteria.

NOTE: By default, the link encapsulation type for all VAP group non-IP flow rules is ethernet, and the destination Ethernet protocol matching criteria is set to any Ethernet protocol number. Use the show (non-ip-flow context) command to display the link encapsulation type and packet matching criteria defined for the VAP group non-IP flow rule that you are configuring.

You must activate a VAP group non-IP flow rule before it will take effect. By default, VAP group non-IP flow rules are not activated. See activate (non-ip-flow context) on page 351 for instructions on activating the VAP group non-IP flow rule that you are configuring. Use the no parameter to delete the specified non-IP flow rule.

Use the show (non-ip-flow context) command to display the current configuration for the VAP group non-IP flow rule that you are configuring. Use the show non-ip-flow command to display all non-IP flow rules currently configured for VAP groups configured on the X-Series Platform.

Syntax
[no] non-ip-flow-rule <non_IP_flow_rule_name>

Contexts and Subcommands


You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command. This command places you in the non-ip-flow context in which you can configure and activate the specified non-IP flow rule. You can access the following commands from this context:
- action drop (non-ip-flow context) on page 342
- action broadcast (non-ip-flow context) on page 343
- encapsulation ethernet (non-ip-flow context) on page 345
- encapsulation lsap (non-ip-flow context) on page 346
- encapsulation snap (non-ip-flow context) on page 348
- activate (non-ip-flow context) on page 351
- show (non-ip-flow context) on page 351

Parameters
The following table lists the parameters used with this command.

<non_IP_flow_rule_name>

Name assigned to the non-IP flow rule that you want to create or configure for the VAP group that you are configuring.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#

The following command creates a non-IP flow rule for the VAP group called testvapgroup and places you in the context in which you can configure and activate that non-IP flow rule (called testnoniprule):

CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#

action drop (non-ip-flow context)


Sets the action to drop for the VAP group non-IP flow rule that you are configuring. The NPM drops all non-IP packets arriving on logical interfaces configured for the VAP group that match the conditions defined in the VAP group non-IP flow rule's packet matching criteria. Use the show (non-ip-flow context) command to display the conditions defined in the packet matching criteria for the VAP group non-IP flow rule that you are configuring.

NOTE: The default action for all VAP group non-IP flow rules is drop. Use the show (non-ip-flow context) command to display the action for the system-level non-IP flow rule that you are configuring.

Syntax
action drop

Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow-rule)#

The following command sets the action for the non-IP flow rule called testnoniprule to drop:

CBS(conf-system-non-ip-flow)# action drop
CBS(conf-system-non-ip-flow)#

The NPM drops all non-IP packets that arrive on a logical interface configured for the VAP group called testvapgroup and that match the conditions defined in the packet matching criteria for the non-IP flow rule called testnoniprule.

action pass-to-master (non-ip-flow context)


Sets the action to pass-to-master for the non-IP flow rule that you are configuring. When the NPM encounters a non-IP packet that meets the packet-matching criteria defined in the non-IP flow rule, the NPM passes that non-IP packet to the master VAP in the associated VAP group. Use the show (non-ip-flow context) command to display the packet-matching criteria defined for the system-level non-IP flow rule that you are configuring.

Syntax
action pass-to-master

Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command and then entering non-ip-flow-rule <non_ip_flow_rule_name>.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the non-ip-flow context in which you can configure the non-IP flow rule called testipflow:

CBS# configure vap-group vapgrp1
CBS(conf-vap-grp)# non-ip-flow-rule testipflow
CBS(non-ip-flow)#

The following command sets the action for the non-IP flow rule called testipflow to pass-to-master:

CBS(non-ip-flow)# action pass-to-master
CBS(non-ip-flow)#

When the NPM encounters a non-IP packet that meets the packet-matching criteria defined for the non-IP flow rule called testipflow, the NPM passes that non-IP packet to the master VAP in the associated VAP group.

action broadcast (non-ip-flow context)


Sets the action to broadcast for the VAP group non-IP flow rule that you are configuring. When the NPM encounters a non-IP packet arriving on a logical interface configured for the VAP group that you are configuring, if that non-IP packet matches the conditions defined in the non-IP flow rule's packet matching criteria, the NPM passes that non-IP packet to every VAP in the VAP group. Use the show (non-ip-flow context) command to display the conditions defined in the packet matching criteria for the VAP group non-IP flow rule that you are configuring.

NOTE: The default action for all VAP group non-IP flow rules is drop. Use the no action command to restore this default action. See action drop (non-ip-flow context) on page 342 for more information about this action. Use the show (non-ip-flow context) command to display the action for the non-IP flow rule that you are configuring.

Syntax
action broadcast
no action

Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#

The following command sets the action for the non-IP flow rule called testnoniprule to broadcast:

CBS(non-ip-flow)# action broadcast
CBS(non-ip-flow)#

When the NPM encounters a non-IP packet arriving on a logical interface configured for the VAP group called testvapgroup, if that non-IP packet matches the conditions defined in the packet matching criteria for the non-IP flow rule called testnoniprule, the NPM passes that non-IP packet to every VAP in the VAP group.

encapsulation ethernet (non-ip-flow context)


Sets the link encapsulation type to ethernet and defines destination Ethernet protocol matching criteria for the VAP group non-IP flow rule that you are configuring. The NPM applies the VAP group non-IP flow rule only to Ethernet encapsulated packets arriving on logical interfaces configured for the VAP group that meet the specified destination Ethernet protocol matching criteria. Use the show (non-ip-flow context) command to display the destination Ethernet protocol matching criteria for the non-IP flow rule that you are configuring. By default, the destination Ethernet protocol matching criteria is set to any Ethernet protocol number. The NPM applies the non-IP flow rule to all Ethernet encapsulated packets arriving on logical interfaces configured for the VAP group. To restore this default behavior, use the encapsulation ethernet any command. NOTE: The default link encapsulation type for all VAP group non-IP flow rules is ethernet. Use the show (non-ip-flow context) command to display the link encapsulation type and packet matching criteria defined for the non-IP flow that you are configuring.

Syntax
encapsulation ethernet {any | type <Ethernet_protocol_number>}

Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

any

Sets the flow rule's destination Ethernet protocol matching criteria to any Ethernet protocol number. The NPM applies the non-IP flow rule's action to all Ethernet encapsulated packets arriving on the VAP group's logical interfaces. This is the default behavior for all VAP group non-IP flow rules configured with the link encapsulation type, ethernet.

type <Ethernet_protocol_number>

Configures the non-IP flow rule's destination Ethernet protocol matching criteria to include only the specified Ethernet protocol number. The NPM applies the non-IP flow rule's action only to Ethernet encapsulated packets whose destination Ethernet protocol number matches the specified Ethernet protocol number. Valid values are from 1519 to 65535, except for 2048 and 2054.

Restrictions
Default Privilege Level: 15
2048 and 2054 are not valid values for destination Ethernet protocol matching criteria for Ethernet encapsulation non-IP flow rules.

Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#

The following command sets the link encapsulation type for the non-IP flow rule called testnoniprule to ethernet and configures the flow rule's destination Ethernet protocol matching criteria to include only Ethernet protocol number 2000:

CBS(non-ip-flow)# encapsulation ethernet type 2000
CBS(non-ip-flow)#

The NPM applies the non-IP flow rule called testnoniprule only to Ethernet encapsulated packets that arrive on logical interfaces configured for the VAP group called testvapgroup and that have destination Ethernet protocol number 2000.

encapsulation lsap (non-ip-flow context)


Sets the link encapsulation type to lsap and defines Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) matching criteria for the VAP group non-IP flow rule that you are configuring. The NPM applies the non-IP flow rule's action only to LSAP encapsulated packets that meet the specified DSAP and SSAP matching criteria. Use the show (non-ip-flow context) command to display the DSAP and SSAP matching criteria for the VAP group non-IP flow rule that you are configuring.

By default, the DSAP matching criteria is set to any destination service access point number, and the SSAP matching criteria is set to any source service access point number. The NPM applies the non-IP flow rule's action to all LSAP encapsulated packets arriving on the VAP group's logical interfaces. To restore this default behavior, use the encapsulation lsap any command.

NOTE: The default link encapsulation type for all VAP group non-IP flow rules is ethernet. See encapsulation ethernet (non-ip-flow context) on page 345 for more information about this link encapsulation type. Use the show (non-ip-flow context) command to display the link encapsulation type for the VAP group non-IP flow rule that you are configuring.

Syntax
encapsulation lsap {any | dsap <DSAP_number> ssap <SSAP_number>}

Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

any

Sets the non-IP flow rule's DSAP and SSAP matching criteria to any destination service access point number and any source service access point number. The NPM applies the non-IP flow rule's action to all LSAP encapsulated packets arriving on the VAP group's logical interfaces. This is the default behavior for all VAP group non-IP flow rules configured with the link encapsulation type, lsap.

dsap <DSAP_number>

Configures the flow rule's Destination Service Access Point (DSAP) matching criteria to include only the specified DSAP number. The NPM applies the non-IP flow rule's action only to LSAP encapsulated packets whose DSAP number matches the specified DSAP number. Valid values are from 0 to 255.

ssap <SSAP_number>

Configures the flow rule's Source Service Access Point (SSAP) matching criteria to include only the specified SSAP number. The NPM applies the non-IP flow rule's action only to LSAP encapsulated packets whose SSAP number matches the specified SSAP number. Valid values are from 0 to 255.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#

The following command sets the link encapsulation type for the non-IP flow rule called testnoniprule to lsap, configures the flow rule's DSAP matching criteria to include only DSAP number 10, and configures the flow rule's SSAP matching criteria to include only SSAP number 15:

CBS(non-ip-flow)# encapsulation lsap dsap 10 ssap 15
CBS(non-ip-flow)#

The NPM applies the non-IP flow rule called testnoniprule only to LSAP encapsulated packets that arrive on a logical interface configured for the VAP group called testvapgroup and that have Destination Service Access Point number 10 and Source Service Access Point number 15.

encapsulation snap (non-ip-flow context)


Sets the link encapsulation type to snap and defines destination SNAP protocol and Organization Unique Identifier (OUI) matching criteria for the VAP group non-IP flow rule that you are configuring. The NPM applies the VAP group non-IP flow rule only to SNAP encapsulated packets that meet the specified destination Ethernet protocol and OUI matching criteria. Use the show (non-ip-flow context) command to display the destination Ethernet protocol and OUI matching criteria for the VAP group non-IP flow rule that you are configuring.

By default, the destination Ethernet protocol matching criteria is set to any Ethernet protocol number and the OUI matching criteria is set to 0. (No OUI matching criteria are used.) The NPM applies the VAP group non-IP flow rule's action to all SNAP encapsulated packets arriving on the VAP group's logical interfaces.

NOTE: The default link encapsulation type for all VAP group non-IP flow rules is ethernet. See encapsulation ethernet (non-ip-flow context) on page 345 for more information about this link encapsulation type. Use the show (non-ip-flow context) command to display the link encapsulation type for the VAP group non-IP flow rule that you are configuring.

Syntax
encapsulation snap {any | type <Ethernet_protocol_number> [oui <OUI_number>]}

Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

any

Sets the non-IP flow rule's destination Ethernet protocol matching criteria to any Ethernet protocol number and sets the OUI matching criteria to 0. (No OUI matching criteria are used.) The NPM applies the non-IP flow rule's action to all SNAP encapsulated packets arriving on the VAP group's logical interfaces. This is the default behavior for all VAP group non-IP flow rules configured with the link encapsulation type, snap.

type <Ethernet_protocol_number>

Configures the flow rule's destination Ethernet protocol matching criteria to include only the specified Ethernet protocol number. The NPM applies the non-IP flow rule's action only to SNAP encapsulated packets whose destination Ethernet protocol number matches the specified Ethernet protocol number. Valid values are from 1519 to 65535.

oui <OUI_number>

Configures the flow rule's Organization Unique Identifier (OUI) matching criteria to include only the specified OUI number. The NPM applies the non-IP flow rule's action only to SNAP encapsulated packets whose OUI number matches the specified OUI number. Valid values are from 0 to 16777215. Default is 0. (Do not include OUI number matching criteria in the packet matching criteria definition.)

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#

The following command sets the link encapsulation type for the non-IP flow rule called testnoniprule to snap, configures the flow rule's destination Ethernet protocol matching criteria to include only Ethernet protocol number 2000, and configures the flow rule's OUI matching criteria to include only OUI number 10:

CBS(non-ip-flow)# encapsulation snap type 2000 oui 10
CBS(non-ip-flow)#

The NPM applies the non-IP flow rule called testnoniprule only to SNAP encapsulated packets that arrive on a logical interface configured for the VAP group called testvapgroup and that have destination Ethernet protocol number 2000 and Organization Unique Identifier 10.
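The three link encapsulation types described in the preceding sections, as an added Python example (not Crossbeam code and not part of the original guide): it classifies a raw frame as ethernet, lsap or snap using the standard IEEE 802.3/802.2 framing rules, checks rule parameters against the ranges documented above, and returns the action of the first active matching rule. The class and function names, the first-match list ordering, the restriction to untagged frames and the sample frames and rules are assumptions constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Parameter ranges documented on this page for the encapsulation commands.
ETH_TYPE_MIN, ETH_TYPE_MAX = 1519, 65535
ETH_TYPE_EXCLUDED = {2048, 2054}     # not valid for "encapsulation ethernet"
OUI_MAX = 16777215


@dataclass
class NonIpFlowRule:
    """Model of one non-IP flow rule; field names are this example's own."""
    name: str
    encapsulation: str = "ethernet"  # documented default
    eth_type: Optional[int] = None   # None models the "any" keyword
    dsap: Optional[int] = None
    ssap: Optional[int] = None
    oui: int = 0                     # 0 = no OUI matching (documented default)
    action: str = "drop"             # documented default
    active: bool = False             # rules are deactivated by default

    def validate(self):
        """Return a list of violations of the documented parameter ranges."""
        errors = []
        if self.encapsulation not in ("ethernet", "lsap", "snap"):
            errors.append("unknown encapsulation")
        if self.encapsulation in ("ethernet", "snap") and self.eth_type is not None:
            if not ETH_TYPE_MIN <= self.eth_type <= ETH_TYPE_MAX:
                errors.append(f"type {self.eth_type} outside 1519-65535")
            elif self.encapsulation == "ethernet" and self.eth_type in ETH_TYPE_EXCLUDED:
                errors.append(f"type {self.eth_type} not valid for ethernet rules")
        if self.encapsulation == "lsap":
            if (self.dsap is None) != (self.ssap is None):
                errors.append("dsap and ssap must be given together")
            for label, value in (("dsap", self.dsap), ("ssap", self.ssap)):
                if value is not None and not 0 <= value <= 255:
                    errors.append(f"{label} {value} outside 0-255")
        if not 0 <= self.oui <= OUI_MAX:
            errors.append(f"oui {self.oui} outside 0-16777215")
        return errors


def classify_frame(frame):
    """Return encapsulation and match fields of an untagged frame, or None."""
    if len(frame) < 14:
        return None
    (field,) = struct.unpack("!H", frame[12:14])
    if field >= 1536:                # Ethernet II: the field is an EtherType
        return {"encapsulation": "ethernet", "eth_type": field}
    if field > 1500 or len(frame) < 17:
        return None                  # undefined length/type value or truncated LLC
    dsap, ssap, control = frame[14], frame[15], frame[16]
    if (dsap, ssap, control) == (0xAA, 0xAA, 0x03) and len(frame) >= 22:
        return {"encapsulation": "snap",
                "oui": int.from_bytes(frame[17:20], "big"),
                "eth_type": struct.unpack("!H", frame[20:22])[0]}
    return {"encapsulation": "lsap", "dsap": dsap, "ssap": ssap}


def rule_matches(rule, info):
    """Only active rules are applied; criteria depend on the encapsulation."""
    if not rule.active or info is None or rule.encapsulation != info["encapsulation"]:
        return False
    if rule.encapsulation == "ethernet":
        return rule.eth_type in (None, info["eth_type"])
    if rule.encapsulation == "lsap":
        return rule.dsap is None or (rule.dsap, rule.ssap) == (info["dsap"], info["ssap"])
    return rule.eth_type in (None, info["eth_type"]) and rule.oui in (0, info["oui"])


def apply_rules(rules, frame):
    """Action of the first matching rule in list order (assumed), else None."""
    info = classify_frame(frame)
    for rule in rules:
        if rule_matches(rule, info):
            return rule.action
    return None


def _frame(dst, src, type_or_len, payload):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", type_or_len) + payload


# Constructed sample frames: an STP BPDU (LLC, DSAP/SSAP 0x42), a SNAP frame
# with OUI 0x00000C and type 0x2000, and an Ethernet II frame with type 0x8137 (IPX).
STP_BPDU = _frame("0180c2000000", "001122334455", 38, bytes([0x42, 0x42, 0x03]) + bytes(35))
SNAP_FRAME = _frame("01000ccccccc", "001122334455", 30,
                    bytes.fromhex("aaaa03" "00000c" "2000") + bytes(22))
IPX_FRAME = _frame("ffffffffffff", "001122334455", 0x8137, bytes(46))

# Constructed rule set; the third rule is left deactivated on purpose.
RULES = [
    NonIpFlowRule("stp-to-master", "lsap", dsap=66, ssap=66,
                  action="pass-to-master", active=True),
    NonIpFlowRule("snap-drop", "snap", eth_type=8192, oui=12, active=True),
    NonIpFlowRule("ipx-broadcast", "ethernet", eth_type=33079, action="broadcast"),
]

if __name__ == "__main__":
    for label, frame in (("STP", STP_BPDU), ("SNAP", SNAP_FRAME), ("IPX", IPX_FRAME)):
        print(label, classify_frame(frame), "->", apply_rules(RULES, frame))
```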

core-assignment (non-ip-flow-rule context)


This command affects the way that packets are processed by the cores on an APM. An APM can have multiple processors and each processor can have multiple cores. The numbers depend on the AP model. To make effective use of the cores on the APM to enhance traffic throughput, users may consider the core-assignment schemes, especially for IPv6 traffic. When non-IP (including IPv6) packets are forwarded to an APM, the core-assignment scheme specified by the matching non-ip-flow-rule governs the distribution of the packets to a set of cores.

Syntax
[no] core-assignment {random-single-core | multi-core-processing | multi-proc-processing}

Context
You access this command from the non-ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.

Parameters
The following table lists the parameters used with this command.

Parameter: Description

random-single-core

Directs all packets of a non-IP flow to a single core on the APM that has been selected for this flow.

multi-core-processing

Distributes packets of a non-IP flow across all cores on a single processor on the APM that has been selected for this flow.

multi-proc-processing

Distributes packets across all cores on all processors on the APM that has been selected for this flow.

Restrictions
Default Privilege Level: 15

Example
In this example, the X-Series Platform system administrator wants to configure flow provisioning for the VAP group called testvapgroup so that all cores on the APM processor selected for the flow are used.
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)# core-assignment multi-core-processing
CBS(non-ip-flow)# end
CBS#


activate (non-ip-flow context)


Activates or deactivates (using no) the VAP group non-IP flow rule that you are configuring. By default, all VAP group non-IP flow rules are deactivated.

IMPORTANT: The NPM only applies a VAP group's active non-IP flow rules to new non-IP flows arriving on logical interfaces configured for the VAP group.

Use the show (non-ip-flow context) command to determine whether the non-IP flow rule that you are configuring has been activated for the VAP group that you are configuring.

Syntax
[no] activate

Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#
The following command activates the non-IP flow rule called testnoniprule for the VAP group called testvapgroup:
CBS(non-ip-flow)# activate
CBS(non-ip-flow)#
The NPM now applies this non-IP flow rule's action to all new non-IP flows that arrive on logical interfaces configured for the VAP group called testvapgroup, that use the flow rule's link encapsulation type, and that match the conditions defined in the flow rule's packet matching criteria.

show (non-ip-flow context)


Displays the current configuration for the VAP group non-IP flow rule that you are currently configuring.

Syntax
show


Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.

Output
This command displays information about a VAP group non-IP flow rule using one of the following formats:

Output for VAP group non-IP flow rules with a link encapsulation type, ethernet:
Non IP Flow Rule       : <non_IP_flow_rule_name>
VAP Group              : <VAP_group_name>
Encapsulation          : ethernet
Type                   : <destination_Ethernet_protocol_number>
Action                 : {drop | broadcast | pass-to-master}
Activate (true/false)  : {t | f}
Core Assignment        : <core_assignment_method>
(1 row)

Output for VAP group non-IP flow rules with a link encapsulation type, lsap:
Non IP Flow Rule       : <non_IP_flow_rule_name>
VAP Group              : <VAP_group_name>
Encapsulation          : lsap
Type                   : 10/15 (dsap/ssap)
Action                 : {drop | broadcast | pass-to-master}
Activate (true/false)  : {t | f}
Core Assignment        : <core_assignment_method>
(1 row)

Output for VAP group non-IP flow rules with a link encapsulation type, snap:
Non IP Flow Rule       : <non_IP_flow_rule_name>
VAP Group              : <VAP_group_name>
Encapsulation          : snap
Type                   : <destination_Ethernet_protocol_number>
OUI                    : <OUI_number>
Action                 : {drop | broadcast | pass-to-master}
Activate (true/false)  : {t | f}
Core Assignment        : <core_assignment_method>
(1 row)

The following table describes the information provided in each column/row.

Column/Row Heading: Information Provided

Non IP Flow Rule

Name assigned to the non-IP flow rule. See configure system-non-ip-flow-rule on page 287 for information on assigning a name to a new system-level non-IP flow rule.

VAP Group

Name assigned to the VAP group for which the non-IP flow rule is configured. See configure vap-group on page 173 for information on assigning a name to a new VAP group.

Encapsulation

Link encapsulation type (ethernet, lsap, or snap) defined for the non-IP flow rule. Default is ethernet. Refer to the following three sections for information about each link encapsulation type:
encapsulation ethernet (non-ip-flow context) on page 345
encapsulation lsap (non-ip-flow context) on page 346
encapsulation snap (non-ip-flow context) on page 348

Type (when link encapsulation type is ethernet or snap)

Destination Ethernet protocol matching criteria defined for the VAP group non-IP flow rule. This row displays one of the following types of destination Ethernet protocol matching criteria:
any: Default setting. Destination Ethernet protocol matching criteria is set to any Ethernet protocol number. The NPM applies the non-IP flow rule's action to all Ethernet encapsulated packets or all SNAP encapsulated packets arriving on the VAP group's logical interfaces.
User-defined destination Ethernet protocol number: Destination Ethernet protocol matching criteria includes only the specified Ethernet protocol number. NPM applies the non-IP flow rule's action only to Ethernet or SNAP encapsulated packets with the specified destination Ethernet protocol number.
See encapsulation ethernet (non-ip-flow context) on page 345 for information on setting destination Ethernet protocol matching criteria for Ethernet encapsulation non-IP flow rules configured for a VAP group. See encapsulation snap (non-ip-flow context) on page 348 for information on setting destination Ethernet protocol matching criteria for SNAP encapsulation non-IP flow rules configured for a VAP group.

Type (when link encapsulation type is lsap)

Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) matching criteria defined for the VAP group non-IP flow rule. This row displays one of the following types of DSAP and SSAP matching criteria:
any: Default setting. DSAP matching criteria is set to any DSAP number, and SSAP matching criteria is set to any SSAP number. The NPM applies the non-IP flow rule's action to all LSAP encapsulated packets arriving on the VAP group's logical interfaces.
User-defined DSAP and SSAP numbers: DSAP and SSAP matching criteria include only the specified DSAP and SSAP numbers. NPM applies the non-IP flow rule's action only to LSAP encapsulated packets with the specified DSAP and SSAP numbers.
See encapsulation lsap (non-ip-flow context) on page 346 for information on setting DSAP and SSAP matching criteria for LSAP encapsulation non-IP flow rules configured for a VAP group.

OUI

Organization Unique Identifier (OUI) matching criteria defined for the VAP group non-IP flow rule. NPM applies the non-IP flow rule's action only to SNAP encapsulated packets with the specified OUI number. NOTE: This row appears only if OUI matching criteria is defined for the non-IP flow rule. See encapsulation snap (non-ip-flow context) on page 348 for information on setting OUI matching criteria for SNAP encapsulation non-IP flow rules configured for a VAP group.

Action

Specifies the action for the VAP group's non-IP flow rule (drop or broadcast). Default is drop. Refer to the following sections for information about these actions:
action drop (non-ip-flow context) on page 342
action broadcast (non-ip-flow context) on page 343
action pass-to-master (non-ip-flow context) on page 342

Activate (true/false)

Specifies whether the VAP group non-IP flow rule is activated (t) or deactivated (f). Default is deactivated (f). See activate (non-ip-flow context) on page 351 for information on enabling and disabling non-IP flow rules configured for a VAP group.

Restrictions
Default Privilege Level: 15


Examples
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#

The following command displays configuration settings for the non-IP flow rule called testnoniprule, with that flow rule configured for Ethernet link encapsulation:
CBS(non-ip-flow)# show
Non IP Flow Rule       : testnoniprule
VAP Group              : testvapgroup
Encapsulation          : ethernet
Type                   : 2000
Action                 : drop
Activate (true/false)  : t
(1 row)

The following command displays configuration settings for the non-IP flow rule called testnoniprule, with that flow rule configured for LSAP link encapsulation:
CBS(non-ip-flow)# show
Non IP Flow Rule       : testnoniprule
VAP Group              : testvapgroup
Encapsulation          : lsap
Type                   : 10/15 (dsap/ssap)
Action                 : drop
Activate (true/false)  : t
(1 row)

The following command displays configuration settings for the system-level non-IP flow rule called testnoniprule, with that flow rule configured for SNAP link encapsulation:
CBS(non-ip-flow)# show
Non IP Flow Rule       : testnoniprule
VAP Group              : testvapgroup
Encapsulation          : snap
Type                   : 2000
OUI                    : 10
Action                 : drop
Activate (true/false)  : t
(1 row)
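The three rule shapes shown in the examples above (ethernet 2000, lsap 10/15, snap 2000 with OUI 10) can be checked against frames offline with a small model. This is an added example, not XOS code and not part of the guide: the rule names, the helper functions and the frames are constructed, the numbers are read as decimal, frames are assumed untagged and already known to be non-IP, and the split between Ethernet II and 802.3 framing follows IEEE 802.3 rather than any documented NPM behaviour.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NonIpRule:
    name: str                        # hypothetical names, used only in this example
    encapsulation: str               # "ethernet", "lsap" or "snap"
    proto_type: Optional[int] = None  # Ethernet protocol number; None models "any"
    dsap: Optional[int] = None       # None models "any"
    ssap: Optional[int] = None
    oui: int = 0                     # 0: OUI is not part of the matching criteria
    active: bool = False             # rules stay deactivated until "activate" is issued


def classify(frame: bytes) -> Optional[dict]:
    """Return the link encapsulation and the header fields the rules match on."""
    if len(frame) < 14:
        return None                  # too short to hold an Ethernet header
    (field,) = struct.unpack_from("!H", frame, 12)
    if field >= 0x0600:              # IEEE 802.3: 1536 and above is an EtherType
        return {"encapsulation": "ethernet", "type": field}
    if field > 1500 or len(frame) < 17:
        return None                  # undefined length range, or truncated LLC header
    dsap, ssap, control = frame[14:17]
    if (dsap, ssap, control) == (0xAA, 0xAA, 0x03):   # LLC header announcing SNAP
        if len(frame) < 22:
            return None              # truncated SNAP header
        oui = int.from_bytes(frame[17:20], "big")
        (ptype,) = struct.unpack_from("!H", frame, 20)
        return {"encapsulation": "snap", "oui": oui, "type": ptype}
    return {"encapsulation": "lsap", "dsap": dsap, "ssap": ssap}


def rule_matches(rule: NonIpRule, fields: Optional[dict]) -> bool:
    if fields is None or not rule.active:
        return False
    if rule.encapsulation != fields["encapsulation"]:
        return False
    if rule.encapsulation == "lsap":
        return (rule.dsap in (None, fields["dsap"])
                and rule.ssap in (None, fields["ssap"]))
    if rule.proto_type is not None and rule.proto_type != fields["type"]:
        return False
    if rule.encapsulation == "snap" and rule.oui != 0:
        return rule.oui == fields["oui"]
    return True


def matching_rules(rules: List[NonIpRule], frame: bytes) -> List[str]:
    """Names of the active rules that apply; an empty list corresponds to the
    "No L2 policy match" drop reason reported by show flow active."""
    fields = classify(frame)
    return [r.name for r in rules if rule_matches(r, fields)]


# Constructed frames: destination MAC, source MAC, then the encapsulation header.
MACS = bytes.fromhex("020000000002" "020000000001")


def ethernet_ii(ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    return MACS + struct.pack("!H", ethertype) + payload


def llc(dsap: int, ssap: int, payload: bytes = b"\x00" * 43) -> bytes:
    body = bytes([dsap, ssap, 0x03]) + payload
    return MACS + struct.pack("!H", len(body)) + body


def snap(oui: int, ptype: int, payload: bytes = b"\x00" * 38) -> bytes:
    body = (b"\xaa\xaa\x03" + oui.to_bytes(3, "big")
            + struct.pack("!H", ptype) + payload)
    return MACS + struct.pack("!H", len(body)) + body


RULES = [
    NonIpRule("eth2000", "ethernet", proto_type=2000, active=True),
    NonIpRule("lsap10_15", "lsap", dsap=10, ssap=15, active=True),
    NonIpRule("snap2000_oui10", "snap", proto_type=2000, oui=10, active=True),
    NonIpRule("snap_any_inactive", "snap"),   # would match any SNAP frame, never activated
]

if __name__ == "__main__":
    for label, frame in [("ethernet 2000", ethernet_ii(2000)),
                         ("lsap 10/15", llc(10, 15)),
                         ("snap 2000 oui 10", snap(10, 2000)),
                         ("snap 2000 oui 11", snap(11, 2000))]:
        print(label, "->", matching_rules(RULES, frame) or "No L2 policy match")
```

The deactivated catch-all rule never appears in the result, which mirrors the default of `Activate (true/false) : f` for a newly created rule.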


Commands for Monitoring Flows and Managing Flow Rule Conflicts


This section describes the commands that you can use to monitor flows moving through the X-Series Platform and configure the NPM to manage flow rule conflicts. This section contains the following command descriptions:
show flow active on page 357
show flow-path active on page 370
show flow distribution on page 382
show npm-originated-flow-stats on page 385
configure check-flow-rule on page 387


show flow active


Displays information currently stored in the Active Flow Table (AFT) on the Network Processor Modules (NPMs) running on the X-Series Platform. NOTE: Refer to the XOS Configuration Guide for more information about Active Flow Tables on NPMs.

Use this command to determine whether flows are arriving on the NPMs and to determine whether the NPMs are dropping those flows or sending them on to virtual application processor (VAP) groups configured on the X-Series Platform.

You can use the verbose parameter to change the format in which the CLI displays the output of the command and to display additional information about each active flow. See Verbose Output on page 364 for a detailed description of the verbose output of this command.

By default, this command's output is static; the CLI displays the current state of the active flows that exist when you issue the command and does not display updated information when the state of an existing flow changes or when a new flow arrives on the X-Series Platform. Use the poll parameter to continuously poll the NPMs and display updated information at regular intervals. Use this parameter to continuously monitor traffic over time, observing changes in the states of existing flows and obtaining information about new flows that arrive on the X-Series Platform. NOTE: Press Ctrl-y to stop updating the command output and return to the CLI prompt.

By default, this command displays information about all active flows. You can use one or more of the following parameters to filter the command output to display information only about the active flows that match the criteria that you specify with the parameters:
source-address
destination-address
source-port
destination-port
protocol
domain
circuit-id
module
master-npm
fast-path-only
verbose
poll
sort
validated
validation-pending
no-validation

By default, this command lists the active flows in the order in which they appear in the AFT. Use the sort parameter to sort the list of flows, as described in Parameters on page 358.

Syntax
show flow active [verbose] [poll <polling_interval>]
[source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
[destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
[source-port {<port_number> | <lowest_port_number> <highest_port_number>}]
[destination-port {<port_number> | <lowest_port_number> <highest_port_number>}]
[protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}]
[domain {<domain_ID> | <lowest_domain_ID> <highest_domain_ID>}]
[circuit-id {<cct_ID_number> | <lowest_cct_ID_number> <highest_cct_ID_number>}]
[module {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}]
[master-npm {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}]
[fast-path-only] [sort] [validated | validation-pending | no-validation]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description

verbose

Changes the format in which the CLI displays the output of the command and displays additional information about flows sent to a VAP in a VAP group. See Default Output on page 361 for more details.

poll <polling_interval>

Polls the NPMs continuously and displays updated information every <polling_interval> seconds. NOTE: Press Ctrl-y to stop polling the NPMs and return to the CLI prompt. Valid values for <polling_interval> are from 1 to 3600.

source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}

Filters the command output using the specified source IP address matching criteria. Specify a single IP address to display information only about active flows that have the specified source IP address. Specify a range of IP addresses to display information only about active flows whose source IP addresses are within the specified range.

destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}

Filters the command output using the specified destination IP address matching criteria. Specify a single IP address to display information only about active flows that have the specified destination IP address. Specify a range of IP addresses to display information only about active flows whose destination IP addresses are within the specified range.

source-port {<port_number> | <lowest_port_number> <highest_port_number>}

Filters the command output using the specified source port matching criteria. Specify a single port number to display information only about active flows that have the specified source port number. Specify a range of port numbers to display information only about active flows whose source port numbers are within the specified range.


destination-port {<port_number> | <lowest_port_number> <highest_port_number>}

Filters the command output using the specified destination port matching criteria. Specify a single port number to display information only about active flows that have the specified destination port number. Specify a range of port numbers to display information only about active flows whose destination port numbers are within the specified range.

protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}

Filters the command output using the specified protocol matching criteria. Specify a single protocol number to display information only about active flows that have the specified protocol number. Specify a range of protocol numbers to display information only about active flows whose protocol numbers are within the specified range.

domain {<domain_ID> | <lowest_domain_ID> <highest_domain_ID>}

Filters the command output using the specified domain matching criteria. Specify a single domain ID number to display information only about active flows received on circuits with the specified domain ID number. Specify a range of domain ID numbers to display information only about active flows received on circuits whose domain ID numbers are within the specified range. Use the show circuit command to display the domain ID numbers assigned to circuits configured on the X-Series Platform.

NOTE: By default, XOS assigns all new circuits to domain number 1. You can assign a circuit to a different domain by specifying the domain parameter with the configure circuit command. If you assign a single domain ID to all of the circuits configured for a VAP group, you can use the show flow active command to monitor the status of all of the flows that arrive on that VAP group. This is particularly useful when monitoring flows that pass through multiple, serialized VAP groups, since you can assign a unique domain ID to each VAP group's circuits.


circuit-id {<cct_ID_number> | <lowest_cct_ID_number> <highest_cct_ID_number>}

Filters the command output using the specified circuit ID matching criteria. Specify a single circuit ID number to display information only about active flows received on the circuit with the specified circuit ID number. Specify a range of circuit ID numbers to display information only about active flows received on the circuits whose circuit ID numbers are within the specified range. Use the show circuit command to display the circuit ID numbers assigned to circuits configured on the X-Series Platform.

NOTE: XOS assigns a default circuit ID number to every new circuit. You can assign a new circuit ID number to a circuit by specifying the circuit-id parameter with the configure circuit command.

module {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}

Filters the command output using the specified originating NPM matching criteria. Specify a single NPM slot number to display information only about active flows that originate on the NPM with the specified slot number. Specify a range of NPM slot numbers to display information only about active flows that originate on the NPMs whose slot numbers are within the specified range.

master-npm {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}

Filters the command output using the specified master NPM matching criteria. Specify a single NPM slot number to display information only about active flows whose master NPM has the specified slot number. Specify a range of NPM slot numbers to display information only about active flows whose master NPM has a slot number within the specified range.

fast-path-only

Filters the command output to display information only about active flows that originate on an NPM and are processed using the Fast Path. NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.

sort

Sorts the list of active flows that the command displays, using the following criteria, in the order shown. The CLI sorts the list of flows:
1. first by destination IP address
2. then by source IP address
3. then by protocol number
4. then by destination port
5. then by source port


validated

Displays flows that have been validated by the TCP flow setup validation scheme.

validation-pending

Displays flows that are subject to validation but have not yet been validated by the TCP flow setup validation scheme.

no-validation

Displays flows that are not subject to the TCP flow setup validation scheme. Included are non-TCP flows.

Default Output
By default, the show flow active command displays information in a table, using the following format:

Module              Source       Destination  Prot  Dom    TTI/MAX
<NPM_or_VAP_name1>  <IP>:<port>  <IP>:<port>  <#>   <ID#>  <mm:ss>/<mm:ss>
    Modules <VAP_name1>, <VAP_name2> ...
    rx circuit <ID#>  Master <NPM_name>  Fast Path {Y|N}  rx packets <#>
<NPM_or_VAP_name2>  <IP>:<port>  <IP>:<port>  <#>   <ID#>  <mm:ss>/<mm:ss>
    {Re-routing | Drop(<drop_reason_ID>)}
    rx circuit <ID#>  Master <NPM_name>  Fast Path {Y|N}  rx packets <#>

The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing. The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.

The following table describes the information provided in each column/row/field in the command output.

Column/Row Heading or Field: Information Provided

Module <NPM_or_VAP_nameN>

Name of the NPM or VAP from which the flow originates.
An NPM name has the format: np<NPM_slot_number>
Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.
A VAP name has the format: <VAP_group_name>_<VAP_index_number>
Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.

Source <IP>:<port>

Source IP address and source port number for the flow.

Destination <IP>:<port>

Destination IP address and destination port number for the flow.

Prot <#>

Numeric identifier for the protocol that the flow uses.

Dom <ID#>

Domain ID number assigned to the circuit on which the originating NPM or VAP receives the flow.

TTI/MAX <mm:ss>/<mm:ss>

TTI (time to idle): the amount of time that the flow can remain idle before the NPM deletes that flow from the AFT.
MAX (maximum idle time): the maximum amount of time that the flow can be idle before the NPM deletes that flow from the AFT.
Both TTI and MAX are displayed in minutes and seconds, using the format, mm:ss. For example, 8 minutes and 7 seconds has the format, 08:07. TTI is equal to MAX when the flow is active. When the flow becomes idle, TTI begins to count down to 00:00. If TTI reaches 00:00 before the flow becomes active again, the NPM deletes the flow from the AFT.

Modules <VAP_name1>, <VAP_name2> ...

Name(s) of the VAPs to which the originating NPM or VAP transfers the flow.


{Re-routing | Drop(<drop_reason_ID>)}

Indicates one of the following:
Re-routing: Originating NPM or VAP re-routes the flow to an external system.
Drop(<drop_reason_ID>): Originating NPM or VAP drops the flow for the reason specified by <drop_reason_ID>.

Possible values for <drop_reason_ID> are:
No L2 policy match: There are no non-IP flow rules that apply to this layer 2 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
No L3 policy match: There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
L3 drop policy: This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
PS2Master failed: A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
PS2IDX failed: A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
Load-balance failed: A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
Broadcast failed: A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
No Reason: One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.


rx circuit <ID#>

Circuit ID number assigned to the circuit on which the flow is received. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.

Master <NPM_name>

Master NPM assigned to the flow.

Fast Path {Y|N}

Fast Path Y: Indicates that the flow originates on an NPM and that the NPM processes the flow using the Fast Path. NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.

rx packets <#>

Number of packets that the originating NPM or VAP has received as part of this flow.

Verbose Output
The verbose output for this command has the following format:

<NPM_or_VAP_Name1>
Source Addr <IP_address>, Destination Addr <IP_address>
Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
TTI <tti_mm:ss> out of <max_mm:ss> configured
Modules <VAP_name1>, <VAP_name2> ...
Rx Available Slots <VAP_name1>, <VAP_name2> ...
Ageout <#_of_seconds>
rx circuit <ID#> Master <NPM_name> Fast Path {Y|N} rx packets <#>

<NPM_or_VAP_Name2>
Source Addr <IP_address>, Destination Addr <IP_address>
Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
TTI <tti_mm:ss> out of <max_mm:ss> configured
{Re-routing | Drop(<drop_reason_ID>)}
Rx Available Slots <VAP_name1>, <VAP_name2> ...
Ageout <#_of_seconds>
rx circuit <ID#> Master <NPM_name> Fast Path {Y|N} rx packets <#>

The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing. The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.


The following table describes the information provided in each column/row/field in the command output.

Column/Row Heading or Field: Information Provided

<NPM_or_VAP_nameN>

Name of the NPM or VAP from which the flow originates.
An NPM name has the format: np<NPM_slot_number>
Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.
A VAP name has the format: <VAP_group_name>_<VAP_index_number>
Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.

Source Addr <IP_address>

Source IP address for the flow.

Destination Addr <IP_address>

Destination IP address for the flow.

Protocol <prot_name> (<#>)

Name of the protocol that the flow uses and the numeric identifier for that protocol. For example, if the flow uses UDP, this field displays: Protocol udp (17)

Dest Port {<#> | <port_prot>(<#>)}

Destination port number for the flow or destination port protocol and port number for the flow. NOTE: Destination port protocol appears only if the destination port has a standard protocol. For example, if the destination port is 80, this field displays: Dest Port http (80)

Source Port {<#> | <port_prot>(<#>)}

Source port number for the flow or source port protocol and port number for the flow. NOTE: Source port protocol appears only if the source port has a standard protocol. For example, if the source port is 80, this field displays: Dest Port http (80)

Domain <ID#>

Domain ID number assigned to the circuit on which the originating NPM or VAP receives the flow.


TTI <tti_mm:ss> out of <max_mm:ss> configured

<tti_mm:ss>: Time to idle (TTI), the amount of time that the flow can remain idle before the NPM deletes that flow from the AFT.
<max_mm:ss>: Maximum idle time, the maximum amount of time that the flow can be idle before the NPM deletes that flow from the AFT.
Both TTI and maximum idle time are displayed in minutes and seconds, using the format, mm:ss. For example, 8 minutes and 7 seconds has the format, 08:07. TTI is equal to maximum idle time when the flow is active. When the flow becomes idle, TTI begins to count down to 00:00. If TTI reaches 00:00 before the flow becomes active again, the NPM deletes the flow from the AFT.

Modules <VAP_name1>, <VAP_name2> ...

Name(s) of the VAPs to which the originating NPM or VAP transfers the flow.


{Re-routing | Drop(<drop_reason_ID>)}

Indicates one of the following:
Re-routing: Originating NPM or VAP re-routes the flow to an external system.
Drop(<drop_reason_ID>): Originating NPM or VAP drops the flow for the reason specified by <drop_reason_ID>.

Possible values for <drop_reason_ID> are:
No L2 policy match: There are no non-IP flow rules that apply to this layer 2 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
No L3 policy match: There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
L3 drop policy: This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
PS2Master failed: A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
PS2IDX failed: A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
Load-balance failed: A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
Broadcast failed: A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
No Reason: One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.

Rx Available Slots <VAP_name1>, <VAP_name2> ...

VAPs that can be used to transmit packets.


Ageout <#_of_seconds>

Number of seconds the flow will remain in the active flow table.

rx circuit <ID#>

Circuit ID number assigned to the circuit on which the flow is received. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.

Master <NPM_name>

Master NPM assigned to the flow.

Fast Path {Y|N}

Fast Path Y: Indicates that the flow originates on an NPM and that the NPM processes the flow using the Fast Path. NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.

rx packets <#>

Number of packets that the originating NPM or VAP has received as part of this flow.

Restrictions
Default Privilege Level: 0

Examples
Example 1: Displaying all Active Flows Using the Default Command Output Format

The following command displays information about all active flows on an X-Series Platform on which a VAP group called testvapgroup is currently running a firewall application:

CBS# show flow active
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
Module          Source           Destination      Prot  Dom  TTI/MAX
testvapgroup_1  0.0.0.0:8116     3.3.3.0:8116     17    1    01:00/01:00
    Modules testvapgroup_2, testvapgroup_3
    rx circuit 1026  Master np1  Fast Path N  rx packets 732
testvapgroup_2  3.3.3.6:0        224.0.0.22:0                00:25/00:30
    Drop(No reason)
    rx circuit 1026  Master np1  Fast Path N  rx packets 0
np3             192.168.5.1:257  192.168.5.4:397  6          09:12/10:00
    Modules testvapgroup_1
    rx circuit 1025  Master np1  Fast Path Y  rx packets 24
CBS#


Example 2: Filtering the Default Command Output Format

The following command displays information only about the active flows using protocol 17:

CBS# show flow active protocol 17
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
Module          Source        Destination   Prot  Dom  TTI/MAX
testvapgroup_1  0.0.0.0:8116  3.3.3.0:8116  17    1    01:00/01:00
    Modules testvapgroup_2, testvapgroup_3
    rx circuit 1026  Master np1  Fast Path N  rx packets 732
CBS#

Example 3: Displaying all Active Flows Using the Verbose Command Output Format

The following command displays information about all active flows on an X-Series Platform on which a VAP group called testvapgroup is currently running a firewall application:

CBS# show flow active verbose
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
testvapgroup_1  Source Addr 0.0.0.0, Destination Addr 3.3.3.0
    Protocol udp (17), Dest Port 8116, Source Port 8116, Domain 1
    TTI 01:00 out of 01:00 configured
    Modules testvapgroup_2, testvapgroup_3
    Rx Available Slots testvapgroup_1
    Ageout 60  rx circuit 1026  Master np1  Fast Path N  rx packets 856
testvapgroup_1  Source Addr 3.3.3.6, Destination Addr 224.0.0.22
    Protocol tcp (6), Dest Port 0, Source Port 0, Domain 1
    TTI 00:15 out of 00:30 configured
    Drop(No reason)
    rx circuit 1026  Master np1  Fast Path N  rx packets 0
np3  Source Addr 192.168.5.1, Destination Addr 192.168.5.4:397
    Protocol tcp (6), Dest Port 397, Source Port 257, Domain 1
    TTI 10:00 out of 10:00 configured
    Modules testvapgroup_1
    Rx Available Slots testvapgroup_2, testvapgroup_3
    Ageout 88  rx circuit 1025  Master np1  Fast Path Y  rx packets 934
CBS#


show flow-path active


Displays the flow paths for the active flows that the X-Series Platform is currently processing. A flow path is the path that a flow takes when it goes through the X-Series Platform. A flow path has the following basic elements:

    Flow classification information: source and destination IP addresses, source and destination port numbers, protocol number, and domain ID number
    Network Processor Module (NPM) on which the active flow enters the X-Series Platform
    Circuit(s) on which the active flow enters an active virtual application processor (VAP) group(s)
    Active VAP(s) that processes the flow
    NPM interface on which the active flow leaves the X-Series Platform

By default, this command displays information only about the initial entry path and the final egress NPM interface for each flow. That is, the command displays information only about the NPM, circuit, and VAP on which the flow first enters the X-Series Platform and the NPM interface on which the flow exits the X-Series Platform. Use the default command output to determine whether NPMs are dropping flows when they arrive on the X-Series Platform, to make sure traffic is successfully passing through the X-Series Platform, and to determine where the NPM sends flows that it does not drop.

Use the verbose parameter to display information about the full path for each active flow, from the ingress NPM to the egress NPM interface. Use this parameter to monitor flows when:

    The flows pass through more than one VAP group configured on the X-Series Platform.
    The flows pass through a VAP group that is configured with separate circuits and NPM interfaces for ingress and egress traffic.

NOTE: See Verbose Output on page 364 for a detailed description of the verbose output of this command.

By default, this command's output is static; the CLI displays the current flow paths for the active flows that exist when you issue the command and does not display updated information when the state of an existing flow changes or when a new flow arrives on the X-Series Platform. Use the poll parameter to continuously poll the NPMs and display updated information at regular intervals. Use this parameter to continuously monitor traffic over time, observing changes in the states of existing flows and obtaining flow path information for new flows that arrive on the X-Series Platform.

NOTE: Press Ctrl-y to stop updating the command output and return to the CLI prompt.

By default, this command displays flow path information for all active flows. You can use one or more of the following parameters to filter the command output to display flow path information only for active flows that match the criteria that you specify with the parameters:

    source-address
    destination-address
    source-port
    destination-port
    protocol
    domain
    circuit-id
    module
    master-npm
    fast-path-only

By default, this command lists the active flows in the order in which they appear in the AFT. Use the sort parameter to sort the list of flows, as described in Parameters on page 371.


Syntax
show flow-path active [verbose] [poll <polling_interval>]
    [source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [source-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [destination-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}]
    [domain {<domain_ID> | <lowest_domain_ID> <highest_domain_ID>}]
    [circuit-id {<cct_ID_number> | <lowest_cct_ID_number> <highest_cct_ID_number>}]
    [module {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}]
    [master-npm {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}]
    [sort]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

verbose

Changes the format in which the CLI displays the output of the command and displays information about the full path for each active flow, from ingress NPM interface to egress NPM interface. See Default Output on page 374 for more details.

poll <polling_interval>

Polls the NPMs continuously and displays updated information every <polling_interval> seconds. NOTE: Press Ctrl-y to stop polling the NPMs and return to the CLI prompt. Valid values for <polling_interval> are from 1-3600.

source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}

Filters the command output using the specified source IP address matching criteria. Specify a single IP address to display flow path information only for active flows that have the specified source IP address. Specify a range of IP addresses to display flow path information only for active flows whose source IP addresses are within the specified range.


destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}

Filters the command output using the specified destination IP address matching criteria. Specify a single IP address to display flow path information only for active flows that have the specified destination IP address. Specify a range of IP addresses to display flow path information only for active flows whose destination IP addresses are within the specified range.

source-port {<port_number> | <lowest_port_number> <highest_port_number>}

Filters the command output using the specified source port matching criteria. Specify a single port number to display flow path information only for active flows that have the specified source port number. Specify a range of port numbers to display flow path information only for active flows whose source port numbers are within the specified range.

destination-port {<port_number> | <lowest_port_number> <highest_port_number>}

Filters the command output using the specified destination port matching criteria. Specify a single port number to display flow path information only for active flows that have the specified destination port number. Specify a range of port numbers to display flow path information only for active flows whose destination port numbers are within the specified range.

protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}

Filters the command output using the specified protocol matching criteria. Specify a single protocol number to display flow path information only for active flows that have the specified protocol number. Specify a range of protocol numbers to display flow path information only for active flows whose protocol numbers are within the specified range.


domain {<domain_ID> | <lowest_domain_ID> <highest_domain_ID>}

Filters the command output using the specified domain matching criteria. Specify a single domain ID number to display flow path information only for active flows received on circuits with the specified domain ID number. Specify a range of domain ID numbers to display flow path information only for active flows received on circuits whose domain ID numbers are within the specified range. Use the show circuit command to display the domain ID numbers assigned to circuits configured on the X-Series Platform.

NOTE: By default, XOS assigns all new circuits to domain number 1. You can assign a circuit to a different domain by specifying the domain parameter with the configure circuit command. If you assign a single domain ID to all of the circuits configured for a VAP group, you can use the show flow-path active command to monitor the status of all of the flows that pass through that VAP group. This is particularly useful when monitoring flows that pass through multiple, serialized VAP groups, since you can assign a unique domain ID to each VAP group's circuits.

circuit-id {<cct_ID_number> | <lowest_cct_ID_number> <highest_cct_ID_number>}

Filters the command output using the specified circuit ID matching criteria. Specify a single circuit ID number to display flow path information only for active flows received on the circuit with the specified circuit ID number. Specify a range of circuit ID numbers to display flow path information only for active flows received on the circuits whose circuit ID numbers are within the specified range. Use the show circuit command to display the circuit ID numbers assigned to circuits configured on the X-Series Platform.

NOTE: XOS assigns a default circuit ID number to every new circuit. You can assign a new circuit ID number to a circuit by specifying the circuit-id parameter with the configure circuit command.

module {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}

Filters the command output using the specified originating NPM matching criteria. Specify a single NPM slot number to display flow path information only for active flows that originate on the NPM with the specified slot number. Specify a range of NPM slot numbers to display information only about active flows that originate on the NPMs whose slot numbers are within the specified range.


master-npm {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}

Filters the command output using the specified master NPM matching criteria. Specify a single NPM slot number to display flow path information only for active flows whose master NPM has the specified slot number. Specify a range of NPM slot numbers to display flow path information only for active flows whose master NPM has a slot number within the specified range.

sort

Sorts the list of active flow paths that the command displays, using the following criteria, in the order shown. The CLI sorts the list of flow paths:

    1. first by destination IP address
    2. then by source IP address
    3. then by protocol number
    4. then by destination port
    5. then by source port

Default Output
By default, the show flow-path active command displays information in a table, using the following format:

Module       Source:port  Destination:port  Prot  Dom
<NPM_name1>  <IP>:<port>  <IP>:<port>       <#>   <ID#>
    rx circuit <ID#>  rx active <VAP_name>  [rx passive]  tx_port <slot>_<port>  master <NPM_name>
<NPM_name2>  <IP>:<port>  <IP>:<port>       <#>   <ID#>
    rx circuit <ID#>  Drop(<drop_reason>)  master <NPM_name>

The output has the format shown in the entry for <NPM_name1> if the originating NPM transfers the flow to a VAP for processing. The output has the format shown in the entry for <NPM_name2> if the originating NPM drops the flow.

The following table describes the information provided in each column/row/field in the command output.

Module <NPM_nameN>

Name of the NPM from which the flow originates. An NPM name has the format: np<NPM_slot_number>. Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.

Source:port <IP>:<port>

Source IP address and source port number for the flow.


Destination:port <IP>:<port>

Destination IP address and destination port number for the flow.

Prot <#>

Numeric identifier for the protocol that the flow uses.

Dom <ID#>

Domain ID number assigned to the first circuit on which the flow enters an active VAP group.

rx circuit <ID#>

Circuit ID number assigned to the first circuit on which the flow enters an active VAP group. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.

rx active <VAP_name> [rx passive]

Name of the first active VAP that receives the flow. If a Tap is configured on the circuit on which the flow enters the active VAP group, the name of the TAP appears in the rx_passive field. If no tap is configured, this field is blank. NOTE: A VAP name has the format: <VAP_group_name>_<VAP_Index_Number> Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.

tx_port <slot>_<port>

NPM slot number and port number for the NPM interface on which the flow exits the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to circuit IP addresses configured for an active VAP group.


Drop(<drop_reason_ID>)

Indicates that the originating NPM drops the flow for the reason specified by <drop_reason_ID>. Possible values for <drop_reason_ID> are:

    No L2 policy match: There are no non-IP flow rules that apply to this layer 2 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.

    No L3 policy match: There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.

    L3 drop policy: This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.

    PS2Master failed: A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.

    PS2IDX failed: A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.

    Load-balance failed: A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.

    Broadcast failed: A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.

    No Reason: One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.

Master <NPM_name>

Master NPM assigned to the flow.


Verbose Output
The verbose output for this command has the following format:

<NPM_Name1>  Source Addr <IP_address>, Destination Addr <IP_address>
    Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
    rx circuit <ID#1>    rx active <VAP_name1>  [rx passive]
    rx circuit <ID#2>    rx active <VAP_name2>  [rx passive]
    ...
    rx circuit <ID#N>    rx active <VAP_nameN>  [rx passive]
    rx circuit <ID#NPM>  rx active <NPM_name>   [rx passive]
    tx_port <slot>_<port>  master <NPM_name>
<NPM_or_VAP_Name2>  Source Addr <IP_address>, Destination Addr <IP_address>
    Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
    rx circuit <ID#1>  Drop(<drop_reason>)  master <NPM_name>

The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing. The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.

The following table describes the information provided in each column/row/field in the command output.

<NPM_nameN>

Name of the NPM from which the flow originates. An NPM name has the format: np<NPM_slot_number>. Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.

Source Addr <IP_address>

Source IP address for the flow.

Destination Addr <IP_address>

Destination IP address for the flow.

Protocol <prot_name> (<#>)

Name of the protocol that the flow uses and the numeric identifier for that protocol. For example, if the flow uses UDP, this field displays: Protocol udp (17)

Dest Port {<#> | <port_prot>(<#>)}

Destination port number for the flow or destination port protocol and port number for the flow. NOTE: Destination port protocol appears only if the destination port has a standard protocol. For example, if the destination port is 80, this field displays: Dest Port http (80)


Source Port {<#> | <port_prot>(<#>)}

Source port number for the flow or source port protocol and port number for the flow. NOTE: Source port protocol appears only if the source port has a standard protocol. For example, if the source port is 80, this field displays: Source Port http (80)

Domain <ID#>

Domain ID number assigned to the first circuit on which the flow enters an active VAP group.

rx circuit <ID#1> rx active <VAP_name1> [rx passive]
rx circuit <ID#2> rx active <VAP_name2> [rx passive]
...
rx circuit <ID#N> rx active <VAP_nameN> [rx passive]

Sequence of paths that the flow uses to enter an active VAP group on the X-Series Platform and then pass through one or more additional active VAP groups. The paths are listed in the order in which the active VAP groups configured on the X-Series Platform receive and process the flow. The CLI displays the following information about each path that the flow uses to pass through an active VAP group before arriving at its final egress interface on the NPM:

    rx circuit <ID#N>: Circuit ID number assigned to the circuit on which the flow enters the active VAP group. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.

    rx active <VAP_nameN>: Name of the active VAP that receives the flow. A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>. Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.

    rx passive: If a Tap is configured on the circuit on which the flow enters the active VAP group, the name of the TAP appears in the rx_passive field. If no tap is configured, this field is blank.


rx circuit <ID#NPM> rx active <NPM_name> [rx passive]

Path that the flow uses to arrive at its egress interface on the NPM. The egress interface is the physical interface that the flow uses to exit the X-Series Platform. The CLI displays the following information about this path:

    rx circuit <ID#NPM>: Circuit ID number assigned to the circuit mapped to the egress interface on the NPM. NOTE: This circuit is mapped to the last VAP group that the flow passes through before exiting the X-Series Platform. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.

    rx active <NPM_name>: Name of the NPM from which the flow exits the X-Series Platform. A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>. Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.

    rx passive: This field contains the name of the Tap if one is configured on the circuit mapped to the flow's egress interface on the NPM. If no Tap is configured, this field is blank.

tx_port <slot>_<port>

NPM slot number and port number for the NPM interface on which the flow exits the X-Series Platform. NOTE: This interface is mapped to a circuit that is mapped to the last VAP group that the flow passes through before exiting the X-Series Platform. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.


Drop(<drop_reason_ID>)

Indicates that the originating NPM drops the flow for the reason specified by <drop_reason_ID>. Possible values for <drop_reason_ID> are:

    No L2 policy match: There are no non-IP flow rules that apply to this layer 2 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.

    No L3 policy match: There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.

    L3 drop policy: This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.

    PS2Master failed: A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.

    PS2IDX failed: A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.

    Load-balance failed: A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.

    Broadcast failed: A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.

    No Reason: One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.

Master <NPM_name>

Master NPM assigned to the flow.

Restrictions
Default Privilege Level: 15


Examples
Example 1: Displaying all Active Flow Paths Using the Default Command Output Format

The following command displays the initial entry path and the egress NPM interface for every active flow that the X-Series Platform is currently processing. In this example, a VAP group called testvapgroup is currently configured on the X-Series Platform and is running a firewall application.

CBS# show flow-path active
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
Module  Source:port          Destination:port     Prot  Dom
np2     172.16.10.100:2009   172.16.20.240:80     6     1
    rx circuit 1027  rx active testvapgroup_2  rx passive  tx_port 4_2  master np2
np4     172.16.20.240:80     172.16.10.144:53814
    rx circuit 1028  rx active testvapgroup_1  rx passive  tx_port 2_2  master np2
np2     172.16.10.207:31754  172.16.20.240:80
    rx circuit 1029  Drop(PS2IDX failed)  master np2
CBS#

Example 2: Filtering the Default Command Output Format

The following command displays initial entry path and egress NPM interface information only for the active flows whose source port number is 80:

CBS# show flow-path active source-port 80
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
Module  Source:port       Destination:port     Prot  Dom
np4     172.16.20.240:80  172.16.10.144:53814  6     1
    rx circuit 1028  rx active testvapgroup_1  rx passive  tx_port 2_2  master np2
CBS#

Example 3: Displaying all Active Flow Paths Using the Verbose Command Output Format

The following command displays the complete flow path for every active flow that the X-Series Platform is currently processing. In this example, a VAP group called testvapgroup is currently configured on the X-Series Platform and is running a firewall application.

CBS# show flow-path active verbose
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
np4  Source Addr 172.16.10.100, Destination Addr 172.16.20.240
    Protocol tcp (6), Dest Port http(80), Source Port 2009, Domain 1
    rx circuit 1027  rx active testvapgroup_2  rx passive
    rx circuit 1030  rx active np2  rx passive
    tx_port 2_2  master np2
np2  Source Addr 172.16.20.240, Destination Addr 172.16.10.144
    Protocol tcp (6), Dest Port 53814, Source Port http(80), Domain 1
    rx circuit 1028  rx active testvapgroup_1  rx passive
    rx circuit 1031  rx active np4  rx passive
    tx_port 4_2  master np2
np2  Source Addr 172.16.10.207, Destination Addr 172.16.20.240
    Protocol tcp (6), Dest Port http(80), Source Port 31754, Domain 1
    rx circuit 1029  Drop(PS2IDX failed)  master np2
CBS#
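The verbose output documented above can be triaged mechanically. The following Python sketch is an added example, not part of the Crossbeam guide: it parses captured show flow-path active verbose text into per-flow records and lists the dropped flows, separating drops caused by flow rules from drops where the NPM could not hand the flow to an Active VAP. The function names, category labels and the line layout of the sample are assumptions of this example; the parser ignores line breaks, and the fourth sample entry is constructed to cover a drop reason that shows no circuit information.

```python
import re

# Drop reasons from the Drop(<drop_reason_ID>) table on this page. The grouping
# into "policy" and "delivery_failure" is this example's own labelling.
POLICY_DROPS = {"no l2 policy match", "no l3 policy match", "l3 drop policy"}
DELIVERY_FAILURES = {"ps2master failed", "ps2idx failed",
                     "load-balance failed", "broadcast failed"}

# Entry header: "<module> Source Addr a, Destination Addr b Protocol p (n), ..."
ENTRY_RE = re.compile(
    r"(?P<module>\S+)\s+Source Addr\s+(?P<src>[^,\s]+),\s+"
    r"Destination Addr\s+(?P<dst>\S+)\s+"
    r"Protocol\s+(?P<pname>\w+)\s*\((?P<proto>\d+)\),\s+"
    r"Dest Port\s+(?P<dport>[^,]+),\s+Source Port\s+(?P<sport>[^,]+),\s+"
    r"Domain\s+(?P<domain>\d+)")
HOP_RE = re.compile(r"rx circuit\s+(\d+)\s+rx active\s+(\S+)")

# Constructed sample: entries 1-3 reuse the values of Example 3 on this page;
# entry 4 is invented and assumes the documented layout minus the circuit.
SAMPLE = """\
CBS# show flow-path active verbose
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
np4  Source Addr 172.16.10.100, Destination Addr 172.16.20.240
    Protocol tcp (6), Dest Port http(80), Source Port 2009, Domain 1
    rx circuit 1027  rx active testvapgroup_2  rx passive
    rx circuit 1030  rx active np2  rx passive
    tx_port 2_2  master np2
np2  Source Addr 172.16.20.240, Destination Addr 172.16.10.144
    Protocol tcp (6), Dest Port 53814, Source Port http(80), Domain 1
    rx circuit 1028  rx active testvapgroup_1  rx passive
    rx circuit 1031  rx active np4  rx passive
    tx_port 4_2  master np2
np2  Source Addr 172.16.10.207, Destination Addr 172.16.20.240
    Protocol tcp (6), Dest Port http(80), Source Port 31754, Domain 1
    rx circuit 1029  Drop(PS2IDX failed)  master np2
np2  Source Addr 172.16.10.50, Destination Addr 172.16.20.9
    Protocol udp (17), Dest Port 40001, Source Port 40000, Domain 1
    Drop(No L3 policy match)  master np2
CBS#
"""


def _port(field):
    """Return the port number from '2009', 'http(80)' or 'http (80)'."""
    m = re.search(r"(\d+)\)?\s*$", field)
    return int(m.group(1)) if m else None


def classify_drop(reason):
    """Map a drop reason string to this example's category labels."""
    key = reason.strip().lower()
    if key in POLICY_DROPS:
        return "policy"
    if key in DELIVERY_FAILURES:
        return "delivery_failure"
    return "no_reason" if key == "no reason" else "unknown"


def parse_flow_paths(text):
    """Split verbose output into one dict per flow entry."""
    entries = list(ENTRY_RE.finditer(text))
    flows = []
    for i, m in enumerate(entries):
        end = entries[i + 1].start() if i + 1 < len(entries) else len(text)
        body = text[m.end():end]          # everything up to the next entry
        drop = re.search(r"Drop\(([^)]*)\)", body)
        circuit = re.search(r"rx circuit\s+(\d+)", body)
        tx = re.search(r"tx_port\s+(\d+_\d+)", body)
        master = re.search(r"master\s+(\S+)", body)
        flows.append({
            "module": m["module"], "src": m["src"], "dst": m["dst"],
            "proto": int(m["proto"]), "domain": int(m["domain"]),
            "dst_port": _port(m["dport"]), "src_port": _port(m["sport"]),
            # Circuit is absent for the two "No Lx policy match" reasons.
            "rx_circuit": int(circuit.group(1)) if circuit else None,
            "hops": [(int(c), name) for c, name in HOP_RE.findall(body)],
            "tx_port": tx.group(1) if tx else None,
            "master": master.group(1) if master else None,
            "drop": drop.group(1) if drop else None,
        })
    return flows


def triage_drops(text):
    """Dropped flows only, with VAP delivery failures listed first."""
    order = {"delivery_failure": 0, "unknown": 1, "no_reason": 2, "policy": 3}
    drops = [f for f in parse_flow_paths(text) if f["drop"] is not None]
    drops.sort(key=lambda f: order[classify_drop(f["drop"])])
    return [(f["src"], f["dst"], f["dst_port"], f["drop"],
             classify_drop(f["drop"]), f["rx_circuit"]) for f in drops]


if __name__ == "__main__":
    for row in triage_drops(SAMPLE):
        print(row)
```

A delivery_failure result points at VAP state rather than at flow rules, so the VAP group that owns the listed rx circuit is the place to look first.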

show flow distribution


Displays the number of flows that each Network Processor Module (NPM) installed in the X-Series Platform has assigned to each virtual application processor (VAP) in each VAP group configured on the X-Series Platform, and displays the rates at which each NPM assigns new and existing flows to each VAP. Use this command to determine whether flows are being load balanced across all members of a VAP group and to monitor the volume of traffic that each VAP group is processing. By default, this command lists the NPM-to-VAP flow assignments in the order in which the NPMs assign the flows to VAPs in a VAP group. Use the sort parameter to sort the list of NPM-to-VAP flow assignments by VAP group name or by APM slot number.

Syntax
show flow distribution [sort {vap-group | apm-slot}]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

sort {vap-group | apm-slot}

Sorts the list of VAP flow assignments. Use one of the following keywords to specify the method used to sort the list:

    vap-group: Sorts the list of VAP flow assignments first by VAP group name, then by VAP index number, and then by APM slot number.

    apm-slot: Sorts the list of VAP flow assignments first by APM slot number, then by VAP group name, and then by VAP index number.

Output
This command displays information in a table, using the following format. The command output shows the number of flows that each NPM assigns to each VAP in each VAP group.

NOTE: Table entries appear only for the NPMs that are actually installed in the X-Series Platform.

NP   Uptime             Slot   VAP      New Flows Rate  Aged Flows Rate  Flows
                                        =============   =============    =====
np1  <#> days, <hh:mm>  <AP#>  <name1>  <Delta_#flows>  <Delta_#flows>   <#>
np2  <#> days, <hh:mm>  <AP#>  <name1>  <Delta_#flows>  <Delta_#flows>   <#>
np3  <#> days, <hh:mm>  <AP#>  <name1>  <Delta_#flows>  <Delta_#flows>   <#>
np4  <#> days, <hh:mm>  <AP#>  <name1>  <Delta_#flows>  <Delta_#flows>   <#>
np1  <#> days, <hh:mm>  <AP#>  <name2>  <Delta_#flows>  <Delta_#flows>   <#>
np2  <#> days, <hh:mm>  <AP#>  <name2>  <Delta_#flows>  <Delta_#flows>   <#>
np3  <#> days, <hh:mm>  <AP#>  <name2>  <Delta_#flows>  <Delta_#flows>   <#>
np4  <#> days, <hh:mm>  <AP#>  <name2>  <Delta_#flows>  <Delta_#flows>   <#>
...

The following table describes the information provided in each column/row.

NP

Name of the NPM that assigns flows to a VAP. Use the show chassis command to display the NPM names assigned to the NPMs installed in your X-Series Platform.

Uptime

Amount of time that the NPM has been in the UP state, in days, hours, and minutes. Hours and minutes are expressed in the format: hh:mm. For example, 9 hours and 7 minutes is 09:07.

Slot

Slot number for the APM assigned to the VAP to which the NPM assigns flows.

VAP

Name of the VAP to which the NPM assigns flows. A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>. Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.

New Flows Rate

The change in the number of new flows that the NPM assigns to the VAP, since the past second. A negative value indicates that the number of new flows that the NPM currently assigns to the VAP is lower than the number of new flows that the NPM assigned to the VAP a second ago. For example, if an NPM assigns 10 new flows to the VAP now, but the NPM assigned 15 new flows to that VAP a second ago, the New Flows Rate is -5.

Aged Flows Rate

The change in the number of existing flows that the NPM assigns to the VAP, since the past second. A negative value indicates that the number of existing flows that the NPM currently assigns to the VAP is lower than the number of existing flows that the NPM assigned to the VAP a second ago. For example, if an NPM assigns 10 existing flows to the VAP now, but the NPM assigned 15 existing flows to that VAP a second ago, the Aged Flows Rate is -5.

Flows

Total number of flows that the NPM currently assigns to the VAP.


Restrictions
Default Privilege Level: 0

Examples
Example 1: Default Command Output
The following command displays the number of flows that each Network Processor Module (NPM) installed in the X-Series Platform has assigned to each VAP in each VAP group configured on the X-Series Platform, and displays the rates at which each NPM assigns new and existing flows to each VAP. There are two VAP groups configured on this X-Series Platform: one called testvapgroup, which has three VAPs, and one called ipsvapgroup, which has two VAPs.

CBS# show flow distribution
NP   Uptime          Slot  VAP             New Flows Rate  Aged Flows Rate  Flows
                                           ==========      ==========       =========
np1  0 days, 00:00   7     testvapgroup_1  0               0                0
np2  3 days, 19:17   7     testvapgroup_1  7344            5133             72043
np3  0 days, 00:00   7     testvapgroup_1  0               0                0
np4  3 days, 19:17   7     testvapgroup_1  6340            5538             79002
np1  0 days, 00:00   8     testvapgroup_2  0               0                0
np2  3 days, 19:17   8     testvapgroup_2  5733            5670             69182
np3  0 days, 00:00   8     testvapgroup_2  0               0                0
np4  3 days, 19:17   8     testvapgroup_2  5223            5041             68423
np1  0 days, 00:00   9     testvapgroup_3  0               0                0
np2  3 days, 19:17   9     testvapgroup_3  -5463           -4210            0
np3  0 days, 00:00   9     testvapgroup_3  0               0                0
np4  3 days, 19:17   9     testvapgroup_3  -4253           -3452            0
np1  0 days, 00:00   5     ipsvapgroup_1   0               0                0
np2  3 days, 19:17   5     ipsvapgroup_1   0               0                0
np3  0 days, 00:00   5     ipsvapgroup_1   0               0                0
np4  3 days, 19:17   5     ipsvapgroup_1   0               0                0
np1  0 days, 00:00   6     ipsvapgroup_2   0               0                0
np2  3 days, 19:17   6     ipsvapgroup_2   0               0                0
np3  0 days, 00:00   6     ipsvapgroup_2   0               0                0
np4  3 days, 19:17   6     ipsvapgroup_2   0               0                0
CBS#

Example 2: Sorting the Command Output
Based on the default command output shown in Example 1, an X-Series Platform administrator can see that none of the NPMs are assigning flows to the VAPs in the VAP group called ipsvapgroup. The administrator expects this output because he has just reloaded that VAP group, and it has not yet come up.

However, the default output also reveals a major problem. The NPMs have suddenly stopped assigning new and existing flows to one of the VAPs in the VAP group called testvapgroup, and the NPMs are now assigning many more new and existing flows to the other two VAPs in the group.

To more clearly see this pattern, the X-Series Platform administrator executes the following command to sort the above list of NPM-to-VAP assignments first by APM slot number, then by VAP group name, and then by VAP index number.


CBS# show flow distribution apm-slot
NP   Uptime          Slot  VAP             New Flows Rate  Aged Flows Rate  Flows
                                           ==========      ==========       =========
np1  0 days, 00:00   5     ipsvapgroup_1   0               0                0
np2  3 days, 19:17   5     ipsvapgroup_1   0               0                0
np3  0 days, 00:00   5     ipsvapgroup_1   0               0                0
np4  3 days, 19:17   5     ipsvapgroup_1   0               0                0
np1  0 days, 00:00   6     ipsvapgroup_2   0               0                0
np2  3 days, 19:17   6     ipsvapgroup_2   0               0                0
np3  0 days, 00:00   6     ipsvapgroup_2   0               0                0
np4  3 days, 19:17   6     ipsvapgroup_2   0               0                0
np1  0 days, 00:00   7     testvapgroup_1  0               0                0
np2  3 days, 19:17   7     testvapgroup_1  5337            4212             49667
np3  0 days, 00:00   7     testvapgroup_1  0               0                0
np4  3 days, 19:17   7     testvapgroup_1  5340            3538             79002
np1  0 days, 00:00   8     testvapgroup_2  0               0                0
np2  3 days, 19:17   8     testvapgroup_2  4733            3670             43182
np3  0 days, 00:00   8     testvapgroup_2  0               0                0
np4  3 days, 19:17   8     testvapgroup_2  4733            3040             68423
np1  0 days, 00:00   9     testvapgroup_3  0               0                0
np2  3 days, 19:17   9     testvapgroup_3  -5463           -4210            0
np3  0 days, 00:00   9     testvapgroup_3  0               0                0
np4  3 days, 19:17   9     testvapgroup_3  -4253           -3452            0
CBS#

The sorted command output clearly shows that there is a problem with the APM in slot 9. This APM is probably down. The change in the number of new and existing flows assigned to the other APMs assigned to testvapgroup suggests that the NPMs have moved all of the failed APM's flows onto the remaining two APMs assigned to the group.

The administrator can confirm the above hypothesis by using the show chassis command to display the current state of all modules installed in the chassis.
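The triage reasoning in Example 2, automated as an added example that is not part of the original guide: it flags a VAP that carries no flows while other VAPs in its group do, and reports groups with no flows at all separately. The whitespace-separated row layout, the function names, and the rule that rows from an NPM with uptime 0 days, 00:00 are ignored are assumptions; the sample rows are constructed from the values in Example 2.

```python
import re
from collections import defaultdict

# Constructed sample: the rows of Example 2, in the column order
# NP, Uptime, Slot, VAP, New Flows Rate, Aged Flows Rate, Flows (layout assumed).
SAMPLE = """\
CBS# show flow distribution apm-slot
np1 0 days, 00:00 5 ipsvapgroup_1 0 0 0
np2 3 days, 19:17 5 ipsvapgroup_1 0 0 0
np3 0 days, 00:00 5 ipsvapgroup_1 0 0 0
np4 3 days, 19:17 5 ipsvapgroup_1 0 0 0
np1 0 days, 00:00 6 ipsvapgroup_2 0 0 0
np2 3 days, 19:17 6 ipsvapgroup_2 0 0 0
np3 0 days, 00:00 6 ipsvapgroup_2 0 0 0
np4 3 days, 19:17 6 ipsvapgroup_2 0 0 0
np1 0 days, 00:00 7 testvapgroup_1 0 0 0
np2 3 days, 19:17 7 testvapgroup_1 5337 4212 49667
np3 0 days, 00:00 7 testvapgroup_1 0 0 0
np4 3 days, 19:17 7 testvapgroup_1 5340 3538 79002
np1 0 days, 00:00 8 testvapgroup_2 0 0 0
np2 3 days, 19:17 8 testvapgroup_2 4733 3670 43182
np3 0 days, 00:00 8 testvapgroup_2 0 0 0
np4 3 days, 19:17 8 testvapgroup_2 4733 3040 68423
np1 0 days, 00:00 9 testvapgroup_3 0 0 0
np2 3 days, 19:17 9 testvapgroup_3 -5463 -4210 0
np3 0 days, 00:00 9 testvapgroup_3 0 0 0
np4 3 days, 19:17 9 testvapgroup_3 -4253 -3452 0
CBS#
"""

# One data row. The VAP name is <VAP_group_name>_<VAP_Index_Number>; the greedy
# group match keeps underscores inside the group name intact.
ROW = re.compile(
    r"^(?P<np>np\d+)\s+(?P<days>\d+) days?,\s+(?P<hhmm>\d\d:\d\d)\s+(?P<slot>\d+)\s+"
    r"(?P<group>\S+)_(?P<index>\d+)\s+(?P<new>-?\d+)\s+(?P<aged>-?\d+)\s+(?P<flows>\d+)\s*$"
)


def parse_rows(text):
    """Return one dict per NPM-to-VAP row; headers and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "np": d["np"],
            # Assumption: an NPM showing zero uptime is not assigning flows,
            # so its all-zero rows say nothing about the APM's health.
            "npm_up": not (d["days"] == "0" and d["hhmm"] == "00:00"),
            "slot": int(d["slot"]),
            "group": d["group"],
            "vap": f'{d["group"]}_{d["index"]}',
            "new": int(d["new"]),
            "aged": int(d["aged"]),
            "flows": int(d["flows"]),
        })
    return rows


def analyze(text):
    """Classify VAP groups as idle (no flows anywhere) or find suspect VAPs."""
    per_vap = defaultdict(int)  # (group, slot, vap) -> flows summed over NPMs
    for r in parse_rows(text):
        if r["npm_up"]:
            per_vap[(r["group"], r["slot"], r["vap"])] += r["flows"]

    by_group = defaultdict(list)
    for (group, slot, vap), flows in per_vap.items():
        by_group[group].append((slot, vap, flows))

    idle, suspect = [], []
    for group, vaps in sorted(by_group.items()):
        if all(flows == 0 for _, _, flows in vaps):
            idle.append(group)  # e.g. a VAP group that was just reloaded
        else:
            # Peers carry traffic but this VAP carries none: check its APM.
            suspect += sorted((s, v) for s, v, flows in vaps if flows == 0)
    return {"idle_groups": idle, "suspect": suspect}


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

A flagged slot is only a lead; as the text says, show chassis confirms the module state.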

show npm-originated-flow-stats
This command displays statistics for IP flows originated from the NPMs on an X-Series Platform. The command displays statistics for each NPM in the X-Series chassis. Flow counts represent a snapshot of changes. NOTE: Flow counts are uni-directional.

Syntax
show npm-originated-flow-stats

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0


Output
The output for the show npm-originated-flow-stats command has the following format:

CBS# show npm-originated-flow-stats
Originated flows from slot 1
Total flows count:
  TCP flows      : 0
  UDP flows      : 79525
  ICMP flows     : 13027
  Other-IP flows : 0
New flows rate (per second):
  TCP flows      : 0
  UDP flows      : 0
  ICMP flows     : 0
  Other-IP flows : 0
Aged flows rate (per second):
  TCP flows      : 0
  UDP flows      : 0
  ICMP flows     : 0
  Other-IP flows : 0
Originated flows from slot 2
Total flows count:
  TCP flows      : 0
  UDP flows      : 162723
  ICMP flows     : 12820
  Other-IP flows : 0
New flows rate (per second):
  TCP flows      : 0
  UDP flows      : 0
  ICMP flows     : 0
  Other-IP flows : 0
Aged flows rate (per second):
  TCP flows      : 0
  UDP flows      : 0
  ICMP flows     : 0
  Other-IP flows : 0

The following table describes the information provided in each column/row:

Column/Row Heading
    Information Provided
Originated flows from slot
    Number of the slot that contains an NPM.
Total flows count
    The number of flows in the flow table.
New flows rate (per second)
    The number of new flows entering the flow table.
Aged flows rate (per second)
    The number of existing flows removed from the flow table. NOTE: Flows are removed due to inactivity or flow termination.
TCP flows
    IP flows from TCP traffic.
UDP flows
    IP flows from UDP traffic.
ICMP flows
    IP flows from ICMP traffic.
Other-IP flows
    IP flows from any source other than TCP, UDP, or ICMP.

configure check-flow-rule
Enables or disables (using no) flow rule checking for the X-Series Platform. Flow rule checking is enabled by default.

NOTE: If flow rule checking has been disabled and is then enabled, all the activated flow rules are checked for conflicts.

The purpose of flow rule checking is to ensure that the NPM can successfully apply existing flow rules to every flow that arrives on a logical interface configured on the X-Series Platform. If the NPM is unable to successfully apply any flow rules to a flow that arrives on a logical interface, the NPM drops that flow.

The NPM can apply only one flow rule to a flow at any given time. If a single flow meets the matching criteria for multiple flow rules, the NPM uses the priority levels assigned to those flow rules to determine the order in which to apply them to the flow. If the flow rules have the same priority level, the NPM cannot determine the order in which to apply them, and the NPM drops the flow.

If flow rule checking is enabled, each time you issue the activate command to activate a flow rule, XOS checks for policy conflicts between the flow rule that you are attempting to activate and the flow rules that are currently activated on the X-Series Platform. If XOS detects a policy conflict, the activate operation fails and the CLI issues an error message.

Two flow rules have conflicting policies if all of the following conditions are true:
- Both flow rules apply to the same virtual application processor (VAP) group. NOTE: System-level flow rules apply to all VAP groups configured on the X-Series Platform. VAP group flow rules apply only to the VAP group for which they are configured.
- The two flow rules have overlapping matching criteria; both flow rules can apply to the same flow.
- Both flow rules have the same priority level.

Use the show check-flow-rule command to determine whether flow rule checking is enabled on your X-Series Platform.
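The three conflict conditions above, worked through as an added Python example that is not XOS code: it tests a candidate rule against the activated set, and audits a whole set pairwise as happens when checking is re-enabled. The FlowRule fields (address networks, port ranges, protocol range), the function names and the sample rules are assumptions made for illustration, not the XOS flow-rule schema.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations
from typing import Optional, Tuple


@dataclass(frozen=True)
class FlowRule:
    """Hypothetical model of a flow rule; field names are assumptions."""
    name: str
    vap_group: Optional[str]  # None marks a system-level rule (all VAP groups)
    priority: int
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    src_ports: Tuple[int, int] = (0, 65535)
    dst_ports: Tuple[int, int] = (0, 65535)
    protocols: Tuple[int, int] = (0, 255)


def ranges_overlap(a, b):
    """True when two inclusive (low, high) ranges share at least one value."""
    return a[0] <= b[1] and b[0] <= a[1]


def nets_overlap(a, b):
    """True when two CIDR networks share at least one address."""
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def same_vap_group(a, b):
    """Condition 1: a system-level rule applies to every VAP group."""
    return a.vap_group is None or b.vap_group is None or a.vap_group == b.vap_group


def criteria_overlap(a, b):
    """Condition 2: some flow exists that both rules would match."""
    return (nets_overlap(a.src, b.src)
            and nets_overlap(a.dst, b.dst)
            and ranges_overlap(a.src_ports, b.src_ports)
            and ranges_overlap(a.dst_ports, b.dst_ports)
            and ranges_overlap(a.protocols, b.protocols))


def conflicts(a, b):
    """All three conditions from the text must hold (condition 3: priority)."""
    return same_vap_group(a, b) and criteria_overlap(a, b) and a.priority == b.priority


def check_activation(candidate, active):
    """Names of activated rules that would make activating candidate fail."""
    return [r.name for r in active if conflicts(candidate, r)]


def audit(rules):
    """Pairwise check of a whole rule set, as when checking is re-enabled."""
    return [(a.name, b.name) for a, b in combinations(rules, 2) if conflicts(a, b)]


# Constructed sample rules (not from the guide).
ACTIVE_RULES = [
    FlowRule("web-in", "testvapgroup", 10, dst="10.170.101.0/24",
             dst_ports=(80, 443), protocols=(6, 6)),
    FlowRule("sys-dns", None, 20, dst_ports=(53, 53), protocols=(17, 17)),
]
CANDIDATE = FlowRule("https-in", "testvapgroup", 10, dst="10.170.101.128/25",
                     dst_ports=(443, 443), protocols=(6, 6))

if __name__ == "__main__":
    print(check_activation(CANDIDATE, ACTIVE_RULES))  # conflicts with web-in
    print(audit(ACTIVE_RULES + [CANDIDATE]))
```

Changing the candidate's priority, or narrowing its criteria until no flow can match both rules, is what clears the conflict.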

Syntax
[no] configure check-flow-rule

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
The following command disables flow rule checking for the X-Series Platform:

CBS# configure no check-flow-rule
CBS#

Commands for Clearing Flows from the X-Series Platform


This section describes the commands that you can use to clear flows from the X-Series Platform. This section contains the following command descriptions:
- clear flow-active
- clear interface
- clear netstat
- clear switch-data-path
- clear vdf-status

clear flow-active
Deletes connection and load-balancing information for all active flows that match the specified filtering criteria. You specify filtering criteria using the parameters listed below. If you do not specify filtering criteria, this command deletes all active flow connection and load-balancing information from all Network Processor Modules (NPMs) installed in the X-Series Platform.

Caution: If you do not specify filtering criteria, the clear flow-active command stops all traffic, and in most cases, it causes a complete service interruption that may last for several minutes. You should consider these risks carefully before issuing this command. Crossbeam Systems recommends that you use this command only after consulting with a Crossbeam Systems Customer Support or Professional Services representative.

Syntax
clear flow-active [source-address <IP_address>/<0-32>] [destination-address <IP_address>/<0-32>] [source-port <lowest_port_number> <highest_port_number>] [destination-port <lowest_port_number> <highest_port_number>] [protocol <lowest_protocol_number> <highest_protocol_number>] [domain <lowest_domain_ID> <highest_domain_ID>] [circuit-id <lowest_circuit_ID> <highest_circuit_ID>] [module <lowest_slot_number> <highest_slot_number>] [master-npm <lowest_slot_number> <highest_slot_number>] [fast-path-only]

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter
    Description
source-address <IP_address>/<0-32>
    Deletes active flow connection and load-balancing information only for flows whose source IP addresses belong to the specified IP network. You must specify the source IP network address and subnet mask using CIDR format. NOTE: When using the clear flow-active command, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.
destination-address <IP_address>/<0-32>
    Deletes active flow connection and load-balancing information only for flows whose destination IP addresses belong to the specified IP network. You must specify the destination IP network address and subnet mask using CIDR format. NOTE: When using the clear flow-active command, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.
source-port <lowest_port_number> <highest_port_number>
    Deletes active flow connection and load-balancing information only for flows whose source port numbers are within the specified range of port numbers.
destination-port <lowest_port_number> <highest_port_number>
    Deletes active flow connection and load-balancing information only for flows whose destination port numbers are within the specified range of port numbers.
protocol <lowest_protocol_number> <highest_protocol_number>
    Deletes active flow connection and load-balancing information only for flows whose protocol numbers are within the specified range of protocol numbers.
domain <lowest_domain_ID> <highest_domain_ID>
    Deletes active flow connection and load-balancing information only for flows assigned to circuits whose domain ID numbers are within the specified range of domain ID numbers.
circuit-id <lowest_circuit_ID> <highest_circuit_ID>
    Deletes active flow connection and load-balancing information only for flows assigned to circuits whose circuit ID numbers are within the specified range of circuit ID numbers.
module <lowest_slot_number> <highest_slot_number>
    Deletes active flow connection and load-balancing information only for flows whose originating modules are installed in the specified range of slots in the X-Series Platform.
master-npm <lowest_slot_number> <highest_slot_number>
    Deletes active flow connection and load-balancing information only for flows whose master NPMs have slot numbers within the specified range.
fast-path-only
    Deletes active flow connection and load-balancing information only for flows being processed using the Fast Path. See the XOS Configuration Guide for information about the Fast Path.

Restrictions
Default Privilege Level: 15

Example
The following command deletes all connection and load-balancing information for all active flows whose source IP addresses belong to the IP network 10.170.54.0/24, and whose destination IP addresses belong to the network 10.170.101.0/24:

CBS# clear flow-active source-address 10.170.54.0/24 destination-address 10.170.101.0/24
CBS#

clear interface
Clears the total, processed, and dropped packet counters for all interfaces configured on the X-Series Platform or for the specified interface.

NOTE: This command clears packet counters only for the current CLI console session. Use the show interface command to display the date and time at which you last cleared an interface's packet counters during the current CLI console session.

Syntax
clear interface {all | gigabitethernet <slot>/<port> | 10gigabitethernet <slot>/<port> | high-availability}

Context
You access this command from the main CLI context.

Inline Commands
The following table lists the CLI commands used inline with the clear interface command.

Command
    Description
all
    Clears the total, processed, and dropped packet counters for all interfaces configured on the X-Series Platform.
gigabitethernet <slot>/<port>
    Clears the total, processed, and dropped packet counters only for the Gigabit Ethernet interface configured on the specified port on the NPM in the specified slot.
10gigabitethernet <slot>/<port>
    Clears the total, processed, and dropped packet counters only for the 10 Gigabit Ethernet interface configured on the specified port on the NPM in the specified slot.
high-availability
    Clears the total, processed, and dropped packet counters for the High Availability port on the primary CPM.

Restrictions
Default Privilege Level: 15

Example
In this example, the X-Series Platform administrator wants to determine the number of packets that an interface receives in one hour and calculate the percentage of packets that the interface drops during that time.

The administrator first issues the following command to clear the total, processed, and dropped packet counters only for the interface for which he wants to calculate the percentage of packets dropped per hour, the Gigabit Ethernet interface configured on port 1 on the NPM in slot 1 in the X-Series Platform.

CBS# clear interface gigabitethernet 1/1
CBS#

The administrator issues the following command to ensure that the interface's packet counters have been cleared:

CBS# show interface gigabitethernet 1/1
Gigabitethernet 1/1 is up
Interface is in use
Hardware address is N/A
SFP info: phy_present|phy_good
Media Type: Copper, Vendor Name: Methode Elec.
MTU 1500 bytes, BW 1 Gigabit, full-duplex, auto-negotiation is enabled
Last clearing of "show interface" counters Fri Feb 12 20:33:34 2010
PHY stats: Statistics on physical line
Received:
  Total frames 0 (bytes 0)
  Broadcast frames 0
  Undersized frames 0
  Oversized frames 0
  Throttles 0
  Total errors 0
  Frame check sequence (FCS) errors 0
  Frame errors 0
  Overrun errors 0
  Ignored errors 0
Transmitted:
  Total frames 0 (bytes 0)
  Underrun errors 0
  Total errors 0
  Collisions 0

Next, the administrator waits one hour, and then issues the show interface command again:

CBS# show interface gigabitethernet 1/1
Gigabitethernet 1/1 is up
Interface is in use
Hardware address is N/A
SFP info: phy_present|phy_good
Media Type: Copper, Vendor Name: Methode Elec.
MTU 1500 bytes, BW 1 Gigabit, full-duplex, auto-negotiation is enabled
Last clearing of "show interface" counters Fri Feb 12 20:33:34 2010
PHY stats: Statistics on physical line
Received:
  Total frames 517305 (bytes 33877872)
  Broadcast frames 143
  Undersized frames 0
  Oversized frames 0
  Throttles 0
  Total errors 0
  Frame check sequence (FCS) errors 0
  Frame errors 0
  Overrun errors 0
  Ignored errors 0
Transmitted:
  Total frames 0 (bytes 0)
  Underrun errors 0
  Total errors 0
  Collisions 0
CBS#

clear netstat
Clears all network protocol statistics counters for the X-Series Platform. NOTE: This command clears network protocol statistics counters only for the current CLI console session. Use the show netstat command to display the date and time at which you last cleared the network protocol statistics counters during the current CLI console session.

Syntax
clear netstat

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
The following command clears all network protocol statistics for the current CLI console session:

CBS# clear netstat
CBS#


clear switch-data-path
Clears all switch data path (SDP) statistics counters for one or more Control Processor Modules (CPMs) and/or Application Processor Modules (APMs) installed in the X-Series Platform. NOTE: This command clears SDP statistics counters only for the current CLI console session. Use the show switch-data-path command to display the date and time at which you last cleared the SDP statistics counters during the current CLI console session.

Syntax
clear switch-data-path {all | module {<slot_number> | <lowest_slot_number> <highest_slot_number>}}

Context
You access this command from the main CLI context.

Inline Commands
The following table lists the CLI commands used inline with the clear switch-data-path command.

Command
    Description
all
    Clears all SDP statistics counters for all CPMs and APMs installed in the X-Series Platform.
module {<slot_number> | <lowest_slot_number> <highest_slot_number>}
    Clears all SDP statistics counters only for one or more specific APMs and/or CPMs. Specify a single CPM or APM slot number to clear all SDP statistics counters only for the CPM or APM installed in that slot. Specify a range of slot numbers to clear all SDP statistics counters only for the CPMs and/or APMs installed in the specified range of slots. Valid slot numbers are from 1-14.

Restrictions
Default Privilege Level: 15

Example
The following command clears all SDP statistics counters for the APMs installed in slots 7-9. In this example, these APMs are assigned to the VAP group called testvapgroup:

CBS# clear switch-data-path module 7 9
CBS#

clear vdf-status
This command clears the virtual defragmentation (VDF) statistics counters on NPMs and APMs.


By default, this command clears information about all NPMs, APMs, and VAP groups. You can use one of the following parameters to selectively clear information for specific modules or VAP groups.
- module
- VAP-group-member

NOTE: The statistics are cleared for the current session only and are not cleared on the module.

Syntax
clear vdf-status [module <module_name>] [vap-group-member <VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
    Description
module
    (Optional) Clears VDF statistics for the specified modules. Specify a module (APM or NPM) or list of modules separated by spaces for which VDF statistics are to be cleared. An NPM name has the format: np<NPM_number> An APM name has the format: ap<APM_number> Use the show chassis command to display the module names assigned to the NPMs and APMs installed in the X-Series Platform.
vap-group-member
    (Optional) Clears VDF statistics for all member VAPs in the specified VAP group. Specify the name of a VAP group to clear the VDF status for all member VAPs.

Restrictions
Default Privilege Level: 15

Example
The following command clears the virtual defragmentation statistics counters for all modules:

CBS# clear vdf-status

The following command clears the virtual defragmentation statistics counters for an NPM and an APM:

CBS# clear vdf-status module np2 ap3

The following command clears the virtual defragmentation statistics counters for all VAPs in a VAP group:

CBS# clear vdf-status vap-group-member <VAP_group_name>


7
Commands for Configuring Interfaces for a VAP Group
You must create and configure interfaces for a virtual application processor (VAP) group to enable the members of that VAP group to send and receive traffic. A VAP group interface has three parts:

- Circuit: A virtualized Ethernet connection configured for members of a VAP group. The primary purpose of a circuit is to provide a connection between the members of a VAP group and a physical interface on a Network Processor Module (NPM). However, you can also configure a circuit to provide an internal connection between members of one or more VAP groups configured on the same X-Series Platform. You create and configure a circuit, assign the circuit to one or more VAP groups, and configure each VAP group to process traffic passing through the circuit. When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces. NOTE: Some circuit configuration settings change VND configuration settings, thereby changing the configuration of the Linux networking device on each VAP in the VAP group.
- Physical interface: An Ethernet port on an NPM that you configure to pass traffic between the X-Series Platform and an external network.
- Logical interface: An interface that logically links a circuit's VNDs to a physical interface on an NPM. You configure a logical interface on a physical interface and then map the logical interface to a circuit that you have assigned to one or more VAP groups. An NPM uses logical interface mapping to identify the VNDs that send and receive traffic over each of its physical interfaces. NOTE: You can map only one circuit to each logical interface. However, you can map multiple logical interfaces to the same physical interface, allowing multiple circuits to pass traffic over a single physical interface. You can also use link aggregation to bond multiple physical interfaces to a single logical interface, allowing one circuit to pass traffic over multiple physical interfaces.

This chapter describes the CLI commands that you can use to create and configure circuits, physical interfaces, and logical interfaces for a VAP group. This chapter contains the following sections:
- Commands for Configuring Circuits
- Commands for Configuring IP Routes and Managing Destination MAC Address Resolution for VAP Groups
- Commands for Configuring Physical and Logical Interfaces for a VAP Group
- Commands for Configuring Interface Redundancy


Commands for Configuring Circuits


This section describes the commands that you can use to configure a circuit to pass traffic, assign the circuit to a virtual application processor (VAP) group, and configure the VAP group to process traffic passing through the circuit. This section contains the following command descriptions:
- configure circuit
- device-name (conf-cct context)
- link-state-resistant (conf-cct context)
- proxy-arp (conf-cct context)
- incoming-circuit-group (conf-cct context)
- vap-group (conf-cct context)
- ip (conf-cct-vapgroup context) (IPv6 and IPv4)
- alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4)
- ip-flow-rule-priority (conf-cct-vapgroup context)
- verify-next-hop-ip (conf-cct-vapgroup context) (IPv6 and IPv4)
- default-egress-vlan-tag (conf-cct-vapgroup context)
- replace-vlan-tag (conf-cct-vapgroup context)
- management-circuit (conf-cct-vapgroup context)
- dhcp-relay (conf-cct-vapgroup context)
- promiscuous-mode (conf-cct-vapgroup context)
- mac-addr (conf-cct-vapgroup context)
- mtu (conf-cct-vapgroup context)
- ip-forwarding (conf-cct-vapgroup context)
- icmp-redirect (conf-cct-vapgroup)
- enable (conf-cct-vapgroup)
- circuit (conf-bridge-mode context)
- show (conf-bridge-mode context)


configure circuit
Creates and configures a new circuit or configures the specified existing circuit. Places you in the conf-cct context in which you can configure the specified circuit and assign it to one or more virtual application processor (VAP) groups.

A circuit is a virtualized Ethernet connection configured for members of a VAP group. The primary purpose of a circuit is to provide a connection between the members of a VAP group and a physical interface on a Network Processor Module (NPM). However, you can also configure a circuit to provide an internal connection between members of one or more VAP groups configured on the same X-Series Platform.

When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

NOTE: Some circuit configuration settings change VND configuration settings, thereby changing the configuration of a VAP group's Linux networking devices.

By default, when you create a new circuit, XOS assigns that circuit to domain 1. Optionally, you can use the domain parameter to assign a different domain to the circuit that you are configuring.

An Active Flow Table (AFT) entry for an active flow includes six flow classification criteria: source and destination IP address, source and destination port, protocol, and circuit domain. A circuit domain serves as a unique identifier for the flows that the NPM assigns to a particular circuit. When a packet enters an NPM, the NPM uses the information in its AFT to determine which system-level and VAP group flow rules apply to the packet and to determine how to process the packet.

NOTE: You should use the domain parameter to assign unique domains to circuits only if your network configuration allows a single flow to ingress the X-Series Platform twice, using two different circuits.

The X-Series Platform uses a circuit's ID number to identify that circuit and the flows that pass through it. By default, XOS automatically assigns a unique circuit ID number to each new circuit that you create. Optionally, you can use the circuit-id parameter to assign a different circuit ID number to a new circuit.

Use the configure no circuit <circuit_name> command to delete the specified circuit.

Syntax
configure circuit <circuit_name> [domain <domain_ID_number>] [circuit-id <circuit_ID_number>]
configure no circuit <circuit_name>

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the conf-cct context in which you can configure the specified circuit and assign it to one or more VAP groups. You can access the following commands from this context:
- device-name (conf-cct context)
- link-state-resistant (conf-cct context)
- proxy-arp (conf-cct context)
- incoming-circuit-group (conf-cct context)
- tcp-rst-injection (conf-cct context)
- vap-group (conf-cct context)
- show (conf-cct context)


Parameters
The following table lists the parameters used with this command.

Parameter
    Description
<circuit_name>
    Name assigned to the circuit that you wish to create or configure.
domain <domain_ID_number>
    Assigns the specified domain ID number to the circuit that you are configuring. Valid values are from 1 to 4095. Default is 1. NOTE: You should use the domain parameter to assign unique domains to circuits only if your network configuration allows a single flow to ingress the X-Series Platform twice, using two different circuits.
circuit-id <circuit_ID_number>
    Assigns the specified user-defined circuit ID number to the circuit that you are configuring. NOTE: You cannot use this parameter to change the ID number assigned to an existing circuit. Valid values for user-defined circuit ID numbers are from 1 to 4095. By default, XOS creates each new circuit with a unique circuit ID number between 1025 and 4095. NOTE: Crossbeam recommends configuring circuits with user-defined circuit ID numbers between 1 and 1024 to avoid duplicating default circuit ID numbers.

Restrictions
Default Privilege Level: 15
You cannot use the circuit-id parameter to change the ID number assigned to an existing circuit.

Example
The following command creates a new circuit named testcct with circuit ID number 1:

CBS# configure circuit testcct circuit-id 1
CBS(conf-cct)#


device-name (conf-cct context)


Assigns the specified device name to all Virtual Network Devices (VNDs) that XOS creates for the circuit that you are configuring.

When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces, and use VND names to identify these interfaces.

NOTE: When you use an application management program to view and manage application interfaces or when you supply an interface name during an application installation interview, you identify each interface using its device name, not its circuit name. To avoid confusion, Crossbeam recommends that you configure every circuit with a descriptive circuit name, and configure each circuit's device name to match its circuit name.

A circuit's default device name is vnd<ID#>, where <ID#> is the circuit ID number assigned to the circuit. For example, if a circuit has the circuit ID number 1025, the circuit's default device name is vnd1025.

Use the no device-name command to restore the default device name for the circuit that you are configuring. Use the show (conf-cct context) command to display the circuit ID number and device name currently assigned to the circuit that you are configuring.

Syntax
device-name <device_name>
no device-name

Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.

Parameters
The following table lists the parameters used with this command.

Parameter
    Description
<device_name>
    Device name that you want to assign to the VNDs that XOS creates for the circuit that you are configuring. A circuit's default device name is vnd<ID#>, where <ID#> is the circuit ID number assigned to the circuit. NOTE: Do not use sit0 or gre0 as the name of the circuit. These are reserved names.

Restrictions
Default Privilege Level: 15
- After you prefix a circuit's device name with wrp, you cannot change that device name. Instead, you must delete the circuit and recreate it with a new device name.
- A circuit's device name cannot be lo, gre0, or sit0.
- A circuit's device name cannot begin with eth.
- A circuit's device name cannot be more than 12 characters in length.


Example
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)#

The following command changes the device name for the circuit called testcct from the default name, vnd<ID#>, to the user-defined name, testcct:

CBS(conf-cct)# device-name testcct
CBS(conf-cct)#

When you assign the circuit called testcct to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group, and assigns the user-defined device name, testcct, to each of these VNDs. The VAP operating system and the application running on the VAP group use these VNDs as Linux networking interfaces; each interface has the user-defined device name, testcct.

link-state-resistant (conf-cct context)


When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

By default, all circuit VNDs have a default link state of Down, and when a circuit is mapped to a logical interface configured for a physical interface, the link state of the circuit's VNDs always matches the link state of the physical interface. Therefore:

If a circuit is not mapped to a logical interface configured for a physical interface, the circuit cannot process traffic.
If a circuit is mapped to a logical interface configured for a physical interface, when the link state of the physical interface is Down, the link state of the circuit's VNDs is also Down, and the circuit cannot process traffic.

The link-state-resistant command sets the default link state to Up for all VNDs that XOS creates for the circuit that you are configuring, and decouples the link state of the circuit's VNDs from the link state of the physical interfaces (if any) whose logical interfaces are mapped to the circuit.

You use the link-state-resistant command when an application requires a virtual interface whose link state is not dependent on the link state of a physical interface. This command is also used when configuring a circuit to provide an internal connection between members of one or more VAP groups configured on the same X-Series Platform when there is a physical interface configured.

When you configure a circuit with the link-state-resistant command:

If you map the circuit to a logical interface configured for a physical interface on an NPM and the link state of the physical interface is Down, the circuit stops processing traffic passing through that interface. However, the link state of the circuit's VNDs remains Up. This allows the circuit to continue processing traffic passing between VAPs in a single VAP group, or between multiple VAP groups configured on the X-Series Platform.

Use the no link-state-resistant command to restore the default behavior for the circuit that you are configuring.

Use the show (conf-cct context) command to determine whether a circuit is configured with the link-state-resistant command.

Syntax
[no] link-state-resistant

Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-cct context, from which you can configure the existing circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)#

The following command sets the default link state to Up for all VNDs that XOS creates for the circuit called testcct, and decouples the link state of the VNDs that XOS creates for the circuit called testcct from the link state of the physical interfaces whose logical interfaces are mapped to that circuit:

CBS(conf-cct)# link-state-resistant
CBS(conf-cct)#

If you map the circuit called testcct to a logical interface configured for a physical interface on an NPM and the link state of the physical interface is Down, the circuit stops processing traffic passing through that interface. However, the link state of the circuit's VNDs remains Up. This allows testcct to continue processing traffic passing between VAPs in a single VAP group and/or between multiple VAP groups configured on the X-Series Platform.

proxy-arp (conf-cct context)


When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

Enables or disables (using no) Proxy ARP for the circuit that you are configuring. By default, when you create a new circuit, Proxy ARP is disabled for that circuit.

When Proxy ARP is enabled for a circuit, a VAP group can use that circuit to reply to ARP requests for NATed IP addresses that are defined in Check Point but not in XOS. Thus, the VAP group acts as a proxy for the ARP requests for NATed IP addresses.

Use the show (conf-cct context) command to determine whether Proxy ARP is enabled for the circuit that you are configuring.

Syntax
[no] proxy-arp

Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)#

The following command enables Proxy ARP for the circuit called testcct:

CBS(conf-cct)# proxy-arp
CBS(conf-cct)#

A VAP group can use the circuit called testcct to reply to ARP requests for NATed IP addresses that are defined in Check Point but not in XOS. Thus, the VAP group acts as a proxy for the ARP requests for NATed IP addresses.

tcp-rst-injection (conf-cct context)


Enables the aggressive aging-out of TCP flows from the chassis when an application initiates an RST to the endpoints of the TCP connections. When an application such as an IPS determines that a TCP flow is malicious, the application may inject a reset (RST) to terminate the flow. The RST is typically sent to the source and destination addresses. The tcp-rst-injection command aggressively ages out the TCP flows related to the RST based on the source and destination addresses and ports, IP protocol, and domain information from the flow table. The default setting is no tcp-rst-injection.

NOTE: Some applications require an additional circuit for RST injection. Refer to your application documentation for specific requirements.

Syntax
tcp-rst-injection
[no] tcp-rst-injection

Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)#

The following command enables tcp-rst-injection on testcct:

CBS(conf-cct)# tcp-rst-injection
CBS(conf-cct)#

incoming-circuit-group (conf-cct context)


Assigns the specified incoming circuit group (ICG) number to the circuit that you are configuring.

When a packet enters an NPM, the NPM uses the information in its Active Flow Table to determine which system-level and VAP group flow rules apply to the packet and to determine how to process the packet. Each Active Flow Table (AFT) entry includes the following information: source and destination IP address, source and destination port, circuit domain, and incoming circuit group. An incoming circuit group serves as a unique identifier for the flows that the NPM assigns to the circuits in a particular ICG.

A circuit's default ICG number is 1. Use the no incoming-circuit-group command to restore this default setting for the circuit that you are configuring.

Use the show (conf-cct context) command to display the ICG number assigned to the circuit that you are configuring.

To assign a name to an incoming circuit group, use the configure incoming-circuit-group-name command. To see a list of incoming circuit groups, including any names assigned to them, use the show incoming-circuit-group-name command.

Syntax
incoming-circuit-group <ICG_number>
no incoming-circuit-group

Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.

Parameters
The following table lists the parameters used with this command.

Parameter: <ICG_number>
Description: Incoming circuit group number that you want to assign to the circuit that you are configuring. Valid values are from 1 to 255. Default is 1.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)#

The following command assigns the circuit called testcct to incoming circuit group number 5:

CBS(conf-cct)# incoming-circuit-group 5
CBS(conf-cct)#

configure incoming-circuit-group-name
Configures the name of a specified incoming circuit group. To display a list of incoming circuit groups along with any assigned names, use the show incoming-circuit-group-name command.

Syntax
configure incoming-circuit-group-name <ICG_number> <ICG_name>
configure no incoming-circuit-group-name <ICG_number> <ICG_name>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <ICG_number>
Description: Specifies the number of the incoming circuit group (ICG) to which you want to apply a name. Range: 2-255

Parameter: <ICG_name>
Description: Specifies the name that you want to apply to the incoming circuit group (ICG).

Restrictions
Default Privilege Level: 15

Warning messages are displayed in each of the following instances:

Assigning a circuit to an unconfigured ICG
Deleting an ICG-name that is currently in use
Changing an existing ICG-name

In each of these cases, the command will successfully execute; however, a warning message will appear in the CLI. If the warning appears, check your configuration for potential conflicts in ICG naming.

Example
The following command assigns the name internal to incoming circuit group 3:

CBS# configure incoming-circuit-group-name 3 internal

vap-group (conf-cct context)


Assigns the circuit that you are configuring to the specified virtual application processor (VAP) group. Places you in the conf-cct-vapgroup context in which you can configure the specified VAP group to process traffic passing through the circuit that you are configuring.

NOTE: You can assign a single circuit to multiple VAP groups.

When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

NOTE: Some circuit configuration settings change VND configuration settings, thereby changing the configuration of the Linux networking device on each VAP in the VAP group.

Use the no parameter to remove the circuit that you are configuring from the specified VAP group.

Use the show (conf-cct context) command to display the current VAP group configurations for the circuit that you are currently configuring.

Syntax
[no] vap-group <VAP_group_name>

Contexts and Subcommands


You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.

This command places you in the conf-cct-vapgroup context in which you can configure the specified VAP group to process traffic passing through the circuit that you are configuring. You can access the following commands from the conf-cct-vapgroup context:

ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 407
alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411
ip-flow-rule-priority (conf-cct-vapgroup context) on page 415
verify-next-hop-ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 416
default-egress-vlan-tag (conf-cct-vapgroup context) on page 417
replace-vlan-tag (conf-cct-vapgroup context) on page 419
management-circuit (conf-cct-vapgroup context) on page 421
dhcp-relay (conf-cct-vapgroup context) on page 422
promiscuous-mode (conf-cct-vapgroup context) on page 423
mac-addr (conf-cct-vapgroup context) on page 424
mtu (conf-cct-vapgroup context) on page 427
ip-forwarding (conf-cct-vapgroup context) on page 428
icmp-redirect (conf-cct-vapgroup) on page 429
enable (conf-cct-vapgroup) on page 430

Parameters
The following table lists the parameters used with this command.

Parameter: <VAP_group_name>
Description: Specifies the name of the existing VAP group that you want to assign to the circuit that you are configuring, or specifies the name of the existing VAP group from which you want to remove the circuit that you are configuring.

Restrictions
Default Privilege Level: 15

You must use the configure vap-group command to create and configure a VAP group before assigning a circuit to that VAP group.

Example
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)#

The following command assigns the circuit called testcct to the VAP group called testvapgroup, and places you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)#

ip (conf-cct-vapgroup context) (IPv6 and IPv4)


When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

The ip command assigns a primary IP address to each of the VNDs that XOS creates for the circuit on the VAP group that you are configuring. This command also places you in the conf-cct-vapgroup-ip context in which you can assign an alias IP address to each of the VNDs that XOS creates for the circuit on the VAP group that you are configuring.

By default, the ip command assigns a single primary IP address to each of the VNDs that XOS creates for the circuit on the VAP group that you are configuring. Use the increment-per-vap parameter to assign a range of consecutive primary IP addresses to the VNDs that XOS creates for the circuit on the VAP group that you are configuring. When you specify this parameter, XOS assigns a unique primary IP address to each VND.

When you specify the increment-per-vap parameter, XOS assigns consecutive primary circuit IP addresses to consecutive VAP index numbers, with the lowest primary circuit IP address number assigned to VAP index number 1. For example, if you specify a primary circuit IPv4 address range from 2.2.2.35 through 2.2.2.37, XOS assigns these primary circuit IP addresses:

VAP index 1    IP address 2.2.2.35
VAP index 2    IP address 2.2.2.36
VAP index 3    IP address 2.2.2.37

IMPORTANT: To assign a primary circuit IP address to every VAP in a group, the number of primary circuit IP addresses in the specified range must be equal to or greater than the number of VAPs in the group. If the number of primary circuit IP addresses in the specified range is greater than the number of VAPs in the group, XOS reserves the unused primary circuit IP addresses. Each time you add a new VAP to the VAP group, XOS assigns one of the unused primary circuit IP addresses to the new VAP.

You use the increment-per-vap parameter when configuring a circuit for application management traffic. Assigning a unique management IP address to each VAP lets you access and manage each VAP as a separate instance of an application. You can also use the increment-per-vap parameter when configuring a circuit to pass traffic between different VAPs in a VAP group. For example, you must use this parameter when configuring a synchronization circuit for a Check Point firewall application.

By default, XOS determines the primary broadcast IP address for a circuit by applying the subnet mask specified for the primary IP addresses. Optionally, you can specify a user-defined broadcast IP address.

Each time you assign one or more primary circuit IP addresses to a VAP group, XOS generates a default IP flow rule for that VAP group. XOS defines this default IP flow rule as follows:

Flow matching criteria:
Destination IP address matches at least one of the primary circuit IP addresses that are configured for the VAP group.
Source IP address does not match the network or broadcast IP address.

Action: load-balance
See action load-balance (ip-flow-rule context) on page 304 for more information on this action.

Default IP flow rule priority level: 10
Use the ip-flow-rule-priority (conf-cct-vapgroup context) command to change this default priority level.

Use the no ip command to delete all primary IP address(es) currently assigned to the VNDs that XOS creates for the circuit on the VAP group that you are configuring.

Use the show (conf-cct context) command to display the primary IP addresses assigned to the VNDs that XOS creates for the circuit that you are configuring on each VAP group assigned to the circuit.

Syntax (IPv4)
ip {<IP_address> <netmask> | <IP_address>/<0-32>} [<broadcast_IP_address>] [increment-per-vap <IP_address>]
ip {<lowest_IP_address> <netmask> | <lowest_IP_address>/<0-32>} [<broadcast_IP_address>] [increment-per-vap <highest_IP_address>]
no ip

Syntax (IPv6)
ip {<IP_address>/<0-128>}
no ip

Contexts and Subcommands


You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

This command places you in the conf-cct-vapgroup-ip context in which you can assign an alias IP address to each of the VNDs that XOS creates for the circuit on the VAP group that you are configuring. You can access the following command from this context:

alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411

Parameters
The following table lists the parameters used with this command.

Parameter: {<IP_address> <netmask> | <IP_address>/<0-32>}
Description: Assigns the specified primary IP address to each VND that XOS creates for the circuit on the VAP group that you are configuring. You must specify the subnet mask for the primary IP address. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.

Parameter: {<lowest_IP_address> <netmask> | <lowest_IP_address>/<0-32>} increment-per-vap <highest_IP_address>
Description: Assigns the specified range of consecutive primary IP addresses to the VNDs that XOS creates for the circuit on the VAP group that you are configuring. When you specify this parameter, XOS assigns a unique primary IP address to each VND. XOS assigns consecutive primary circuit IP addresses to consecutive VAP index numbers, with the lowest primary circuit IP address number assigned to VAP index number 1. You must specify the subnet mask for the lowest primary IP address in the range. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.

Parameter: <broadcast_IP_address>
Description: Assigns the specified primary broadcast IP address to the circuit for the VAP group that you are currently configuring. By default, XOS determines the primary broadcast IP address for a circuit by applying the subnet mask specified for the primary IP address(es).
NOTE: The broadcast IP must match the primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group.

Restrictions
Default Privilege Level: 15

If you assign an IPv4 primary address to a circuit, you can assign either IPv4 or IPv6 alias addresses. If you assign an IPv6 primary address, you can assign only IPv6 alias addresses.
A primary IP address cannot have the subnet mask, 0.0.0.0. If you specify an IP network for a primary IP address using CIDR notation, you cannot use /0.
A primary circuit IP address cannot be in the same network as the X-Series Platform's configured and operational system internal network IP addresses. Use the show system-internal-network command to display the current configured and operational system internal network IP addresses for your X-Series Platform.
The broadcast IP, primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group must all belong to the same subnet.

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)#

The following command assigns a range of four primary IP addresses to the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup, assigning a unique primary IP address to each VND. This command also places you in the CLI context in which you can configure an alias IP address for each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup.

NOTE: Since the VAP group called testvapgroup consists of only three VAPs, this command assigns the first three primary circuit IP addresses in the range to VAP index numbers 1, 2, and 3 and reserves the fourth primary circuit IP address. If you add a fourth VAP to this group, XOS assigns the fourth primary circuit IP address to the new VAP.

CBS(conf-cct-vapgroup)# ip 2.2.2.35/24 increment-per-vap 2.2.2.38
CBS(conf-cct-vapgroup-ip)#

NOTE: To assign an IPv6 address, use this command:

CBS(conf-cct-vapgroup)# ip fd00:1900:4545:3:200:f8ff:fe21:67ca

The increment-per-vap sub-command is not supported for IPv6. All VAPs in a VAP group must share one IP address.

alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4)


When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

The alias command assigns a secondary (alias) IP address to each of the VNDs that XOS creates for the circuit on the VAP group that you are configuring.

By default, the alias command assigns a single alias IP address to each of the VNDs that XOS creates for the circuit on the VAP group that you are configuring. Use the increment-per-vap parameter to assign a range of consecutive alias IP addresses to the VNDs that XOS creates for the circuit on the VAP group that you are configuring. When you specify this parameter, XOS assigns a unique alias IP address to each VND.

When you specify the increment-per-vap parameter, XOS assigns consecutive alias circuit IP addresses to consecutive VAP index numbers, with the lowest alias circuit IP address number assigned to VAP index number 1. For example, if you specify an alias circuit IPv4 address range from 2.2.2.35 through 2.2.2.37, XOS assigns these alias circuit IP addresses:

VAP index 1    IP address 2.2.2.35
VAP index 2    IP address 2.2.2.36
VAP index 3    IP address 2.2.2.37

Mixing IPv6 and IPv4 Alias Addresses


If you specify the IP address for a circuit as an IPv4 address, alias addresses for that circuit can be any mixture of IPv4 and IPv6 addresses. If you specify the circuit address as IPv6, all alias addresses for the circuit must be IPv6 addresses.

IMPORTANT: To assign an alias circuit IP address to every VAP in a group, the number of alias circuit IP addresses in the specified range must be equal to or greater than the number of VAPs in the group. If the number of alias circuit IP addresses in the specified range is greater than the number of VAPs in the group, XOS reserves the unused alias circuit IP addresses. Each time you add a new VAP to the VAP group, XOS assigns one of the unused alias circuit IP addresses to the new VAP.

By default, XOS determines the alias broadcast IP address for a circuit by applying the subnet mask specified for the alias IP addresses. Optionally, you can specify a user-defined broadcast IP address.

Use the no alias command to delete all alias IP address(es) currently assigned to the VNDs that XOS creates for the circuit on the VAP group that you are configuring.

Use the show (conf-cct context) command to display the alias IP addresses assigned to the VNDs that XOS creates for the circuit that you are configuring on each VAP group assigned to the circuit.

Syntax (IPv4)
[no] alias {<IP_address> <netmask> | <IP_address>/<0-32>} [<broadcast_IP_address>] {[increment-per-vap <IP_address>] | [floating]}

Syntax (IPv6)
[no] alias <IP_address>/<0-128>

Context
You access this command from the conf-cct-vapgroup-ip context. You access this context from the main CLI context, as follows:

1. Issue the configure circuit command to configure a specific circuit.
2. Issue the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
3. Issue the ip (conf-cct-vapgroup context) (IPv6 and IPv4) command to assign a primary IP address to each of the VNDs that XOS creates for the circuit on the VAP group that you are configuring.

Parameters
The following table lists the parameters used with this command.

Parameter (IPv4): {<IP_address> <netmask> | <IP_address>/<0-32>}
Description: Assigns the specified alias IP address to each VND that XOS creates for the circuit on the VAP group that you are configuring. You must specify the subnet mask for the alias IP address. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.

Parameter (IPv4): {<lowest_IP_address> <netmask> | <lowest_IP_address>/<0-32>} increment-per-vap <highest_IP_address>
Description: Assigns the specified range of consecutive alias IP addresses to the VNDs that XOS creates for the circuit on the VAP group that you are configuring. When you specify this parameter, XOS assigns a unique alias IP address to each VND. XOS assigns consecutive alias circuit IP addresses to consecutive VAP index numbers, with the lowest alias circuit IP address number assigned to VAP index number 1. You must specify the subnet mask for the lowest alias IP address in the range. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.

Parameter (IPv4): <broadcast_IP_address>
Description: Assigns the specified alias broadcast IP address to the circuit for the VAP group that you are currently configuring. By default, XOS determines the alias broadcast IP address for a circuit by applying the subnet mask specified for the alias IP address(es).
NOTE: The broadcast IP must match the primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group.

Parameter (IPv4): floating
Description: Assigns the alias IP address to the master VAP, allowing traffic, cluster management, and synchronization communication to go directly to the master VAP. If a new master VAP is elected, the address floats to the new master.
NOTE: This parameter can be used only with an IPv4 address.
NOTE: This parameter cannot be used with increment-per-vap.
NOTE: Only one floating address can be used for any one circuit.

Parameter (IPv6): <IP_address>/<0-128>
Description: Assigns the specified alias IP address to each VND that XOS creates for the circuit on the VAP group that you are configuring. You must specify the subnet mask for the alias IP address. You can specify an IP network using CIDR notation (for example, fd00:1545:be72:e5af::cf33:54aa/64).
NOTE: If you specify an IP network using CIDR notation, you cannot use /0.

Restrictions
Default Privilege Level: 15

An alias IP address cannot have the subnet mask, 0.0.0.0. If you specify an IP network for an alias IP address using CIDR notation, you cannot use /0.
An alias circuit IP address cannot be in the same network as the X-Series Platform's configured and operational system internal network IP addresses. Use the show system-internal-network command to display the current configured and operational system internal network IP addresses for your X-Series Platform.
The broadcast IP, primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group must all belong to the same subnet.

Example (IPv4)
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)#

The following command assigns a range of four primary IP addresses to the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup, assigning a unique primary IP address to each VND. This command also places you in the CLI context in which you can configure an alias IP address for each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup.

NOTE: Since the VAP group called testvapgroup consists of only three VAPs, this command assigns the first three primary circuit IP addresses in the range to VAP index numbers 1, 2, and 3 and reserves the fourth primary circuit IP address. If you add a fourth VAP to this group, XOS assigns the fourth primary circuit IP address to the new VAP.

CBS(conf-cct-vapgroup)# ip 2.2.2.35/24 increment-per-vap 2.2.2.38
CBS(conf-cct-vapgroup-ip)#

The following command assigns a single alias IP address to each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:

CBS(conf-cct-vapgroup-ip)# alias 6.6.6.35/24
CBS(conf-cct-vapgroup-ip)#

Example (IPv6)
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)#

The following command assigns a single IPv6 address to the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup, assigning the same primary IP address to each VND. This command also places you in the CLI context in which you can configure an alias IP address for each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup.

NOTE: Since the VAP group called testvapgroup consists of only three VAPs, this command assigns the first three primary circuit IP addresses in the range to VAP index numbers 1, 2, and 3 and reserves the fourth primary circuit IP address. If you add a fourth VAP to this group, XOS assigns the fourth primary circuit IP address to the new VAP.

CBS(conf-cct-vapgroup)# ip fd00:1545:be72:e5af::cf33:54aa/64
CBS(conf-cct-vapgroup-ip)#

The following command assigns a single alias IPv6 address to each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:

CBS(conf-cct-vapgroup-ip)# alias fd00:1545:be72:e5af::cf33:33ff/64
CBS(conf-cct-vapgroup-ip)#
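
The increment-per-vap allocation described for the ip and alias commands, together with the match criteria of the default IP flow rule, modelled as an added example so a proposed range can be checked before it is entered at the CLI. This is not Crossbeam or XOS code: the function names are hypothetical, the internal networks are an assumed input, and treating reserved addresses as "configured" is an assumption.

```python
"""Model of increment-per-vap address planning and the default IP flow rule.

Added example, not Crossbeam/XOS code. Function names are hypothetical.
"""
import ipaddress


def plan_increment_per_vap(lowest_cidr, highest, vap_count,
                           broadcast=None, internal_nets=()):
    """Plan per-VAP addresses for `ip <lowest>/<len> increment-per-vap <highest>`.

    internal_nets is an assumed input: the system internal networks that
    `show system-internal-network` would report on the platform.
    """
    iface = ipaddress.IPv4Interface(lowest_cidr)   # increment-per-vap is IPv4 only
    net, low = iface.network, iface.ip
    high = ipaddress.IPv4Address(highest)

    if net.prefixlen == 0:
        raise ValueError("subnet mask 0.0.0.0 (/0) is not allowed")
    if high < low:
        raise ValueError("highest address is below the lowest address")
    if high not in net:
        raise ValueError(f"{high} is outside {net}: circuit addresses must share one subnet")
    bcast = ipaddress.IPv4Address(broadcast) if broadcast else net.broadcast_address
    if bcast not in net:
        raise ValueError(f"broadcast {bcast} is outside {net}")
    for internal in internal_nets:
        if net.overlaps(ipaddress.IPv4Network(internal)):
            raise ValueError(f"{net} overlaps system internal network {internal}")

    # Consecutive addresses go to consecutive VAP indexes, lowest address to index 1.
    pool = [low + i for i in range(int(high) - int(low) + 1)]
    usable = min(vap_count, len(pool))
    return {
        "network": net,
        "broadcast": bcast,
        "assigned": {idx: pool[idx - 1] for idx in range(1, usable + 1)},
        "reserved": pool[usable:],             # handed out when VAPs are added later
        "unaddressed_vaps": list(range(len(pool) + 1, vap_count + 1)),
    }


def default_flow_rule_matches(plan, src, dst):
    """True when a packet meets the default rule's criteria (action load-balance)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Assumption: every address in the configured range counts as "configured
    # for the VAP group", including those still reserved for future VAPs.
    configured = set(plan["assigned"].values()) | set(plan["reserved"])
    excluded_sources = {plan["network"].network_address, plan["broadcast"]}
    return dst in configured and src not in excluded_sources


if __name__ == "__main__":
    # The guide's own example: three VAPs, a range of four addresses.
    plan = plan_increment_per_vap("2.2.2.35/24", "2.2.2.38", vap_count=3)
    for idx, addr in plan["assigned"].items():
        print(f"VAP index {idx}: {addr}")
    print("reserved:", [str(a) for a in plan["reserved"]])
    print("broadcast:", plan["broadcast"])
    # Constructed packets: an ordinary client, then a source set to the broadcast.
    print(default_flow_rule_matches(plan, "198.51.100.7", "2.2.2.36"))
    print(default_flow_rule_matches(plan, "2.2.2.255", "2.2.2.36"))
```

A range shorter than the VAP group is reported in unaddressed_vaps rather than rejected, because the guide states only that such VAPs receive no address.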

Commands for Configuring Interfaces for a VAP Group


ip-flow-rule-priority (conf-cct-vapgroup context)


Assigns the specified priority level to the default IP flow rule that XOS creates when you assign one or more primary circuit IP addresses to the VAP group that you are configuring. Network Processor Modules (NPMs) use IP flow rules configured for a VAP group to determine how to process IP traffic destined for the members of that VAP group.
NOTE: See ip-flow-rule (config-vap-grp context) on page 302 for more information on configuring IP flow rules for a VAP group.

You set priority levels for VAP group IP flow rules to specify the order in which the NPM applies those IP flow rules to IP traffic flows assigned to a circuit configured for the VAP group. The NPM applies IP flow rules configured for a VAP group one at a time, in order of priority level, applying the IP flow rule with the highest priority level first.

Each time you assign one or more primary circuit IP addresses to a VAP group, XOS generates a default IP flow rule for that VAP group. XOS defines this default IP flow rule as follows:
Flow matching criteria:
Destination IP address matches at least one of the primary circuit IP addresses that are configured for the VAP group.
Source IP address does not match the network or broadcast IP address.
Action: load-balance
NOTE: See action load-balance (ip-flow-rule context) on page 304 for more information about this action.
Default IP flow rule priority level: 10

The ip-flow-rule-priority command changes the priority level for this default IP flow rule. When XOS creates a default IP flow rule, that flow rule has priority level 10. However, the default setting for the ip-flow-rule-priority command is priority level 21. Use the no ip-flow-rule-priority command to restore this default setting for the IP flow rule that XOS creates when you assign a primary circuit IP address to the VAP group that you are configuring.
Use the show (conf-cct context) command to display the priority level assigned to the default IP flow rule that XOS creates for each VAP group assigned to a circuit.

Syntax
ip-flow-rule-priority <priority_level>
no ip-flow-rule-priority

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Parameters
The following table lists the parameters used with this command.
Parameter: <priority_level>
Description: Priority level that you want to assign to the default VAP group IP flow rule that XOS creates when you assign a primary circuit IP address to the VAP group that you are configuring. Valid values are from 0 to 31. Default is 21.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command assigns priority level 15 to the default IP flow rule that XOS creates for the VAP group called testvapgroup when you assign a primary IP address to the VAP group for the circuit called testcct:
CBS(conf-cct-testvapgroup)# ip-flow-rule-priority 15
CBS(conf-cct-testvapgroup)#

verify-next-hop-ip (conf-cct-vapgroup context) (IPv6 and IPv4)


Directs the VAP group that you are configuring to verify connectivity to the specified next-hop IP address and to perform a redundant interface failover in the event that a next-hop IP address health check fails. This option is effective only if the circuit is assigned to an interface that has been configured for redundancy.

When you specify this option, the system periodically sends ARP requests (IPv4) or neighbor solicitations (IPv6) to the next-hop IP address. If the ARP requests or neighbor solicitations fail, and the link state of the inactive (backup) interface is Up, the system performs a redundant interface failover. After the failover has been completed, the system tries to reach the next-hop IP address over the backup interface.
NOTE: This is a true redundant interface failover, in which XOS moves all logical interfaces (not just the one mapped to the circuit that you are configuring) over to the backup interface. See Commands for Configuring Interface Redundancy on page 541 for information about configuring redundant interfaces.

Use the no parameter to delete the specified next-hop IP address health check configuration.

Syntax
[no] verify-next-hop-ip <IP_address>

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Parameters
The following table lists the parameters used with this command.
Parameter: <IP_address>
Description: Specifies the next-hop IP address that you want to assign to the circuit for the VAP group that you are configuring. The X-Series Platform verifies connectivity to the next-hop IP address.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to verify connectivity to the next-hop IPv4 address, 10.10.10.5, through the circuit called testcct. This command also configures the X-Series Platform to treat a next-hop IP address health check failure as a redundant interface failover trigger for the physical interface logically linked to the circuit called testcct.
CBS(conf-cct-testvapgroup)# verify-next-hop-ip 10.10.10.5
CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to verify connectivity to the next-hop IPv6 address, 3000:AC10::3713, through the circuit called testcct. This command also configures the X-Series Platform to treat a next-hop IP address health check failure as a redundant interface failover trigger for the physical interface logically linked to the circuit called testcct.
CBS(conf-cct-testvapgroup)# verify-next-hop-ip 3000:AC10::3713
CBS(conf-cct-testvapgroup)#

default-egress-vlan-tag (conf-cct-vapgroup context)


When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

The default-egress-vlan-tag command configures a VAP group to use the specified VLAN tag as the default VLAN tag for traffic egressing the VAP group through the circuit that you are configuring. The VAP group's circuit VNDs assign the specified default egress VLAN tag to all untagged packets egressing the VAP group through the circuit.

Optionally, you can specify the hide-vlan-header parameter to configure the VAP group to remove the VLAN tag from the header of every packet ingressing the VAP group through the circuit that you are configuring.
NOTE: Use the hide-vlan-header parameter for circuits mapped to VAP groups on which installed applications require the removal of VLAN tags from packet headers for proper operation.

By default, a VAP group does not apply a VLAN tag to a packet passing through a circuit; untagged packets always remain untagged after passing through a circuit. Use the no default-egress-vlan-tag command to restore this default behavior for a VAP group assigned to the circuit that you are configuring.

Use the show (conf-cct context) command to display the default egress VLAN tag configuration (if any) for each VAP group assigned to the circuit that you are configuring.

Syntax
default-egress-vlan-tag <VLAN_ID> [hide-vlan-header]
no default-egress-vlan-tag

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Parameters
The following table lists the parameters used with this command.
Parameter: <VLAN_ID>
Description: VLAN tag that you want to apply to untagged packets egressing the VAP group through the circuit that you are configuring. The VAP group's circuit VNDs assign the specified default egress VLAN tag to all untagged packets egressing the VAP group through the circuit. Valid values are from 0 to 4094.

Parameter: hide-vlan-header
Description: Configures the VAP group to remove the VLAN tag from the header of every packet ingressing the VAP group through the circuit that you are configuring.
NOTE: Use the hide-vlan-header parameter for circuits mapped to VAP groups on which installed applications require the removal of VLAN tags from packet headers for proper operation.
To delete this parameter from an existing circuit configuration for a VAP group, you must re-enter the default-egress-vlan-tag command without specifying this parameter.

Restrictions
Default Privilege Level: 15
Each egress VLAN tag that you configure must be unique. You cannot use the same default egress VLAN tag for multiple circuits configured on the X-Series Platform.
Use the show (conf-cct context) command to display the default and replacement egress VLAN tag configuration (if any) for each VAP group assigned to the circuit that you are configuring.

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to use the default egress VLAN tag, 1660, for traffic passing through the circuit called testcct. The testcct VNDs assign VLAN tag 1660 to all untagged packets egressing the VAP group called testvapgroup through the circuit called testcct:
CBS(conf-cct-testvapgroup)# default-egress-vlan-tag 1660
CBS(conf-cct-testvapgroup)#

replace-vlan-tag (conf-cct-vapgroup context)


When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

The replace-vlan-tag command configures a VAP group to use the specified egress VLAN tag for all traffic passing through the circuit that you are configuring. The VAP group's circuit VNDs remove all VLAN tags assigned to packets ingressing the VAP group through the circuit that you are configuring and replace those VLAN tags with the specified egress VLAN tag.

You can use the replace-vlan-tag command to map a port's ingress traffic, which has a VLAN ID of x, to the port's egress traffic, which has a VLAN ID of y. This practice is especially useful when a port is connected to an external switch.

By default, a VAP group does not use a specific egress VLAN tag for traffic passing through a circuit; a packet's ingress and egress VLAN tags are the same, and untagged packets remain untagged after passing through a circuit. Use the no replace-vlan-tag command to restore this default behavior for a VAP group assigned to the circuit that you are configuring.

Syntax
replace-vlan-tag <VLAN_ID>
no replace-vlan-tag

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Parameters
The following table lists the parameters used with this command.
Parameter: <VLAN_ID>
Description: Specifies the egress VLAN tag with which you want to replace the ingress VLAN tag assigned to each packet that ingresses the VAP group through the circuit that you are configuring. Valid values are from 0 to 4094.

Restrictions
Default Privilege Level: 15
Each egress VLAN tag that you configure must be unique. You cannot use the same replacement egress VLAN tag for multiple circuits configured on the X-Series Platform.
Use the show (conf-cct context) command to display the default and replacement egress VLAN tag configurations (if any) for each VAP group assigned to the circuit that you are configuring.

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command removes all ingress VLAN tags from packets ingressing on the VAP group called testvapgroup through the circuit called testcct, and replaces those ingress VLAN tags with the egress VLAN ID number 1670:
CBS(conf-cct-testvapgroup)# replace-vlan-tag 1670
CBS(conf-cct-testvapgroup)#

management-circuit (conf-cct-vapgroup context)


Configures a VAP group to treat all traffic passing through the circuit that you are configuring as application management traffic, rather than traffic that is to be inspected by the application running on the VAP group.
NOTE: Some applications inspect traffic received on any circuit. Use the management-circuit command to prevent these applications from inspecting management traffic passing through the circuit that you are configuring. Refer to your application installation and configuration guide to determine whether you must configure the circuit used for application management traffic with the management-circuit command.

Use the no parameter to remove the management-circuit command from a VAP group circuit configuration.

Syntax
[no] management-circuit

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to use the circuit called testcct for application management traffic:
CBS(conf-cct-testvapgroup)# management-circuit
CBS(conf-cct-testvapgroup)#

dhcp-relay (conf-cct-vapgroup context)


Configures a VAP group to use the circuit that you are configuring to listen for DHCP broadcasts. The VAP group accepts all DHCP broadcasts that it receives on this circuit and forwards them to the servers included in the VAP group's DHCP relay server list. Use the no parameter to delete the dhcp-relay command from a VAP group circuit configuration.
IMPORTANT: You must configure a VAP group to listen for DHCP broadcasts using one or more circuits before you configure a DHCP relay server list for that VAP group.

Use the show (conf-cct context) command to determine whether a VAP group can listen for and accept DHCP broadcasts received on the circuit that you are configuring. See dhcp-relay-server-list (config-vap-grp context) on page 201 for instructions on configuring a DHCP relay server list for a VAP group.

Syntax
[no] dhcp-relay

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to use the circuit called testcct to listen for DHCP broadcasts:
CBS(conf-cct-testvapgroup)# dhcp-relay
CBS(conf-cct-testvapgroup)#

promiscuous-mode (conf-cct-vapgroup context)


When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

The promiscuous-mode command configures the VAP group to accept every packet received on the circuit that you are configuring, without considering the packet's destination MAC address.

Specify the promiscuous-mode command without parameters to configure the VAP group to accept packets passing through the circuit without forwarding them to any other interfaces. Use this command to configure a circuit as a Tap, and use that circuit to support a sniffing application such as an Intrusion Detection System (IDS).

Specify the promiscuous-mode command with the active parameter to configure the VAP group to accept packets passing through the circuit and forward them to another interface configured for the VAP group. Use this command to configure a circuit to support a bridging application, such as an Intrusion Prevention System (IPS).
NOTE: See configure bridge-mode on page 445 for instructions on bridging circuits assigned to a VAP group.

By default, a VAP can accept a packet passing through a circuit only if one of the following conditions is true:
The packet's destination MAC address matches the MAC address assigned to the VND on which the VAP receives the packet.
The packet's destination MAC address is a broadcast MAC address.
The packet's destination MAC address is a multicast MAC address.

Use the no promiscuous-mode command to restore the default circuit behavior for the VAP group that you are configuring.

Syntax
promiscuous-mode [active]
no promiscuous-mode

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Parameters
The following table lists the parameters used with this command.
Parameter: active
Description: Configures the VAP group to accept packets passing through the circuit and forward them to another interface. Use this parameter to configure a circuit to support a bridging application, such as an Intrusion Prevention System (IPS).

Restrictions
Default Privilege Level: 15
A circuit can be configured for a VAP group using only one of the following commands:
promiscuous-mode
promiscuous-mode active
ip-forwarding
See ip-forwarding (conf-cct-vapgroup context) on page 428 for more information about the ip-forwarding command.

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to accept every packet received on the circuit called testcct, without considering the packet's destination MAC address. This command also configures the VAP group called testvapgroup to forward packets received on the circuit called testvapgroup to another interface configured for that VAP group.
CBS(conf-cct-testvapgroup)# promiscuous-mode active
CBS(conf-cct-testvapgroup)#
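
The acceptance rules described for promiscuous-mode can be modelled to show what an IDS on a tap circuit would miss if the circuit were left in its default mode. This is an added illustration, not XOS code; the function names and the sample destination addresses are constructed, and the VND MAC address is the one used in the MAC Address Inheritance steps.

```python
BROADCAST = bytes([0xFF] * 6)
MODES = ("default", "promiscuous-mode", "promiscuous-mode active")


def parse_mac(text):
    """Parse aa:bb:cc:dd:ee:ff notation into six raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in parts)


def classify(dst_mac, vnd_mac, mode="default"):
    """Return 'drop', 'accept' or 'accept+forward' for one ingress frame."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    dst, own = parse_mac(dst_mac), parse_mac(vnd_mac)
    if mode == "promiscuous-mode active":
        return "accept+forward"  # bridging use, such as an IPS
    if mode == "promiscuous-mode":
        return "accept"          # tap use, such as an IDS
    # Default mode: the three acceptance conditions listed in the reference.
    is_own = dst == own
    is_broadcast = dst == BROADCAST
    is_multicast = bool(dst[0] & 0x01) and not is_broadcast  # group bit set
    return "accept" if (is_own or is_broadcast or is_multicast) else "drop"


def coverage(frames, vnd_mac, mode):
    """Return the destination MACs of the frames the VAP would accept."""
    return [dst for dst in frames if classify(dst, vnd_mac, mode) != "drop"]


# Constructed sample: destination MACs of frames on a monitored segment.
VND_MAC = "44:44:44:44:44:44"
SAMPLE_FRAMES = [
    "44:44:44:44:44:44",  # addressed to the VND itself
    "ff:ff:ff:ff:ff:ff",  # broadcast
    "01:00:5e:00:00:fb",  # multicast
    "00:11:22:33:44:55",  # unicast between two other hosts
    "00:aa:bb:cc:dd:ee",  # unicast between two other hosts
]

if __name__ == "__main__":
    for mode in MODES:
        seen = coverage(SAMPLE_FRAMES, VND_MAC, mode)
        print(f"{mode}: {len(seen)} of {len(SAMPLE_FRAMES)} frames accepted")
```

In default mode the two host-to-host unicast frames are dropped, which is exactly the traffic a sniffing application is deployed to inspect.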

mac-addr (conf-cct-vapgroup context)


When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

XOS generates a MAC address for a circuit if the circuit is mapped to a VAP group and is attached to a logical interface, either by mapping it to a physical interface or by configuring an internal interface between VAP groups using the configure interface-internal command.

The mac-addr command assigns the specified user-defined MAC address to each of the VNDs that XOS creates for the circuit on the VAP group that you are configuring.
IMPORTANT: Only assign a user-specified MAC address to a VAP group's circuit VNDs if those VNDs must communicate with an external device that expects the VNDs to have a specific MAC address.

Use the system-reserved parameter to specify a user-defined MAC address that belongs to the X-Series Platform's pool of system-reserved MAC addresses. Each system-reserved address has one of the following formats:
00:03:d2:eX:XX:YY
00:03:d2:fX:XX:YY
where:
X:XX is a unique address sequence. The MAC addresses in the system-reserved address pool have sequential values for X:XX, starting at 0:01.

YY is the system identifier assigned to the X-Series Platform. Use the show system-identifier command to display the system ID assigned to your X-Series Platform.

The show running-config command displays user-defined MAC addresses that are not part of the system-reserved pool. This command does not display the system-reserved MAC addresses for the X-Series Platform.

By default, XOS assigns a single system-reserved MAC address to all of the VNDs that it creates for a circuit on a VAP group. Use the no mac-addr command to restore the default MAC address for the VNDs that XOS creates for the circuit on the VAP group that you are configuring.

Use the show (conf-cct context) command to display the MAC addresses assigned to the VNDs that XOS creates for the circuit that you are configuring on each VAP group assigned to that circuit.

MAC Address Inheritance


A single MAC address (user-defined or system-generated) can be assigned to multiple VLANs on a VAP group using the logical-all parameter under the configure interface command. If you do not specify a MAC address in Step 1, a system-generated MAC address will be used. The following steps describe this process.

1. Create a base circuit with a user-defined MAC address.
circuit int100base
  device-name int100base
  vap-group fw
    mac-addr 44:44:44:44:44:44
    ip 100.100.100.100/24 100.100.100.255

2. Create a VLAN circuit.
circuit int100v circuit-id 1106
  device-name int100v
  vap-group fw
    ip-forwarding
    default-egress-vlan-tag 100
    ip 101.101.101.101/24 101.101.101.255
  vap-group L2
    promiscuous-mode active

3. Create the interface, and assign a logical-all to the base circuit.
interface gigabitethernet 1/4 int100
  logical-all int100base
    circuit int100base
  logical int100v ingress-vlan-tag 100 100
    circuit int100v

Use the show circuit command on the VAP group to verify the MAC address assignment.

Once the base circuit is configured with the logical-all and a user-defined MAC address, the additional VLANs inherit the MAC address automatically. If the user changes the MAC address on the base circuit, the VLANs will inherit the new MAC address.

Assigning a logical to the base circuit in Step 3 prevents changes to the base circuit MAC address from being applied to the VLANs. The MAC addresses on the VLANs remain as assigned in the initial configuration.

To display configured VLAN information, use the show vlan command.

Syntax
mac-addr <MAC_address> [system-reserved]
no mac-addr

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Parameters
The following table lists the parameters used with this command.
Parameter: <MAC_address>
Description: User-defined MAC address that you want to assign to each of the VNDs that XOS creates for the circuit on the VAP group that you are configuring. You must specify the MAC address using standard hexadecimal MAC address format (aa:bb:cc:dd:ee:ff).
NOTE: The specified MAC address cannot contain all 0s (0:0:0:0:0:0) or all fs (ff:ff:ff:ff:ff:ff).
Parameter: system-reserved
Description: Enables the specified user-defined MAC address to be a system-reserved MAC address. Specify the all-series parameter with the show running-config command to display the system-reserved MAC addresses for your X-Series Platform.

Restrictions
Default Privilege Level: 15
A MAC address cannot contain only 0s (0:0:0:0:0:0) or only fs (ff:ff:ff:ff:ff:ff).
The VNDs that XOS creates for a specific circuit on a specific VAP group must have a unique MAC address. Use the show circuit command to display the MAC address assigned to the VNDs that XOS creates for each circuit on each VAP group configured on the X-Series Platform.

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command assigns the MAC address, aa:bb:cc:dd:ee:ff, to each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:
CBS(conf-cct-testvapgroup)# mac-addr aa:bb:cc:dd:ee:ff
CBS(conf-cct-testvapgroup)#

mtu (conf-cct-vapgroup context)


When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces. The mtu command sets the Maximum Transmission Unit (MTU) size for the VNDs that XOS creates for the circuit on the VAP group that you are configuring. You specify the MTU in bytes. The default MTU size is 1500 bytes. Use the no mtu command to restore this default setting for the VNDs that XOS creates for the circuit on the VAP group that you are configuring. Use the show (conf-cct context) command to display the MTU size configured for the VNDs that XOS creates for the circuit that you are configuring on each VAP group assigned to that circuit.

Syntax
mtu <size>
no mtu

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Parameters
The following table lists the parameters used with this command.
Parameter: <size>
Description: Maximum Transmission Unit (MTU) size, in bytes, that you want to apply to the VNDs that XOS creates for the circuit on the VAP group that you are configuring. Valid values are from 68 to 9000. Default is 1500.
NOTE: If IPv6 has been enabled for the VAP group, the minimum MTU size is 1280. If you attempt to configure a number smaller than 1280, an error message appears.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command sets the Maximum Transmission Unit (MTU) size to 4000 bytes for each VND that XOS creates for the circuit called testcct on the VAP group called testvapgroup:
CBS(conf-cct-testvapgroup)# mtu 4000
CBS(conf-cct-testvapgroup)#

ip-forwarding (conf-cct-vapgroup context)


When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

The ip-forwarding command enables the VAP group to forward IP packets received on the circuit that you are configuring.
IMPORTANT: Enabling IP forwarding for a VAP group also enables IP forwarding for all of that VAP group's circuits. The circuit-level ip-forwarding command has no effect if IP forwarding is enabled for the VAP group that you are configuring. Use the show vap-group command to determine whether IP forwarding is enabled for a VAP group. See ip-forwarding (config-vap-grp context) on page 192 for instructions on enabling and disabling IP forwarding for a VAP group.
NOTE: In almost all cases, the application installed on a VAP group handles packet forwarding for that VAP group and for all circuits assigned to that VAP group. Therefore, you should enable IP forwarding for a VAP group and configure the VAP group to forward IP packets received on one or more circuits only if your application installation and configuration guide specifically instructs you to do so.

By default, a VAP group cannot forward IP packets received on a circuit. Use the no parameter to restore this default circuit behavior for the VAP group that you are configuring.

Use the show (conf-cct context) command to determine whether any VAP group can forward IP packets received on the circuit that you are currently configuring.

Syntax
[no] ip-forwarding

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Restrictions
Default Privilege Level: 15
A circuit can be configured for a VAP group using only one of the following commands:
promiscuous-mode
promiscuous-mode active
ip-forwarding

See promiscuous-mode (conf-cct-vapgroup context) on page 423 for more information about the promiscuous-mode and promiscuous-mode active commands.

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to forward IP packets received on the circuit called testcct:
CBS(conf-cct-testvapgroup)# ip-forwarding
CBS(conf-cct-testvapgroup)#

icmp-redirect (conf-cct-vapgroup)
Configures a VAP group to accept ICMP redirect packets received on the circuit that you are configuring.
NOTE: ICMP redirect packets change information in a host's routing table. Therefore, configuring a host to accept ICMP redirect packets is often considered to be a security risk.

By default, a VAP group drops all ICMP redirect packets received on a circuit. Use the no parameter to restore this default circuit behavior for the VAP group that you are configuring.

Use the show (conf-cct context) command to determine whether any VAP groups are configured to accept ICMP redirect packets received on the circuit that you are configuring.

Syntax
[no] icmp-redirect

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to accept ICMP redirect packets received on the circuit called testcct:

CBS(conf-cct-testvapgroup)# icmp-redirect
CBS(conf-cct-testvapgroup)#

enable (conf-cct-vapgroup)
When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces. This command enables or disables (using no) all of the VNDs that XOS creates for the circuit on the VAP group that you are configuring. A circuit's VNDs are enabled by default.

This command is useful when changing an application's mode of operation requires changing the VAP group's interface configuration. You can configure circuits to support multiple modes of operation and then disable the circuits that are not required to support the application's current mode of operation. For example, you can use this technique to facilitate operating mode changes for an application that can run in either Intrusion Detection System (IDS) mode or Intrusion Prevention System (IPS) mode.

Use the show (conf-cct context) command to determine whether the VNDs that XOS creates for the circuit that you are configuring are enabled or disabled on each VAP group assigned to the circuit.

Syntax
[no] enable

Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.

Restrictions
Default Privilege Level: 15

Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#

The following command disables the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:

CBS(conf-cct-testvapgroup)# no enable
CBS(conf-cct-testvapgroup)#

show (conf-cct context)


Displays the current configuration settings for the circuit that you are configuring for each VAP group assigned to that circuit.

Syntax
show

Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.

Output
This command displays the current circuit configuration settings for each VAP group assigned to the circuit that you are configuring, using the following format:

Circuit Name                          : <circuit_name>
Circuit-Id                            : <ID_number>
Device Name                           : <device_name>
Incoming Circuit Group                : <ICG_number>
Link State Resistant (true/false)     : {t | f}
Promiscuous Mode                      : {unknown | no promiscuous | promiscuous | promiscuous active}
Proxy ARP Enabled (true/false)        : {t | f}
IP Forwarding (true/false)            : [t | f]
ICMP Redirect (true/false)            : [t | f]
Reclassify NAT Flows (true/false)     : [t | f]
IP Flow Rule Priority                 : [<priority_level>]
IP Flow Rule No Failover (true/false) : [t | f]
VAP Group                             : [<VAP_group_name>]
Verify Next Hop IP                    : [<next_hop_IP_address>]
Aggregation Mode                      : {none | multi-link}
Domain                                : <domain_ID_number>
New Flow Control (true/false)         : {t | f}
DHCP Relay (true/false)               : [t | f]
Default Egress Vlan Tag               : [N/A | <VLAN_ID>]
Hide VLAN Header (true/false)         : {N/A | t | f}
Replace Egress Vlan Tag               : [N/A | <VLAN_ID>]
MAC Address                           : [<MAC_address> [(system-reserved)]]
MTU                                   : [<MTU_size>]
Management Circuit (true/false)       : [t | f]
Enable (true/false)                   : [t | f]
Primary Type                          : [primary | ip-less]
IP Address                            : [<primary_IP_address>/<0-32>] (IPv4)
                                        [<primary_IP_address>/<0-128>] (IPv6)
IP Broadcast Address                  : [<primary_broadcast_IP_address>]
Increment-per-vap Mode (true/false)   : [t | f]
IP Address High                       : [<primary_IP_address>]
Alias Index                           : <alias_index_number>
IP Address                            : <alias_IP_address>/<0-32> (IPv4)
                                        <alias_IP_address>/<0-128> (IPv6)
IP Broadcast Address                  : <alias_broadcast_IP_address>
Increment-per-vap Mode (true/false)   : {t | f}
IP Address High                       : <alias_IP_address>

The following table describes the information provided in each column/row.

Row Heading    Information Provided

Circuit Name

Name of the circuit that you are configuring. See configure circuit on page 397 for instructions on assigning a name to a new circuit. NOTE: You cannot change the name of an existing circuit.

Circuit-Id

Circuit ID number assigned to the circuit. Default is a system-assigned number between 1025 and 4095. See configure circuit on page 397 for information about assigning a user-defined circuit ID to a new circuit. NOTE: You cannot change the ID number assigned to an existing circuit.

Device Name

Device name assigned to the VNDs that XOS creates for the circuit on each VAP group to which the circuit is assigned. Default device name is vnd<ID#>, where <ID#> is the circuit ID number assigned to the circuit. See device-name (conf-cct context) on page 399 for information about configuring a device name for a circuit.

Incoming Circuit Group

ID number for the incoming circuit group (ICG) to which the circuit is assigned. Default is 1. See incoming-circuit-group (conf-cct context) on page 403 for information about assigning a circuit to an ICG.

Link State Resistant (true/false)

Indicates whether the Virtual Network Devices (VNDs) that XOS creates for the circuit on a VAP group are configured as virtualized internal interfaces that function independently of the physical interfaces on the Network Processor Modules (NPMs). This row displays either f (false) or t (true):
    f (false) - Default setting. The VNDs that XOS creates for the circuit on a VAP group cannot function without a logical link to a physical interface. The VNDs have a default link state of Down, and the link state of the circuit's VNDs always matches the link state of the physical interface mapped to the circuit.
    t (true) - The VNDs that XOS creates for the circuit on a VAP group are configured as link-state-resistant interfaces that have a default link state of Up, and the link state of the VNDs is not dependent on the link state of any physical interface.
See link-state-resistant (conf-cct context) on page 400 for information about configuring a circuit to enable its VNDs to function as virtualized internal interfaces.

Promiscuous Mode

VAP group promiscuous mode setting for the circuit:
    unknown - Circuit is not assigned to a VAP group.
    no promiscuous - Default VAP group setting. Each VAP in the VAP group can accept a packet received on the circuit only if one of the following conditions is true:
        The packet's destination MAC address matches the MAC address assigned to the VND on which the VAP receives the packet.
        The packet's destination MAC address is a broadcast MAC address.
        The packet's destination MAC address is a multicast MAC address.
    promiscuous - VAP group is configured to accept every packet received on the circuit, without considering the packet's destination MAC address. VAP group accepts packets passing through the circuit without forwarding them to any other interfaces.
    promiscuous active - VAP group is configured to accept every packet received on the circuit, without considering the packet's destination MAC address. VAP group accepts packets passing through the circuit and forwards them to another interface configured for the VAP group.
See promiscuous-mode (conf-cct-vapgroup context) on page 423 for information about setting the promiscuous mode for a VAP group assigned to a circuit.

Proxy ARP Enabled (true/false)

Indicates whether Proxy ARP is enabled (t) or disabled (f) for the circuit. Default is disabled (f). See proxy-arp (conf-cct context) on page 402 for information about enabling and disabling Proxy ARP for a circuit.

IP Forwarding (true/false)

This row is blank if the circuit is not assigned to a VAP group. Indicates whether IP forwarding is enabled (t) or disabled (f) on the circuit for the VAP group. Default is disabled (f). See ip-forwarding (conf-cct-vapgroup context) on page 428 for information about configuring a VAP group to forward IP packets received on a circuit. NOTE: Enabling IP forwarding for a VAP group enables IP forwarding on all of the VAP group's circuits. Use the show vap-group command to determine whether IP forwarding is enabled for a VAP group. See ip-forwarding (config-vap-grp context) on page 192 for information about enabling and disabling IP forwarding for a VAP group.

ICMP Redirect (true/false)

This row is blank if the circuit is not assigned to a VAP group. Indicates whether acceptance of ICMP redirect packets is enabled (t) or disabled (f) on the circuit for the VAP group. Default is disabled (f). See icmp-redirect (conf-cct-vapgroup) on page 429 for information about configuring a VAP group to accept ICMP redirect packets received on a circuit.

Reclassify NAT Flows (true/false)

This row is blank if the circuit is not assigned to a VAP group. Indicates whether reclassification of NAT flows is enabled (t) or disabled (f) on the circuit for the VAP group. Default is disabled (f). NOTE: You can change this setting only if the X-Series Platform is running in Series-2 NPM mode. Therefore, you cannot change this setting on an X-Series Platform running XOS V8.5 or later.

IP Flow Rule Priority

This row is blank if the circuit is not assigned to a VAP group. Priority level assigned to the default IP flow rule that XOS creates for the VAP group when one or more primary IP addresses is assigned to the VAP group for this circuit. Default IP flow rule priority level for a new circuit is 10. Default setting for a user-configured IP flow rule priority level is 21. See ip-flow-rule-priority (conf-cct-vapgroup context) on page 415 for information about configuring the priority level for a default IP flow rule that XOS creates for a VAP group.

IP Flow Rule No Failover (true/false)

This row is blank if the circuit is not assigned to a VAP group. Indicates whether the circuit-level IP flow rule, no-failover, is enabled (t) or disabled (f) for the VAP group. Default is disabled (f). NOTE: You can change this setting only if the X-Series Platform is running in Series-2 NPM mode. Therefore, you cannot change this setting on an X-Series Platform running XOS V8.5 or later.

VAP Group

This row is blank if the circuit is not assigned to a VAP group. Name of the VAP group to which this circuit configuration applies. See vap-group (conf-cct context) on page 406 for information about assigning a VAP group to a circuit and configuring that VAP group to process traffic passing through a circuit.

Verify Next Hop IP

This row is blank if a next-hop IP address is not assigned to the circuit for this VAP group or if the circuit is not assigned to a VAP group. Next-hop IP address assigned to the circuit for the VAP group. NOTE: The system verifies connectivity to this IP address and triggers a redundant interface failover if the next-hop IP address health check fails. See verify-next-hop-ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 416 for information about assigning a next-hop IP address to a VAP group.

Aggregation Mode

Indicates whether the circuit is mapped to a group interface configured for the VAP group, and if so, displays the mode configured for that group interface. This row displays one of the following keywords:
    none - Circuit is not mapped to a group interface configured for the VAP group.
    multi-link - Circuit is mapped to a group interface configured for the VAP group, and the group interface is configured in multi-link mode.
See mode (conf-group-intf context) on page 497 for information about configuring a group interface mode and mapping a circuit to a group interface.

Domain

ID number for the domain to which the circuit is assigned. Default is 1. See configure circuit on page 397 for information about assigning a circuit to a domain.

New Flow Control (true/false)

Indicates whether New Flow Control is enabled (t) or disabled (f) for the circuit. Default is enabled (t). NOTE: You can change this setting only if the X-Series Platform is running in Series-2 NPM mode. Therefore, you cannot change this setting on an X-Series Platform running XOS V8.5 or later.

DHCP Relay (true/false)

This row is blank if the circuit is not assigned to a VAP group. Indicates whether DHCP Relay is enabled (t) or disabled (f) on the circuit for the VAP group. Default is disabled (f). If DHCP Relay is enabled, the VAP group can use the circuit to listen for DHCP broadcasts and forward them to the servers in the VAP group's DHCP relay server list. See dhcp-relay (conf-cct-vapgroup context) on page 422 for information about enabling and disabling DHCP Relay on a circuit for a VAP group. See dhcp-relay-server-list (config-vap-grp context) on page 201 for instructions on configuring a DHCP relay server list for a VAP group.

Default Egress Vlan Tag

This row is blank if the circuit is not assigned to a VAP group. If the circuit is assigned to a VAP group, this row displays one of the following:
    N/A - Default setting. Indicates that the VAP group does not apply a VLAN tag to untagged packets passing through the circuit.
    VLAN ID number - Default egress VLAN tag configured for the VAP group for the circuit. The VAP group applies the specified VLAN tag to all untagged packets egressing the VAP group through the circuit.
See default-egress-vlan-tag (conf-cct-vapgroup context) on page 417 for information about configuring a VAP group with a default egress VLAN tag for a circuit.

Hide VLAN Header (true/false)

Displays one of the following Hide VLAN Header settings:
    N/A - VAP group is not configured with a default egress VLAN tag for this circuit.
    t - Hide VLAN Header is enabled. The VAP group is configured with a default egress VLAN tag for the circuit, and the VAP group removes the VLAN tag from the header of every packet ingressing the VAP group through the circuit. NOTE: This setting is also displayed when a circuit is not assigned to a VAP group.
    f - Default setting. Hide VLAN Header is disabled. The VAP group is configured with a default egress VLAN tag for the circuit, but the VAP group does not remove VLAN tags from the headers of packets ingressing the VAP group through the circuit.
See default-egress-vlan-tag (conf-cct-vapgroup context) on page 417 for information on enabling and disabling Hide VLAN Header for a VAP group configured with a default egress VLAN tag for a circuit.

Replace Egress Vlan Tag

This row is blank if the circuit is not assigned to a VAP group. If the circuit is assigned to a VAP group, this row displays one of the following:
    N/A - Default setting. Indicates that the VAP group does not use a specific egress VLAN tag for traffic passing through the circuit. A packet's ingress and egress VLAN tags are the same, and untagged packets remain untagged after passing through the circuit.
    VLAN ID number - Replacement egress VLAN tag configured for the VAP group for the circuit. The VAP group applies the specified egress VLAN tag to all packets passing through the circuit. The VAP group removes all VLAN tags assigned to packets ingressing the VAP group through the circuit and replaces those VLAN tags with the specified egress VLAN tag.
See replace-vlan-tag (conf-cct-vapgroup context) on page 419 for information about configuring a VAP group with a replacement egress VLAN tag for a circuit.

MAC Address : <MAC_address> [system-reserved]

This row is blank if the circuit is not assigned to a VAP group. <MAC_address> is the MAC address assigned to the Virtual Network Devices (VNDs) that XOS creates for the circuit on the VAP group. The system-reserved keyword indicates that the MAC address belongs to the X-Series Platform's pool of system-reserved MAC addresses. By default, XOS assigns a single system-reserved MAC address to all of the VNDs that it creates for a circuit on a VAP group. See mac-addr (conf-cct-vapgroup context) on page 424 for information about configuring a MAC address for the VNDs that XOS creates for a circuit on a VAP group.

MTU

This row is blank if the circuit is not assigned to a VAP group. Maximum Transfer Unit size, in bytes, for the VNDs that XOS creates for the circuit on the VAP group. Default is 1500. NOTE: If IPv6 has been enabled for the VAP group, the minimum MTU size is 1280. If you attempt to configure a number smaller than 1280, an error message appears. See mtu (conf-cct-vapgroup context) on page 427 for information about setting the MTU size for the VNDs that XOS creates for a circuit on a VAP group.

Management Circuit (true/false)

This row is blank if the circuit is not assigned to a VAP group. Indicates one of the following:
    f - Default setting. Application installed on the VAP group inspects all traffic passing through the circuit.
    t - VAP group circuit configuration includes the management-circuit command. The application installed on the VAP group treats all traffic passing through the circuit as management traffic, and does not inspect the traffic.
See management-circuit (conf-cct-vapgroup context) on page 421 for information about this VAP group circuit configuration setting.

Enable (true/false)

This row is blank if the circuit is not assigned to a VAP group. Indicates whether the Virtual Network Devices (VNDs) that XOS creates for the circuit on the VAP group are enabled (t) or disabled (f). Default is enabled (t). See enable (conf-cct-vapgroup) on page 430 for information about enabling and disabling a VAP group's VNDs for a circuit.

Primary Type

This row is blank if the circuit is not assigned to a VAP group. If the circuit is assigned to a VAP group, this row displays one of the following keywords:
    ip-less - Default setting. The VNDs that XOS creates for the circuit on the VAP group do not have primary IP addresses assigned to them.
    primary - A primary IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group.
See ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 407 for information about assigning a primary IP address to each of the VNDs that XOS creates for a circuit on a VAP group.

IP Address: [<primary_IP_address>/<0-32>] (IPv4) [<primary_IP_address>/<0-128>] (IPv6)

This row is blank if the circuit is not assigned to a VAP group. This row does not appear if the VNDs that XOS creates for the circuit on the VAP group do not have primary IP addresses assigned to them. If this row appears in a VAP group's circuit configuration, this row displays one of the following:
    The single primary IP address and subnet mask assigned to each of the VAP group's VNDs for the circuit.
    The lowest primary IP address in the range of consecutive primary IP addresses assigned to the VAP group's VNDs for the circuit and the subnet mask for those primary IP addresses.
NOTE: If a range of consecutive primary IP addresses is assigned to the VAP group's VNDs for a circuit, XOS assigns a unique primary circuit IP address to each VAP in the group. XOS assigns consecutive primary circuit IP addresses to consecutive VAP index numbers, with the lowest primary circuit IP address number assigned to VAP index number 1. See ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 407 for information about assigning a primary IP address to each of the VNDs that XOS creates for a circuit on a VAP group.

IP Broadcast Address : [<primary_broadcast_IP_address>]

This row does not appear if the IP address is IPv6. This row is blank if the circuit is not assigned to a VAP group. This row does not appear if the VNDs that XOS creates for the circuit on the VAP group do not have primary IP addresses assigned to them. If this row appears in a VAP group's circuit configuration, this row displays the primary broadcast IP address assigned to the circuit for the VAP group. By default, XOS determines the primary broadcast IP address for a circuit by applying the subnet mask specified for the primary IP addresses assigned to the VAP group's VNDs for the circuit. See ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 407 for information about assigning a user-defined primary broadcast IP address to a circuit for a VAP group.

Increment-per-vap Mode (true/false) (Under Primary Type)

This row is blank if the circuit is not assigned to a VAP group. If the circuit is assigned to a VAP group, this row indicates whether increment-per-vap is enabled (t) or disabled (f) for the primary IP addresses assigned to the VNDs that XOS creates for the circuit on the VAP group. Default is disabled (f). If increment-per-vap is enabled, a range of consecutive primary IP addresses is assigned to the VNDs that XOS creates for the circuit on the VAP group. NOTE: XOS assigns a unique primary circuit IP address to each VAP in the group. XOS assigns consecutive primary circuit IP addresses to consecutive VAP index numbers, with the lowest primary circuit IP address number assigned to VAP index number 1. See ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 407 for information about assigning a unique primary IP address to each of the VNDs that XOS creates for a circuit on a VAP group.

IP Address High : [<primary_IP_address>]

This row is blank if the circuit is not assigned to a VAP group. This row does not appear if increment-per-vap is disabled (f) for the primary IP addresses assigned to the VNDs that XOS creates for the circuit on the VAP group. If this row appears in a VAP group's circuit configuration, this row displays the highest primary IP address in the range of consecutive primary IP addresses assigned to the VNDs that XOS creates for the circuit on the VAP group. NOTE: If a range of consecutive primary IP addresses is assigned to the VAP group's VNDs for a circuit, XOS assigns a unique primary circuit IP address to each VAP in the group. XOS assigns consecutive primary circuit IP addresses to consecutive VAP index numbers, with the lowest primary circuit IP address number assigned to VAP index number 1. See ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 407 for information about assigning a unique primary IP address to each of the VNDs that XOS creates for a circuit on a VAP group.

Alias Index

This row appears only if an alias IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group. This row displays the lowest VAP index number to which an alias circuit IP address is currently assigned. Default is 1. See alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411 for information about assigning an alias IP address to each of the VNDs that XOS creates for a circuit on a VAP group.

IP Address: <alias_IP_address>/<0-32> (IPv4) <alias_IP_address>/<0-128> (IPv6)

This row appears only if an alias IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group. This row displays one of the following:
    The single alias IP address and subnet mask assigned to each of the VAP group's VNDs for the circuit.
    The lowest alias IP address in the range of consecutive alias IP addresses assigned to the VAP group's VNDs for the circuit and the subnet mask for those alias IP addresses.
NOTE: If a range of consecutive alias IP addresses is assigned to the VAP group's VNDs for a circuit, XOS assigns a unique alias circuit IP address to each VAP in the group. XOS assigns consecutive alias circuit IP addresses to consecutive VAP index numbers, with the lowest alias circuit IP address number assigned to VAP index number 1. See alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411 for information about assigning an alias IP address to each of the VNDs that XOS creates for a circuit on a VAP group.

IP Broadcast Address : <alias_broadcast_IP_address>

This row appears only if an alias IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group. This row displays the alias broadcast IP address assigned to the circuit for the VAP group. By default, XOS determines the alias broadcast IP address for a circuit by applying the subnet mask specified for the alias IP addresses assigned to the VAP group's VNDs for the circuit. See alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411 for information about assigning a user-defined alias broadcast IP address to a circuit for a VAP group.

Increment-per-vap Mode (true/false) (Under the Alias Index field)

This row appears only if an alias IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group. This row indicates whether increment-per-vap is enabled (t) or disabled (f) for the alias IP addresses assigned to the VNDs that XOS creates for the circuit on the VAP group. Default is disabled (f). If increment-per-vap is enabled, a range of consecutive alias IP addresses is assigned to the VNDs that XOS creates for the circuit on the VAP group. NOTE: XOS assigns a unique alias circuit IP address to each VAP in the group. XOS assigns consecutive alias circuit IP addresses to consecutive VAP index numbers, with the lowest alias circuit IP address number assigned to VAP index number 1. See alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411 for information about assigning a unique alias IP address to each of the VNDs that XOS creates for a circuit on a VAP group.

IP Address High : <alias_IP_address>

This row appears only if an alias IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group, and increment-per-vap is enabled (t) for those alias IP addresses. This row displays the highest alias IP address in the range of consecutive alias IP addresses assigned to the VNDs that XOS creates for the circuit on the VAP group. NOTE: If a range of consecutive alias IP addresses is assigned to the VAP group's VNDs for a circuit, XOS assigns a unique alias circuit IP address to each VAP in the group. XOS assigns consecutive alias circuit IP addresses to consecutive VAP index numbers, with the lowest alias circuit IP address number assigned to VAP index number 1. See alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411 for information about assigning a unique alias IP address to each of the VNDs that XOS creates for a circuit on a VAP group.

Restrictions
Default Privilege Level: 15

Example (IPv4)
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)#

The following command displays the current configuration settings for the circuit called testcct for the VAP group called testvapgroup (which is the only VAP group to which that circuit is assigned).

NOTE: This example output displays some (though not all) of the configuration settings that you would create if you issued the commands that we have provided throughout this section.

CBS(conf-cct)# show
Circuit Name                          : testcct
Circuit-Id                            : 1
Device Name                           : testcct
Incoming Circuit Group                : 1
Promiscuous Mode                      : no promiscuous
Proxy ARP Enabled (true/false)        : f
IP Forwarding (true/false)            : f
ICMP Redirect (true/false)            : f
Reclassify NAT Flows (true/false)     : f
IP Flow Rule Priority                 : 15
IP Flow Rule No Failover (true/false) : f
VAP Group                             : testvapgroup
Verify Next Hop IP                    : 10.10.10.5
Aggregation Mode                      : none
Domain                                : 1
New Flow Control (true/false)         : t
DHCP Relay (true/false)               : f
Default Egress Vlan Tag               : 1660
Hide VLAN Header (true/false)         : f
Replace Egress Vlan Tag               : N/A
MAC Address                           : 00:03:d2:e0:02:02 (system-reserved)
MTU                                   : 4000
Management Circuit (true/false)       : f
Enable (true/false)                   : t
Primary Type                          : primary
IP Address                            : 2.2.2.35/24
IP Broadcast Address                  : 2.2.2.255
Increment-per-vap Mode (true/false)   : f
IP Address High                       : 2.2.2.38

Alias Index                           : 1
IP Address                            : 6.6.6.35/24
IP Broadcast Address                  : 6.6.6.255
Increment-per-vap Mode (true/false)   : f

CBS(conf-cct)#

Example (IPv6)
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:

CBS# configure circuit testcct
CBS(conf-cct)#

The following command displays the current configuration settings for the circuit called testcct for the VAP group called testvapgroup (which is the only VAP group to which that circuit is assigned).

NOTE: This example output displays some (though not all) of the configuration settings that you would create if you issued the commands that we have provided throughout this section.

CBS(conf-cct)# show
Circuit Name                          : testcct
Circuit-Id                            : 1
Device Name                           : testcct
Incoming Circuit Group                : 1
Promiscuous Mode                      : no promiscuous
Proxy ARP Enabled (true/false)        : f
IP Forwarding (true/false)            : f
ICMP Redirect (true/false)            : f
Reclassify NAT Flows (true/false)     : f
IP Flow Rule Priority                 : 15
IP Flow Rule No Failover (true/false) : f
VAP Group                             : testvapgroup
Verify Next Hop IP                    : 10.10.10.5
Aggregation Mode                      : none
Domain                                : 1
New Flow Control (true/false)         : t
DHCP Relay (true/false)               : f
Default Egress Vlan Tag               : 1660
Hide VLAN Header (true/false)         : f
Replace Egress Vlan Tag               : N/A
MAC Address                           : 00:03:d2:e0:02:02 (system-reserved)
MTU                                   : 4000
Management Circuit (true/false)       : f
Enable (true/false)                   : t
Primary Type                          : primary
IP Address                            : fd00:1545:be72:e5af::cf33:54aa/64
Increment-per-vap Mode (true/false)   : f

Alias Index                           : 1
IP Address                            : fd00:1545:be72:e5af::cf33:12/64
Increment-per-vap Mode (true/false)   : f

CBS(conf-cct)#
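
The row descriptions above state a default for each setting, so captured show (conf-cct context) output can be checked for security-relevant rows that differ from those defaults. The following Python script is an added example, not part of the Crossbeam guide or of XOS; it assumes one "Row Heading : value" pair per line and a single VAP group block, and its function names and sample text are constructed for illustration.

```python
"""Flag non-default, security-relevant rows in `show` (conf-cct context) output.

Added example, not Crossbeam code. Assumes one "Row Heading : value" pair per
line and a single VAP group block, as in the guide's sample output.
"""
from typing import NamedTuple

# Row heading -> (documented default, why a deviation deserves review).
# Headings and defaults come from the row descriptions in this section.
DEFAULTS = {
    "Promiscuous Mode": (
        "no promiscuous",
        "VAP group accepts every packet regardless of destination MAC"),
    "Proxy ARP Enabled (true/false)": (
        "f", "Proxy ARP is enabled for the circuit"),
    "IP Forwarding (true/false)": (
        "f", "VAP group forwards IP packets received on the circuit"),
    "ICMP Redirect (true/false)": (
        "f", "accepted ICMP redirects can change the host routing table"),
    "DHCP Relay (true/false)": (
        "f", "VAP group relays DHCP broadcasts heard on the circuit"),
    "Management Circuit (true/false)": (
        "f", "application does not inspect traffic on this circuit"),
    "Enable (true/false)": (
        "t", "VNDs for this circuit are disabled on the VAP group"),
}


class Finding(NamedTuple):
    row: str
    value: str
    default: str
    reason: str


def parse_show(text):
    """Return ordered (row heading, value) pairs, skipping prompts and blanks."""
    rows = []
    for line in text.splitlines():
        # Split on the FIRST colon only: MAC and IPv6 values contain colons.
        heading, sep, value = line.partition(":")
        if not sep or "#" in heading or not heading.strip():
            continue  # no separator, a CLI prompt line, or a continuation line
        rows.append((heading.strip(), value.strip()))
    return rows


def audit_circuit(text):
    """Return a Finding for each audited row that differs from its default."""
    first = {}
    for heading, value in parse_show(text):
        # Primary rows precede alias rows, so keep the first value per heading.
        first.setdefault(heading, value)
    findings = []
    for row, (default, reason) in DEFAULTS.items():
        value = first.get(row, "")
        # Blank (or "unknown") means the circuit has no VAP group assigned.
        if value in ("", "unknown", default):
            continue
        findings.append(Finding(row, value, default, reason))
    return findings


# Constructed sample: rows from the guide's IPv4 example, with ICMP Redirect
# and Management Circuit changed to t so that the audit has something to report.
SAMPLE = """\
CBS(conf-cct)# show
Circuit Name                          : testcct
Promiscuous Mode                      : no promiscuous
Proxy ARP Enabled (true/false)        : f
IP Forwarding (true/false)            : f
ICMP Redirect (true/false)            : t
VAP Group                             : testvapgroup
DHCP Relay (true/false)               : f
MAC Address                           : 00:03:d2:e0:02:02 (system-reserved)
Management Circuit (true/false)       : t
Enable (true/false)                   : t
Primary Type                          : primary
IP Address                            : 2.2.2.35/24
Alias Index                           : 1
IP Address                            : 6.6.6.35/24
CBS(conf-cct)#
"""

if __name__ == "__main__":
    for f in audit_circuit(SAMPLE):
        print(f"{f.row}: {f.value} (default {f.default}) - {f.reason}")
```

A circuit-level IP Forwarding value of f does not rule out forwarding, because enabling IP forwarding for the VAP group enables it on all of that group's circuits; check show vap-group as well.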

configure bridge-mode
When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

XOS supports bridging interfaces that connect members of a VAP group to different segments of the same LAN. To bridge interfaces on a VAP group, use the configure bridge-mode command to configure a template circuit as a virtualized network bridging device for a VAP group, and configure that device to bridge the VNDs that XOS creates for a pair of traffic circuits assigned to the VAP group. Then, configure logical interfaces for the physical interfaces that are connected to the LAN segments that you want to bridge, and map each traffic circuit to a logical interface.

NOTE: Either or both of the two bridged traffic circuits can be mapped to a logical interface configured for a link aggregation group (LAG), allowing each circuit to pass traffic over multiple physical interfaces.

The configure bridge-mode command configures the specified template circuit as a new virtualized network bridging device, or configures the existing device created using the specified template circuit. This command also places you in the conf-bridge-mode context in which you can map traffic circuits to the specified virtualized network bridging device. See circuit (conf-bridge-mode context) on page 447 for instructions on mapping traffic circuits to a virtualized network bridging device.

IMPORTANT: You must create and configure a template circuit before configuring it as a virtual network bridging device. To create and configure a template circuit, perform the following steps:

1. Use the configure circuit command to create the circuit.
2. Use the device-name (conf-cct context) command to assign a device name to each of the circuit's VNDs.
3. Use the vap-group (conf-cct context) command to assign the circuit to the VAP group for which you want to configure the virtualized network bridging device.

NOTE: For applications requiring an IP address on the virtual network bridging device, assign the IP address to the template circuit before creating the bridge. Refer to your application documentation for IP address requirements.

By default, the configure bridge-mode command configures a new virtualized network bridging device in bridge mode; in this mode, XOS creates the bridge between the VNDs for the two traffic circuits mapped to the bridging device. Use the transparent parameter to configure a virtualized network bridging device in transparent mode; in this mode the application installed on the VAP group creates the bridge between the VNDs for the two traffic circuits mapped to the bridging device.

NOTE: After you configure a virtualized network bridging device in transparent mode, you cannot reconfigure it in bridge mode. Instead, you must delete the device and recreate it in bridge mode.

Use the no parameter to delete the virtualized network bridging device created using the specified template circuit. Use the show (conf-bridge-mode context) command to display the current configuration settings for the virtualized network bridging device that you are configuring.

Syntax
configure [no] bridge-mode <template_circuit_name> [transparent]

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the conf-bridge-mode context in which you can map traffic circuits to the virtualized network bridging device created using the specified template circuit. You can access the following commands from this context:
circuit (conf-bridge-mode context) on page 447
show (conf-bridge-mode context) on page 449

Parameters
The following table lists the parameters used with this command.

Parameter: <template_circuit_name>
Description: Name of the template circuit used to create the virtualized network bridging device that you are configuring.

Parameter: transparent
Description: Configures the specified template circuit as a virtualized network bridging device in transparent mode; in this mode the application installed on the VAP group creates the bridge between the VNDs for the two traffic circuits mapped to the bridging device.
NOTE: After you configure a virtualized network bridging device in transparent mode, you cannot reconfigure it in bridge mode. Instead, you must delete the device and recreate it in bridge mode.

Restrictions
Default Privilege Level: 15
You must create and configure a template circuit before using the configure bridge-mode command to configure that template circuit as a virtualized network bridging device.
After you configure a virtualized network bridging device in transparent mode, you cannot reconfigure it in bridge mode. Instead, you must delete the device and recreate it in bridge mode.

Example
The following commands create and configure a template circuit called testbridge and assign that circuit to the VAP group called testvapgroup:
CBS# configure circuit testbridge
CBS(conf-cct)# device-name testbridge
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# end
CBS#

The following command configures the template circuit called testbridge as a new virtualized network bridging device for the VAP group called testvapgroup, and configures the new device in transparent mode. This command also places you in the conf-bridge-mode context in which you can map two traffic circuits to the virtualized network bridging device created using the template circuit called testbridge.
CBS# configure bridge-mode testbridge transparent
CBS(conf-bridge-mode)#

circuit (conf-bridge-mode context)


When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

XOS supports bridging VNDs that connect members of a VAP group to different segments of the same LAN. To bridge the VNDs for a pair of circuits assigned to a VAP group, you configure a template circuit as a virtualized network bridging device for the VAP group, and then map the two traffic circuits to that device. You then configure logical interfaces for the physical interfaces that are connected to the different LAN segments and map each traffic circuit to a logical interface.

NOTE: Either or both of the two bridged traffic circuits can be mapped to a logical interface configured for a link aggregation group (LAG), allowing each circuit to pass traffic over multiple physical interfaces.

The circuit command maps the specified traffic circuit to the virtualized network bridging device that you are configuring.

IMPORTANT: You must create and configure each traffic circuit before mapping it to a virtual network bridging device.

To create and configure a traffic circuit, perform the following steps:
1. Use the configure circuit command to create the circuit.
2. Use the device-name (conf-cct context) command to assign a device name to each of the circuit's VNDs.
3. Use the vap-group (conf-cct context) command to assign the circuit to the VAP group for which you want to configure the virtualized network bridging device.
   NOTE: If the application does not specifically require an IP address on the virtual network bridging device, do not assign a primary IP address to the VNDs that XOS creates for the traffic circuit on the VAP group. Refer to your application documentation for IP address requirements.
4. Use the promiscuous-mode active command to configure the VAP group to accept every packet received on the circuit, without considering the packet's destination MAC address, and to configure the VAP group to forward packets received on this circuit to another interface configured for the VAP group. See promiscuous-mode (conf-cct-vapgroup context) on page 423 for information about this command.
5. To configure serialization, add one of the traffic circuits to a layer 3 VAP group. Then, use the configure interface-internal command to configure an internal interface and assign that circuit to the interface-internal.

For information about configuring bridged configurations for serialization, see the XOS Configuration Guide and the Serialization Cookbook: IPS and Firewall.

When you map two traffic circuits to the same virtualized network bridging device, the VAP group forwards packets received on each traffic circuit to the VNDs that XOS creates on the VAP group for the other traffic circuit. Thus, the device bridges the two LAN segments connected to the physical interfaces that are logically linked to the VNDs for the two traffic circuits.

NOTE: You can map only two traffic circuits to each virtualized network bridging device that you create and configure using the circuit (conf-bridge-mode context) command.

Use the no parameter to remove the specified traffic circuit from the configuration for the virtualized network bridging device that you are currently configuring.

Use the show (conf-bridge-mode context) command to display the current configuration settings for the virtualized network bridging device that you are configuring.

Syntax
[no] circuit <circuit_name>

Context
You access this command from the conf-bridge-mode context. You access this context from the main CLI context by issuing the configure bridge-mode command.

Parameters
The following table lists the parameters used with this command.

Parameter: <circuit_name>
Description: Name of the traffic circuit that you wish to map to or remove from the virtualized network bridging device that you are configuring.

Restrictions
Default Privilege Level: 15
You must create and configure each traffic circuit before mapping it to a virtualized network bridging device.
Each traffic circuit mapped to a virtualized network bridging device must be IP-less.
You must include the promiscuous-mode active command in the VAP group circuit configuration for each traffic circuit mapped to a virtualized network bridging device configured for that VAP group. Use the show circuit command to determine whether a VAP group circuit configuration includes the promiscuous-mode active command. See promiscuous-mode (conf-cct-vapgroup context) on page 423 for information about this command.
You can map only two traffic circuits to each virtualized network bridging device that you create using the circuit (conf-bridge-mode context) command. Use the show (conf-bridge-mode context) command to list the circuits currently mapped to the virtualized network bridging device that you are configuring.

Example
The following commands create two IP-less traffic circuits called testbridgecct1 and testbridgecct2, assign the circuits to the VAP group called testvapgroup, and configure the VAP group to use the two circuits to support a bridging application:
CBS# configure circuit testbridgecct1
CBS(conf-cct)# device-name testbrcct1
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# end
CBS# configure circuit testbridgecct2
CBS(conf-cct)# device-name testbrcct2
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# end

The following command places you in the conf-bridge-mode context in which you can map traffic circuits to the existing virtualized network bridging device created using the template circuit called testbridge:
CBS# configure bridge-mode testbridge transparent
CBS(conf-bridge-mode)#

The following commands map the two traffic circuits called testbridgecct1 and testbridgecct2 to the virtualized network bridging device created using the template circuit called testbridge:
CBS(conf-bridge-mode)# circuit testbridgecct1
CBS(conf-bridge-mode)# circuit testbridgecct2
CBS(conf-bridge-mode)#
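Added example (not part of the XOS documentation or Crossbeam software): a Python audit that replays a saved CLI transcript and reports violations of the bridge-mode restrictions listed above. The finding codes, function name and sample transcript are this example's own; it assumes that end leaves the conf-bridge-mode context as it does in the conf-cct-vapgroup examples, and it does not check the IP-less restriction because the command that assigns an IP address is not shown in this section.

```python
import re

PROMPT = re.compile(r"^CBS(\([\w-]+\))?#\s*")  # "CBS#" or "CBS(conf-cct)#"

def audit_bridge_config(transcript):
    """Replay XOS CLI lines and return (code, name) findings."""
    circuits = {}  # circuit name -> {VAP group name: promiscuous-mode active?}
    bridges = {}   # template circuit name -> {"mode": ..., "members": [...]}
    findings = []
    cct = grp = bridge = None  # current CLI context

    for raw in transcript.splitlines():
        w = PROMPT.sub("", raw.strip()).split()
        if not w:
            continue
        if w[:2] == ["configure", "circuit"] and len(w) == 3:
            cct, grp, bridge = w[2], None, None
            circuits.setdefault(cct, {})
        elif w[0] == "vap-group" and len(w) == 2 and cct:
            grp = w[1]
            circuits[cct].setdefault(grp, False)
        elif w == ["promiscuous-mode", "active"] and cct and grp:
            circuits[cct][grp] = True
        elif w == ["end"]:
            cct = grp = bridge = None
        elif w[:3] == ["configure", "no", "bridge-mode"] and len(w) == 4:
            bridges.pop(w[3], None)
            cct = grp = bridge = None
        elif w[:2] == ["configure", "bridge-mode"] and len(w) in (3, 4):
            cct, grp, bridge = None, None, w[2]
            mode = "transparent" if w[3:] == ["transparent"] else "bridge"
            if not circuits.get(bridge):
                # Template circuit must exist and be assigned to a VAP group.
                findings.append(("template-not-ready", bridge))
            if bridge not in bridges:
                bridges[bridge] = {"mode": mode, "members": []}
            elif bridges[bridge]["mode"] == "transparent" and mode == "bridge":
                findings.append(("transparent-to-bridge", bridge))
            else:
                bridges[bridge]["mode"] = mode
        elif w[0] == "circuit" and len(w) == 2 and bridge:
            members = bridges[bridge]["members"]
            if w[1] not in circuits:
                findings.append(("member-not-created", w[1]))
            elif w[1] not in members and len(members) >= 2:
                findings.append(("more-than-two-members", w[1]))
            elif w[1] not in members:
                members.append(w[1])
        elif w[:2] == ["no", "circuit"] and len(w) == 3 and bridge:
            if w[2] in bridges[bridge]["members"]:
                bridges[bridge]["members"].remove(w[2])

    # Every member needs promiscuous-mode active on the bridge's VAP group(s).
    for name, b in bridges.items():
        for group in circuits.get(name, {}):
            for member in b["members"]:
                if not circuits[member].get(group):
                    findings.append(("promiscuous-mode-missing", member))
    return findings

# Constructed transcript (not from the page) that breaks three restrictions.
BAD_TRANSCRIPT = """\
CBS# configure circuit br0
CBS(conf-cct)# vap-group fw
CBS(conf-cct-vapgroup)# end
CBS# configure circuit seg1
CBS(conf-cct)# vap-group fw
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# end
CBS# configure circuit seg2
CBS(conf-cct)# vap-group fw
CBS(conf-cct-vapgroup)# end
CBS# configure circuit seg3
CBS(conf-cct)# vap-group fw
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# end
CBS# configure bridge-mode br0 transparent
CBS(conf-bridge-mode)# circuit seg1
CBS(conf-bridge-mode)# circuit seg2
CBS(conf-bridge-mode)# circuit seg3
CBS(conf-bridge-mode)# end
CBS# configure bridge-mode br0
"""

if __name__ == "__main__":
    for code, name in audit_bridge_config(BAD_TRANSCRIPT):
        print(f"{code}: {name}")
```

Run over the testbridge commands shown in the examples above, the audit returns no findings.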

show (conf-bridge-mode context)


Displays the current configuration settings for the virtualized network bridging device that you are configuring.

Syntax
show

Context
You access this command from the conf-bridge-mode context. You access this context from the main CLI context by issuing the configure bridge-mode command.

Output
The output for this command has the following format:
Bridge Mode Name : <template_circuit_name>
Mode             : {bridge | transparent}
Member Circuit   : <bridged_traffic_circuit_name1>
Member Circuit   : <bridged_traffic_circuit_name2>
(1 row)

The following table describes the information provided in each column/row.

Column/Row Heading: Bridge Mode Name
Information Provided: Name of the template circuit used to create the virtualized network bridging device.

Column/Row Heading: Mode
Information Provided: Indicates the current operating mode configured for the virtualized network bridging device:
  bridge: Default setting. The virtualized network bridging device is operating in bridge mode. In this mode, XOS creates the bridge between the VNDs for the two traffic circuits mapped to the bridging device.
  transparent: The virtualized network bridging device is operating in transparent mode. In this mode the application installed on the VAP group creates the bridge between the VNDs for the two traffic circuits mapped to the bridging device.

Column/Row Heading: Member Circuit : <bridged_traffic_circuit_name1>
Information Provided: Name of the first (or only) traffic circuit mapped to the virtualized network bridging device. This row appears only if at least one traffic circuit is mapped to the virtualized network bridging device. See circuit (conf-bridge-mode context) on page 447 for information about mapping traffic circuits to a virtualized network bridging device.

Column/Row Heading: Member Circuit : <bridged_traffic_circuit_name2>
Information Provided: Name of the second traffic circuit mapped to the virtualized network bridging device. This row appears only if two traffic circuits are mapped to the virtualized network bridging device. See circuit (conf-bridge-mode context) on page 447 for information about mapping traffic circuits to a virtualized network bridging device.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-bridge-mode context in which you can map traffic circuits to the existing virtualized network bridging device created using the template circuit called testbridge:
CBS# configure bridge-mode testbridge transparent
CBS(conf-bridge-mode)#

The following command displays the current configuration for the virtualized network bridging device created using the template circuit called testbridge.

NOTE: This command displays the virtualized network bridging device configuration settings that you would create if you issued the example commands that we have provided under the circuit (conf-bridge-mode context) command.

CBS(conf-bridge-mode)# show
Bridge Mode Name : testbridge
Mode             : transparent
Member Circuit   : testbridgecct1
Member Circuit   : testbridgecct2
(1 row)

Commands for Configuring IP Routes and Managing Destination MAC Address Resolution for VAP Groups
This section describes the CLI commands that you can use to configure IP routes and manage destination MAC address resolution for one or more VAP groups. This section contains the following command descriptions:
configure ip route (IPv6 and IPv4) on page 452
metric (config-ip-route context) on page 454
verify-next-hop (config-ip-route context) on page 455
configure ip default-network (IPv6 and IPv4) on page 456
metric (conf-ip-default-network context) on page 458
verify-next-hop (conf-ip-default-network context) on page 459
configure arp on page 460
configure neighbor-discovery (IPv6) on page 461
configure ipv6-tunnel (IPv6) on page 463

configure ip route (IPv6 and IPv4)


Configures a static IP route for VAP group traffic and places you in the config-ip-route context in which you can configure the specified IP route. VAPs must use the specified IP route for all packets whose destination IP addresses are in the specified destination network.

NOTE: This command defines static IP routes for VAP group traffic only. This command does not define static IP routes for X-Series Platform management traffic. To define a static IP route for X-Series Platform management traffic, use the configure management ip-route command.

When a packet's destination IP address belongs to the destination IP networks defined for multiple static IP routes, a VAP uses the static IP route whose destination IP network address matches the most bits in the packet's destination IP address.

By default, a user-defined static IP route applies to all traffic passing between the members of the VAP groups configured on the X-Series Platform and the external networks connected to the physical interfaces on the Network Processor Modules (NPMs). You can use the following parameters to apply a static IP route only to specific VAP group interfaces:
domain: Applies the static IP route only to traffic passing through the circuits that belong to the specified domain. Use the show circuit command to display the domain ID assigned to each circuit configured on the X-Series Platform. By default, all circuits belong to domain 1. Use the configure circuit command to assign a circuit to a different domain.
circuit: Applies the static IP route only to traffic passing through the specified circuit.
vap-group: Applies the static IP route only to traffic passing through the specified VAP group.

Optionally, you can use the description parameter to append a description to the IP route table entry created for a user-defined static IP route.

Use the configure no ip route command to delete the specified static IP route.

Use the show ip route command to display all static IP routes configured for VAP group traffic and all static IP routes configured for X-Series Platform management traffic.

Syntax (IPv4)
configure ip route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address> [domain <domain_ID>] [circuit <circuit_name>] [vap-group <VAP_group_name>] [description <description>]
configure no ip route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address>

Syntax (IPv6)
configure ip route <IP_address>/<0-128> <next_hop_IP_address> [domain <domain_ID>] [circuit <circuit_name>] [vap-group <VAP_group_name>] [description <description>]
configure no ip route <IP_address>/<0-128> <next_hop_IP_address>

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the config-ip-route context in which you can configure the specified static IP route. You can access the following commands from this context:
metric (config-ip-route context) on page 454
verify-next-hop (config-ip-route context) on page 455

Parameters
The following table lists the parameters used with this command.

Parameter: {<IP_address> <subnet_mask> | <IP_address>/<0-32>}
Description: Destination network for which you want to define a static IP route. You must specify the subnet mask for the primary IP address. You can specify the destination network with a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify the network using CIDR notation (for example, 10.15.0.0/16).

Parameter: (IPv6) <IP_address>/<0-128>
Description: Destination network for which you want to define a static IP route. You must specify the IPv6 address using CIDR notation. Entering an address and subnet mask is not acceptable. Example: fd00::200:f8ff:fe21:67cf/64

Parameter: <next_hop_IP_address>
Description: Next hop IP address that packets must use to reach the destination network.

Parameter: domain <domain_ID>
Description: Configures the static IP route to apply only to traffic passing through the circuits that belong to the specified domain. Valid values for <domain_ID> are from 1 to 4095. Default is 1. Use the show circuit command to display the domain ID assigned to each circuit configured on the X-Series Platform. By default, all circuits belong to domain 1. Use the configure circuit command to assign a circuit to a different domain.

Parameter: circuit <circuit_name>
Description: Configures the static IP route to apply only to traffic passing through the specified circuit.

Parameter: vap-group <VAP_group_name>
Description: Configures the static IP route to apply only to traffic passing through the specified VAP group.

Parameter: description <description>
Description: Creates a textual description and associates that description with the destination network that you have defined for the static IP route. You can use this description to help you identify the destination network in the list of static IP routes displayed when you issue the show ip route command.

Restrictions
Default Privilege Level: 15
An IP route is considered to be invalid if either of the following conditions is true:
  The next-hop IP address belongs to the same network as the destination IP address.
  The destination network IP address is the same as a primary circuit IP address or a virtual circuit IP address configured for a VAP group.
The destination IP address configured for an IP route cannot be the same as either the configured system internal network IP address or the operational system internal network IP address. Use the show system-internal-network command to display the configured and operational system internal network IP addresses assigned to your X-Series Platform.

Example (IPv4)
The following command creates a static IP route for packets passing through the Virtual Network Devices (VNDs) that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the config-ip-route context in which you can configure the specified static IP route:
CBS# configure ip route 2.2.2.0/24 192.213.212.111 vap-group testvapgroup circuit testcct
CBS(config-ip-route)#

Example (IPv6)
The following command creates a static IP route for packets passing through the Virtual Network Devices (VNDs) that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the config-ip-route context in which you can configure the specified static IP route:
CBS# configure ip route fd00::200:f8ff:fe21:67cf/64 fd00::192.213.212.111 vap-group testvapgroup circuit testcct
CBS(config-ip-route)#

metric (config-ip-route context)


Assigns the specified metric value to the static IP route that you are configuring.

When a packet's destination IP address belongs to the destination IP networks defined for multiple static IP routes, the packet uses the static IP route whose destination IP network address matches the most bits in the packet's destination IP address. If a packet's destination IP address matches the same number of bits in the destination IP network addresses defined for multiple static IP routes, the packet uses the static IP route with the lowest metric value.

The default metric value is 0. Use the no metric command to restore this default setting for the static IP route that you are configuring.

Syntax
metric <metric_value>
no metric

Context
You access this command from the config-ip-route context. You access this context from the main CLI context by issuing the configure ip route (IPv6 and IPv4) command.

Parameters
The following table lists the parameters used with this command.

Parameter: <metric_value>
Description: Metric value that you want to assign to the static IP route that you are configuring. Valid values are:
  IPv4: 1 to 255, inclusive, with a default of 0 (zero)
  IPv6: 257 to 511, inclusive with a default value of 256

Restrictions
Default Privilege Level: 15

Example
The following command creates a static IP route for packets passing through the Virtual Network Devices (VNDs) that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the config-ip-route context in which you can configure the specified static IP route:
CBS# configure ip route 2.2.2.0/24 192.213.212.111 vap-group testvapgroup circuit testcct
CBS(config-ip-route)#

The following command assigns the metric value 10 to the above static IP route:
CBS(config-ip-route)# metric 10
CBS(config-ip-route)#

verify-next-hop (config-ip-route context)


Directs each VAP that belongs to a VAP group configured on the X-Series Platform to send an ARP request to the next-hop IP address for the static IP route that you are configuring before sending a packet to that next-hop IP address. If an ARP request fails, XOS increases the metric value of the IP route; if other IP routes are defined for the same destination network, the VAPs will use those alternate routes to send traffic to the destination network. By default, when you configure a static IP route using the configure ip route (IPv6 and IPv4) command, VAPs do not test their connections to the host whose IP address is configured as the next-hop IP address for the static IP route. Use the no parameter to restore this default behavior.

Syntax
[no] verify-next-hop

Context
You access this command from the config-ip-route context. You access this context from the main CLI context by issuing the configure ip route (IPv6 and IPv4) command.

Restrictions
Default Privilege Level: 15

Example
The following command creates a static IP route for packets passing through the Virtual Network Devices (VNDs) that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the config-ip-route context in which you can configure the specified static IP route:
CBS# configure ip route 2.2.2.0/24 192.213.212.111 vap-group testvapgroup circuit testcct
CBS(config-ip-route)#

The following command directs the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup to send an ARP request to 192.213.212.111 before sending a packet to that next-hop IP address. If an ARP request fails, XOS increases the metric value of the above IP route; if other IP routes are defined for the destination network, 2.2.2.0/24, the members of testvapgroup will use those alternate routes to send traffic to the destination network.
CBS(config-ip-route)# verify-next-hop
CBS(config-ip-route)#
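Added example (not part of the XOS documentation or Crossbeam software): a Python model of the selection rules stated in the metric and verify-next-hop descriptions above, namely most matching bits first, lowest metric second, and a raised metric when a verified next hop does not answer ARP. The size of the metric increase is not given on this page, so ARP_FAIL_PENALTY is an assumption, and the backup, wider and default routes in the sample table are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the page says XOS "increases the metric value" when the ARP
# request fails, but not by how much. This model adds a penalty larger than
# any configurable metric (IPv4 1-255, IPv6 257-511).
ARP_FAIL_PENALTY = 1000

@dataclass(frozen=True)
class Route:
    network: str               # destination network in CIDR notation
    next_hop: str
    metric: int = 0
    verify_next_hop: bool = False

def effective_metric(route, arp_reachable):
    """Configured metric, raised when a verified next hop does not answer ARP."""
    if route.verify_next_hop and route.next_hop not in arp_reachable:
        return route.metric + ARP_FAIL_PENALTY
    return route.metric

def select_route(dest, static_routes, default_routes, arp_reachable):
    """Return the route used for dest under the rules as this page states them.

    arp_reachable is the set of next-hop addresses that answer ARP; it stands
    in for the live probe that verify-next-hop performs.
    """
    addr = ipaddress.ip_address(dest)
    matches = []
    for route in static_routes:
        net = ipaddress.ip_network(route.network, strict=False)
        if net.version == addr.version and addr in net:
            matches.append((net.prefixlen, route))
    if matches:
        # Most matching bits wins; the metric only breaks ties at that length.
        longest = max(plen for plen, _ in matches)
        candidates = [r for plen, r in matches if plen == longest]
    else:
        # No static route applies, so fall back to the default routes.
        candidates = [r for r in default_routes
                      if ipaddress.ip_address(r.next_hop).version == addr.version]
    if not candidates:
        return None
    return min(candidates, key=lambda r: effective_metric(r, arp_reachable))

# Constructed sample table. PRIMARY is the page's example route (metric 10,
# verify-next-hop); the other entries are made up for the demonstration.
PRIMARY = Route("2.2.2.0/24", "192.213.212.111", metric=10, verify_next_hop=True)
BACKUP = Route("2.2.2.0/24", "192.213.212.112", metric=20)
WIDER = Route("2.2.0.0/16", "192.213.212.113", metric=1)
DEFAULT = Route("0.0.0.0/0", "10.10.100.1", metric=15)
ALL_UP = {"192.213.212.111", "192.213.212.112", "192.213.212.113", "10.10.100.1"}

if __name__ == "__main__":
    down = ALL_UP - {"192.213.212.111"}
    print(select_route("2.2.2.9", [PRIMARY, BACKUP, WIDER], [DEFAULT], ALL_UP).next_hop)
    print(select_route("2.2.2.9", [PRIMARY, BACKUP, WIDER], [DEFAULT], down).next_hop)
    # Without a backup for the same destination network, the /24 is still chosen.
    print(select_route("2.2.2.9", [PRIMARY, WIDER], [DEFAULT], down).next_hop)
```

In this model a failed next hop only shifts traffic to another route defined for the same destination network; a route for a wider network does not take over, because prefix length is compared before the metric.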

configure ip default-network (IPv6 and IPv4)


Defines a default IP route (also called a default gateway) for VAP group traffic and places you in the conf-ip-default-network context in which you can configure the specified default IP route. VAPs must use the default IP route for a packet when they are unable to assign a single user-defined static IP route to that packet.

NOTE: This command defines a default IP route for VAP group traffic only. This command does not define a default IP route for X-Series Platform management traffic. To define a default IP route for X-Series Platform management traffic, use the configure management default-gateway command.

By default, a user-defined default IP route applies to all traffic passing between the members of the VAP groups configured on the X-Series Platform and the external networks connected to the physical interfaces on the Network Processor Modules (NPMs). You can use the following parameters to apply a default IP route only to specific VAP group interfaces:
circuit: Applies the default IP route only to traffic passing through the specified circuit.
vap-group: Applies the default IP route only to traffic passing through the specified VAP group.

Optionally, you can use the description parameter to append a description to a default IP route.

Use the configure no ip default-network command to delete the specified default IP route.

Use the show ip default-network command to display the default IP routes configured on the X-Series Platform.

Syntax
configure ip default-network <next_hop_IP_address> [circuit <circuit_name>] [vap-group <VAP_group_name>] [description <description>]
configure no ip default-network <next_hop_IP_address>

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the conf-ip-default-network context in which you can configure the specified default IP route. You can access the following commands from this context:
metric (conf-ip-default-network context) on page 458
verify-next-hop (conf-ip-default-network context) on page 459

Parameters
The following table lists the parameters used with this command.

Parameter: <next_hop_IP_address>
Description: Next hop IP address that you want to use for the default IP route that you are configuring.

Parameter: circuit <circuit_name>
Description: Configures the default IP route to apply only to traffic passing through the specified circuit.

Parameter: vap-group <VAP_group_name>
Description: Configures the default IP route to apply only to traffic passing through the specified VAP group.

Parameter: description <description>
Description: Creates a textual description and associates that description with the next-hop IP address for the default IP route that you have defined. You can use this description to help you identify the next-hop IP address in the list of default IP routes displayed when you issue the show ip default-network command.

Restrictions
Default Privilege Level: 15

Example
The following command creates a default IP route for packets passing through the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the conf-ip-default-network context in which you can configure the specified default IP route:

IPv4
CBS# configure ip default-network 10.10.100.1 vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#

IPv6
CBS# configure ip default-network fd00:1230:4545:213:145:f800:ba21:25fa vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#

metric (conf-ip-default-network context)


Assigns the specified metric value to the default IP route that you are configuring. When multiple default IP routes apply to a single packet, the packet uses the default IP route with the lowest metric value. The default metric value is 0. Use the no metric command to restore this default setting for the default IP route that you are configuring.

Syntax
metric <metric_value>
no metric

Context
You access this command from the conf-ip-default-network context. You access this context from the main CLI context by issuing the configure ip default-network (IPv6 and IPv4) command.

Parameters
The following table lists the parameters used with this command.

Parameter: <metric_value>
Description: Metric value that you want to assign to the static IP route that you are configuring. Valid values are:
  IPv4: 1 to 255, inclusive, with a default of 0 (zero)
  IPv6: 257 to 511, inclusive with a default value of 256

Restrictions
Default Privilege Level: 15

Example
The following command creates a default IP route for packets passing through the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the conf-ip-default-network context in which you can configure the specified default IP route:

IPv4
CBS# configure ip default-network 10.10.100.1 vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#

IPv6
CBS# configure ip default-network fd00:1230:4545:213:145:f800:ba21:25fa vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#

The following command assigns the metric value 15 to the above default IP route:
CBS(conf-ip-default-network)# metric 15
CBS(conf-ip-default-network)#

verify-next-hop (conf-ip-default-network context)


Directs each VAP that belongs to a VAP group configured on the X-Series Platform to send an ARP request to the next-hop IP address for the default IP route that you are configuring before sending a packet to that next-hop IP address. If an ARP request fails, XOS increases the metric value of the IP route; if other IP routes are defined for the same destination network, the VAPs will use those alternate routes to send traffic to the destination network. By default, when you configure a default IP route using the configure ip default-network (IPv6 and IPv4) command, VAPs do not test their connections to the host whose IP address is configured as the next-hop IP address for the default IP route. Use the no parameter to restore this default behavior.

Syntax
[no] verify-next-hop

Context
You access this command from the conf-ip-default-network context. You access this context from the main CLI context by issuing the configure ip default-network (IPv6 and IPv4) command.

Restrictions
Default Privilege Level: 15

Example
The following command creates a default IP route for packets passing through the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the conf-ip-default-network context in which you can configure the specified default IP route:

IPv4
CBS# configure ip default-network 10.10.100.1 vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#

IPv6
CBS# configure ip default-network fd00:1230:4545:213:145:f800:ba21:25fa vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#

The following command directs the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup to send an ARP request to 10.10.100.1 before sending a packet to that next-hop IP address. If an ARP request fails, XOS increases the metric value of the above IP route; if other default IP routes are defined, the members of testvapgroup will use those alternate default IP routes.
CBS(conf-ip-default-network)# verify-next-hop
CBS(conf-ip-default-network)#

configure arp
When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

The configure arp command adds a new static Address Resolution Protocol (ARP) entry or configures an existing static ARP entry in the ARP cache that the X-Series Platform uses to resolve MAC addresses for IP packets destined for the members of a VAP group.

By default, an NPM can apply a static ARP entry to any packet passing between the members of a VAP group and a physical interface on an NPM. You can use the following parameters to apply a static ARP entry only to packets destined for specific VAP group interfaces:
domain: Applies the static ARP entry only to packets destined for the VNDs that XOS creates for the circuits that belong to the specified domain. Use the show circuit command to display the domain ID assigned to each circuit configured on the X-Series Platform. By default, all circuits belong to domain 1. Use the configure circuit command to assign a circuit to a different domain.
circuit: Applies the static ARP entry only to packets destined for the VNDs that XOS creates for the specified circuit.
vap-group: Applies the static ARP entry only to packets destined for the circuit VNDs that XOS creates on the specified VAP group.

Use the configure no arp command to delete the specified static ARP entry from the ARP cache.

Use the show arp command to display the static ARP entries currently stored in the ARP cache on the X-Series Platform.

Syntax
configure arp <IP_address> <MAC_address> [domain <domain_ID>] [vap-group <VAP_group_name>] [circuit <circuit_name>]
configure no arp <IP_address> <MAC_address>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <IP_address>
Description: Destination IP address for the static ARP entry that you are configuring.

Parameter: <MAC_address>
Description: Destination MAC address for the static ARP entry that you are configuring. The NPM assigns this destination MAC address to each packet whose destination IP address matches the one that you define in the ARP entry. NOTE: You cannot specify a MAC address that contains only 0s or only fs.

Parameter: domain <domain_ID>
Description: Configures the specified static ARP entry to apply only to packets destined for the VNDs that XOS creates for the circuits that belong to the specified domain. Valid values for <domain_ID> are from 1 to 4095. Default value is 1. Use the show circuit command to display the domain ID assigned to each circuit configured on the X-Series Platform. By default, all circuits belong to domain 1. Use the configure circuit command to assign a circuit to a different domain.

Parameter: vap-group <VAP_group_name>
Description: Configures the specified static ARP entry to apply only to packets destined for the circuit VNDs that XOS creates on the specified VAP group.

Parameter: circuit <circuit_name>
Description: Configures the specified static ARP entry to apply only to packets destined for the VNDs that XOS creates for the specified circuit.

Restrictions
Default Privilege Level: 15
An ARP entry cannot include a MAC address that contains only 0s (0:0:0:0:0:0) or only fs (ff:ff:ff:ff:ff:ff).

Example
The following command configures a new static ARP entry that maps the IP address 1.1.2.20 to the MAC address 00:03:d2:00:02:0d. This command also configures the new ARP entry to apply only to packets destined for VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:

CBS# configure arp 1.1.2.20 00:03:d2:00:02:0d vap-group testvapgroup circuit testcct
CBS#

configure neighbor-discovery (IPv6)


When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces. The configure neighbor-discovery command adds a new static entry or configures an existing static entry in the neighbor-discovery cache that the X-Series Platform uses to resolve MAC addresses for IP packets destined for the members of a VAP group. By default, an NPM can apply a neighbor-discovery static entry to any packet passing between the members of a VAP group and a physical interface on an NPM.


Syntax
configure neighbor-discovery <IP_address> <MAC_address> [domain <domain_ID>] [vap-group <VAP_group_name>] [circuit <circuit_name>]
configure no neighbor-discovery <IP_address> <MAC_address>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <IP_address>
Description: Destination IP address for the static neighbor-discovery entry that you are configuring.

Parameter: <MAC_address>
Description: Destination MAC address for the static neighbor-discovery entry that you are configuring. The NPM assigns this destination MAC address to each packet whose destination IP address matches the one that you define in the ARP entry. NOTE: You cannot specify a MAC address that contains only 0s or only fs.

Parameter: domain <domain_ID>
Description: Configures the specified static neighbor-discovery entry to apply only to packets destined for the VNDs that XOS creates for the circuits that belong to the specified domain. Valid values for <domain_ID> are from 1 to 4095. Default value is 1. Use the show circuit command to display the domain ID assigned to each circuit configured on the X-Series Platform. By default, all circuits belong to domain 1. Use the configure circuit command to assign a circuit to a different domain.

Parameter: vap-group <VAP_group_name>
Description: Configures the specified static neighbor-discovery entry to apply only to packets destined for the specified VAP group.

Parameter: circuit <circuit_name>
Description: Configures the specified static neighbor-discovery entry to apply only to packets destined for the specified circuit.

Restrictions
Default Privilege Level: 15
A neighbor entry cannot include a MAC address that contains only 0s (0:0:0:0:0:0) or only fs (ff:ff:ff:ff:ff:ff).

Example
The following command configures a new static neighbor entry that maps the IP address fd00::330:f3cb:fb31:56ab to the MAC address 00:03:d2:00:02:0d. This command also configures the new neighbor entry to apply only to packets destined for VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:

CBS# configure neighbor-discovery fd00::330:f3cb:fb31:56ab 00:03:d2:00:02:0d vap-group testvapgroup circuit testcct
CBS#
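The restrictions on static ARP and neighbor-discovery entries described above can be checked before commands are entered on the platform. The following Python script is an added example, not part of the XOS guide or of Crossbeam software; the function names, the finding labels, the assumption that arp entries carry IPv4 addresses and neighbor-discovery entries carry IPv6 addresses, and the sample lines are all constructed for illustration.

```python
import ipaddress
import re

# One or two hex digits per octet, as in 00:03:d2:00:02:0d and 0:0:0:0:0:0.
MAC_RE = re.compile(r"[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5}")
# Assumption: arp entries use IPv4 addresses, neighbor-discovery entries IPv6.
IP_VERSION = {"arp": 4, "neighbor-discovery": 6}
SCOPE_KEYS = ("domain", "vap-group", "circuit")


def parse_static_entry(line):
    """Parse one 'configure arp' or 'configure neighbor-discovery' line."""
    tokens = line.split()
    if tokens and tokens[0].endswith("#"):  # drop a CLI prompt such as 'CBS#'
        tokens = tokens[1:]
    if len(tokens) < 4 or tokens[0] != "configure" or tokens[1] not in IP_VERSION:
        raise ValueError("not a static ARP/neighbor-discovery command: %r" % line)
    entry = {"kind": tokens[1], "ip": tokens[2], "mac": tokens[3]}
    entry.update(dict.fromkeys(SCOPE_KEYS))  # all scope options start unset
    options = tokens[4:]
    if len(options) % 2:
        raise ValueError("option without a value: %r" % line)
    for key, value in zip(options[::2], options[1::2]):
        if key not in SCOPE_KEYS:
            raise ValueError("unknown option %r in %r" % (key, line))
        entry[key] = value
    return entry


def check_static_entry(entry):
    """Return a list of finding labels for one parsed entry (empty if clean)."""
    findings = []
    try:
        if ipaddress.ip_address(entry["ip"]).version != IP_VERSION[entry["kind"]]:
            findings.append("address-family")
    except ValueError:
        findings.append("bad-ip")
    if not MAC_RE.fullmatch(entry["mac"]):
        findings.append("bad-mac")
    else:
        octets = {int(octet, 16) for octet in entry["mac"].split(":")}
        if octets in ({0x00}, {0xFF}):  # only 0s or only fs is not allowed
            findings.append("reserved-mac")
    domain = entry["domain"]
    if domain is not None and not (domain.isdecimal() and 1 <= int(domain) <= 4095):
        findings.append("domain-range")
    # No domain, vap-group or circuit: the entry can apply to any packet
    # passing between the VAP group members and a physical interface.
    if not any(entry[key] for key in SCOPE_KEYS):
        findings.append("unscoped")
    return findings


def audit(lines):
    """Map each command line to its findings."""
    return {line: check_static_entry(parse_static_entry(line)) for line in lines}


# Constructed sample input: the first line is the guide's own example,
# the others are made up to trigger each check.
SAMPLE = [
    "CBS# configure arp 1.1.2.20 00:03:d2:00:02:0d vap-group testvapgroup circuit testcct",
    "configure arp 1.1.2.21 ff:ff:ff:ff:ff:ff",
    "configure neighbor-discovery fd00::330:f3cb:fb31:56ab 0:0:0:0:0:0 domain 4096",
    "configure neighbor-discovery 1.1.2.20 00:03:d2:00:02:0d circuit testcct",
]

if __name__ == "__main__":
    for line, findings in audit(SAMPLE).items():
        print(", ".join(findings) or "ok", "<-", line)
```

The "unscoped" label is a review flag rather than an error: such an entry is valid, but it is not limited to a domain, VAP group or circuit.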

configure ipv6-tunnel (IPv6)


This command configures tunnels for passing IPv6 traffic.
NOTE: To create an ISATAP IPv6 tunnel with this command you must have the Routing Software (RSW) 8.0 installed.

Syntax
configure ipv6-tunnel {6to4 | gre | ipv6ip | isatap} circuit <circuit_name> vap-group <VAP_group_name>
configure no ipv6-tunnel {6to4 | gre | ipv6ip | isatap} circuit <circuit_name> vap-group <VAP_group_name>

NOTE: Both 6to4 and isatap IPv6 tunnels provide automatic detection of next hop IPv6 addresses. When configuring these tunnels, you need to provide only the source address.

Contexts and Subcommands


You enter this command from the main CLI context. This command places you in the conf-tunnel-<tunnel_type> context in which you can configure the specified tunnel. You can access the following commands from this context:
- path-mtu-discovery (conf-tunnel-<tunnel_type> context)
- source-address (conf-tunnel-<tunnel_type> context)
- time-to-live (conf-tunnel-<tunnel_type> context)

Parameters
The following table lists the parameters used with this command.

Parameter: 6to4 | gre | ipv6ip | isatap
Description:
- 6to4: Specifies IPv6 automatic tunneling.
- gre: Uses Generic Routing Encapsulation (GRE) protocol.
- ipv6ip: Uses IPv6 over IPv4 encapsulation protocol.
- isatap: Uses Intra-Site Automatic Tunnel Addressing Protocol (ISATAP). NOTE: An isatap tunnel can be configured in the CLI but the user must also configure the RSW software (NSM) to perform router advertisements.

Parameter: circuit <circuit_name>
Description: Associates the tunnel with the specified circuit.

Parameter: vap-group <VAP_group_name>
Description: Associates the tunnel with the specified VAP group.


Restrictions
Default Privilege Level: 15

Examples
This example creates an IPv6 6to4 tunnel and associates it with vap-group vg1.

CBS#
CBS# configure circuit tun1
CBS(conf-cct)# vap-group vg1
CBS(conf-cct-vapgroup)# ip 2002:c0a8:022a::1/48
%WARNING: IPv6 primary address was configured. No IPv4 aliases will be allowed for this circuit
CBS(conf-cct-vapgroup-ip)# end
CBS#
CBS# configure circuit tunb
CBS(conf-cct)# vap-group vg1
CBS(conf-cct-vapgroup)# ip 192.168.2.42/24
CBS(conf-cct-vapgroup-ip)# end
CBS# configure ipv6-tunnel 6to4 circuit tun1 vap-group vg1
CBS(conf-tunnel-6to4)# source-address 192.168.2.42
CBS(conf-tunnel-6to4)#

NOTE: There are two requirements for 6to4 tunnels:
- The IPv6 address for circuit tun1 must begin with 2002:.
- In the IP address of the tun1 circuit (2002:c0a8:022a::1/48), the second and third fields must be hexadecimal conversions of the IPv4 address of the tunb circuit (192.168.2.42/24). In this example:
  c0 corresponds to 192
  a8 corresponds to 168
  02 corresponds to 2
  2a corresponds to 42
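The two 6to4 requirements in the NOTE above can be verified mechanically before the tunnel is configured. The following Python script is an added example, not part of the XOS guide; the function names are hypothetical, and the addresses in the usage section are the ones from the guide's example.

```python
import ipaddress

# Every 6to4 address falls inside 2002::/16.
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def hex_fields(ipv4):
    """Return the second and third IPv6 fields for an IPv4 address.

    Each IPv4 octet becomes two hexadecimal digits, so 192.168.2.42
    becomes 'c0a8:022a'.
    """
    a, b, c, d = ipaddress.IPv4Address(ipv4).packed
    return "%02x%02x:%02x%02x" % (a, b, c, d)


def sixtofour_prefix(ipv4):
    """Return the 2002:<ipv4-in-hex>::/48 prefix for an IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # Bits 127-112 hold 0x2002, bits 111-80 hold the 32-bit IPv4 address.
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def check_6to4(tunnel_circuit_ip, source_address):
    """Check a tunnel circuit address against the tunnel source address.

    tunnel_circuit_ip: IPv6 address of the tunnel circuit, with prefix
                       length, for example '2002:c0a8:022a::1/48'.
    source_address:    IPv4 source address, with or without a prefix
                       length, for example '192.168.2.42'.
    Returns a list of problems; an empty list means both requirements hold.
    """
    iface = ipaddress.IPv6Interface(tunnel_circuit_ip)
    source = ipaddress.IPv4Interface(source_address).ip
    if iface.ip not in SIX_TO_FOUR:
        return ["%s does not begin with 2002:" % iface.ip]
    embedded = ipaddress.IPv4Address((int(iface.ip) >> 80) & 0xFFFFFFFF)
    if embedded != source:
        return [
            "fields 2-3 encode %s but the source address is %s (expected prefix %s)"
            % (embedded, source, sixtofour_prefix(str(source)))
        ]
    return []


if __name__ == "__main__":
    print(hex_fields("192.168.2.42"))
    print(sixtofour_prefix("192.168.2.42"))
    print(check_6to4("2002:c0a8:022a::1/48", "192.168.2.42") or "ok")
    print(check_6to4("2002:c0a8:022b::1/48", "192.168.2.42"))
```

Python prints the prefix in compressed form, so the 022a field from the guide appears as 22a.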

path-mtu-discovery (conf-tunnel-<tunnel_type> context)


Enables the tunnel to discover the Maximum Transmission Unit (MTU) for the path defined by the tunnel end points.

Syntax
[no] path-mtu-discovery

Context
You access this command from the conf-tunnel-<tunnel_type> context. You access this context from the main CLI context by issuing the configure ipv6-tunnel (IPv6) command.

Restrictions
Default Privilege Level: 15


source-address (conf-tunnel-<tunnel_type> context)


Specifies the source end point address of the tunnel. If you are configuring a gre or ipv6ip tunnel, you must also specify a destination address.

Syntax
[no] source-address <source_address> [destination-address <destination_address>]

Context
You access this command from the conf-tunnel-<tunnel_type> context. You access this context from the main CLI context by issuing the configure ipv6-tunnel (IPv6) command.

Parameters
The following table lists the parameters used with this command.

Parameter: destination-address <destination_address>
Description: Specifies the other end point address of the tunnel. NOTE: Does not apply to 6to4 or ISATAP tunnels.

Restrictions
Default Privilege Level: 15

time-to-live (conf-tunnel-<tunnel_type> context)


Specifies the time-to-live (in seconds) for traffic that is traversing the tunnel. If a packet is not answered within this time, the destination is considered unreachable. Valid values are 0 to 256. Default is 64.

Syntax
[no] time-to-live

Context
You access this command from the conf-tunnel-<tunnel_type> context. You access this context from the main CLI context by issuing the configure ipv6-tunnel (IPv6) command.

Restrictions
Default Privilege Level: 15


Commands for Configuring Physical and Logical Interfaces for a VAP Group
This section describes the CLI commands that you can use to create and configure logical and physical interfaces for a VAP group. This section contains the following command descriptions:
- configure interface
- logical (conf-intf-gig or conf-intf-10gig context)
- circuit (intf-gig-logical or intf-10gig-logical context)
- show (intf-gig-logical or intf-10gig-logical context)
- logical-all (conf-intf-gig or conf-intf-10gig context)
- circuit (intf-gig-logical-all or intf-10gig-logical-all context)
- standby-only (conf-intf-gig or conf-intf-10gig context)
- pause-frame (conf-intf-gig or conf-intf-10gig context)
- auto-negotiate (conf-intf-gig context)
- duplex-mode (conf-intf-gig context)
- media-speed (conf-intf-gig context)
- enable (conf-intf-gig or conf-intf-10gig context)
- show (conf-intf-gig or conf-intf-10gig context)
- configure interface-internal
- logical (conf-intf-internal context)
- logical-all (conf-intf-internal context)
- circuit (conf-intf-internal-log or conf-intf-internal-log-all context)
- configure group-interface
- mode (conf-group-intf context)
- interface-type (conf-group-intf context)
- pause-frame (conf-grp-intf-gig or conf-grp-intf-10gig context)
- auto-negotiate (conf-grp-intf-gig context)
- duplex-mode (conf-grp-intf-gig context)
- media-speed (conf-grp-intf-gig context)
- interface (conf-group-intf context)
- enable (conf-grp-intf-intf context)
- logical (conf-group-intf context)
- circuit (conf-group-intf-logical context)
- show (conf-group-intf context)
- configure acl-interface
- direction (conf-acl-intf context)
- vlan (conf-acl-intf context)
- ether-type (conf-acl-intf context)
- source-mac (conf-acl-intf context)
- destination-mac (conf-acl-intf context)
- configure redundancy-interface
- failovermode (conf-intf-redun context)


configure interface
When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

The configure interface command configures a single Ethernet port on a Network Processor Module (NPM) to pass traffic between the X-Series Platform and an external network. This command also places you in the CLI context in which you can configure settings for the specified Ethernet interface, and create and configure one or more logical interfaces for the specified Ethernet interface.

NOTE: An NPM uses logical interfaces to identify the circuit VNDs that send and receive traffic over a specific physical interface. See the following sections for more information about configuring a logical interface to create a logical link between a circuit's VNDs and a physical interface on an NPM:
- logical (conf-intf-gig or conf-intf-10gig context)
- logical-all (conf-intf-gig or conf-intf-10gig context)

Use the no parameter to delete the XOS configuration for the specified Ethernet interface. Use the show (conf-intf-gig or conf-intf-10gig context) command to display the current configuration settings for the Ethernet interface that you are configuring.

Syntax
configure [no] interface {gigabitethernet | 10gigabitethernet} <slot>/<port>

Contexts and Subcommands


You access this command from the main CLI context.

The configure interface gigabitethernet command places you in the conf-intf-gig context, in which you can configure settings for the specified Gigabit Ethernet interface, and create and configure one or more logical interfaces for that Gigabit Ethernet interface.

The configure interface 10gigabitethernet command places you in the conf-intf-10gig context, in which you can configure settings for the specified 10 Gigabit Ethernet interface, and create and configure one or more logical interfaces for that 10 Gigabit Ethernet interface.

You can access the following commands only from the conf-intf-gig context:
- auto-negotiate (conf-intf-gig context)
- duplex-mode (conf-intf-gig context)
- media-speed (conf-intf-gig context)

You can access the following commands from either the conf-intf-gig context or the conf-intf-10gig context:
- logical (conf-intf-gig or conf-intf-10gig context)
- logical-all (conf-intf-gig or conf-intf-10gig context)
- standby-only (conf-intf-gig or conf-intf-10gig context)
- pause-frame (conf-intf-gig or conf-intf-10gig context)
- enable (conf-intf-gig or conf-intf-10gig context)
- show (conf-intf-gig or conf-intf-10gig context)


Inline Commands
The following table lists the CLI commands used inline with the configure interface command.

Command: gigabitethernet
Description: Configures a Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.

Command: 10gigabitethernet
Description: Configures a 10 Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.

Parameters
The following table lists the parameters used with this command.

Parameter: <slot>
Description: Chassis slot number assigned to the NPM on which you want to configure an Ethernet port to pass traffic between the X-Series Platform and an external network.

Parameter: <port>
Description: NPM port number assigned to the Ethernet interface that you want to configure. NOTE: On an NPM-86x0, only ports 11 and 12 are 10 Gigabit Ethernet interfaces. All other NPM ports are Gigabit Ethernet ports.

Restrictions
Default Privilege Level: 15

Example
The following command configures 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#


logical (conf-intf-gig or conf-intf-10gig context)


When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

The logical command creates and configures a new logical interface or configures the specified existing logical interface for the physical interface that you are configuring. This command also places you in the intf-gig-logical or intf-10gig-logical context in which you can map a circuit to the specified logical interface.

When you map a circuit to a logical interface, you create a logical link between that circuit's VNDs and the physical interface that you are configuring. A Network Processor Module (NPM) uses logical interface mapping to identify the VNDs that send and receive traffic over each of its physical interfaces.

NOTE: You can map only one circuit to each logical interface. However, you can map multiple logical interfaces to the same physical interface. See circuit (intf-gig-logical or intf-10gig-logical context) on page 471 for more information about mapping a circuit to a logical interface configured with the logical command.

When one or more VLANs are connected to a physical interface configured on an NPM, the NPM uses logical interface mapping to identify the VNDs that send and receive traffic over those VLANs. By default, a logical interface does not provide a logical link between a VLAN and a circuit's VNDs. This means that by default, a circuit passes only untagged traffic arriving on a physical interface.

You can use the ingress-vlan-tag parameter to configure a logical interface to create a logical link between a circuit's VNDs and one or more VLANs. Specify this parameter with a single VLAN tag to enable the circuit's VNDs to accept only packets with the specified VLAN tag. Specify this parameter with a range of VLAN tags to enable the circuit's VNDs to accept only packets whose VLAN tags are within the specified range.

You can configure multiple logical interfaces with the ingress-vlan-tag parameter to provide a VAP group with a separate virtualized Ethernet connection for each VLAN connected to the physical interface. To do this, you configure a separate logical interface for each VLAN, and then map one of the VAP group's circuits to each VLAN-tagged logical interface.

NOTE: A single physical interface cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.

You can use the logical-all command to configure a logical interface to enable a circuit's VNDs to accept all tagged and untagged packets. (See logical-all (conf-intf-gig or conf-intf-10gig context) on page 475 for more information about this command.)

After you configure a logical interface, you cannot change its VLAN tag configuration. Instead, you must delete the existing logical interface and recreate it with the desired VLAN tag configuration.

Use the no logical command to delete the specified logical interface from the physical interface that you are configuring. Use the show (intf-gig-logical or intf-10gig-logical context) on page 473 command to display the current configuration settings for the logical interface that you are configuring.


Syntax
logical <logical_name> [ingress-vlan-tag {<VLAN_ID> | <lowest_VLAN_ID> <highest_VLAN_ID>}]
no logical <logical_name>

Contexts and Subcommands


You access this command from the conf-intf-gig or conf-intf-10gig context. You can access either of these contexts by issuing the configure interface command.

This command places you in either the intf-gig-logical or intf-10gig-logical context, in which you can map a circuit to the logical interface that you are configuring. You can access the following commands from the intf-gig-logical or intf-10gig-logical context:
- circuit (intf-gig-logical or intf-10gig-logical context)
- show (intf-gig-logical or intf-10gig-logical context)

Parameters
The following table lists the parameters used with this command.

Parameter: <logical_name>
Description: Name assigned to the logical interface that you wish to create, configure, or delete.

Parameter: ingress-vlan-tag {<VLAN_ID> | <lowest_VLAN_ID> <highest_VLAN_ID>}
Description: Configures the logical interface to create a logical link between a circuit's VNDs and either a single VLAN or a range of VLANs. Specify a single VLAN tag, <VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets with the specified VLAN tag. Specify this parameter with a range of VLAN tags, <lowest_VLAN_ID> <highest_VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets whose VLAN tags are within the specified range. Valid values for <VLAN_ID>, <lowest_VLAN_ID>, and <highest_VLAN_ID> are from 0 to 4094. NOTE: A single physical interface cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.

Restrictions
Default Privilege Level: 15

A single physical interface cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.

An interface redundancy configuration consists of one backup interface and one or more master interfaces that use the backup interface. Multiple interfaces participating in the same interface redundancy configuration cannot be configured to pass traffic in the same broadcast domain. Therefore, in an interface redundancy configuration:
- Only one interface can have logical interfaces configured to enable circuits to accept untagged packets.
- Multiple interfaces cannot have logical interfaces configured with the same VLAN tag or with overlapping VLAN tag ranges.

NOTE: Logical interfaces that are not configured with the ingress-vlan-tag parameter are assigned to the VLAN tag range, 0-0.
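The overlap restrictions above can be checked against a planned configuration before any logical interface is created. The following Python script is an added example, not part of the XOS guide; the data layout, the function names, and every interface and logical interface name other than 1/12 and testlogical are constructed for illustration. It assumes that the 0-0 range assigned to untagged logical interfaces is compared in the same way as any other range.

```python
from itertools import combinations

VLAN_MIN, VLAN_MAX = 0, 4094  # valid values for ingress-vlan-tag


def tag_range(tags):
    """Normalise a logical interface's tag setting to a (lowest, highest) pair.

    tags is None (no ingress-vlan-tag), a single VLAN ID, or a
    (lowest, highest) tuple.
    """
    if tags is None:
        return (0, 0)  # untagged logical interfaces are assigned range 0-0
    lowest, highest = (tags, tags) if isinstance(tags, int) else tags
    if not VLAN_MIN <= lowest <= highest <= VLAN_MAX:
        raise ValueError("invalid VLAN tag range: %r" % (tags,))
    return (lowest, highest)


def overlaps(first, second):
    """True if two inclusive (lowest, highest) ranges share any VLAN ID."""
    return first[0] <= second[1] and second[0] <= first[1]


def find_conflicts(interfaces, redundancy_groups=()):
    """Return (port, logical, port, logical) tuples for every overlap.

    interfaces:        {"<slot>/<port>": [(logical_name, tags), ...]}
    redundancy_groups: iterable of sets of ports that participate in the
                       same interface redundancy configuration.
    """
    conflicts = []
    # Rule 1: no overlapping ranges on a single physical interface.
    for port, logicals in interfaces.items():
        for (name_a, tags_a), (name_b, tags_b) in combinations(logicals, 2):
            if overlaps(tag_range(tags_a), tag_range(tags_b)):
                conflicts.append((port, name_a, port, name_b))
    # Rule 2: no overlapping ranges across interfaces in one redundancy
    # configuration; two untagged logical interfaces collide as 0-0.
    for group in redundancy_groups:
        for port_a, port_b in combinations(sorted(group), 2):
            for name_a, tags_a in interfaces.get(port_a, []):
                for name_b, tags_b in interfaces.get(port_b, []):
                    if overlaps(tag_range(tags_a), tag_range(tags_b)):
                        conflicts.append((port_a, name_a, port_b, name_b))
    return conflicts


# Constructed sample plan.
PLAN = {
    "1/12": [("testlogical", 1660), ("mgmt", (100, 199))],
    "1/11": [("dmz", (150, 160)), ("plain", None)],
    "2/1": [("untagged", None), ("lab", (1000, 2000)), ("lab2", 1500)],
}
REDUNDANCY = [{"1/12", "1/11"}]

if __name__ == "__main__":
    for port_a, name_a, port_b, name_b in find_conflicts(PLAN, REDUNDANCY):
        print("overlap: %s %s <-> %s %s" % (port_a, name_a, port_b, name_b))
```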

Example
The following command configures 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#

The following command configures a logical interface for the above physical interface, and configures that logical interface to create a link between a circuit's VNDs and the VLAN with the ID number 1660, which is connected to the physical interface. This command also places you in the intf-10gig-logical context in which you can map a circuit to the new logical interface (called testlogical).

CBS(conf-intf-10gig)# logical testlogical ingress-vlan-tag 1660
CBS(intf-10gig-logical)#

A circuit mapped to the logical interface called testlogical can accept packets arriving on 10 Gigabit Ethernet interface 1/12 only if those packets have the VLAN tag, 1660.

circuit (intf-gig-logical or intf-10gig-logical context)


When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

When you map a circuit to a logical interface, you create a logical link between that circuit's VNDs and the physical interface that you are configuring. A Network Processor Module (NPM) uses logical interface mapping to identify the VNDs that send and receive traffic over each of its physical interfaces. When one or more VLANs are connected to a physical interface configured on an NPM, the NPM uses logical interface mapping to identify the VNDs that send and receive traffic over those VLANs.

NOTE: See logical (conf-intf-gig or conf-intf-10gig context) on page 469 for more information about configuring a logical interface to create a logical link between a circuit's VNDs and one or more specific VLANs. See logical-all (conf-intf-gig or conf-intf-10gig context) on page 475 for more information about configuring a logical interface to create a logical link between a circuit's VNDs and all VLANs connected to the physical interface that you are configuring.

The circuit command maps the specified circuit to the logical interface that you have just configured with the logical command.

NOTE: You can map only one circuit to each logical interface. However, you can map multiple logical interfaces to the same physical interface.


Use the no parameter to remove the specified circuit from the logical interface that you are configuring.

Syntax
[no] circuit <circuit_name>

Contexts
You access this command from either the intf-gig-logical context or the intf-10gig-logical context.

You access the intf-gig-logical context from the main CLI context, as follows:
1. Issue the gigabitethernet command inline with the configure interface command to configure a Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified Gigabit Ethernet interface.

You access the intf-10gig-logical context from the main CLI context, as follows:
1. Issue the 10gigabitethernet command inline with the configure interface command to configure a 10 Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified 10 Gigabit Ethernet interface.

Parameters
The following table lists the parameters used with this command.

Parameter: <circuit_name>
Description: Name of the circuit that you wish to map to the logical interface that you are configuring. Use the show circuit command to display all current circuit configurations.

Restrictions
Default Privilege Level: 15

A circuit can be assigned to only one logical interface.

NOTE: You can map multiple logical interfaces to the same physical interface, allowing multiple circuits to pass traffic over a single physical interface. You can also use link aggregation to bond multiple physical interfaces to a single logical interface, allowing one circuit to pass traffic over multiple physical interfaces.

Example
The following command configures 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#

The following command configures a logical interface for the above physical interface, and configures that logical interface to create a link between a circuit's VNDs and the VLAN with the ID number 1660, which is connected to the physical interface. This command also places you in the intf-10gig-logical context in which you can map a circuit to the new logical interface (called testlogical).

CBS(conf-intf-10gig)# logical testlogical ingress-vlan-tag 1660
CBS(intf-10gig-logical)#

The following command maps the circuit called testvlan1660 to the logical interface called testlogical on 10 Gigabit Ethernet interface 1/12:

CBS(intf-10gig-logical)# circuit testvlan1660
CBS(intf-10gig-logical)#

The circuit called testvlan1660 is mapped to the VAP group called testvapgroup. The VNDs that XOS creates for the circuit called testvlan1660 on the VAP group called testvapgroup will process traffic arriving on 10 Gigabit Ethernet interface 1/12 from VLAN 1660.

show (intf-gig-logical or intf-10gig-logical context)


Displays the current configuration settings and circuit mapping for the logical interface that you are configuring.

Syntax
show

Contexts
You access this command from either the intf-gig-logical context or the intf-10gig-logical context.

You access the intf-gig-logical context from the main CLI context, as follows:
1. Issue the gigabitethernet command inline with the configure interface command to configure a Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified Gigabit Ethernet interface.

You access the intf-10gig-logical context from the main CLI context, as follows:
1. Issue the 10gigabitethernet command inline with the configure interface command to configure a 10 Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified 10 Gigabit Ethernet interface.

Output
The output for this command has the following format:

Logical Line           : <logical_name>
Interface              : {gigabitethernet | 10gigabitethernet} <slot>/<port>
Ingress VLAN Tag Range : {none | <lowest_VLAN_ID> : <highest_VLAN_ID>}
Circuit Name           : [<circuit_name>]
(1 row)


The following table describes the information provided in each column/row.

Column/Row Heading: Logical Line
Information Provided: Name assigned to the logical interface. See logical (conf-intf-gig or conf-intf-10gig context) on page 469 for information on assigning a name to a new logical interface.

Column/Row Heading: Interface
Information Provided: Displays the following information about the physical interface for which the logical interface is configured.
- Interface type (Gigabit Ethernet or 10 Gigabit Ethernet)
- NPM slot number
- Ethernet port number
See configure interface on page 467 for information about configuring an Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.

Column/Row Heading: Ingress VLAN Tag Range
Information Provided: Indicates the range of VLANs (if any) from which a circuit mapped to this logical interface can accept traffic. This row displays one of the following:
- none: Indicates that a circuit mapped to this logical interface accepts only untagged traffic arriving on the physical interface for which the logical interface is configured.
- <lowest_VLAN_ID> : <highest_VLAN_ID>: The range of VLANs from which a circuit mapped to this logical interface can accept traffic arriving on the physical interface for which the logical interface is configured. NOTE: If both VLAN ID numbers are the same, the circuit accepts traffic only from the specified VLAN.
See logical (conf-intf-gig or conf-intf-10gig context) on page 469 for information about configuring a logical interface to enable a circuit's VNDs to accept packets from a single VLAN or a range of VLANs connected to a physical interface.

Column/Row Heading: Circuit Name
Information Provided: Name of the circuit mapped to the logical interface. This row is blank if the logical interface is not mapped to a circuit. See circuit (intf-gig-logical or intf-10gig-logical context) on page 471 for information about mapping a circuit to a physical interface configured with the logical command.

Restrictions
Default Privilege Level: 15


Example
The following command configures 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#

The following command configures a logical interface for the above physical interface, and configures that logical interface to create a link between a circuit's VNDs and the VLAN with the ID number 1660, which is connected to the physical interface. This command also places you in the intf-10gig-logical context in which you can map a circuit to the new logical interface (called testlogical).

CBS(conf-intf-10gig)# logical testlogical ingress-vlan-tag 1660
CBS(intf-10gig-logical)#

The following command displays the current configuration settings and circuit mapping for the logical interface called testlogical.

NOTE: This example output displays the configuration settings that you would create if you issued the example commands that we have provided for the configure interface, logical (conf-intf-gig or conf-intf-10gig context), and circuit (intf-gig-logical or intf-10gig-logical context) commands.

CBS(intf-10gig-logical)# show
Logical Line           : testlogical
Interface              : 10gigabitethernet 1/12
Ingress VLAN Tag Range : 1660 : 1660
Circuit Name           : testvlan1660
(1 row)
CBS(intf-10gig-logical)#

logical-all (conf-intf-gig or conf-intf-10gig context)


When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

When you map a circuit to a logical interface, you create a logical link between that circuit's VNDs and the physical interface that you are configuring. A Network Processor Module (NPM) uses logical interface mapping to identify the VNDs that send and receive traffic over each of its physical interfaces. When one or more VLANs are connected to a physical interface configured on an NPM, the NPM uses logical interface mapping to identify the VNDs that send and receive traffic over those VLANs.

The logical-all command creates and configures a new logical interface or configures the specified existing logical interface as a logical link between a circuit's VNDs and all VLANs connected to the physical interface that you are configuring. This command also places you in the intf-gig-logical-all or intf-10gig-logical-all context in which you can map a circuit to the specified logical interface.

NOTE: You can map only one circuit to each logical interface. See circuit (intf-gig-logical-all or intf-10gig-logical-all context) for more information about mapping a circuit to a logical interface configured with the logical-all command.

When you use the logical-all command to configure a logical interface for a physical interface, the VNDs that XOS creates for a circuit mapped to that logical interface can accept all tagged and untagged packets arriving on the physical interface.

You use the logical (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface to enable a circuit's VNDs to accept untagged packets or to enable a circuit's VNDs to accept VLAN-tagged packets from one or more specific VLANs (instead of accepting all tagged and untagged packets).

NOTE: While you can configure multiple logical interfaces for the same physical interface, each physical interface can have only one logical interface configured with the logical-all command.

After you configure a logical interface, you cannot change its VLAN tag configuration. Instead, you must delete the existing logical interface and recreate it with the desired configuration.

Use the no parameter to delete the specified logical interface from the physical interface that you are configuring.

Syntax
[no] logical-all <logical_name>

Contexts and Subcommands


You access this command from the conf-intf-gig or conf-intf-10gig context. You can access either of these contexts by issuing the configure interface command.

This command places you in either the intf-gig-logical-all or intf-10gig-logical-all context, in which you can map a circuit to the logical interface that you are configuring.

You can access the following command from the intf-gig-logical-all or intf-10gig-logical-all context:
  - circuit (intf-gig-logical-all or intf-10gig-logical-all context) on page 477

Parameters
The following table lists the parameters used with this command.

Parameter    Description

<logical_name>
Name assigned to the logical interface that you want to create, configure, or delete.

Restrictions
Default Privilege Level: 15

A physical interface can have only one logical interface configured with the logical-all command.

If a physical interface has a logical interface configured with the logical-all command, that physical interface cannot be configured as a redundant interface.

Example
The following command configures 10 Gigabit Ethernet port number 11 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface 10gigabitethernet 1/11
CBS(conf-intf-10gig)#

The following command configures a logical interface for the above physical interface, and configures that logical interface to create a link between a circuit's VNDs and all VLANs connected to the physical interface. This command also places you in the intf-10gig-logical-all context in which you can map a circuit to the new logical interface (called testlogicalall).

CBS(conf-intf-10gig)# logical-all testlogicalall
CBS(intf-10gig-logical-all)#

A circuit mapped to the logical interface called testlogicalall can accept all VLAN-tagged packets arriving on 10 Gigabit Ethernet interface 1/11.

circuit (intf-gig-logical-all or intf-10gig-logical-all context)


When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

When you map a circuit to a logical interface, you create a logical link between that circuit's VNDs and the physical interface that you are configuring. A Network Processor Module (NPM) uses logical interface mapping to identify the VNDs that send and receive traffic over each of its physical interfaces. When one or more VLANs are connected to a physical interface configured on an NPM, the NPM uses logical interface mapping to identify the VNDs that send and receive traffic over those VLANs.

You use the logical-all (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface to enable a circuit's VNDs to accept all tagged and untagged packets arriving on a physical interface.

NOTE: While you can configure multiple logical interfaces for the same physical interface, each physical interface can have only one logical interface configured with the logical-all command.

After you have used the logical-all command to configure a logical interface for a physical interface, you can configure additional logical interfaces for that physical interface using the logical (conf-intf-gig or conf-intf-10gig context) command. The logical (conf-intf-gig or conf-intf-10gig context) command configures a logical interface to enable a circuit's VNDs to accept untagged packets or to enable a circuit's VNDs to accept VLAN-tagged packets from one or more specific VLANs (instead of accepting all tagged and untagged packets).

The circuit command maps the specified circuit to the logical interface that you have just configured with the logical-all command.

NOTE: You can map only one circuit to each logical interface.
Use the no parameter to remove the specified circuit from the logical interface that you are configuring.

Syntax
[no] circuit <circuit_name>

Contexts
You access this command from either the intf-gig-logical-all context or the intf-10gig-logical-all context.

You access the intf-gig-logical-all context from the main CLI context, as follows:
1. Issue the gigabitethernet command inline with the configure interface command to configure a Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical-all (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified Gigabit Ethernet interface.

You access the intf-10gig-logical-all context from the main CLI context, as follows:
1. Issue the 10gigabitethernet command inline with the configure interface command to configure a 10 Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical-all (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified 10 Gigabit Ethernet interface.

Parameters
The following table lists the parameters used with this command.

Parameter    Description

<circuit_name>
Name of the circuit that you wish to map to the logical interface that you have just configured with the logical-all command. Use the show circuit command to display all current circuit configurations.

Restrictions
Default Privilege Level: 15

A circuit can be assigned to only one logical interface.

NOTE: You can map multiple logical interfaces to the same physical interface, allowing multiple circuits to pass traffic over a single physical interface. However, a physical interface can have only one logical interface configured with the logical-all command. All other logical interfaces must be configured with the logical (conf-intf-gig or conf-intf-10gig context) command.

Whether you configure a logical interface with the logical or logical-all command, you can always use link aggregation to bond multiple physical interfaces to a single logical interface, allowing one circuit to pass traffic over multiple physical interfaces.

Example
The following command configures 10 Gigabit Ethernet port number 11 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface 10gigabitethernet 1/11
CBS(conf-intf-10gig)#

The following command configures a logical interface for the above physical interface, and configures that logical interface to create a link between a circuit's VNDs and all VLANs connected to the physical interface. This command also places you in the intf-10gig-logical-all context in which you can map a circuit to the new logical interface (called testlogicalall).

CBS(conf-intf-10gig)# logical-all testlogicalall
CBS(intf-10gig-logical-all)#

The following command maps the circuit called testallvlans to the logical interface called testlogicalall on 10 Gigabit Ethernet interface 1/11:

CBS(intf-10gig-logical-all)# circuit testallvlans
CBS(intf-10gig-logical-all)#

The circuit called testallvlans is mapped to the VAP group called testvapgroup. The VNDs that XOS creates for the circuit called testallvlans on the VAP group called testvapgroup will process all tagged and untagged traffic arriving on 10 Gigabit Ethernet interface 1/11.

standby-only (conf-intf-gig or conf-intf-10gig context)


When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

A logical interface creates a logical link between a circuit's VNDs and a physical interface on a Network Processor Module (NPM). You configure a logical interface on a physical interface and then map the logical interface to a circuit that you have assigned to one or more VAP groups. An NPM uses logical interface mapping to identify the VNDs that send and receive traffic over each of its physical interfaces.

One advantage of using logical interfaces to map circuit VNDs to physical interfaces is that you can easily configure interface redundancy for a VAP group. When one physical interface fails, its logical interfaces can be moved over to another functional physical interface.

An interface redundancy configuration consists of one backup interface and one or more master interfaces that use the backup interface. The standby-only command configures the X-Series Platform to use the physical interface that you are configuring as the backup interface in an interface redundancy configuration.

NOTE: If you have more than one NPM in your chassis, you should configure master and backup interfaces on different NPMs. This way, if one NPM fails, the master interfaces configured on that NPM can fail over to backup interfaces on a functional NPM.

See configure redundancy-interface on page 541 for more information about creating an interface redundancy configuration to enable traffic to fail over from one physical interface to another.

Use the no parameter to delete the standby-only command from the configuration for the physical interface that you are configuring.

Use the show redundancy-interface command (see page 707) to determine whether the interface that you are configuring is part of an interface redundancy configuration. Use the show (conf-intf-gig or conf-intf-10gig context) command to determine whether this interface is configured with the standby-only command.

Syntax
[no] standby-only

Context
You access this command from the conf-intf-gig or conf-intf-10gig context. You can access either of these contexts by issuing the configure interface command.

Restrictions
Default Privilege Level: 15

A master interface cannot be configured with the standby-only command.

Members of a group interface cannot be configured as backup interfaces. However, members of a group interface can be configured as master interfaces.

A redundant interface cannot have a logical interface configured with the logical-all (conf-intf-gig or conf-intf-10gig context) command.

Multiple interfaces participating in the same interface redundancy configuration cannot be configured to pass traffic in the same broadcast domain. Therefore, in an interface redundancy configuration:
  - Only one interface can have logical interfaces configured to enable circuits to accept untagged packets.
  - Multiple interfaces cannot have logical interfaces configured with the same VLAN tag or with overlapping VLAN tag ranges.

NOTE: Logical interfaces that are not configured with the ingress-vlan-tag parameter are assigned to the VLAN tag range, 0-0.
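The restrictions above can be checked offline against a planned configuration before it is entered. The following is an added example, not code from XOS or Crossbeam; the data model, the function names and the sample interfaces are constructed for illustration. It also shows that the untagged rule is the overlap rule applied to the range 0-0.

```python
from dataclasses import dataclass, field
from itertools import combinations

UNTAGGED = (0, 0)  # per the NOTE above: no ingress-vlan-tag means VLAN tag range 0-0


@dataclass
class Logical:                     # hypothetical model of one logical interface
    name: str
    vlan_range: tuple = UNTAGGED   # inclusive (lowest, highest) VLAN ID
    logical_all: bool = False      # True if created with logical-all


@dataclass
class Interface:                   # hypothetical model of one physical interface
    port: str                      # "<slot>/<port>"
    role: str                      # "master" or "backup"
    standby_only: bool = False
    logicals: list = field(default_factory=list)


def overlaps(a, b):
    """True when two inclusive VLAN ranges share at least one ID."""
    return a[0] <= b[1] and b[0] <= a[1]


def audit(interfaces):
    """Return one finding per violated restriction in a redundancy configuration."""
    findings = []
    for intf in interfaces:
        if intf.role == "master" and intf.standby_only:
            findings.append(f"{intf.port}: master interface has standby-only set")
        for lg in intf.logicals:
            if lg.logical_all:
                findings.append(
                    f"{intf.port}: logical-all interface '{lg.name}' on a redundant interface")
    # Same broadcast domain: compare logical interfaces across every pair of ports.
    for a, b in combinations(interfaces, 2):
        for la in a.logicals:
            for lb in b.logicals:
                if la.logical_all or lb.logical_all:
                    continue  # already reported above
                if overlaps(la.vlan_range, lb.vlan_range):
                    what = ("untagged traffic"
                            if la.vlan_range == lb.vlan_range == UNTAGGED
                            else f"VLAN ranges {la.vlan_range} and {lb.vlan_range}")
                    findings.append(
                        f"{a.port}/{la.name} and {b.port}/{lb.name}: "
                        f"same broadcast domain ({what})")
    return findings


# Constructed sample: a master and a backup that break three restrictions.
BAD = [
    Interface("1/12", "master", logicals=[
        Logical("testlogical", (1660, 1660)), Logical("plain")]),
    Interface("2/12", "backup", standby_only=True, logicals=[
        Logical("bk-range", (1600, 1700)), Logical("bk-plain"),
        Logical("bk-all", logical_all=True)]),
]

# Constructed sample: the same pair with disjoint VLAN ranges and one untagged port.
GOOD = [
    Interface("1/12", "master", logicals=[
        Logical("testlogical", (1660, 1660)), Logical("plain")]),
    Interface("2/12", "backup", standby_only=True, logicals=[
        Logical("bk-range", (1700, 1799))]),
]

if __name__ == "__main__":
    for line in audit(BAD):
        print(line)
```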

Example
The following command configures 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 2 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface 10gigabitethernet 2/12
CBS(conf-intf-10gig)#

The following command configures the X-Series Platform to use the above interface as a backup interface in an interface redundancy configuration.

NOTE: The master interface in this configuration will be 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1. See the example under configure redundancy-interface on page 541 for more information about this interface redundancy configuration.

CBS(conf-intf-10gig)# standby-only
CBS(conf-intf-10gig)#

pause-frame (conf-intf-gig or conf-intf-10gig context)


Enables or disables (using no) support for PAUSE frames on the physical interface that you are configuring. PAUSE frame support is enabled by default. When PAUSE frame support is enabled on an interface, if an external system attempts to transmit data over that interface faster than the interface can accept data, the X-Series Platform sends a PAUSE frame to the external system, which halts transmissions from the external system for a short period of time. Use the show (conf-intf-gig or conf-intf-10gig context) command to determine whether PAUSE frame support is enabled or disabled on the interface that you are configuring.

Syntax
[no] pause-frame

Context
You access this command from the conf-intf-gig or conf-intf-10gig context. You can access either of these contexts from the main CLI context by issuing the configure interface command.

Restrictions
Default Privilege Level: 15

Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#

The following command disables PAUSE frame support on Gigabit Ethernet interface 1/1:

CBS(conf-intf-gig)# no pause-frame
CBS(conf-intf-gig)#

auto-negotiate (conf-intf-gig context)


Enables or disables (using no) auto-negotiation on the Gigabit Ethernet interface that you are configuring. Auto-negotiation is enabled by default.

NOTE: This setting is not configurable on 10 Gigabit Ethernet interfaces.

If auto-negotiation is enabled on an interface, when an external system establishes a connection with the X-Series Platform using that interface, the X-Series Platform works with the external system to choose the optimal duplex mode and media speed for that connection.

If auto-negotiation is disabled on an interface, the X-Series Platform uses the duplex mode and media speed settings configured for the Gigabit Ethernet interface for all external connections established on that interface.

NOTE: Use the duplex-mode (conf-intf-gig context) command to set the duplex mode for the Gigabit Ethernet interface that you are configuring. Use the media-speed (conf-intf-gig context) command to set the media speed for the Gigabit Ethernet interface that you are configuring. Use the show (conf-intf-gig or conf-intf-10gig context) command to display the duplex mode and media speed settings for the Gigabit Ethernet interface that you are configuring.

Use the show (conf-intf-gig or conf-intf-10gig context) command to determine whether auto-negotiation is enabled or disabled on the Gigabit Ethernet interface that you are configuring.

Syntax
[no] auto-negotiate

Context
You access this command from the conf-intf-gig context. You access this context from the main CLI context by issuing the gigabitethernet command inline with the configure interface command.

Restrictions
Default Privilege Level: 15

This setting is not configurable on 10 Gigabit Ethernet interfaces.

Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#

The following command disables auto-negotiation on Gigabit Ethernet interface 1/1:

CBS(conf-intf-gig)# no auto-negotiate
CBS(conf-intf-gig)#

duplex-mode (conf-intf-gig context)


Sets the duplex mode for the Gigabit Ethernet interface that you are configuring. You can configure a Gigabit Ethernet interface to operate in half-duplex mode or full-duplex mode.

NOTE: This setting applies only to Gigabit Ethernet interfaces with copper connectors. This setting is not configurable for 10 Gigabit Ethernet interfaces. This setting has no effect if auto-negotiation is enabled on the interface that you are configuring. See auto-negotiate (conf-intf-gig context) on page 481 for information about enabling and disabling auto-negotiation on an interface.

The default duplex mode setting is full-duplex mode. To restore this default behavior, you can use the no duplex-mode command or the duplex-mode full command.

Use the show (conf-intf-gig or conf-intf-10gig context) command to display the duplex mode setting for the interface that you are configuring.

Syntax
duplex-mode {full | half}
no duplex-mode

Context
You access this command from the conf-intf-gig context. You access this context from the main CLI context by issuing the gigabitethernet command inline with the configure interface command.

Parameters
The following table lists the parameters used with this command.

Parameter    Description

full
Configures the Gigabit Ethernet interface to operate in full-duplex mode. This is the default setting.

half
Configures the Gigabit Ethernet interface to operate in half-duplex mode.

Restrictions
Default Privilege Level: 15

This setting applies only to Gigabit Ethernet interfaces with copper connectors.

This setting is not configurable for 10 Gigabit Ethernet interfaces.

This setting has no effect if auto-negotiation is enabled on the interface that you are configuring. Use the show (conf-intf-gig or conf-intf-10gig context) command to determine whether auto-negotiation is enabled or disabled on the interface that you are configuring. See auto-negotiate (conf-intf-gig context) on page 481 for information about enabling and disabling auto-negotiation on an interface.

Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#

The following command configures Gigabit Ethernet interface 1/1 to operate in half-duplex mode:

CBS(conf-intf-gig)# duplex-mode half
CBS(conf-intf-gig)#

media-speed (conf-intf-gig context)


Sets the media speed for the Gigabit Ethernet interface that you are configuring. You can set the media speed to 10 Mbps, 100 Mbps, or 1 Gbps.

NOTE: This setting applies only to Gigabit Ethernet interfaces with copper connectors. This setting is not configurable for 10 Gigabit Ethernet interfaces. This setting has no effect if auto-negotiation is enabled on the interface that you are configuring. See auto-negotiate (conf-intf-gig context) on page 481 for information about enabling and disabling auto-negotiation on an interface.

The default media speed setting for a Gigabit Ethernet interface is 1000 Mbps. To restore this default setting, you can use the no media-speed command or the media-speed 1000 command.

Use the show (conf-intf-gig or conf-intf-10gig context) command to display the media speed setting for the interface that you are configuring.

Syntax
media-speed {10 | 100 | 1000}
no media-speed

Context
You access this command from the conf-intf-gig context. You access this context from the main CLI context by issuing the gigabitethernet command inline with the configure interface command.

Parameters
The following table lists the parameters used with this command.

Parameter    Description

10
Sets the media speed to 10 Mbps for the Gigabit Ethernet interface that you are configuring.

100
Sets the media speed to 100 Mbps for the Gigabit Ethernet interface that you are configuring.

1000
Sets the media speed to 1 Gbps for the Gigabit Ethernet interface that you are configuring. This is the default setting.

Restrictions
Default Privilege Level: 15

This setting applies only to Gigabit Ethernet interfaces with copper connectors.

This setting is not configurable for 10 Gigabit Ethernet interfaces.

This setting has no effect if auto-negotiation is enabled on the interface that you are configuring. Use the show (conf-intf-gig or conf-intf-10gig context) command to determine whether auto-negotiation is enabled or disabled on the interface that you are configuring. See auto-negotiate (conf-intf-gig context) on page 481 for information about enabling and disabling auto-negotiation on an interface.

Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#

The following command sets the media speed to 10 Mbps for Gigabit Ethernet interface 1/1:

CBS(conf-intf-gig)# media-speed 10
CBS(conf-intf-gig)#

enable (conf-intf-gig or conf-intf-10gig context)


Enables or disables (using no) the Gigabit Ethernet or 10 Gigabit Ethernet interface that you are configuring. An interface is enabled by default. When an interface is disabled, the Network Processor Module (NPM) does not allow traffic to pass through that interface. Use the show (conf-intf-gig or conf-intf-10gig context) command to determine whether the interface that you are currently configuring is enabled or disabled.

Syntax
[no] enable

Context
You access this command from the conf-intf-gig or conf-intf-10gig context. You can access either of these contexts from the main CLI context by issuing the configure interface command.

Restrictions
Default Privilege Level: 15

Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#

The following command temporarily disables Gigabit Ethernet interface 1/1:

CBS(conf-intf-gig)# no enable
CBS(conf-intf-gig)#

The NPM will not allow traffic to pass through Gigabit Ethernet interface 1/1 until you issue the following commands:

CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)#

show (conf-intf-gig or conf-intf-10gig context)


Displays the current configuration settings for the Network Processor Module (NPM) Gigabit Ethernet or 10 Gigabit Ethernet interface that you are configuring.

Syntax
show

Context
You access this command from the conf-intf-gig or conf-intf-10gig context. You can access either of these contexts from the main CLI context by issuing the configure interface command.

Output
The output for this command has the following format for a gigabitethernet interface:

Interface                           : {gigabitethernet} <slot>/<port>
Enable (true/false)                 : {t | f}
Auto Negotiate Enabled (true/false) : {t | f}
Media Speed (Mbits)                 : {auto | 100 | 10}
Duplex Mode                         : {auto | full | half}
Pause Frame (true/false)            : {t | f}
Standby Only (true/false)           : {t | f}
(1 row)

The output for this command has the following format for a 10gigabitethernet interface:

Interface                 : {10gigabitethernet} <slot>/<port>
Enable (true/false)       : {t | f}
Pause Frame (true/false)  : {t | f}
Standby Only (true/false) : {t | f}
(1 row)

The following table describes the information provided in each column/row.

Column/Row Heading    Information Provided

Interface
Ethernet interface type, NPM slot number, and port number assigned to the interface that you are configuring. This row displays information in the following format:
  {gigabitethernet | 10gigabitethernet} <slot>/<port>
where:
  - {gigabitethernet | 10gigabitethernet} indicates whether this is a Gigabit Ethernet interface or a 10 Gigabit Ethernet interface.
  - <slot> is the chassis slot number assigned to the NPM on which you are configuring the interface.
  - <port> is the NPM port number assigned to the interface.
See configure interface on page 467 for information about configuring an Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.

Auto Negotiate Enabled (true/false)
Indicates whether auto-negotiation is enabled (t) or disabled (f) on the interface that you are configuring. Default is enabled (t). See auto-negotiate (conf-intf-gig context) on page 481 for information about enabling and disabling auto-negotiation on an interface.

Media Speed (Mbits)
Media speed setting for the interface that you are configuring. This row displays one of the following keywords:
  auto
    Indicates that auto-negotiation is enabled on the interface. When an external system establishes a connection with the X-Series Platform using this interface, the X-Series Platform works with the external system to choose the optimal media speed for that connection.
  100
    Media speed is 100 Mbps. This is the default setting when auto-negotiation is disabled.
  10
    Media speed is 10 Mbps.
See media-speed (conf-intf-gig context) on page 483 for information about setting the media speed for an interface.

Duplex Mode
Duplex mode setting for the interface that you are configuring. This row displays one of the following keywords:
  auto
    Indicates that auto-negotiation is enabled on the interface. When an external system establishes a connection with the X-Series Platform using this interface, the X-Series Platform works with the external system to choose the optimal duplex mode for that connection.
  full
    Interface is operating in full-duplex mode. This is the default setting when auto-negotiation is disabled.
  half
    Interface is operating in half-duplex mode.
See duplex-mode (conf-intf-gig context) on page 482 for information about setting the duplex mode for an interface.

Pause Frame (true/false)
Indicates whether PAUSE frame support is enabled (t) or disabled (f) for the interface that you are configuring. Default is enabled (t). See pause-frame (conf-intf-gig or conf-intf-10gig context) on page 480 for information about enabling and disabling PAUSE frame support for an interface.

Standby Only (true/false)
Indicates whether Standby Only is enabled (t) or disabled (f) for the interface that you are configuring. Default is disabled (f). If Standby Only is enabled for an interface, the interface can be used as a backup interface in an interface redundancy configuration. See standby-only (conf-intf-gig or conf-intf-10gig context) on page 479 for information about enabling and disabling Standby Only for an interface.

Restrictions
Default Privilege Level: 15

Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.

CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#

The following command displays the current configuration settings for Gigabit Ethernet interface 1/1.

NOTE: This command displays the interface configuration settings that you would create if you issued the example commands that we have provided throughout this section.

CBS(conf-intf-gig)# show
Interface                           : gigabitethernet 1/1
Enable (true/false)                 : t
Auto Negotiate Enabled (true/false) : f
Media Speed (Mbits)                 : 10
Duplex Mode                         : half
Pause Frame (true/false)            : f
Standby Only (true/false)           : t
(1 row)
CBS(conf-intf-gig)#

configure interface-internal
An interface-internal defines an interface that can be used for internal connectivity between VAPs. Like an external interface, an interface-internal can be segmented into separate logical interfaces. Each logical interface can be configured to handle a range of VLAN traffic, non-VLAN traffic, or all traffic, tagged or untagged.

You can use interface-internal to configure a synchronization circuit to connect member VAPs within a VAP group. For example, you use this type of circuit for Check Point cluster synchronization.

You can also use an interface-internal to configure serialization. Serialization refers to the flow of data traffic from one application to a second application installed on the same X-Series Platform. You install and configure each application on a separate virtual application processor (VAP) group and connect the two VAP groups internally, in series. Traffic passes from one application to the next, allowing multi-layered, in-depth inspection, consistent with a user-defined security policy.

In serialization, an interface-internal is a virtualized interface used to pass traffic from an application installed on one VAP group to another application installed on another VAP group configured on the same X-Series Platform.

To create and configure an interface-internal, you perform the following steps:
1. Make sure you have created the circuits required by your configuration.
   For a synchronization circuit, create the circuit and assign it to the VAP group (for example, the VAP group associated with a Check Point firewall application).
   For serialization, create a bridge circuit if required (e.g. for Layer 2 to Layer 3 serialization), and two traffic circuits, and assign one of the traffic circuits to both VAP groups for which you want to configure serialization.
2. Configure an interface-internal.
3. Configure one or more logical or logical-all interfaces for the interface-internal, and segment VLAN and non-VLAN traffic among the logical interfaces as required.
4. Assign the appropriate circuits to the logical interfaces.
5. Configure options to override the flow-table-limit, fragment-handling-options, and packet-validation settings for each circuit on this interface (optional).

Commands for Configuring Interfaces for a VAP Group


The interface-internal command creates and configures an internal interface and maps the specified logical lines to the internal interface. Circuits are then assigned to these logical lines.

You can create multiple logical interfaces for the interface-internal. A logical interface can be configured to handle a range of VLAN traffic, non-VLAN traffic, or both VLAN and non-VLAN traffic:
• A logical interface configured with an ingress-vlan-tag accepts VLAN traffic for the specified VLAN tag or range.
• A logical interface configured without an ingress-vlan-tag accepts only non-VLAN traffic.
• A logical interface configured with the logical-all command accepts VLAN and non-VLAN traffic not handled by other logical lines.

When you create and configure an interface-internal, XOS creates the interface on the application's VAP group that is assigned to a circuit mapped through a logical interface to the internal interface. XOS creates an internal interface for a VAP group by creating a Virtual Network Device (VND) on each VAP in the group. The VAP operating system and the application running on the VAP group use the internal interface VNDs as Linux networking interfaces.

Use the no interface-internal command to delete the internal interface.

Syntax
configure interface-internal <internal_interface_name>
configure no interface-internal <internal_interface_name>

Context and Subcommands


You access this command from the main CLI context.

The configure interface-internal command places you in the conf-intf-internal context, from which you can configure one or more logical interfaces for this internal interface.

You can access the following commands from the conf-intf-internal context:
• logical (conf-intf-internal context)
• logical-all (conf-intf-internal context)

Parameters
The following table lists the parameters used with this command.

Parameter                    Description
<internal_interface_name>    Specifies a unique name for the internal interface.

Restrictions
Default Privilege Level: 15

A circuit mapped to an interface-internal must meet the following configuration requirements:
• The circuit must be assigned to both VAP groups for which you want to configure serialization, or the circuit must be assigned to a single VAP group for internal communication among the member VAPs.
• The circuit configuration for a bridging application's VAP group must include the promiscuous-mode active command. (See promiscuous-mode (conf-cct-vapgroup context) on page 423 for more information about this command.)


Example
In this example, we are configuring an interface-internal to configure synchronization for a firewall application.

The following commands create a circuit sync1 and assign it to the VAP group fw1:

CBS# configure circuit sync1
CBS(conf-cct)# device-name sync1
CBS(conf-cct)# vap-group fw1
CBS(conf-cct-vapgroup)# end
CBS#

The following commands create an interface-internal if_sync, assign it to the logical-all interface log_if_sync, and map it to the circuit sync1.

CBS# configure interface-internal if_sync
CBS(conf-intf-internal)# logical-all log_if_sync
CBS(conf-intf-internal-log-all)# circuit sync1
CBS(conf-intf-int-log-all-cct)# end
CBS#

For information about configuring an interface-internal for serialization or bridged configurations, see the XOS Configuration Guide and the Serialization Cookbook: IPS and Firewall.

logical (conf-intf-internal context)


When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.

The logical command creates and configures a new logical interface or configures the specified existing logical interface for the interface-internal that you are configuring. This command also places you in the conf-intf-internal-log context in which you can map a circuit to the specified logical interface. When you map a circuit to a logical interface, you create a logical link between that circuit's VNDs and the interface-internal that you are configuring.

NOTE: You can map only one circuit to each logical interface. However, you can map multiple logical interfaces to the same interface-internal.

See circuit (conf-intf-internal-log or conf-intf-internal-log-all context) on page 494 for more information about mapping a circuit to a logical interface configured with the logical command.

When one or more VLANs are connected to an interface-internal, the interface-internal uses logical interface mapping to identify the VNDs that send and receive traffic over those VLANs. By default, a logical interface does not provide a logical link between a VLAN and a circuit's VNDs. This means that by default, a circuit passes only untagged traffic arriving on an interface-internal.

You can use the ingress-vlan-tag parameter to configure a logical interface to create a logical link between a circuit's VNDs and one or more VLANs.
• Specify this parameter with a single VLAN tag to enable the circuit's VNDs to accept only packets with the specified VLAN tag.
• Specify this parameter with a range of VLAN tags to enable the circuit's VNDs to accept only packets whose VLAN tags are within the specified range.


You can configure multiple logical interfaces with the ingress-vlan-tag parameter to provide a VAP group with a separate virtualized Ethernet connection for each VLAN connected to the interface-internal. To do this, you configure a separate logical interface for each VLAN, and then map one of the VAP group's circuits to each VLAN-tagged logical interface.

NOTE: A single interface-internal cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.

You can use the logical-all command to configure a logical interface to enable a circuit's VNDs to accept all tagged and untagged packets. (See logical-all (conf-intf-internal context) on page 492 for more information about this command.)

After you configure a logical interface, you cannot change its VLAN tag configuration. Instead, you must delete the existing logical interface and recreate it with the desired VLAN tag configuration.

Use the no logical command to delete the specified logical interface from the physical interface that you are configuring.

Syntax
logical <logical_name> [ingress-vlan-tag {<VLAN_ID> | <lowest_VLAN_ID> <highest_VLAN_ID>}]
no logical <logical_name>

Contexts and Subcommands


You access this command from the conf-intf-internal context. You can access this context by issuing the configure interface-internal command.

This command places you in the conf-intf-internal-log context, in which you can map a circuit to the logical interface that you are configuring.

You can access the following command from the conf-intf-internal-log context:
• circuit (conf-intf-internal-log or conf-intf-internal-log-all context)

Parameters
The following table lists the parameters used with this command.

Parameter: <logical_name>
Description: Name assigned to the logical interface that you wish to create, configure, or delete.

Parameter: ingress-vlan-tag {<VLAN_ID> | <lowest_VLAN_ID> <highest_VLAN_ID>}
Description: Configures the logical interface to create a logical link between a circuit's VNDs and either a single VLAN or a range of VLANs.
• Specify a single VLAN tag, <VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets with the specified VLAN tag.
• Specify this parameter with a range of VLAN tags, <lowest_VLAN_ID> <highest_VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets whose VLAN tags are within the specified range.
Valid values for <VLAN_ID>, <lowest_VLAN_ID>, and <highest_VLAN_ID> are from 0 to 4094.
NOTE: A single physical interface cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.

Restrictions
Default Privilege Level: 15

A single interface-internal cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.

Example
The following command creates an interface-internal named if_test. This command also places you in the conf-intf-internal context in which you can create and configure logical interfaces for that interface.

CBS# configure interface-internal if_test
CBS(conf-intf-internal)#

The following command configures a logical interface called testlogical for the above interface-internal, and configures that logical interface to create a link between a circuit's VNDs and the VLAN with the ID number 1660, which is connected to the interface-internal. This command also places you in the conf-intf-internal-log context in which you can map a circuit to the new logical interface.

CBS(conf-intf-internal)# logical testlogical ingress-vlan-tag 1660
CBS(conf-intf-internal-log)#

A circuit mapped to the logical interface called testlogical can accept packets arriving on the interface-internal if_test only if those packets have the VLAN tag, 1660.

logical-all (conf-intf-internal context)


When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.


The logical-all command creates and configures a new logical interface or configures the specified existing logical interface for the interface-internal that you are configuring. This command also places you in the conf-intf-internal-log-all context in which you can map a circuit to the specified logical interface. When you map a circuit to a logical interface, you create a logical link between that circuit's VNDs and the interface-internal that you are configuring.

When you use the logical-all command to configure a logical interface for an interface-internal, the VNDs that XOS creates for a circuit mapped to that logical interface can accept all tagged and untagged packets arriving on the interface-internal.

NOTE: You can map only one circuit to each logical interface.

See circuit (conf-intf-internal-log or conf-intf-internal-log-all context) on page 494 for more information about mapping a circuit to a logical interface configured with the logical-all command.

You use the logical (conf-intf-internal context) command to configure a logical interface to enable a circuit's VNDs to accept untagged packets or to enable a circuit's VNDs to accept VLAN-tagged packets from one or more specific VLANs (instead of accepting all tagged and untagged packets).

NOTE: While you can configure multiple logical interfaces for the same physical interface, each physical interface can have only one logical interface configured with the logical-all command.

After you configure a logical interface, you cannot change its VLAN tag configuration. Instead, you must delete the existing logical interface and recreate it with the desired configuration.

Use the no parameter to delete the specified logical interface from the physical interface that you are configuring.

Syntax
[no] logical-all <logical_name>

Contexts and Subcommands


You access this command from the conf-intf-internal context. You can access this context by issuing the configure interface-internal command.

This command places you in the conf-intf-internal-log-all context, in which you can map a circuit to the logical interface that you are configuring.

You can access the following command from the conf-intf-internal-log-all context:
• circuit (conf-intf-internal-log or conf-intf-internal-log-all context)

Parameters
The following table lists the parameters used with this command.

Parameter         Description
<logical_name>    Name assigned to the logical interface that you want to create, configure, or delete.


Restrictions
Default Privilege Level: 15

• A physical interface can have only one logical interface configured with the logical-all command.
• If a physical interface has a logical interface configured with the logical-all command, that physical interface cannot be configured as a redundant interface.

Example
The following command creates an interface-internal named if_test. This command also places you in the conf-intf-internal context in which you can create and configure logical interfaces for that interface.

CBS# configure interface-internal if_test
CBS(conf-intf-internal)#

The following command configures a logical interface called testlogicalall for the above interface-internal. This command also places you in the conf-intf-internal-log-all context in which you can map a circuit to the new logical interface.

CBS(conf-intf-internal)# logical-all testlogicalall
CBS(conf-intf-internal-log-all)#

A circuit mapped to the logical interface called testlogicalall can accept all tagged and untagged packets arriving on the interface-internal if_test.

circuit (conf-intf-internal-log or conf-intf-internal-log-all context)


Maps the specified circuit to the logical interface that you are configuring for an interface-internal. Use the no parameter to remove the specified circuit from the logical interface that you are configuring.

Syntax
[no] circuit <circuit_name> [[no] flow-table-limit] [[no] fragment-handling-options] [[no] packet-validation]

Contexts
You access this command from either the conf-intf-internal-log context or the conf-intf-internal-log-all context.

You access the conf-intf-internal-log context from the main CLI context, as follows:
1. Issue the configure interface-internal command to create or specify an interface-internal.
2. Issue the logical (conf-intf-internal context) command to configure a logical interface for the specified interface-internal.

You access the conf-intf-internal-log-all context from the main CLI context, as follows:
1. Issue the configure interface-internal command to create or specify an interface-internal.
2. Issue the logical-all (conf-intf-internal context) command to configure a logical interface for the specified interface-internal.


Parameters
The following table lists the parameters used with this command.

Parameter: <circuit_name>
Description: Name of the circuit that you wish to map to the logical interface that you are configuring. Use the show circuit command to display all current circuit configurations.

Parameter: [no] flow-table-limit
Description: Overrides the global action when the flow table limit has been reached. Has this additional parameter:
    alternative-action pass    Specifies that traffic should be passed after the flow table limit has been exceeded.

Parameter: [no] fragment-handling-options
Description: Enables or disables (using no) fragment handling protection which overwrites the global settings.

Parameter: [no] packet-validation
Description: Enables or disables (using no) packet validation which overwrites the global settings. Has these additional parameters:
    [no] validate-ip-packet     Overrides the global action for the invalid IP packets.
    [no] validate-tcp-packet    Overrides the global action for the invalid TCP packets.
    [no] validate-tcp-xsum      Overrides the global action for invalid TCP packets with respect to checksum.

Restrictions
Default Privilege Level: 15

A circuit can be assigned to only one logical interface.

NOTE: You can map multiple logical interfaces to the same interface-internal, allowing multiple circuits to pass traffic over a single interface-internal.

Example
The following command creates an interface-internal named if_test. This command also places you in the conf-intf-internal context in which you can create and configure logical interfaces for that interface.

CBS# configure interface-internal if_test
CBS(conf-intf-internal)#

The following command configures a logical interface called testlogicalall for the above interface-internal. This command also places you in the conf-intf-internal-log-all context in which you can map a circuit to the new logical interface.

CBS(conf-intf-internal)# logical-all testlogicalall
CBS(conf-intf-internal-log-all)#


The following command maps the circuit testall_cct to the logical interface testlogicalall that is mapped to the interface-internal if_test. This command also places you in the conf-intf-int-log-cct context, in which you can

CBS(conf-intf-internal-log)# circuit testall_cct
CBS(conf-intf-int-log-cct)#

A circuit mapped to the logical interface called testlogicalall can accept all tagged and untagged packets arriving on the interface-internal if_test.

MAC Address Inheritance


• If you use the logical-all command to map a circuit (base circuit) to an interface-internal, all additional circuits (e.g. VLANs) mapped to the same VAP group inherit the base circuit's MAC address automatically. If the user changes the MAC address on the base circuit, the VLAN circuits will inherit the new MAC address.
• If you use the logical command to map a circuit (base circuit) to an interface-internal, additional circuits (e.g. VLANs) mapped to the same VAP group do not inherit the base circuit's MAC address automatically. If the user changes the MAC address on the base circuit, the VLAN circuits will retain their originally configured MAC addresses.
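The restrictions given above for logical, logical-all and circuit can be checked against a planned change before it is typed in. The following Python sketch is an added example, not part of the guide or of XOS: it parses command lines in the form shown in the examples, reports rule violations, and shows which logical interface would take a frame with a given VLAN tag. The sample session, the rule names and all function names are constructed for illustration, and exit and the no forms are not modelled.

```python
import re

MAX_VLAN = 4094  # the guide gives 0 to 4094 as the valid VLAN ID range

# Constructed sample session (not from the guide): the dmz and mgmt VLAN ranges
# overlap, and the circuit dmz_cct is mapped to two logical interfaces.
SAMPLE = """\
CBS# configure interface-internal if_serial
CBS(conf-intf-internal)# logical dmz ingress-vlan-tag 100 199
CBS(conf-intf-internal-log)# circuit dmz_cct
CBS(conf-intf-int-log-cct)# end
CBS# configure interface-internal if_serial
CBS(conf-intf-internal)# logical mgmt ingress-vlan-tag 150
CBS(conf-intf-internal-log)# circuit mgmt_cct
CBS(conf-intf-int-log-cct)# end
CBS# configure interface-internal if_serial
CBS(conf-intf-internal)# logical plain
CBS(conf-intf-internal-log)# circuit dmz_cct
CBS(conf-intf-int-log-cct)# end
CBS# configure interface-internal if_serial
CBS(conf-intf-internal)# logical-all catchall
CBS(conf-intf-internal-log-all)# circuit any_cct
CBS(conf-intf-int-log-all-cct)# end
"""

class Logical:
    def __init__(self, name, kind, vlans=()):
        self.name, self.kind = name, kind      # kind: "vlan", "untagged" or "all"
        self.vlans, self.circuits = vlans, []  # vlans: (low, high) when kind == "vlan"

def parse(text):
    """Build {interface-internal name: [Logical, ...]} from typed command lines."""
    interfaces, cur_if, cur_log = {}, None, None
    for raw in text.splitlines():
        words = re.sub(r"^\S*#\s*", "", raw.strip()).split()  # drop the CLI prompt
        if not words:
            continue
        if words[:2] == ["configure", "interface-internal"] and len(words) == 3:
            cur_if, cur_log = interfaces.setdefault(words[2], []), None
        elif words[0] in ("logical", "logical-all") and cur_if is not None and len(words) >= 2:
            cur_log = next((l for l in cur_if if l.name == words[1]), None)
            if cur_log is None:  # an existing logical interface keeps its VLAN settings
                if words[0] == "logical-all":
                    cur_log = Logical(words[1], "all")
                elif words[2:3] == ["ingress-vlan-tag"] and len(words) in (4, 5):
                    ids = [int(w) for w in words[3:]]
                    cur_log = Logical(words[1], "vlan", (ids[0], ids[-1]))
                else:
                    cur_log = Logical(words[1], "untagged")
                cur_if.append(cur_log)
        elif words[0] == "circuit" and cur_log is not None and len(words) >= 2:
            if words[1] not in cur_log.circuits:
                cur_log.circuits.append(words[1])
        elif words[0] == "end":  # back to the main CLI context
            cur_if = cur_log = None
    return interfaces

def audit(interfaces):
    """Check the guide's restrictions; return (interface, rule, detail) tuples."""
    findings, owner = [], {}
    for ifname, logicals in interfaces.items():
        # Assumption: the guide words this rule for a physical interface.
        catch_alls = [l.name for l in logicals if l.kind == "all"]
        if len(catch_alls) > 1:
            findings.append((ifname, "multiple-logical-all", ", ".join(catch_alls)))
        seen = []  # (name, low, high) of the valid VLAN ranges checked so far
        for log in logicals:
            if log.kind == "vlan":
                low, high = log.vlans
                if not 0 <= low <= high <= MAX_VLAN:
                    findings.append((ifname, "bad-vlan-range", f"{log.name} {low}-{high}"))
                else:
                    for other, olow, ohigh in seen:
                        if low <= ohigh and olow <= high:
                            findings.append((ifname, "vlan-overlap", f"{other} and {log.name}"))
                    seen.append((log.name, low, high))
            if len(log.circuits) > 1:  # only one circuit per logical interface
                findings.append((ifname, "multiple-circuits", log.name))
            for cct in log.circuits:   # a circuit belongs to only one logical interface
                here = f"{ifname}/{log.name}"
                if owner.setdefault(cct, here) != here:
                    findings.append((ifname, "circuit-reused", f"{cct} on {owner[cct]} and {here}"))
    return findings

def receiver(logicals, vlan=None):
    """Logical interface that takes a frame; vlan=None means an untagged frame."""
    for log in logicals:
        if vlan is None and log.kind == "untagged":
            return log.name
        if vlan is not None and log.kind == "vlan" and log.vlans[0] <= vlan <= log.vlans[1]:
            return log.name
    # logical-all takes whatever the other logical interfaces do not handle
    return next((l.name for l in logicals if l.kind == "all"), None)

if __name__ == "__main__":
    config = parse(SAMPLE)
    for finding in audit(config):
        print(*finding, sep=": ")
    for tag in (None, 120, 300):
        print(tag, "->", receiver(config["if_serial"], tag))
```

In the sample, VLAN 300 is not claimed by any tagged logical interface, so it reaches the circuit behind the logical-all interface; removing that interface makes receiver return None for the same tag.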

configure group-interface
Creates and configures a new group interface or configures the specified existing group interface. Places you in the conf-group-intf context in which you can configure the specified group interface.

A group interface is a set of interfaces that are logically linked to one another, and are collectively used to pass traffic between an external network and the members of one or more virtual application processor (VAP) groups.

You can configure a group interface to perform the following function:
• Link Aggregation: You configure the group interface to link two or more physical interfaces to create a link aggregation group (LAG). XOS bonds all interfaces in a LAG to a single logical interface, allowing one circuit to pass traffic over all interfaces in the LAG. See mode (conf-group-intf context) on page 497 for information about configuring a group interface to create a LAG.

Use the configure bridge-mode command to add a LAG to a bridged configuration.

Use the show (conf-group-intf context) command to display the current configuration for the group interface that you are configuring.

Use the no parameter to delete the specified group interface.

Syntax
configure [no] group-interface <group_interface_name>

Contexts and Subcommands


You access this command from the main CLI context.


This command places you in the conf-group-intf context in which you can configure the specified group interface. You can access the following commands from this context:
• mode (conf-group-intf context) on page 497
• interface-type (conf-group-intf context) on page 500
• interface (conf-group-intf context) on page 510
• logical (conf-group-intf context) on page 514
• show (conf-group-intf context) on page 519

Parameters
The following table lists the parameters used with this command.

Parameter                 Description
<group_interface_name>    Name assigned to the group interface that you want to create, configure, or delete.

Restrictions
Default Privilege Level: 15

Example
The following command creates a new group interface named testgrpint, and places you in the conf-group-intf context in which you can configure the new group interface:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

mode (conf-group-intf context)


Sets the operating mode for the group interface that you are configuring and maps the specified template circuit to the group interface.

NOTE: The specified template circuit must be assigned to at least one virtual application processor (VAP) group. When you assign a template circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group.

When you map a template circuit to a group interface, based on the operating mode that you configure for that group interface, XOS configures the template circuit as a virtualized link aggregation device for each VAP group to which the circuit is assigned.

IMPORTANT: You must set the operating mode for a group interface and map a template circuit to that group interface before adding members to that group interface.

Each time you add a member to a group interface, XOS uses the template circuit configuration to create and configure a Virtual Network Device (VND) for that group interface member on each VAP in each VAP group to which the template circuit is assigned. The VAP operating system and the application running on a VAP use group interface member VNDs as Linux networking interfaces.


XOS creates a logical link between the template circuit VND and the group interface member VNDs on each VAP in each VAP group to which the template circuit is assigned. Each VAP uses its template circuit VND as a link aggregation device that links the group interface member VNDs to create a virtualized link aggregation group (LAG).

XOS creates and configures a single logical interface for each group interface, and maps all group interface member VNDs to that logical interface. The logical interface provides a logical link between the physical interfaces that belong to the group and the VNDs that XOS creates for all members of the group.

NOTE: The logical interface also provides a logical link between all group interface member VNDs and all VLANs connected to the physical interfaces that belong to the group. This enables group interface member VNDs to accept all tagged and untagged packets received on the physical interfaces that belong to the group.

To use separate circuits for specific VLANs connected to the physical interfaces that belong to a group interface, you must configure additional logical interfaces for the group interface and map each logical interface to a single circuit. You can configure each additional logical interface to provide a link between its circuit's VNDs and one or more VLANs. See logical (conf-group-intf context) on page 514 for more information about configuring a logical interface for a group interface.

You configure a group interface to operate in Multi-link Mode.

Use the show (conf-group-intf context) command to display the current operating mode for the group interface that you are configuring.

Multi-link Mode
In multi-link mode, a group interface links two or more physical interfaces to create a link aggregation group (LAG). XOS bonds all interfaces in a LAG to a single logical interface, allowing one circuit to pass traffic over all interfaces in the LAG.

Before configuring a group interface to operate in multi-link mode, you create and configure a template circuit, assign it to one or more VAP groups, and configure each VAP group to process traffic passing through the circuit. XOS creates a Virtual Network Device (VND) for the template circuit on each VAP in each VAP group to which you assign the circuit.

NOTE: See Commands for Configuring Circuits for information about creating a circuit, assigning it to a VAP group, and configuring the VAP group to process traffic passing through the circuit.

When you configure a group interface to operate in multi-link mode, XOS configures the template circuit as a virtualized link aggregation device for each VAP group to which the template circuit is assigned.

XOS uses the template circuit configuration to create and configure a VND for each group interface member on each VAP in each VAP group to which the template circuit is assigned. The VAP operating system and the application running on a VAP use group interface member VNDs as Linux networking interfaces.

On each VAP, XOS links the group interface template circuit VND with all of the group interface member VNDs. The template circuit VND functions as a link aggregation device that links the group interface member VNDs to create a virtual link aggregation group (LAG) on the VAP.

XOS creates and configures a single logical interface for each multi-link mode group interface, and maps all group interface member VNDs to that logical interface. The logical interface provides a logical link between the physical interfaces configured as members of the LAG and the VNDs that XOS creates for those physical interfaces.

Thus, the physical interfaces in a multi-link mode group interface are configured as members of a LAG. This LAG passes traffic between an external network and the members of the VAP groups to which the template circuit is assigned.


NOTE: The logical interface for a multi-link mode group interface also provides a logical link between the group interface member VNDs and all VLANs connected to the physical interfaces in the LAG. This enables the group interface member VNDs to accept all tagged and untagged packets received on the physical interfaces in the LAG.

If you wish to break up a VLAN trunk into multiple VLAN circuits, you must configure the group interface with a separate logical interface for each VLAN circuit, and configure each logical interface to create a logical link between its circuit's VNDs and one or more VLANs. See logical (conf-group-intf context) on page 514 for information about configuring a logical interface for a group interface.

A VAP group treats a LAG as if it were a single interface. Therefore, if you configure a group interface to operate in multi-link mode, you can configure that group interface (LAG) as a member of a bridge-mode configuration.

MAC Address Inheritance


• If you apply a user-defined MAC address to the mode multi-link circuit, additional circuits (e.g. VLAN circuits) mapped to the same VAP group inherit the mode circuit's MAC address automatically. If the user changes the MAC address on the mode circuit, the VLAN circuits will inherit the new MAC address.
• If you use the logical command to map additional circuits (e.g. VLAN circuits) to a mode multi-link group interface, the VLAN circuit does not inherit the mode circuit's MAC address. If the user changes the MAC address on the mode circuit, the VLAN circuits will retain their originally configured MAC addresses.

Syntax
mode multi-link circuit <template_circuit_name>

Context
You access this command from the conf-group-intf context. You access this context from the main CLI context by issuing the configure group-interface command.

Parameters
The following table lists the parameters used with this command.

Parameter: multi-link
Description: Configures the group interface to operate in multi-link mode. See Multi-link Mode on page 498 for more information about this mode.

Parameter: circuit <template_circuit_name>
Description: Maps the specified template circuit to the group interface. XOS configures the template circuit as a virtualized link aggregation device for each VAP group to which the circuit is assigned. See Multi-link Mode on page 498 for more information.

Restrictions
Default Privilege Level: 15

• You must set the operating mode for a group interface and map a template circuit to that group interface before adding members to that group interface.


• You must assign a template circuit to at least one VAP group before mapping the template circuit to a group interface.
• Each template circuit can be mapped to only one group interface.

The following restrictions apply to group interfaces configured to operate in Multi-link Mode:
• The group interface can include a maximum of eight physical interfaces.
• The group interface cannot include any internal interfaces.
• Group interface members cannot be used in interface redundancy configurations. See configure redundancy-interface on page 541 for more information about interface redundancy.

Example
The following commands create and configure a template circuit called testgrp and assign that circuit to the VAP group called testvapgroup:

CBS# configure circuit testgrp
CBS(conf-cct)# device-name testgrp
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# end
CBS#

The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command configures the group interface called testgrpint to operate in Multi-link Mode, and assigns the template circuit called testgrp to that group interface:

CBS(conf-group-intf)# mode multi-link circuit testgrp
CBS(conf-group-intf)#

The following commands configure physical ports as members of the LAG and enable the interfaces for this group interface.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)# interface 1/2
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# interface 1/3
CBS(conf-grp-intf-intf)# end
CBS#

XOS configures the template circuit called testgrp as a virtualized link aggregation device for the VAP group called testvapgroup.
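The ordering restrictions on the mode command (template circuit assigned to a VAP group first, mode set before members are added, one group interface per template circuit, at most eight members) lend themselves to a replay check over a planned command sequence. The following Python sketch is an added example, not part of the guide or of XOS; the sample session, the rule names and the function name are constructed for illustration.

```python
import re

MAX_LAG_MEMBERS = 8  # the guide's limit for a multi-link group interface

# Constructed command sequence (not from the guide): lag_b adds a member before
# its mode is set, then maps a template circuit that lag_a already uses.
LAG_SAMPLE = """\
CBS# configure circuit lagcct
CBS(conf-cct)# device-name lagcct
CBS(conf-cct)# vap-group fw1
CBS(conf-cct-vapgroup)# end
CBS# configure group-interface lag_a
CBS(conf-group-intf)# mode multi-link circuit lagcct
CBS(conf-group-intf)# interface 1/2
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# interface 1/3
CBS(conf-grp-intf-intf)# end
CBS# configure group-interface lag_b
CBS(conf-group-intf)# interface 2/1
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# mode multi-link circuit lagcct
CBS(conf-group-intf)# end
"""

def check_group_interfaces(text):
    """Replay the commands in order and return (group interface, rule) findings."""
    circuits = {}  # circuit name -> set of VAP groups it is assigned to
    groups = {}    # group interface -> {"circuit": template or None, "members": [...]}
    mapped = {}    # template circuit -> first group interface that mapped it
    findings, cct, grp = [], None, None
    for raw in text.splitlines():
        words = re.sub(r"^\S*#\s*", "", raw.strip()).split()  # drop the CLI prompt
        if not words:
            continue
        if words[:2] == ["configure", "circuit"] and len(words) == 3:
            cct, grp = words[2], None
            circuits.setdefault(cct, set())
        elif words[:2] == ["configure", "group-interface"] and len(words) == 3:
            grp, cct = words[2], None
            groups.setdefault(grp, {"circuit": None, "members": []})
        elif words[0] == "vap-group" and cct is not None and len(words) == 2:
            circuits[cct].add(words[1])
        elif words[:3] == ["mode", "multi-link", "circuit"] and grp is not None and len(words) == 4:
            template = words[3]
            if not circuits.get(template):
                findings.append((grp, "template-circuit-has-no-vap-group"))
            if mapped.setdefault(template, grp) != grp:
                findings.append((grp, "template-circuit-already-mapped"))
            groups[grp]["circuit"] = template
        elif words[0] == "interface" and grp is not None and len(words) == 2:
            members = groups[grp]["members"]
            if groups[grp]["circuit"] is None:
                findings.append((grp, "member-added-before-mode"))
            if words[1] not in members:
                members.append(words[1])
                if len(members) == MAX_LAG_MEMBERS + 1:
                    findings.append((grp, "more-than-eight-members"))
        elif words[0] == "end":  # back to the main CLI context
            cct = grp = None
    return findings

if __name__ == "__main__":
    for group, rule in check_group_interfaces(LAG_SAMPLE):
        print(f"{group}: {rule}")
```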

interface-type (conf-group-intf context)


Sets the Ethernet interface type to Gigabit Ethernet or 10 Gigabit Ethernet for the group interface that you are configuring. Places you in the conf-grp-intf-gig or conf-grp-intf-10gig context in which you can configure additional settings for the Gigabit Ethernet or 10 Gigabit Ethernet interfaces that belong to this group interface.


XOS applies the specified Ethernet interface type setting to all members of the group interface that you are configuring. All Network Processor Module (NPM) interfaces that you configure as members of this group interface must be of the specified interface type.

The default Ethernet interface type setting is Gigabit Ethernet. Use the interface-type gigabitethernet command to restore this default setting.

NOTE: After you configure an interface as a member of a group interface, you cannot change the Ethernet interface type setting for that group interface.

Use the show (conf-group-intf context) command to display the current Ethernet interface type setting for the group interface that you are configuring.

Syntax
interface-type {gigabitethernet | 10gigabitethernet}

Contexts and Subcommands


You access this command from the conf-group-intf context. You access this context from the main CLI context by issuing the configure group-interface command.

The interface-type gigabitethernet command places you in the conf-grp-intf-gig context, in which you can configure settings for the Gigabit Ethernet interfaces that belong to the group interface that you are configuring.

The interface-type 10gigabitethernet command places you in the conf-grp-intf-10gig context, in which you can configure settings for the 10 Gigabit Ethernet interfaces that belong to the group interface that you are configuring.

You can access the following commands only from the conf-grp-intf-gig context:
• auto-negotiate (conf-grp-intf-gig context) on page 503
• duplex-mode (conf-grp-intf-gig context) on page 504
• media-speed (conf-grp-intf-gig context) on page 506

You can access the following commands from either the conf-grp-intf-gig context or the conf-grp-intf-10gig context:
• pause-frame (conf-grp-intf-gig or conf-grp-intf-10gig context) on page 502
• enable (conf-grp-intf-gig or conf-grp-intf-10gig context) on page 508

Inline Commands
The following table lists the CLI commands used inline with the interface-type command.

Command              Description
gigabitethernet      Sets the Ethernet interface type to Gigabit Ethernet for the group interface that you are configuring.
10gigabitethernet    Sets the Ethernet interface type to 10 Gigabit Ethernet for the group interface that you are configuring.

Restrictions
Default Privilege Level: 15

After you configure an interface as a member of a group interface, you cannot change the Ethernet interface type setting for that group interface.

Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#

XOS applies the above Ethernet interface configuration setting to all members of the group interface called testgrpint. All NPM interfaces that you configure as members of this group interface must be Gigabit Ethernet interfaces.

pause-frame (conf-grp-intf-gig or conf-grp-intf-10gig context)


Enables or disables (using no) support for PAUSE frames on all physical interfaces that belong to the group interface that you are configuring. By default, PAUSE frame support is enabled on all physical interfaces configured as members of a group interface.

When PAUSE frame support is enabled on an interface, if an external system attempts to transmit data over that interface faster than the interface can accept data, the X-Series Platform sends a PAUSE frame to the external system, which halts transmissions from the external system for a short period of time.

Use the show (conf-group-intf context) command to determine whether PAUSE frame support is enabled or disabled on the physical interfaces that belong to the group interface that you are configuring.

Syntax
[no] pause-frame

Contexts
You access this command from the conf-grp-intf-gig or conf-grp-intf-10gig context.

To access the conf-grp-intf-gig context from the main CLI context, you perform the following steps:
1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the Gigabit Ethernet interfaces that belong to the specified group interface.

To access the conf-grp-intf-10gig context from the main CLI context, you perform the following steps:
1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the 10gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the 10 Gigabit Ethernet interfaces that belong to the specified group interface.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#

The following command disables PAUSE frame support on all Gigabit Ethernet interfaces that belong to the group interface called testgrpint:

CBS(conf-grp-intf-gig)# no pause-frame
CBS(conf-grp-intf-gig)#

auto-negotiate (conf-grp-intf-gig context)


Enables or disables (using no) auto-negotiation on the Gigabit Ethernet interfaces that belong to the group interface that you are configuring. By default, auto-negotiation is enabled on all Gigabit Ethernet interfaces configured as members of a group interface.

NOTE: This setting is not configurable for members of a group interface whose Ethernet interface type is set to 10 Gigabit Ethernet.

If auto-negotiation is enabled on an interface, when an external system establishes a connection with the X-Series Platform using that interface, the X-Series Platform works with the external system to choose the optimal duplex mode and media speed for that connection.

If auto-negotiation is disabled on an interface, the X-Series Platform uses the duplex mode and media speed settings configured for the Gigabit Ethernet interface for all external connections established on that interface.

NOTE: Use the duplex-mode (conf-grp-intf-gig context) command to set the duplex mode for the Gigabit Ethernet interfaces that belong to the group interface that you are configuring. Use the media-speed (conf-grp-intf-gig context) command to set the media speed for the Gigabit Ethernet interfaces that belong to the group interface that you are configuring. Use the show (conf-group-intf context) command to display the duplex mode and media speed settings for the Gigabit Ethernet interfaces that belong to the group interface that you are configuring.

Use the show (conf-group-intf context) command to determine whether auto-negotiation is enabled or disabled on the Gigabit Ethernet interfaces that belong to the group interface that you are configuring.

Syntax
[no] auto-negotiate

Context
You access this command from the conf-grp-intf-gig context. To access this context from the main CLI context, you perform the following steps:
1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the Gigabit Ethernet interfaces that belong to the specified group interface.

Restrictions
Default Privilege Level: 15

- This setting is not configurable for members of a group interface whose Ethernet interface type is set to 10 Gigabit Ethernet.

Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#

The following command disables auto-negotiation on all Gigabit Ethernet interfaces that belong to the group interface called testgrpint:

CBS(conf-grp-intf-gig)# no auto-negotiate
CBS(conf-grp-intf-gig)#

duplex-mode (conf-grp-intf-gig context)


Sets the duplex mode for the Gigabit Ethernet interfaces that belong to the group interface that you are configuring. Gigabit Ethernet interfaces can operate in half-duplex mode or full-duplex mode.

NOTE:
- This setting applies only to Gigabit Ethernet interfaces with copper connectors.
- This setting is not configurable for members of a group interface whose Ethernet interface type is set to 10 Gigabit Ethernet.
- This setting has no effect if auto-negotiation is enabled on the interfaces that belong to the group interface that you are configuring. See auto-negotiate (conf-grp-intf-gig context) on page 503 for information about enabling and disabling auto-negotiation on the Gigabit Ethernet interfaces that belong to a group interface.

The default duplex mode setting is full-duplex mode. To restore this default setting, you can use the no duplex-mode command or the duplex-mode full command.

Use the show (conf-group-intf context) command to display the duplex mode setting for the Gigabit Ethernet interfaces that belong to the group interface that you are configuring.

Syntax
duplex-mode {full | half}
no duplex-mode

Context
You access this command from the conf-grp-intf-gig context. To access this context from the main CLI context, you perform the following steps:
1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the Gigabit Ethernet interfaces that belong to the specified group interface.

Parameters
The following table lists the parameters used with this command.

Parameter  Description
full       Configures group interface members to operate in full-duplex mode. This is the default setting.
half       Configures group interface members to operate in half-duplex mode.

Restrictions
Default Privilege Level: 15

- This setting applies only to Gigabit Ethernet interfaces with copper connectors.
- This setting is not configurable for members of a group interface whose Ethernet interface type is set to 10 Gigabit Ethernet.
- This setting has no effect if auto-negotiation is enabled on the interfaces that belong to the group interface that you are configuring. Use the show (conf-group-intf context) command to determine whether auto-negotiation is enabled or disabled on the Gigabit Ethernet interfaces that belong to the group interface that you are configuring. See auto-negotiate (conf-grp-intf-gig context) on page 503 for information about enabling and disabling auto-negotiation on the Gigabit Ethernet interfaces configured as members of a group interface.
- Members of a Multi-link Mode group interface cannot be configured to operate in half-duplex mode. If you attempt to issue the duplex-mode half command when configuring a multi-link mode group interface, the CLI displays an error message and reconfigures the group interface members to operate in full-duplex mode.

Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces configured as members of the group interface called testgrpint.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#

The following command configures the Gigabit Ethernet interfaces that belong to the group interface called testgrpint to operate in half-duplex mode:

CBS(conf-grp-intf-gig)# duplex-mode half
CBS(conf-grp-intf-gig)#

media-speed (conf-grp-intf-gig context)


Sets the media speed for the Gigabit Ethernet interfaces that belong to the group interface that you are configuring. You can set the media speed to 10 Mbps, 100 Mbps, or 1 Gbps.

NOTE:
- This setting applies only to Gigabit Ethernet interfaces with copper connectors.
- This setting is not configurable for members of a group interface whose Ethernet interface type is set to 10 Gigabit Ethernet.
- This setting has no effect if auto-negotiation is enabled on the interfaces that belong to the group interface that you are configuring. See auto-negotiate (conf-grp-intf-gig context) on page 503 for information about enabling and disabling auto-negotiation on the Gigabit interfaces that belong to the group interface that you are configuring.

The default media speed setting is 100 Mbps. To restore this default setting, you can use the no media-speed command or the media-speed 100 command.

Use the show (conf-group-intf context) command to display the media speed setting for the Gigabit Ethernet interfaces that belong to the group interface that you are configuring.

Syntax
media-speed {10 | 100 | 1000}
no media-speed

Context
You access this command from the conf-grp-intf-gig context. To access this context from the main CLI context, you perform the following steps:
1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the Gigabit Ethernet interfaces that belong to the specified group interface.

Parameters
The following table lists the parameters used with this command.

Parameter  Description
10         Sets the media speed to 10 Mbps for all Gigabit Ethernet interfaces that belong to the group interface that you are configuring.
100        Sets the media speed to 100 Mbps for all Gigabit Ethernet interfaces that belong to the group interface that you are configuring.
1000       Sets the media speed to 1 Gbps for all Gigabit Ethernet interfaces that belong to the group interface that you are configuring. This is the default setting.

Restrictions
Default Privilege Level: 15

- This setting applies only to Gigabit Ethernet interfaces with copper connectors.
- This setting is not configurable for members of a group interface whose Ethernet interface type is set to 10 Gigabit Ethernet.
- This setting has no effect if auto-negotiation is enabled on the interfaces that belong to the group interface that you are configuring. Use the show (conf-group-intf context) command to determine whether auto-negotiation is enabled or disabled on the Gigabit Ethernet interfaces that belong to the group interface that you are configuring. See auto-negotiate (conf-grp-intf-gig context) on page 503 for information about enabling and disabling auto-negotiation on the Gigabit Ethernet interfaces configured as members of a group interface.

Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#

The following command sets the media speed to 10 Mbps for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint:

CBS(conf-grp-intf-gig)# media-speed 10
CBS(conf-grp-intf-gig)#

enable (conf-grp-intf-gig or conf-grp-intf-10gig context)


Enables or disables (using no) the group interface that you are configuring. All group interfaces are enabled by default.

When a group interface is disabled, Network Processor Modules (NPMs) do not allow traffic to pass through any of the physical interfaces configured as members of that group interface.

NOTE: You can disable individual physical interfaces that belong to an enabled group interface. However, you cannot enable individual physical interfaces that belong to a disabled group interface. See enable (conf-grp-intf-intf context) on page 512 for instructions on enabling and disabling individual interfaces within a group.

The CLI issues a warning message each time you:
- Disable a group interface that includes individual physical interfaces that are currently enabled.
- Configure an enabled link aggregation group interface as a member of a disabled group interface.
- Enable a link aggregation group interface configured as a member of a disabled group interface.

Use the show (conf-group-intf context) command to determine whether the group interface that you are currently configuring is enabled or disabled, and to determine whether the members of this group interface are enabled or disabled.

Syntax
[no] enable

Contexts
You access this command from the conf-grp-intf-gig or conf-grp-intf-10gig context.

To access the conf-grp-intf-gig context from the main CLI context, you perform the following steps:
1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the Gigabit Ethernet interfaces that belong to the specified group interface.

To access the conf-grp-intf-10gig context from the main CLI context, you perform the following steps:
1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the 10gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the 10 Gigabit Ethernet interfaces that belong to the specified group interface.

Restrictions
Default Privilege Level: 15

- You can disable individual physical interfaces that belong to an enabled group interface. However, you cannot enable individual physical interfaces that belong to a disabled group interface. See enable (conf-grp-intf-intf context) on page 512 for instructions on enabling and disabling individual interfaces within a group.

Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#

The following command temporarily disables the group interface called testgrpint:

CBS(conf-grp-intf-gig)# no enable
CBS(conf-grp-intf-gig)#

NPMs will not allow traffic to pass through the Gigabit Ethernet interfaces that belong to the group interface called testgrpint until you issue the following commands:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# enable
CBS(conf-grp-intf-gig)#

interface (conf-group-intf context)


Configures the specified Network Processor Module (NPM) Ethernet port to pass traffic between the X-Series Platform and an external network, and configures this Ethernet interface as a member of the group interface that you are configuring. Places you in the conf-grp-intf-intf context in which you can assign a device name to the Virtual Network Devices (VNDs) that XOS creates for the specified Ethernet interface, and in which you can enable or disable the specified Ethernet interface.

NOTE: The specified NPM Ethernet port must be the interface type that you configured for the group interface using the interface-type (conf-group-intf context) command.

IMPORTANT: You must set the operating mode for a group interface and map a template circuit to that group interface before configuring a physical interface as a member of that group interface. See mode (conf-group-intf context) on page 497 for information about configuring an operating mode and a template circuit for a group interface.

Each time you add a physical interface to a group interface, XOS uses the template circuit configuration to create and configure a VND for that interface on each VAP in each VAP group to which the template circuit is assigned. The VAP operating system and the application running on a VAP use these VNDs as Linux networking interfaces.

XOS creates a logical link between the template circuit VND and the group interface member VNDs on each VAP in each VAP group to which the template circuit is assigned. Each VAP uses its template circuit VND as a link aggregation device that links the group interface member VNDs to create a virtualized link aggregation group (LAG).

XOS creates and configures a single logical interface for each group interface, and maps all group interface member VNDs to that logical interface. The logical interface provides a logical link between the physical interfaces that belong to the group and the VNDs that XOS creates for all members of the group.

NOTE: The logical interface also provides a logical link between all group interface member VNDs and all VLANs connected to the physical interfaces that belong to the group. This enables group interface member VNDs to accept all tagged and untagged packets received on the physical interfaces that belong to the group.

If you are configuring a physical interface as a member of a group interface operating in Multi-link Mode, and you wish to break up a VLAN trunk into multiple VLAN circuits, you must configure the group interface with a separate logical interface for each VLAN circuit, and configure each logical interface to create a logical link between its circuit's VNDs and one or more VLANs. See logical (conf-group-intf context) on page 514 for more information about configuring a logical interface for a group interface. Use the show (conf-group-intf context) command to display the logical interfaces currently configured for the multi-link mode group interface that you are configuring.

Use the no parameter to delete the specified physical interface from the group interface that you are configuring.

IMPORTANT: After you configure a physical interface as a member of a group interface, that group interface must always include at least one physical interface. You cannot delete all existing physical interfaces from a group interface. Instead, you must delete the entire group interface, and then recreate it with new members.

Use the show (conf-group-intf context) command to list the physical interfaces that belong to the group interface that you are configuring and display the current configuration settings applied to each physical interface.

Syntax
[no] interface <slot>/<port>

Contexts and Subcommands


You access this command from the conf-group-intf context. You access this context from the main CLI context by issuing the configure group-interface command.

This command places you in the conf-grp-intf-intf context in which you can assign a device name to the VNDs that XOS creates for the specified Ethernet interface, and in which you can enable or disable the specified Ethernet interface.

You can access the following command from this context:
- enable (conf-grp-intf-intf context) on page 512

Parameters
The following table lists the parameters used with this command.

Parameter  Description
<slot>     Chassis slot number assigned to the NPM on which you want to configure an Ethernet interface as a member of the group interface that you are configuring.
<port>     NPM port number assigned to the Ethernet interface that you want to configure as a member of the group interface that you are configuring. NOTE: The specified NPM port must be the interface type that you configured for the group interface using the interface-type (conf-group-intf context) command. On an NPM-86x0, only ports 11 and 12 are 10 Gigabit Ethernet interfaces. All other NPM ports are Gigabit Ethernet ports.

Restrictions
Default Privilege Level: 15

- You must set the operating mode for a group interface and map a circuit to that group interface before adding members to that group interface.
- After a physical interface has been configured as a standalone interface using the configure interface command, that physical interface cannot be configured as a member of a group interface.
- After you configure an interface as a member of a group interface, you cannot change the Ethernet interface type setting for that group interface.
- The following restrictions apply only to group interfaces configured to operate in Multi-link Mode:
  - The group interface can include a maximum of eight physical interfaces.
  - Group interface members cannot be used in interface redundancy configurations. See configure redundancy-interface on page 541 for more information about interface redundancy configurations.

Example
In this example, we will configure a physical interface as a member of a Multi-link Mode group interface called testgrpint.

NOTE: The group interface template circuit is called testgrp.

The following command places you in the conf-group-intf context in which you can configure the existing multi-link mode group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command configures Gigabit Ethernet port number 2 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network, and configures this interface as a member of the group interface called testgrpint. This command also places you in the conf-grp-intf-intf context in which you can enable or disable Gigabit Ethernet interface 1/2.

CBS(conf-group-intf)# interface 1/2
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)#

To complete the LAG, use the interface command to configure additional ports for the interface.

enable (conf-grp-intf-intf context)


Enables or disables (using no) the physical interface that you are configuring as a member of a group interface. By default, physical interfaces are enabled when configured as members of a group interface.

When a physical interface is disabled, the Network Processor Module (NPM) does not allow traffic to pass through that physical interface.

NOTE: You can disable individual physical interfaces that belong to an enabled group interface. However, you cannot enable individual physical interfaces that belong to a disabled group interface. See enable (conf-grp-intf-gig or conf-grp-intf-10gig context) on page 508 for instructions on enabling and disabling a group interface.

The CLI issues a warning message each time you:
- Disable a group interface that includes individual physical interfaces that are currently enabled.
- Configure an enabled link aggregation group interface as a member of a disabled group interface.
- Enable a link aggregation group interface configured as a member of a disabled group interface.

Use the show (conf-group-intf context) command to determine whether the group interface that you are currently configuring is enabled or disabled, and to determine whether the members of that group interface are enabled or disabled.

Syntax
[no] enable

Context
You access this command from the conf-grp-intf-intf context. You access this context by issuing the configure group-interface command to configure a specific group interface and then issuing the interface (conf-group-intf context) command to configure a physical interface as a member of that group interface.

Restrictions
Default Privilege Level: 15

- You can disable individual physical interfaces that belong to an enabled group interface. However, you cannot enable individual physical interfaces that belong to a disabled group interface. Use the show (conf-group-intf context) command to determine whether the group interface that you are configuring is enabled or disabled. See enable (conf-grp-intf-gig or conf-grp-intf-10gig context) on page 508 for instructions on enabling and disabling a group interface.

Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint.

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command places you in the conf-grp-intf-intf context in which you can configure Gigabit Ethernet interface 1/2, which has been configured as a member of the group interface called testgrpint:

CBS(conf-group-intf)# interface 1/2
CBS(conf-grp-intf-intf)#

The following command disables Gigabit Ethernet interface 1/2:

CBS(conf-grp-intf-intf)# no enable
CBS(conf-grp-intf-intf)#

The NPM will not allow traffic to pass through Gigabit Ethernet interface 1/2 until you issue the following commands:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)# interface 1/2
CBS(conf-grp-intf-intf)# enable
CBS(conf-grp-intf-intf)#

logical (conf-group-intf context)


XOS creates and configures a single logical interface for each group interface, and maps all group interface members to that logical interface. The logical interface provides a logical link between the physical interfaces that belong to the group and the Virtual Network Devices (VNDs) that XOS creates for all group interface members.

The logical interface also provides a logical link between all group interface member VNDs and all VLANs connected to the physical interfaces that belong to the group. This enables group interface member VNDs to accept all tagged and untagged packets received on the physical interfaces that belong to the group.

When you configure a group interface that operates in Multi-link Mode, the logical command configures a single logical interface for all physical interfaces that belong to the group. The logical interface provides a logical link between its circuit's VNDs and one or more VLANs connected to the physical interfaces in the group.

You configure logical interfaces for a multi-link mode group interface if you wish to break up a VLAN trunk into multiple VLAN circuits configured for one or more VAP groups connected to the members of the group interface.

Use the no logical <logical_name> command to delete the specified logical interface from the group interface that you are configuring.

Syntax
logical <logical_name> ingress-vlan-tag {<VLAN_tag> | <lowest_VLAN_tag> <highest_VLAN_tag>}
no logical <logical_name>

Contexts and Subcommands


You access this command from the conf-group-intf context. You access this context from the main CLI context by issuing the configure group-interface command.

This command places you in the conf-group-intf-logical context in which you can map a VLAN circuit to the specified logical interface.

You can access the following command from this context:
- circuit (conf-group-intf-logical context)

Parameters
The following table lists the parameters used with this command.

Parameter                                                          Description
<logical_name>                                                     Name assigned to the logical interface that you wish to create, configure, or delete.
ingress-vlan-tag {<VLAN_ID> | <lowest_VLAN_ID> <highest_VLAN_ID>}  Configures the logical interface to create a logical link between a circuit's VNDs and either a single VLAN or a range of VLANs. Specify a single VLAN tag, <VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets with the specified VLAN tag. Specify this parameter with a range of VLAN tags, <lowest_VLAN_ID> <highest_VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets whose VLAN tags are within the specified range. Valid values for <VLAN_ID>, <lowest_VLAN_ID>, and <highest_VLAN_ID> are from 0 to 4094. NOTE: A single group interface or internal interface cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.

Restrictions
Default Privilege Level: 15

- Each VLAN circuit mapped to a logical interface must be assigned to at least one of the VAP groups that is connected to the group interface, and each VAP group's circuit configuration must include the default-egress-vlan-tag (conf-cct-vapgroup context) command.
- Each VLAN circuit mapped to a logical interface configured for an internal interface must be assigned only to the VAP group on which the VLAN connection terminates.
- A single group interface or internal interface cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.
- Multi-link mode group interface members cannot be used in interface redundancy configurations.

Example
In this example, we have configured a group interface called testgrpint to operate in Multi-link Mode. This group interface is mapped to the VAP group testvapgroup. We have configured the following interfaces as members of the group interface called testgrpint:

Gigabit Ethernet interface 1/2
Gigabit Ethernet interface 1/3

The group interface called testgrpint bonds Gigabit Ethernet interfaces 1/2 and 1/3 into a single logical interface and uses the circuit testgrp to pass traffic between this interface and the VAP group called testvapgroup.

We wish to create separate connections for VLANs 101 and 102 with the members of the VAP group called testvapgroup. To do this, we need to create circuits for the VLANs for the VAP group testvapgroup and then create logical interfaces for the group interface called testgrpint for each VLAN circuit.

NOTE: In the conf-group-intf context, the logical command creates a logical interface and maps an existing circuit to the logical interface. However, for reference, the following example includes the circuit configuration steps as well.


The following commands create two circuits called vlan101 and vlan102. The VAP group called testvapgroup will use the circuit called vlan101 to connect to VLAN 101, and will use the circuit called vlan102 to connect to VLAN 102.

CBS# configure circuit vlan101
CBS(conf-cct)# device-name vlan101
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# default-egress-vlan-tag 101
CBS(conf-cct-vapgroup)# ip 10.0.101.8/24 10.0.101.255
CBS(conf-cct-vapgroup-ip)# end
CBS# configure circuit vlan102
CBS(conf-cct)# device-name vlan102
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# default-egress-vlan-tag 102
CBS(conf-cct-vapgroup)# ip 10.0.102.8/24 10.0.102.255
CBS(conf-cct-vapgroup-ip)# end
CBS#

The following command places you in the conf-group-intf context in which you can configure the existing multi-link mode group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following commands create and configure a logical interface for the internal interface that belongs to the group interface called testgrpint for each VLAN circuit configured on the VAP group called testvapgroup, and map each VLAN circuit to a logical interface.

NOTE: See circuit (conf-group-intf-logical context) on page 516 for more information about the command used to create each circuit that you want to map to a logical interface.

CBS(conf-group-intf)# logical vlan101 ingress-vlan-tag 101
CBS(conf-group-intf-logical)# circuit vlan101
CBS(conf-group-intf-logical)# exit
CBS(conf-group-intf)# logical vlan102 ingress-vlan-tag 102
CBS(conf-group-intf-logical)# circuit vlan102
CBS(conf-group-intf-logical)# end
CBS#

circuit (conf-group-intf-logical context)


Maps the specified VLAN circuit to the logical interface that you are configuring for a group interface or for an internal interface that belongs to a group interface. Use the no parameter to remove the specified circuit from the logical interface that you are configuring.

Syntax
[no] circuit <circuit_name> [[no] flow-table-limit] [[no] fragment-handling-options] [[no] packet-validation]

Context
You access this command from the conf-group-intf-logical context. You access this context from the main CLI context by issuing the configure group-interface command to configure a specific group interface and then issuing the logical (conf-group-intf context) command to configure a logical interface for the specified group interface.


Parameters
The following table lists the parameters used with this command.

Parameter: <circuit_name>
Description: Name of the circuit that you wish to map to the logical interface that you are configuring. Use the show circuit command to display all current circuit configurations.

Parameter: [no] flow-table-limit
Description: Overrides the global action taken when the flow table limit has been reached. Has this additional parameter:
alternative-action pass Specifies that traffic should be passed after the flow table limit has been exceeded.

Parameter: [no] fragment-handling-options
Description: Enables or disables (using no) fragment handling protection, which overrides the global settings.

Parameter: [no] packet-validation
Description: Enables or disables (using no) packet validation, which overrides the global settings. Has these additional parameters:
[no] validate-ip-packet Overrides the global action for invalid IP packets.
[no] validate-tcp-packet Overrides the global action for invalid TCP packets.
[no] validate-tcp-xsum Overrides the global action for TCP packets with an invalid checksum.

Restrictions
Default Privilege Level: 15

Each VLAN circuit mapped to a logical interface must be assigned to at least one of the VAP groups that is connected to the group interface, and each VAP group's circuit configuration must include the default-egress-vlan-tag (conf-cct-vapgroup context) command.

Each VLAN circuit mapped to a logical interface configured for an internal interface must be assigned only to the VAP group on which the VLAN connection terminates.

Example
In this example, we have configured a group interface called testgrpint to operate in Multi-link Mode. This group interface is mapped to the VAP group testvapgroup. We have configured the following interfaces as members of the group interface called testgrpint:

Gigabit Ethernet interface 1/2
Gigabit Ethernet interface 1/3

The group interface called testgrpint bonds Gigabit Ethernet interfaces 1/2 and 1/3 into a single logical interface and uses the circuit testgrp to pass traffic between this interface and the VAP group called testvapgroup.

We wish to create separate connections for VLANs 101 and 102 with the members of the VAP group called testvapgroup. To do this, we need to create circuits for the VLANs for the VAP group testvapgroup and then create logical interfaces for the group interface called testgrpint for each VLAN circuit.


NOTE: In the conf-group-intf-logical context, the circuit command maps an existing circuit to the logical interface. However, for reference, the following example includes the circuit configuration steps as well.

The following commands create two circuits called vlan101 and vlan102. The VAP group called testvapgroup will use the circuit called vlan101 to connect to VLAN 101, and will use the circuit called vlan102 to connect to VLAN 102.

CBS# configure circuit vlan101
CBS(conf-cct)# device-name vlan101
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# default-egress-vlan-tag 101
CBS(conf-cct-vapgroup)# ip 10.0.101.8/24 10.0.101.255
CBS(conf-cct-vapgroup-ip)# end
CBS# configure circuit vlan102
CBS(conf-cct)# device-name vlan102
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# default-egress-vlan-tag 102
CBS(conf-cct-vapgroup)# ip 10.0.102.8/24 10.0.102.255
CBS(conf-cct-vapgroup-ip)# end
CBS#

The following command places you in the conf-group-intf context in which you can configure the existing multi-link mode group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following commands create and configure a logical interface for the internal interface that belongs to the group interface called testgrpint for each VLAN circuit configured on the VAP group called testvapgroup, and map each VLAN circuit to a logical interface.

NOTE: See logical (conf-group-intf context) on page 514 for more information about the command used to map each circuit to its logical interface.

CBS(conf-group-intf)# logical vlan101 ingress-vlan-tag 101
CBS(conf-group-intf-logical)# circuit vlan101
CBS(conf-group-intf-logical)# exit
CBS(conf-group-intf)# logical vlan102 ingress-vlan-tag 102
CBS(conf-group-intf-logical)# circuit vlan102
CBS(conf-group-intf-logical)# end
CBS#

MAC Address Inheritance


If you use the logical command to map additional circuits (e.g. VLANs) to a multi-link mode group interface, the VLAN circuit does not inherit the mode circuit's MAC address. If the user changes the MAC address on the mode circuit, the VLAN circuits will retain their originally configured MAC addresses.


show (conf-group-intf context)


Displays the current configuration settings for the group interface that you are configuring and for each member of that group interface.

Syntax
show

Context
You access this command from the conf-group-intf context. You access this context from the main CLI context by issuing the configure group-interface command.

Output
The output for this command has the following format:

Group Name                               : <group_interface_name>
Mode                                     : [multi-link]
Mode Circuit                             : [<template_circuit_name>]
Traffic Cleaning Validation:
Interface Type                           : {gigabitethernet | 10gigabitethernet}
Enable (true/false)                      : {t | f}
Auto Negotiate Enabled (true/false)      : {t | f}
Media Speed (Mbits)                      : {auto | 100 | 10}
Duplex Mode                              : {auto | full | half}
Pause Frame (true/false)                 : {t | f}
Included Group                           : <group_interface_name>
Physical Interface (Device) [en/disable] : {gigabitethernet | 10gigabitethernet} <slot>/<port> (<device_name>) [{enable | disable}]
Logical Interface (Circuit)              : <logical_interface_name> ingress-vlan-tag <lowest_VLAN_tag> <highest_VLAN_tag> (<VLAN_circuit_name>)

The following table describes the information provided in each column/row.

Column/Row Heading: Group Name
Information Provided: Name of the group interface that you are configuring. See configure group-interface on page 496 for information about assigning a name to a new group interface.

Column/Row Heading: Mode
Information Provided: This row appears blank if the operating mode is not set for the group interface that you are configuring. Indicates the operating mode setting for the group interface that you are configuring:
multi-link Group interface is configured to operate in Multi-link Mode. Group interface members are configured as members of a link aggregation group (LAG).
See mode (conf-group-intf context) on page 497 for information about setting the operating mode for a group interface.

Column/Row Heading: Mode Circuit
Information Provided: This row appears blank if the operating mode is not set for the group interface that you are configuring. Name of the template circuit mapped to this group interface. See mode (conf-group-intf context) on page 497 for information about setting the operating mode for a group interface and mapping a template circuit to that group interface.

Column/Row Heading: Interface Type
Information Provided: Indicates the Ethernet interface type setting for the group interface that you are configuring:
gigabitethernet Default setting. Ethernet interface type is set to Gigabit Ethernet.
10gigabitethernet Ethernet interface type is set to 10 Gigabit Ethernet.
XOS applies the specified Ethernet interface type setting to all members of the group interface that you are configuring. All Network Processor Module (NPM) interfaces that you configure as members of this group interface must be of the specified interface type. See interface-type (conf-group-intf context) on page 500 for information about setting the interface type for a group interface.

Column/Row Heading: Enable (true/false)
Information Provided: Indicates whether the group interface is enabled (t) or disabled (f). Default is enabled (t). If a group interface is disabled, NPMs do not allow traffic to pass through any of the physical interfaces that belong to the group interface. See enable (conf-grp-intf-intf context) on page 512 for information about enabling and disabling a group interface.

Column/Row Heading: Auto Negotiate Enabled (true/false)
Information Provided: Indicates whether auto-negotiation is enabled (t) or disabled (f) on the physical interfaces that belong to the group interface that you are configuring. Default is enabled (t).
NOTE: This setting applies to all physical interfaces that belong to this group interface.
See auto-negotiate (conf-grp-intf-gig context) on page 503 for information about enabling and disabling auto-negotiation on the physical interfaces that belong to a group interface.


Column/Row Heading: Media Speed (Mbits)
Information Provided: Media speed setting for the physical interfaces that belong to the group interface that you are configuring. This row displays one of the following keywords:
auto Indicates that auto-negotiation is enabled on the interface. When an external system establishes a connection with the X-Series Platform using this interface, the X-Series Platform works with the external system to choose the optimal media speed for that connection.
100 Media speed is 100 Mbps. This is the default setting when auto-negotiation is disabled.
10 Media speed is 10 Mbps.
NOTE: This setting applies to all physical interfaces that belong to this group interface.
See media-speed (conf-grp-intf-gig context) on page 506 for information about setting the media speed for the physical interfaces that belong to a group interface.

Column/Row Heading: Duplex Mode
Information Provided: Duplex mode setting for the physical interfaces that belong to the group interface that you are configuring. This row displays one of the following keywords:
auto Indicates that auto-negotiation is enabled on the interface. When an external system establishes a connection with the X-Series Platform using this interface, the X-Series Platform works with the external system to choose the optimal duplex mode for that connection.
full Interface is operating in full-duplex mode. This is the default setting when auto-negotiation is disabled.
half Interface is operating in half-duplex mode.
NOTE: This setting applies to all physical interfaces that belong to this group interface.
See duplex-mode (conf-grp-intf-gig context) on page 504 for information about setting the duplex mode for the physical interfaces that belong to a group interface.

Column/Row Heading: Pause Frame (true/false)
Information Provided: Indicates whether PAUSE frame support is enabled (t) or disabled (f) for the physical interfaces that belong to the group interface that you are configuring. Default is enabled (t).
NOTE: This setting applies to all physical interfaces that belong to this group interface.
See pause-frame (conf-grp-intf-gig or conf-grp-intf-10gig context) on page 502 for information about enabling and disabling PAUSE frame support for the physical interfaces that belong to a group interface.


Column/Row Heading: Physical Interface (Device) [en/disable]
Information Provided: This row appears only if you have configured a physical interface as a member of the group interface that you are configuring. The output for the show command includes one Physical Interface row for each physical interface that belongs to the group interface that you are configuring. Each row displays information in the following format:

{gigabitethernet | 10gigabitethernet} <slot>/<port> (<device_name>) [{enable | disable}]

where:
{gigabitethernet | 10gigabitethernet} indicates whether the physical interface is a Gigabit Ethernet interface or a 10 Gigabit Ethernet interface.
NOTE: Each physical interface must be of the Ethernet interface type configured for the group interface.
<slot> is the chassis slot number assigned to the NPM on which you have configured the physical interface.
<port> is the NPM port number assigned to the physical interface.
{enable | disable} indicates whether the physical interface is enabled or disabled. Default is enabled. If an interface is disabled, the NPM does not allow traffic to pass through that interface, even if the group interface is enabled.
NOTE: See enable (conf-grp-intf-intf context) on page 512 for information about enabling and disabling individual physical interfaces that belong to a group interface.
See interface (conf-group-intf context) on page 510 for information about configuring a physical interface as a member of a group interface.


Column/Row Heading: Logical Interface (Circuit)
Information Provided: This row appears only if you have configured a logical interface for the group interface that you are configuring or for the internal interface that belongs to that group interface. The output for the show command includes one Logical Interface row for each logical interface that you have configured. Each row displays information in the following format:

<logical_interface_name> ingress-vlan-tag <lowest_VLAN_tag> <highest_VLAN_tag> (<VLAN_circuit_name>)

where:
<logical_interface_name> is the name assigned to the logical interface.
<lowest_VLAN_tag> <highest_VLAN_tag> indicates the range of VLANs from which the VLAN circuit mapped to this logical interface can accept traffic.
NOTE: If both VLAN ID numbers are the same, the circuit accepts traffic only from the specified VLAN.
<VLAN_circuit_name> is the name of the VLAN circuit mapped to this logical interface.
See logical (conf-group-intf context) on page 514 for information about configuring a logical interface for a group interface or for an internal interface configured as a member of a group interface.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-group-intf context in which you can configure the existing transparent mode group interface called testgrpint.

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#


The following command displays the current configuration settings for the group interface called testgrpint and for the members of that group interface.

NOTE: This command displays some of the configuration settings that you would create if you issued the example commands that we have provided throughout this section.

CBS(conf-group-intf)# show
Group Name                               : testgrpint
Mode                                     : transparent
Mode Circuit                             : testgrp
Interface Type                           : gigabitethernet
Enable (true/false)                      : t
Auto Negotiate Enabled (true/false)      : f
Media Speed (Mbits)                      : 10
Duplex Mode                              : half
Pause Frame (true/false)                 : f
Physical Interface (Device) [en/disable] : gigabitethernet 1/2 (testdev12) [enable]
Logical Interface (Circuit)              : vlan101 ingress-vlan-tag 101 101 (vlan101)
Logical Interface (Circuit)              : vlan102 ingress-vlan-tag 102 102 (vlan102)
(1 row)
CBS(conf-group-intf)#
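The restriction that one group interface cannot carry logical interfaces with overlapping VLAN tag ranges can be checked offline against captured show output, using the Logical Interface (Circuit) row format documented above. The following Python is an added example, not part of the XOS documentation; the function names are hypothetical, and the guest and dmz rows in the sample are constructed to show an overlap.

```python
import re
from typing import NamedTuple

# Row format documented for the show command:
# Logical Interface (Circuit) : <name> ingress-vlan-tag <low> <high> (<circuit>)
ROW = re.compile(
    r"^Logical Interface \(Circuit\)\s*:\s*(?P<name>\S+)\s+ingress-vlan-tag\s+"
    r"(?P<low>\d+)\s+(?P<high>\d+)\s+\((?P<circuit>[^)]+)\)\s*$"
)

MAX_INGRESS_VLAN = 4094  # upper bound stated for ingress-vlan-tag


class Logical(NamedTuple):
    name: str
    low: int
    high: int
    circuit: str


def parse_logical_rows(show_output):
    """Extract logical interface rows; other rows of the output are ignored."""
    rows = []
    for line in show_output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        low, high = int(m["low"]), int(m["high"])
        if not 0 <= low <= high <= MAX_INGRESS_VLAN:
            raise ValueError(f"invalid VLAN range {low}-{high} on {m['name']}")
        rows.append(Logical(m["name"], low, high, m["circuit"]))
    return rows


def find_overlaps(rows):
    """Return (first, second, low, high) for each pair sharing VLAN tags."""
    overlaps = []
    ordered = sorted(rows, key=lambda r: (r.low, r.high))
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.low > a.high:
                break  # sorted by low, so no later range can reach back into a
            overlaps.append((a.name, b.name, b.low, min(a.high, b.high)))
    return overlaps


# First two logical rows are from the example above; guest and dmz are constructed.
SAMPLE_SHOW_OUTPUT = """\
Group Name                               : testgrpint
Logical Interface (Circuit)              : vlan101 ingress-vlan-tag 101 101 (vlan101)
Logical Interface (Circuit)              : vlan102 ingress-vlan-tag 102 102 (vlan102)
Logical Interface (Circuit)              : guest ingress-vlan-tag 250 260 (guestcct)
Logical Interface (Circuit)              : dmz ingress-vlan-tag 200 300 (dmzcct)
"""

if __name__ == "__main__":
    for first, second, low, high in find_overlaps(parse_logical_rows(SAMPLE_SHOW_OUTPUT)):
        print(f"{first} and {second} both accept VLAN tags {low}-{high}")
```
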

configure acl-interface
When you configure an individual physical interface on a Network Processor Module (NPM) to pass traffic between the X-Series Platform and an external network, or when you configure a group interface that includes one or more physical interfaces, you can define an access control list (ACL) for that individual interface or group interface. An ACL consists of a filter and an action. When you define an ACL for an interface, the NPMs inspect all packets arriving on that interface and perform the ACL's action on all packets that match the criteria defined in the filter.

NOTE: When you define an ACL for a group interface, the NPMs apply the ACL to all physical interfaces in the group.

The configure acl-interface command creates and configures a new ACL filter or configures the specified existing ACL filter. This command also places you in the conf-acl-intf context in which you can configure the specified ACL filter. After you have created and configured an ACL filter, you can use that filter for ACLs that you define for one or more individual physical interfaces and/or group interfaces.

Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.

Use the no parameter to delete the specified ACL filter.

NOTE: Before deleting an ACL filter, you must delete all interface ACL definitions that include that filter. Use the show acl-interface-mapping command to display a list of the ACLs defined for each physical interface and group interface configured on the X-Series Platform.


Syntax
configure [no] acl-interface <ACL_filter_name>

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the conf-acl-intf CLI context in which you can configure the specified ACL filter. You can access the following commands from this context:

direction (conf-acl-intf context) on page 526
vlan (conf-acl-intf context) on page 527
ether-type (conf-acl-intf context) on page 529
source-mac (conf-acl-intf context) on page 531
destination-mac (conf-acl-intf context) on page 533

Parameters
The following table lists the parameters used with this command.

Parameter: <ACL_filter_name>
Description: Name assigned to the ACL filter that you want to create, configure, or delete.

Restrictions
Default Privilege Level: 15

ACL mirroring can be done to more than one other interface provided that the target interfaces are on the same NPM.

Multiple ACL filters can be configured for the same interface. When a packet arrives on an interface, the NPM applies the filters to the packet one at a time, in the order that the filters were configured.

Remote mirroring (the mirrored port is on a different NPM than the source port) is not supported.

Remote pass-through (the destination port is on a different NPM than the source port) is not supported.

Before deleting an ACL filter, you must delete all interface ACL definitions that include that filter. Use the show acl-interface-mapping command to display a list of the ACLs defined for each physical interface and group interface configured on the X-Series Platform.

Example
The following command creates a new ACL filter called testmirroracl and places you in the conf-acl-intf context in which you can configure this ACL filter:

CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#


direction (conf-acl-intf context)


When you configure an individual physical interface on a Network Processor Module (NPM) to pass traffic between the X-Series Platform and an external network, or when you configure a group interface that includes one or more physical interfaces, you can define an access control list (ACL) for that individual interface or group interface. An ACL consists of a filter and an action. When you define an ACL for an interface, the NPMs inspect all packets arriving on that interface and perform the ACL's action on all packets that match the criteria defined in the filter.

NOTE: When you define an ACL for a group interface, the NPMs apply the ACL to all physical interfaces in the group.

The direction command defines flow direction filtering criteria for the ACL filter that you are configuring. When you configure an interface ACL that includes this filter, the NPM applies the ACL's action to traffic flowing into and/or out of the X-Series Platform, based on the parameter that you specify with the direction command:

ingress-only NPM applies the ACL's action only to traffic flowing into the X-Series Platform. This is the default flow direction filtering criteria defined when you create a new ACL filter.
egress-only NPM applies the ACL's action only to traffic flowing out of the X-Series Platform.
bidirectional NPM applies the ACL's action to all traffic flowing into and out of the X-Series Platform.

Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.

Syntax
direction {ingress-only | egress-only | bidirectional}

Context
You access this command from the conf-acl-intf context. You access this context from the main CLI context by issuing the configure acl-interface command.

Parameters
The following table lists the parameters used with this command.

Parameter: ingress-only
Description: Defines flow direction filtering criteria to match only ingress traffic. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action only to packets ingressing the X-Series Platform over the interface for which the ACL is defined. This is the default flow direction filtering criteria defined when you create a new ACL filter.

Parameter: egress-only
Description: Defines flow direction filtering criteria to match only egress traffic. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action only to packets egressing the X-Series Platform over the interface for which the ACL is defined.


Parameter: bidirectional
Description: Defines flow direction filtering criteria as all traffic flowing into and out of the X-Series Platform. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to all packets passing through the interface for which the ACL is defined.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-acl-intf context in which you can configure the ACL filter called testmirroracl:

CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#

The following command defines flow direction filtering criteria for the ACL filter called testmirroracl, such that the filtering criteria match only ingress traffic:

CBS(conf-acl-intf)# direction ingress-only
CBS(conf-acl-intf)#

When an interface ACL includes the filter called testmirroracl, the NPM applies the ACL's action only to packets ingressing the X-Series Platform over the interface for which the ACL is defined.

vlan (conf-acl-intf context)


When you configure an individual physical interface on a Network Processor Module (NPM) to pass traffic between the X-Series Platform and an external network, or when you configure a group interface that includes one or more physical interfaces, you can define an access control list (ACL) for that individual interface or group interface. An ACL consists of a filter and an action. When you define an ACL for an interface, the NPMs inspect all packets arriving on that interface and perform the ACL's action on all packets that match the criteria defined in the filter.

NOTE: When you define an ACL for a group interface, the NPMs apply the ACL to all physical interfaces in the group.

The vlan command defines VLAN tag filtering criteria for the ACL filter that you are configuring. When you configure an interface ACL that includes this filter, the NPM applies the ACL's action only to packets whose VLAN tags match the specified filtering criteria.

You can specify VLAN tag filtering criteria using a mask. When you configure an interface ACL that includes this filter, if you specify VLAN tag filtering criteria with a mask, the NPM applies the ACL's action to a packet only if its VLAN tag matches the specified VLAN tag when the specified mask is applied. If you specify a VLAN tag without a mask, the NPM applies the ACL's action to a packet only if its VLAN tag matches the specified VLAN tag.


Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.

Syntax
vlan {<VLAN_tag> | <VLAN_tag> <mask>}

Context
You access this command from the conf-acl-intf context. You access this context from the main CLI context by issuing the configure acl-interface command.

Parameters
The following table lists the parameters used with this command.

Parameter: <VLAN_tag>
Description: Defines VLAN tag filtering criteria, using the specified VLAN tag. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's VLAN tag matches the specified VLAN tag.
You can specify a VLAN tag in decimal or hexadecimal format. Valid decimal values are from 0 to 4095. Valid hexadecimal values are from 0x000 to 0x0fff.

Parameter: <VLAN_tag> <mask>
Description: Defines VLAN tag filtering criteria, using the specified VLAN tag and the specified mask. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's VLAN tag matches the specified VLAN tag when the specified mask is applied.
You can specify the VLAN tag and mask in decimal or hexadecimal format.
Valid decimal values for <VLAN_tag> are from 0 to 4095. Valid hexadecimal values are from 0x000 to 0x0FFF.
Valid decimal values for <mask> are from 0 to 4095. Valid hexadecimal values are from 0x000 to 0x0FFF.
NOTE: The X-Series Platform applies the mask in binary format, where 0s indicate wildcard bits. A packet's VLAN tag matches the specified VLAN tag if all their non-wildcard bits match.
To apply the ACL's action only to packets with the specified VLAN tag, use a mask of 0x0FFF.
To apply the ACL's action without considering a packet's VLAN tag, use a mask of 0x0000.

Restrictions
Default Privilege Level: 15


Example
The following command places you in the conf-acl-intf context in which you can configure the ACL filter called testmirroracl:

CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#

The following command defines VLAN tag filtering criteria for the ACL filter called testmirroracl, using the VLAN tag, 2000:

CBS(conf-acl-intf)# vlan 2000
CBS(conf-acl-intf)#

When an interface ACL includes the filter called testmirroracl, the NPM applies the ACL's action to a packet passing through the interface only if the packet's VLAN ID number is 2000.

ether-type (conf-acl-intf context)


When you configure an individual physical interface on a Network Processor Module (NPM) to pass traffic between the X-Series Platform and an external network, or when you configure a group interface that includes one or more physical interfaces, you can define an access control list (ACL) for that individual interface or group interface. An ACL consists of a filter and an action. When you define an ACL for an interface, the NPMs inspect all packets arriving on that interface and perform the ACL's action on all packets that match the criteria defined in the filter.

NOTE: When you define an ACL for a group interface, the NPMs apply the ACL to all physical interfaces in the group.

The ether-type command defines Ethernet type filtering criteria for the access control list (ACL) filter that you are configuring. When you configure an interface ACL that includes this filter, the NPM applies the ACL's action only to packets whose Ethernet type codes match the specified filtering criteria.

You can specify Ethernet type filtering criteria using a mask. When you configure an interface ACL that includes this filter, if you specify Ethernet type filtering criteria with a mask, the NPM applies the ACL's action to a packet only if its Ethernet type code matches the specified Ethernet type code when the specified mask is applied. If you specify an Ethernet type code without a mask, the NPM applies the ACL's action to a packet only if its Ethernet type code matches the specified Ethernet type code.

Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.

Syntax
ether-type {<Ethernet_type_code> | <Ethernet_type_code> <mask>}

Context
You access this command from the conf-acl-intf context. You access this context from the main CLI context by issuing the configure acl-interface command.


Parameters
The following table lists the parameters used with this command.

Parameter: <Ethernet_type_code>
Description: Defines Ethernet type filtering criteria, using the specified Ethernet type code. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's Ethernet type code matches the specified Ethernet type code.
You must specify the Ethernet type code in hexadecimal format. Valid values are from 0x0000 to 0xFFFF.

Parameter: <Ethernet_type_code> <mask>
Description: Defines Ethernet type filtering criteria, using the specified Ethernet type code and the specified mask. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's Ethernet type code matches the specified Ethernet type code when the specified mask is applied.
You must specify the Ethernet type code and mask in hexadecimal format.
Valid values for <Ethernet_type_code> are from 0x0000 to 0xFFFF.
Valid values for <mask> are from 0x0000 to 0xFFFF.
NOTE: The X-Series Platform applies the mask in binary format, where 0s indicate wildcard bits. A packet's Ethernet type code matches the specified Ethernet type code if all their non-wildcard bits match.
To apply the ACL's action only to packets with the specified Ethernet type code, use a mask of 0xFFFF.
To apply the ACL's action without considering a packet's Ethernet type code, use a mask of 0x0000.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-acl-intf context in which you can configure the ACL filter called testmirroracl:

CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#

The following command defines Ethernet code filtering criteria for the ACL filter called testmirroracl, using the Ethernet code, 0x0002:

CBS(conf-acl-intf)# ether-type 0x0002
CBS(conf-acl-intf)#

When an interface ACL includes the filter called testmirroracl, the NPM applies the ACL's action to a packet passing through the interface only if the packet's Ethernet type code is 0x0002.

source-mac (conf-acl-intf context)


When you configure an individual physical interface on a Network Processor Module (NPM) to pass traffic between the X-Series Platform and an external network, or when you configure a group interface that includes one or more physical interfaces, you can define an access control list (ACL) for that individual interface or group interface. An ACL consists of a filter and an action. When you define an ACL for an interface, the NPMs inspect all packets arriving on that interface and perform the ACL's action on all packets that match the criteria defined in the filter.

NOTE: When you define an ACL for a group interface, the NPMs apply the ACL to all physical interfaces in the group.

The source-mac command defines source MAC address filtering criteria for the access control list (ACL) filter that you are configuring. When you configure an interface ACL that includes this filter, the NPM applies the ACL's action only to packets whose source MAC addresses match the specified filtering criteria.

You can specify source MAC address filtering criteria using a mask. When you configure an interface ACL that includes this filter, if you specify source MAC address filtering criteria with a mask, the NPM applies the ACL's action to a packet only if its source MAC address matches the specified source MAC address when the specified mask is applied. If you specify a source MAC address without a mask, the NPM applies the ACL's action to a packet only if its source MAC address matches the specified source MAC address.

NOTE: You can configure an ACL filter with the source-mac command only if you also configure the filter with the direction ingress-only command. See direction (conf-acl-intf context) on page 526 for more information about this command.

Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.

Syntax
source-mac {<source_MAC_address> | <source_MAC_address> <mask>}

Context
You access this command from the conf-acl-intf context. You access this context from the main CLI context by issuing the configure acl-interface command.

Parameters
The following table lists the parameters used with this command.

Parameter: <source_MAC_address>
Description: Defines source MAC address filtering criteria, using the specified source MAC address. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's source MAC address matches the specified source MAC address. You must specify the source MAC address using the standard hexadecimal address format (aa:bb:cc:dd:ee:ff).

Parameter: <source_MAC_address> <mask>
Description: Defines source MAC address filtering criteria, using the specified source MAC address and the specified mask. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's source MAC address matches the specified source MAC address when the specified mask is applied. You must specify the source MAC address and mask using the standard hexadecimal address format (aa:bb:cc:dd:ee:ff).
NOTE: The X-Series Platform applies the mask in binary format, where 0s indicate wildcard bits. A packet's source MAC address matches the specified source MAC address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source MAC address, use a mask of ff:ff:ff:ff:ff:ff. To apply the ACL's action without considering a packet's source MAC address, use a mask of 00:00:00:00:00:00.

Restrictions
Default Privilege Level: 15

If you configure an ACL filter with source MAC address filtering criteria, you must also configure that filter with traffic flow direction filtering criteria that matches only ingress traffic. See direction (conf-acl-intf context) on page 526 for information about defining traffic flow direction filtering criteria for an ACL filter.

Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.

Example
The following command places you in the conf-acl-intf context in which you can configure the ACL filter called testmirroracl:

CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#

The following command defines source MAC address filtering criteria for the ACL filter called testmirroracl, using the source MAC address, 3f:03:d2:e0:01:02:

CBS(conf-acl-intf)# source-mac 3f:03:d2:e0:01:02
CBS(conf-acl-intf)#

When an interface ACL includes the filter called testmirroracl, the NPM applies the ACL's action to a packet passing through the interface only if the packet's source MAC address is 3f:03:d2:e0:01:02.

destination-mac (conf-acl-intf context)


When you configure an individual physical interface on a Network Processor Module (NPM) to pass traffic between the X-Series Platform and an external network, or when you configure a group interface that includes one or more physical interfaces, you can define an access control list (ACL) for that individual interface or group interface. An ACL consists of a filter and an action. When you define an ACL for an interface, the NPMs inspect all packets arriving on that interface and perform the ACL's action on all packets that match the criteria defined in the filter.

NOTE: When you define an ACL for a group interface, the NPMs apply the ACL to all physical interfaces in the group.

The destination-mac command defines destination MAC address filtering criteria for the access control list (ACL) filter that you are configuring. When you configure an interface ACL that includes this filter, the NPM applies the ACL's action only to packets whose destination MAC addresses match the specified filtering criteria.

You can specify destination MAC address filtering criteria using a mask. When you configure an interface ACL that includes this filter, if you specify destination MAC address filtering criteria with a mask, the NPM applies the ACL's action to a packet only if its destination MAC address matches the specified destination MAC address when the specified mask is applied. If you specify a destination MAC address without a mask, the NPM applies the ACL's action to a packet only if its destination MAC address matches the specified destination MAC address.

NOTE: You can configure an ACL filter with the destination-mac command only if you also configure the filter with the direction ingress-only command. See direction (conf-acl-intf context) on page 526 for more information about this command.

Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.

Syntax
destination-mac {<destination_MAC_address> | <destination_MAC_address> <mask>}

Context
You access this command from the conf-acl-intf context. You access this context from the main CLI context by issuing the configure acl-interface command.

Parameters
The following table lists the parameters used with this command.

Parameter: <destination_MAC_address>
Description: Defines destination MAC address filtering criteria, using the specified destination MAC address. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's destination MAC address matches the specified destination MAC address. You must specify the destination MAC address using the standard hexadecimal address format (aa:bb:cc:dd:ee:ff).

Parameter: <destination_MAC_address> <wildcard_mask>
Description: Defines destination MAC address filtering criteria, using the specified destination MAC address and the specified mask. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's destination MAC address matches the specified destination MAC address when the specified mask is applied. You must specify the destination MAC address and mask using the standard hexadecimal address format (aa:bb:cc:dd:ee:ff).
NOTE: The X-Series Platform applies the mask in binary format, where 0s indicate wildcard bits. A packet's destination MAC address matches the specified destination MAC address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination MAC address, use a mask of ff:ff:ff:ff:ff:ff. To apply the ACL's action without considering a packet's destination MAC address, use a mask of 00:00:00:00:00:00.

Restrictions
Default Privilege Level: 15

If you configure an ACL filter with destination MAC address filtering criteria, you must also configure that filter with traffic flow direction filtering criteria that matches only ingress traffic. See direction (conf-acl-intf context) on page 526 for information about defining traffic flow direction filtering criteria for an ACL filter.

Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.

Example
The following command places you in the conf-acl-intf context in which you can configure the ACL filter called testmirroracl:

CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#

The following command defines destination MAC address filtering criteria for the ACL filter called testmirroracl, using the destination MAC address, 00:03:d2:e0:01:02:

CBS(conf-acl-intf)# destination-mac 00:03:d2:e0:01:02
CBS(conf-acl-intf)#

When an interface ACL includes the filter called testmirroracl, the NPM applies the ACL's action to a packet passing through the interface only if the packet's destination MAC address is 00:03:d2:e0:01:02.
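The mask rule shared by the ether-type, source-mac and destination-mac commands (0 bits are wildcards) is modelled below in an added Python example that is not part of the XOS documentation or software. It evaluates filters against constructed Ethernet frames and flags masks that are broader than they look; the AclFilter class, its audit checks, and the rule that all criteria in one filter must match are assumptions of this sketch.

```python
import string
import struct


def parse_ether_type(text):
    """Parse a hexadecimal Ethernet type code or mask (0x0000 to 0xFFFF)."""
    if not text.lower().startswith("0x"):
        raise ValueError("expected hexadecimal such as 0x0800: %r" % text)
    value = int(text, 16)
    if not 0 <= value <= 0xFFFF:
        raise ValueError("out of range 0x0000-0xFFFF: %r" % text)
    return value


def parse_mac(text):
    """Parse aa:bb:cc:dd:ee:ff into a 48-bit integer."""
    octets = text.split(":")
    if len(octets) != 6 or not all(
        len(o) == 2 and all(c in string.hexdigits for c in o) for o in octets
    ):
        raise ValueError("expected aa:bb:cc:dd:ee:ff: %r" % text)
    return int("".join(octets), 16)


def masked_match(value, pattern, mask):
    """True when value and pattern agree on every bit where mask is 1 (0 = wildcard)."""
    return ((value ^ pattern) & mask) == 0


def values_covered(mask, width):
    """Number of distinct field values a mask admits: 2 ** (number of wildcard bits)."""
    ones = bin(mask & ((1 << width) - 1)).count("1")
    return 1 << (width - ones)


def parse_ethernet_header(frame):
    """Return (dst_mac, src_mac, ether_type) as integers from an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = int.from_bytes(frame[0:6], "big")
    src = int.from_bytes(frame[6:12], "big")
    (ether_type,) = struct.unpack("!H", frame[12:14])
    return dst, src, ether_type


class AclFilter:
    """Hypothetical model of one filter; criteria use the CLI argument form 'value [mask]'."""

    FIELDS = {  # criterion name -> (parser, field width in bits)
        "ether-type": (parse_ether_type, 16),
        "source-mac": (parse_mac, 48),
        "destination-mac": (parse_mac, 48),
    }

    def __init__(self, name, criteria):
        self.name = name
        self.rules = {}
        for field, text in criteria.items():
            parse, width = self.FIELDS[field]
            args = text.split()
            if len(args) not in (1, 2):
                raise ValueError("%s takes a value and an optional mask" % field)
            pattern = parse(args[0])
            # No mask given means an exact match, i.e. a mask of all ones.
            mask = parse(args[1]) if len(args) == 2 else (1 << width) - 1
            self.rules[field] = (pattern, mask)

    def matches(self, frame):
        """Assumption: every criterion configured on the filter must match."""
        dst, src, ether_type = parse_ethernet_header(frame)
        seen = {"ether-type": ether_type, "source-mac": src, "destination-mac": dst}
        return all(masked_match(seen[f], p, m) for f, (p, m) in self.rules.items())

    def audit(self):
        """Flag criteria that are broader than the configured value suggests."""
        findings = []
        for field, (pattern, mask) in self.rules.items():
            if mask == 0:
                findings.append("%s: mask is all zeros, every packet matches" % field)
            elif pattern & ~mask:
                findings.append("%s: value bits under wildcard positions are ignored" % field)
        return findings


def build_frame(dst, src, ether_type, payload=b"\x00" * 46):
    """Build a constructed, untagged Ethernet II frame for testing."""
    return (parse_mac(dst).to_bytes(6, "big") + parse_mac(src).to_bytes(6, "big")
            + struct.pack("!H", ether_type) + payload)


# Constructed sample frames; the MAC addresses are the ones used in the examples above.
IPV4 = build_frame("00:03:d2:e0:01:02", "3f:03:d2:e0:01:02", 0x0800)
ARP = build_frame("00:03:d2:e0:01:02", "3f:03:d2:e0:01:02", 0x0806)
IPV6 = build_frame("00:03:d2:e0:01:02", "3f:03:d2:e0:01:02", 0x86DD)

if __name__ == "__main__":
    broad = AclFilter("broad", {"ether-type": "0x0800 0xFF00"})
    for label, frame in (("IPv4", IPV4), ("ARP", ARP), ("IPv6", IPV6)):
        print(label, broad.matches(frame))
    print(values_covered(0xFF00, 16), "Ethernet type codes admitted by mask 0xFF00")
```

A mask of 0xFF00 on the value 0x0800 admits 256 type codes, including ARP (0x0806), so a filter intended for IPv4 only needs the full 0xFFFF mask.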

configure interface-status-group
This command ties the status of interfaces or group interfaces together. If all interfaces and group interfaces in an interface-status-group are UP, then the state of the interface-status-group is UP. If any interface in the group is DOWN, then the group state is DOWN.

Syntax
configure interface-status-group <group_name> [[10gigabitethernet <slot/port>] | [gigabitethernet <slot/port>] | [group-interface <group_interface_name>]]

Context
You enter this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: 10gigabitethernet <slot/port>
Description: The 10 Gigabit Ethernet port on an NPM to be included in the interface-status-group.

Parameter: gigabitethernet <slot/port>
Description: The Gigabit Ethernet port on an NPM to be included in the interface-status-group.

Parameter: group_interface_name
Description: The name of an existing group interface to be included in the interface-status-group.

Restrictions
Default Privilege Level: 15

Before an interface or group interface can be included in an interface-status-group, the interface or group interface must be configured.

Each interface in an interface-status-group cannot be included in any other interface-status-group.

Including a group interface in an interface-status-group is equivalent to including each individual member of the group interface in the interface-status-group. This means that:
- Neither the group interface nor any member of the group interface can be included in any other interface-status-group.
- You cannot include a group interface and a member of that group interface in the same interface-status-group. Doing so is equivalent to specifying the same interface twice.

configure acl-interface-mapping
This command maps a configured acl-interface to an interface or a group-interface.

Syntax
configure acl-interface-mapping [no] interface {gigabitethernet | 10gigabitethernet} <slot>/<port> [no] acl-interface <acl_interface_name> {capture | drop}

configure acl-interface-mapping [no] interface {gigabitethernet | 10gigabitethernet} <slot>/<port> [no] acl-interface <acl_interface_name> {mirror | pass-through} [no] {gigabitethernet | 10gigabitethernet} <slot>/<port>

configure acl-interface-mapping [no] group-interface <group_interface_name> [no] acl-interface <acl_interface_name> {capture | drop}

configure acl-interface-mapping [no] group-interface <group_interface_name> [no] acl-interface <acl_interface_name> {mirror | pass-through} [no] {gigabitethernet | 10gigabitethernet} <slot>/<port>

Context
You enter this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: gigabitethernet <slot>/<port>
Description: The Gigabit Ethernet port on an NPM to be mapped to an acl-interface.

Parameter: 10gigabitethernet <slot>/<port>
Description: The 10 Gigabit Ethernet port on an NPM to be mapped to an acl-interface.

Parameter: group-interface <group_interface_name>
Description: The name of the group-interface to be mapped to an acl-interface.

Parameter: acl-interface <acl_interface_name>
Description: The name of the acl-interface to be mapped to the specified interface.

Parameter: <action>
Description:
capture: Captures matched acl-interface and dumps to local eth2 interface on NPM.
drop: Drops packets on this interface on matched acl-interface.
mirror: Mirrors packets on matched acl-interface.
pass-through: Allows packets to pass-through on matched acl-interface.
NOTE: When you specify either the mirror or pass-through parameter, you must specify the type of interface and the slot and port numbers for the interface that will be either mirrored to or that will be the pass-through destination for the first interface that you specified in the command. You can specify multiple destination interfaces for both mirror and pass-through, but they must all be on the same NPM as the source interface.

Restrictions
Default Privilege Level: 15

Remote mirroring (the mirrored port is on a different NPM than the source port) is not supported.

Remote pass-through (the destination port is on a different NPM than the source port) is not supported.

An interface or group-interface must be configured before it is used as a target to pass-through or mirror traffic.

You can define multiple ACLs for the same interface. When a packet arrives on that interface, the NPM applies the ACLs to the packet one at a time, in the order in which the ACLs are configured. To reconfigure the precedence of acl-interface-mappings, you must delete mappings and then recreate them in the order you want.

You cannot configure an interface as a mirror or pass-through target for itself.

You cannot configure a single interface that is part of a group-interface to mirror traffic to a target interface. Instead, you must configure the entire group-interface to mirror the traffic to the target interface.

Multiple ACL filters with the same function (for example, bi-directional) but different names, cannot be configured in the same one-to-many mirroring mapping. In this configuration, none of the mirrored interfaces pass traffic.

Example 1
This example shows:
- The configuration of an interface
- The configuration of an acl-interface
- The mapping of the acl-interface to the interface
- The setting of the action to mirror with two different mirror interfaces specified

CBS# configure interface gigabitethernet 1/5
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/6
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/7
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure acl-interface testacl direction egress-only
CBS#
CBS# configure acl-interface-mapping
CBS(conf-acl-intf-map)# interface gigabitethernet 1/5
CBS(conf-acl-map-intf-gig)# acl-interface testacl mirror
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/6
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/7
CBS(conf-acl-map-intf-gig-mirror)# end
CBS#

Example 2
This example shows:
- The configuration of an interface
- The configuration of an acl-interface
- The mapping of the acl-interface to the interface
- The setting of the action to pass-through with two different pass-through interfaces specified

CBS# configure interface gigabitethernet 1/5
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/6
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/7
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure acl-interface acla direction ingress-only
CBS#
CBS# configure acl-interface-mapping
CBS(conf-acl-intf-map)# interface gigabitethernet 1/5
CBS(conf-acl-map-intf-gig)# acl-interface acla pass-through
CBS(conf-acl-map-intf-gig-pass-thru)# gigabitethernet 1/6
CBS(conf-acl-map-intf-gig-pass-thru)# gigabitethernet 1/7
CBS(conf-acl-map-intf-gig-pass-thru)# end
CBS#

Example 3
This example shows:
- The configuration of two interfaces
- The configuration of two acl-interfaces
- The mapping of the two acl-interfaces, each to one of the interfaces
- The setting of the action to mirror with two different mirror interfaces specified and with overlap (one or more of the mirror interfaces that are specified for the two acl-interfaces are the same)

CBS# configure interface gigabitethernet 1/4
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/5
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/6
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/7
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/8
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure acl-interface acla vlan 1000
CBS#
CBS# configure acl-interface aclb vlan 1000 0xffe
CBS#
CBS# configure acl-interface-mapping
CBS(conf-acl-intf-map)# interface gigabitethernet 1/4
CBS(conf-acl-map-intf-gig)# acl-interface acla mirror
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/6
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/7
CBS(conf-acl-map-intf-gig-mirror)# end
CBS#
CBS# configure acl-interface-mapping
CBS(conf-acl-intf-map)# interface gigabitethernet 1/5
CBS(conf-acl-map-intf-gig)# acl-interface aclb mirror
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/6
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/8
CBS(conf-acl-map-intf-gig-mirror)# end
CBS#

NOTE: The mapping of acl-interface acla overlaps the mapping of acl-interface aclb. They both are applied to interface gigabitethernet 1/6 and acla takes precedence because it was configured first.
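The mirror and pass-through restrictions listed above can be checked against a planned change before it is entered. The Python sketch below is an added example, not Crossbeam tooling: it replays a transcript in the format of the examples, reports targets that are remote, unconfigured, or the source itself, and returns the order in which ACLs apply to an interface. The transcript is constructed, the finding names are hypothetical, and only physical-interface sources are handled.

```python
import re

PROMPT = re.compile(r"^CBS(\([^)]*\))?#\s*")
PORT_TYPES = ("gigabitethernet", "10gigabitethernet")
NEEDS_TARGET = ("mirror", "pass-through")


def parse_port(words):
    """['gigabitethernet', '1/5'] -> (1, 5); None if the words do not name a port."""
    if len(words) == 2 and words[0] in PORT_TYPES:
        m = re.fullmatch(r"(\d+)/(\d+)", words[1])
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def show(port):
    return "%d/%d" % port


def audit_transcript(text):
    """Replay a transcript; return (mappings, findings).

    mappings: dicts with source, acl, action and targets, in configured order.
    findings: (acl_name, rule, port) tuples for each restriction that is violated.
    """
    configured, mappings, findings = set(), [], []
    source = current = None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[:2] == ["configure", "interface"]:
            port = parse_port(words[2:4])
            if port:
                configured.add(port)
        elif words[0] == "interface":           # source, inside the mapping context
            source, current = parse_port(words[1:3]), None
        elif words[0] == "acl-interface" and source and len(words) == 3:
            current = {"source": source, "acl": words[1],
                       "action": words[2], "targets": []}
            mappings.append(current)
        elif words[0] == "end":
            source = current = None
        elif current and parse_port(words):     # a mirror or pass-through destination
            target = parse_port(words)
            current["targets"].append(target)
            acl = current["acl"]
            if current["action"] not in NEEDS_TARGET:
                findings.append((acl, "unexpected-target", show(target)))
            elif target == source:
                findings.append((acl, "self-target", show(target)))
            elif target[0] != source[0]:        # different slot means a different NPM
                findings.append((acl, "remote-target", show(target)))
            if target not in configured:        # must be configured before use
                findings.append((acl, "unconfigured-target", show(target)))
    for m in mappings:
        if m["action"] in NEEDS_TARGET and not m["targets"]:
            findings.append((m["acl"], "missing-target", show(m["source"])))
    return mappings, findings


def acl_order(mappings, source):
    """ACL names in the order they are applied to packets on the source port."""
    return [m["acl"] for m in mappings if m["source"] == source]


# Constructed transcript with deliberate mistakes (not taken from a real system).
SAMPLE_TRANSCRIPT = """\
CBS# configure interface gigabitethernet 1/5
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS# configure interface gigabitethernet 1/6
CBS(conf-intf-gig)# end
CBS# configure interface gigabitethernet 2/1
CBS(conf-intf-gig)# end
CBS# configure acl-interface testacl direction egress-only
CBS# configure acl-interface acla direction ingress-only
CBS# configure acl-interface-mapping
CBS(conf-acl-intf-map)# interface gigabitethernet 1/5
CBS(conf-acl-map-intf-gig)# acl-interface testacl mirror
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/6
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 2/1
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/7
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/5
CBS(conf-acl-map-intf-gig-mirror)# end
CBS# configure acl-interface-mapping
CBS(conf-acl-intf-map)# interface gigabitethernet 1/5
CBS(conf-acl-map-intf-gig)# acl-interface acla pass-through
CBS(conf-acl-map-intf-gig-pass-thru)# end
"""

if __name__ == "__main__":
    maps, problems = audit_transcript(SAMPLE_TRANSCRIPT)
    for problem in problems:
        print(*problem)
    print("order on 1/5:", acl_order(maps, (1, 5)))
```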

Commands for Configuring Interface Redundancy


This section describes the CLI commands that you can use to create and implement an interface redundancy configuration. This section contains the following command descriptions:
- configure redundancy-interface
- failovermode (conf-intf-redun context)

configure redundancy-interface
When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces. A logical interface creates a logical link between a circuit's VNDs and a physical interface on a Network Processor Module (NPM). You configure a logical interface on a physical interface and then map the logical interface to a circuit that you have assigned to one or more VAP groups. An NPM uses logical interface mapping to identify the VNDs that send and receive traffic over each of its physical interfaces.

One advantage of using logical interfaces to map circuit VNDs to physical interfaces is that you can easily configure interface redundancy for a VAP group. When one physical interface fails, its logical interfaces can be moved over to another functional physical interface. An interface redundancy configuration consists of one backup interface and one or more master interfaces that use the backup interface. In the event that a master interface fails, the logical interfaces move over to the backup interface, and the circuits mapped to those logical interfaces start sending and receiving traffic over the backup interface.

The configure redundancy-interface command configures a pair of interfaces to participate in an interface redundancy configuration. This command also places you in the conf-intf-redun context in which you can set the failover mode for the specified master/backup redundant interface pair.

NOTE: If you have more than one NPM in your chassis, you should configure master and backup interfaces on different NPMs. This way, if one NPM fails, the master interfaces configured on that NPM can failover to backup interfaces on a functional NPM.

NOTE: The configure redundancy-interface command allows you to configure only one master/backup redundant interface pair at a time. However, you can create multiple master/backup redundant interface pairs that include the same backup interface. Master interfaces that share the same backup interface are considered to be part of the same redundancy interface configuration.

Use the configure no redundancy-interface command to delete the specified master/backup interface redundancy pair. If the specified master interface is the only master interface in the redundancy interface configuration, the no redundancy-interface command also deletes the redundancy interface configuration.

Use the show redundancy-interface command to display all redundant interface pairs configured on the X-Series Platform.

Syntax
configure redundancy-interface master {gigabitethernet | 10gigabitethernet} <slot>/<port> backup {gigabitethernet | 10gigabitethernet} <slot>/<port> mac-usage {master | active}

configure no redundancy-interface master {gigabitethernet | 10gigabitethernet} <slot>/<port> backup {gigabitethernet | 10gigabitethernet} <slot>/<port>

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the conf-intf-redun context in which you can set the failover mode for the specified master/backup redundant interface pair. You can access the following command from this context: failovermode (conf-intf-redun context) on page 545

Inline Commands
The following table lists the CLI commands used inline with the configure interface-redundancy command.

Command: master {gigabitethernet | 10gigabitethernet} <slot>/<port>
Description: Configures the specified Network Processor Module (NPM) Ethernet interface as the master interface in the master/backup redundant interface pair that you are configuring. You specify an NPM Ethernet interface using its interface type (Gigabit Ethernet or 10 Gigabit Ethernet), its NPM slot number, and its NPM port number. For example, you specify the Gigabit Ethernet interface configured on port number 1 on the NPM installed in slot number 2 in the X-Series Platform, as follows: gigabitethernet 2/1
NOTE: The specified interface must be configured to pass traffic between the X-Series Platform and an external network. Use the show interface command to display the interfaces that are currently configured to pass traffic. See configure interface on page 467 for information about configuring an NPM interface to pass traffic.

Command: backup {gigabitethernet | 10gigabitethernet} <slot>/<port>
Description: Configures the specified Network Processor Module (NPM) Ethernet interface as the backup interface in the master/backup redundant interface pair that you are configuring. You specify an NPM Ethernet interface using its interface type (Gigabit Ethernet or 10 Gigabit Ethernet), its NPM slot number, and its NPM port number. For example, you specify the Gigabit Ethernet interface configured on port number 1 on the NPM installed in slot number 2 in the X-Series Platform, as follows: gigabitethernet 1/3
NOTE: The specified interface must be configured to pass traffic between the X-Series Platform and an external network. In addition, the specified interface must be configured with the standby-only (conf-intf-gig or conf-intf-10gig context) command. Use the configure interface command to configure an NPM interface to pass traffic. Use the show (conf-intf-gig or conf-intf-10gig context) command to determine whether an interface is configured with the standby-only command.

Parameters
The following table lists the parameters used with this command.

Parameter: mac-usage {master | active}
Description: Sets the MAC usage mode for the master/backup redundant interface pair that you are configuring. In the event of a redundant interface failover, the MAC usage mode determines whether the backup interface uses its own MAC address or the master interface's MAC address. You must specify one of the following MAC usage modes:
master: In the event of a failover, the system assigns the master interface's MAC address to the backup interface. This is the recommended setting.
active: In the event of a failover, the active interface uses its own MAC address. Therefore, the backup interface always uses its own MAC address rather than the master interface's MAC address.

Restrictions
Default Privilege Level: 15

A master interface cannot be configured with the standby-only (conf-intf-gig or conf-intf-10gig context) command.

A member of a group interface operating in Multi-link Mode cannot be configured as a backup interface.

A member of a group interface operating in Multi-link Mode cannot be configured as a redundant interface.

Example
In this example, we will create a master/backup redundant interface pair in which the master interface is 10 Gigabit Ethernet interface 1/12 and the backup interface is 10 Gigabit Ethernet interface 2/12.

The following commands configure 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network:

CBS# configure interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)# end
CBS#

The following commands configure 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 2 to pass traffic between the X-Series Platform and an external network, and configure the X-Series Platform to use this interface as a backup interface in an interface redundancy configuration:

CBS# configure interface 10gigabitethernet 2/12
CBS(conf-intf-10gig)# standby-only
CBS(conf-intf-10gig)# end
CBS#

The following command configures 10 Gigabit Ethernet interface 1/12 and 10 Gigabit Ethernet interface 2/12 as a master/backup redundant interface pair and places you in the conf-intf-redun context in which you can set the failover mode for this master/backup redundant interface pair.

CBS# configure redundancy-interface master 10gigabitethernet 1/12 backup 10gigabitethernet 2/12 mac-usage master
CBS(conf-intf-redun)#

failovermode (conf-intf-redun context)


Sets the failover mode for the master/backup redundant interface pair that you are configuring. The failover mode for a master/backup redundant interface pair determines the X-Series Platform's response to a master interface failure.

The default failover mode setting is preemption-on. If the failover mode is set to preemption-on, when the master interface fails, the backup interface services traffic until the master interface recovers. When the master interface recovers, it automatically resumes service. Traffic flow switches from master to backup and then back to master. Use the failovermode preemption-on command to restore this default setting.

Use the show redundancy-interface command to display the failover mode configured for each master/backup redundant interface pair configured on the X-Series Platform.

Syntax
failovermode {preemption-on | preemption-off | manual-swback | manual-failover | no-failover}

Context
You access this command from the conf-intf-redun context. You access this context from the main CLI context by issuing the configure redundancy-interface command.

Parameters
The following table lists the parameters used with this command.

Parameter: preemption-on
Description: Sets the failover mode for the master/backup redundant interface pair that you are configuring to preemption-on. If the failover mode is set to preemption-on, when the master interface fails, the backup interface services traffic until the master interface recovers. When the master interface recovers, it automatically resumes service. Traffic flow switches from master to backup and then back to master.
NOTE: This is the default failover mode setting for a new master/backup redundant interface pair.

Parameter: preemption-off
Description: Sets the failover mode for the master/backup redundant interface pair that you are configuring to preemption-off. If the failover mode is set to preemption-off, when the master interface fails, the backup physical interface services traffic. However, when the master interface recovers, it does not resume service.

Parameter: manual-swback
Description: Sets the failover mode for the master/backup redundant interface pair that you are configuring to manual-swback. If the failover mode is set to manual-swback, when the master interface fails, the backup physical interface services traffic. However, when the master interface recovers, you must manually switch over the traffic from the backup interface to the master interface. To manually switch over the traffic from the backup interface to the master interface, use the failovermode no-failover command.

Parameter: manual-failover
Description: Performs a manual failover operation. When you issue the failovermode command with the manual-failover parameter, traffic immediately switches from the active interface to the redundant interface.

Parameter: no-failover
Description: Sets the failover mode for the master/backup redundant interface pair that you are configuring to no-failover.
Usage Cases:
1. If the failover mode is set to no-failover at a time when neither the master nor the backup interface has failed, then later, when the master interface fails, the X-Series Platform takes no action. A master interface failure does not result in a failover event.
2. Under the following conditions, the no-failover command can be used to force a failback to the master:
- The backup interface has become the active interface because of a master interface failure.
- No automatic failback to the master interface (for example, preemption-off) has been configured.
- The master interface recovers.
NOTE: After you use the no-failover command to force a failback to the master interface, you must then configure the failovermode that you want.

Restrictions
Default Privilege Level: 15

Example
The following command configures 10 Gigabit Ethernet interface 1/12 and 10 Gigabit Ethernet interface 2/12 as a master/backup redundant interface pair and places you in the conf-intf-redun context, in which you can set the failover mode for this master/backup redundant interface pair.

CBS# configure redundancy-interface master 10gigabitethernet 1/12 backup 10gigabitethernet 2/12 mac-usage master
CBS(conf-intf-redun)#

The following command sets the failover mode for the above master/backup redundant interface pair to preemption-off:

CBS(conf-intf-redun)# failovermode preemption-off
CBS(conf-intf-redun)#

When 10 Gigabit Ethernet interface 1/12 fails, 10 Gigabit Ethernet interface 2/12 services traffic. However, when 10 Gigabit Ethernet interface 1/12 recovers, it does not resume service. After 10 Gigabit Ethernet interface 1/12 recovers, the following command forces a failback to the master interface (Gigabit Ethernet 1/12).

CBS(conf-intf-redun)# failovermode no-failover

After 10 Gigabit Ethernet interface 1/12 becomes master, you must then configure the failovermode that you want. For example:

CBS# configure redundancy-interface master 10gigabitethernet 1/12 backup 10gigabitethernet 2/12 mac-usage master failovermode preemption-off


8
Commands for Configuring and Managing Multi-System High-Availability
This chapter contains XOS commands related to configuring virtual router redundancy protocol (VRRP) for multi-system high-availability on the X-Series Platform. This section contains the following command descriptions:

configure management high-availability
auto-negotiate (conf-mgmt-ha context)
duplex-mode (conf-mgmt-ha context)
speed (conf-mgmt-ha context)
configure remote-box
configure vrrp failover-group
priority (conf-vrrp-group context)
preemption (conf-vrrp-group context)
advertise-interval (conf-vrrp-group context)
monitor-circuit (conf-vrrp-group context)
priority-delta (conf-vrrp-failover-cct context)
monitor-interface (conf-vrrp-group context)
priority-delta (conf-intf-gig or conf-intf-10gig context)
monitor-group-interface (conf-vrrp-group context)
priority-delta (conf-vrrp-failover-grpintf)
ospf-cost-increment (conf-vrrp-group context)
virtual-router (conf-vrrp-group context)
backup-stay-up (conf-vrrp-failover-vr context)
dist-port-threshold (conf-vrrp-failover-vr context)
mac-usage (conf-vrrp-failover-vr context)
priority-delta (conf-vrrp-failover-vr context)
vap-group (conf-vrrp-failover-vr context)
ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
verify-next-hop-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
priority-delta (conf-vrrp-vr-verify-next-hop context)
virtual-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
enable (conf-vrrp-group context)
configure vrrp vap-group
active-vap-threshold (conf-vrrp-vap-group context)
enable (conf-vrrp-vap-group context)
failover-group-list (conf-vrrp-vap-group context)
hold-down-timer (conf-vrrp-vap-group context)
priority-delta (conf-vrrp-vap-group context)
vrrp-relinquish-master


configure management high-availability


Configures a management interface on the CPM to function in a multi-system high-availability configuration and places you in the conf-mgmt-ha context in which you configure the high-availability interface. Use this command when you have a switch joining the high-availability interfaces (control link ports) of the two chassis and automatic setup of communication between high-availability interfaces either does not work, or you know in advance that auto-negotiation between these interfaces will not work. Repeat this process for the other chassis.

Syntax
configure management high-availability {cp1|cp2}

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the conf-mgmt-ha context, in which you configure the specified high-availability interface. You can access the following commands from this context:

auto-negotiate (conf-mgmt-ha context)
duplex-mode (conf-mgmt-ha context)
speed (conf-mgmt-ha context)

Parameters
The following table lists the parameters used with this command.

Parameter: cp1 | cp2
Description: Configures the primary (cp1) or secondary (cp2) CPM in your X-Series Platform.

Restrictions
Default privilege level: 15

Example
The following command configures the management high availability (HA) interface on the primary CPM designated as cp1 as the high-availability link to the management interface on the backup X-Series Platform.

CBS# configure management high-availability cp1
CBS(conf-mgmt-ha)#


auto-negotiate (conf-mgmt-ha context)


Enables auto-negotiation for the high-availability interface on the CPM. The no parameter removes auto-negotiation from the interface.

Syntax
[no] auto-negotiate

Context
You access this command from the conf-mgmt-ha context. You access this context from the main CLI context by issuing the configure management high-availability command.

Restrictions
Default privilege level: 15

Example
The following commands enable auto-negotiation on the high-availability interface on the cp1 CPM.

CBS# configure management high-availability cp1
CBS(conf-mgmt-ha)# auto-negotiate
CBS(conf-mgmt-ha)#

duplex-mode (conf-mgmt-ha context)


Sets the duplex-mode for the high-availability interface that you are configuring. The default setting is full-duplex. The no parameter restores the default setting.

Syntax
[no] duplex-mode {half | full}

Context
You access this command from the conf-mgmt-ha context. You access this context from the main CLI context by issuing the configure management high-availability command.

Parameters
The following table lists the parameters used with this command.

Parameter: half
Description: Sets the duplex mode to half-duplex for the high-availability interface that you are configuring.

Parameter: full
Description: Sets the duplex mode to full-duplex for the high-availability interface that you are configuring. This is the default value.


Restrictions
Default privilege level: 15

Example
The following commands configure the high-availability interface on the cp1 CPM to half duplex.

CBS# configure management high-availability cp1
CBS(conf-mgmt-ha)# duplex-mode half
CBS(conf-mgmt-ha)#

speed (conf-mgmt-ha context)


Sets the transmission speed for the high-availability interface that you are configuring. The default interface speed is 1000 Mb/s. The no parameter restores the default setting.

Syntax
[no] speed {10 | 100 | 1000}

Context
You access this command from the conf-mgmt-ha context. You access this context from the main CLI context by issuing the configure management high-availability command.

Parameters
The following table lists the parameters used with this command.

Parameter: 10
Description: Sets the interface speed to 10 Mb/s.

Parameter: 100
Description: Sets the interface speed to 100 Mb/s.

Parameter: 1000
Description: Sets the interface speed to 1000 Mb/s. This is the default value.

Restrictions
Default privilege level: 15

Example
The following commands set the transmission speed to 100 Mb/s for the high-availability interface on the CPM designated as cp1.

CBS# configure management high-availability cp1
CBS(conf-mgmt-ha)# speed 100
CBS(conf-mgmt-ha)#


configure remote-box
Configures the local X-Series Platform to use the Control Processor Module(s) on another X-Series Platform as backup CPMs in the event that the CPMs installed in the local X-Series Platform fail. A remote CPM is one that is installed in another X-Series Platform. You specify a remote CPM using one or more of these five addresses:

Internal IP address of remote Primary CPM (for example, 1.1.<System ID>.20)
Management Interface 1 IP address of remote CP1
Management Interface 2 IP address of remote CP1
Management Interface 1 IP address of remote CP2
Management Interface 2 IP address of remote CP2

NOTE: By default, Management Interfaces 1 and 2 are disabled on a CPM. To enable either management interface, you must first assign an IP address to it.

NOTE: Issue the show internal-ip command on the remote X-Series Platform to display the internal IP address assigned to the current primary CPM. To obtain the IP addresses of the management interfaces on the primary and secondary CPMs, use the configure management command, specifying the interface that you want. When you are in the conf-mgmt-gig context, enter the show command.

NOTE: You can use the remote-box command to specify additional backup CPMs (one command for each remote chassis).

Use the no parameter to delete the specified IP addresses from the remote-box configuration for your X-Series Platform.

Syntax
configure [no] remote-box <system_id> <ipAddr1> [<ipAddr2>] [<ipAddr3>] [<ipAddr4>] [<ipAddr5>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <system_id>
Description: Identifier for the X-Series Platform that you want to use as a backup. Each X-Series Platform must have a unique ID. Values are 1 to 255.

Parameter: <ipAddr1> through <ipAddr5>
Description: IP address of the interfaces listed earlier in this section.

Restrictions
Default privilege level: 15
You can configure a maximum of five addresses for any one X-Series Platform.


Example
The command at the end of this example specifies all five possible interfaces on a remote chassis with these characteristics:

System ID: 35
Remote Primary CPM HA Port (internal) IP address: 1.1.35.20
Remote CP1
   Management Port 1 (eth2) IP address: 192.168.64.146
   Management Port 2 (eth3) IP address: 192.168.64.137
Remote CP2
   Management Port 1 (eth2) IP address: 192.168.64.147
   Management Port 2 (eth3) IP address: 192.168.64.138

CBS# configure remote-box 35 1.1.35.20 192.168.64.137 192.168.64.138 192.168.64.146 192.168.64.147
CBS#

configure vrrp failover-group


A Virtual Router Redundancy Protocol (VRRP) failover group is a group of Virtual Routers (VRs), circuits, and interfaces that are configured to participate in a multi-system High Availability (HA) configuration. A Virtual Router (VR) is used to provide HA support for the Virtual Network Devices (VNDs) that XOS creates for a circuit on a virtual application processor (VAP) group. You must configure a VR for each VAP group whose circuit VNDs you want to configure for HA. Each failover group needs a counterpart failover group on each X-Series Platform participating in VRRP multi-box redundancy. Only a failover group, not the entire system or an individual VAP group, can fail over. The configure vrrp failover-group command creates and configures a failover group, or configures the specified existing VRRP failover group. This command also places you in the conf-vrrp-group context in which you can configure the specified VRRP failover group. Use the configure vrrp no failover-group command to delete the specified VRRP failover group.

Syntax
configure vrrp failover-group <name> failover-group-id <id_number>
configure vrrp no failover-group <name>

Contexts and Subcommands

You access this command from the main CLI context. This command places you in the conf-vrrp-group context, in which you configure the specified VRRP failover group. You can access the following commands from this context:

priority (conf-vrrp-group context)
preemption (conf-vrrp-group context)
advertise-interval (conf-vrrp-group context)
monitor-circuit (conf-vrrp-group context)
priority-delta (conf-vrrp-failover-cct context)
monitor-interface (conf-vrrp-group context)
priority-delta (conf-intf-gig or conf-intf-10gig context)
monitor-group-interface (conf-vrrp-group context)
priority-delta (conf-vrrp-failover-grpintf)
ospf-cost-increment (conf-vrrp-group context)
virtual-router (conf-vrrp-group context)
enable (conf-vrrp-group context)

Parameters
The following table lists the parameters used with this command.

Parameter: failover-group <name>
Description: Alphanumeric name for the group. This can be a new name to create a group, or the name of an existing group to modify its configuration. Use no to delete an existing group. The name must be 80 characters or fewer.

Parameter: failover-group-id <id_number>
Description: Identifier for the failover group. Values can be 1 to 255. The identifier must be unique on the X-Series Platform, but the counterpart failover group on another X-Series Platform must have the same ID.

Restrictions
There is no hard limit on the number of VRRP MAC addresses you can assign; however, be aware that MAC addresses affect the APM VND driver performance.
A virtual router can have only one VAP group per circuit.
Default privilege level: 15

Example
The following command creates a VRRP failover group named vrrp_fw with a failover-group-id of 200 for a firewall application.

CBS# configure vrrp failover-group vrrp_fw failover-group-id 200
CBS(conf-vrrp-group)#

priority (conf-vrrp-group context)


Defines the priority level for a VRRP failover group. Valid values are 1 to 255. The default value is 100. The failover group with the highest priority becomes the master failover group. NOTE: If you use 255, preemption is automatically enabled. The no parameter restores the default value.


Syntax
[no] priority <priority_value>

Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <priority_value>
Description: Sets the priority to a value from 1 to 255. The failover group with the highest priority becomes the master failover group. The default value is 100.

Restrictions
Default Privilege Level: 15

Example
The following commands configure a VRRP failover group called vrrp_fw with a failover-group-id of 200 and then assign it a priority of 200.

CBS# configure vrrp failover-group vrrp_fw failover-group-id 200
CBS(conf-vrrp-group)# priority 200
CBS(conf-vrrp-group)#

preemption (conf-vrrp-group context)


Enables preemption for the VRRP failover group. When preemption is enabled, upon failure of the master failover group, the backup failover group services traffic, and the original master resumes being master when it becomes available. When preemption is disabled (using no), upon failure of the master failover group, the backup failover group services traffic, but the original master does not resume being master when it becomes available, unless the backup fails. By default, preemption is disabled.

Syntax
[no] preemption

Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command.

Restrictions
Default Privilege Level: 15


Example
The following commands configure preemption on a vrrp_fw failover group with a failover group id of 200.

CBS# configure vrrp failover-group vrrp_fw failover-group-id 200
CBS(conf-vrrp-group)# preemption
CBS#

advertise-interval (conf-vrrp-group context)


Sets the time interval, in seconds, between VRRP advertisements (messages sent by the current master failover group indicating the master group's presence and priority). The default value is 2 seconds. Valid values are 1 to 255. The no parameter restores the default value.

Syntax
[no] advertise-interval <number_of_seconds>

Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <number_of_seconds>
Description: Time in seconds between advertisements, from 1 to 255 seconds. The default time is 2 seconds. Use the no command to restore the value to the default.

Restrictions
Default privilege level: 15

Example
These commands set the advertise interval to 5 seconds on a vrrp_fw failover group with a failover group id of 200.

CBS# configure vrrp failover-group vrrp_fw failover-group-id 200
CBS(conf-vrrp-group)# advertise-interval 5

monitor-circuit (conf-vrrp-group context)


Configures VRRP health monitoring for the specified circuit, and places you in the conf-vrrp-failover-cct context, in which you can configure a priority-delta value for that circuit. If the link state of the circuit's Virtual Network Devices (VNDs) is Down, XOS subtracts the circuit's VRRP priority-delta value from the priority value for the VRRP failover group.

IMPORTANT: This command does not configure a circuit as a member of a VRRP failover group. A circuit can participate in a VRRP failover only if a Virtual Router is configured for the circuit.

Use the no parameter to delete the specified circuit VRRP health monitoring configuration.

Syntax
[no] monitor-circuit <circuit_name> <priority-delta>
[no] monitor-circuit <circuit_name>

Contexts and Subcommands


You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command. This command places you in the conf-vrrp-failover-cct context, in which you can configure a priority-delta value for the specified circuit. You can access the following command from this context:

priority-delta (conf-vrrp-failover-cct context)

Parameters
The following table lists the parameters used with this command.

Parameter: <circuit_name>
Description: Name of the circuit for which you want to configure VRRP health monitoring. NOTE: The specified circuit does not participate in a VRRP failover unless one or more Virtual Routers are configured for the circuit.

Restrictions
Default privilege level: 15

Example
The following command places you in the conf-vrrp-group context, in which you configure the monitoring interfaces for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw failover-group-id 200

The following command configures the vrrp_fw failover group with the lan circuit.

CBS(conf-vrrp-group)# monitor-circuit lan
CBS(conf-vrrp-failover-cct)#

priority-delta (conf-vrrp-failover-cct context)


VRRP reduces the VRRP priority by this value when the link state of the associated circuit is Down.

Syntax
priority-delta <delta_value>


Context
You access this command from the conf-vrrp-failover-cct context. You enter that context from the conf-vrrp-group context by issuing the configure vrrp failover-group command and then the monitor-circuit (conf-vrrp-group context) command.

Parameters
The following table lists the parameters used with this command.

Parameter: <delta_value>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the interface is Down. The default value is 1. A value of 0 (zero) turns off priority-delta.

Restrictions
Default privilege level: 15

Example
The following command places you in the conf-vrrp-group context, in which you configure the interfaces and priority delta for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

The following command assigns the lan circuit to the VRRP failover group:

CBS(conf-vrrp-group)# monitor-circuit lan
CBS(conf-vrrp-failover-cct)#

The following command assigns a priority-delta value of 105 to the lan circuit. VRRP uses this priority-delta value when the link state of the circuit is Down:

CBS(conf-vrrp-failover-cct)# priority-delta 105
CBS(conf-vrrp-failover-cct)#
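The priority and priority-delta rules above can be checked before a change is deployed. The following Python script is an added example, not part of the XOS documentation or of any Crossbeam software: it parses a constructed list of failover-group commands, validates the value ranges this reference states, and reports whether a single monitored circuit or interface going Down would leave the group's priority above, equal to, or below a peer group's priority. The function names, the peer priority argument, and the wan circuit are assumptions made for illustration.

```python
import re

# Ranges and defaults as stated in this reference.
RANGES = {"failover-group-id": (1, 255), "priority": (1, 255),
          "advertise-interval": (1, 255), "priority-delta": (0, 255)}
DEFAULT_PRIORITY = 100
DEFAULT_ADVERTISE_INTERVAL = 2
DEFAULT_DELTA = 1

# Strips a CLI prompt such as "CBS#" or "CBS(conf-vrrp-group)#" if present.
PROMPT = re.compile(r"^CBS(\([\w-]+\))?#\s*")


def _checked(group, key, text):
    """Return text as an int if it lies in the documented range, else None."""
    lo, hi = RANGES[key]
    if not text.isdecimal() or not lo <= int(text) <= hi:
        group["errors"].append(f"{key} {text}: must be {lo} to {hi}")
        return None
    return int(text)


def parse_group(lines):
    """Parse failover-group command lines into a dict of settings."""
    group = {"name": None, "id": None, "priority": DEFAULT_PRIORITY,
             "advertise-interval": DEFAULT_ADVERTISE_INTERVAL,
             "monitors": [], "errors": []}
    current = None  # monitor whose priority-delta may be set next
    for raw in lines:
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        arg = words[1] if len(words) > 1 else ""
        if words[:3] == ["configure", "vrrp", "failover-group"]:
            group["name"] = words[3] if len(words) > 3 else None
            if "failover-group-id" in words:
                after = words[words.index("failover-group-id") + 1:]
                group["id"] = _checked(group, "failover-group-id",
                                       after[0] if after else "")
            current = None
        elif words[0] in ("monitor-circuit", "monitor-interface"):
            current = {"target": " ".join(words[1:]), "delta": DEFAULT_DELTA}
            group["monitors"].append(current)
        elif words[0] == "priority-delta" and current is not None:
            current["delta"] = _checked(group, "priority-delta", arg)
        elif words[0] in ("priority", "advertise-interval"):
            group[words[0]] = _checked(group, words[0], arg)
            current = None
        else:
            group["errors"].append("unrecognized: " + " ".join(words))
    return group


def audit_monitors(group, peer_priority):
    """Report what one Down event does to this group's priority.

    peer_priority is an assumption: the priority of the counterpart
    failover group on the other chassis, taken to be healthy. Whether
    mastership actually moves also depends on preemption, which this
    check does not model.
    """
    findings = []
    for mon in group["monitors"]:
        if mon["delta"] is None or group["priority"] is None:
            continue  # already reported in group["errors"]
        remaining = group["priority"] - mon["delta"]
        if mon["delta"] == 0:
            verdict = "disabled"     # a delta of 0 turns priority-delta off
        elif remaining > peer_priority:
            verdict = "no-effect"    # group still has the highest priority
        elif remaining == peer_priority:
            verdict = "tie"
        else:
            verdict = "yields"       # peer now has the highest priority
        findings.append((mon["target"], remaining, verdict))
    return findings


# Constructed sample; prompts and context-navigation commands are omitted.
SAMPLE = [
    "configure vrrp failover-group vrrp_fw failover-group-id 200",
    "priority 200",
    "advertise-interval 5",
    "monitor-circuit lan",
    "priority-delta 105",
    "monitor-interface 10gigabitethernet 1/12",  # keeps the default delta of 1
    "monitor-circuit wan",                       # hypothetical circuit name
    "priority-delta 300",                        # outside the 0 to 255 range
]

if __name__ == "__main__":
    parsed = parse_group(SAMPLE)
    for err in parsed["errors"]:
        print("ERROR", err)
    for target, remaining, verdict in audit_monitors(parsed, peer_priority=100):
        print(f"{target}: priority {remaining} if Down -> {verdict}")
```

With a group priority of 200 and a peer at the default of 100, the interface monitor left at the default priority-delta of 1 never changes which group has the highest priority, while the lan circuit with a delta of 105 does.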

monitor-interface (conf-vrrp-group context)


Configures VRRP health monitoring for the specified Gigabit Ethernet or 10 Gigabit Ethernet interface, and places you in the conf-intf-gig or conf-intf-10gig context, in which you can configure a priority-delta value for that interface. If the link state of the interface is Down, XOS subtracts the interface's VRRP priority-delta value from the priority value for the VRRP failover group.

IMPORTANT: This command does not configure an interface as a member of a VRRP failover group. The interface does not participate in VRRP failovers.

Use the no parameter to delete the specified interface VRRP health monitoring configuration.

Syntax
[no] monitor-interface {gigabitethernet | 10gigabitethernet} <slot>/<port>

Contexts and Subcommands


You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command.

The monitor-interface gigabitethernet command places you in the conf-intf-gig context, in which you can configure the VRRP monitoring of the interface on the specified Gigabit Ethernet port on the NPM.

The monitor-interface 10gigabitethernet command places you in the conf-intf-10gig context, in which you can configure the VRRP monitoring of the interface on the specified 10 Gigabit Ethernet port on the NPM.

You can access the following commands from either the conf-intf-gig context or the conf-intf-10gig context:

priority-delta (conf-vrrp-failover-grpintf)

Inline Commands
The following table lists the CLI commands used inline with the monitor-interface command.

Command: gigabitethernet <slot>/<port>
Description: Configures VRRP health monitoring for the specified Gigabit Ethernet interface, and places you in the conf-intf-gig context in which you can configure a priority-delta value for that interface. You specify an interface using its NPM slot number and port number, separated by a forward slash (/) character.

Command: 10gigabitethernet <slot>/<port>
Description: Specifies the use of the 10 Gigabit Ethernet interface on the CPM. Configures VRRP health monitoring for the specified 10 Gigabit Ethernet interface, and places you in the conf-intf-10gig context in which you can configure a priority-delta value for that interface. You specify an interface using its NPM slot number and port number.

Restrictions
Default privilege level: 15

Example
The following command places you in the conf-vrrp-group context, in which you can configure the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw failover-group-id 200

The following command configures VRRP health monitoring for the 10 Gigabit Ethernet interface on port number 12 on the NPM installed in slot 1:

CBS(conf-vrrp-group)# monitor-interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#

priority-delta (conf-intf-gig or conf-intf-10gig context)


VRRP reduces the VRRP priority by this value when the link state of the associated interface is Down.

Syntax
priority-delta <delta_value>

Context
You access this command from either the conf-intf-gig or conf-intf-10gig context. You access this context from the main CLI context by issuing the configure vrrp failover-group command to configure a specific VRRP failover group and then issuing the monitor-interface (conf-vrrp-group context) command to configure VRRP health monitoring for a specific interface.

Parameters
The following table lists the parameters used with this command.

Parameter: <delta_value>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the interface is Down. The default value is 1. A value of 0 (zero) turns off priority-delta.

Restrictions
Default privilege level: 15

Example
The following command places you in the conf-vrrp-group context, in which you configure the interfaces and priority delta for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

The following command configures monitoring of a 10 Gigabit Ethernet interface (port 12) on the NPM in slot 1 for the VRRP failover group:

CBS(conf-vrrp-group)# monitor-interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#

The following command assigns a priority-delta value of 105 to the failover group's 10 Gigabit Ethernet interface that VRRP uses when the interface fails:

CBS(conf-intf-10gig)# priority-delta 105
CBS(conf-intf-10gig)#


monitor-group-interface (conf-vrrp-group context)


Configures VRRP health monitoring for the specified group interface, and places you in the conf-vrrp-failover-grpinf context, in which you can configure a priority-delta value for that group interface and a threshold for the number of ports that must be in the active, distributing state. If the number of ports in the active distributing state falls below the value of the dist-port-threshold parameter, or if the link state of the group-interface is Down, XOS subtracts the interface VRRP priority-delta value from the priority value for the VRRP failover group.

NOTE: This command does not configure a group-interface as a member of a VRRP failover group. The group-interface can be configured as part of the VRRP failover group or it can be independent from the failover group.

Use the no parameter to remove the specified group interface from the VRRP health monitoring configuration.

Syntax
monitor-group-interface <group_interface_name> <priority_delta> <dist-port-threshold>
no monitor-group-interface <group_interface_name>

Context
You access this command from the conf-vrrp-group context. You access this context by issuing the configure vrrp failover-group command to configure a specific VRRP failover group.

Parameters
The following table lists the parameters used with this command.

Parameter: <priority_delta>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the group interface is Down or if the number of ports in the active distributing state falls below the value of the dist_port_threshold parameter. The default value is 1. A value of 0 (zero) turns off priority-delta.

Parameter: <dist_port_threshold>
Description: Sets the minimum number of ports that must be in the active, distributing state. If the number of ports in that state falls below this threshold, the priority delta value is subtracted from failover group priority. Values range from 1 to 8.

Restrictions
Default privilege level: 15


Example
The following command places you in the conf-vrrp-group context, in which you configure the interfaces and priority delta for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

The following command configures monitoring of group interface (gig15_35) for the VRRP failover group:

CBS(conf-vrrp-group)# monitor-group-interface gig15_35
CBS(conf-vrrp-failover-grpinf)#

The following command assigns a priority-delta value of 205 to the group interface that VRRP uses when the interface fails:

CBS(conf-vrrp-failover-grpinf)# priority-delta 205
CBS(conf-vrrp-failover-grpinf)#

The following command configures the minimum number of active, distributing ports to 5. When the number of ports falls below this value, the VRRP priority delta value is subtracted from the failover group priority.

CBS(conf-vrrp-failover-grpinf)# dist-port-threshold 5
CBS(conf-vrrp-failover-grpinf)#

priority-delta (conf-vrrp-failover-grpintf)
VRRP reduces the VRRP priority by this value when the link state of the associated group-interface is Down or if the number of ports in the active distributing state falls below the value of the dist-port-threshold parameter.

Syntax
priority-delta <delta_value>

Context
You access this command from the conf-vrrp-failover-grpintf context. You access this context from the main CLI context by issuing the configure vrrp failover-group command to configure a specific VRRP failover group and then issuing the monitor-group-interface (conf-vrrp-group context) command to configure VRRP health monitoring for a specific group-interface.

Parameters
The following table lists the parameters used with this command.

Parameter: <delta_value>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the group-interface is Down or if the number of ports in the active distributing state falls below the value of the dist-port-threshold parameter. The default value is 1. A value of 0 (zero) turns off priority-delta.


Restrictions
Default privilege level: 15

Example
The following command places you in the conf-vrrp-group context, in which you configure the interfaces and priority delta for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

The following command configures monitoring of a 10 Gigabit Ethernet interface (port 12) on the NPM in slot 1 for the VRRP failover group:

CBS(conf-vrrp-group)# monitor-interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#

The following command assigns a priority-delta value of 105 to the failover group's 10 Gigabit Ethernet interface that VRRP uses when the interface fails:

CBS(conf-intf-10gig)# priority-delta 105
CBS(conf-intf-10gig)#

ospf-cost-increment (conf-vrrp-group context)


Configures the specified circuit as a member of the VRRP failover group that you are configuring, and directs the X-Series Platform to increase or decrease the OSPF link costs for the interfaces mapped to the specified circuit each time the VRRP failover group changes state. Any VRRP state transition from master to backup causes the OSPF link costs to increase. Any VRRP state transition from backup to master causes the OSPF link costs to return to their configured default values. This ensures that the Crossbeam Routing Software (RSW) always updates OSPF routes to include only the interfaces configured on the master VAP group.

Syntax
ospf-cost-increment circuit <circuit_name> <increment_cost>

Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <circuit_name>
Description: The circuit mapped to the OSPF interfaces whose link costs you want to increase when the VRRP failover group that you are configuring enters the backup state.

Parameter: <increment_cost>
Description: The amount by which the X-Series Platform increases or decreases the OSPF link cost of the interfaces mapped to the specified circuit when a VRRP failover takes place.


Restrictions
Default Privilege Level: 15

Example
Configures the circuit called ospf_circuit as a member of the VRRP failover group called vrrp_vap (failover group ID 2), and directs the X-Series Platform to increase or decrease the OSPF link costs for the interfaces mapped to the circuit called ospf_circuit each time the VRRP failover group called vrrp_vap changes state. Any VRRP state transition from master to backup causes the OSPF link costs to increase by 5. Any VRRP state transition from backup to master causes the OSPF link costs to decrease by 5. This ensures that the Crossbeam Routing Software (RSW) always updates OSPF routes to include only the interfaces configured on the master VAP group.

CBS# configure vrrp failover-group vrrp_vap1 failover-group-id 2
CBS(conf-vrrp-group)# ospf-cost-increment circuit ospf_circuit 5

virtual-router (conf-vrrp-group context)


Creates or modifies a virtual router and assigns a VRRP ID and a circuit to the virtual router. From this command, you can also assign a backup stay up parameter, mac usage, priority-delta, and a VAP group to the virtual router. The no parameter deletes the virtual router.

Syntax
[no] virtual-router vrrp-id <router_identifier> circuit <circuit_name>

Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command. This command places you in the conf-vrrp-failover-vr context. You can access the following commands from this context:

backup-stay-up (conf-vrrp-failover-vr context)
dist-port-threshold (conf-vrrp-failover-vr context)
mac-usage (conf-vrrp-failover-vr context)
priority-delta (conf-vrrp-failover-vr context)
vap-group (conf-vrrp-failover-vr context)

Parameters
The following table lists the parameters used with this command.

Parameter: vrrp-id <router_identifier>
Description: Sets a virtual router identifier that must be the same on the related virtual router on the backup X-Series Platform. Values range from 1 through 4096.

Parameter: circuit <circuit_name>
Description: Assigns an existing circuit to the virtual router.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.

CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#

backup-stay-up (conf-vrrp-failover-vr context)


Backup VRRP interfaces stay up even if the circuit is in VRRP backup mode. The no parameter disables this function.

Syntax
backup-stay-up

Context
You access this command from the conf-vrrp-failover-vr context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.

CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#

This command configures backup-stay-up for the virtual router.

CBS(conf-vrrp-failover-vr)# backup-stay-up
CBS(conf-vrrp-failover-vr)#

dist-port-threshold (conf-vrrp-failover-vr context)


Defines the number of ports that must be in the active distributing state. If the number of ports in that state falls below this value, the associated priority-delta is subtracted from the VRRP priority of the virtual router.

Syntax
dist-port-threshold <minimum_number_of_ports>

Context
You access this command from the conf-vrrp-failover-vr context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI.

Parameters
The following table lists the parameters used with this command.

Parameter: <minimum_number_of_ports>
Description: The minimum number of ports that must be in the active distributing state. Range: 1 to 8

Restrictions
Default Privilege Level: 15

mac-usage (conf-vrrp-failover-vr context)


Assigns a MAC address to the VRRP circuit as follows:

vrrp-mac: Unique VRRP MAC address generated on the basis of VRRP ID.
interface: MAC address configured on the physical interface. This is the default.

The no parameter removes the mac usage.

Syntax
[no] mac-usage {vrrp-mac | interface}

Context
You access this command from the conf-vrrp-failover-vr context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI.

Parameters
The following table lists the parameters used with this command.

Parameter: vrrp-mac
Description: Generates a VRRP MAC address based on the vrrp-id value assigned to the virtual router. For example, on a chassis with a System ID of 141, a generated MAC address would be: 00:32:D2:EX.XX.141 OR 00:32:D2:FX.XX.141 where X.XX are digits that are generated by XOS.

Parameter: interface
Description: Uses the physical interface MAC address. This is the default value.

Restrictions
There is no hard limit on the number of VRRP MAC addresses you can assign.
If the virtual router that you are configuring has an IPv6 address, only the vrrp-mac parameter is allowed.
Default Privilege Level: 15

Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.

CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#

This command configures mac-usage for the virtual router to use a generated VRRP MAC address based on the vrrp-id value. See vrrp-mac in the previous table.

CBS(conf-vrrp-failover-vr)# mac-usage vrrp-mac
CBS(conf-vrrp-failover-vr)#

priority-delta (conf-vrrp-failover-vr context)


Sets the priority-delta that is subtracted from the failover group's VRRP priority whenever the link state of an interface on the VRRP circuit is Down. The priority-delta can be 0 to 255. The default value is 1. The priority-delta is added back to the priority when the interface returns to the Up state.

Syntax
priority-delta <delta_value>

Context
You access this command from the conf-vrrp-failover-vr context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI.

Parameters
The following table lists the parameters used with this command.

Parameter: priority-delta <delta_value>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the interface is Down. The default value is 1. A value of 0 (zero) turns off priority-delta.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.

CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#

This command configures the priority-delta for the virtual router to 105.

CBS(conf-vrrp-failover-vr)# priority-delta 105
CBS(conf-vrrp-failover-vr)#

vap-group (conf-vrrp-failover-vr context)


Includes the circuit's VAP group in the failover group. Only one VAP group is allowed per circuit for a virtual router. Also, the circuit must already be mapped to the VAP group with configure circuit <name> vap-group <name>. The no parameter deletes the VAP group from the virtual router.

Syntax
vap-group <VAP_group_name>

Context
You access this command from the conf-vrrp-failover-vr context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI and then the virtual-router (conf-vrrp-group context) command. After using the vap-group command on a virtual router, you can configure the following:

ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
verify-next-hop-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
virtual-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)

Parameters
The following table lists the parameters used with this command:

Parameter: <VAP_group_name>
Description: Existing VAP group associated with the circuit.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.

CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#

This command assigns the fwvpn VAP group to the virtual router.

CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)#

ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)


Assign a unique IP address to the virtual router only when its circuit is NOT configured with an IP address. This address is considered to be the primary address. The no parameter deletes the IP address.

Syntax (IPv4)
ip {<IP_address> <netmask> | <IP_address>/<1-32>} [<broadcast_IP_address>] [increment-per-vap <IP_address>]
ip {<lowest_IP_address> <netmask> | <lowest_IP_address>/<1-32>} [<broadcast_IP_address>] [increment-per-vap <highest_IP_address>]
no ip

Syntax (IPv6)
ip <IP_address>/<1-128>
no ip

Context
You access this command from the conf-vrrp-vr-vapgroup context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI and then the virtual-router (conf-vrrp-group context) command and vap-group (conf-vrrp-failover-vr context) commands.

Parameters
The following table lists the parameters used with this command.

Parameter (IPv4): {<IP_address> <netmask> | <IP_address>/<1-32>}
Description: Assigns the specified primary IP address to the virtual router that you are configuring. You must specify the subnet mask for the primary IP address. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.

Parameter (IPv4): <broadcast_IP_address>
Description: Assigns the specified primary broadcast IP address to the circuit for the VAP group that you are currently configuring. By default, XOS determines the primary broadcast IP address for a circuit by applying the subnet mask specified for the primary IP address(es).
NOTE: The broadcast IP must match the primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group.

Parameter (IPv4): {<lowest_IP_address> <netmask> | <lowest_IP_address>/<1-32>} increment-per-vap <highest_IP_address>
Description: Assigns the specified range of consecutive primary IP addresses to the VNDs that XOS creates for the circuit on the VAP group that you are configuring. When you specify this parameter, XOS assigns a unique primary IP address to each VND. XOS assigns consecutive primary circuit IP addresses to consecutive VAP index numbers, with the lowest primary circuit IP address number assigned to VAP index number 1. You must specify the subnet mask for the lowest primary IP address in the range. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.

Parameter (IPv6): <IP_address>/<1-128>
Description: Assigns the specified primary IP address to the virtual router that you are configuring. You must specify the subnet mask for the primary IP address. You can specify a subnet mask in CIDR notation only (for example, fd00:1900:4545::f8ff:fe21:67ca/64).
NOTE: When using CIDR notation, you cannot use /0.

Restrictions
Default Privilege Level: 15
A primary, alias, VRRP, or virtual IPv4 address assigned to a circuit cannot have the subnet mask, 0.0.0.0.
If you specify an IPv4 or IPv6 address using CIDR notation, you cannot use /0.
The host portion of a primary, alias, VRRP, or virtual IP address cannot contain 0s.

Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.

CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#

This command assigns the fwvpn VAP group to the virtual router and an IP address of 192.168.2.103 with a mask of 24 in CIDR format.

CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# ip 192.168.2.104/24
CBS(conf-vrrp-vr-vapgroup)#

This command assigns the fwvpn VAP group to the virtual router and an IP address of fd00:1900:4545::f8ff:fe21:67ca with a mask of 64 in CIDR format.

CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# ip fd00:1900:4545::f8ff:fe21:67ca/64
CBS(conf-vrrp-vr-vapgroup)#

verify-next-hop-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)


Optionally, enter the next hop IP address to be verified before being used. The no parameter deletes the next hop IP address.

Syntax
[no] verify-next-hop-ip <IP_address>

Context
You access this command from the conf-vrrp-vr-vapgroup context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI and then the virtual-router (conf-vrrp-group context) command and vap-group (conf-vrrp-failover-vr context) commands. From this context, you can issue the following command:

priority-delta (conf-vrrp-vr-verify-next-hop context)

Use the priority-delta setting to help determine the failover action to take if the next-hop IP address cannot be reached.

Parameters
The following table lists the parameters used with this command.

Parameter: <IP_address>
Description: Specifies the next-hop IP address that the X-Series Platform must verify before using it.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.

CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#

IPv4

This command assigns the fwvpn VAP group to the virtual router and an IP address of 192.168.2.103 with a mask of 24 in CIDR format.

CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# ip 192.168.2.104/24
CBS(conf-vrrp-vr-vapgroup)#

This command adds a verify-next-hop-IP value of 192.168.2.1 to the VAP group assigned to the vrrp_fw failover group.

CBS(conf-vrrp-vr-vapgroup)# verify-next-hop-ip 192.168.2.1
CBS(conf-vrrp-vr-verify-next-hop)#

IPv6

This command assigns the fwvpn VAP group to the virtual router and an IP address of fd00:1545:be72:e5af::cf33:54aa with a mask of 64 in CIDR format.

CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# ip fd00:1545:be72:e5af::cf33:54aa/64
CBS(conf-vrrp-vr-vapgroup)#

This command adds a verify-next-hop-IP value of fd00:1545:be72:e5af::cf33:1 to the VAP group assigned to the vrrp_fw failover group.

CBS(conf-vrrp-vr-vapgroup)# verify-next-hop-ip fd00:1545:be72:e5af::cf33:1
CBS(conf-vrrp-vr-verify-next-hop)#

priority-delta (conf-vrrp-vr-verify-next-hop context)


Use priority-delta to decrement the failover group's VRRP priority whenever the next hop health check fails. The priority-delta value can be from 0 to 255. The default value is 1. The priority-delta is added back to the priority when the next hop address becomes reachable.

Syntax
priority-delta <delta_value>

Context
You access this command from the conf-vrrp-vr-verify-next-hop context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI and then the virtual-router (conf-vrrp-group context), vap-group (conf-vrrp-failover-vr context), and verify-next-hop-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4) commands.

Parameters
The following table lists the parameters used with this command.

Parameter: priority-delta <delta_value>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the interface is Down. The default value is 1. A value of 0 (zero) turns off priority-delta.

Restrictions
Default Privilege Level: 15

Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the virtual router with the lan circuit.

CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#

This command assigns the fwvpn VAP group to the virtual router and an IP address of 192.168.2.103 with a mask of 24 in CIDR format.

CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# ip 192.168.2.104/24
CBS(conf-vrrp-vr-vapgroup)#

This command adds a verify-next-hop-IP value of 192.168.2.1 and a priority-delta value of 105 to the VAP group assigned to the vrrp_fw failover group.

CBS(conf-vrrp-vr-vapgroup)# verify-next-hop-ip 192.168.2.1
CBS(conf-vrrp-vr-verify-next-hop)# priority-delta 105

virtual-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)


Assigns a unique virtual IP address to the virtual routers on two chassis. The virtual IP address is active (up) on the master failover group and inactive (down) on the other failover group. Upon failover, the virtual IP address associated with the virtual router on the other chassis becomes active as the failover group on that chassis becomes master, and the virtual IP address on the chassis that was originally master (and is now backup) becomes inactive. The no parameter deletes the virtual IP address.

Syntax (IPv4)
[no] virtual-ip {<IP_address> <netmask> | <IP_address>/<1-32>} [<broadcast_IP_address>] [increment-per-vap <IP_address>] [[no] floating]

Syntax (IPv6)
[no] virtual-ip <IP_address>/<1-128>
[no] virtual-ip

Context
You access this command from the conf-vrrp-vr-vapgroup context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI and then the virtual-router (conf-vrrp-group context) command and vap-group (conf-vrrp-failover-vr context) commands.

Parameters
The following table lists the parameters used with this command.

Parameter (IPv4): <IP_address> <netmask> | <IP_address>/<1-32>
Description: Assigns the specified virtual IP address to the virtual router that you are configuring. You must specify the subnet mask for the alias IP address. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.

Parameter (IPv4): <broadcast_IP_address>
Description: Assigns the specified virtual IP broadcast IP address to the virtual router for the VAP group that you are currently configuring. By default, XOS determines the virtual IP broadcast IP address for a circuit by applying the subnet mask specified for the virtual IP address(es).
NOTE: The broadcast IP must match the primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group.

Parameter (IPv4): {<lowest_IP_address> <netmask> | <lowest_IP_address>/<1-32>} increment-per-vap <highest_IP_address>
Description: Assigns the specified range of consecutive alias IP addresses to the VNDs that XOS creates for the virtual IP on the VAP group that you are configuring. When you specify this parameter, XOS assigns a unique virtual IP address to each VND. XOS assigns consecutive virtual IP addresses to consecutive VAP index numbers, with the lowest virtual IP address number assigned to VAP index number 1. You must specify the subnet mask for the lowest virtual IP address in the range. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.

Parameter (IPv4): [no] floating
Description: Assigns the virtual IP address to the master VAP, allowing traffic, cluster management, and synchronization communication to go directly to the master VAP. If a new master VAP is elected, the address floats (is assigned) to the new master. In a VRRP configuration, the floating parameter assigns the virtual IP address to the master VAP on the new master chassis in the event of a failover.
NOTE: This parameter can be used only with an IPv4 address.
NOTE: This parameter cannot be used with increment-per-vap.
NOTE: Only one floating address can be used with any one circuit.

Parameter (IPv6): <IP_address>/<1-128>
Description: Assigns the specified virtual IP address to the virtual router that you are configuring. You must specify the subnet mask for the alias IP address using CIDR notation (for example, fd00:1545:be72:e5af::cf33:54aa/64).
NOTE: When using CIDR notation, you cannot use /0.

Restrictions
Default Privilege Level: 15
A primary, alias, VRRP, or virtual IP address assigned to a circuit cannot have the subnet mask, 0.0.0.0.
If you specify an IP network for an IP address using CIDR notation, you cannot use /0.
The host portion of a primary, alias, VRRP, or virtual IP address cannot contain 0s.
The maximum number of virtual-ip addresses that can be configured on a given IP address is 99.

Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:

CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#

This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.

CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#

This command assigns the fwvpn VAP group to the virtual router and an IP address of 192.168.2.104 with a mask of 24 in CIDR format.

CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# virtual-ip 192.168.2.104/24
CBS(conf-vrrp-vr-vapgroup)#

This command assigns the fwvpn VAP group to the virtual router and an IP address of fd00:1545:be72:e5af::cf33:54aa with a mask of 64 in CIDR format.

CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# virtual-ip fd00:1545:be72:e5af::cf33:54aa/64
CBS(conf-vrrp-vr-vapgroup)#
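
The address rules listed under Restrictions for the ip and virtual-ip commands can be checked before the values are typed into the CLI. The following Python sketch is an added example, not Crossbeam code: the function names are hypothetical, and it reads "the host portion cannot contain 0s" as "the host portion cannot be all zeros", which is an assumption.

```python
import ipaddress


def check_address(address, mask, floating=False, increment_per_vap=None):
    """Return the documented restrictions violated by one ip / virtual-ip entry.

    address            IPv4 or IPv6 address string
    mask               prefix length ("24") or IPv4 dotted-quad mask ("255.255.0.0")
    floating           True if the floating keyword is used (virtual-ip only)
    increment_per_vap  highest address of the per-VAP range, or None
    An empty list means no documented restriction is violated.
    """
    ip = ipaddress.ip_address(address)
    bits = ip.max_prefixlen              # 32 for IPv4, 128 for IPv6
    mask = str(mask)

    if "." in mask:                      # dotted-quad subnet mask
        if ip.version == 6:
            return ["IPv6 accepts CIDR notation only"]
        if mask == "0.0.0.0":
            return ["subnet mask 0.0.0.0 is not allowed"]
        try:
            prefix = ipaddress.IPv4Network("0.0.0.0/" + mask).prefixlen
        except ValueError:
            return ["not a valid subnet mask: " + mask]
    else:                                # CIDR prefix length
        prefix = int(mask)
        if prefix == 0:
            return ["/0 is not allowed"]
        if not 1 <= prefix <= bits:
            return ["prefix length must be 1-%d" % bits]

    problems = []
    host_bits = bits - prefix
    # Assumed reading of "host portion cannot contain 0s": not all zeros.
    if host_bits and (int(ip) & ((1 << host_bits) - 1)) == 0:
        problems.append("host portion is all zeros")
    if floating and ip.version == 6:
        problems.append("floating can be used only with an IPv4 address")
    if floating and increment_per_vap is not None:
        problems.append("floating cannot be used with increment-per-vap")
    if increment_per_vap is not None:
        highest = ipaddress.ip_address(increment_per_vap)
        if highest.version != ip.version or highest < ip:
            problems.append("increment-per-vap address must not be below the lowest address")
    return problems


def per_vap_addresses(lowest, highest):
    """Map VAP index numbers to consecutive addresses, lowest address to index 1."""
    lo = ipaddress.ip_address(lowest)
    hi = ipaddress.ip_address(highest)
    return {i + 1: str(lo + i) for i in range(int(hi) - int(lo) + 1)}


if __name__ == "__main__":
    # Constructed sample entries; the first and fourth reuse addresses from the examples above.
    samples = [
        ("192.168.2.104", "24", False, None),
        ("10.15.3.5", "0.0.0.0", False, None),
        ("192.168.2.0", "24", False, None),
        ("fd00:1545:be72:e5af::cf33:54aa", "64", True, None),
    ]
    for address, mask, floating, highest in samples:
        print(address, mask, check_address(address, mask, floating, highest) or "ok")
    print(per_vap_addresses("192.168.2.104", "192.168.2.106"))
```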

enable (conf-vrrp-group context)


Enables the failover group to be used in the VRRP configuration. The no parameter disables the failover group.

Syntax
[no] enable

Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command.

Restrictions
Default privilege level: 15

configure vrrp vap-group


This command configures VAP groups for high-availability (HA). Enabling VRRP for a VAP group is only useful when the VAP group is included in a failover group using the configure vrrp failover-group command. Use no to disable VRRP on the VAP group and reset the configuration parameters to their default settings. A VAP group with VRRP disabled will not fail over even when the VAP group is included in a failover group.

Syntax
[no] configure vrrp vap-group <VAP_group_name>

Context
You access this command from the main CLI.

Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the VAP group to participate in high-availability.

Restrictions
Default privilege level: 15

Example
The following command enables the VAP group called vap_fw1 to participate in VRRP failovers and places you in the conf-vrrp-vap-group context in which you can configure VRRP parameters (for example, failover-group-list, hold-down-timer, and priority-delta) for that VAP group.

CBS# configure vrrp vap-group vap_fw1
CBS(conf-vrrp-vap-group)#

active-vap-threshold (conf-vrrp-vap-group context)


Defines the minimum required number of active VAPs in a VAP group. The default value is 1. The no parameter deletes the active vap threshold.

Syntax
[no] active-vap-threshold <number_of_active_VAPs>

Context
You access this command from the conf-vrrp-vap-group context. You access this context from the main CLI context by issuing the configure vrrp vap-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <number_of_active_VAPs>
Description: This value sets the minimum number of required active VAPs from 1 to 10. The default value is 1.

Restrictions
Default privilege level: 15

Example
CBS(conf-vrrp-vap-group)# active-vap-threshold 2
CBS(conf-vrrp-vap-group)#

enable (conf-vrrp-vap-group context)


Enables the VAP group to be used in the VRRP configuration. The no parameter disables the VRRP for this VAP group.

Syntax
[no] enable

Context
You access this command from the conf-vrrp-vap-group context. You access this context from the main CLI context by issuing the configure vrrp vap-group command.

Restrictions
Default privilege level: 15

Example
The following command enables the VAP group to be used in the VRRP configuration.

CBS(conf-vrrp-vap-group)# enable
CBS(conf-vrrp-vap-group)#

failover-group-list (conf-vrrp-vap-group context)


By default, the VAP group's priority-delta does not affect any failover group. You can configure this VAP group to affect various failover groups whether or not the failover group includes this VAP group. The no parameter removes all failover groups from this list.

Syntax
[no] failover-group-list <VRRP_failover_group_name> [<VRRP_failover_group_name>] [<VRRP_failover_group_name>]

Context
You access this command from the conf-vrrp-vap-group context. You access this context from the main CLI context by issuing the configure vrrp vap-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <VRRP_failover_group_name>
Description: The name of the first failover group to be affected by this VAP group.

Parameter: [<VRRP_failover_group_name>] [<VRRP_failover_group_name>]
Description: The names of additional failover groups to be affected by this VAP group.

Restrictions
Default privilege level: 15

Example
The following command assigns 3 failover groups to the failover-group-list for this VAP group.

CBS(conf-vrrp-vap-group)# failover-group-list vap_fw1 vap_fw2 vap_fw3
CBS(conf-vrrp-vap-group)#

hold-down-timer (conf-vrrp-vap-group context)


Number of seconds to wait before becoming VRRP master. Values range from 1 to 3600. The no parameter configures an immediate switch to becoming the VRRP master.

Syntax
[no] hold-down-timer <number_of_seconds>

Context
You access this command from the conf-vrrp-vap-group context. You access this context from the main CLI context by issuing the configure vrrp vap-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: <number_of_seconds>
Description: Specifies the time in seconds to wait to become the VRRP master. Values range from 1 to 3600 seconds.

Restrictions
Default privilege level: 15

Example
The following command sets the hold-down-timer to 10 seconds for the transition to becoming the VRRP master.

CBS(conf-vrrp-vap-group)# hold-down-timer 10
CBS(conf-vrrp-vap-group)#

priority-delta (conf-vrrp-vap-group context)


Decrements the associated failover group's VRRP priority whenever the number of active VAPs in the VAP group is less than the number configured by active-vap-threshold. The priority-delta can be 0 to 255, which is the number subtracted from the VRRP priority. The default value is 1. The priority-delta is added back to the priority when the number of active VAPs is equal to or greater than the active-vap-threshold.

Syntax
priority-delta <delta_value>

Context
You access this command from the conf-vrrp-vap-group context. You access this context from the main CLI context by issuing the configure vrrp vap-group command.

Parameters
The following table lists the parameters used with this command.

Parameter: priority-delta <delta_value>
Description: Sets a priority-delta value between 0 and 255 that is subtracted from the failover group priority when the number of active VAPs in the group falls below the value configured in active-vap-threshold. The default value is 1. A value of 0 (zero) turns off priority-delta.

Restrictions
Default privilege level: 15

Example
The following command sets a priority-delta value of 105 for the associated VAP group.

CBS(conf-vrrp-vap-group)# priority-delta 105
CBS(conf-vrrp-vap-group)#
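
The priority-delta settings in the conf-vrrp-failover-vr, conf-vrrp-vr-verify-next-hop, and conf-vrrp-vap-group contexts, and the delta tied to dist-port-threshold, are all subtracted from a failover group's priority, so whether a fault moves master status depends on the delta relative to the priority gap between the two chassis. The following Python model is an added example, not XOS code. Assumptions: the base priorities (200 and 100), all class and function names, the summing of several deltas, the floor at 0, and the rule that the higher effective priority holds master.

```python
from dataclasses import dataclass, field


@dataclass
class Monitor:
    """One watched condition that carries a priority-delta."""
    delta: int = 1            # documented default is 1; 0 turns the delta off
    failed: bool = False

    def __post_init__(self):
        if not 0 <= self.delta <= 255:
            raise ValueError("priority-delta must be 0 to 255")


@dataclass
class FailoverGroup:
    chassis: str
    base_priority: int        # constructed value; configured outside these commands
    monitors: dict = field(default_factory=dict)

    def watch(self, name, delta=1):
        """Register (or re-register) a condition with its priority-delta."""
        self.monitors[name] = Monitor(delta)

    def set_failed(self, name, failed):
        """Interface link state Down, or next-hop health check failed."""
        self.monitors[name].failed = failed

    def set_count(self, name, observed, threshold):
        """active-vap-threshold / dist-port-threshold: fault while observed < threshold."""
        self.monitors[name].failed = observed < threshold

    def effective_priority(self):
        # Deltas of all failed conditions are summed (assumption) and the
        # result is floored at 0 (assumption). A cleared condition simply
        # stops contributing, which models "added back to the priority".
        lost = sum(m.delta for m in self.monitors.values() if m.failed)
        return max(0, self.base_priority - lost)


def master(current, other):
    """Group holding master; a tie stays with the current master (assumption)."""
    if other.effective_priority() > current.effective_priority():
        return other
    return current


def smallest_effective_delta(current, other):
    """Smallest delta with which one fault on `current` hands master to `other`."""
    return current.base_priority - other.base_priority + 1


if __name__ == "__main__":
    a = FailoverGroup("chassis-A", 200)
    b = FailoverGroup("chassis-B", 100)
    for delta in (1, 105):    # the default, then the value used in the examples above
        a.watch("link:lan", delta)
        a.set_failed("link:lan", True)
        print("delta", delta, "-> priority", a.effective_priority(),
              "master", master(a, b).chassis)
    print("smallest delta that causes failover:", smallest_effective_delta(a, b))
```

With the default delta of 1 and a priority gap of 100, a link failure on the master leaves it master; the delta has to exceed the gap before the fault changes which chassis forwards traffic.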

vrrp-relinquish-master
The name of the failover group that you want to relinquish master status.

Syntax
vrrp-relinquish-master <VRRP_failover_group>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <VRRP_failover_group>
Description: The name of the failover group that you want to relinquish master status.

Restrictions
Default privilege level: 15

Example
The following command transfers the master status from the primary firewall failover group to the backup firewall failover group so that a technician can update the firewall policies on the VAP group in the primary failover group.

CBS# vrrp-relinquish-master vrrp_fw1_primary
CBS#

After performing the firewall policy update on the VAP group in the primary failover group, the following command returns the master status to the primary failover group.

CBS# vrrp-relinquish-master vrrp_fw2_backup
CBS#

9
Commands for Managing X-Series Platform Hardware and Software Upgrades and Maintenance
This chapter contains commands necessary to manage X-Series Platform hardware and software upgrades and maintenance. This chapter contains the following commands:

automated-workflow-menu
automated-workflows
cp-disk-scheme
show cp-disk-scheme
configure cp-action disk-error (config context)
configure module
reload all
reload module
reload offline-cp
reset-cp-serial
reload vap-group
reset-configuration
sleep
upgrade
in-service (upgrade context)
batch-<n> (in-service-upgrade context)
batch-default (in-service-upgrade context)
clear-batches (in-service-upgrade context)
install (in-service-upgrade context)
show (in-service-upgrade context)
install (upgrade context)
remove (upgrade context)
show current-running-release (upgrade context)
show new-release (upgrade context)
show release (upgrade context)
verify-system (upgrade context)

automated-workflow-menu
The automated workflow menu provides access to an infrastructure in which scripts automate various processes. In XOS V9.5, these functional areas have been included in the menus:
Upgrading XOS software and installing recommended firmware
Preparing the system for a possible rollback
Installing XOS firmware only
Rolling back XOS software and firmware
Verifying XOS software and firmware compatibility
When you enter the automated-workflow-menu command, this menu appears on the screen:
Welcome to the X-Series Platform Automated Workflow System!
Version: 1.w.x-yz
1. Configure XOS...
2. Upgrade XOS software and firmware...
3. View system configuration and status...
4. Applications...
5. Custom...

Select a submenu to view available automated workflows.
Enter x to exit or ? for help.
Please Enter Selection:
At any point during the process, you can enter a ? to obtain additional information.

automated-workflows
This command enables you to set parameters associated with the automated-workflow-menu infrastructure.

Syntax
automated-workflows purge-log-files

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter        Description
purge-log-files  Purges the automated-workflow log files. A new AWS log file that contains the purge event is created.

Restrictions
Default Privilege Level: 15

Example
This command removes the AWS log files.
CBS# automated-workflows purge-log-files

show automated-workflow-progress
This command displays the progress of the current automated-workflow.

Syntax
show automated-workflow-progress

cp-disk-scheme
This command is used to select a different disk partitioning scheme than the current one. When you execute this command, you set the value of the configured scheme. After the next CPM reboot, the value that you configured is used to reconfigure the disk partitioning scheme. Use the show cp-disk-scheme command to view the current and configured scheme. Use the no parameter to set the value to the current scheme (cancels any setting).

Syntax
[no] cp-disk-scheme {80 | 120 | 250 | 500}

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter             Description
80 | 120 | 250 | 500  Selects the specific partitioning scheme that you want.

Restrictions
Default Privilege Level: 15
The partitioning scheme that you select must be equal to or smaller than your CPM disk size.
NOTE: Setting the scheme equal to the current scheme cancels any previous settings.
The partitioning scheme that you select must be larger than the current partitioning scheme.
After executing this command, a reboot is required.

Example
This command sets the configured partitioning scheme to 250 Gigabytes.
CBS# cp-disk-scheme 250

show cp-disk-scheme
This command shows the current disk partitioning scheme and the configured partitioning scheme. To configure a disk partitioning scheme on the CPM-9600, use the cp-disk-scheme command.

Syntax
show cp-disk-scheme

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
CBS# show cp-disk-scheme
Current scheme: 250GB
Configured scheme: 500GB

configure cp-action disk-error (config context)


This command determines the action for each CPM to take when a critical disk error occurs.

Syntax
configure cp-action {cp1|cp2} disk-error {offline|none}

Context
You access this command from the configure context that you access from the main CLI context with the configure command.

Parameters
The following table lists the parameters used with this command.
Parameter  Description
cp1 | cp2  Selects the specific CPM.
offline    CPM will go offline when a critical disk error occurs.
none       CPM will take no action when a critical disk error occurs.

Restrictions
Default Privilege Level: 15
This command is not available on the X20 or X30 chassis.

Example
The following example forces CP1 to go offline when there is a critical disk-error.
CBS(config)# cp-action cp1 disk-error offline

configure module
This command configures the administrative state of one or more modules (APMs, CPMs, and NPMs).
NOTE: A CPM cannot be set to the disable or maintenance state.

Syntax
configure module <low> [<high>] {enable|disable|maintenance}

Context
You access this command from the configure context that you access from the main CLI context with the configure command.

Parameters
The following table lists the parameters used with this command.
Parameter      Description
Module <low>   Slot of the module to configure. Valid values are from 1 to 14. If the high parameter is not specified, this is the only module to be configured.
Module <high>  Allows you to configure multiple modules. The low parameter specifies the first module (lowest number) and the high parameter specifies the last module (highest number). All modules in the range are configured. Valid values are from 1 to 14.
enable         Enables modules.
disable        Disables modules (APMs or NPMs only).
maintenance    Places modules in the maintenance state (APMs or NPMs only).

Restrictions
Default Privilege Level: 15

reload all
This command allows you to reload all modules in the X-Series Platform immediately or at a specified time. If the at or in parameters are not specified, the reload command acts immediately.
IMPORTANT: If any modules are in the maintenance state and you do not supply the maintenance parameter, the reload all command asks you to verify that you want to reload the modules that are in the maintenance state. When you schedule a reload all, a warning message appears when any modules are in the maintenance state.

Syntax
reload all [[maintenance] [[at <hh:mm> <month> <day>] | [in <hh:mm>] [<reason>]]] | [cancel]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter                 Description
all                       Loads all modules.
maintenance               Includes maintenance state modules when reloading.
at <hh:mm> <month> <day>  Schedules a reload for up to 24 days in the future. For example, if today is Nov. 13 then reload at 10:00 dec 5 will succeed, but reload at 10:00 dec 20 will fail.
in <hh:mm>                Schedules a reload in the specified number of hours and minutes.
<reason>                  Text string explaining the reason for the reload. Spaces are not allowed.
cancel                    Cancels an existing scheduled reload.

Restrictions
Default Privilege Level: 15

Example
The following example reloads all modules in 2 hours and 30 minutes:
CBS# reload all in 02:30
The following example cancels the reload of all modules.
CBS# reload all cancel

reload module
This command allows you to reload specific modules or a range of modules in the X-Series Platform immediately or at a specified time. If the at or in parameters are not specified, the reload module command acts immediately.
IMPORTANT: If any modules are in the maintenance state and you do not supply the maintenance parameter, the reload module command displays a message to verify that you want to reload the modules that are in the maintenance state.

Syntax
reload module <low> [<high>] [[maintenance] [[at <hh:mm> <month> <day>] | [in <hh:mm>] [<reason>]]] | [cancel]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter                 Description
module <low>              Slot of the module to reload. Valid values are from 1 to 14. If the high parameter is not specified, this is the only module to be reloaded.
module <high>             Allows you to reload multiple modules. The low parameter specifies the first module (lowest number) and high specifies the last module (highest number). All modules in between are also reloaded. Valid values are from 1 to 14.
maintenance               Includes maintenance state modules when reloading.
at <hh:mm> <month> <day>  Schedules a reload for up to 24 days in the future. For example, if today is Nov. 13 then reload at 10:00 dec 5 will succeed, but reload at 10:00 dec 20 will fail.
in <hh:mm>                Schedules a reload in the specified number of hours and minutes.
<reason>                  Text string explaining the reason for the reload. Spaces are not allowed.
cancel                    Cancels an existing scheduled reload.

Restrictions
Default Privilege Level: 15

Example
The following example reloads modules 2 through 6 in 2 hours and 30 minutes:
CBS# reload module 2 6 in 02:30
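
The limits given in the parameter tables for reload all and reload module, worked through as an added Python pre-check for change scripts (not part of the XOS guide or of Crossbeam software): it resolves the year-less <month> <day> to its next occurrence, including across a year boundary, and rejects dates more than 24 days ahead. Treating exactly 24 days as allowed, accepting only three-letter month names as in the guide's example, and requiring <low> not to exceed <high> are assumptions; resolve_at and check_reload are names chosen for this example.

```python
import re
from datetime import datetime, timedelta

MAX_AHEAD = timedelta(days=24)   # "Schedules a reload for up to 24 days in the future"
MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()  # assumed spelling
HHMM = re.compile(r"^(\d{1,2}):(\d{2})$")


def resolve_at(now, hhmm, month, day):
    """Return the next datetime matching <hh:mm> <month> <day>; the syntax has no year."""
    clock = HHMM.match(hhmm)
    if clock is None or month.lower() not in MONTHS or not day.isdigit():
        raise ValueError(f"cannot parse 'at {hhmm} {month} {day}'")
    hour, minute = int(clock.group(1)), int(clock.group(2))
    for year in (now.year, now.year + 1):
        try:
            when = datetime(year, MONTHS.index(month.lower()) + 1, int(day), hour, minute)
        except ValueError:
            continue                      # e.g. feb 29 in a non-leap year, or 25:00
        if when >= now:
            return when
    raise ValueError(f"'at {hhmm} {month} {day}' is not a valid upcoming date")


def check_reload(command, now):
    """Return a list of problems found in a 'reload all' or 'reload module' command."""
    tokens = command.split()
    if len(tokens) < 2 or tokens[0] != "reload" or tokens[1] not in ("all", "module"):
        return ["not a 'reload all' or 'reload module' command"]
    problems = []
    rest = tokens[2:]
    if tokens[1] == "module":
        slots = []
        while rest and rest[0].isdigit() and len(slots) < 2:
            slots.append(int(rest.pop(0)))
        if not slots:
            problems.append("reload module needs a <low> slot")
        if any(not 1 <= slot <= 14 for slot in slots):
            problems.append("slot values must be from 1 to 14")
        if len(slots) == 2 and slots[0] > slots[1]:
            problems.append("<low> is greater than <high>")   # assumed to be an error
    if rest == ["cancel"]:
        return problems
    if rest and rest[0] == "maintenance":
        rest.pop(0)
    if rest and rest[0] == "at":
        if len(rest) < 4:
            return problems + ["'at' needs <hh:mm> <month> <day>"]
        try:
            when = resolve_at(now, *rest[1:4])
            if when - now > MAX_AHEAD:
                problems.append(
                    f"{when:%Y-%m-%d %H:%M} is {(when - now).days} days ahead; the limit is 24"
                )
        except ValueError as exc:
            problems.append(str(exc))
        rest = rest[4:]
    elif rest and rest[0] == "in":
        if len(rest) < 2 or HHMM.match(rest[1]) is None:
            problems.append("'in' needs <hh:mm>")
        rest = rest[2:]
    if len(rest) > 1:                     # whatever is left is the <reason>
        problems.append("<reason> must be one word; spaces are not allowed")
    return problems


if __name__ == "__main__":
    today = datetime(2010, 11, 13, 9, 0)  # constructed "today is Nov. 13"
    for cmd in ("reload all at 10:00 dec 5", "reload all at 10:00 dec 20"):
        print(cmd, "->", check_reload(cmd, today) or "ok")
```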

reload offline-cp
This command allows you to reload an offline CPM in the X-Series Platform.

Syntax
reload offline-cp

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
The following example reloads an offline CPM.
CBS# reload offline-cp

reset-cp-serial
This command allows you to update the chassis serial number in the CPM flash if the CPM is inserted into a different chassis.

Syntax
reset-cp-serial

Context
You access this command from the main CLI context. This command is only available when a CPM goes offline after being inserted into a different chassis. You must reload the CPM after executing this command.

Restrictions
Default Privilege Level: 15
Applies to an offline CPM only

Example
The following example resets the serial number on an offline CPM.
CBS# reset-cp-serial

reload vap-group
This command allows you to reload a VAP group in the X-Series Platform.
IMPORTANT: If any modules in the VAP group are in the maintenance state and you do not supply the maintenance parameter, the reload vap-group command displays a warning message.

Syntax
reload vap-group <VAP_group_name> [<1-63>][maintenance]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter                  Description
vap-group <VAP_group_name> Reloads a specific VAP group. VAP groups are reloaded immediately.
<1-63>                     Specifies the VAP in the VAP group.
maintenance                Includes maintenance state modules when reloading.

Restrictions
Default Privilege Level: 15

Example
The following example reloads VAP group group1.
CBS# reload vap-group group1

reset-configuration
This command resets the configuration to the initial installation base, which includes deleting all VAPs. This is an interactive command and asks you if you are sure about re-booting the system. If the shutdown option is specified, the system shuts down after erasing the configuration, otherwise it reboots the system.

Syntax
reset-configuration [shutdown]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter  Description
shutdown   Specifies to shut down the system rather than reboot after erasing the configuration.

Restrictions
Default Privilege Level: 15

sleep
This command pauses the X-Series Platform for a given number of seconds.

Syntax
sleep [<number_of_seconds>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter            Description
<number_of_seconds>  Number of seconds to pause the system. The range is 0 to 65535.

Restrictions
Default Privilege Level: 0

upgrade
This command installs, removes, or displays available XOS software upgrade packages on the CPM. There are five major upgrade commands:
in-service     Installs XOS software upgrades in a manner that minimizes system disruption. Refer to in-service (upgrade context) for details.
install        Installs a specified XOS software release package, which is located on the local system.
remove         Removes a specified XOS software release package from the local system.
show           Displays all the current releases located on the local system.
verify-system  Verifies whether the system can be upgraded to a specific release.
NOTE: All upgrade operations are performed on the local system. Remote server upgrades are not supported.

Syntax
upgrade

Contexts and Subcommands


You access this command from the main CLI context. This command places you in the upgrade context in which you can perform upgrade tasks. You can access the following commands from this context:
in-service (upgrade context)
install (upgrade context)
remove (upgrade context)
show current-running-release (upgrade context)
show new-release (upgrade context)
show release (upgrade context)
verify-system (upgrade context)

Inline Commands
The following table lists the CLI commands used inline with the upgrade command.
Command                         Description
in-service                      Upgrade XOS from the local system with minimal service disruption.
install                         Installs an XOS release from the local system or Install Server.
remove                          Removes a release from the local system.
show                            Displays all of the available releases on the local system.
verify-system <release_number>  Verifies whether the system can be upgraded to the specified release. Specify the <release_number> in the format 9.x.x-yy.

Restrictions
Default Privilege Level: 15

in-service (upgrade context)


This command uses the redundancy capabilities of the system to upgrade modules to newer XOS software while preserving the operations of the system. Using this command, chassis modules are collected into batches, either manually or automatically by the system. Then the modules within each batch are upgraded to the new XOS software. Refer to the XOS Configuration Guide, In-Service Upgrades chapter for detailed upgrade instructions.

Syntax
in-service

Contexts and Subcommands


You access this command from the upgrade CLI context. This command places you in the in-service-upgrade context. You can access the following commands from this context:
batch-<n> (in-service-upgrade context)
batch-default (in-service-upgrade context)
clear-batches (in-service-upgrade context)
install (in-service-upgrade context)
show (in-service-upgrade context)

Restrictions
Default Privilege Level: 15

batch-<n> (in-service-upgrade context)


This command assigns one or more modules to specific batches or uses the system default batch assignments calculated automatically by the Configuration Analyzer. To add multiple modules to the batch, specify any combination of the <slot_number>, <module_name>, and/or <VAP_name>_<index_number> parameters.

Syntax
batch-<n> [<slot_number>] [<module_number>] [<VAP_name>_<index_number>]

Context
You access this command from the upgrade context and the command places you in the in-service-upgrade context. Access the upgrade context from the main CLI with the upgrade command.

Parameters
The following table lists the parameters used with this command.
Parameter                  Description
batch-<n>                  The variable <n> specifies the batch number from 1 through 10.
<slot_number>              Specifies the slot number to include in the batch.
<module_number>            Specifies the module number to include in the batch.
<VAP_name>_<index_number>  Specifies the VAP name and VAP name index number to include in the batch.

Restrictions
Default Privilege Level: 15

Example
This example assigns the VAP group fenway_1 and np2 to batch-1:
CBS(in-service-upgrade)# batch-1 fenway_1 np2
Batch1: fenway_1(3) np2(2)

batch-default (in-service-upgrade context)


This command resets the batches to the default batches.

Syntax
batch-default

Context
You access this command from the upgrade context and the command places you in the in-service-upgrade context. Access the upgrade context from the main CLI with the upgrade command.

Restrictions
Default Privilege Level: 15

Example
This example assigns the system calculated default batches to the in-service upgrade:
CBS(in-service-upgrade)# batch-default

clear-batches (in-service-upgrade context)


This command clears all user-defined batches.

Syntax
clear-batches

Context
You access this command from the upgrade context and the command places you in the in-service-upgrade context. Access the upgrade context from the main CLI with the upgrade command.

Restrictions
Default Privilege Level: 15

Example
This example clears all user-defined batches:
CBS(in-service-upgrade)# clear-batches

install (in-service-upgrade context)


The install command starts the upgrade process for a specific release. The optional non-interactive option uses default values for the upgrade process. <release_number> specifies the XOS release number to be installed.

Syntax
install <release_number> [non-interactive]

Context
You access this command from the upgrade context and the command places you in the in-service-upgrade context. Access the upgrade context from the main CLI with the upgrade command.

Parameters
The following table lists the parameters used with this command.
Parameter         Description
<release_number>  Specifies the XOS release to be installed.
non-interactive   Starts the upgrade process to use default values without interaction by the user.

Restrictions
Default Privilege Level: 15

Example
Here is an example of the command for starting a non-interactive XOS V9.5.1 installation:
CBS(in-service-upgrade)# install 9.5.1 non-interactive

show (in-service-upgrade context)


This command displays in-service upgrade information.

Syntax
show [batches | default-batches | new-releases | progress | standby-modules]

Context
You access this command from the upgrade context and the command places you in the in-service-upgrade context. Access the upgrade context from the main CLI with the upgrade command.

Parameters
The following table lists the parameters used with this command.
Parameter        Description
batches          Displays user-defined batches.
default-batches  Displays the default in-service batches that are configured by the system.
new-releases     Displays all new releases on the local system or the install server. This parameter also displays the software version on offline CPMs.
progress         Displays the upgrade progress.
standby-modules  Displays the standby and down modules that the system placed into default batches. These modules are moved first during the in-service upgrade. These modules cannot be reassigned to user-defined batches.

Restrictions
Default Privilege Level: 15

Example
Example of default batches as determined automatically by the XOS system. The show default-batches command shows the names and slot numbers of the modules and VAP groups the system has assigned to each batch:

CBS(in-service-upgrade)# show default-batches
Batch1: fw_1(5) tmp_2(7)
Batch2: np4(4)
Batch3: np1(1)
Batch4: bridge_1(10) fw_2(8) fw_3(9) tmp_3(11) tmp_1(6)
In the above example, fw, bridge, and tmp are VAP group names. fw_1 is the first VAP in the fw VAP group. The values in parentheses are slot numbers.
This example shows the standby-modules, those modules that are moved first during the upgrade:
CBS# upgrade in-service
CBS(in-service-upgrade)# show standby-modules
Standby Modules: ap4(6) ap5(7) ap6(8) ap8(10) ap9(11) ap10(12)
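
An added Python example (not part of the XOS guide or of Crossbeam software) that parses show default-batches output in the format shown above before an in-service upgrade is started, checks it against the limits this guide states (batch numbers 1 through 10, slots 1 to 14), and lists VAP groups whose listed members all fall in one batch, which is worth reviewing because such a group has no member left in another batch while that batch is upgraded. It assumes that a slot belongs to one batch only and that names of the form <VAP_name>_<index_number> are VAPs while names such as np1 are modules; the function names are chosen for this example, and the check sees only the VAPs that the output lists.

```python
import re
from collections import defaultdict

# Constructed input: the show default-batches output quoted in the example above.
SAMPLE = """\
CBS(in-service-upgrade)# show default-batches
Batch1: fw_1(5) tmp_2(7)
Batch2: np4(4)
Batch3: np1(1)
Batch4: bridge_1(10) fw_2(8) fw_3(9) tmp_3(11) tmp_1(6)
"""

BATCH_LINE = re.compile(r"^Batch(\d+):\s*(.*)$")
MEMBER = re.compile(r"^([^\s()]+)\((\d+)\)$")      # name(slot)
VAP_NAME = re.compile(r"^(.+)_(\d+)$")             # <VAP_name>_<index_number>


def parse_batches(text):
    """Parse 'BatchN: name(slot) ...' lines into {batch_number: [(name, slot), ...]}."""
    batches = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("CBS"):     # blank lines and CLI prompt lines
            continue
        match = BATCH_LINE.match(line)
        if match is None:
            raise ValueError(f"not a batch line: {line!r}")
        number = int(match.group(1))
        if number in batches:
            raise ValueError(f"Batch{number} listed twice")
        members = []
        for token in match.group(2).split():
            member = MEMBER.match(token)
            if member is None:
                raise ValueError(f"malformed member {token!r} in Batch{number}")
            members.append((member.group(1), int(member.group(2))))
        batches[number] = members
    return batches


def plan_problems(batches):
    """Return findings that contradict the limits stated in the guide."""
    problems = []
    seen = {}                                      # slot -> batch that listed it first
    for number in sorted(batches):
        if not 1 <= number <= 10:                  # batch-<n>: 1 through 10
            problems.append(f"Batch{number}: batch number outside 1-10")
        for name, slot in batches[number]:
            if not 1 <= slot <= 14:                # module slots: 1 to 14
                problems.append(f"{name}: slot {slot} outside 1-14")
            if slot in seen:                       # assumption: one batch per slot
                problems.append(f"slot {slot} appears in Batch{seen[slot]} and Batch{number}")
            else:
                seen[slot] = number
    return problems


def vap_group_spread(batches):
    """Map each VAP group to the sorted batch numbers that hold its members."""
    spread = defaultdict(set)
    for number, members in batches.items():
        for name, _slot in members:
            vap = VAP_NAME.match(name)
            if vap:                                # names without _<index> are modules
                spread[vap.group(1)].add(number)
    return {group: sorted(numbers) for group, numbers in spread.items()}


def groups_in_one_batch(batches):
    """VAP groups whose listed members all sit in a single batch."""
    return sorted(g for g, numbers in vap_group_spread(batches).items() if len(numbers) == 1)


if __name__ == "__main__":
    plan = parse_batches(SAMPLE)
    for finding in plan_problems(plan):
        print("PROBLEM:", finding)
    for group in groups_in_one_batch(plan):
        print(f"REVIEW: every listed VAP of group {group!r} is upgraded in the same batch")
```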

install (upgrade context)


This command installs a specified XOS software release package, which is located on the local system.

Syntax
install <release_number>

Context
You access this command from the upgrade CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter         Description
<release_number>  The release number for the XOS software package that you want to install from the local system.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command that installs an XOS release:
CBS(upgrade)# install 9.5.1-xx

remove (upgrade context)


This command removes the specified XOS software package indicated by the release number. The command removes the software from the local system without installing the software package. This command does not remove the currently installed software package.

Syntax
remove <release_number>

Context
You access this command from the upgrade CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter         Description
<release_number>  This parameter specifies the release number for the XOS software package that you want to remove. This does not remove the currently installed XOS version.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command that removes a down-level XOS release:
CBS(upgrade)# remove 9.5.1-xx

show current-running-release (upgrade context)


This command displays the currently running XOS software release version. This command displays the software version for off-line CPMs.

Syntax
show current-running-release

Context
You access this command from the upgrade CLI context.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command:
CBS(upgrade)# show current-running-release
Crossbeam: 9.5.1-xx (current)

show new-release (upgrade context)


This command displays the new XOS software release packages that are located on the local system and are available for installation.

Syntax
show new-release

Context
You access this command from the upgrade CLI context.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command:
CBS(upgrade)# show new-release
Crossbeam: 9.5.1-xx

show release (upgrade context)


Displays all the XOS software release packages that are located on the local system and are available for installation.

Format
show release

Context
You access this command from the upgrade CLI context.

Restrictions
Default Privilege Level: 15

Example
CBS(upgrade)# show release
Crossbeam: 9.5.1-xx
Crossbeam: 9.5.1-yy (current)

verify-system (upgrade context)


Verifies whether the system can be upgraded to the specified release. If incompatibilities are detected, XOS displays error messages. Perform the required changes (if any) and then start the Automated Workflow System to perform the upgrade.

Format
verify-system <release_number>

Context
You access this command from the upgrade CLI context.

Restrictions
Default Privilege Level: 15

Example
In this example, the specified shar file was not found in the /usr/os/rpm/ directory on the system.
CBS(upgrade)# verify-system 9.5.1-xx
Wed Feb 23 14:23:52 2011 ERROR: Neither /usr/os/rpm/xos-upgradepack-A000-9.5.1-xx.shar nor /usr/os/rpm/xos-upgradepack-A000-9.5.1-xx.shar.gz exists

%MISC-ERR: System is NOT ready for upgrade
Detail: Release 9.5.1-xx
CBS(upgrade)#

10
Commands for Managing XOS Configuration Files
This chapter contains commands for managing XOS configuration files.
Commands for Managing Startup and Running Configuration Files
Commands for Displaying Startup and Running Configurations

Commands for Managing Startup and Running Configuration Files


This section contains the following command descriptions:
copy running-config
copy startup-config
logout
reset-configuration

copy running-config
This command copies the running configuration to the startup configuration or to a file.

Syntax
copy running-config startup-config
copy running-config {<path_file>} [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [interface] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>]
If you do not specify all-series, only the configuration parameters applicable to the current NPM Series-6 Mode will be copied to the file.

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter                                             Description
startup-config                                        Saves the running configuration as the startup configuration.
<path_file>                                           Copies the configuration to a file. You must specify a full path and file name.
-flat                                                 Copies CLI commands with complete context.
-sort                                                 Sorts the output by VAP group and circuit name.
echo-password                                         Includes user-encrypted passwords.
include-default                                       Includes configuration parameters that are still set to their default values.
all-series                                            Includes the configuration components applicable to all NPM Modes.
series-2                                              Includes the configuration components applicable to NPM Series-2 Mode.
series-6                                              Includes the configuration components applicable to NPM Series-6 Mode.
circuit <circuit_name>                                Copies the configuration settings for the specified circuit.
group-interface <group_interface_name>                Copies the configuration settings for the specified group interface.
vrrp-failovergroup <vrrp_failover_group_name>         Copies the configuration settings for the specified VRRP failover group.
interface                                             Copies the configuration settings for single interfaces.
ip-route                                              Copies the IP route configuration details.
system-ip-flow-rule                                   Copies all configured system IP flow rules.
system-non-ip-flow-rule                               Copies all configured system non-IP flow rules.
exclude-wrp                                           Excludes all wrp circuits and references to them.
interface-internal <interface-internal-name>          Copies configuration entries for the specified interface-internal.
interface-status-group <interface-status-group-name>  Copies configuration entries for the specified interface-status-group.
bridge-mode <circuit_name>                            Copies configuration entries for the specified bridge-mode circuit.

Restrictions
Default Privilege Level: 15

copy startup-config
This command copies the startup configuration to a file.

Syntax
copy startup-config <path_file> [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>] [interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]]
If you do not specify all-series, only the configuration parameters applicable to the current NPM Series-6 Mode will be copied to the file.

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter                                                                 Description
startup-config                                                            Saves the running configuration as the startup configuration.
<path_file>                                                               Copies the configuration to a file. You must specify a full path and file name.
-flat                                                                     Copies CLI commands with complete context.
-sort                                                                     Sorts the output by VAP group and circuit name.
echo-password                                                             Includes user crypted passwords.
include-default                                                           Includes configuration parameters that are still set to their default values.
all-series                                                                Includes the configuration components applicable to all NPM Modes.
series-2                                                                  Includes the configuration components applicable to NPM Series-2 Mode.
series-6                                                                  Includes the configuration components applicable to NPM Series-6 Mode.
circuit <circuit_name>                                                    Copies the configuration settings for the specified circuit.
group-interface <group_interface_name>                                    Copies the configuration settings for the specified group interface.
vrrp-failovergroup <vrrp_failover_group_name>                             Copies the configuration settings for the specified VRRP failover group.
interface                                                                 Copies the configuration settings for single interfaces.
ip-route                                                                  Copies the IP route configuration details.
system-ip-flow-rule                                                       Copies all configured system IP flow rules.
system-non-ip-flow-rule                                                   Copies all configured system non-IP flow rules.
exclude-wrp                                                               Excludes all wrp circuits and references to them.
interface-internal <interface-internal-name>                              Copies configuration entries for the specified interface-internal.
interface-status-group <interface-status-group-name>                      Copies configuration entries for the specified interface-status-group.
bridge-mode <circuit_name>                                                Copies configuration entries for the specified bridge-mode circuit.
interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]   Copies configuration entries for all interfaces. If you specify either gigabitethernet or 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.

Restrictions
Default Privilege Level: 15

logout
This command logs the user out of the current CLI session from any context. As an option to log out of the root level, use the exit command.

Syntax
logout [save-config] [no-confirm]

Context
You access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter    Description
save-config  Copies the running configuration to the startup configuration, saving your configuration changes as part of the logout process.
no-confirm   Allows the save and logout process to proceed without user confirmations being presented by using the default confirmation answers.

Restrictions
Default Privilege Level: 0
Default Privilege Level: logout save-config 15

reset-configuration
This command resets the configuration to the initial installation base, which includes deleting all VAPs. This is an interactive command and asks you if you are sure about re-booting the system. If the shutdown option is specified, the system shuts down after erasing the configuration, otherwise it reboots the system.

Syntax
reset-configuration [shutdown]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter  Description
shutdown   Specifies to shut down the system rather than reboot after erasing the configuration.

Restrictions
Default Privilege Level: 15

Commands for Displaying Startup and Running Configurations


This section contains the following command descriptions:
grep
search
show running-config
show startup-config

grep
This command provides grep functionality for any show command executed from the root context. Use double quotes around the search term and the show command. Specify any grep options by using the -options parameter and enclose multiple grep options in either single quotes or double quotes.

Syntax
grep [-options <opt1> <optx>] <search_term> [<show_command>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter                        Description
-options <opt1> through <optx>   Use this parameter to invoke grep options. Specify one or more grep option. When specifying more than one option, use double quotes around the options.
<search_term>                    Specify the search term and use double quotes if using more than one term.
<show_command>                   Specify the related CLI show command and use double quotes when the command contains more than one word.

Restrictions
Default Privilege Level: 15

Example
Here is an example of the grep command that filters all case-insensitive references to system in the running-config file:

CBS# grep -options -i system 'show running-config'
system-identifier 2
system-internal-network 1.1.0.0/16
system-ip-flow-rule external
CBS#


search
The search command provides a simple method to search for single terms within show command output. The show command can include multiple terms bounded by single or double quotes. Two options are available: -exclude, to exclude matching lines, and -case-sensitive, to perform case-sensitive searches.

Syntax
search [-exclude] [-case-sensitive] <single_search_term> <show_command>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
  Description

-exclude
  Only lists non-matching search expression lines.

-case-sensitive
  Performs a case-sensitive search. By default, the search command does not consider case.

<search_term>
  This must be a single word search term. Valid characters are alphanumeric, underscore, period, exclamation point, tilde, open parenthesis, close parenthesis, forward slash, backward slash, plus sign, colon, and dash (with limitations).
  NOTE: The dash "-" character cannot be used as a prefix in the search term; for example, "-group" is not a valid search term, but "vap-" and "vap-group" are valid.

<show_command>
  Any valid CLI show command can be searched and multiple term show commands must be bounded by single or double-quotes.

Restrictions
Default Privilege Level: 0

Example
The following is an example of a simple search for the VAP operating systems for each configured VAP group.

CBS# search xslinux show running-config
vap-group fw_1 xslinux_v5
vap-group fw_2 xslinux_v5
vap-group fw_3 xslinux_v3


show running-config
This command displays the configuration settings for the current Series-6 NPM Mode. The configuration is listed in the form of CLI commands and their parameter values. By default, this command displays only a subset of the configuration settings (modified settings and certain default settings). To display default settings, use the include-default parameter.

XOS V8.5 or greater maintains configuration information specific to both Series-2 and Series-6 operating modes for upgrade purposes only because Series-2 hardware is not supported in XOS V8.5 or greater. The Series-2 information is important to identify and reconfigure or remove any previously configured components.

The series-2, series-6, and all-series flags can be used to filter the available information. The series-2 option displays aspects of the configuration that are valid and applicable in NPM Series-2 mode. The series-6 option displays aspects of the configuration that are valid and applicable in NPM Series-6 mode. The all-series option displays aspects of the configuration valid for both Series-2 and Series-6 modes.

NOTE: In order to view the values of some parameters, such as mac-addr that has a system-reserved value, you must use the all-series flag. If you do not use one of the series flags, the current running NPM Mode series is assumed.

NOTE: If you use show running-config with the series-2 or the series-6 option, and key criteria (listed below) do not apply to the selected NPM mode, the flow rules will not be displayed. Key criteria include the following items:
  Destination addresses
  Source addresses
  Destination ports
  Source ports
  Protocols
  Primary-action

Series-6 mode does not support rate-limiter or hide-slot-originator. Flow rules with these settings are shown in a Series-6 display, but these parameters are hidden.

NOTE: If you use configure no username admin to remove the default username, you will see this action as a configuration line when you show the running configuration.

Syntax
show running-config [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>] [interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]]


Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
  Description

-flat
  Displays CLI commands with complete context.

echo-password
  Includes user crypted passwords.

-sort
  Sorts the output by VAP group and circuit name.

include-default
  Includes configuration parameters that are still set to their default values.

series-2
  Displays configuration components applicable to series-2 NPM Mode.

series-6
  Displays configuration components applicable to series-6 NPM Mode.

all-series
  Displays configuration components for all NPM Modes.

vap-group <VAP_group_name>
  Displays configuration entries for the specified VAP group.

circuit <circuit_name>
  Displays configuration entries for the specified circuit.

group-interface <group_interface_name>
  Displays configuration entries for the specified group interface.

vrrp-failovergroup <vrrp_failover_group_name>
  Displays configuration entries for the specified VRRP failover group.

ip-route
  Displays configured IP routes.

system-ip-flow-rule
  Displays configured system IP flow rules.

system-non-ip-flow-rule
  Displays configured system non IP flow rules.

exclude-wrp
  Excludes wrp circuits and all references to them.

interface-internal <interface-internal-name>
  Displays configuration entries for the specified interface-internal.

interface-status-group <interface-status-group-name>
  Displays configuration entries for the specified interface-status-group.

bridge-mode <circuit_name>
  Displays configuration entries for the specified bridge-mode circuit.

interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]
  Displays configuration entries for all interfaces. If you specify either gigabitethernet or 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.

Restrictions
Default Privilege Level: 15


Example
The following abbreviated examples show differences in the output when using the series-2 and series-6 options. Refer to Example XOS Running Configuration File on page 901 for a complete example running-config file.

The following output for show running-config series-6 contains information about the non-ip-flow-rule, which is valid in series-6 NPM Mode only:

CBS# show running-config series-6
vap-group fw xslinux_v3
  raid 0
  vap-count 3
  max-load-count 3
  ap-list ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule fw_lb
    action load-balance
    activate
  non-ip-flow-rule a45C
    action drop
#
vap-group fw1 xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap5 ap6 ap7
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule fw1_lb
    action load-balance
    activate
  non-ip-flow-rule 33_RA
    action drop

The following abbreviated example shows the output of show running-config using the -flat option:

CBS# show running-config -flat
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
# CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
# Kit Number: xx
#Do not remove above this line
#
configure
#
configure hostname docs-x45 cp1
configure ip domainname crossbeam
configure ip telnet
configure ip ftp
configure system-identifier 2
configure system-internal-network 1.1.0.0/16
configure operating-mode single-np series-2
#
configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
configure access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
#


show startup-config
This command displays the startup configuration. The startup configuration is used the next time the system starts. The configuration is displayed in the form of CLI commands. By default, this command displays only user-modified settings. To display all settings, including unmodified default settings, use the include-default parameter.

XOS V8.5 or greater maintains configuration information specific to both Series-2 and Series-6 operating modes for upgrade purposes only because Series-2 hardware is not supported in XOS V8.5 or greater. The Series-2 information is important to identify and reconfigure or remove any previously configured components.

The series-2, series-6, and all-series flags can be used to filter the available information. The series-2 option displays aspects of the configuration that are valid and applicable in NPM Series-2 mode. The series-6 option displays aspects of the configuration that are valid and applicable in NPM Series-6 mode. The all-series option displays aspects of the configuration valid for both Series-2 and Series-6 modes.

NOTE: In order to view the values of some parameters, such as mac-addr that has a system-reserved value, you must use the all-series flag. If you do not use one of the series flags, the current running NPM Mode series is assumed.

NOTE: If you use show startup-config with the series-2 or the series-6 option, and key criteria (listed below) do not apply to the selected NPM mode, the flow rules will not be displayed. For example, if you enter show startup-config series-6, and the flow rule contains a domain range, the flow rule will not be displayed because NPM Series-6 mode does not support domain ranges.

Key criteria include the following items:
  Destination addresses
  Source addresses
  Destination ports
  Source ports
  Protocols
  Primary-action

In the case of the following minor criteria, when they do not apply to a flow rule (based on the NPM mode you designated with the show startup-config command), only the non-applicable parameters are hidden, not the entire rule:
  Hide-slot-originator

Syntax
show startup-config [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>] [interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]]


Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
  Description

-flat
  Displays CLI commands with complete context.

echo-password
  Includes user crypted passwords.

-sort
  Sorts the output by VAP group and circuit name.

include-default
  Includes configuration parameters that are still set to their default values.

series-2
  Displays configuration components applicable to series-2 NPM Mode.

series-6
  Displays configuration components applicable to series-6 NPM Mode.

all-series
  Displays configuration components for all NPM Modes.

vap-group <VAP_group_name>
  Displays configuration entries for the specified VAP group.

circuit <circuit_name>
  Displays configuration entries for the specified circuit.

group-interface <group_interface_name>
  Displays configuration entries for the specified group interface.

vrrp-failovergroup <vrrp_failover_group_name>
  Displays configuration entries for the specified VRRP failover group.

ip-route
  Displays configured IP routes.

system-ip-flow-rule
  Displays configured system IP flow rules.

system-non-ip-flow-rule
  Displays configured system non IP flow rules.

exclude-wrp
  Excludes wrp circuits and all references to them.

interface-internal <interface-internal-name>
  Displays configuration entries for the specified interface-internal.

interface-status-group <interface-status-group-name>
  Displays configuration entries for the specified interface-status-group.

bridge-mode <circuit_name>
  Displays configuration entries for the specified bridge-mode circuit.

interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]
  Displays configuration entries for all interfaces. If you specify either gigabitethernet or 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.

Restrictions
Default Privilege Level: 15


Example
Refer to Example XOS Running Configuration File on page 901. The following is an example of this command:

CBS# show startup-config -flat
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
# CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
# Kit Number: xx
#Do not remove above this line
#
configure
#
configure hostname docs-x45 cp1
configure ip domainname crossbeam
configure ip telnet
configure ip ftp
configure system-identifier 2
configure system-internal-network 1.1.0.0/16
configure operating-mode single-np series-2
#
configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
configure access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
#
ntp server 192.168.1.101
#
module 12 disable
#
username admin privilege 15 gui-level administrator
#
no timeout
web-server web-timeout 65535
#
alias wr 'copy running-config startup-config'
#
vap-group L3 xslinux_v3
  vap-count 3
  ap-list ap7 ap8 ap9
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule LB
    action load-balance
    activate
vap-group IDS xslinux_v3
  vap-count 3
  ap-list ap7 ap8 ap9
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule IDS
    action load-balance
    activate
vap-group FW xslinux_v3
  vap-count 3
  max-load-count 1
  ap-list ap3 ap4 ap5
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-forwarding
  ip-flow-rule Slb
    action load-balance
    activate
#
dns server 192.168.1.102
dns server 192.168.1.102 vap-group IDS
#
dns search-name crossbeam.com
dns search-name crossbeam.com vap-group IDS
dns search-name lab.crossbeam.com vap-group IDS
0.0.0.0 255.255.255.255 destination-ip 192.168.1.0 0.0.255.255
.
.
#
redundancy-interface master gigabitethernet 1/2 backup gigabitethernet 2/2
  mac-usage master
  failovermode preemption-on
#
vrrp failover-group one failover-group-id 1
  preemption
  priority 200
  virtual-router vrrp-id 1 circuit intr320
    vap-group FW
      virtual-ip 100.3.20.251/24 100.3.20.255
  virtual-router vrrp-id 2 circuit intr420
    vap-group FW
      virtual-ip 100.4.20.251/24 100.4.20.255
vrrp failover-group two failover-group-id 2
  preemption
  priority 250
  virtual-router vrrp-id 3 circuit mltvlan110
    vap-group FW
      virtual-ip 100.1.10.251/24 100.1.10.255
  virtual-router vrrp-id 4 circuit mltvlan210
    vap-group FW
      virtual-ip 100.2.10.251/24 100.2.10.255
#
ip route 79.0.0.0/24 78.0.0.100 vap-group FW circuit 78net
ip route 80.0.0.0/24 78.0.0.100 vap-group FW circuit 78net
ip route 192.168.66.0/24 192.168.74.1 vap-group FW circuit fwman
ip route 100.10.10.0/24 100.1.10.100 vap-group FW circuit mltvlan110
ip route 100.20.10.0/24 100.2.10.100 vap-group FW circuit mltvlan210
ip route 100.30.20.0/24 100.3.20.100 vap-group FW circuit intr320
ip route 100.40.20.0/24 100.4.20.100 vap-group FW circuit intr420
.
end
CBS#


11
Advanced XOS Configuration Commands
This chapter contains XOS commands for advanced configuration tasks. This chapter contains the following commands:
  alias
  configure alias
  auto-promote
  echo
  exec
  script
  unix


alias
This command creates an alias text string for an existing command. This only applies for the current user and session. The alias supersedes the command. The no version of the command deletes the alias.

Syntax
[no] alias <alias_name> <alias_command_line>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
  Description

<alias_name>
  Specify a unique alias name.

<alias_command_line>
  Specify the command to which the alias string is associated. Single strings containing a space must be placed inside quotation marks.

Restrictions
Default Privilege Level: 0

Example
This example uses the string protect to execute the configure vap-group firewall command.

CBS# alias protect configure vap-group firewall

configure alias
This command creates an alias. The alias supersedes the command and applies to all CLI users. The no parameter deletes the alias.

Syntax
configure [no] alias <alias_name> <alias_command_line>

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter
  Description

<alias_name>
  Specify a unique name for the alias.

<alias_command_line>
  Specify the command to which the alias string is associated. Single strings containing a space must be placed inside quotation marks.

Restrictions
Default Privilege Level: 15

auto-promote
This command is useful, for example, when you copy and paste configuration commands from a source, such as the show running-config output, into a CLI session. If a command fails because the current CLI context is incorrect for the command's format, the auto-promote feature allows the failed command to be retried at the parent mode. This retrying process continues until the command is successfully executed or the command fails at the root mode. The context changes to the context of the command associated with the alias. If the command fails at the root, the context does not change.

This command is disabled by default and should be disabled again immediately after you are finished using it. To do so, use the no version of the command. The no version of the command does not allow commands to be executed from other than their designated context (normal CLI operation).

NOTE: This command is valid only for the current CLI session.

Caution: Using the auto-promote command automatically selects all command defaults, and disables auto confirm functions of commands. The auto-promote command disables the enable more command, thus disabling the Press any key to continue prompts for each screen of output. Even more importantly, it automatically uses defaults to answer dangerous commands like reload vap-group and reset-configuration. Use this command with extreme caution, and be sure to disable it (no auto-promote) when it is not needed.

Syntax
[no] auto-promote

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0


Example
This example allows the show circuit command to be executed even though the CLI is in the config-vap-grp context. In this case, the CLI is returned to the Main context and the command is successfully executed. After the command is executed, the CLI returns to the current context.

CBS# auto-promote
CBS# configure vap-group fw
CBS(config-vap-grp)# show circuit admin-status test
Circuit Name : test
Circuit-Id : 1026
Device Name : sideA
Incoming Circuit Group : 1
Promiscuous Mode : no promiscuous
Proxy ARP Enabled (true/false) : f
IP Forwarding (true/false) : t
ICMP Redirect (true/false) : f
Hide VLAN Header (true/false) : f
Reclassify NAT Flows (true/false) : f
IP Flow Rule Priority : 21
IP Flow Rule No Failover (true/false) : f
VAP Group : fw
Verify Next Hop IP :
Aggregation Mode : none
Primary/Alias Index : primary
Domain : 1
IP Address : 192.168.10.1/24
IP Broadcast Address : 192.168.10.255
Increment-per-vap Mode (true/false) : f
New Flow Control (true/false) : t
DHCP Relay (true/false) : f
Default Egress Vlan Tag : N/A
Replace Egress Vlan Tag : N/A
MAC Address : 00:03:d2:e0:02:65 (system-reserved)
MTU : 1500
Management Circuit (true/false) : f
CBS(config-vap-grp)#

echo
This command echoes the text identified by <string> to your monitor.

Syntax
echo [<string>]

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter
  Description

<string>
  String that is displayed on the screen.

Restrictions
Default Privilege Level: 0

exec
This command executes a CLI script file.

Syntax
exec [-echo] [prompt-on-error|continue-on-error|stop-on-error] [no-confirm] <file_name>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
  Description

-echo
  Displays the commands in the script file back to the terminal.

prompt-on-error
  Prompts you to continue after an error is encountered.

continue-on-error
  The XOS CLI does not stop executing the script when an error is encountered.

stop-on-error
  The XOS CLI stops executing the script when an error is encountered. This is the default.

no-confirm
  Executes the script without user input by using default values as necessary.

<file-name>
  Name of the CLI script to execute.

Restrictions
Default Privilege Level: 0
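
A pre-flight check for a CLI script file, added here as an example (it is not Crossbeam code). It resolves alias definitions, because an alias supersedes the command, and reports the reload vap-group and reset-configuration lines that would be answered with defaults under auto-promote or exec no-confirm. The function names, the DANGEROUS list and the sample script are assumptions made for this example.

```python
import shlex

# Commands the auto-promote Caution names as dangerous when confirmations are
# answered with defaults. Assumption: scripts spell keywords out in full, so
# abbreviated forms are not matched.
DANGEROUS = ("reload vap-group", "reset-configuration")

# Constructed sample script (not taken from the XOS guide).
SAMPLE_SCRIPT = """\
# nightly maintenance
alias wr 'copy running-config startup-config'
configure alias tidy reset-configuration
auto-promote
configure vap-group fw
wr
tidy shutdown
reload vap-group fw
"""


def _split(line):
    """Tokenise a CLI line, honouring single and double quotes."""
    try:
        return shlex.split(line)
    except ValueError:  # unbalanced quote: fall back to a plain split
        return line.split()


def _dangerous(tokens):
    """Return the DANGEROUS entry that tokens start with, or None."""
    for cmd in DANGEROUS:
        words = cmd.split()
        if tokens[:len(words)] == words:
            return cmd
    return None


def _expand(tokens, aliases, limit=8):
    """Replace a leading alias by its command line (bounded, to stop loops)."""
    used = []
    for _ in range(limit):
        if not tokens or tokens[0] not in aliases:
            break
        used.append(tokens[0])
        tokens = _split(aliases[tokens[0]]) + tokens[1:]
    return tokens, used


def lint_script(text, no_confirm=False):
    """Lint a CLI script; return a list of (line_no, severity, message).

    no_confirm models running the file with 'exec no-confirm <file_name>'.
    """
    aliases = {}          # alias name -> command line it stands for
    auto_promote = False  # session state toggled by [no] auto-promote
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = _split(line)
        if not tokens:
            continue
        # "alias ..." and "configure alias ..." share one grammar after the prefix.
        body = tokens[1:] if tokens[0] == "configure" else tokens
        negated = body[:1] == ["no"]
        if negated:
            body = body[1:]
        if body[:1] == ["alias"] and len(body) >= 2:
            name = body[1]
            if negated:
                aliases.pop(name, None)
                continue
            aliases[name] = " ".join(body[2:])
            target, _ = _expand([name], aliases)
            if _dangerous(target):
                shown = " ".join(target)
                findings.append((no, "warn", f"alias '{name}' stands for '{shown}'"))
            continue
        expanded, used = _expand(tokens, aliases)
        if expanded in (["auto-promote"], ["no", "auto-promote"]):
            auto_promote = expanded[0] != "no"
            if auto_promote:
                findings.append((no, "warn", "auto-promote enabled: defaults answer confirmations"))
            continue
        if _dangerous(expanded):
            unattended = auto_promote or no_confirm
            shown = " ".join(expanded)
            via = f" via alias '{used[0]}'" if used else ""
            tail = " is answered with defaults" if unattended else " will prompt"
            findings.append((no, "high" if unattended else "warn", f"'{shown}'{via}{tail}"))
    if auto_promote:
        findings.append((0, "warn", "auto-promote still enabled at end of script"))
    return findings


if __name__ == "__main__":
    for finding in lint_script(SAMPLE_SCRIPT):
        print(finding)
```

Line number 0 marks a finding about the script as a whole rather than one line.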


script
In addition to displaying output to the screen, this command saves CLI output to a file. After you enter the script command, all commands you enter are saved to the file. Be aware that the commands you enter while in a script session also affect your running configuration. The no script command ends this session.

Syntax
[no] script <path_and_file>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
  Description

<path_and_file>
  Saves CLI output to a file.

Restrictions
Default Privilege Level: 0

unix
This command executes a UNIX command and returns to the CLI prompt or starts a UNIX session.

Syntax
unix [<command>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
  Description

<command>
  Specifies the UNIX command to execute. If a command is not entered, the CLI prompt changes to a Linux shell prompt. Return to the CLI prompt by entering exit.

Restrictions
Default Privilege Level: 15


12
Commands for Displaying XOS Configuration Settings
This chapter contains commands that display XOS configuration settings.
  Commands for Displaying All Configuration Settings
  Commands for Displaying X-Series Platform Hardware and XOS Software Version Information
  Commands for Displaying X-Series Platform Management Configuration Settings
  Commands for Displaying X-Series Platform Management Interface Configuration Settings
  Commands for Displaying User Account and User Access Configuration Settings
  Commands for Displaying System Alarm and Logging Configuration Settings
  Commands for Displaying CPM Redundancy Configuration Settings
  Commands for Displaying VAP Group Configuration Settings
  Commands for Displaying Flow Provisioning Configuration Settings
  Commands for Displaying Circuits and Interface Configuration Settings
  Commands for Displaying Multi-System High-Availability Configuration Settings
  Commands for Displaying Hardware and Software Maintenance Configuration Settings
  Commands for Displaying Advanced Configuration Settings
  Commands for Displaying Console Display Configuration Settings


Commands for Displaying All Configuration Settings


This section contains the following commands:
  grep
  search
  show audit-trail
  show history
  show running-config
  show startup-config
  show vsx-configuration
  show resource-statistics
  clear resource-statistics

grep
This command provides grep functionality for any show command executed from the root context. Use double quotes around the search term and the show command. Use any grep options with the -options parameter and use double quotes around multiple grep options.

Syntax
grep [-options <opt1> <optx>] <search_term> [<show_command>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
  Description

-options <opt1> through <optx>
  Use this parameter to invoke grep options. Specify one or more grep options. When specifying more than one option, use double quotes around the options.

<search_term>
  Specify the search term and use double quotes if using more than one term.

<show_command>
  Specify the related CLI show command and use double quotes when the command contains more than one word.

Restrictions
Default Privilege Level: 15

Example
Here is an example of the grep command that filters all case-insensitive references to system in the running-config file:

CBS# grep -options -i system 'show running-config'
system-identifier 2
system-internal-network 1.1.0.0/16
system-ip-flow-rule external

search
The search command provides a simple method to search for single terms within show command output. The show command can include multiple terms bounded by single or double quotes. Two options are available: -exclude, to exclude matching lines, and -case-sensitive, to perform case-sensitive searches.

Syntax
search [-exclude] [-case-sensitive] <single_search_term> <show_command>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
  Description

-exclude
  Only lists non-matching search expression lines.

-case-sensitive
  Performs a case-sensitive search. By default, the search command does not consider case.

<search_term>
  This must be a single word search term. Valid characters are alphanumeric, dash, underscore, period, exclamation point, tilde, open parenthesis, close parenthesis, forward slash, backward slash, plus sign, and colon.

<show_command>
  Any valid CLI show command can be searched and multiple term show commands must be bounded by single or double-quotes.

Restrictions
Default Privilege Level: 0

Example
The following is an example of a simple search for the VAP operating systems for each configured VAP group.

CBS# search xslinux show running-config
vap-group fw_1 xslinux_v5
vap-group fw_2 xslinux_v5_64
vap-group fw_3 xslinux_v3


show audit-trail
This command displays the entries in the audit-trail log file that match the specified filter criteria. If no filter criteria are specified, the command displays all entries in the audit-trail log file.

The audit-trail process records an entry in the audit-trail log file each time a user issues a CLI command and each time the CLI starts one of the following processes:
  routing-protocol
  routing-protocol-service
  application
  application-remove
  application-update
  archive-vap-group

NOTE: The audit-trail process does not record entries for CLI show commands.

Audit-trail log file entries also include detailed information about the CLI warning and error messages (if any) that result from each CLI command entry.

Syntax
show audit-trail [<username>] [type {cli | web | both}] [chronological-order] [date [<month>] [<date>] [<year>] [<hh:mm:ss>]]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
  Description

<username>
  Specifies the username to match. The match is case-insensitive.

type {cli | web | both}
  Specifies commands issued by either CLI users, or Web interface users, or both.
  cli: Displays only commands issued by CLI users.
  web: Displays only commands issued by Web interface users.
  both: Displays commands issued by users of both interfaces.

chronological-order
  Displays the log with the most recent entries first. Default displays the oldest entries first.

date
  The date parameter takes the following arguments:
  <jan-dec>: Three letter month name (lower-case). Default is jan.
  <1-31>: Date of month. Default is 1.
  <2000-3000>: Four digit year. Default is 2000.
  <hh:mm:ss>: Time in hh:mm:ss 24-hour format. Default is 00:00:00.
  This parameter filters the output to display commands issued since the date specified. If an argument is omitted, the default is used. For best results, specify a month, date, and year.

Restrictions
Default Privilege Level: 0

Example
The following audit-trail output shows audit trail entries at the start and completion of the application command run.

For the command:
CBS# application fw1 vap-group ipf install

Entries in the audit trail:
Apr 5 18:10:16 omaha cli: USER: admin, COMMAND: CBS# application > application fw1 vap-group ipf install #STARTED
Apr 5 18:12:25 omaha cli: USER: admin, COMMAND: CBS# application > application fw1 vap-group ipf install

If a command fails, the audit trail provides an error message and details about the error. In the following example, the configure circuit vap-group ip alias command failed. In addition to the Invalid value output, the console and audit trail outputs provide the following detail information: Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip.

CLI console:
CBS# configure circuit cct
CBS(conf-cct)# vap-group jack
CBS(conf-cct-vapgroup)# ip 5.5.5.5/24
CBS(conf-cct-vapgroup-ip)# alias 5.5.5.5/24
%CONF-ERR: Invalid value
Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip
CBS(conf-cct-vapgroup-ip)#

CBS# show audit-trail
/var/log/audit-trail
Aug 29 18:22:14 earth cli: USER: admin, COMMAND: CBS# configure circuit > configure circuit cct
Aug 29 18:22:17 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group > vap-group jack
Aug 29 18:22:23 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip > ip 5.5.5.5/24
Aug 29 18:22:56 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip alias > alias 5.5.5.5/24 #Failure: CONF-ERR: Invalid value, Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip
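
A parser for the audit-trail entry layout shown above, added here as an example (it is not Crossbeam code). It splits each entry into fields and then reports failures, commands that logged #STARTED with no completion entry, the commands the auto-promote Caution calls dangerous, and users who enabled auto-promote without a later no auto-promote. The first two sample lines are from the example above; the remaining lines, the RISKY list and the function names are assumptions constructed for this example.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "ts host source user context command status detail")

# Layout as printed in the guide's example:
#   <Mon> <d> <hh:mm:ss> <host> cli: USER: <user>, COMMAND: CBS# <context> > <command> [#STARTED | #Failure: ...]
# Assumption: a source other than "cli" (such as web entries) uses the same layout.
_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<source>\w+):\s+USER:\s*(?P<user>[^,]+),\s*COMMAND:\s*CBS#\s*"
    r"(?P<context>.*?)\s+>\s+(?P<rest>.*)$")
_STATUS = re.compile(r"\s*#(?P<status>STARTED|Failure):?\s*(?P<detail>.*)$")

# reload vap-group and reset-configuration come from the auto-promote Caution;
# unix is included because it opens a Linux shell (a choice made for this example).
RISKY = ("reset-configuration", "reload vap-group", "unix")

# Lines 1-2 are from the guide's example; the rest are constructed.
SAMPLE_LOG = """\
Aug 29 18:22:14 earth cli: USER: admin, COMMAND: CBS# configure circuit > configure circuit cct
Aug 29 18:22:56 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip alias > alias 5.5.5.5/24 #Failure: CONF-ERR: Invalid value, Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip
Aug 29 18:30:02 earth cli: USER: admin, COMMAND: CBS# auto-promote > auto-promote
Aug 29 18:31:40 earth cli: USER: admin, COMMAND: CBS# reload vap-group > reload vap-group jack
Aug 29 18:40:11 earth cli: USER: oper1, COMMAND: CBS# application > application fw1 vap-group ipf install #STARTED
this line is not an audit-trail entry
"""


def parse_line(line):
    """Parse one audit-trail line into an Entry, or return None if it does not fit."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    status, detail = None, ""
    s = _STATUS.search(rest)
    if s:
        status, detail = s.group("status"), s.group("detail").strip()
        rest = rest[:s.start()]
    return Entry(m.group("ts"), m.group("host"), m.group("source"),
                 m.group("user").strip(), m.group("context").strip(),
                 rest.strip(), status, detail)


def parse_log(text):
    """Return (entries, unparsed_lines); unparsed lines deserve a manual look."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry:
            entries.append(entry)
        else:
            unparsed.append(line)
    return entries, unparsed


def review(entries):
    """Group the entries a reviewer would look at first."""
    failures, risky = [], []
    pending = {}    # (user, command) -> STARTED entry with no completion yet
    promoted = {}   # user -> auto-promote entry not yet followed by the no form
    for e in entries:
        key = (e.user, e.command)
        if e.status == "STARTED":
            pending[key] = e
        else:
            pending.pop(key, None)   # same command logged again: completion
        if e.status == "Failure":
            failures.append(e)
        words = e.command.split()
        if any(words[:len(r.split())] == r.split() for r in RISKY):
            risky.append(e)
        # Heuristic: entries carry no session id, so this is tracked per user.
        if words == ["auto-promote"]:
            promoted[e.user] = e
        elif words == ["no", "auto-promote"]:
            promoted.pop(e.user, None)
    return {"failures": failures, "risky": risky,
            "unfinished": list(pending.values()),
            "auto_promote_open": list(promoted.values())}


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for name, items in review(parsed).items():
        print(name, [(e.ts, e.user, e.command) for e in items])
    print("unparsed", bad)
```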


show history
This command displays the past several commands in the configurable history buffer that you entered during this session. The default history buffer includes 70 commands.

Syntax
show history

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show running-config
This command displays the configuration settings for the current Series-6 NPM Mode. The configuration is listed in the form of CLI commands and their parameter values. By default, this command displays only a subset of the configuration settings (modified settings and certain default settings). To display default settings, use the include-default parameter.

XOS V8.5 or greater maintains configuration information specific to both Series-2 and Series-6 operating modes for upgrade purposes only because Series-2 hardware is not supported in XOS V8.5 or greater. The Series-2 information is important to identify and reconfigure or remove any previously configured components.

The series-2, series-6, and all-series flags can be used to filter the available information. The series-2 option displays aspects of the configuration that are valid and applicable in NPM Series-2 mode. The series-6 option displays aspects of the configuration that are valid and applicable in NPM Series-6 mode. The all-series option displays aspects of the configuration valid for both Series-2 and Series-6 modes.

NOTE: In order to view the values of some parameters, such as mac-addr that has a system-reserved value, you must use the all-series flag. If you do not use one of the series flags, the current running NPM Mode series is assumed.

NOTE: Certain flow rules may not be displayed when using the series-2 or series-6 option. This occurs if a flow rule has a setting not applicable to that NPM mode. For example, if you enter show startup-config series-6, and the flow rule contains a domain range, the flow rule will not be displayed because NPM Series-6 mode does not support domain ranges. Key criteria include the following items:
  Destination addresses
  Source addresses
  Destination ports
  Source ports
  Protocols
  Domain
  Primary-action

Series-6 mode does not support rate-limiter or hide-slot-originator. Flow rules with these settings are shown in a Series-6 display, but these parameters are hidden.

NOTE: If you use configure no username admin to remove the default username, you will see this action as a configuration line when you show the running configuration.

Syntax
show running-config [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>] [interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
    Description

-flat
    Displays CLI commands with complete context.

echo-password
    Includes user-encrypted passwords.

-sort
    Sorts the output by VAP group and circuit name.

include-default
    Includes configuration parameters that are still set to their default values.

series-2
    Displays configuration components applicable to series-2 NPM Mode.

series-6
    Displays configuration components applicable to series-6 NPM Mode.

all-series
    Displays configuration components for all NPM Modes.

vap-group <VAP_group_name>
    Displays configuration entries for the specified VAP group.

circuit <circuit_name>
    Displays configuration entries for the specified circuit.

group-interface <group_interface_name>
    Displays configuration entries for the specified group interface.

vrrp-failovergroup <vrrp_failover_group_name>
    Displays configuration entries for the specified VRRP failover group.

ip-route
    Displays configured IP routes.

system-ip-flow-rule
    Displays configured system IP flow rules.

system-non-ip-flow-rule
    Displays configured system non IP flow rules.

exclude-wrp
    Excludes wrp circuits and all references to them.

interface-internal <interface_internal_name>
    Displays configuration entries for the specified interface-internal.

interface-status-group <interface_status_group_name>
    Displays configuration entries for the specified interface-status-group.

bridge-mode <circuit_name>
    Displays configuration entries for the specified bridge-mode circuit.

interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]
    Displays configuration entries for all interfaces. If you specify either gigabitethernet or 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.

Restrictions
Default Privilege Level: 0

Example
The following abbreviated examples show differences in the output when using the series-2 and series-6 options. Refer to Example XOS Running Configuration File on page 901 for a complete example running-config file.

The following output for show running-config series-6 contains information about the non-ip-flow-rule, which is valid in series-6 NPM Mode only:

CBS# show running-config series-6
vap-group fw xslinux_v3
  raid 0
  vap-count 3
  max-load-count 3
  ap-list ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule fw_lb
    action load-balance
    activate
  non-ip-flow-rule a45C
    action drop
#
vap-group fw1 xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap5 ap6 ap7
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule fw1_lb
    action load-balance
    activate
  non-ip-flow-rule 33_RA
    action drop

The following abbreviated example shows the output of show running-config using the -flat option:

CBS# show running-config -flat
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
# CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
# Kit Number: xx
#Do not remove above this line
#
configure
#
configure hostname docs-x45 cp1
configure ip domainname crossbeam
configure ip telnet
configure ip ftp
configure system-identifier 2
configure system-internal-network 1.1.0.0/16
configure operating-mode single-np series-2
#
configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
configure access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
#

show startup-config
This command displays the startup configuration. The startup configuration is used the next time the system starts. The configuration is displayed in the form of CLI commands. By default, this command displays only user-modified settings. To display all settings, including unmodified default settings, use the include-default parameter.

XOS V8.5 or greater maintains configuration information specific to both Series-2 and Series-6 operating modes for upgrade purposes only because Series-2 hardware is not supported in XOS V8.5 or greater. The Series-2 information is important to identify and reconfigure or remove any previously configured components. The series-2, series-6, and all-series flags can be used to filter the available information.

The series-2 option displays aspects of the configuration that are valid and applicable in NPM Series-2 mode.
The series-6 option displays aspects of the configuration that are valid and applicable in NPM Series-6 mode.
The all-series option displays aspects of the configuration valid for both Series-2 and Series-6 modes.

NOTE: In order to view the values of some parameters, such as mac-addr that has a system-reserved value, you must use the all-series flag. If you do not use one of the series flags, the current running NPM Mode series is assumed.

NOTE: If you use show startup-config with the series-2 or the series-6 option, and key criteria (listed below) do not apply to the selected NPM mode, the flow rules will not be displayed. For example, if you enter show startup-config series-6, and the flow rule contains a domain range, the flow rule will not be displayed because NPM Series-6 mode does not support domain ranges.

Key criteria include the following items:
- Destination addresses
- Source addresses
- Destination ports
- Source ports
- Protocols
- Primary-action

In the case of the following minor criteria, when they do not apply to a flow rule (based on the NPM mode you designated with the show startup-config command), only the non-applicable parameters are hidden, not the entire rule:
- Hide-slot-originator

Syntax
show startup-config [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>] [interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
    Description

-flat
    Displays CLI commands with complete context.

echo-password
    Includes user-encrypted passwords.

-sort
    Sorts the output by VAP group and circuit name.

include-default
    Includes configuration parameters that are still set to their default values.

series-2
    Displays configuration components applicable to series-2 NPM Mode.

series-6
    Displays configuration components applicable to series-6 NPM Mode.

all-series
    Displays configuration components for all NPM Modes.

vap-group <VAP_group_name>
    Displays configuration entries for the specified VAP group.

circuit <circuit_name>
    Displays configuration entries for the specified circuit.

group-interface <group_interface_name>
    Displays configuration entries for the specified group interface.

vrrp-failovergroup <vrrp_failover_group_name>
    Displays configuration entries for the specified VRRP failover group.

ip-route
    Displays configured IP routes.

system-ip-flow-rule
    Displays configured system IP flow rules.

system-non-ip-flow-rule
    Displays configured system non IP flow rules.

exclude-wrp
    Excludes wrp circuits and all references to them.

interface-internal <interface_internal_name>
    Displays configuration entries for the specified interface-internal.

interface-status-group <interface_status_group_name>
    Displays configuration entries for the specified interface-status-group.

bridge-mode <circuit_name>
    Displays configuration entries for the specified bridge-mode circuit.

interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]
    Displays configuration entries for all interfaces. If you specify either gigabitethernet or 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.

Restrictions
Default Privilege Level: 15

Example
Refer to Example XOS Running Configuration File on page 901. The following is an example of this command:

CBS# show startup-config -flat
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
# CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
# Kit Number: xx
#Do not remove above this line
#
configure
#
configure hostname docs-x45 cp1
configure ip domainname crossbeam
configure ip telnet
configure ip ftp
configure system-identifier 2
configure system-internal-network 1.1.0.0/16
configure operating-mode single-np series-2
#
configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
configure access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
#
ntp server 192.168.1.101
#
module 12 disable
#
username admin privilege 15 gui-level administrator
#
no timeout
web-server web-timeout 65535
#
alias wr 'copy running-config startup-config'
#
vap-group L3 xslinux_v3
  vap-count 3
  ap-list ap7 ap8 ap9
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule LB
    action load-balance
    activate
vap-group IDS xslinux_v3
  vap-count 3
  ap-list ap7 ap8 ap9
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule IDS
    action load-balance
    activate
vap-group FW xslinux_v3
  vap-count 3
  max-load-count 1
  ap-list ap3 ap4 ap5
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-forwarding
  ip-flow-rule Slb
    action load-balance
    activate
#
dns server 192.168.1.102
dns server 192.168.1.102 vap-group IDS
#
dns search-name crossbeam.com
dns search-name crossbeam.com vap-group IDS
dns search-name lab.crossbeam.com vap-group IDS
0.0.0.0 255.255.255.255 destination-ip 192.168.1.0 0.0.255.255
.
.
#
redundancy-interface master gigabitethernet 1/2 backup gigabitethernet 2/2
  mac-usage master
  failovermode preemption-on
#
vrrp failover-group one failover-group-id 1
  preemption
  priority 200
  virtual-router vrrp-id 1 circuit intr320
    vap-group FW
      virtual-ip 100.3.20.251/24 100.3.20.255
  virtual-router vrrp-id 2 circuit intr420
    vap-group FW
      virtual-ip 100.4.20.251/24 100.4.20.255
vrrp failover-group two failover-group-id 2
  preemption
  priority 250
  virtual-router vrrp-id 3 circuit mltvlan110
    vap-group FW
      virtual-ip 100.1.10.251/24 100.1.10.255
  virtual-router vrrp-id 4 circuit mltvlan210
    vap-group FW
      virtual-ip 100.2.10.251/24 100.2.10.255
#
ip route 79.0.0.0/24 78.0.0.100 vap-group FW circuit 78net
ip route 80.0.0.0/24 78.0.0.100 vap-group FW circuit 78net
ip route 192.168.66.0/24 192.168.74.1 vap-group FW circuit fwman
ip route 100.10.10.0/24 100.1.10.100 vap-group FW circuit mltvlan110
ip route 100.20.10.0/24 100.2.10.100 vap-group FW circuit mltvlan210
ip route 100.30.20.0/24 100.3.20.100 vap-group FW circuit intr320
ip route 100.40.20.0/24 100.4.20.100 vap-group FW circuit intr420.
end
CBS#
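The following added example (not part of the Crossbeam guide) shows one way to review captured show running-config -flat and show startup-config -flat output offline: it reports commands present in one configuration but not the other, and flags lines that deserve review. The function names and sample captures are constructed for illustration. It assumes that the presence of configure ip telnet or configure ip ftp means the service is enabled and that the address pair 0.0.0.0 255.255.255.255 matches any address.

```python
import re

# Constructed captures modelled on the -flat output format shown above;
# hostnames, ACL numbers and timestamps are sample values, not real device data.
RUNNING = """\
CBS# show running-config -flat
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
#Do not remove above this line
#
configure
#
configure hostname docs-x45 cp1
configure ip domainname crossbeam
configure ip telnet
configure ip ftp
#
configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
configure access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 192.168.1.0 0.0.0.255
#
configure username admin privilege 15 gui-level administrator
"""

STARTUP = """\
CBS# show startup-config -flat
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:25:03 2011
#Do not remove above this line
#
configure
#
configure hostname docs-x45 cp1
configure ip domainname crossbeam
#
configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
configure access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 192.168.1.0 0.0.0.255
#
configure username admin privilege 15 gui-level administrator
"""

PROMPT = re.compile(r"^\S+#(\s|$)")      # echoed prompt line, e.g. "CBS# show ..."
ANY = r"0\.0\.0\.0 255\.255\.255\.255"   # assumption: this pair matches any address

# Review rules applied to commands after the "configure " prefix is stripped.
RULES = [
    # Assumption: the line's presence means the cleartext service is enabled.
    ("cleartext-mgmt", re.compile(r"^ip (telnet|ftp)$")),
    ("permit-any-any", re.compile(
        rf"^access-list \d+ permit ip source-ip {ANY} destination-ip {ANY}$")),
    # The guide notes the default username can be removed with
    # "configure no username admin"; report when it is still defined.
    ("default-admin-present", re.compile(r"^username admin\b")),
]


def parse_flat(output):
    """Return the configuration commands of a -flat capture, in order.

    Comment lines (which carry timestamps that differ between captures),
    the echoed prompt and the bare "configure" line are dropped.
    """
    commands = []
    for raw in output.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("#") or PROMPT.match(line) or line == "configure":
            continue
        if line.startswith("configure "):
            line = line[len("configure "):]
        commands.append(line)
    return commands


def drift(running, startup):
    """Return (commands only in running, commands only in startup)."""
    run, start = parse_flat(running), parse_flat(startup)
    return ([c for c in run if c not in start],
            [c for c in start if c not in run])


def risky(commands):
    """Return (rule, command) pairs for every command a rule matches."""
    return [(tag, cmd) for cmd in commands for tag, rx in RULES if rx.search(cmd)]


if __name__ == "__main__":
    unsaved, lost_on_reload = drift(RUNNING, STARTUP)
    print("only in running-config:", unsaved)
    print("only in startup-config:", lost_on_reload)
    for tag, cmd in risky(parse_flat(RUNNING)):
        print(f"{tag}: {cmd}")
```

Commands reported as only in the running configuration have not been saved and disappear at the next start; when nobody expected a change, they are the lines to investigate first.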

show vsx-configuration
This command displays configuration settings modified by the Check Point VSX application, such as system IP flow rules, IP flow rules, circuits, and logical interfaces.

Syntax
show vsx-configuration [<vsx_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
    Description

<vsx_name>
    Portion of VSX names to match.

Restrictions
Default Privilege Level: 15

Example
The following information shows an excerpt of the show vsx-configuration output:

CBS# show vsx-configuration
Displaying VSX Configuration of System IP Flow Rules
Displaying VSX Configuration of IP Flow Rules
ip-flow-rule vsx_dst_vs1_77_77_77_77_vsxb1
  action load-balance
  priority 15
  destination-addr 77.77.77.77 77.77.77.77
  activate
ip-flow-rule vsx_dst_vs2_10_10_2_1_vsxb1
  action load-balance
  priority 15
  destination-addr 10.10.2.1 10.10.2.1
  activate
Displaying VSX Configuration of Circuits
circuit vsx_ckt_vsxb1_1_4_4001 circuit-id 1027 domain 501
  device-name out.4001
  vap-group vsxb1
    ip-forwarding
    default-egress-vlan-tag 4001
circuit vsx_ckt_vsxb1_internal_l2l3_3001 circuit-id 1032 domain 502
  internal
  device-name l2l3.3001
  vap-group vsxb1
    ip-forwarding
    default-egress-vlan-tag 3001
Displaying VSX Configuration of Logical Interfaces
interface gigabitethernet 1/4
  logical outside
    circuit outside
  logical vsx_log_vsxb1_1_4_4001 ingress-vlan-tag 4001 4001
    circuit vsx_ckt_vsxb1_1_4_4001
  logical vsx_log_vsxb1_1_4_4002 ingress-vlan-tag 4002 4002
    circuit vsx_ckt_vsxb1_1_4_4002

show resource-statistics
This command displays chassis-wide flow table utilization statistics in these categories:
- UDP flow entries
- TCP flow entries
- ICMP flow entries
- Other-IP flow entries
- Skip-port-protocol entries

Syntax
show resource-statistics [verbose] ([flow-table-limit] | [flow-table-usage]) [<np_module_name_list>]

Use the clear resource-statistics command to clear the flow table utilization counters.

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
    Description

verbose
    (Optional) Shows all active flow information

flow-table-limit
    Displays statistics on flow-table-limit

flow-table-usage
    Displays statistics on flow-table-usage

<np_module_name_list>
    Specifies any subset of the list of NPMs. Separate the list items with a space. Example: np1 np3 np4

Restrictions
Default Privilege Level: 0
Default Privilege Level (show resource-statistics flow-table-limit): 15

Examples
CBS# show resource-statistics verbose flow-table-limit
Slot 1
Uni-directional flows exceeding configured flow table limits:
            Excess flows since     Dropped flows since
            last clear             last clear
            ====================   ====================
UDP       : 0                      0
TCP       : 0                      0
ICMP      : 0                      0
Other-IP  : 0                      0
Last cleared: Never
CBS#

CBS# show resource-statistics verbose flow-table-usage np1 np3
Slot 1
Bi-directional flow entry usage:
                      Active flows         Total since last         Available
                      (% of flow table)    clear                    entries
                      ==================   ======================   =========
UDP                 : 0 ( 0%)              0                        60%
TCP                 : 0 ( 0%)              0                        75%
ICMP                : 0 ( 0%)              0                        60%
Other-IP            : 0 ( 0%)              0                        55%
Skip-port-protocol  : 0 ( 0%)              0
Flow table size: 7134208
Last cleared: Never
CBS#

clear resource-statistics
This command clears the cumulative counters of the chassis-wide flow table utilization statistics. You must be an administrator (privilege level 15) to use this command.

Syntax
clear resource-statistics

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
CBS# clear resource-statistics
CBS#

Commands for Displaying X-Series Platform Hardware and XOS Software Version Information
This section contains the following commands:
- show system
- show version

show system
This command displays information about the system, such as: system name, location, contact info, hardware revision, software version, and so on.

Syntax
show system

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command that includes configured SNMP data for System-Name, System-Contact, System-Location, and System-Engine-ID:

CBS# show system
Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
Version: CLI 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
gcc: gcc version 2.96 20000731 (Linux 7.3 2.96-112)
CVS_Label: XOS-9_5_1_0-20110226_1

System-Name System-Contact System-Location System-Engine-ID : : : : mail@crossbeam.com Rogers IT lab engine45

Chassis information:
Part number: 003717, Serial Number: F6240016, Hardware Revision: E

Slot  Board Type  Ports  Part Num  Serial Num  Hw Revision  Status
1     NP8600      12     003927    G7150499    8            Up
2     NP8600      12     003927    G7150508    8            Up
5     AP8650      0      004911    L845H046    8            Active
6     AP9600      0      005682    P104N013    AA           Active
9     AP9600      0      005682    P104N034    AA           Active
13    CP9600      5      005962    N023J519    AA           Up

show version
This command displays the XOS software version, creation date, system image name, and kit number running on the primary CPM and displays basic hardware configuration information for the primary CPM. If you specify the detail parameter, the show version command also displays hardware and firmware information for each module installed in the X-Series Platform.

Syntax
show version [detail]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
    Description

detail
    Displays the hardware and firmware version information for each module installed in the X-Series Platform.

Restrictions
Default Privilege Level: 0

Example
The following is an example of the show version command.

CBS# show version
Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
Version: XOS 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
CVS_Label: XOS-9_5_1_0-20110226_1
Kit_Number: xx

CPU at 2327 Mhz processor with 16410064K bytes of memory
6755944K bytes of memory in use
Uptime is 3 day(s) 17 hour(s) 43 min(s) 56 sec(s)
Hard disk is 500(GB)
Second Hard disk is 500(GB)
Flash is not present

The following is an example of the show version detail command.

CBS# show version detail
Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
Version: XOS 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
gcc: gcc version 2.96 20000731 (Linux 7.3 2.96-112)
CVS_Label: XOS-9_5_1_0-20110226_1
Kit_Number: 37

CPU at 2327 Mhz processor with 16410064K bytes of memory
6757472K bytes of memory in use
Uptime is 3 day(s) 17 hour(s) 44 min(s) 57 sec(s)
Hard disk is 500(GB)
Second Hard disk is 500(GB)
Flash is not present

Details per slot:

Revision for slot 1
Boot Strap version   : 2.0.0.10
Bootloader version   : 2.0.0.10
Diagnostics version  : 2.1.0.3
SysCtl FPGA version  : 0x4
Focus FPGA version   : 0xf
CPLD version         : 0x4
Board version        : 8
Board serial number  : G7150499
Board type           : NP8600
Board part number    : 003927

Revision for slot 2
Boot Strap version   : 2.0.0.10
Bootloader version   : 2.0.0.10
Diagnostics version  : 2.1.0.3
SysCtl FPGA version  : 0x4
Focus FPGA version   : 0xf
CPLD version         : 0x4
Board version        : 8
Board serial number  : G7150508
Board type           : NP8600
Board part number    : 003927

Revision for slot 5
Boot Strap version   : 1.7.0.1
Bootloader version   : 1.7.0.2
Diagnostics version  : 1.1.0.4
SysCtl FPGA version  : 0x600
Focus FPGA version   : 0x600
CPLD version         : 0x15
Board version        : 8
Board serial number  : L845H046
Board type           : AP8650
Board part number    : 004911

Revision for slot 6
Boot Strap version   : 1.8.0.0
Bootloader version   : 1.8.0.2
Diagnostics version  : 0.4.0.14
SysCtl FPGA version  : 0x10c
Focus FPGA version   : 0x10c
CPLD version         : 0xc
Board version        : AA
Board serial number  : P104N013
Board type           : AP9600
Board part number    : 005682

Revision for slot 9
Boot Strap version   : 1.8.0.0
Bootloader version   : 1.8.0.2
Diagnostics version  : 0.4.0.14
SysCtl FPGA version  : 0x10c
Focus FPGA version   : 0x10c
CPLD version         : 0xc
Board version        : AA
Board serial number  : P104N034
Board type           : AP9600
Board part number    : 005682

Revision for slot 13
Boot Strap version   : 1.7.0.2
Bootloader version   : 1.7.0.3
Diagnostics version  : 1.1.0.4
SysCtl FPGA version  : 0x600
Focus FPGA version   : 0x600
CPLD version         : 0x16
Board version        : AA
Board serial number  : N023J519
Board type           : CP9600
Board part number    : 005962

Commands for Displaying X-Series Platform Management Configuration Settings


This section contains the following commands:
- show arp
- show neighbor-discovery (IPv6)
- show dns-search-name
- show dns-server
- show hostname
- show ip addresses
- show ip default-network
- show ip domainname
- show ip forwarding
- show ip ftp
- show ip route
- show ip ssh
- show ip telnet
- show ldap-parameters
- show ldap-server
- show cp-next-boot
- show np-reload-timeout
- show ntp-server
- show operating-mode
- show radius-server
- show system-identifier
- show system-internal-network
- show timeout
- show timezone
- show web-server
- show web-session
- show web-wizard

show arp
This command displays entries in the ARP cache. You may provide a range of IP addresses to be displayed by specifying the low and high range. If one IP address is specified, only the entries in the ARP cache matching that IP address are displayed. You can also specify to only display dynamic entries. By default, all IP addresses in the ARP cache are displayed.

Syntax
show arp [<IP_addr_low> [<IP_addr_high>]] [dynamic]

Context
You access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter
    Description

<IP_addr_low>
    Display entries in the ARP cache for this IP address.

<IP_addr_high>
    Display entries in the ARP cache for all IP addresses between <IP_addr_low> and this IP address.

dynamic
    Display dynamic ARP entries only.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.

CBS# show arp
Module      Address         Hardware Addr      Type     Interface
vsx_1       1.1.200.20      00:03:d2:00:c8:0d  dynamic  eth0
vsx_1       192.168.71.211  00:03:d2:e0:02:c8  static   mgt
vsx_1       7.7.7.2         00:03:d2:e0:07:c8  static   sync
vsx_1       192.168.71.161  00:0c:29:78:a9:ab  dynamic  mgt
flo_1       192.168.71.186  00:0c:29:bd:4d:2d  dynamic  mgt
flo_1       9.9.9.2         00:03:d2:e0:06:c8  static   sync
flo_1       192.168.71.202  00:03:d2:e0:01:c8  static   mgt
flo_1       172.16.10.10    00:0e:0c:4e:1f:84  dynamic  bint
flo_1       1.1.200.102     00:03:d2:00:c8:09  dynamic  eth0
flo_1       1.1.200.20      00:03:d2:00:c8:0d  dynamic  eth0
flo_1       192.168.71.161  00:0c:29:78:a9:ab  dynamic  mgt
flo_2       1.1.200.101     00:03:d2:00:c8:08  dynamic  eth0
flo_2       172.16.10.10    00:0e:0c:4e:1f:84  dynamic  bint
flo_2       192.168.71.186  00:0c:29:bd:4d:2d  dynamic  mgt
flo_2       1.1.200.20      00:03:d2:00:c8:0d  dynamic  eth0
flo_2       192.168.71.161  00:0c:29:78:a9:ab  dynamic  mgt
flo_2       9.9.9.1         00:03:d2:e0:06:c8  static   sync
flo_2       192.168.71.201  00:03:d2:e0:01:c8  static   mgt
primarycpm  192.168.71.40   00:03:d2:2f:54:1c  dynamic  eth2
primarycpm  192.168.71.1    00:00:5e:00:00:47  dynamic  eth2
primarycpm  1.1.200.104     00:03:d2:00:c8:06  dynamic  eth0
primarycpm  1.1.200.4       00:03:d2:00:c8:04  dynamic  eth0
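The following added example (not part of the Crossbeam guide) parses captured show arp output in the column layout shown above and reports IP addresses that different modules resolve to different hardware addresses, which is worth checking as a sign of a misconfigured or spoofed entry. The sample table is constructed, and the function names and finding labels are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the "show arp" column layout; the conflicting
# hardware address 00:0c:29:aa:bb:cc is invented for the demonstration.
SAMPLE = """\
CBS# show arp
Module      Address         Hardware Addr      Type     Interface
vsx_1       192.168.71.161  00:0c:29:78:a9:ab  dynamic  mgt
flo_1       192.168.71.161  00:0c:29:78:a9:ab  dynamic  mgt
flo_2       192.168.71.161  00:0C:29:AA:BB:CC  dynamic  mgt
flo_1       192.168.71.202  00:03:d2:e0:01:c8  static   mgt
primarycpm  192.168.71.202  00:0c:29:aa:bb:cc  dynamic  eth2
primarycpm  192.168.71.1    00:00:5e:00:00:47  dynamic  eth2
"""

# One table row: module, IPv4 address, MAC address, entry type, interface.
ROW = re.compile(
    r"^(?P<module>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<type>static|dynamic)\s+(?P<iface>\S+)$",
    re.IGNORECASE,
)


def parse_arp(output):
    """Return one dict per ARP row; the prompt and header lines are skipped."""
    entries = []
    for raw in output.splitlines():
        match = ROW.match(raw.strip())
        if match:
            entry = match.groupdict()
            entry["mac"] = entry["mac"].lower()    # compare MACs case-insensitively
            entry["type"] = entry["type"].lower()
            entries.append(entry)
    return entries


def find_conflicts(entries):
    """Report every IP address that maps to more than one hardware address.

    kind is "dynamic-contradicts-static" when a static entry exists for the
    address and some other entry disagrees with it, else "ip-multiple-macs".
    seen_by lists, per hardware address, the modules that hold that mapping.
    """
    by_ip = defaultdict(list)
    for entry in entries:
        by_ip[entry["ip"]].append(entry)

    findings = []
    for ip in sorted(by_ip):
        rows = by_ip[ip]
        macs = {r["mac"] for r in rows}
        if len(macs) < 2:
            continue
        static = {r["mac"] for r in rows if r["type"] == "static"}
        kind = ("dynamic-contradicts-static" if static and macs - static
                else "ip-multiple-macs")
        seen_by = {mac: sorted({r["module"] for r in rows if r["mac"] == mac})
                   for mac in sorted(macs)}
        findings.append({"ip": ip, "kind": kind,
                         "macs": sorted(macs), "seen_by": seen_by})
    return findings


if __name__ == "__main__":
    for finding in find_conflicts(parse_arp(SAMPLE)):
        print(finding["ip"], finding["kind"], finding["seen_by"])
```

Running the check on successive captures and comparing the findings shows when a mapping changed and which module saw the change first.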

show neighbor-discovery (IPv6)


This command displays the entries in the neighbor discovery table, along with status information for each discovered node.

Syntax
show neighbor-discovery

Context
You access this command from the main CLI context.

Output
The following table describes the information provided in each row of the output.

Row Heading
    Information Provided

Domain
    Displays the domain number associated with this neighbor entry.

IP address
    Displays the IP address of this neighbor entry.

State
    Displays the most recent state recorded in the neighbor discovery table. Possible values are:
    DELAY - The neighbor is no longer known to be reachable, and traffic has recently been sent to the neighbor. Rather than probe the neighbor immediately, however, delay sending probes for a short while in order to give upper layer protocols a chance to provide reachability confirmation.
    INCOMPLETE - Address resolution is in progress and the link-layer address of the neighbor has not yet been determined.
    PROBE - The neighbor is no longer known to be reachable, and unicast Neighbor Solicitation probes are being sent to verify reachability.
    REACHABLE - Roughly speaking, the neighbor is known to have been reachable recently (within tens of seconds ago).
    STALE - The neighbor is no longer known to be reachable but until traffic is sent to the neighbor, no attempt should be made to verify its reachability.
    FAILED - The neighbor has been declared unreachable. The system seeks an alternate path.

Type
    Displays the type of link associated with this neighbor discovery table entry. Possible values are:
    asymmetric reachability - A link where non-reflexive and/or non-transitive reachability is part of normal operation. (Non-reflexive reachability means packets from A reach B but packets from B don't reach A. Non-transitive reachability means packets from A reach B, and packets from B reach C, but packets from A don't reach C.) Many radio links exhibit these properties.
    multicast - A link that supports a native mechanism at the link layer for sending packets to all (i.e., broadcast) or a subset of all neighbors.
    non-broadcast multi-access (NBMA) - A link to which more than two interfaces can attach, but that does not support a native form of multicast or broadcast (e.g., X.25, ATM, frame relay, etc.).
    point-to-point - A link that connects exactly two interfaces. A point-to-point link is assumed to have multicast capability and have a link-local address.
    shared media - A link that allows direct communication among a number of nodes, but attached nodes are configured in such a way that they do not have complete prefix information for all on-link destinations. That is, at the IP level, nodes on the same link may not know that they are neighbors; by default, they communicate through a router. Examples are large (switched) public data networks such as SMDS and B-ISDN. Also known as "large clouds". See [SH-MEDIA].
    unicast - One of these unicast address types:
        Global unicast address - A conventional, publicly routable address, just like conventional IPv4 publicly routable addresses.
        Link-local address - Similar to the private, non-routable addresses in IPv4 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). They are not meant to be routed, but confined to a single network segment. Link-local addresses mean you can easily throw together a temporary LAN, such as for conferences or meetings, or set up a permanent small LAN the easy way.
        Unique local address - Meant for private addressing, with the addition of being unique, so that joining two subnets does not cause address collisions.
        Special addresses are loopback addresses, IPv4-address mapped spaces, and 6-to-4 addresses for crossing from an IPv4 network to an IPv6 network.
    variable MTU - A link that does not have a well-defined MTU (e.g., IEEE 802.5 token rings). Many links (e.g., Ethernet) have a standard MTU defined by the link-layer protocol or by the specific document describing how to run IP over the link layer.

Flags
    If one or more flags are set, they indicate the type of neighbor. Possible values are:
    A dash or hyphen indicates that no flags are set. The type of neighbor is not specified.
    The word PROXY indicates that the neighbor is a proxy ARP device.
    The word ROUTER indicates that the neighbor is an IPv6 router.

HW Address
    The MAC address associated with this neighbor discovery table entry.

Device
    The device name associated with this neighbor table entry.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.

CBS# show neighbor-discovery
Neighbor Entry
Module      one_2
Domain      0
IP address  2002:1::3
State       REACHABLE
Type        UNICAST
Flags
HW Address  00:03:d2:20:0c:69
Device      enter

Neighbor Entry
Module      one_2
Domain      0
IP address  2002:2::1
State       REACHABLE
Type        UNICAST
Flags
HW Address  00:03:d2:1f:fb:b9
Device      thru

Neighbor Entry
Module      one_2
Domain      0
IP address  fe80::203:d2ff:fe1f:fbb9
State       STALE
Type        UNICAST
Flags
HW Address  00:03:d2:1f:fb:b9
Device      thru

show dns-search-name
This command displays the configured DNS search name.

Syntax
show dns-search-name

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.

CBS# show dns-search-name
DNS Search Name     VAP Group
crossbeam.com

show dns-server
This command displays the configured DNS server.

Syntax
show dns-server

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.

CBS# show dns-server
DNS Server Address  VAP Group
10.1.2.89

show hostname
This command displays the hostname of the X-Series Platform.

Syntax
show hostname

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.

CBS# show hostname
CP1 Hostname : mars
CP2 Hostname : mars

show ip addresses
This command displays IP addresses.

Syntax
show ip addresses

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show ip default-network
This command displays the IP default network configuration.

Syntax
show ip default-network

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show ip domainname
This command displays the domain name.

Syntax
show ip domainname

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show ip forwarding
This command displays whether IP forwarding is enabled or disabled.

Syntax
show ip forwarding

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show ip ftp
This command displays whether the FTP server is enabled or disabled.

Syntax
show ip ftp

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show ip route
By default, this command displays all entries in the IP route table. If you specify a single destination IP address, this command queries all the VAP groups to find a matching route. The output displays three IP route table entries whose destination IP addresses best match the specified destination IP address as well as the management route. IP route table entry matches are ranked first by exact IP address matching, then by subnet mask matching, and then by metric matching. If you specify a range of destination IP addresses, this command displays all IP route table entries with destination IP addresses that match those in the specified range.

Syntax
show ip route [<destination_IP> | <first_destination_IP> <last_destination_IP>] [sort_by_destination_address]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter                                       Description
<destination_IP>                                Displays the three IP route table entries whose destination IP addresses are on the same subnet as, and most closely match, the specified destination IP address. IP route table entry matches are ranked first by exact IP address matching, then by subnet mask matching, and then by metric matching.
<first_destination_IP> <last_destination_IP>    Displays all IP route table entries with destination IP addresses that match those in the specified range.
sort_by_destination_address                     Sorts the display by domain and destination address.

Restrictions
Default Privilege Level: 0

Example
NOTE: All example commands in this section display entries from the same system's IP route table.
The following command lists all of the system's IP route table entries:
CBS(config)# show ip route
Module      Destination      Gateway       Metric  Device
fw_1        192.168.74.0/24  0.0.0.0       0       mgmt
fw_1        1.1.0.0/16       0.0.0.0       0       eth0
ips_1       192.168.74.0/24  0.0.0.0       0       mgmt
ips_1       1.1.0.0/16       0.0.0.0       0       eth0
primarycpm  192.168.74.0/24  0.0.0.0       0       eth2
primarycpm  1.1.0.0/16       0.0.0.0       0       eth0
primarycpm  127.0.0.0/8      0.0.0.0       0       lo
primarycpm  0.0.0.0/0        192.168.74.1  0       eth2

The following command displays each of the three IP route table entries that have the specified destination IP address, 192.168.74.0:
CBS# show ip route 192.168.74.0
Module      Destination      Gateway  Metric  Device
fw_1        192.168.74.0/24  0.0.0.0  0       mgmt
ips_1       192.168.74.0/24  0.0.0.0  0       mgmt
primarycpm  192.168.74.0/24  0.0.0.0  0       eth2

The following command displays each of the three IP route table entries that have a destination IP address that is on the same subnet as the specified IP address, 192.168.74.4:
CBS# show ip route 192.168.74.4
Module      Destination      Gateway  Metric  Device
fw_1        192.168.74.0/24  0.0.0.0  0       mgmt
ips_1       192.168.74.0/24  0.0.0.0  0       mgmt
primarycpm  192.168.74.0/24  0.0.0.0  0       eth2

NOTE: The above two commands have the same output because when you specify a single destination IP address with the show ip route command, the CLI displays the IP route table entries whose destination IP addresses best match the specified destination IP address. In the second example, there are no IP route table entries that match the specified destination IP address exactly, so the CLI displays the three best matches instead; these IP route table entries have destination IP addresses that are on the same subnet as the specified destination IP address.

show ip ssh
This command displays SSH server configuration information including the inactivity timeout setting (in minutes), and the number of authentication retries a user is allowed to make before being denied access to the system.

Syntax
show ip ssh

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is a sample display.
CBS# show ip ssh
SSH Server Enabled (true/false) : t
Login Timeout (seconds)         : 120
Authentication Retry            : 3
(1 row)

show ip telnet
This command displays whether the Telnet server is enabled or disabled.

Syntax
show ip telnet

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show ldap-parameters
This command displays the Lightweight Directory Access Protocol (LDAP) server parameters.

Syntax
show ldap-parameters

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command.
CBS# show ldap-parameters
LDAP Version    LDAP Distinguished Names
3               1

show ldap-server
This command displays the Lightweight Directory Access Protocol (LDAP) server configuration.

Syntax
show ldap-server [<hostname> | <IP_address>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter                    Description
<hostname> | <IP_address>    LDAP server DNS name or IP address. The default is to show all LDAP servers.

Restrictions
Default Privilege Level: 15

show cp-next-boot
This command displays the current and the next CPM boot distribution for each CPM.

Syntax
show cp-next-boot

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.
CBS# show cp-next-boot
CP1: Current boot is D1 (9.5.1)
CP1: Next boot is D1 (9.5.1)
CP2: Slot 14 is inaccessible
CP2: Slot 14 is inaccessible

show np-reload-timeout
This command displays the time interval, measured in seconds, that the system waits for an NPM to reload. If an NPM reload is not completed within the specified time interval, the system declares the NPM inaccessible and resets the slot. The default time interval is 300 seconds.

Syntax
show np-reload-timeout

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following example shows the output of this command for a system configured with the default np-reload-timeout setting of 300 seconds:
CBS# show np-reload-timeout
NP Reload Timeout (seconds)
300
(1 row)

show np-reset-wait-time
Displays the time interval, measured in seconds, that the system waits for a heartbeat signal from an NPM before resetting it. The default time interval is 5 seconds. Use the configure np-reset-wait-time command to display the NPM reset timeout interval configured for the X-Series Platform.

Syntax
show np-reset-wait-time

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

show ntp-server
This command displays Network Time Protocol (NTP) server addresses, if configured.

Syntax
show ntp-server

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show operating-mode
This command displays the X-Series Platform configured and operational mode.

Syntax
show operating-mode

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command:
CBS# show operating-mode
Chassis Type              : X80
Configured Operating Mode : dual-np
Operational Mode          : dual-np
Configured NPM Mode       : series-6
Operational NPM Mode      : series-6

show radius-server
This command displays the RADIUS host configuration on the X-Series Platform.

Syntax
show radius-server [<hostname>|<IP_address>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter       Description
<hostname>      Host name of RADIUS server host.
<IP_address>    IP address of RADIUS server host.

Restrictions
Default Privilege Level: 15

show system-identifier
This command displays the identifier configured with the configure system-identifier command. If the system identifier has been changed, but the chassis has not yet been reloaded, there will be a difference in the display of the Operating System Identifier and the Configured System Identifier as shown below.

Syntax
show system-identifier

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
CBS# configure system-identifier 5
CBS# show system-identifier
Operating System Identifier    Configured System Identifier
1                              5

show system-internal-network
This command displays the configured and operational IP addresses and subnet masks for the control network.

Syntax
show system-internal-network

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
The following example displays the output of this command.
CBS# show system-internal-network
Configured System Internal Network  : 1.1.0.0/16
Operational System Internal Network : 1.1.0.0
Operational System Internal Netmask : 255.255.0.0
(1 row)

show timeout
This command displays the current CLI session idle timeout.

Syntax
show timeout

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show timezone
This command displays the system time zone configured for the X-Series Platform.

Syntax
show timezone

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.
CBS# show timezone
Time Zone
America/New_York

show web-server
This command displays whether the Web server is enabled or disabled.

Syntax
show web-server

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.
CBS# show web-server
Web Server Enabled (true/false) : t

show web-session
This command displays web user sessions.

Syntax
show web-session

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.
CBS# show web-session
User              : admin
GUI Access Level  : Administrator
Start Access Time : 2010-03-08 10:09:39.339501-04
Last Access Time  : 2010-03-08 10:10:59.796468-04
User IP Addr      : 10.2.1.126

show web-timeout
This command displays the XOS Web Session timeout value.

Syntax
show web-timeout

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0
This command is not available on the X20, X30, or X60 chassis.

Example
The following shows an example of this command.
CBS# show web-timeout
Web Session Timeout (minutes) : 20
(1 row)

show web-wizard
This command displays the XOS GUI's wizard setting.

Syntax
show web-wizard

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0
This command is not available on the X20, X30, or X60 chassis.

Example
The following shows an example of this command.
CBS# show web-wizard
Login Web Wizard View (true/false) : f
(1 row)

Commands for Displaying X-Series Platform Management Interface Configuration Settings


This section contains the following commands:
  show management
  show management-ip-alias
  show management-ip-nat
  show access-list

show management
This command displays the management interface configuration of a specific port. Only the CPM ports are configured for management interfaces.

Syntax
show management {gigabitethernet <slot/port> | high-availability}

Context
You access this command from the main CLI context.

Inline Commands
The following table lists the CLI commands used inline with the show management command.
Command                        Description
gigabitethernet <slot/port>    Displays the Gigabit Ethernet interface and the slot and port of the interface.
high-availability              Displays the configurations for the high-availability management port on each CPM.

Restrictions
Default Privilege Level: 0

Example
The following is a sample display:
CBS# show management gigabitethernet 14/1
Gigabitethernet 14/1 is up
Hardware address is 00:03:d2:10:09:08
MTU 1500 bytes, BW 1000 Mbits, half-duplex, auto-negotiation is enabled
Last clearing of "show interface" counters never
1108362 packets input, 140561899 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 2 frame, 0 overrun, 0 ignored
1201989 packets output, 818440146 bytes, 2 underruns
2 output errors, 0 collisions

CBS# show management high-availability
CP Module  Auto Negotiate Enabled (true/false)  Media Speed (Mbits)  Duplex Mode
cp1        t                                    N/A                  N/A
cp2        t                                    N/A                  N/A
(2 rows)
High-availability port on slot 14 is up
BW 1 Gigabit, full-duplex, auto-negotiation is disabled
Last clearing of "show interface" counters Fri Sep 3 04:49:04 2010
PHY stats: Statistics on physical line
Received:
  Total frames 0 (bytes 0)
  Total errors 0
Transmitted:
  Total frames 58 (bytes 3712)
  Total errors 0

show management-ip-alias
This command displays management IP aliases.

Syntax
show management-ip-alias

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show management-ip-nat
This command displays the NAT inside and outside configurations.

Syntax
show management-ip-nat

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show access-list
This command displays configured access lists.

Syntax
show access-list [<list_number>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter        Description
<list_number>    Access list number. Valid values are 0 to 65535. Default is all.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command:
CBS# show access-list
Access List                 : 1001
Access                      : permit
Protocol                    : ip
Source IP and Wildcard      : 192.168.0.0 0.0.255.255
Destination IP and Wildcard : 0.0.0.0 255.255.255.255
Log Enable (true/false)     : f
Access List                 : 1002
Access                      : permit
Protocol                    : ip
Source IP and Wildcard      : 0.0.0.0 255.255.255.255
Destination IP and Wildcard : 192.168.0.0 0.0.255.255
Log Enable (true/false)     : f

Commands for Displaying User Account and User Access Configuration Settings
This section contains the following commands:
  show lock-config
  show snmp-user
  show username
  show usernames
  show autocommand
  show privilege
  show tree include-privilege

show lock-config
This command displays information about the user who issued a lock-config command.

Syntax
show lock-config

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is a sample display:
CBS# show lock-config
Configuration is locked by : admin
User type                  : CLI
(1 row)

show snmp-user
This command displays all SNMPv3 users or a specific user.

Syntax
show snmp-user [<username>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter     Description
<username>    Name of an SNMPv3 user.

Restrictions
Default Privilege Level: 0

Example
This example displays the configuration for an SNMP user with the username of bob. The settings are all the default settings.
CBS# show snmp-user
Username            : bob
Authentication Type : none
Privacy Type        : none
OID                 : .iso
(1 row)

show username
This command displays information (username, CLI privilege level and GUI level) about the specified user. If no username is specified, the command displays information for the current user.

Syntax
show username [<username>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter     Description
<username>    User for whom the information is displayed.

Restrictions
Default Privilege Level: 0

Output
This command displays username information in the following format:
CBS# show username
Username                     : admin
Assigned CLI Privilege Level : 15
Current CLI Privilege Level  : 15
GUI Access Level             : Administrator
Maxdays                      : 30
(1 row)

The following table describes the information provided in each column/row:
Column/Row Heading              Information Provided
Username                        User name assigned to the user account.
Assigned CLI Privilege Level    The CLI privilege level assigned to the user account. To execute a CLI command, a user's CLI privilege level must be greater than or equal to the command's privilege level. Valid values are from 0-15. The default CLI privilege level for a new user account is 0.
Current CLI Privilege Level     The CLI privilege level in effect for the current (logged on) user. This information is displayed only for the current user.
GUI Access Level                The GUI privilege level assigned to the user account.
                                  unauthorized: User cannot access the GUI at all.
                                  guest: User has read-only access to the GUI. User can view current X-Series Platform configuration settings, but cannot change any settings using the GUI.
                                  network-operator: User can view current X-Series Platform configuration settings and can change network connectivity configuration settings such as NPM interface configuration settings.
                                  service-operator: User can view current X-Series Platform configuration settings and can change service provisioning configuration settings such as VAP group configuration settings.
                                  administrator: User can view and change all current X-Series Platform configuration settings.
Maxdays                         The maximum number of days that a user account password can remain valid before it expires. When a password expires, the user must change the password upon his/her next login. The default maxdays parameter value is 30 days. The valid range is 0 - 65355.

show usernames
This command displays information (username, privilege level, GUI access level, and maximum number of days before the password expires) about all users.

Syntax
show usernames

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command:
CBS# show usernames
Username                     : admin
Assigned CLI Privilege Level : 15
GUI Access Level             : Administrator
Maxdays                      : 30
Username                     : guest
Assigned CLI Privilege Level : 15
GUI Access Level             : Guest
Maxdays                      : 30
(3 rows)
For a description of the information provided, see show username.
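
The privilege rule given under show username (a user's CLI privilege level must be greater than or equal to the command's privilege level) can be applied to a saved show usernames capture when reviewing accounts. The following Python script is an added example, not part of the Crossbeam guide or XOS; the sample capture, the netops account, the finding names, the read-only-GUI heuristic and the 90-day policy threshold are constructed assumptions, while the command privilege levels are the defaults listed in this section.

```python
import re

# Default privilege levels copied from the "Restrictions" entries of
# commands documented in this section of the guide.
COMMAND_PRIVILEGE = {
    "show ip route": 0,
    "show usernames": 0,
    "show ldap-server": 15,
    "show radius-server": 15,
    "show access-list": 15,
    "show management-vip": 15,
}

# GUI access levels the guide describes as no access or read-only access.
READ_ONLY_GUI = {"unauthorized", "guest"}

# Constructed capture in the "show usernames" layout; "netops" is made up.
SAMPLE_OUTPUT = """\
CBS# show usernames
Username                     : admin
Assigned CLI Privilege Level : 15
GUI Access Level             : Administrator
Maxdays                      : 30
Username                     : guest
Assigned CLI Privilege Level : 15
GUI Access Level             : Guest
Maxdays                      : 30
Username                     : netops
Assigned CLI Privilege Level : 0
GUI Access Level             : network-operator
Maxdays                      : 365
(3 rows)
"""

PROMPT_RE = re.compile(r"^\S+#(\s|$)")        # e.g. "CBS# ..." or "CBS(config)# ..."
ROWS_RE = re.compile(r"^\((\d+) rows?\)$")    # trailer such as "(3 rows)"
FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")


def parse_usernames(text):
    """Return (records, declared_rows) parsed from 'show usernames' output."""
    records, declared = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue
        rows = ROWS_RE.match(line)
        if rows:
            declared = int(rows.group(1))
            continue
        field = FIELD_RE.match(line)
        if not field:
            continue
        key, value = field.group(1), field.group(2)
        if key == "Username":
            records.append({})          # each account block starts here
        if records:
            records[-1][key] = value
    return records, declared


def allowed_commands(cli_level):
    """Commands a user may run: the user's level must be >= the command's."""
    return [cmd for cmd, need in COMMAND_PRIVILEGE.items() if cli_level >= need]


def audit(records, declared, max_password_days=90):
    """Return (username, finding) tuples; the threshold is a local policy choice."""
    findings = []
    # A trailer that disagrees with the parsed blocks means a truncated capture.
    if declared is not None and declared != len(records):
        findings.append(("*", "row-count-mismatch"))
    for rec in records:
        user = rec.get("Username", "?")
        gui = rec.get("GUI Access Level", "").lower()
        try:
            level = int(rec.get("Assigned CLI Privilege Level", ""))
            maxdays = int(rec.get("Maxdays", ""))
        except ValueError:
            findings.append((user, "unparseable-record"))
            continue
        if not 0 <= level <= 15:
            findings.append((user, "cli-level-out-of-range"))
        # Heuristic (assumption): full CLI rights on an account whose GUI
        # role is read-only or disabled deserves a least-privilege review.
        if level == 15 and gui in READ_ONLY_GUI:
            findings.append((user, "cli-15-with-read-only-gui"))
        if maxdays > max_password_days:
            findings.append((user, "maxdays-over-policy"))
    return findings


if __name__ == "__main__":
    recs, rows = parse_usernames(SAMPLE_OUTPUT)
    for rec in recs:
        level = int(rec["Assigned CLI Privilege Level"])
        print(rec["Username"], "can run", allowed_commands(level))
    for user, finding in audit(recs, rows):
        print("REVIEW", user, finding)
```

The row-count check matters when a capture is pasted from a scrolled terminal: the trailer still reports the full number of accounts, so missing blocks are flagged instead of silently passing the review.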

show autocommand
This command displays the configured autocommand, which is a group of CLI commands to execute when the user logs in.

Syntax
show autocommand [<username>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter     Description
<username>    Username whose autocommand(s) will be displayed. Default is current user.

Restrictions
Default Privilege Level: 0

show privilege
This command displays privilege levels of a command and sub-command (up to 10 levels).

Syntax
show privilege <command> [<sub_command> ...]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter        Description
<command>        Command for which the privilege level is displayed.
<sub_command>    Sub-command for which privilege level is displayed.

Restrictions
Default Privilege Level: 0

Example
The following example shows a privilege level for the show ip route command.
CBS# show privilege show ip route
Command 'show ip route' at privilege level 0

show tree include-privilege


This command displays a list of all commands in the CLI in a tree format.

Syntax
show tree [include-privilege]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter            Description
include-privilege    Displays the privilege level required to execute that command after the command's name.

Restrictions
Default Privilege Level: 0

Example
The following shows partial output from the show tree include-privilege command:
CBS# show tree include-privilege
|
+---alias (privilege 0)
|
+---application (privilege 15)
|
+---application-remove (privilege 15)
|   |
|   +---version (privilege 15)
|   |
|   +---release (privilege 15)
|
+--

Commands for Displaying System Alarm and Logging Configuration Settings


This section contains the following commands:
  show alarm-enabled
  show facility-alarm
  show snmp
  show logging console
  show logging setting
  show logging server

show alarm-enabled
This command displays whether alarms are turned on or off.

Syntax
show alarm-enabled

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command:
CBS# show alarm-enabled
Alarm Name      Enabled (true/false)
power-supply    t
power-feed      t
(2 rows)

show facility-alarm
This command displays facility alarm settings.

Syntax
show facility-alarm

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.
CBS# show facility-alarm
Facility Name  : cpu
Lower Critical : 0 Percent
Upper Critical : 99 Percent
Lower Major    : 0 Percent
Upper Major    : 90 Percent
Lower Minor    : 0 Percent
Upper Minor    : 80 Percent
Facility Name  : cpu-core
Lower Critical : 0 Percent
Upper Critical : 99 Percent
Lower Major    : 0 Percent
Upper Major    : 90 Percent
Lower Minor    : 0 Percent
Upper Minor    : 80 Percent
Facility Name  : disk-usage-boot
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Percent
Upper Minor    : 70 Percent
Facility Name  : disk-usage-cbconfig
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Percent
Upper Minor    : 70 Percent
Facility Name  : disk-usage-mgmt
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Percent
Upper Minor    : 70 Percent
Facility Name  : disk-usage-root
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Percent
Upper Minor    : 70 Percent
Facility Name  : disk-usage-tftpboot
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Percent
Upper Minor    : 70 Percent
Facility Name  : disk-usage-var
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Celsius
Upper Minor    : 70 Percent
Facility Name  : free-memory
Lower Critical : N/A
Upper Critical : N/A
Lower Major    : 2 - threshold multiplier
Upper Major    : N/A
Lower Minor    : 4 - threshold multiplier
Upper Minor    : N/A
(9 rows)
CBS#

show snmp
This command displays the existing system location, contact information, and SNMP hosts or SNMP communities. If no parameter is specified, system information is displayed.

Syntax
show snmp [contact|engine-id|location|community|hosts|system]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter    Description
contact      SNMP contact information.
engine-id    Engine Identifier for this copy of SNMP.
location     SNMP server location information.
community    Community strings, IP address, and network mask.
hosts        IP address, traps/inform configuration, security level, community string, and port number of the configured hosts for SNMP traps.
system       SNMP system information, such as system name, contact, and location.

Restrictions
Default Privilege Level: 0

show logging console


This command displays all Crossbeam event messages stored in the console log that have a severity level equal to or lower than the specified log level. If you do not specify a log level, this command displays event messages stored in the console log that have a severity level equal to or lower than log level 4, Warning.

NOTE: Event message severity levels and log levels are numbered 0 - 7. However, level 0 (Emergency) is the highest severity level, while it is the lowest log level. Level 7 (Debugging) is the lowest severity level, while it is the highest log level. You can specify a log level by entering the log level number (0-7) or by entering the severity keyword that corresponds to the desired log level number (listed below).

NOTE: The console log stores only the event messages that have a severity level equal to or less than the current console log level. (See configure logging console.) If the log level specified with the show logging console command is higher than the current console log level, the command displays all event messages stored in the console log.

Syntax
show logging console [level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}] [component <component_name>] [hostname <hostname>] [chronological-order] [<month>] [<date>] [<year>] [<time>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter                     Description
level <level_number>          Displays all event messages stored in the console log that have a severity level number equal to or lower than the log level, <level_number>. See parameter descriptions below for a list of severity level descriptions. Valid values are 0-7. Default is 4.
level emerg                   Displays messages stored in the console log with severity level 0. Severity level 0 is Emergency, which indicates that the system is unstable.
level alert                   Displays messages stored in the console log with severity levels 0 and 1. Severity level 1 is Alert, which indicates that immediate action is needed.
level crit                    Displays messages stored in the console log with severity levels 0-2. Severity level 2 is Critical, which indicates a critical condition.
level error                   Displays messages stored in the console log with severity levels 0-3. Severity level 3 is Error, which indicates an error condition.
level warning                 Displays messages stored in the console log with severity levels 0-4. Severity level 4 is Warning, which indicates a warning condition.
level notice                  Displays messages stored in the console log with severity levels 0-5. Severity level 5 is Notification, which indicates that a significant event has occurred, but conditions remain normal.
level info                    Displays messages stored in the console log with severity levels 0-6. Severity level 6 is Informational. Use these messages for information only.
level debug                   Displays messages stored in the console log with severity levels 0-7. Severity level 7 is Debugging. Use these messages for debugging only.
component <component_name>    Filters the output of the show logging console command. Displays only the event messages whose component names match one of the following <component_name> values:
                                cbsalarmmond     CBS RMON Monitor
                                cbscfgmgrd       CBS Configuration Manager
                                cbsd             CBS Daemon
                                cbsflowagentd    CBS Flow Agent
                                cbsflowcalcd     CBS Flow Calculator
                                cbshmonitord     CBS Health Monitor
                                cbsinitd         CBS Initializer
                                cbsstatsd        CBS Statistic Collector
                                cbssysctrld      CBS System Controller
                                cbsvfpcfgd       CBS VAP Config Agent
                                cli              Command Line Interface
                                init_cli         CLI Initializer
                                WEB              CBS Graphic User Interface (GUI)
hostname <hostname>           Filters the output of the show logging console command. Displays only the event messages that originate from the module with the specified host name.
chronological-order           Displays event messages in reverse chronological order.
<month>                       Filters the output of the show logging console command. Displays messages only for events that occurred during the specified month. You must specify the month as a three-letter abbreviation. Default value is the current month if the <date>, <year>, or <time> parameter is specified.
<date>                        Filters the output of the show logging console command. Displays messages only for events that occurred on the specified day of the month. Valid values are from 1 to 31. Default value is the current date if the <month>, <year>, or <time> parameter is specified.

Restrictions
Default Privilege Level: 0

show logging setting


Displays the current log setting.

Syntax
show logging settings

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
Monitor Logging Level 4 (1 row) Logging Level 4 Logging Level Name warning Log Facility

show logging server


Displays the logging server configuration.

Syntax
show logging server <IP_address> <hostname>

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter       Description
<IP_address>    IP address of logging (syslog) server.
<hostname>      Hostname of logging (syslog) server.

Restrictions
Default Privilege Level: 0

Commands for Displaying CPM Redundancy Configuration Settings


This section contains the following commands:
  show cp-redundancy
  show cp-disk-error
  show cp-unknown-state
  show management-vip

show cp-redundancy
This command displays the configured action for each CPM in a CP redundancy configuration.

NOTE: This command issues a warning message if an in-service upgrade (ISU) is in progress. If you get this message, please be aware that there will be a period of time during the ISU when both CPMs are listed as the primary CPM. This condition will be resolved when the upgrade is complete.

Syntax
show cp-redundancy

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command's output during normal operation.
CBS# show cp-redundancy
Administrative State:
CP1 (this cp) is ELECTION
CP2 (other cp) is ELECTION
CP Redundancy is ENABLED
Operational State:
CP1 (this cp) is PRIMARY
CP2 (other cp) is OFFLINE CP
CP Redundancy is ENABLED

The following is an example of this command's output during an ISU.
CBS# show cp-redundancy
WARNING: In-Service Upgrade Is in Progress
Administrative State:
CP1 (this cp) is ELECTION
CP2 (other cp) is ELECTION
CP Redundancy is ENABLED
Operational State:
CP1 (this cp) is PRIMARY
CP2 (other cp) is OFFLINE
CP Redundancy is ENABLED
Synchronization Status:
Disk synchronization is 0% completed

show cp-disk-error
This command displays the currently configured CPM actions.

Syntax
show cp-disk-error

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15
This command is not available on the X20 or X30 chassis.

show cp-unknown-state
This command displays the configured CPM actions.

Syntax
show cp-unknown-state

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15
This command is not available on the X20 or X30 chassis.

Example
The following is an example of this command.
CBS# show cp-unknown-state
CP1: slot 13 is inaccessible
CP2: Unknown CP setting is MONITOR

show management-vip
This command displays the virtual IP addresses.

Syntax
show management-vip

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
The following is a sample display:
CBS# show management-vip
Management Virtual IP
192.168.75.193
(1 row)

Commands for Displaying VAP Group Configuration Settings


This section contains the following commands:
  show archive-vap-group
  show host
  show kernel
  show routing-protocol
  show vap-group

show archive-vap-group
Displays information about VAP group archives. An archive is a backup copy of all the filesystems used by a particular VAP group at a particular time. By default, this command displays information about all archives created for VAP groups configured on the X-Series Platform. Use the vap-group parameter to display information only about archives created for the specified VAP group. Use the vap-group parameter with the archive parameter to display information only about the specified archive of the specified VAP group.

Syntax
show archive-vap-group [vap-group <VAP_group_name> [archive <archive_number>]]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter                     Description
vap-group <VAP_group_name>    Displays information only about the archives created for the specified VAP group. If you do not specify this parameter, the show archive-vap-group command displays information about all archives created for all VAP groups configured on the X-Series Platform.
archive <archive_number>      Displays information only about the specified archive created for the specified VAP group. You specify an archive using its archive number. NOTE: A VAP group's archives are numbered from 1 to n, where n is the number of archives created for a VAP group. The first archive that you create for a VAP group is archive number 1, the second is 2, etc. If you do not specify the archive parameter with the vap-group parameter, the show archive-vap-group command displays information about all archives created for the specified VAP group.

Output
This command displays archive information in the following format:

VAP Group           : <VAP_group_name>
Archive Number      : <archive_number>
VAP Count           : <VAP_count>
VAP OS version      : {xslinux_v3 | xslinux_v5 | xslinux_v5_64}
XOS version         : <XOS_version>
Application         : <application_name>
Application Version : <application_version_identifier>
Application Release : <application_release_number>
Date                : <archive_creation_date>
Archive Location    : {<archive_directory_on_CPM> | <URL_for_archive_directory_on_external_server>}
Archive Size        : <number_of_bytes>

The following table describes the information provided in each column/row.

Column/Row Heading     Information Provided
VAP Group              Name of the VAP group that was backed up to create the archive.
Archive Number         Archive number that XOS assigned to the archive. XOS assigns the number 1 to the first archive that you create for a VAP group. XOS then increments the archive number by 1 for each subsequent archive that you create for the VAP group. For example, the second archive you create for a VAP group is archive number 2, and the third is archive number 3.
VAP Count              Number of VAPs in the archived VAP group at the time when the archive was created.
VAP OS version         VAP OS version running on the archived VAP group at the time when the archive was created.
XOS version            XOS version running on the X-Series Platform at the time when the archive was created.
Application            Name of the application running on the VAP group at the time when the archive was created.
Application Version    Version of the application running on the VAP group at the time when the archive was created.
Application Release    Release of the application running on the VAP group at the time when the archive was created.
Date                   Day, date, and time at which the archive was created.
Archive Location       If the archive is stored on the CPM, this field displays the full path to the directory in which the archive files are stored. If the archive is stored on an external server, this field displays the URL that can be used to access the archive files on the external server. NOTE: The show archive-vap-group command displays the location where the archive files were placed when the archive was created. If the archive files have been moved to another location, the show archive-vap-group command does not display the new location.
Archive Size           Total size of the contents of the archive directory, expressed in bytes.

Restrictions
Default Privilege Level: 0

Examples
Example 1: Displaying Information About an Archive Stored on the CPM

The following command displays information about the first archive (archive number 1) that was created for the VAP group called testvapgroup; archive number 1 is stored on the CPM.

CBS# show archive-vap-group vap-group testvapgroup archive 1
VAP Group           : testvapgroup
Archive Number      : 1
VAP Count           : 3
VAP OS version      : xslinux_v3
XOS version         : 9.5.1-xx
Application         : VPN-1 Power
Application Version : NGXR65
Application Release : 1.0.2.0-5
Date                : Wed Feb 23 14:23:52 EST 2011
Archive Location    : /tftpboot/archives/testvapgroup/1
Archive Size        : 419624
CBS#

show host
This command displays hosts.

Syntax
show host

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show kernel
This command displays the current kernel version for a specified VAP group or all VAP groups.

Syntax
show kernel [vap-group <VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter           Description
<VAP_group_name>    Name of a VAP group.

Restrictions
Default Privilege Level: 0

Example
The following is a sample display.

CBS# show kernel
vAP Group : firewall
kernel    : 2.6.18-53.el5

show routing-protocol
This command displays routing protocol configurations.

Syntax
show routing-protocol [rip | ospf | pim | bgp | ospf6 | ripng | nsm] [vap-group <VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter                     Description
rip                           Displays the Routing Information Protocol (RIP) configuration.
ospf                          Displays the Open Shortest Path First (OSPF) configuration.
pim                           Displays the Protocol Independent Multicast configuration.
bgp                           Displays the Border Gateway Protocol configuration.
ospf6                         Displays the Open Shortest Path First (OSPF) for IPv6 configuration.
ripng                         Displays the Routing Information Protocol (RIP) for IPv6 configuration.
nsm                           Displays the Network Services Module configuration.
vap-group <VAP_group_name>    Displays the routing configuration for a specific VAP group.

Restrictions
Default Privilege Level: 0

show vap-group
This command displays configuration information for the specified VAP group. If you do not specify a VAP group, this command displays configuration information for all VAP groups.

Syntax
show vap-group [<VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter           Description
<VAP_group_name>    Name of a VAP group.

Restrictions
Default Privilege Level: 0

Example
This is an example configuration of a VAP group named ips. CBS# show vap-group ips VAP Group Operating System Load Priority Preemption Priority AP List VAP Count Max Load Count Max Reload Count Load Balance VAP List IP Forwarding (true/false) Delay Flow (seconds) Backup Mode Reload Timeout (seconds) RP Filter (true/false) Log Martians (true/false) DHCP Relay Server List RAID Jumbo Frame (true/false) Scatter Gather (true/false) Master HoldDown Timer (in seconds) Application Monitoring (true/false) IPv6 Enabled (true/false) IPv6 IP Forwarding (true/false) Fail to Host (true/false) Flow Proxy (true/false) Reset Wait Time (seconds) (1 row) : : : : : : : : : : : : : : : : : : : : : : : : : : ips xslinux_v5 0 0 ap6 ap7 ap8 2 2 3 1 2 f 0 none 300 f f none f f 0 t t f t t 5

Commands for Displaying Flow Provisioning Configuration Settings


This section contains the following commands:
show check-flow-rule
show default-ip-flow-rule
show default-non-ip-flow-rule
show ip-flow-rule
show non-ip-flow
show system-ip-flow-rule
show system-non-ip-flow-rule

show check-flow-rule
This command displays whether IP flow rules will be checked for conflicts. The display consists of t for true or f for false.

Syntax
show check-flow-rule

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

show default-ip-flow-rule
This command displays the default IP flow rule settings.

NOTE: In Series-6 NPM mode, the Rate Limiter and Hide Slot Originator fields will be designated N/A, since the rate-limiter and hide-slot-originator parameters apply only to systems running in Series-2 NPM mode.

Syntax
show default-ip-flow-rule

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command when operating in Series-6 NPM mode:

CBS# show default-ip-flow-rule
Default IP Flow Rule:
Source Addresses              : 0.0.0.0 - 255.255.255.255
Source Ports                  : 0 - 65535
Destination Addresses         : 192.168.0.10 - 192.168.0.11
Destination Ports             : 0 - 65535
Protocols                     : 0 - 255
Domains                       : 1 - 1
Incoming Circuit Group (ICG)  : 1
Priority                      : 21
Primary Action                : dest-ip-based-load-balance
VAP Group                     : ips
Index In Group                : N/A
Rate Limiter                  : N/A
Skip Protocol (t/f)           : t
Skip Port (t/f)               : t
Hide Slot Originator (t/f)    : N/A
Timeout                       : none
Trace (t/f)                   : f
Sync (t/f)                    : N/A

show default-non-ip-flow-rule
This command displays the default non-IP flow rule settings.

Syntax
show default-non-ip-flow-rule

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
In the following example, MLT is used; a rule for LACP packets is initialized for the system:

CBS# show running-config
...
circuit mlt circuit-id 1025
  vap-group VLAN
#
group-interface mlt
  mode multi-link circuit mlt
  gigabitethernet 1/1
  gigabitethernet 2/1

CBS# show default-non-ip-flow-rule
System Non IP Flow Rule : system generated multi-link flow (LACP)
Encapsulation           : ethernet
Type                    : 34825
Action                  : broadcast
Activate (true/false)   : t
(example shows 1 row)

show ip-flow-rule
This command displays the current parameter settings for all IP flow rules or displays the current parameter settings for the specified IP flow rule. This command displays only the IP flow rules that have valid settings for the destination-port, source-port, destination-ip, source-ip, protocol, domain, and primary-action parameters. IP flow rules with invalid settings for these parameters are not displayed.

Syntax
show ip-flow-rule [<IP_flow_rule>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter         Description
<IP_flow_rule>    Displays the current parameter settings only for the specified IP flow rule. By default, the show ip-flow-rule command displays the current parameter settings for all IP flow rules.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command run on a system operating in Series-6 NPM mode:

CBS# show ip-flow-rule
IP Flow Rule                    : allthings
VAP Group                       : TAP
Destination Address             : 0.0.0.0
Destination Address High        : 255.255.255.255
Destination Port                : 0
Destination Port High           : 65535
Source Address                  : 0.0.0.0
Source Address High             : 255.255.255.255
Source Port                     : 0
Source Port High                : 65535
Incoming Circuit Group          : 1
Protocol                        : 1
Protocol High                   : 255
Domain                          : 1
Domain High                     : 4095
Action                          : load-balance
Activate (true/false)           : t
Priority                        : 10
Skip Protocol (true/false)      : t
Skip Port (true/false)          : t
Skip Port Protocol (true/false) : t
Timeout                         : auto
Trace (true/false)              : f

show non-ip-flow
This command displays any VAP non-ip-flow rules configured.

Syntax
show non-ip-flow [<flow_rule_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter             Description
[<flow_rule_name>]    The name of the flow rule. If you do not specify the name of a non-IP flow rule, the command displays all non-IP flow rules.

Restrictions
Default Privilege Level: 15

Example
The following is an example using the show non-ip-flow command to display defined non-ip-flow rules.

CBS# show non-ip-flow
Non IP Flow Rule      : test
VAP Group             : TAP
Encapsulation         : ethernet
Type                  : 1600
Action                : broadcast
Activate (true/false) : t
Core Assignment       : random-single-core
(1 row)

show system-ip-flow-rule
This command displays the current parameter settings for all system IP flow rules or displays the current parameter settings for the specified system IP flow rule. This command displays only the system IP flow rules that have valid settings for the destination-port, source-port, destination-ip, source-ip, protocol, domain, and primary-action parameters. System IP flow rules with invalid settings for these parameters are not displayed.

Syntax
show system-ip-flow-rule [<IP_flow_rule_id>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter            Description
<IP_flow_rule_id>    Displays the current parameter settings only for the specified system IP flow rule. By default, the show system-ip-flow-rule command displays the current parameter settings for all system IP flow rules.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command run on a system operating in Series-6 NPM mode:

CBS# show system-ip-flow-rule
System IP Flow Rule             : myrule
Destination Address             : 0.0.0.0
Destination Address High        : 255.255.255.255
Destination Port                : 0
Destination Port High           : 65535
Source Address                  : 0.0.0.0
Source Address High             : 255.255.255.255
Source Port                     : 0
Source Port High                : 65535
Incoming Circuit Group          : 1
Protocol                        : 1
Protocol High                   : 255
Domain                          : 1
Domain High                     : 4095
Action                          : drop
Activate (true/false)           : f
Priority                        : 10
Skip Protocol (true/false)      : t
Skip Port (true/false)          : t
Skip Port Protocol (true/false) : t
Timeout                         : auto

show system-non-ip-flow-rule
This command displays the system non-IP flow rules.

Syntax
show system-non-ip-flow-rule [<non_IP_flow_rule_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter                  Description
<non_IP_flow_rule_name>    Specifies the flow rule to display.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command:

CBS# show system-non-ip-flow-rule
System Non IP Flow Rule : myrule
Encapsulation           : snap
Type                    : any
Action                  : drop
Activate (true/false)   : f
(1 row)

Commands for Displaying Circuits and Interface Configuration Settings


This section contains the following commands:
show bridge-mode
show circuit
show incoming-circuit-group-name
show group-interface
show interface
show interface-status-group
show ip-mapping
show redundancy-interface
show status-grouping
show vlan
show acl-interface
show acl-interface-mapping

show bridge-mode
This command displays a bridge-mode circuit and its members.

Syntax
show bridge-mode [<circuit_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter         Description
<circuit_name>    Name of a circuit configured for bridge mode. Default is all circuits configured for bridge mode.

Restrictions
Default Privilege Level: 0

Example
CBS# show bridge-mode
Bridge Mode Name : bridge66mode
Mode             : bridge
Member Circuit   : int66
Bridge Mode Name : vlan66bridge
Mode             : bridge

show circuit
This command displays circuit information for one or all circuits. The command includes a parameter that shows the status of the circuit. The Aggregation Mode field displays whether the circuit is a part of a multi-link, bridge, or transparent group interface. If not a member of a group interface, none is displayed.

Syntax
show circuit <circuit_name> [admin-status | status]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter         Description
<circuit_name>    Name of a specific circuit. Default is all circuits.
status            Displays statistical information relating to a circuit. Default.
admin-status      Displays circuit configuration information.

Restrictions
Default Privilege Level: 0

Example
The following example shows the output of the status parameter.

CBS# show circuit outside status
                                In        In      In     Out       Out     Out
Module  Circuit  IP Address     Packets   Errors  Drops  Packets   Errors  Drops
ips_1   outside  10.37.0.1      28401561  0       0      28422779  0       0
ips_2   outside  10.37.0.1      28401543  0       0      28422559  0       0

The following example shows the output of the admin-status parameter.

CBS# show circuit outside admin-status
Circuit Name                          : bint
Circuit-Id                            : 1027
Device Name                           : bint
Incoming Circuit Group                : 1
Promiscuous Mode                      : no promiscuous
Proxy ARP Enabled (true/false)        : f
IP Forwarding (true/false)            : f
ICMP Redirect (true/false)            : f
Reclassify NAT Flows (true/false)     : f
IP Flow Rule Priority                 : 21
IP Flow Rule No Failover (true/false) : f
VAP Group                             : flo
Verify Next Hop IP                    :
Aggregation Mode                      : none
Domain                                : 1
New Flow Control (true/false)         : t
DHCP Relay (true/false)               : f
Default Egress Vlan Tag               : N/A
Hide VLAN Header (true/false)         : N/A
Replace Egress Vlan Tag               : N/A
MAC Address                           : 00:03:d2:e0:0c:c8 (system-reserved)
MTU                                   : 1500
Management Circuit (true/false)       : f
Enable (true/false)                   : t
Primary Type                          : primary
IP Address                            : 192.168.10.1/24
IP Broadcast Address                  : 192.168.10.255
Increment-per-vap Mode (true/false)   : f
Alias Index                           : 1
IP Address                            : 100.100.100.44/24
IP Broadcast Address                  : 100.100.100.255
Increment-per-vap Mode (true/false)   : f
Floating (true/false)                 : t

show incoming-circuit-group-name
This command displays all incoming circuit groups, giving the number and name of each one. To configure a name for an incoming circuit group, use the configure incoming-circuit-group-name command.

Syntax
show incoming-circuit-group-name

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
CBS# show incoming-circuit-group-name
ICG Number  ICG Name
3           icg3
4           icg4
5           icg5
(3 rows)

show group-interface
This command displays the configurations of all group interfaces, or displays only the configuration of the specified group interface. This command displays only the parameter settings that are applicable to each group interface's physical interface type.

IMPORTANT: This command shows how the group interface was configured, not the current state of the group interface. To view the current state, use the show interface command for each interface in the group.

Syntax
show group-interface [<group_name>] [stats | status]

Context
You access this command from the main CLI context.

Inline Commands
The following table lists the CLI commands used inline with the show group-interface command.

Command    Description
stats      Displays the operational group interface status.
status     Displays the group interface status.

Parameters
The following table lists the parameters used with this command.

Parameter       Description
<group_name>    Displays only the configuration of the specified group interface. By default, the show group-interface command displays the configurations of all group interfaces.

Restrictions
Default Privilege Level: 15

Example
The following is an example display of group interface firewall1. No parameters have been set for this group interface. CBS# show group-interface firewall1 Group Name Mode Mode Circuit Interface Internal Circuit Status Grouping (true/false) Interface Type : : : : : : firewall1 none

f gigabitethernet

Enable (true/false) Auto Negotiate Enabled (true/false) Media Speed (Mbits) Duplex Mode Pause Frame (true/false) (2 rows)

: : : : :

t t auto auto t

NOTE: If Mode is None, the group interface is not yet fully configured or functional. You still need to select a mode.

The following is an example display of group interface firewall3. This group interface type is Gigabit Ethernet. There are three individual interfaces assigned to this group, and one of those individual interfaces is disabled.

CBS# show group-interface firewall3
Group Name                               : firewall3
Mode                                     : multi-link
Mode Circuit                             : cct2
Interface Type                           : gigabitethernet
Enable (true/false)                      : t
MAC Address                              : 00:05:d2:10:0a:7e
Auto Negotiate Enabled (true/false)      : f
Media Speed (Mbits)                      : 100
Duplex Mode                              : full
Pause Frame (true/false)                 : t
Included Group                           :
Physical Interface (Device) [en/disable] : gigabitethernet 2/1 [enable]
Physical Interface (Device) [en/disable] : gigabitethernet 2/2 [enable]
Physical Interface (Device) [en/disable] : gigabitethernet 2/3 [disable]

Example of show group-interface status:

Group Name (Status)  Interface (Status)          Auto-Neg.  Speed  Duplex
gi1 (down)           gigabitethernet 1/1 (down)  enabled    auto   auto
(1 row)

show interface
This command displays the current state for a physical interface. If no interface is specified, status is displayed for all physical interfaces. The detail parameter displays verbose information, and allows you to specify additional parameters to filter the verbose output to display only data for the physical line, IPv4, IPv6, or non-IPv4 frame types, interface type, or to display data for a specific interface. The IP frame type parameters apply only to NPM interfaces. With the exception of management interfaces, the MTU setting is defined at the circuit level. Use show circuit to display the MTU.

Syntax
show interface [detail [phy] [ipv4] [ipv6] [non-ipv4] [gigabitethernet <slot/port> | 10gigabitethernet <slot/port>]]
show interface [gigabitethernet <slot/port> | 10gigabitethernet <slot/port>] [high-availability]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter                                 Description
detail                                    Displays verbose information, including a reason for dropped packets. The detail parameter is ignored for management interfaces. The detail parameter supports the following parameters as filters.
detail all                                (Used only following the detail parameter) Displays the verbose status of all physical interfaces. This is the default.
detail phy                                (Used only following the detail parameter) Displays the verbose status of all physical lines. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
detail ipv4                               (Used only following the detail parameter) Displays the verbose status for IPv4 frames on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
detail ipv6                               (Used only following the detail parameter) Displays the verbose status for IPv6 frames on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
detail non-ipv4                           (Used only following the detail parameter) Displays the verbose status for non-IPv4 frames, including IPv6 frames, on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
[detail] 10gigabitethernet <slot/port>    Displays the status of 10 Gigabit Ethernet interfaces only. Displays the verbose status when used following the detail parameter. If you specify 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.
[detail] gigabitethernet <slot/port>      Displays the status of Gigabit Ethernet interfaces only. Displays the verbose status when used following the detail parameter. If you specify gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.
high-availability                         Displays the status of the High Availability port on the primary CPM.

Output
The output for the show interface detail command has the following format:

show interface detail gigabitethernet 2/1
Gigabitethernet 2/1 is up
Interface is in use
Hardware address is N/A
SFP info: phy_present|phy_good
Media Type: Copper, Vendor Name: Methode Elec.
MTU N/A, BW 100 Mbits, full-duplex, auto-negotiation is enabled
Last clearing of "show interface" counters never
PHY stats: Statistics on physical line
  Received:
    Total frames 2069898 (bytes 200033630)
    Broadcast frames 1546455
    Undersized frames 0
    Oversized frames 0
    Throttles 0
    Total errors 0
    Frame check sequence (FCS) errors 0
    Frame errors 0
    Overrun errors 0
    Ignored errors 0
  Transmitted:
    Total frames 381705 (bytes 345098116)
    Underrun errors 0
    Total errors 0
    Collisions 0
IPv4 stats: Statistics for IPv4 frames
  Received frames 1304125 (rate 0 fps)
  Transmitted frames 381705 (rate 0 fps)
  Dropped frames (and rate per minute):
    Bad V4 header 41 (rate 0 fpm)
    Un-configured circuit 23 (rate 0 fpm)
    Provision table full 0 (rate 0 fpm)
    Table configuration error 0 (rate 0 fpm)
    Packet processing capacity 0 (rate 0 fpm)
    Interface down 19 (rate 0 fpm)
    Invalid internal route 0 (rate 0 fpm)
    Mismatched L2 entry 218 (rate 0 fpm)
    Mismatched L3 entry 0 (rate 0 fpm)
    Early NFI reinjection 0 (rate 0 epm)
    Mismatched L2 route 0 (rate 0 fpm)
    L3 policy action 6 (rate 0 fpm)
    Mismatched L3 route 0 (rate 0 fpm)
    Unavailable master 0 (rate 0 fpm)
    Mismatched index for action pass-to-vap 1304 (rate 0 fpm)
    Unavailable lb-vector 0 (rate 0 fpm)
    Empty vap-group 365 (rate 0 fpm)
  NFI (New Flow Initiation) Events (and rate):
    New flow 7514 (rate 0 eps)
    Internal route change 3534 (rate 0 eps)
    External route change 4 (rate 0 eps)
  Frame Validation Failure Stats (and rate per minute)
    Invalid IP/TCP frame 0 (rate 0 fpm)
    Invalid IP/TCP frame dropped 0 (rate 0 fpm)
IPv6 stats: Statistics for IPv6 frames
  Received frames 2351477 (rate 0 fps)
  Transmitted frames 841633 (rate 0 fps)
Non-IPv4 (incl. IPv6) stats: Statistics for Non-IPv4 Frames
  Received frames 765501 (rate 1 fps)
  Transmitted frames 10726 (rate 0 fps)
  Dropped frames (and rate per minute):
    Un-configured circuit 0 (rate 0 fpm)
    Mismatched L2 policy 3706 (rate 0 fpm)
    Policy action 0 (rate 0 fpm)
    Interface down 8 (rate 0 fpm)
    Empty vap-group 0 (rate 0 fpm)

The following table describes the information provided in each column and/or row.

Column/Row Heading                         Information Provided
SFP Info                                   Provides hardware and configuration information for the SFP.
MTU and Phy stats                          This information is the same information produced by the command ifconfig.
IP Stats: Statistics for IP Frames
Received Frames                            The number of IP data packets received at the network processing unit (NPU) from the external interfaces.
Transmitted Frames                         Number of IP data packets transmitted from the NPU to the external interfaces.
Reasons for Dropped IP Frames
Bad V4 Header                              The IPv4 header type or the header length is wrong.
Un-configured circuit                      The circuit is not configured for the incoming VLAN and port to process the packet.
Provision table full                       Packets for new flows are dropped because the provision table was full. The provision table holds new flows during flow setup.
Table configuration error                  Internal NPU configuration error
Packet processing capacity                 Traffic exceeded the packet processing capacity of the NPU.
Interface down                             The state of the interface was down.
Invalid internal route                     Unexpected route information in the NPU.
Mismatched L2 entry                        The L2 policy did not match the incoming packet.
Mismatched L3 entry                        The L3 policy did not match the incoming packet.
Early NFI Reinjection                      When new flow initiation (NFI) packets are injected before the flow is established in the NPU.
Mismatched L2 route                        The NPM was unable to establish an L2 flow to the APM.
L3 policy action                           A Layer-3 policy is programmed to drop the packet.
Mismatched L3 route                        The NPM was unable to establish an L3 flow to the APM.
Unavailable master                         When a policy is programmed to pass-to-master and a master VAP is not available, the packet is dropped.
Mismatched index for action pass-to-vap    When a policy is programmed to pass to index and the VAP with the specified index is not available, the packet is dropped.
Unavailable lb-vector                      When a policy is programmed to load balance and the VAP member for the load balanced flow is unavailable, the packet is dropped.
Empty vap-group                            When a policy is set to broadcast and there are no VAP members available.
New flow                                   The number of packets that resulted in new flow processing on the NPU. The flow can exist in the control processor, but the 5-tuple entry does not exist in the NPU.
Internal route change                      When a VAP member or application goes down, the processor flow software initiates the internal route change.
External route change                      When an external route changes, the packet fails the ingress point validation and the result is that a new flow is initiated.
Non-IP Stats: Statistics for Non-IP Frames
Received frames                            Number of non-IP data packets received at the NPU from the external interfaces.
Transmitted frames                         Number of non-IP data packets transmitted from the NPU to the external interfaces.
Reasons for Dropped Non-IP Frames
Un-configured circuit                      The circuit is not configured for the incoming VLAN and port to process the packet.
Mismatched L2 policy                       The L2 policy did not match the incoming non-IP packet.
Policy action                              The L2 policy is programmed to drop the packet.
Interface down                             The state of the interface was down.
Empty vap-group                            When a policy is set to broadcast and there are no VAP members available.

The output of the show interface high-availability command has the following format:

CBS# show interface high-availability
CP Module  Auto Negotiate Enabled (true/false)  Media Speed (Mbits)  Duplex Mode
cp1        t                                    auto                 auto
cp2        t                                    auto                 auto
(2 rows)

High-availability port on slot 14 is up
BW 1 Gigabit, full-duplex, auto-negotiation is disabled
Last clearing of "show interface" counters Fri Sep 3 04:54:25 2010
PHY stats: Statistics on physical line
  Received:
    Total frames 0 (bytes 0)
    Total errors 0
  Transmitted:
    Total frames 367 (bytes 28146)
    Total errors 0

Restrictions
Default Privilege Level: 0
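
The drop reasons that the guide lists for show interface detail can be pulled out of captured output and ranked, so that counters such as Empty vap-group or Un-configured circuit (traffic discarded at the NPM before any VAP sees it) stand out during monitoring. The following is an added example, not part of the Crossbeam guide: parse_drops and triage are hypothetical names, the sample is abbreviated from the guide's own example output, and it assumes the CLI prints one counter per line.

```python
import re

# Abbreviated from this guide's "show interface detail gigabitethernet 2/1"
# example. Assumption: the CLI prints one counter per line, as laid out here.
SAMPLE = """\
Gigabitethernet 2/1 is up
PHY stats: Statistics on physical line
  Received:
    Total frames 2069898 (bytes 200033630)
    Total errors 0
IPv4 stats: Statistics for IPv4 frames
  Received frames 1304125 (rate 0 fps)
  Transmitted frames 381705 (rate 0 fps)
  Dropped frames (and rate per minute):
    Bad V4 header 41 (rate 0 fpm)
    Un-configured circuit 23 (rate 0 fpm)
    Provision table full 0 (rate 0 fpm)
    Interface down 19 (rate 0 fpm)
    Mismatched L2 entry 218 (rate 0 fpm)
    L3 policy action 6 (rate 0 fpm)
    Mismatched index for action pass-to-vap 1304 (rate 0 fpm)
    Empty vap-group 365 (rate 0 fpm)
  NFI (New Flow Initiation) Events (and rate):
    New flow 7514 (rate 0 eps)
IPv6 stats: Statistics for IPv6 frames
  Received frames 2351477 (rate 0 fps)
Non-IPv4 (incl. IPv6) stats: Statistics for Non-IPv4 Frames
  Received frames 765501 (rate 1 fps)
  Dropped frames (and rate per minute):
    Un-configured circuit 0 (rate 0 fpm)
    Mismatched L2 policy 3706 (rate 0 fpm)
    Interface down 8 (rate 0 fpm)
"""

# Explanations quoted from the guide's table of drop reasons (subset).
REASONS = {
    "bad v4 header": "The IPv4 header type or the header length is wrong.",
    "un-configured circuit": "The circuit is not configured for the incoming "
                             "VLAN and port to process the packet.",
    "interface down": "The state of the interface was down.",
    "mismatched l2 entry": "The L2 policy did not match the incoming packet.",
    "l3 policy action": "A Layer-3 policy is programmed to drop the packet.",
    "mismatched index for action pass-to-vap":
        "When a policy is programmed to pass to index and the VAP with the "
        "specified index is not available, the packet is dropped.",
    "empty vap-group": "When a policy is set to broadcast and there are no "
                       "VAP members available.",
    "mismatched l2 policy": "The L2 policy did not match the incoming non-IP packet.",
}

SECTION_RE = re.compile(r"(PHY|IPv4|IPv6|Non-IPv4)\b.*stats:")
COUNTER_RE = re.compile(
    r"(?P<name>.+?)\s+(?P<count>\d+)\s+\(rate\s+(?P<rate>\d+)\s+\w+\)"
)


def parse_drops(text):
    """Return {section: {counter: (count, rate)}} for each 'Dropped frames' block."""
    drops, section, in_block = {}, "unknown", False
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section, in_block = header.group(1), False
        elif line.startswith("Dropped frames"):
            in_block = True
            drops.setdefault(section, {})
        elif in_block:
            counter = COUNTER_RE.fullmatch(line)
            if counter is None:
                # Any non-counter line (e.g. the NFI events heading) ends the block.
                in_block = False
            else:
                drops[section][counter["name"]] = (
                    int(counter["count"]), int(counter["rate"]))
    return drops


def triage(drops):
    """List nonzero drop counters, largest first, with the guide's explanation."""
    rows = [
        (section, name, count, rate,
         REASONS.get(name.lower(), "(see the guide's table)"))
        for section, counters in drops.items()
        for name, (count, rate) in counters.items()
        if count or rate
    ]
    return sorted(rows, key=lambda row: (-row[2], row[0], row[1]))


if __name__ == "__main__":
    for section, name, count, rate, why in triage(parse_drops(SAMPLE)):
        print(f"{section:9} {name:40} {count:>8} ({rate}/min)  {why}")
```

A counter with a nonzero rate is dropping traffic now; a large count with a zero rate reflects drops accumulated since the counters were last cleared.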

show interface-status-group
This command displays the status of all interface-status-groups or of the interface-status-group that you specify.

Syntax
show interface-status-group [<interface_status_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter                        Description
<interface_status_group_name>    Displays only the configuration of the specified interface-status-group. By default, the show interface-status-group command displays a list of all interface-status-groups.

Restrictions
Default Privilege Level: 15

Example
The following is an example output of the show interface-status-group command.
CBS# show interface-status-group
Interface Status Group : isg1
Group Interface : my_grp
Interface Status Group : isg2
Group Interface : group1
Individual Interface : gigabitethernet 1/1
(2 rows)


show ip-mapping
This command displays interfaces and their associated IP address mapping.

Syntax
show ip-mapping [record-format] [verbose]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter: Description
record-format: Displays data in record (name : value) format.
verbose: Displays data that includes VAP group information.

Restrictions
Default Privilege Level: 0

Example
The following is a sample display.
CBS# show ip-mapping
Interface Name prefix: (p) Physical Interface. (g) Group Interface. (i) Interface Internal.
Logical Type: logical-all handles all traffic. non-vlan handles non-vlan traffic. Range indicates high/low vlan tag
Interface Name  Logical  Logical Type  Circuit     Domain  Address (* denotes alias)
                                       isatap_cct  1       2002::3 - 2002::3
                                       mgt         1       1.10.1.10 - 1.10.1.15
                                       mgt         1       2.2.2.30 - 2.2.2.33
                                       rswtrf      1       2.2.20.10 - 2.2.20.10
                                       sn          1       10.30.3.1 - 10.30.3.5
                                       test_group  1       0.0.0.0 - 0.0.0.0
                                       trf         1       10.20.2.1 - 10.20.2.1
                                       new_isatap  1       0.0.0.0 - 0.0.0.0

(p) gigabitethernet 2/4 (p) gigabitethernet 2/8 (8 rows)

trflog gig28

non-vlan non-vlan


show redundancy-interface
This command displays the backup/master pairs for interface redundancy. This command also displays status.

Syntax
show redundancy-interface

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
CBS# show redundancy-interface
Master Intf  Backup Intf  Active Intf  MacUsage  FailOverMode
-----------  -----------  -----------  --------  -------------
gig 1/10     gig 4/10     Master       master    preemption-on

show status-grouping
This command displays the status and physical interfaces that comprise a group interface configured with the configure group-interface command.

Syntax
show status-grouping [<group_interface_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter: Description
<group_interface_name>: Displays the status of the specific group interface. Default is to display all group interfaces.

Restrictions
Default Privilege Level: 0


Example
The following example shows that there are three physical interfaces in a group interface named ipsonly.
CBS# show status-grouping ipsonly
Group Interface : ipsonly
Interface : gigabitethernet 2/1
Status : Up
Group Interface : ipsonly
Interface : gigabitethernet 2/2
Status : Up
Group Interface : ipsonly
Interface : gigabitethernet 2/4
Status : Up
(3 rows)

show vlan
This command displays VLAN information.

Syntax
show vlan

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.
CBS# show vlan
Interface gigabitethernet gigabitethernet gigabitethernet gigabitethernet (4 rows) Logical Line mlt1 all 1 mlt2 all 3 mlt1 all 2 mlt2 all 4 Ingress Range all all all all Circuit c1 1027 c2 1029 c1 1028 c2 1030 Def. Egress Tag 0 0 0 0

1/1 1/2 2/1 2/2

show acl-interface
Displays the packet filtering criteria defined for all access control list (ACL) filters configured on the X-Series Platform, or displays only the packet filtering criteria defined for the specified ACL filter. See configure acl-interface on page 524 for information about configuring an ACL filter.


Syntax
show acl-interface [<ACL_interface_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter: Description
<ACL_interface_name>: Displays only the packet filtering criteria defined for the specified ACL filter.

Output
The output for this command has the following format:
ACL Interface : testacl2
VLAN/Mask (in decimal) : 0x000 / 0x000 (0 / 0)
Source MAC/Mask : 00:00:00:00:00:00 / 00:00:00:00:00:00
Destination MAC/Mask : 00:00:00:00:00:00 / 00:00:00:00:00:00
Ethernet Type/Mask : 0x0000 / 0x0000
Direction : ingress-only

The following table describes the information provided in each column/row.
Column/Row Heading: Information Provided
ACL Interface: Displays the name of the ACL Interface.
VLAN/Mask (in decimal): Displays the source VLAN and mask in hex and decimal for the ACL Interface.
Source MAC/Mask: Displays the source MAC address and mask for the ACL Interface. This applies to the ingress direction only.
Destination MAC/Mask: Displays the destination MAC address and mask for the ACL Interface. This applies to the ingress direction only.
Ethernet Type/Mask: Displays the Ethernet type and mask for the ACL Interface.
Direction: Displays the direction for the ACL Interface as ingress-only or egress-only.

Restrictions
Default Privilege Level: 15


Example
The following example shows an ACL interface testmirroracl configured with a source-mac address and mask of 01:02:03:00:00:00 / ff:ff:ff:ff:ff:ff and a destination-mac address of 00:00:00:01:02:03 / ff:ff:ff:ff:ff:ff.
CBS# show acl-interface testmirroracl
ACL Interface : testmirroracl
VLAN/Mask (in decimal) : 0x000 / 0x000 (0 / 0)
Source MAC/Mask : 01:02:03:00:00:00 / ff:ff:ff:ff:ff:ff
Destination MAC/Mask : 00:00:00:01:02:03 / ff:ff:ff:ff:ff:ff
Ethernet Type/Mask : 0x0000 / 0x0000
Direction : ingress-only
(1 row)

show acl-interface-mapping
Displays a list of the access control lists (ACLs) assigned to each individual interface and each group interface configured on the X-Series Platform, and displays the action configured for each ACL on each interface. For each ACL interface configuration, this command displays the individual or group interface name, the ACL filter name, and the action defined for the ACL on the individual or group interface. See configure acl-interface on page 524 for information about configuring an ACL for an individual physical interface or a group interface.

Syntax
show acl-interface-mapping

Context
You access this command from the main CLI context.

Output
The output for this command has the following format:
Primary (interface/group)  ACL Interface  action  Destination interface
10gigabitethernet 1/12     testacl        drop
gigabitethernet 1/5        test2          mirror  gigabitethernet 1/6
gigabitethernet 1/2        testacl        drop
gigabitethernet 1/2        testacl2       drop
(3 rows)

The following table describes the information provided in each column/row.
Column/Row Heading: Information Provided
Primary (interface/group): Displays the physical interface and port on which the ACL interface is configured.
ACL Interface: Displays the name of the ACL filter configured for the primary interface.
action: Displays the configured action: capture, drop, mirror, or pass-through. NOTE: The capture action directs the matching traffic to the eth2 interface on the NPM.
Destination interface: Displays the destination interface for mirror and pass-through actions.

Restrictions
Default Privilege Level: 15

Example
The following example displays show acl-interface-mapping output for a single ACL interface on the gigabitethernet 1/1 port named testmirroracl with an action to drop traffic that matches the ACL filter criteria:
CBS# show acl-interface-mapping
Primary (interface/group)  ACL Interface  action  Destination interface
gigabitethernet 1/1        testmirroracl  drop
(1 row)


Commands for Displaying Multi-System High-Availability Configuration Settings


This section contains the following commands:
show remote-box
show vrrp
show vrrp circuit-ip
show vrrp detail-status
show vrrp failover-group
show vrrp monitor-circuit
show vrrp monitor-interfaces
show vrrp monitor-group-interfaces
show vrrp status
show vrrp vap-group
show vrrp verify-next-hop
show vrrp virtual-router

show remote-box
This command displays the system ID and addresses of any remote systems configured with this system in a VRRP configuration. Optionally, you can specify the system-identifier of a remote system. Use the ? option to see a list of currently configured remote systems.

Syntax
show remote-box [<remote_box_ID>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter: Description
<remote_box_ID>: A number from 1 through 255, representing the system-identifier of the remote-box.

Output
The following table explains the information provided in the output from the show remote-box command.
Column Heading: Description
Remote IP: The IP address of the interface on the remote-box.
Local Intf: The local interface that is used to access the remote IP address.
Local IP: The IP address of the local interface that is used to access the remote IP address.
Status: The status of the connection to the remote box (Active or Standby).
Time In State: The amount of time that the current Status (Active or Standby) has been true.
Link Qual: The quality of the link between the local and remote boxes. If the link has been connected for some time, the value of link quality is 100. If the link is disconnected for some time, the value is reset to 0. When the link is reconnected, the value increases over time to the maximum value of 100. If a link connection is intermittent, the value that appears will be somewhere between 0 and 100.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command:
CBS# show remote-box 22
Local System ID: 85
Remote System ID: 22
Remote IP       Local Intf  Local IP        Status   Time In State  Link Qual
192.168.211.89  14/1        192.168.211.85  Active   0 days, 00:00  100
1.1.89.20       HA port     1.1.85.20       Standby  0 days, 00:00  100
(2 rows)

show vrrp
This command displays basic configuration and status information for each VRRP failover group configured on the system. This command also displays VRRP status.

Syntax
show vrrp

Context
You access this command from the main CLI context.

Output
The output for this command has the following format:
Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      100/100   Master  on       1              100
2      150/150   Master  off      1              150
3      150/150   Master  on       1              150
(3 rows)


The following table describes the information provided in each column/row.
Column/Row Heading: Information Provided
FG-ID: Failover group ID number.
Priority: Failover group priority (actual/configured).
Status: Failover group status. Possible values are:
  master - Failover group is in master mode.
  backup - Failover group is in backup mode.
  down - Failover group is not functioning.
  init - Failover group is initializing.
Preempt: Indicates whether preemption is enabled (on) or disabled (off) for each failover group.
Master Sys ID: System ID assigned to the master system.
Master Priority: Current priority of the failover group on the master system.

Restrictions
Default Privilege Level: 0

Example
The following example shows the output of this command:
CBS# show vrrp
Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      200/200   Master  on       62             200
2      250/250   Master  on       62             250
(2 rows)

show vrrp circuit-ip


This command displays the VRRP configuration and current status of all circuits, or displays the VRRP configuration and current state of the circuits assigned to the specified failover group or virtual router.

Syntax
show vrrp circuit-ip [<failover_group_name>] [vrrp-id <virtual_router_ID_number>]

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.
Parameter: Description
<failover_group_name>: Displays the VRRP configurations for all circuits in the specified failover group.
vrrp-id <virtual_router_ID_number>: Displays the VRRP configuration for the circuit assigned to the specified virtual router.

Output
The output for this command has the following format:
Failover Group : chetire
Failover Group ID : 4
VRRP State : Backup
VRRP ID : 112
Circuit Name : gig15
VAP Group : fw
IP Address : 192.203.10.100/24 192.203.10.255 (Virtual)
Interface (State) : gigabitethernet 1/5 (Up), gigabitethernet 1/6 (Up)
Group Interface (State) : gig15_16 (Up)

The following table describes the information provided in each column/row.
Column/Row Heading: Information Provided
Failover Group: Failover group name.
Failover Group ID: Failover group ID number.
VRRP State: Current state of the failover group:
  backup - Failover group is in backup mode.
  down - Failover group is not functioning.
  init - Failover group is initializing.
  master - Failover group is in master mode.
  unknown - System cannot determine the state of the failover group.
VRRP ID: Virtual router ID number.
Circuit Name: Name of the circuit mapped to the virtual router.
VAP Group: Name of the VAP group mapped to the virtual router.
IP Address: Displays the IP address assigned to the circuit for the VAP group mapped to the virtual router, and indicates whether this IP address is the Primary Address for the circuit. If there is no IP address assigned to the circuit for the VAP group mapped to the virtual router, the IP Address field displays the text, IP-less.
Interface (State): Displays the interface type, slot/port, and state of the physical interface to which the circuit is assigned. If the circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
  Up - The interface is functioning normally.
  Down - The interface is not functioning.
  Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
  Unknown - System cannot determine the state of the interface.
Group Interface (State): Displays the name and state of the group interface to which the circuit is assigned. The group interface can be in one of the following states:
  Up - The group interface is functioning normally.
  Down - The group interface is not functioning.
  Admin. Down - The administrator has used the CLI to manually disable the group interface.
  Unknown - System cannot determine the state of the group interface.

Restrictions
Default Privilege Level: 15


Example
The following example shows four circuits mapped to VAP group vsxb1, which is part of failover group vrrp_vsx.
CBS# show vrrp circuit-ip vrrp_vsx
VAP Group : vsxb1
IP Address : 10.10.2.1 255.255.255.0 10.10.2.255 (Primary)
Interface (State) : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group : vrrp_vsx
Failover Group ID : 200
VRRP State : Master
VRRP ID : 1000
Circuit Name : vsx_ckt_vsxb1_internal_l2l3_3003
VAP Group : vsxb1
IP Address : 10.10.3.1 255.255.255.0 10.10.3.255 (Primary)
Interface (State) : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group : vrrp_vsx
Failover Group ID : 200
VRRP State : Master
VRRP ID : 1008
Circuit Name : vsx_ckt_vsxb1_internal_l2l3_3004
VAP Group : vsxb1
IP Address : 10.10.4.1 255.255.255.0 10.10.4.255 (Primary)
Interface (State) : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group : vrrp_vsx
Failover Group ID : 200
VRRP State : Master
VRRP ID : 1003
Circuit Name : vsx_ckt_vsxb1_internal_l2l3_3005
VAP Group : vsxb1
IP Address : 10.10.5.1 255.255.255.0 10.10.5.255 (Primary)
Interface (State) : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group : vrrp_vsx
Failover Group ID : 200
VRRP State : Master
VRRP ID : 1004
Circuit Name : vsx_ckt_vsxb1_internal_l2l3_3006
VAP Group : vsxb1
IP Address : IP-less (Primary)
Interface (State) : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
(5 rows)


show vrrp detail-status


This command displays the following information for each component of the system's VRRP configuration or for each component of the specified failover group:
Failover group ID
Failover group status: master, backup, down, or init
Failover group priority (actual/configured)
VRRP component's configured priority-delta value
Status of priority-delta: in effect, not in effect, or unknown next hop status
VRRP component type: virtual router, monitored interface, monitored circuit, VAP group, next hop
More detailed information about the VRRP component

Syntax
show vrrp detail-status [<failover_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter: Description
<failover_group_name>: Displays information only for the components of the specified failover group.

Output
The output for this command has the following format:
FG_ID  Status  Priority  Delta  Type  Component
1      Backup  99/101    2      vr    gig14/101
1      Backup  99/101    2      vr    gig13/100
1      Backup  99/101    1      mc    dummy
1      Backup  99/101    -2     vg    fw

The following table describes the information provided in each column/row.
Column/Row Heading: Information Provided
FG_ID: Failover group ID number
Status: Failover group status. Possible values are:
  master - Failover group is in master mode.
  backup - Failover group is in backup mode.
  down - Failover group is not functioning.
  init - Failover group is initializing.
Priority: Failover group priority (actual/configured).
Delta: The number shown in this column is the VRRP component's configured priority-delta value. The number is displayed differently depending on the status of the priority-delta:
  Number is positive - Component's priority-delta is not in effect, as the component is functioning normally.
  Number is negative - Component's priority-delta is in effect, as the component has failed. The failover group's priority has been decremented by the component's priority-delta value.
  Star symbol (*) appears after the number - Next hop status is unknown. (See the XOS Configuration Guide for more details on this status.)
Type: VRRP component type. Possible values are:
  vr - Virtual router
  mi - Monitored interface
  mg - Monitored group interface
  mc - Monitored circuit
  vg - VAP group
  nh - Next hop
Component: Detailed information about the VRRP component. The contents of this field depend on the VRRP component type:
  Virtual router - Field displays circuit name/ID number for the virtual router.
  Monitored interface - Field displays the monitored interface name.
  Monitored group interface - Field displays the monitored group interface name.
  Monitored circuit - Field displays the monitored circuit name.
  VAP group - Field displays the VAP group name.
  Next hop - Field displays verify-next-hop IP address/ID number for the virtual router.

Restrictions
Default Privilege Level: 15


Example
The following example shows the output of the show vrrp detail-status command run on an X-Series Platform configured as the backup system for VRRP failover group 200.
CBS# show vrrp detail-status
FG_ID  Status  Priority  Delta  Type  Component
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp448/33
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3006/32
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp384/31
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3005/30
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp320/29
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3004/28
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp256/27
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3003/26
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp192/25
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3002/24
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp128/23
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3001/22
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_outside_4001/21
200    Backup  198/198   1      vr    l2l3/20
200    Backup  198/198   1      vr    outside/10
200    Backup  198/198   1*     nh    10.10.1.10/22
200    Backup  198/198   50     vg    vsxb2
(21 rows)
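
The following Python sketch is an added example, not part of this guide or of XOS. It applies the Delta column rules described above to captured show vrrp detail-status output: it lists components whose priority-delta is in effect, flags next hops whose status is unknown, and checks that the in-effect deltas account for the gap between configured and actual priority. The first four data rows are the format sample shown under Output; the rows for failover group 2 and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Type codes as listed in the Type row of the output table.
TYPE_NAMES = {
    "vr": "virtual router",
    "mi": "monitored interface",
    "mg": "monitored group interface",
    "mc": "monitored circuit",
    "vg": "VAP group",
    "nh": "next hop",
}

# One data row: FG_ID Status Actual/Configured Delta[*] Type Component
ROW = re.compile(
    r"^\s*(?P<fg>\d+)\s+(?P<status>\w+)\s+(?P<actual>\d+)/(?P<configured>\d+)"
    r"\s+(?P<delta>-?\d+)(?P<star>\*?)\s+(?P<type>[a-z]{2})\s+(?P<component>\S+)\s*$"
)

# Rows for failover group 1 are the guide's format sample; the rows for
# failover group 2 are constructed here to exercise the star case.
SAMPLE = """\
CBS# show vrrp detail-status
FG_ID  Status  Priority  Delta  Type  Component
1      Backup  99/101    2      vr    gig14/101
1      Backup  99/101    2      vr    gig13/100
1      Backup  99/101    1      mc    dummy
1      Backup  99/101    -2     vg    fw
2      Master  150/150   1*     nh    10.0.0.1/20
2      Master  150/150   5      vg    fw2
(6 rows)
"""


def parse_detail_status(text):
    """Return one dict per data row; prompt, header and row-count lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue
        signed = int(m["delta"])
        rows.append({
            "fg_id": int(m["fg"]),
            "status": m["status"],
            "actual": int(m["actual"]),
            "configured": int(m["configured"]),
            "delta": abs(signed),
            # Negative number: the delta is in effect because the component failed.
            "in_effect": signed < 0,
            # Trailing star: next hop status is unknown.
            "next_hop_unknown": m["star"] == "*",
            "type": TYPE_NAMES.get(m["type"], m["type"]),
            "component": m["component"],
        })
    return rows


def audit(rows):
    """Summarise each failover group and check that the failed components'
    deltas explain the difference between configured and actual priority."""
    by_group = defaultdict(list)
    for row in rows:
        by_group[row["fg_id"]].append(row)

    report = {}
    for fg_id, members in by_group.items():
        failed = [(r["type"], r["component"], r["delta"])
                  for r in members if r["in_effect"]]
        explained = sum(delta for _, _, delta in failed)
        first = members[0]
        report[fg_id] = {
            "status": first["status"],
            "actual": first["actual"],
            "configured": first["configured"],
            "failed": failed,
            "unknown_next_hops": [r["component"] for r in members
                                  if r["next_hop_unknown"]],
            # False means the priority drop is not fully explained by these
            # rows, so the other show vrrp commands are the next place to look.
            "consistent": first["configured"] - explained == first["actual"],
        }
    return report


if __name__ == "__main__":
    for fg_id, summary in sorted(audit(parse_detail_status(SAMPLE)).items()):
        print(fg_id, summary)
```

In the guide's own sample the single in-effect delta (VAP group fw, 2) accounts exactly for the 99/101 priority.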

show vrrp failover-group


This command displays the VRRP configuration of the specified failover group or displays the VRRP configuration of all failover groups.

Syntax
show vrrp failover-group [<failover_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter: Description
<failover_group_name>: Displays the configuration for the specified failover group. Default is to display the configuration for all failover groups.


Output
The output for this command has the following format:
Failover Group : odin
Failover Group ID : 1
Advertisement Interval (seconds) : 1
Preemption (true/false) : t
Enabled (true/false) : t
Configured Priority : 101
Actual Priority : 101
Virtual Router IDs : 100, 101
Monitored Circuits : dummy
Monitored Group Interfaces : gig15_55
OSPF Cost Increment (Circuits) :
VAP Groups (failover-group) : fw
VAP Groups (failover-group-list) : fw
State : Master
Time of Last State Change: Fri Sep 3 04:47:53 2010
Reason for Last State change: Timed out waiting for master

The following table describes the information provided in each column/row.
Column/Row Heading: Information Provided
Failover Group: Displays the failover group name.
Failover Group ID: Displays the failover group ID.
Advertisement Interval (seconds): Displays the number of seconds between VRRP advertisements.
Preemption (true/false): Displays the preemption status.
Enabled (true/false): Displays the configuration status (enabled or disabled) for the failover group.
Configured Priority: The configured priority is the VRRP priority that you set for the failover group. If the configured priority is not the same as the actual priority, a failure caused a priority-delta to decrement the priority.
Actual Priority: The actual priority is the current VRRP priority value. If the actual priority is not the same as the configured priority, a failure caused a priority-delta to decrement the priority.
Virtual Router IDs: Displays the virtual router ID.
Monitored Circuits: Displays the circuits that VRRP monitors in the configured virtual routers.
Monitored Group Interfaces: Displays the group interfaces that VRRP monitors in the configured virtual routers.
OSPF Cost Increment (Circuits): Displays the OSPF cost increment associated for the configured circuits.
VAP Groups (failover-group): Displays the VAP groups associated with the failover group.
VAP Groups (failover-group-list): Displays the VAP groups associated with the failover group list.
State: The State is the state of the failover group, which can be one of the following:
  backup - Failover group is in backup mode.
  down - Failover group is not functioning.
  init - Failover group is initializing.
  master - Failover group is in master mode.
  unknown - System cannot determine the state of the failover group
Time of Last State Change: The date and time of the most recent change in the State parameter.
Reason for Last State Change: The reason for the most recent change in the State parameter. Possible reasons include:
  Initializing
  Priority is 255
  Priority is 0
  Priority higher than remote box <remote_box_id>
  Remote box <remote_box_id> has higher priority
  Timed out waiting for master
  Master <remote_box_id> has lower priority, but preemption is disabled
  Preempted by remote box <remote_box_id>
  Relinquished by user
  VRRP failover group is disabled
  No valid virtual routers configured

Restrictions
Default Privilege Level: 0

show vrrp monitor-circuit


This command displays the VRRP configuration and current status of all monitored circuits, or displays the VRRP configuration and current status of all monitored circuits that belong to the specified failover group.

Syntax
show vrrp monitor-circuit [<failover_group_name>]

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.
Parameter: Description
<failover_group_name>: Displays only the monitored circuits for the specified failover group.

Output
The output for this command has the following format:
Failover Group : odin
Failover Group ID : 1
Circuit : dummy
Interface (State) : gigabitethernet 1/2 (Up)
Priority Delta : 1
(1 row)

The following table describes the information provided in each column/row.
Column/Row Heading: Information Provided
Failover Group: Displays the monitored circuit's failover group name.
Failover Group ID: Displays the monitored circuit's failover group ID number.
Circuit: Displays the name of the monitored circuit.
Interface (State): Displays the interface type, slot/port, and state of the physical interface to which the monitored circuit is assigned. If the monitored circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
  Up - The interface is functioning normally.
  Down - The interface is not functioning.
  Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
  Unknown - System cannot determine the state of the interface.
Group Interface (State): Displays the name and state of the group interface to which the monitored circuit is assigned, along with these parameters:
  Distributing Ports Threshold - The number of ports that must be in the active distributing state to prevent the subtraction of the priority-delta value from virtual router.
  Distributing Ports Number - The number of ports that are currently in the active distributing state.
  The group interface can be in one of the following states:
  Up - The group interface is functioning normally.
  Down - The group interface is not functioning.
  Admin. Down - The administrator has used the CLI to manually disable the group interface.
  Unknown - System cannot determine the state of the group interface.
Priority Delta: Displays the monitored circuit's configured priority-delta value. If the Interface (State) or Group Interface (State) is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command.
CBS# show vrrp monitor-circuit
Failover Group : vrrp_vsx
Failover Group ID : 200
Circuit : vsx_ckt_vsxb2_l2l3_3005
Interface (State) : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 2/2 (Up), gigabitethernet 2/3 (Up)
Group Interface (State) : l2l3 (Up)
Priority Delta : 25
(1 row)

show vrrp monitor-interfaces


This command displays the VRRP configuration and current status of all monitored interfaces or displays the VRRP configuration and current status of all monitored interfaces assigned to circuits that belong to the specified failover group.

Syntax
show vrrp monitor-interfaces [<failover_group_name>]


Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter: Description
<failover_group_name>: Displays only the monitored interfaces for the specified failover group.

Output
The output for this command has the following format:
Failover Group : vosem
Failover Group ID : 8
Interface : gigabitethernet 2/2
Interface State : Up
Priority Delta : 2
(1 row)

The following table describes the information provided in each column/row.
Column/Row Heading: Information Provided
Failover Group: Failover group name.
Failover Group ID: Failover group ID number.
Interface: Interface being monitored.
Interface State: Current state of the monitored interface. Possible values are:
  Up - Interface is functioning.
  Down - Interface is not functioning.
  Unknown - Interface may or may not be functioning.
  Admin. Down - The administrator has used the CLI to manually disable the interface.
Priority Delta: Monitored interface's configured priority-delta value. If the Interface State is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.

Restrictions
Default Privilege Level: 15


Example
The following is an example of this command.
CBS# show vrrp monitor-interfaces
Failover Group : vrrp_vsx
Failover Group ID : 200
Interface : gigabitethernet 1/2
Interface State : Up
Priority Delta : 1
Failover Group : vrrp_vsx
Failover Group ID : 200
Interface : gigabitethernet 1/3
Interface State : Up
Priority Delta : 1
Failover Group : vrrp_vsx
Failover Group ID : 200
Interface : gigabitethernet 4/2
Interface State : Up
Priority Delta : 1
Failover Group : vrrp_vsx
Failover Group ID : 200
Interface : gigabitethernet 4/3
Interface State : Up
Priority Delta : 1
(4 rows)

show vrrp monitor-group-interfaces


This command displays the VRRP configuration and current status of all monitored group-interfaces or displays the VRRP configuration and current status of all monitored group-interfaces assigned to circuits that belong to the specified failover group.

Syntax
show vrrp monitor-group-interfaces [<failover_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter: Description
<failover_group_name>: Displays only the monitored group-interfaces for the specified failover group.


Output
The output for this command has the following format:
CBS# show vrrp monitor-group-interfaces
Failover Group : tri
Failover Group ID : 3
Group Interface (State) : gig15_16 (Up)
Interface (State) : gigabitethernet 1/5 (Up), gigabitethernet 1/6 (Up)
Priority Delta : 5
Distributing Port Threshold : 2
Distributing Interfaces : 2
(1 row)

The following table describes the information provided in each column/row.
Column/Row Heading: Information Provided
Failover Group: Failover group name.
Failover Group ID: Failover group ID number.
Group Interface (State): Group interface being monitored with the current state of the group interface in parentheses
Interface (State): Current state of each of the interfaces that are included in the monitored-group-interface. Possible values are:
  Up - Interface is functioning.
  Down - Interface is not functioning.
  Unknown - Interface may or may not be functioning.
  Admin. Down - The administrator has used the CLI to manually disable the interface.
Priority Delta: VRRP reduces the VRRP priority of the failover-group by this value whenever the number of active distributing ports for the group interface falls below the configured Distributing Port Threshold value.
Distributing Port Threshold: The minimum number of ports in the active distributing state required for the group interface. When the number of active distributing ports is less than this value, VRRP decrements the failover group VRRP priority by the priority-delta value.
Distributing Interfaces: The number of interfaces that are currently in the active distributing state in the group interface. Whenever this number falls below the Distributing Port Threshold value, the Priority Delta value is subtracted from the failover group VRRP priority.

show vrrp status


This command displays the high-level status of the system's VRRP configuration. You can choose to display only those failover groups with a specific state. Note that if a failover group's Actual and Configured VRRP priorities are not the same, there is a failure. To find the details of the failure, use the other show vrrp commands for that failover group or virtual router ID.


Syntax
show vrrp status [<failover_group_id>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter                 Description
<failover_group_name>     Displays only the monitored circuits for the specified failover group.

Output
The output for this command has the following format:

    Priority is Actual/Configured
    FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
    1      100/100   Backup  on       0              0
    2      150/150   Backup  off      0              0
    3      150/150   Backup  on       0              0
    (3 rows)

The following table describes the information provided in each column/row.

Column/Row Heading    Information Provided
FG-ID                 Failover group ID number.
Priority              Failover group priority (actual/configured).
Status                Failover group status. Possible values are:
                        master - Failover group is in master mode.
                        backup - Failover group is in backup mode.
                        down - Failover group is not functioning.
                        init - Failover group is initializing.
Preempt               Indicates whether preemption is enabled (on) or disabled (off) for each failover group.
Master Sys ID         System ID assigned to the master system.
Master Priority       Current priority of the failover group on the master system.

Restrictions
Default Privilege Level: 0


Example
The following is an example of this command:

    CBS# show vrrp status
    Priority is Actual/Configured
    Group ID  Priority   VR ID  Device Name  Status
    1         101 / 101  100    gig21        Master
    1         101 / 101  100    gig21        Master
    1         101 / 101  101    gig22        Master
    1         101 / 101  101    gig22        Master
    2         0 / 100    200    gig21        Backup
    2         0 / 100    200    gig21        Backup
    2         0 / 100    201    gig22        Backup
    2         0 / 100    201    gig22        Backup
    (8 rows)
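The check described for show vrrp status (Actual and Configured priorities differ) can be run against captured CLI output. The following Python script is an added example, not part of the XOS documentation or software; its function names are illustrative, and the sample text is this section's example output laid out one row per line.

```python
import re

# Status values listed in the Output table for "show vrrp status".
STATUSES = {"master", "backup", "down", "init"}

# A data row starts with the failover group ID followed by the
# Actual/Configured priority, written as "100/100" or "101 / 101".
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s*/\s*(\d+)\s+(.+?)\s*$")

# Constructed sample: the example output from this section, one row per line.
SAMPLE = """\
CBS# show vrrp status
Priority is Actual/Configured
Group ID  Priority   VR ID  Device Name  Status
1         101 / 101  100    gig21        Master
1         101 / 101  100    gig21        Master
1         101 / 101  101    gig22        Master
1         101 / 101  101    gig22        Master
2         0 / 100    200    gig21        Backup
2         0 / 100    200    gig21        Backup
2         0 / 100    201    gig22        Backup
2         0 / 100    201    gig22        Backup
(8 rows)
"""


def parse_status(text):
    """Return one dict per data row; prompt, headers and '(N rows)' are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        fg, actual, configured, rest = m.groups()
        # The Status column sits in a different position in the two layouts
        # shown in this section, so take the first token that is a status word.
        status = next((t for t in rest.split() if t.lower() in STATUSES), None)
        rows.append({"fg_id": int(fg), "actual": int(actual),
                     "configured": int(configured), "status": status})
    return rows


def degraded_groups(rows):
    """Map failover group ID -> details for groups where Actual != Configured."""
    out = {}
    for r in rows:
        if r["actual"] != r["configured"]:
            out[r["fg_id"]] = {
                "actual": r["actual"],
                "configured": r["configured"],
                # Amount to account for with the other show vrrp commands.
                "shortfall": r["configured"] - r["actual"],
                "status": r["status"],
            }
    return out


if __name__ == "__main__":
    for fg, info in sorted(degraded_groups(parse_status(SAMPLE)).items()):
        print(f"failover group {fg}: priority {info['actual']}/{info['configured']} "
              f"({info['status']}), shortfall {info['shortfall']}")
```

The shortfall is the total that the Priority Delta values reported by the other show vrrp commands for that failover group should explain.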

show vrrp vap-group


This command displays the VRRP configuration for all VAP groups or a specific VAP group. Only those VAP groups configured for VRRP are displayed.

Syntax
show vrrp vap-group [<VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter            Description
<VAP_group_name>     Existing VAP group.

Output
The output for this command has the following format:

    VAP Group             : L2
    Enable (true/false)   : t
    Hold Down Timer       : 120
    Priority Delta        : 51
    Active Slot Threshold : 2
    Active VAPs           : 2
    Failover Group List   : fg1 fg2

The following table describes the information provided in each column/row.

Column/Row Heading       Information Provided
VAP Group                Displays the name of the VAP group assigned to the virtual router.
Enable (true/false)      Displays the status of the VAP group in the virtual-router.
Hold Down Timer          Number of seconds to wait before becoming VRRP master.
Priority Delta           The value by which the priority will be decremented if the VAP group does not meet the minimum criteria for the VRRP configuration.
Active Slot Threshold    The minimum number of slots required for the VAP group. When the number of active VAPs is less than this value, VRRP decrements the failover group's VRRP priority by the priority-delta value.
Active VAPs              The Active VAPs field shows the number of VAPs that are currently active in the VAP group. If this number is less than the Active Slot Threshold value, then the Priority Delta value has been subtracted from the failover group's VRRP priority.
Failover Group List      Displays the failover groups that are participating in the VRRP configuration.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command.

    CBS# show vrrp vap-group
    VAP Group             : cb1ids
    Enable (true/false)   : t
    Hold Down Timer       : 100
    Priority Delta        : 2
    Active Slot Threshold : 3
    Active VAPs           : 4
    Failover Group List   : failoverfw

show vrrp verify-next-hop


This command displays the next hop addresses that can affect a failover group's VRRP priority should they become unreachable.

Syntax
show vrrp verify-next-hop [<failover_group_name>] [vrrp-id <virtual_router_id>]

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter                      Description
<failover_group_name>          Displays only the configuration for the specified failover group. If not specified, all virtual routers are displayed.
vrrp-id <virtual_router_id>    Existing virtual router Identifier. Values are 1-4096.

Output
The output for this command has the following format:

    Failover Group     : 3
    VRRP ID            : 6
    Circuit Name       : c12Bottom
    VAP Group          : fwv5
    Verify Next Hop IP : 192.168.1.156
    Priority Delta     : 77
    State              : Reachable

The following table describes the information provided in each column/row.

Column/Row Heading    Information Provided
Failover Group        Displays the virtual router's failover group name.
VRRP ID               Displays the virtual router ID number.
Circuit Name          Displays the name of the circuit mapped to the virtual router.
VAP Group             Displays the name of the VAP group assigned to the virtual router.
Verify Next Hop IP    Displays the specified IP address for the next hop check.
Priority Delta        If the next hop IP address is unreachable, the failover group's priority will be decremented by the Priority Delta.
State                 The State can be Reachable, Unreachable, or Unknown. If the State is Unreachable or Unknown, the Priority Delta value has been subtracted from the failover group's VRRP priority.

Restrictions
Default Privilege Level: 15


Example
The following is an example.

    CBS# show vrrp verify-next-hop
    Failover Group     : failoverfw
    VRRP ID            : 62
    Circuit Name       : vlan602
    VAP Group          : cb1fw
    Verify Next Hop IP : 192.168.19.71
    Priority Delta     : 2
    State              : Reachable

show vrrp virtual-router


This command displays the VRRP configuration for all virtual routers, displays the VRRP configuration for the virtual routers assigned to the specified failover group, or displays the VRRP configuration for the specified virtual router.

Syntax
show vrrp virtual-router [<failover_group_name>] [vrrp-id <virtual_router_ID>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter                      Description
<failover_group_name>          Displays the VRRP configurations only for the virtual routers that belong to the specified failover group.
vrrp-id <virtual_router_ID>    Displays the VRRP configuration only for the specified virtual router.

Output
The output for this command has the following format:

    Failover Group              : fg2
    Failover Group ID           : 2
    VRRP State                  : Backup
    Virtual Router ID           : 4
    Circuit Name                : WanOut
    Priority Delta              : 10
    Backup Stay Up (true/false) : t
    MAC Usage                   : vrrp-mac
    VAP Group                   : fwv5
    Interface (State)           : 10gigabitethernet 1/10 (Up)
    Group Interface (State)     : group1 (Up)

The following table describes the information provided in each column/row.

Column/Row Heading             Information Provided
Failover Group                 Displays the virtual router's failover group name.
Failover Group ID              Displays the virtual router's failover group ID number.
VRRP State                     Current state of the failover group:
                                 backup - Failover group is in backup mode.
                                 down - Failover group is not functioning.
                                 init - Failover group is initializing.
                                 master - Failover group is in master mode.
                                 unknown - System cannot determine the state of the failover group.
Virtual Router ID              Displays the virtual router ID number.
Circuit Name                   Displays the name of the circuit mapped to the virtual router.
Priority Delta                 Displays the virtual router's configured priority-delta value. If the Interface (State) or Group Interface (State) is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.
Backup Stay Up (true/false)    Indicates whether the backup-stay-up parameter is enabled (t) or disabled (f) for the virtual router.
MAC Usage                      Displays the mac-usage parameter setting for the virtual router.
VAP Group                      Displays the name of the VAP group assigned to the virtual router.
Interface (State)              Displays the interface type, slot/port, and state of the physical interface to which the virtual router's circuit is assigned. If the virtual router's circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
                                 Up - The interface is functioning normally.
                                 Down - The interface is not functioning.
                                 Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
                                 Unknown - System cannot determine the state of the interface.
Group Interface (State)        Displays the name and state of the group interface to which the monitored circuit is assigned. The group interface can be in one of the following states:
                                 Up - The group interface is functioning normally.
                                 Down - The group interface is not functioning.
                                 Admin. Down - The administrator has used the CLI to manually disable the group interface.
                                 Unknown - System cannot determine the state of the group interface.

Restrictions
Default Privilege Level: 15

Example
The following is an example.

    CBS# show vrrp virtual-router vrrp-id 1014
    Failover Group              : vrrp_vsx
    Failover Group ID           : 200
    VRRP State                  : Backup
    Virtual Router ID           : 1014
    Circuit Name                : vsx_ckt_vsxb2_l2l3_3333
    Priority Delta              : 1
    Backup Stay Up (true/false) : t
    MAC Usage                   : vrrp-mac
    VAP Group                   : vsxb2
    Interface (State)           : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up),
                                  gigabitethernet 2/2 (Up), gigabitethernet 2/3 (Up)
    Group Interface (State)     : l2l3 (Up)
    (1 row)
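The Priority Delta conditions described for show vrrp monitor-group-interfaces, show vrrp vap-group, show vrrp verify-next-hop, and show vrrp virtual-router can be evaluated from captured output. The following Python script is an added example, not Crossbeam code; the function names and sample values are constructed, the samples are abbreviated to the fields the checks use, and it assumes that multiple records in one output repeat the same keys.

```python
import re

BAD_IF_STATES = {"Down", "Admin. Down", "Unknown"}   # show vrrp virtual-router
BAD_HOP_STATES = {"Unreachable", "Unknown"}          # show vrrp verify-next-hop
TRAILER = re.compile(r"^\(\d+ rows?\)$")

# Constructed samples in the "Key : Value" layout shown in this section.
NEXT_HOP = """\
CBS# show vrrp verify-next-hop
Failover Group     : failoverfw
VRRP ID            : 62
Verify Next Hop IP : 192.0.2.71
Priority Delta     : 2
State              : Reachable
Failover Group     : failoverfw
VRRP ID            : 63
Verify Next Hop IP : 192.0.2.99
Priority Delta     : 3
State              : Unreachable
(2 rows)
"""
VIRTUAL_ROUTER = """\
CBS# show vrrp virtual-router
Failover Group              : fg2
Virtual Router ID           : 4
Priority Delta              : 10
Interface (State)           : gigabitethernet 1/2 (Up),
                              gigabitethernet 1/3 (Admin. Down)
Group Interface (State)     : group1 (Up)
(1 row)
"""


def parse_records(text):
    """Split 'Key : Value' output into one dict per record (a repeated key
    starts a new record; a line without a colon continues the previous value)."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("CBS#") or TRAILER.match(line):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            if last_key:
                current[last_key] += " " + line   # wrapped Interface (State) list
            continue
        key = key.strip()
        if key in current:
            records.append(current)
            current = {}
        current[key] = value.strip()
        last_key = key
    if current:
        records.append(current)
    return records


def states_in(value):
    """Extract the parenthesised states from 'name (Up), name (Down)'."""
    return re.findall(r"\(([^)]+)\)", value)


def delta_in_effect(rec):
    """Return a reason if this record's Priority Delta is being subtracted, else None."""
    if "Distributing Port Threshold" in rec:          # monitor-group-interfaces
        have = int(rec["Distributing Interfaces"])
        need = int(rec["Distributing Port Threshold"])
        return f"{have} distributing interfaces < threshold {need}" if have < need else None
    if "Active Slot Threshold" in rec:                # vap-group
        have, need = int(rec["Active VAPs"]), int(rec["Active Slot Threshold"])
        return f"{have} active VAPs < threshold {need}" if have < need else None
    if "Verify Next Hop IP" in rec:                   # verify-next-hop
        state = rec["State"]
        if state in BAD_HOP_STATES:
            return f"next hop {rec['Verify Next Hop IP']} is {state}"
        return None
    if "Virtual Router ID" in rec:                    # virtual-router
        bad = [s for k in ("Interface (State)", "Group Interface (State)")
               for s in states_in(rec.get(k, "")) if s in BAD_IF_STATES]
        return "interface state: " + ", ".join(bad) if bad else None
    return None


def audit(text):
    """Return (group name, priority delta, reason) for each record in effect."""
    findings = []
    for rec in parse_records(text):
        reason = delta_in_effect(rec)
        if reason:
            name = rec.get("Failover Group") or rec.get("VAP Group", "?")
            findings.append((name, int(rec["Priority Delta"]), reason))
    return findings


if __name__ == "__main__":
    for sample in (NEXT_HOP, VIRTUAL_ROUTER):
        for name, delta, reason in audit(sample):
            print(f"{name}: priority reduced by {delta} ({reason})")
```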


Commands for Displaying Hardware and Software Maintenance Configuration Settings


This section contains the following commands:
    show module admin-state
    show module status
    show reload

show module admin-state


This command displays the current administrative state (enabled, disabled, or maintenance) for all modules in an X-Series Platform. The admin-state parameter cannot be used with any other parameter.

Syntax
show module admin-state

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter      Description
admin-state    Displays administrative status (enabled, disabled, or maintenance) for each module.

Restrictions
Default Privilege Level: 0


Example
The following is an example using show module admin-state to see the status for all modules in an X80.

    CBS# show module admin-state
    Slot Number  Administrative Status
    1            Enable
    2            Enable
    3            Enable
    4            Disable
    5            Enable
    6            Enable
    7            Enable
    8            Enable
    9            Enable
    10           Enable
    11           Enable
    12           Enable
    13           Enable
    14           Enable
    (14 rows)

show module status


The show module status command displays hardware details for modules installed in an X-Series Platform. If a specific module is not specified with status, the show command applies to all modules. If no value is specified, the status of all parameters measured on all modules is displayed, except reachability.

Syntax
show module status [np1|np2|np3|np4|cp1|cp2|ap1|ap2|ap3|ap4|ap5|ap6|ap7|ap8|ap9|ap10]
    [voltage|temperature|type|revision|serial|link|memory|leds|disk|duart|reachability|acceleration-card|eth-daughter-card]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter            Description
np1 - np4            Displays specific NPMs in the X-Series Platform.
cp1 or cp2           Displays specific CPMs in the X-Series Platform.
ap1 - ap10           Displays specific APMs in the X-Series Platform.
voltage              Displays the voltage measured on each module in volts.
temperature          Displays the temperatures measured on each module in degrees Celsius.
type                 Displays the module type.
revision             Displays the module hardware revision.
serial               Displays the module serial number.
link                 Displays the status of links attached to the module specified (UP/DOWN).
memory               Displays the status of memory devices on the specified module in KB.
leds                 Displays whether the LEDs on the modules are ON or OFF.
disk                 Displays slot, number, size, errors, and RAID status information about disk drives installed on the CPMs and APMs.
                     NOTE: Use this parameter to check for dual drives before configuring RAID.
duart                Displays the status of the DUAL UART (serial ports) if connected to the specified module (UP/DOWN).
reachability         Displays the modules reachable from the specified slot through the control and data plane.
acceleration-card    Displays the presence of an Accelerated Crypto Engine (ACE) card, used for VPN acceleration, on an APM.
eth-daughter-card    Displays the presence of an Ethernet daughter card on an APM.

Output
The output for this command has the following format:

    NA = Not Available, DP = Data Plane, CP = Control Plane
    cp = Control Processor, ap = Application Processor, np = Network Processor

    Slot 1:
    Board Type                     NP8620
    Board Part Number              005331
    Board Serial Number            G834L008
    Board Revision                 2
    Control FPGA Revision          0x3
    Focus FPGA Revision            0xDB1C
    Board OCODE                    A000
    Dual-CPU Capacity              Not Available
    CPU Presence                   Present
    CPU2 Presence                  Not Present
    CPU Voltage                    1.10(V)
    3.3v Supply                    3.32(V)
    2.5v Supply                    2.50(V)
    1.8v Supply                    1.79(V)
    1.8v NP6 Octeon DDR            1.79(V)
    1.2v NP6 EZChip Core           1.18(V)
    1.8v NP6 EZChip DDR            1.79(V)
    1.5v NP6 EZChip XGMII/RGMII    1.47(V)
    1.2v NP6 XBPRC                 1.19(V)
    Ethernet Switch Voltage        1.24(V)
    CPU Temperature                42(C)
    Intake Air Temperature         28(C)
    FPGA Temperature               43(C)
    Exhaust Air Temperature        32(C)
    SDRAM 1 Size                   1048576(KB)
    SDRAM 2 Size                   0(KB)
    SDRAM 3 Size                   1048576(KB)
    SDRAM 4 Size                   0(KB)
    Total Memory                   2097152(KB)
    Used Memory                    1772372(KB)
    Free Memory                    324780(KB)
    Active LED                     On
    Standby LED                    Off
    Failure LED                    Off
    Control Bus A                  Up
    Control Bus B                  Up
    np1/np1 Link                   Up
    np1/np2 Link                   Up
    np1/ap1 Link                   Down
    np1/ap2 Link                   Down
    np1/ap3 Link                   Down
    np1/ap4 Link                   Down
    np1/ap5 Link                   Down
    np1/ap6 Link                   Down
    np1/ap7 Link                   Down
    np1/ap8 Link                   Down
    np1/ap9 Link                   Down
    np1/ap10 Link                  Down
    np1/cp2 Link                   Up
    gigabitethernet 1/1            Down
    gigabitethernet 1/2            Down
    gigabitethernet 1/3            Down
    gigabitethernet 1/4            Down
    gigabitethernet 1/5            Down
    gigabitethernet 1/6            Down
    gigabitethernet 1/7            Down
    gigabitethernet 1/8            Down
    gigabitethernet 1/9            Down
    gigabitethernet 1/10           Down

Restrictions
Default Privilege Level: 0


Example
The following command displays the voltage levels for np1 in an X-Series Platform:

    CBS# show module status np1 voltage
    NA = Not Available, DP = Data Plane, CP = Control Plane
    cp = Control Processor, ap = Application Processor, np = Network Processor

    Slot 1:
    CPU Voltage                    1.10(V)
    3.3v Supply                    3.32(V)
    2.5v Supply                    2.50(V)
    1.8v Supply                    1.79(V)
    1.8v NP6 Octeon DDR            1.79(V)
    1.2v NP6 EZChip Core           1.18(V)
    1.8v NP6 EZChip DDR            1.78(V)
    1.5v NP6 EZChip XGMII/RGMII    1.47(V)
    1.2v NP6 XBPRC                 1.19(V)
    Ethernet Switch Voltage        1.25(V)

show reload
This command displays scheduled reload information.

Syntax
show reload

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15


Commands for Displaying Advanced Configuration Settings


This section contains the following commands:
    show auto-promote
    show alias

show auto-promote
This command displays the auto promote state.

Syntax
show auto-promote

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.

    CBS# show auto-promote
    auto-promote enabled

show alias
This command displays all configured alias commands.

Syntax
show alias

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.

    CBS# show alias
    wr copy running-config startup-config


Commands for Displaying Console Display Configuration Settings


This section contains the following commands:
    show terminal history

show terminal history


This command displays the number of command lines set to be recorded by the system.

Syntax
show terminal history

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0


13
Using swatch Scripts for System Monitoring
The XOS Swatch Dynamic Display Tool (Swatch) is a Linux tool designed to display dynamically-changing data on a terminal screen in a customized display format. The Swatch tool runs from the UNIX prompt and the XOS CLI.

This chapter contains the following sections:
    Introducing swatch Scripts
    Using swatch Scripts

Introducing swatch Scripts


XOS provides 17 swatch scripts for monitoring the X-Series Platform. Refer to the XOS Configuration Guide for information on modifying or creating swatch scripts and for instructions on running the swatch scripts from the UNIX prompt. There are no parameters for the swatch command. Instead, the swatch command displays a menu. Each menu item runs swatch with a predefined configuration file to display specific information. Each swatch script contains one or more screens that you can access by entering the screen number. To start a swatch script, enter the number of the menu item, or enter x to exit from the menu and return to the CLI prompt. After you select a menu item, press h for a list of the swatch screen controls.

Syntax
swatch

Context
You access this command from the main CLI context.


From the swatch menu, you can access the following swatch scripts:
    APM Switched Data Path Statistics (apmdevstats.swc)
    APM Interface Statistics (apmdevstats_slot.swc)
    APM Firewall Statistics (apmfwstats.swc)
    APM Firewall Statistics by Slot (apmfwstats_slot.swc)
    APM IP, ICMP, TCP, and UDP Statistics (apmsnmpstats.swc)
    Crossbeam Daemon Status Script (cbsinitdstats.swc)
    NPM Fabric Packet Statistics (fabricstats.swc)
    NPM Flow Calculation Statistics (flowcalcstats.swc)
    Flow Assignment and Scheduling Statistics (flowsched.swc)
    Group Interface Statistics (groupintstats.swc)
    CPU Activity for the APM and CPM (health_cpubsy.swc)
    CPU Load, Utilization, and Memory Information (health_cpumem.swc)
    CPU and Board Temperature (health_temp.swc)
    Module Uptime Statistics (moduleuptime.swc)
    Local Network Interface Statistics (netifstats.swc)
    NPM Interface Statistics (npmdevstats.swc)
    NPM VDF Status (npmfragstats.swc)

Restrictions
Default Privilege Level: 15

Example
Here is an example of the swatch menu:

    CBS# swatch
    1. apmdevstats.swc
    2. apmdevstats_slot.swc
    3. apmfwstats.swc
    4. apmfwstats_slot.swc
    5. apmsnmpstats.swc
    6. cbsinitdstats.swc
    7. fabricstats.swc
    8. flowcalcstats.swc
    9. flowsched.swc
    10. groupintstats.swc
    11. health_cpubsy.swc
    12. health_cpumem.swc
    13. health_temp.swc
    14. moduleuptime.swc
    15. netifstats.swc
    16. npmdevstats.swc
    17. npmfragstats.swc
    X. Exit
    <1 - 17> [X]:


Using swatch Scripts


After starting a swatch script, the following case-sensitive commands are available:

Key        Action
<space>    Pauses and resumes dynamic screen updates.
s          Performs a single update.
c          Clears the counters on the active screen.
C          Clears the counters on all screens in the swatch script.
u          Restores the counters on the active screen.
U          Restores the counters on all screens in the swatch script.
r          Resets the data items on the active screen.
R          Resets the data items on all screens in the swatch script.
d          After running a command from the swatch menu, you can enter d to create a file containing the output of the command. The help associated with the swatch menu now indicates the name of the file and its location. Example:
               Help:
               Key      Action
               -------------------------------------------------
               . . .
               d        dump this screen to file /tmp/<screen-name>.scr
               . .
               q | Q    quit
+          Advances the display to the next screen.
-          Moves the display to the previous screen.
00-99      Advances the display to the screen number. If there are more than nine screens, use the Enter key to end.
h          Displays the help text.
l          Displays the screen list.
q|Q        Exits the swatch script and returns to the list of swatch scripts.

APM Switched Data Path Statistics (apmdevstats.swc)


This swatch script displays APM interface packet statistics for the switched data paths on the X-Series Platform backplane. The script displays statistics and rates for each switched data path.

Swatch Screen List
    1: APM Interface Statistics for sdp0
    2: APM Interface Rates Statistics for sdp0
    3: APM Interface Statistics for sdp1
    4: APM Interface Rates Statistics for sdp1
    5: APM Interface Statistics for sdp2
    6: APM Interface Rates Statistics for sdp2
    7: APM Interface Statistics for sdp3
    8: APM Interface Rates Statistics for sdp3
    9: APM Interface Statistics for sdp4
    10: APM Interface Rates Statistics for sdp4
    11: APM Interface Statistics for sdp5
    12: APM Interface Rates Statistics for sdp5
    13: APM Interface Statistics for sdp6
    14: APM Interface Rates Statistics for sdp6
    15: APM Interface Statistics for sdp7
    16: APM Interface Rates Statistics for sdp7

APM Interface Statistics for sdpx


    APM Interface Statistics for sdp0

    Slot  VAP       Status  TxPkts   TxDrops  TxErrs  RxPkts   RxDrops  RxErrs
    ----  --------  ------  -------  -------  ------  -------  -------  ------
    2     N/A       N/A
    3     fenway_1  up      2092755  0        0       1759858  0        0
    4     garden_1  up      1983555  0        0       1669958  0        0
    5     N/A       N/A
    6     N/A       N/A

APM Interface Rates Statistics for sdpx


    APM Interface Rates Statistics for sdp0

                    TxPktRate   TxDataRate  RxPktRate   RxDataRate
    Slot  VAP       (Kpps)      (Mbps)      (Kpps)      (Mbps)
    ----  --------  ----------  ----------  ----------  ----------
    2     N/A
    3     fenway_1  0.498       1.860       0.411       2.571
    4     garden_1  0.498       1.860       0.410       2.567
    5     N/A
    6     N/A

    Total:          0.996       3.720       0.821       5.137


APM Interface Statistics (apmdevstats_slot.swc)


This swatch script displays interface statistics and rates for all interfaces in the X-Series Platform.

Swatch Screen List
    1: Interface Statistics for fenway_1 on Slot 3
    2: Interface Rates Statistics for fenway_1 on Slot 3

Interface Statistics for <VAP_member_index_number> on Slot x


    Interface Statistics for fenway_1 on Slot 3

    Interface  TxPkts      TxDrops     TxErrors    RxPkts      RxDrops     RxErrors
    ---------  ----------  ----------  ----------  ----------  ----------  ----------
    eth1       181227      0           0           199780      0           0
    eth0       0           0           0           0           0           0
    lo         8           0           0           8           0           0
    sdp0       2140855     0           0           1800430     0           0
    sdp1       0           0           0           0           0           0
    sdp2       0           0           0           0           0           0
    sdp3       0           0           0           0           0           0
    sdp4       2492        0           0           2416        0           0
    sdp5       28          0           0           26          0           0
    sdp6       0           0           0           0           0           0
    sdp7       0           0           0           0           0           0
    vnd0       2140769     0           0           1800221     0           0
    sit0       0           0           0           0           0           0
    vnd4096    0           0           0           0           0           0
    intbr      1268        0           0           1308        0           0
    intbrvlan  14          0           0           33          0           0
    ins        1296        1           0           1310        0           0
    insvlan30  28          1           0           0           0           0


Interface Rates Statistics for <VAP_member_index_number> on Slot x


    Interface Rates Statistics for fenway_1 on Slot 3

               TxPktRate   TxDataRate  RxPktRate   RxDataRate
    Interface  (Kpps)      (Mbps)      (Kpps)      (Mbps)
    ---------  ----------  ----------  ----------  ----------
    eth1       0.033       0.059       0.037       0.039
    eth0       0.000       0.000       0.000       0.000
    lo         0.000       0.000       0.000       0.000
    sdp0       0.479       1.848       0.408       2.560
    sdp1       0.000       0.000       0.000       0.000
    sdp2       0.000       0.000       0.000       0.000
    sdp3       0.000       0.000       0.000       0.000
    sdp4       0.002       0.002       0.002       0.002
    sdp5       0.000       0.000       0.000       0.000
    sdp6       0.000       0.000       0.000       0.000
    sdp7       0.000       0.000       0.000       0.000
    vnd0       0.479       1.821       0.408       2.511
    sit0       0.000       0.000       0.000       0.000
    vnd4096    0.000       0.000       0.000       0.000
    intbr      0.001       0.001       0.001       0.001
    intbrvlan  0.000       0.000       0.000       0.000
    ins        0.001       0.001       0.001       0.001
    insvlan30  0.000       0.000       0.000       0.000

APM Firewall Statistics (apmfwstats.swc)


This swatch script displays firewall statistics.

Swatch Screen List
    1: Firewall Packet Statistics per APM Slot
    2: Firewall Packet Rates per APM Slot

Firewall Packet Statistics per APM Slot


    Firewall Packet Statistics per APM Slot

    Item              fenway_1    garden_1
    ----------------  ----------  ----------
      SDP Rx Drops    0           0
    - SDP Rx Errors   0           0
    = SDP Rx Pkts     1839628     1749746
    > VND Rx Pkts
    = FW Total In
    - FW Drop In
    - FW Reject In
    = FW Accept In
    = FW Total Out
    - FW Drop Out
    - FW Reject Out
    = FW Accept Out
    = VND Tx Pkts
    < SDP Tx Pkts     2187369     2078116
    - SDP Tx Drops    0           0
    - SDP Tx Errors   0           0


Firewall Packet Rates per APM Slot


    Firewall Packet Rates per APM Slot

    Item              fenway_1    garden_1
    ----------------  ----------  ----------
      SDP Rx Drops    0.000       0.000
    - SDP Rx Errors   0.000       0.000
    = SDP Rx Pkts     0.288       0.288
    > VND Rx Pkts
    = FW Total In
    - FW Drop In
    - FW Reject In
    = FW Accept In
    = FW Total Out
    - FW Drop Out
    - FW Reject Out
    = FW Accept Out
    = VND Tx Pkts
    < SDP Tx Pkts     0.345       0.346
    - SDP Tx Drops    0.000       0.000
    - SDP Tx Errors   0.000       0.000

APM Firewall Statistics by Slot (apmfwstats_slot.swc)


This swatch script displays firewall statistics and rates by slot.

Swatch Screen List
    1: Checkpoint FW-1 Statistics for fenway_1 on Slot 3
    2: Checkpoint FW-1 Statistics for garden_1 on Slot 4
    3: Checkpoint FW-1 Rates Statistics for fenway_1 on Slot 3
    4: Checkpoint FW-1 Rates Statistics for garden_1 on Slot 4

Application FW Statistics for <VAP_group_member_index_number> on Slot x


    Checkpoint FW-1 Statistics for fenway_1 on Slot 3

    Interface      | OutAccept OutDrop OutReject OutLog | InAccept InDrop InReject InLog |
    -------------- | --------- ------- --------- ------ | -------- ------ -------- ----- |
    Total          |                                    |                                |

Application FW Rates Statistics for <VAP_group_member_index_number> on Slot x


    Checkpoint FW-1 Rates Statistics for fenway_1 on Slot 3

                   | OutAccept OutDrop OutReject OutLog | InAccept InDrop InReject InLog |
    Interface      | (Kpps)    (Kpps)  (Kpps)    (Kpps) | (Kpps)   (Kpps) (Kpps)   (Kpps) |
    -------------- | --------- ------- --------- ------ | -------- ------ -------- ----- |
    Total          |                                    |                                |

APM IP, ICMP, TCP, and UDP Statistics (apmsnmpstats.swc)


This script displays IP, ICMP, TCP, and UDP statistics and rates for the APMs in the X-Series Platform.

Swatch Screen List
    1: IP
    2: ICMP
    3: TCP
    4: UDP
    5: IP Statistics (packets per second)
    6: ICMP Statistics (packets per second)
    7: TCP Statistics (packets per second)
    8: UDP Statistics (packets per second)

IP Statistics (packet counts)


    IP Statistics (packet counts)

                      Slot 3      Slot 4
    Label             fenway_1    garden_1
    ----------------  ----------  ----------
    Forwarding        1           1
    DefaultTTL        64          64
    InReceives        142503      137324
    InHdrErrors       0           0
    InAddrErrors      0           0
    ForwDatagrams     0           0
    InUnknownProtos   0           0
    InDiscards        0           0
    InDelivers        142499      137321
    OutRequests       130613      125485
    OutDiscards       0           0
    OutNoRoutes       0           0
    ReasmTimeout      0           0
    ReasmReqds        0           0
    ReasmOKs          0           0
    ReasmFails        0           0
    FragOKs           769         729
    FragFails         0           0
    FragCreates       2148        2039


ICMP Statistics (packet counts)


    ICMP Statistics (packet counts)

                      Slot 3      Slot 4
    Label             fenway_1    garden_1
    ----------------  ----------  ----------
    InMsgs            2934        0
    InErrors          0           0
    InDestUnreachs    0           0
    InTimeExcds       0           0
    InParmProbs       0           0
    InSrcQuenchs      0           0
    InRedirects       0           0
    InEchos           2934        0
    InEchoReps        0           0
    InTimestamps      0           0
    InTimestampReps   0           0
    InAddrMasks       0           0
    InAddrMaskReps    0           0
    OutMsgs           2934        0
    OutErrors         0           0
    OutDestUnreachs   0           0
    OutTimeExcds      0           0
    OutParmProbs      0           0
    OutSrcQuenchs     0           0
    OutRedirects      0           0
    OutEchos          0           0
    OutEchoReps       2934        0
    OutTimestamps     0           0
    OutTimestampReps  0           0
    OutAddrMasks      0           0
    OutAddrMaskReps   0           0

TCP Statistics (packet counts)


    TCP Statistics (packet counts)

                      Slot 3      Slot 4
    Label             fenway_1    garden_1
    ----------------  ----------  ----------
    RtoAlgorithm      1           1
    RtoMin            200         200
    RtoMax            120000      120000
    MaxConn           1844674407  1844674407
    ActiveOpens       36          36
    PassiveOpens      15          15
    AttemptFails      15          15
    EstabResets       1           1
    CurrEstab         5           5
    InSegs            125658      123162
    OutSegs           96883       95550
    RetransSegs       1           0
    InErrs            0           0
    OutRsts           0           0


UDP Statistics (packet counts)


    UDP Statistics (packet counts)

                      Slot 3      Slot 4
    Label             fenway_1    garden_1
    ----------------  ----------  ----------
    InDatagrams       14854       14594
    NoPorts           0           0
    InErrors          0           0
    OutDatagrams      31619       30600

IP Statistics (packets per second)


    IP Statistics (packets per second)

                      Slot 3      Slot 4
    Label             fenway_1    garden_1
    ----------------  ----------  ----------
    InReceives        14.998      13.998
    InHdrErrors       0.000       0.000
    InAddrErrors      0.000       0.000
    ForwDatagrams     0.000       0.000
    InUnknownProtos   0.000       0.000
    InDiscards        0.000       0.000
    InDelivers        14.998      13.998
    OutRequests       18.498      17.998
    OutDiscards       0.000       0.000
    OutNoRoutes       0.000       0.000
    ReasmTimeout      0.000       0.000
    ReasmReqds        0.000       0.000
    ReasmOKs          0.000       0.000
    ReasmFails        0.000       0.000
    FragOKs           0.500       0.500
    FragFails         0.000       0.000
    FragCreates       1.500       1.500


ICMP Statistics (packets per second)


    ICMP Statistics (packets per second)

                      Slot 3      Slot 4
    Label             fenway_1    garden_1
    ----------------  ----------  ----------
    InMsgs            2.000       0.000
    InErrors          0.000       0.000
    InDestUnreachs    0.000       0.000
    InTimeExcds       0.000       0.000
    InParmProbs       0.000       0.000
    InSrcQuenchs      0.000       0.000
    InRedirects       0.000       0.000
    InEchos           2.000       0.000
    InEchoReps        0.000       0.000
    InTimestamps      0.000       0.000
    InTimestampReps   0.000       0.000
    InAddrMasks       0.000       0.000
    InAddrMaskReps    0.000       0.000
    OutMsgs           2.000       0.000
    OutErrors         0.000       0.000
    OutDestUnreachs   0.000       0.000
    OutTimeExcds      0.000       0.000
    OutParmProbs      0.000       0.000
    OutSrcQuenchs     0.000       0.000
    OutRedirects      0.000       0.000
    OutEchos          0.000       0.000
    OutEchoReps       2.000       0.000
    OutTimestamps     0.000       0.000
    OutTimestampReps  0.000       0.000
    OutAddrMasks      0.000       0.000
    OutAddrMaskReps   0.000       0.000

TCP Statistics (packets per second)


    TCP Statistics (packets per second)

                      Slot 3      Slot 4
    Label             fenway_1    garden_1
    ----------------  ----------  ----------
    ActiveOpens       0.000       0.000
    PassiveOpens      0.000       0.000
    AttemptFails      0.000       0.000
    EstabResets       0.000       0.000
    CurrEstab         0.000       0.000
    InSegs            11.273      12.194
    OutSegs           12.253      13.169
    RetransSegs       0.000       0.000
    InErrs            0.000       0.000
    OutRsts           0.000       0.000


UDP Statistics (packets per second)


    UDP Statistics (packets per second)

                      Slot 3      Slot 4
    Label             fenway_1    garden_1
    ----------------  ----------  ----------
    InDatagrams       0.980       0.976
    NoPorts           0.000       0.000
    InErrors          0.000       0.000
    OutDatagrams      4.411       4.390

Crossbeam Daemon Status Script (cbsinitdstats.swc)


This script displays a list of the Crossbeam daemons that are running on the X-Series Platform, along with their status.

Swatch Screen List
    1: daemon_status

Crossbeam Daemon Status


    Time: Wed Mar 24 12:03:59 2010

    Status                Daemon Name
    ------                -----------
    DAEMON_STATE_RUNNING  daemon.cbsalarmmond
    DAEMON_STATE_RUNNING  daemon.cbscfgmgrd
    DAEMON_STATE_RUNNING  daemon.cbsd
    DAEMON_STATE_RUNNING  daemon.cbsflowcalcd
    DAEMON_STATE_RUNNING  daemon.cbshagentd
    DAEMON_STATE_RUNNING  daemon.cbshmonitord
    DAEMON_STATE_RUNNING  daemon.cbsstatsd
    DAEMON_STATE_RUNNING  daemon.cbssysctrld
    DAEMON_STATE_RUNNING  daemon.cbsirmd
    DAEMON_STATE_RUNNING  daemon.cbs_upgraded
    DAEMON_STATE_RUNNING  daemon.bootdiagd
    DAEMON_STATE_RUNNING  daemon.cbsfwcfgmgrd
    DAEMON_STATE_RUNNING  daemon.cbsoopsd
    DAEMON_STATE_RUNNING  daemon.cbsmgmthad
    DAEMON_STATE_RUNNING  daemon.tomcat5
    DAEMON_STATE_RUNNING  daemon.cbsactivemqd
    DAEMON_STATE_RUNNING  daemon.cbsalarmmgrd
    DAEMON_STATE_RUNNING  daemon.cbsalarmlogrd
    DAEMON_STATE_RUNNING  daemon.cbshshimd

NPM Fabric Packet Statistics (fabricstats.swc)


This script displays NPM statistics and rates for the switched data path fabric on the dataplane in the X-Series Platform.

Swatch Screen List
    1: NPM Fabric Packet Statistics
    2: NPM Fabric Packet Rates Statistics
    3: NPM Fabric Packet Rates Peaks
    4: NPM Fabric Byte Count Statistics
    5: NPM Fabric Byte Rates Statistics
    6: NPM Fabric Byte Rates Peaks

NPM Fabric Packet Statistics


NPM Fabric Packet Statistics
--- NPM1
Slot  TxPkts      RxPkts
----  ----------  ----------
1     2030267     2030245
2     94792123    94771046
3     986085      950461
4     940641      904904
5     0           0
6     0           0
7     2069053     24359529
--- NPM2
Slot  TxPkts      RxPkts
----  ----------  ----------
1     94771226    94792275
2     2030274     2030274
3     982581      946262
4     937917      902751
5     0           0
6     0           0
7     2069047     24359737

NPM Fabric Packet Rates Statistics


NPM Fabric Packet Rates Statistics
--- NPM1
Slot  TxPktRate (Kpps)  RxPktRate (Kpps)
----  ----------------  ----------------
1     0.002             0.002
2     0.253             0.253
3     0.268             0.261
4     0.268             0.259
5     0.000             0.000
6     0.000             0.000
7     0.008             0.036
--- NPM2
Slot  TxPktRate (Kpps)  RxPktRate (Kpps)
----  ----------------  ----------------
1     0.126             0.126
2     0.005             0.005
3     0.134             0.132
4     0.265             0.257
5     0.000             0.000
6     0.000             0.000
7     0.016             0.066

NPM Fabric Packet Rates Peaks


NPM Fabric Packet Rates Peaks
--- NPM1
Slot  TxPktRatePeak (Kpps)  RxPktRatePeak (Kpps)
----  --------------------  --------------------
1     0.005                 0.005
2     0.253                 0.253
3     0.270                 0.262
4     0.270                 0.261
5     0.000                 0.000
6     0.000                 0.000
7     0.016                 0.066
--- NPM2
Slot  TxPktRatePeak (Kpps)  RxPktRatePeak (Kpps)
----  --------------------  --------------------
1     0.253                 0.253
2     0.005                 0.005
3     0.268                 0.258
4     0.268                 0.258
5     0.000                 0.000
6     0.000                 0.000
7     0.016                 0.066


NPM Fabric Byte Count Statistics


NPM Fabric Byte Count Statistics
--- NPM1
Slot  TxBytes     RxBytes
----  ----------  ----------
1     194919168   194917056
2     4294967295  4294967295
3     775129274   540022530
4     738657550   514382032
5     0           0
6     0           0
7     197572076   1656567924
--- NPM2
Slot  TxBytes     RxBytes
----  ----------  ----------
1     4294967295  4294967295
2     194919840   194919840
3     774667950   539659910
4     739154614   515033874
5     0           0
6     0           0
7     197570500   1656576356

NPM Fabric Byte Rates Statistics


NPM Fabric Byte Rates Statistics
--- NPM1
Slot  TxByteRate (Kbps)  RxByteRate (Kbps)
----  -----------------  -----------------
1     0.528              0.528
2     0.000              0.000
3     208.610            145.232
4     104.682            73.205
5     0.000              0.000
6     0.000              0.000
7     1.208              4.079
--- NPM2
Slot  TxByteRate (Kbps)  RxByteRate (Kbps)
----  -----------------  -----------------
1     0.000              0.000
2     0.239              0.239
3     207.850            144.820
4     207.918            144.820
5     0.000              0.000
6     0.000              0.000
7     0.577              2.030

NPM Fabric Byte Rates Peaks


NPM Fabric Byte Rates Peaks
--- NPM1
Slot  TxByteRatePeak (Kbps)  RxByteRatePeak (Kbps)
----  ---------------------  ---------------------
1     0.528                  0.528
2     0.000                  0.000
3     210.219                146.528
4     209.321                145.903
5     0.000                  0.000
6     0.000                  0.000
7     1.282                  4.510
--- NPM2
Slot  TxByteRatePeak (Kbps)  RxByteRatePeak (Kbps)
----  ---------------------  ---------------------
1     0.000                  0.000
2     0.531                  0.531
3     210.005                146.274
4     209.924                145.865
5     0.000                  0.000
6     0.000                  0.000
7     1.282                  4.510


NPM Flow Calculation Statistics (flowcalcstats.swc)


This swatch script displays information on flow calculation statistics for the X-Series Platform.

Swatch Screen List
1: flow_scheduling

CBS Flow Calculation Statistics


cbsflowcalc statistical information
Time: Wed Mar 24 12:22:45 2010
                New       Flow    Cpu  Mem     KB/sec
Slot  VAP Name  Prbab'ty  Load    Pct  Pct  recv    xmit
----  --------  --------  ------  ---  ---  ------  ------
3     fenway_1  100       313     0    3    313     226
4     garden_1  100       313     0    3    313     226

Flow Assignment and Scheduling Statistics (flowsched.swc)


This swatch script displays which member of a VAP Group is eligible for the next flow assignment in the X-Series Platform.

Swatch Screen List
1: Flow Assigned to APs
2: Active Flow Entries Assigned to APs
3: Flow Scheduling Calculation Data

Flow Assigned to APMs


Flow Assigned to APs
Time: Wed Mar 24 18:47:31 2010
AP Slot     VAP Name    NP1 Flows  NP2 Flows  Tot Flows
----------  ----------  ---------  ---------  ---------
3           fenway_1    4          0          4
4           garden_1    2          0          2
Total                   6          0          6

Active Flow Entries Assigned to APMs


Active Flow Entries Assigned to APs
Time: Wed Mar 24 18:47:41 2010
                        NP1                   NP2
AP Slot     VAP Name    New Rate   Aged Rate  New Rate   Aged Rate
----------  ----------  ---------  ---------  ---------  ---------
3           fenway_1    0          0          0          0
4           garden_1    0          0          0          0
Total                   0          0          0          0


Flow Scheduling Calculation Data


Flow Scheduling Calculation Data
Time: Wed Mar 24 18:47:55 2010
                                           CPU    Mem    TxRate      RxRate
AP Slot     VAP Name    FSFreq      Load   Util   Util   (KB/sec)    (KB/sec)
----------  ----------  ----------  -----  -----  -----  ----------  ----------
3           fenway_1    100         313    0.0    3.0    226.0       313.0
4           garden_1    100         313    0.0    3.0    226.0       313.0

Group Interface Statistics (groupintstats.swc)


This swatch script displays statistics for group interface members in the X-Series Platform.

Swatch Screen List
1: NPM Group Interface Statistics
2: NPM Packet Rates Statistics
3: NPM Data Rates Statistics

NPM Group Interface Statistics


NPM Group Interface Statistics
Interface      Stat  TxPkts  TxDrops  TxErrors  RxPkts  RxDrops  RxErrors
-------------  ----  ------  -------  --------  ------  -------  --------
bridge         up    1853    0        0         3245    0        0
---GigaEth1/1  up    1853    0        0         3245    0        0

NPM Packet Rate Statistics


NPM Packet Rates Statistics
                     Tx Packet   Tx Packet   Rx Packet   Rx Packet
                     Rate        Rate Peak   Rate        Rate Peak
Interface      Stat  (Kpps)      (Kpps)      (Kpps)      (Kpps)
-------------  ----  ----------  ----------  ----------  ----------
bridge         up    0.001       0.001       0.001       0.002
---GigaEth1/1  up    0.001       0.001       0.001       0.002

NPM Data Rates Statistics


NPM Data Rates Statistics
                     Tx Data     Tx Data     Rx Data     Rx Data
                     Rate        Rate Peak   Rate        Rate Peak
Interface      Stat  (Mbps)      (Mbps)      (Mbps)      (Mbps)
-------------  ----  ----------  ----------  ----------  ----------
bridge         up    0.001       0.001       0.001       0.002
---GigaEth1/1  up    0.001       0.001       0.001       0.002


CPU Activity for the APM and CPM (health_cpubsy.swc)


This script displays CPU activity for the APMs and CPMs that are installed in the X-Series Platform.

Swatch Screen List
1: APM CPU Activity
2: CPM CPU Activity

APM CPU Activity


APM CPU Activity
Slot  CPU    User   Nice   System  Idle   Irq    Softirq  Iowait
----  -----  -----  -----  ------  -----  -----  -------  ------
3     Total  0.0    0.0    0.0     97.4   1.6    0.8      0.0
      CPU0   0.0    0.0    0.0     100.0  0.0    0.0      0.0
      CPU1   0.0    0.0    0.0     100.0  0.0    0.0      0.0
      CPU2   0.0    0.0    0.0     98.5   1.0    0.4      0.0
      CPU3   0.0    0.0    0.0     97.7   1.8    0.4      0.0
      CPU4   0.0    0.0    0.0     100.0  0.0    0.0      0.0
      CPU5   0.0    0.0    0.0     100.0  0.0    0.0      0.0
      CPU6   0.0    0.0    0.0     98.9   0.6    0.4      0.0
      CPU7   0.0    0.0    0.0     98.9   0.6    0.4      0.0
----  -----  -----  -----  ------  -----  -----  -------  ------
4     Total  0.0    0.0    0.0     98.3   1.1    0.4      0.0
      CPU0   0.0    0.0    0.2     99.5   0.0    0.2      0.0
      CPU1   0.0    0.0    0.0     96.3   3.0    0.6      0.0
      CPU2   0.0    0.0    0.0     97.9   1.4    0.6      0.0
      CPU3   0.0    0.0    0.0     96.0   2.8    1.0      0.0
      CPU4   0.0    0.0    0.0     100.0  0.0    0.0      0.0
      CPU5   0.0    0.0    0.0     100.0  0.0    0.0      0.0
      CPU6   0.0    0.0    0.0     98.7   1.0    0.2      0.0
      CPU7   0.0    0.0    0.0     98.3   1.2    0.4      0.0
----  -----  -----  -----  ------  -----  -----  -------  ------

CPM CPU Activity


CPM CPU Activity
Slot  CPU    User   Nice   System  Idle   Irq    Softirq  Iowait
----  -----  -----  -----  ------  -----  -----  -------  ------
7     CPU0   0.2    0.0    0.1     99.5   0.0    0.0      0.0
----  -----  -----  -----  ------  -----  -----  -------  ------


CPU Load, Utilization, and Memory Information (health_cpumem.swc)


This swatch script displays CPU load, utilization, and memory information for each physical slot in the X-Series Platform.

Swatch Screen List
1: APM CPU Activity
2: CPM CPU Activity

CPU Load / Memory Info


CPU Load / Memory Info
      CPULoad  CPULoad  CPULoad  CPULoad   UpTime    CPUSpd  MemTotal  MemUsed   MemFree
Slot  1-min    5-min    15-min   1-min Pk  (Second)  (MHz)   (KBytes)  (KBytes)  (KBytes)
----  -------  -------  -------  --------  --------  ------  --------  --------  --------
1     15.00    15.00    15.00    15.00     487597    550     2097152   1779964   317188
2     6.00     6.00     6.00     6.00      487595    600     2097152   1770144   327008
3     0.00     0.00     0.00     0.00      5164      2327    8313072   299152    8013920
4     0.00     0.00     0.00     0.00      4940      2327    8313072   302500    8010572
5
6
7     0.22     0.25     0.26     0.22      487686    1995    1026520   956080    70440
8
9
10
11
12
13
14

CPU Utilization / Memory Info


CPU Utilization / Memory Info
      CpuUtil  CpuUtil  CpuUtil  CpuUtil   UpTime  CPUSpd  MemTotal  MemUsed   MemFree
Slot  1-min    5-min    15-min   1-min Pk  (sec)   (MHz)   (KBytes)  (KBytes)  (KBytes)
----  -------  -------  -------  --------  ------  ------  --------  --------  --------
1     0.67     0.71     0.67     0.67      487627  550     2097152   1779964   317188
2     1.23     1.23     1.23     1.25      487625  600     2097152   1770144   327008
3     0.78     1.00     1.00     0.78      5194    2327    8313072   298532    8014540
4     1.61     1.53     1.53     1.65      4970    2327    8313072   302500    8010572
5
6
7     0.35     0.87     0.44     0.73      487727  1995    1026520   955000    71520
8
9
10
11
12
13
14


CPU and Board Temperature (health_temp.swc)


This swatch script displays CPU and Board minimum, maximum, and current temperature information for the X-Series Platform.

Swatch Screen List
1: CPU / Board Temperatures (in Celsius)

CPU and Board Temperatures (in Celsius)


CPU / Board Temperatures (in Celsius)
      Curr  Min   Max   Curr  Min   Max   Brd  Brd
Slot  CPU1  CPU1  CPU1  CPU2  CPU2  CPU2  In   Out
----  ----  ----  ----  ----  ----  ----  ---  ---
1     53    53    53                      30   32
2     43    43    43                      29   37
3     29    29    29    31    31    31    27   33
4     31    31    31    31    31    31    27   34
5
6
7     36    36    36                      31   37
8
9
10
11
12
13
14
Chassis Temp = 26 degrees, Celsius

Module Uptime Statistics (moduleuptime.swc)


This swatch script displays the Linux uptime for the APM and NPM modules in the X-Series Platform.

Swatch Screen List
1: uptime

Uptime for NPM and APM Slots


Uptime for NPM and APM Slots
Slot  Name        UpTime             Users    CPU Load Average
----  ----------  -----------------  -------  -------------------
1     npm1        up 5 days, 15:28            15.00, 15.00, 15.00
2     npm2        up 5 days, 15:28            6.00, 6.00, 6.00
3     fenway_1    up 1:27            0 users  0.00, 0.00, 0.00
4     garden_1    up 1:23            0 users  0.00, 0.00, 0.00


Local Network Interface Statistics (netifstats.swc)


This swatch script displays packet statistics for the local network interfaces in the X-Series Platform.

Swatch Screen List
1: Local Network Interface Statistics
2: Local Network Interface Rates Statistics

Local Network Interface Statistics


Local Network Interface Statistics
Device     TxPkts      TxDrops     TxErrors    RxPkts      RxDrops     RxErrors
---------  ----------  ----------  ----------  ----------  ----------  ----------
lo         1151810     0           0           1151810     0           0
eth2       6796        0           0           2637686     0           0
eth3       0           0           0           0           0           0
eth1       3087650     0           0           5895180     0           0
eth0       0           0           0           0           0           0
sdp0       92975318    0           0           4148727     0           0
sdp1       0           0           0           0           0           0
sdp2       0           0           0           0           0           0
sdp3       0           0           0           0           0           0
vnd0       92979993    0           0           4148727     0           0

Local Network Interface Rates Statistics


Local Network Interface Rates Statistics
           TxPktRate   TxDataRate  RxPktRate   RxDataRate
Device     (Kpps)      (Mbps)      (Kpps)      (Mbps)
---------  ----------  ----------  ----------  ----------
lo         0.001       0.013       0.001       0.013
eth2       0.000       0.001       0.000       0.000
eth3       0.000       0.000       0.000       0.000
eth1       0.006       0.006       0.028       0.032
eth0       0.000       0.000       0.000       0.000
sdp0       0.107       0.062       0.025       0.015
sdp1       0.000       0.000       0.000       0.000
sdp2       0.000       0.000       0.000       0.000
sdp3       0.000       0.000       0.000       0.000
vnd0       0.107       0.052       0.025       0.015

NPM Interface Statistics (npmdevstats.swc)


This swatch script displays packet statistics for the NPM physical interfaces in the X-Series Platform.

Swatch Screen List
1: NPM Interface Statistics
2: NPM Packet Rates Statistics
3: NPM Data Rates Statistics

NPM Interface Statistics


NPM Interface Statistics
Interface    Stat  TxPkts      TxDrops    TxErrors    RxPkts    RxDrops    RxErrors
-----------  ----  ----------  ---------  ----------  --------  ---------  ----------
GigaEth1/1   up    2150        0          0           3698      0          0
GigaEth1/2   up    2213        0          0           3540      0          0
GigaEth1/3   down  0           0          0           0         0          0
GigaEth1/4   down  0           0          0           0         0          0
GigaEth1/5   down  0           0          0           0         0          0
GigaEth1/6   down  0           0          0           0         0          0
GigaEth1/7   down  0           0          0           0         0          0
GigaEth1/8   up    0           0          0           2937384   0          0
GigaEth1/9   down  0           0          0           0         0          0
GigaEth1/10  down  0           0          0           0         0          0
GigaEth1/11  down  0           0          0           0         0          0
GigaEth1/12  down  0           0          0           0         0          0
GigaEth2/1   down  0           0          0           0         0          0
GigaEth2/2   down  0           0          0           0         0          0
GigaEth2/3   down  0           0          0           0         0          0
GigaEth2/4   down  0           0          0           0         0          0
GigaEth2/5   down  0           0          0           0         0          0
GigaEth2/6   down  0           0          0           0         0          0
GigaEth2/7   down  0           0          0           0         0          0
GigaEth2/8   down  0           0          0           0         0          0
GigaEth2/9   down  0           0          0           0         0          0
GigaEth2/10  down  0           0          0           0         0          0

NPM Packet Rate Statistics


NPM Packet Rates Statistics
                   Tx Packet   Tx Packet   Rx Packet   Rx Packet
                   Rate        Rate Peak   Rate        Rate Peak
Interface    Stat  (Kpps)      (Kpps)      (Kpps)      (Kpps)
-----------  ----  ----------  ----------  ----------  ----------
GigaEth1/1   up    0.000       0.001       0.001       0.002
GigaEth1/2   up    0.000       0.001       0.001       0.002
GigaEth1/3   down  0.000       0.000       0.000       0.000
GigaEth1/4   down  0.000       0.000       0.000       0.000
GigaEth1/5   down  0.000       0.000       0.000       0.000
GigaEth1/6   down  0.000       0.000       0.000       0.000
GigaEth1/7   down  0.000       0.000       0.000       0.000
GigaEth1/8   up    0.000       0.001       0.001       0.003
GigaEth1/9   down  0.000       0.000       0.000       0.000
GigaEth1/10  down  0.000       0.000       0.000       0.000
10GEth1/11   down  0.000       0.000       0.000       0.000
10GEth1/12   down  0.000       0.000       0.000       0.000
GigaEth2/1   down  0.000       0.000       0.000       0.000
GigaEth2/2   down  0.000       0.000       0.000       0.000
GigaEth2/3   down  0.000       0.000       0.000       0.000
GigaEth2/4   down  0.000       0.000       0.000       0.000
GigaEth2/5   down  0.000       0.000       0.000       0.000
GigaEth2/6   down  0.000       0.000       0.000       0.000
GigaEth2/7   down  0.000       0.000       0.000       0.000
GigaEth2/8   down  0.000       0.000       0.000       0.000
GigaEth2/9   down  0.000       0.000       0.000       0.000
GigaEth2/10  down  0.000       0.000       0.000       0.000


NPM Data Rate Statistics


NPM Data Rates Statistics
                   Tx Data     Tx Data     Rx Data     Rx Data
                   Rate        Rate Peak   Rate        Rate Peak
Interface    Stat  (Kpps)      (Kpps)      (Kpps)      (Kpps)
-----------  ----  ----------  ----------  ----------  ----------
GigaEth1/1   up    0.000       0.001       0.001       0.002
GigaEth1/2   up    0.000       0.001       0.001       0.002
GigaEth1/3   down  0.000       0.000       0.000       0.000
GigaEth1/4   down  0.000       0.000       0.000       0.000
GigaEth1/5   down  0.000       0.000       0.000       0.000
GigaEth1/6   down  0.000       0.000       0.000       0.000
GigaEth1/7   down  0.000       0.000       0.000       0.000
GigaEth1/8   up    0.000       0.001       0.001       0.003
GigaEth1/9   down  0.000       0.000       0.000       0.000
GigaEth1/10  down  0.000       0.000       0.000       0.000
10GEth1/11   down  0.000       0.000       0.000       0.000
10GEth1/12   down  0.000       0.000       0.000       0.000
GigaEth2/1   down  0.000       0.000       0.000       0.000
GigaEth2/2   down  0.000       0.000       0.000       0.000
GigaEth2/3   down  0.000       0.000       0.000       0.000
GigaEth2/4   down  0.000       0.000       0.000       0.000
GigaEth2/5   down  0.000       0.000       0.000       0.000
GigaEth2/6   down  0.000       0.000       0.000       0.000
GigaEth2/7   down  0.000       0.000       0.000       0.000
GigaEth2/8   down  0.000       0.000       0.000       0.000
GigaEth2/9   down  0.000       0.000       0.000       0.000
GigaEth2/10  down  0.000       0.000       0.000       0.000

NPM VDF Status (npmfragstats.swc)


This swatch script displays packet fragmentation statistics for each NPM in a chassis. The output contains the same information as the CLI command show vdf-status module np1 np2 np3 np4, but in a table format. If any NPM does not exist, no data appear in the corresponding column.

show vdf-status module np1 np2 np3 np4
Virtual DeFragmentation (VDF) Statistics
----------------------------------------
                                            NP1   NP2   NP3   NP4
                                            ----  ----  ----  ----
Fragment statistics
Fragments received                          0     0
Fragments processed                         0     0
Fragments dropped                           0     0
Fragment queue limit                        0     0
Fragment overlap check                      0     0
Overlap protection on Head of Packet (HOP)  0     0
Fragment pool depletion                     0     0
Packet pool depletion                       0     0
Invalid fragment                            0     0
Packet statistics
Packets processed                           0     0
Packets dropped                             0     0

14
Commands for Troubleshooting
This chapter contains commands that display troubleshooting information for data collection and diagnostics.

Commands for Troubleshooting XOS Configuration Settings
Commands for Troubleshooting X-Series Platform Hardware and Software
Commands for Troubleshooting X-Series Platform Network Connectivity
Commands for Troubleshooting VAPs, VAP Groups, and Applications
Commands for Troubleshooting Multi-System High-Availability Issues
Commands for Providing Troubleshooting Information to Crossbeam Customer Support
Commands for Crossbeam Customer Support Use

Commands for Troubleshooting XOS Configuration Settings


This section contains the following commands:
audit-trail
show audit-trail
show history
validate-configuration

audit-trail
This command sends a text message to the audit-trail log file. If you are using spaces, you must enclose the string in quotes (" ").

Syntax
audit-trail <text-message>

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
This example sends the text, "this is a test", to the audit-trail log.
CBS# audit-trail "this is a test"

show audit-trail
This command displays the entries in the audit-trail log file that match the specified filter criteria. If no filter criteria are specified, the command displays all entries in the audit-trail log file.

The audit-trail process records an entry in the audit-trail log file each time a user issues a CLI command that affects the system configuration and each time the CLI starts one of the following processes:
routing-protocol
routing-protocol-service
application
application-remove
application-update
archive-vap-group

NOTE: The audit-trail process does not record entries for CLI show commands.

Audit-trail log file entries also include detailed information about the CLI warning and error messages (if any) that result from each CLI command entry.

Syntax
show audit-trail [<username>] [type {cli | web | both}] [chronological-order] [date [<month>] [<date>] [<year>] [<hh:mm:ss>]]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: <username>
Description: Specifies the username to match.

Parameter: type {cli | web | both}
Description: Specifies commands issued by either CLI users, or Web interface users, or both.
    cli   Displays only commands issued by CLI users.
    web   Displays only commands issued by Web interface users.
    both  Displays commands issued by users of both interfaces.

Parameter: chronological-order
Description: Displays the log with the most recent entries first. Default displays the oldest entries first.

Parameter: date
Description: The date parameter takes the following arguments:
    <jan-dec>    Three letter month name (lower-case). Default is jan.
    <1-31>       Date of month. Default is 1.
    <2000-3000>  Four digit year. Default is 2000.
    <hh:mm:ss>   Time in hh:mm:ss 24-hour format. Default is 00:00:00.
This parameter filters the output to display commands issued since the date specified. If an argument is omitted, the default is used. For best results, specify a month, date, and year.

Restrictions
Default Privilege Level: 0

Example
The following audit-trail output shows audit trail entries at the start and completion of the application command run.

For the command:
CBS# application fw1 vap-group ipf install

Entries in the audit trail:
Apr 5 18:10:16 omaha cli: USER: admin, COMMAND: CBS# application > application fw1 vap-group ipf install #STARTED
Apr 5 18:12:25 omaha cli: USER: admin, COMMAND: CBS# application > application fw1 vap-group ipf install

If a command fails, the audit trail provides an error message and details about the error. In the following example, the configure circuit vap-group ip alias command failed. In addition to the Invalid value output, the console and audit trail outputs provide the following detail information:
Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip.

CLI console:
CBS# configure circuit cct
CBS(conf-cct)# vap-group jack
CBS(conf-cct-vapgroup)# ip 5.5.5.5/24
CBS(conf-cct-vapgroup-ip)# alias 5.5.5.5/24
%CONF-ERR: Invalid value
Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip
CBS(conf-cct-vapgroup-ip)#

CBS# show audit-trail
/var/log/audit-trail
Aug 29 18:22:14 earth cli: USER: admin, COMMAND: CBS# configure circuit > configure circuit cct
Aug 29 18:22:17 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group > vap-group jack
Aug 29 18:22:23 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip > ip 5.5.5.5/24
Aug 29 18:22:56 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip alias > alias 5.5.5.5/24 #Failure: CONF-ERR: Invalid value, Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip


show history
This command displays the past several commands in the configurable history buffer that you entered during this session. The default history buffer includes 70 commands.

Syntax
show history

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

validate-configuration
This command validates the completeness of the CLI configuration and displays any incomplete configuration.

Syntax
validate-configuration

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 15

Example
For example:
CBS# validate-configuration
#Start Configuration Validation
#
# No access-list configured
# No management interface configured
# No vap-group configured
# No circuit configured
# No interface configured
#
#End Configuration Validation

Commands for Troubleshooting X-Series Platform Hardware and Software


This section contains the following commands:
show alarms
clear alarms
show calendar
show chassis
show cpu
show current-release
show current-running-release (upgrade context)
show disk-usage
show environment
show heartbeat
show logging console
show module admin-state
show module status
show release (upgrade context)
show rmon
show snmp
show ssh-session
show switch-data-path
show system
show traplog
show web-session
who

show alarms
Use this command to display currently active alarms or an alarm history that includes both active and past alarms. Use the active parameter to display currently active alarms. Use the history parameter to display all alarms.

If you use the active parameter, this command displays an active alarm status summary. If you specify one or more of the minor, major, or critical filters, this command displays the active alarm status summary, followed by a list of the conditions that triggered active alarms of each specified severity.

If you use the history parameter, this command displays a list of the conditions that triggered both active and past alarms, with the most recent alarms appearing first. The alarm history includes up to 1000 alarms.

The show alarms command supports a number of additional parameters to filter the output, and a verbose parameter to display additional detail, including suggested repair actions.

NOTE: Some alarms can be configured by setting threshold values to determine when it is a minor, major, or critical alarm. Other alarms use a non-configurable system value to determine whether or not the chassis is operating normally. For information on configuring alarm values, see Commands for Configuring System Alarms and Logs on page 124.

You can also use the model parameter to display the XOS alarms model. The alarms model provides detailed information about every alarm that can be raised on an X-Series platform.

Syntax
show alarms {active | history | model}

The following parameters are used to filter the output of the active and history parameters:
show alarms active [critical] [major] [minor] [source <module_or_component>] [verbose] [id {<id#> | <lowest_id#> <highest_id#>} | date mmm dd yyyy [hh:mm:ss]]
show alarms history [critical] [major] [minor] [info] [clear] [source <module_or_component>] [verbose] [id {<id#> | <lowest_id#> <highest_id#>} | date mmm dd yyyy [hh:mm:ss]]

The following parameter displays the alarms model:
show alarms model

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: active
Description: Displays a summary table of the active alarms. When used without other parameters, the active parameter displays only the summary table.

Parameter: history
Description: Displays a list of the active and past alarms. The alarm history includes the most recent 1000 alarms.

Parameter: model
Description: Displays the alarm model, which provides information about all alarms supported by XOS.

Parameter: critical
Description: Optional. Filters the output of the show alarms active or show alarms history command to display the items that caused critical alarms.

Parameter: major
Description: Optional. Filters the output of the show alarms active or show alarms history command to display the items that caused major alarms.

Parameter: minor
Description: Optional. Filters the output of the show alarms active or show alarms history command to display the items that caused minor alarms.

Parameter: info
Description: Optional. Filters the output of the show alarms history command to display the informational alarms.

Parameter: clear
Description: Optional. Filters the output of the show alarms history command to display the Clear alarms. A severity of Clear indicates that the alarm has been cleared. Alarms are automatically cleared by the system if the condition that generated the alarm no longer exists, or if the alarm has been superseded by a later alarm. Some alarms can be cleared by an administrator, using the clear alarms command.

Parameter: source <module_or_component>
Description: Optional. Filters the output of the show alarms active or show alarms history command to display the alarms that originated from the specified module or component. Valid module and component names are:
    apN - an APM, where N is any number from 1 to 10
    cpN - a CPM, where N is 1 or 2
    npN - an NPM, where N is any number from 1 to 4
    uprfan - upper fan tray
    lwrfan - lower fan tray
    feedA, feedB - power feeds
    pwrN - a power supply, where N is any number from 1 to 4
    pwrA, pwrB - a power supply
    bayN - a power supply bay, where N is any number from 1 to 4

Parameter: verbose
Description: Optional. Changes the format in which the CLI displays the output to display all available information for the specified alarm or alarms.

Parameter: id {<id#> | <lowest_id#> <highest_id#>}
Description: Optional. Filters the output of the show alarms active or show alarms history command to display the items specified by the ID matching criteria. Specify a single ID to display a single alarm. Specify a beginning ID (lowest number) and an ending ID (highest number) to display alarms within the range of IDs.
NOTE: Do not use the id parameter in a command that also includes the date parameter. If the date parameter is used, it overrides the id parameter.

Parameter: date <mmm_dd_yyyy> <hh_mm_ss>
Description: Optional. Filters the output of the show alarms active or show alarms history command to display the alarms that occurred since the specified date. To further filter the output, you can specify a time. Specify the date in the format mmm dd yyyy. For example, entering nov 30 2010 retrieves alarms that occurred on or after that date.
NOTE: The mmm part of the date parameter must be entered in lower-case.
Optionally, specify a time in the format hh:mm:ss. For example, entering aug 31 2010 10:48:00 retrieves alarms that occurred on or after 10:48:00 AM of that date.
NOTE: The date parameter must be the last parameter used in the show alarms command. Do not use the id parameter in a command that also includes the date parameter. The date parameter overrides the id parameter.
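When show alarms is issued from a monitoring script, the constraints in the table above (info and clear only with history, id and date not combined, lower-case month, date last) are easy to violate without noticing. The following builder, an added example that is not part of XOS, rejects such combinations before the command is sent; the function names are hypothetical, and writing the day without zero padding is an assumption.

```python
import re

MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")
# Severity filters each mode accepts, in the order of the syntax lines above.
SEVERITIES = {
    "active": ("critical", "major", "minor"),
    "history": ("critical", "major", "minor", "info", "clear"),
}
# Source names from the parameter table: numbered prefix -> highest N.
NUMBERED_SOURCES = {"ap": 10, "cp": 2, "np": 4, "pwr": 4, "bay": 4}
FIXED_SOURCES = {"uprfan", "lwrfan", "feedA", "feedB", "pwrA", "pwrB"}
TIME_RE = re.compile(r"([01]\d|2[0-3]):[0-5]\d:[0-5]\d")


def valid_source(name):
    """True if name is a module or component listed for the source filter."""
    if name in FIXED_SOURCES:
        return True
    m = re.fullmatch(r"([a-z]+)([1-9]\d*)", name)
    if not m or m.group(1) not in NUMBERED_SOURCES:
        return False
    return int(m.group(2)) <= NUMBERED_SOURCES[m.group(1)]


def build_show_alarms(mode, severities=(), source=None, verbose=False,
                      alarm_id=None, since=None):
    """Return a show alarms command line, or raise ValueError.

    alarm_id is one ID or a (lowest, highest) pair.
    since is (mmm, dd, yyyy) or (mmm, dd, yyyy, "hh:mm:ss").
    """
    if mode == "model":
        if severities or source or verbose or alarm_id is not None or since:
            raise ValueError("'model' takes no filters")
        return "show alarms model"
    if mode not in SEVERITIES:
        raise ValueError(f"unknown mode {mode!r}")
    unknown = [s for s in severities if s not in SEVERITIES[mode]]
    if unknown:
        raise ValueError(f"{unknown} not valid with 'show alarms {mode}'")
    if alarm_id is not None and since is not None:
        # The CLI would let date override id; refuse instead of dropping id.
        raise ValueError("id and date cannot be combined: date overrides id")

    parts = ["show", "alarms", mode]
    parts += [s for s in SEVERITIES[mode] if s in severities]
    if source is not None:
        if not valid_source(source):
            raise ValueError(f"unknown source {source!r}")
        parts += ["source", source]
    if verbose:
        parts.append("verbose")
    if alarm_id is not None:
        ids = (alarm_id,) if isinstance(alarm_id, int) else tuple(alarm_id)
        if len(ids) not in (1, 2) or any(i < 0 for i in ids) or ids[0] > ids[-1]:
            raise ValueError("id must be one ID or a lowest/highest pair")
        parts += ["id", *map(str, ids)]
    if since is not None:
        month, day, year, *time = since
        if month not in MONTHS:
            raise ValueError("month must be a lower-case three-letter name")
        if not 1 <= day <= 31 or not 1000 <= year <= 9999:
            raise ValueError("date must be mmm dd yyyy")
        if len(time) > 1 or (time and not TIME_RE.fullmatch(time[0])):
            raise ValueError("time must be hh:mm:ss")
        # date is emitted last, as the parameter table requires.
        parts += ["date", month, str(day), str(year), *time]
    return " ".join(parts)


def try_build(*args, **kwargs):
    """Return (command, None) on success or (None, error message)."""
    try:
        return build_show_alarms(*args, **kwargs), None
    except ValueError as exc:
        return None, str(exc)
```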


Restrictions
Default Privilege Level: 0

Output
The output of the show alarms active command has the following format when used without additional parameters:

CBS# show alarms active
Active Alarms Summary:
Source   Critical  Major  Minor
------   --------  -----  -----
cp1      0         0      1
uprfan   0         1      0
lwrfan   0         1      0
Total    0         2      1

You can filter the output of the show alarms active command by using one or more additional parameters. The following example displays active alarms that have severities of critical, major, or minor:

CBS# show alarms active critical major minor
Active Alarms Summary:
Source   Critical  Major  Minor
------   --------  -----  -----
cp2      1         3      0
np1      0         0      2
uprfan   0         1      0
Total    1         4      2

* indicates an alarm that can be cleared with the 'clear alarms' CLI command

Critical:
ID   Date             Source  Description
--   ----             ------  -----------
43   Nov 4 07:01:03   cp2     APM Memory mismatch slot: 3

Major:
ID   Date             Source  Description
--   ----             ------  -----------
96   Nov 11 16:02:43  cp2     Failover group xyz priority 49
*95  Nov 11 15:34:16  cp2     Failover group xyz status master
94   Nov 11 15:34:10  cp2     No remote box configured
69   Nov 10 09:18:23  uprfan  Fan tray mismatch

Minor:
ID   Date             Source  Description
--   ----             ------  -----------
83   Nov 11 09:28:00  np1     Link down 1/5
82   Nov 11 09:27:50  np1     Link down 1/4
CBS#

The output of the show alarms history command has the following format when used without additional parameters:

CBS# show alarms history
ID   Date            Severity  Source  Description
--   ----            --------  ------  -----------
425  Oct 7 17:20:10  Minor     bay1    Power supply missing
424  Oct 7 17:01:23  Clear     pwrA    Power supply failure
423  Oct 7 11:01:20  Minor     cp1     Firmware mismatch slot: 1,5,13
422  Oct 7 10:44:59  Info      system  New system alarm level (major)
421  Oct 7 10:43:54  Major     lwrfan  Fan tray mismatch
420  Oct 7 10:35:59  Minor     np1     Flow table median threshold(tcp)

You can filter the output of the show alarms history command by using one or more additional parameters. The following example displays all alarms that have severities of critical, major, or minor, and occurred on cp1:

CBS# show alarms history critical major minor source cp1
ID   Date             Severity  Source  Description
--   ----             --------  ------  -----------
11   Jun 22 14:06:50  Major     cp1     CPU core utilization
9    Jun 22 14:06:40  Critical  cp1     Memory misconfiguration
8    Jun 22 14:06:34  Minor     cp1     Hard disk error Disk 1
7    Jun 22 14:06:31  Critical  cp1     Disk utilization (98%) /boot
4    Jun 22 14:06:30  Minor     cp1     Firmware mismatch slot: 1,5

The following table describes the information provided in each column and or row.

Column/Row Heading: ID
Information Provided: The unique ID number of the alarm.

Column/Row Heading: Date
Information Provided: The date and time at which the alarm occurred.

Column/Row Heading: Severity
Information Provided: The severity status of the alarm. Values are:
    Critical - Represents an imminent impact to system stability or performance. Attend to critical alarms immediately.
    Major - Represents a potentially serious impact to system stability or performance. Investigate major alarms immediately.
    Minor - Represents a minor impact to system stability or performance. Although less serious, conditions causing minor alarms should be corrected or monitored.
    Info - (History) Presents information about a change in the system, for example, a state change in a module. No action is required.
    Clear - (History) Indicates that the alarm has been cleared. Alarms are automatically cleared by the system if the condition that generated the alarm no longer exists, or if the alarm has been superseded by a later alarm. Some alarms can be cleared by an administrator, using the clear alarms command.

Column/Row Heading: Source
Information Provided: The source of the alarm. Possible alarm sources are:
    apN - an APM, where N is any number from 1 to 10
    cpN - a CPM, where N is 1 or 2
    npN - an NPM, where N is any number from 1 to 4
    uprfan - upper fan tray
    lwrfan - lower fan tray
    feedA, feedB - power feeds
    pwrN - a power supply, where N is any number from 1 to 4
    pwrA, pwrB - a power supply
    bayN - a power supply bay, where N is any number from 1 to 4

Column/Row Heading: Description
Information Provided: A brief description of the alarm. Use the verbose parameter to see a more detailed description and suggested repair actions.

Verbose output
The output of the show alarms command with the verbose parameter has the following format: CBS# show alarms history id 150 verbose ================================================================================ Alarm Id : 150 Brief Description : Disk utilization (91%) /tftpboot Date : Tue Oct 5 13:09:03 2010 Severity : Major Alarm Name : diskUtilizationTftpBootExceeded Alarm Source : cp1 Slot : slot 13 Module : cp1 Disk : disk 1 Partition : partition /tftpboot Parameters : Percent : 91% Information : Probable Cause : Storage Capacity Problem Event Type : Equipment Alarm User Clearable : false Extended Description : Disk utilization on the /tftpboot partition is : above the configured limit. Repair Action : From the Unix prompt, change directory to the : partition, and run the "du" (disk usage) command. : Look for large files that can be safely removed, : for example, obsolete VAP images or obsolete files : in the user home directories. Contact customer : support if you need help identifying unused files. -------------------------------------------------------------------------------================================================================================


The following table describes the information provided in each column and/or row.
Column/Row Heading - Information Provided
Alarm Id - The unique ID number of the alarm.
Brief Description - A summary description of the alarm.
Date - The date and time at which the alarm occurred.
Severity - The severity status of the alarm. Values are:
    Critical - Represents an imminent impact to system stability or performance. Attend to critical alarms immediately.
    Major - Represents a potentially serious impact to system stability or performance. Investigate major alarms immediately.
    Minor - Represents a potential impact to system stability or performance. Although less serious, conditions causing minor alarms should be corrected or monitored.
    Info - (History) Presents information about the system, for example, a state change in a module. No action required.
    Clear - (History) Indicates that the alarm has been cleared. Alarms are automatically cleared by the system if the condition that generated the alarm no longer exists, or if the alarm has been superseded by a later alarm. Some alarms can be cleared by an administrator, using the clear alarms command.
Correlation Id - Refers to an alarm that was cleared or replaced by the current alarm. Indicates the ID of the original alarm.
Clearing Agent - (Appears in alarms with a severity of Clear.) Clearing Agent displays one of the following values for a Clear alarm:
    System - indicates the alarm was cleared automatically by the system. If the alarm was cleared by a subsequent alarm, XOS displays the alarm ID.
    Login name - indicates the administrator who cleared the alarm.
Alarm Name - The name of the alarm in the XOS alarms model.
Alarm Source - One or more items that indicate the source of the alarm. Alarm Source describes the physical and logical hierarchy of the module or component that generated the alarm.
Parameters - One or more values that provide information about the alarm, for example a temperature, percentage, or threshold value.


Information - Additional information about the alarm:
    Probable Cause - Description of the probable cause of the alarm; for example, Storage Capacity Problem or Temperature Unacceptable (ITU-T compliant)
    Event Type - The type of alarm; for example Equipment Alarm or Environmental Alarm (ITU-T compliant)
    User Clearable - Indicates whether an administrator can clear the alarm by using the clear alarms command.
    Extended Description - A detailed description of the condition that caused the alarm
    Repair Action - Suggestions for verifying and correcting the condition that caused the alarm

Model Output
The output of the show alarms model command has the following format:

    CBS# show alarms model
    Alarm Name           : applicationDown
    Managed Objects      : Slot
                         : Module
    Parameters           : APP CPM Host Name
                         : APP CPM IP Address
                         : APP Name
                         : APP New State
                         : APP Old State
                         : APP Release
                         : APP VAP Group Name
                         : APP VAP Index
                         : APP Version
    Information          :
    Default Severity     : minor
    Probable Cause       : Out Of Service
    Event Type           : Processing Error Alarm
    User Clearable       : false
    Brief Format         : Application down
    Extended Description : The application running on the specified APM is
                         : down.
    Repair Action        : Verify the state of the application on the APM
                         : (use GEM System view). Restart the application
                         : if necessary.
    Targets              : GEM
                         : LOG
                         : SNMP

The following table describes the information provided in each column and/or row.
Column/Row Heading - Information Provided
Alarm Name - The name of the alarm in the XOS alarms model.


Managed Objects - The hierarchy of modules or components that indicate the source of the alarm.
Parameters - One or more values that provide information about the alarm, for example a temperature, percentage, or threshold value.
Information - Additional information about the alarm:
    Default Severity - The severity status of the alarm. Values are:
        Critical - Represents an imminent impact to system stability or performance. Attend to critical alarms immediately.
        Major - Represents a potentially serious impact to system stability or performance. Investigate major alarms immediately.
        Minor - Represents a potential impact to system stability or performance. Although less serious, conditions causing minor alarms should be corrected or monitored.
        Info - (History) Presents information about the system, for example, a state change in a module. No action required.
        Clear - (History) Indicates that the alarm has been cleared. Alarms are automatically cleared by the system if the condition that generated the alarm no longer exists, or if the alarm has been superseded by a later alarm. Some alarms can be cleared by an administrator, using the clear alarms command.
    Probable Cause - An ITU-T compliant description of the probable cause of the alarm; for example, Storage Capacity Problem or Temperature Unacceptable.
    Event Type - The type of alarm; for example Equipment Alarm or Environmental Alarm (ITU-T compliant).
    User Clearable - Indicates whether an administrator can clear the alarm by using the clear alarms command.
    Brief Format - A brief description of the alarm that may include the parameters used to display values that triggered the alarm.
    Extended Description - A detailed description of the condition that caused the alarm.
    Repair Action - Suggestions for verifying and correcting the condition that caused the alarm.
Targets - The interfaces to which the alarm data is sent. Alarms are sent to the XOS GEM user interface, to the XOS syslog files, and as SNMP traps.


clear alarms
This command clears user-clearable alarms from the active alarms table. You must be an administrator (privilege level 15) to use this command.

Active alarms that can be cleared by using the clear alarms command are indicated by an asterisk in the ID column of the output of the show alarms active command when used with one or more parameters.

NOTE: You must use at least one parameter with the show alarms active command to see this output. Otherwise the show alarms active command displays only the summary table.

In this example, alarm with ID 95 is user-clearable.

    ID   Date             Source  Description
    --   ----             ------  -----------
    96   Nov 11 16:02:43  cp2     Failover group xyz priority 49
    *95  Nov 11 15:34:16  cp2     Failover group xyz status master
    94   Nov 11 15:34:10  cp2     No remote box configured
    69   Nov 10 09:18:23  uprfan  Fan tray mismatch

Cleared alarms remain in the alarms history, and can be viewed by executing the show alarms history CLI command. NOTE: The system also clears alarms automatically, either because the condition that generated the alarm no longer exists, or because the alarm has been superseded by a later alarm.

Syntax
clear alarms {id {<id#> | <lowest_id#> <highest_id#>} | all}

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter - Description
id {<id#> | <lowest_id#> <highest_id#>} - Clears the items specified by the ID matching criteria. Specify a single ID to clear a single alarm. Specify a beginning ID (lowest number) and an ending ID (highest number) to clear alarms within the range of IDs.
all - Clears all user-clearable alarms.

Restrictions
Default Privilege Level: 15

Example
The following command clears the user-clearable alarm with ID 95.


    CBS# clear alarms id 95
    CBS#

A new alarm (ID 97) appears in the alarms history with a severity of Clear. The cleared alarm (ID 95) remains in the alarm history.

    CBS# show alarms history
    ID  Date             Severity  Source  Description
    --  ----             --------  ------  -----------
    97  Nov 12 18:38:48  Clear     cp2     Failover group xyz status master
    96  Nov 11 16:02:43  Major     cp2     Failover group xyz priority 49
    95  Nov 11 15:34:16  Major     cp2     Failover group xyz status master

In the new alarm, the Correlation ID references the original alarm (ID 95), and the Clearing Agent is admin, the user who cleared the original alarm.

    CBS# show alarms history id 97 verbose
    ================================================================================
    Alarm Id             : 97
    Brief Description    : Failover group xyz status master
    Date                 : Fri Nov 12 18:38:48 2010
    Severity             : Clear
    Correlation ID       : 95
    Clearing Agent       : admin
    Alarm Name           : vrrpFailGroupStatusChange
    Alarm Source         : cp2
    Slot                 : slot 7
    Module               : cp2
    VRRP Failover Group  : Vrrp Failover Group 44
    Parameters           :
    Group Name           : xyz
    Group Old Status     : down
    Group New Status     : master
    Group Change Reason  : Timed out waiting for master
    Information          :
    Probable Cause       : Failover Occurred
    Event Type           : Environmental Alarm
    User Clearable       : true
    Extended Description : The VRRP status of the failover group has changed,
                         : which may indicate that a VRRP failover has
                         : occurred.
    Repair Action        : Use the CLI commands "show vrrp failover-group" and
                         : "show vrrp detail-status" to view the status of the
                         : failover group. Investigate the reason for the
                         : status change and correct any issues.
    --------------------------------------------------------------------------------
    ================================================================================
    CBS#
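The Correlation ID and Clearing Agent fields shown above make the alarm history usable as an audit trail of which alarms were cleared manually and by whom. The following Python code is an added example, not part of the Crossbeam guide: it parses verbose output saved as text and classifies each Clear record by the three Clearing Agent cases the guide describes. The function names are hypothetical and the sample text is constructed in the page's field layout.

```python
# Added example: audit Clear records in saved "show alarms history ... verbose" text.
# Function names and SAMPLE are assumptions made for this illustration.

SEP_CHARS = {"=", "-"}  # ruler lines made only of these characters delimit records

# Constructed sample. Alarms 95 and 97 reuse the values of the page's example;
# alarm 151 (a System clear of alarm 150) is invented, and alarm 150 is left out
# on purpose to show a Clear record whose original is missing from the export.
SAMPLE = """\
CBS# show alarms history verbose
================================================================================
Alarm Id             : 151
Brief Description    : Disk utilization (91%) /tftpboot
Severity             : Clear
Correlation ID       : 150
Clearing Agent       : System
Alarm Name           : diskUtilizationTftpBootExceeded
--------------------------------------------------------------------------------
================================================================================
Alarm Id             : 97
Brief Description    : Failover group xyz status master
Date                 : Fri Nov 12 18:38:48 2010
Severity             : Clear
Correlation ID       : 95
Clearing Agent       : admin
Alarm Name           : vrrpFailGroupStatusChange
User Clearable       : true
Extended Description : The VRRP status of the failover group has changed,
                     : which may indicate that a VRRP failover has
                     : occurred.
--------------------------------------------------------------------------------
================================================================================
Alarm Id             : 95
Brief Description    : Failover group xyz status master
Date                 : Thu Nov 11 15:34:16 2010
Severity             : Major
Alarm Name           : vrrpFailGroupStatusChange
--------------------------------------------------------------------------------
================================================================================
"""


def parse_verbose_alarms(text):
    """Split verbose output into one dict per alarm, keyed by lower-cased field name."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) <= SEP_CHARS:           # ruler line: close the current record
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue                          # e.g. the echoed CLI command
        key, value = key.strip().lower(), value.strip()
        if key:
            current[key] = value
            last_key = key
        elif last_key is not None:            # ": text" continues the previous field
            current[last_key] = (current[last_key] + " " + value).strip()
    if current:
        records.append(current)
    return records


def classify_clearing_agent(agent):
    """Map a Clearing Agent value to the cases the guide describes."""
    agent = agent.strip()
    if not agent:
        return "unknown"
    if agent.lower() == "system":
        return "system"          # cleared automatically by the system
    if agent.isdigit():
        return "superseded"      # an alarm ID: cleared by a subsequent alarm
    return "administrator"       # a login name: cleared with "clear alarms"


def audit_clears(records):
    """Return one finding per Clear record, linked to the alarm it cleared."""
    known_ids = {r.get("alarm id") for r in records}
    findings = []
    for rec in records:
        if rec.get("severity", "").lower() != "clear":
            continue
        original_id = rec.get("correlation id", "")
        agent = rec.get("clearing agent", "")
        findings.append({
            "clear_id": rec.get("alarm id"),
            "original_id": original_id,
            "agent": agent,
            "kind": classify_clearing_agent(agent),
            "when": rec.get("date", "unknown"),
            # Cleared alarms stay in the history, so a missing original means
            # the export is partial and the finding needs a wider query.
            "original_in_export": original_id in known_ids,
        })
    return findings


def manual_clears(records):
    """Only the clears performed by a logged-in administrator."""
    return [f for f in audit_clears(records) if f["kind"] == "administrator"]


if __name__ == "__main__":
    for finding in audit_clears(parse_verbose_alarms(SAMPLE)):
        print(finding)
```
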

show calendar
This command displays the system calendar.

Syntax
show calendar


Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command:

    CBS# show calendar
    Tue Apr 06 08:52:31 2010

show chassis
This command displays the current status of the chassis and all modules present in the chassis.

NOTE: Each VAP group can contain only APM-8650s or only APM-8600s. Use the show chassis command to obtain each module's name and model. Then, use the configure vap-group <VAP_group_name> ap-list command to add only APM-8650s or only APM-8600s to the VAP group.

Syntax
show chassis

Context
You access this command from the main CLI context.

Parameters
The following table describes the information provided in each column/row.
Column/Row Heading - Information Provided
Slot - Chassis slot number.
Present - Indicates whether or not a module is present in the slot.
Module Name - Name of module or n/a if a module is not present in the slot.
Module Type - Type (model) of module or n/a if a module is not present in the slot.


Status - Operational status of the module. Status can be one of the following:
    Active - Applies only to APMs. Indicates that the APM is UP and is ready to receive traffic.
    Standby - Applies only to APMs. Indicates that the APM is functioning as a Standby VAP.
    Up - Module is functioning normally. For APMs, the Up status indicates that the module is functioning, but it is not yet ready to receive traffic.
    Initializing - Module is initializing.
    Booting - Module is booting up.
    AwaitingBoot - Module is getting ready to boot up.
    Diagnostic - Module is running hardware diagnostics.
    Maintenance - Module is running in maintenance mode.
    Offline - Applies only to CPMs. Indicates that the CPM is offline.
    CrashDumping - Module is crashing and is sending information to a log file that you can use to debug the crash.
    Down - Module is not functioning.
    Unavailable - Module is unavailable.
    Unknown - System is unable to determine the status of the module.
    n/a - Module is not present in the slot.
Uptime - Amount of time the module has spent in the Up state.

Restrictions
Default Privilege Level: 0

Example
The following example is output for this command:


    CBS# show chassis
    Chassis Status for X80:
    Power Type: AC-3
    1G Backplane Support: Yes
    1G Backplane Capability for Slots 3 and 4: Yes
    Chassis Revision: C2
    Chassis Serial Number: G808F008
    Chassis Part Number: 004360
    Chassis OCODE: A000
    Slot  Present  Module Name  Module Type  Status   Uptime
    1     No       n/a          n/a          n/a
    2     Yes      np2          NP8600       Up       13 days, 04:11
    3     No       n/a          n/a          n/a
    4     No       n/a          n/a          n/a
    5     Yes      ap3          AP9600       Active   5 days, 00:58
    6     No       n/a          n/a          n/a
    7     Yes      ap5          AP8600       Standby  6 days, 00:28
    8     Yes      ap6          AP8600       Standby  5 days, 05:27
    9     No       n/a          n/a          n/a
    10    No       n/a          n/a          n/a
    11    No       n/a          n/a          n/a
    12    No       n/a          n/a          n/a
    13    Yes      cp1          CP8600       Up       13 days, 04:14
    14    No       n/a          n/a          n/a

show cpu
This command displays the CPU load and utilization average information for the last 1, 5, and 15 minutes on all modules in the system, and displays other statistics for each CPU. Use parameters to display only the specified types of information.

Syntax
show cpu [utilization-average] [load-average] [statistics]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter - Description
utilization-average - Displays CPU utilization averages.
load-average - Displays CPU load average.
statistics - Displays additional CPU statistics.


Restrictions
Default Privilege Level: 0

Example
The following is an example of this command:

    CBS# show cpu
    CPU utilization average for np1:
      for last 1 minute: 0.59
      for last 5 minutes: 0.57
      for last 15 minutes: 0.59
    CPU utilization average for np2:
      for last 1 minute: 0.66
      for last 5 minutes: 0.62
      for last 15 minutes: 0.63
    CPU utilization average for ap1:
      for last 1 minute: 0.03
      for last 5 minutes: 0.33
      for last 15 minutes: 0.12
    CPU utilization average for ap2:
      for last 1 minute: 0.00
      for last 5 minutes: 0.08
      for last 15 minutes: 0.07
    CPU utilization average for cp1:
      for last 1 minute: 100.00
      for last 5 minutes: 100.00
      for last 15 minutes: 100.00

    CPU load average for np1:
      for last 1 minute: 15.00
      for last 5 minutes: 15.00
      for last 15 minutes: 15.00
    CPU load average for np2:
      for last 1 minute: 15.00
      for last 5 minutes: 15.00
      for last 15 minutes: 15.00
    CPU load average for ap1:
      for last 1 minute: 0.00
      for last 5 minutes: 0.00
      for last 15 minutes: 0.00
    CPU load average for ap2:
      for last 1 minute: 0.00
      for last 5 minutes: 0.00
      for last 15 minutes: 0.00
    CPU load average for cp1:
      for last 1 minute: 42.99
      for last 5 minutes: 42.97


      for last 15 minutes: 42.85
    Slot Module CPU   User  Nice  Syst  Idle  Irq   SfIrq Iowt
    ---- ------ ----- ----- ----- ----- ----- ----- ----- -----
    3    ap1    CPU   0.0   0.0   0.0   100.0 0.0   0.0   0.0
    3    ap1    CPU0  0.0   0.0   0.0   100.0 0.1   0.1   0.0
    3    ap1    CPU1  0.0   0.0   0.0   100.0 0.0   0.0   0.0
    Slot Module CPU   User  Nice  Syst  Idle  Irq   SfIrq Iowt
    ---- ------ ----- ----- ----- ----- ----- ----- ----- -----
    4    ap2    CPU   0.0   0.0   0.0   100.0 0.0   0.0   0.0
    4    ap2    CPU0  0.0   0.0   0.0   100.0 0.0   0.0   0.0
    4    ap2    CPU1  0.0   0.0   0.0   100.0 0.0   0.0   0.0
    Slot Module CPU   User  Nice  Syst  Idle  Irq   SfIrq Iowt
    ---- ------ ----- ----- ----- ----- ----- ----- ----- -----
    13   cp1    CPU   0.1   0.0   0.0   0.0   0.0   0.1   98.4

show current-release
This command displays the currently loaded XOS software release version. This command displays the software version for off-line CPMs.

Syntax
show current-release [verify-rpm]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter - Description
verify-rpm - Verifies the consistency of installed rpms.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command:

    CBS# show current-release
    Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
    Version: XOS 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
    gcc: gcc version 2.96 20000731 (Linux 7.3 2.96-112)
    CVS_Label: XOS-9_5_1_0-20110226_1
    Kit_Number: xx


show current-running-release (upgrade context)


This command displays the currently running XOS software release version. This command displays the software version for off-line CPMs.

Syntax
show current-running-release

Context
You access this command from the upgrade CLI context.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command:

    CBS(upgrade)# show current-running-release
    Crossbeam: 9.5.1-xx (current)

show disk-usage
This command displays disk usage statistics for the root partition and for the /, /boot, /cbconfig, /tftpboot, and /mgmt partitions on the CPM. The system collects disk usage information from the four CPM disk usage facility alarm sensors (one alarm sensor for each partition) once a day.

Syntax
show disk-usage [history]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter - Description
history - Displays disk usage statistics for the past several days.

Restrictions
Default Privilege Level: 15


Example
The following is an example of this command:

    CBS# show disk-usage
    ======================================================================
    Top Disk Users Report for Thu Mar 17 17:25:18 EDT 2011
    ======================================================================
    Filesystem  1K-blocks  Used     Available  Use%  Mounted on
    /dev/md5    7882448    4129128  3352908    56%   /
    /dev/md1    102672     7804     89652      9%    /boot
    /dev/drbd0  1971472    233560   1637768    13%   /cbconfig
    /dev/drbd1  210121168  8318236  191129372  5%    /tftpboot
    /dev/drbd2  2011792    162060   1747540    9%    /mgmt

show environment
This command displays the current chassis status for temperatures, power supplies, LEDs, fans, and power feeds. If no parameters are specified, all parameters measured on the chassis are displayed.

Syntax
show environment [temperatures|power-supply|leds|fans|feeds]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter - Description
temperatures - Displays the temperature measured by the sensor on the fan tray.
power-supply - Displays whether power-supplies are present or not.
leds - Displays whether the LEDs on the chassis are on or off.
fans - Displays the status of fan-trays (present/not-present) and individual fans (on/off).
feeds - Displays whether the power feeds are present or not.

Restrictions
Default Privilege Level: 0


Example
The following is an example of this command:

    CBS# show environment
    Environmental Statistics:
    Temperature readings:
      Chassis temperature measured at 17(C)
    LED status:
      Critical LED is OFF
      Major LED is OFF
      Minor LED is ON
    Power Type:
      Power Type is AC
    Power Supply status:
      Power Supply has Failed
      Power supply Bay 1 Present
      Power supply Bay 1 is Operational
      Power supply Bay 2 Not Present
      Power supply Bay 3 Not Present
      Power supply Bay 4 Present
      Power supply Bay 4 has Failed
    Power Feed status:
      Power Feed is Operational

    Upper Fan Tray Status:
      Upper Fan Tray Revision Is C
      Upper Fan Tray Serial Number Is B24700200
      Upper Fan Tray Part Number Is 000350
      Upper Fan Tray Present
      Upper Fan Tray is Compatible
      Fan 1 Is OK
      Fan 2 Is OK
      Fan 3 Is OK
      Fan 4 Is OK
      Fan 5 Is OK
      Fan 6 Is OK
      Fan 7 Is OK
      Fan 8 Is OK
      Fan 9 Is OK
    Lower Fan Tray Status:
      Lower Fan Tray Revision Is C
      Lower Fan Tray Serial Number Is B31600442
      Lower Fan Tray Part Number Is 001911
      Lower Fan Tray Present
      Lower Fan Tray is Compatible
      Fan 1 Is OK
      Fan 2 Is OK
      Fan 3 Is OK
      Fan 4 Is OK
      Fan 5 Is OK
      Fan 6 Is OK


show heartbeat
This command displays the link quality between all modules or to specified modules. Each active module in an X-Series chassis sends out four heartbeat signals every second.

Syntax
show heartbeat [cp1] [cp2] [ap1] [ap2] [ap3] [ap4] [ap5] [ap6] [ap7] [ap8] [ap9] [ap10] [np1] [np2] [np3] [np4]

Context
You access this command from the main CLI context.

Output
In the output from this command, the first column contains these items:

    X-Series Chassis      Control Buses   Data Planes
    X45                   CB A, CB B      DP A, DP B
    X20, X30, and X60     CB A, CB B      DP A1, DP A2, DP B1, DP B2
    X40, X80, and X80-S   CB A, CB B      DP A, DP B, DP C, DP D

The data are presented as follows:
Percent - On a given bus or data plane, 100% indicates that all heartbeats were received during the most recent time period. Lower percentages indicate that some heartbeats were not received.
NA - Indicates that the link is unconnected or that no heartbeats have been received. An unconnected link means that the slot is empty or that the module in the slot is not in the Active or Up state.

Parameters
The following table lists the parameters used with this command.
Parameter - Description
cp1 - Heartbeats received by CP1
cp2 - Heartbeats received by CP2
ap1 - Heartbeats received by AP1
ap2 - Heartbeats received by AP2
ap3 - Heartbeats received by AP3


ap4 - Heartbeats received by AP4
ap5 - Heartbeats received by AP5
ap6 - Heartbeats received by AP6
ap7 - Heartbeats received by AP7
ap8 - Heartbeats received by AP8
ap9 - Heartbeats received by AP9
ap10 - Heartbeats received by AP10
np1 - Heartbeats received by NP1
np2 - Heartbeats received by NP2
np3 - Heartbeats received by NP3
np4 - Heartbeats received by NP4

Restrictions
Default Privilege Level: 0

Example
The following example shows the output of show heartbeat for cp2 on an X80 system.

    CBS# show heartbeat cp2
    Link Quality TO: 14
    FROM    1     2     3     4     5     6     7     8     9     10    11    12    13    14
    ON ports
    CB A:   NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA
    CB B:   NA    100%  NA    NA    100%  NA    100%  NA    NA    NA    NA    NA    NA    NA
    DP A:   NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA
    DP B:   NA    100%  NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA
    DP C:   NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA
    DP D:   NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA


The following example shows the output of the show heartbeat command on an X60 with no module specified.

    CBS# show heartbeat
    Link Quality TO: 1
    FROM    1     2     3     4     5     6     7
    ON ports
    CB A:   NA    NA    NA    NA    NA    NA    NA
    CB B:   NA    100%  100%  100%  100%  100%  100%
    DP A1:  100%  100%  NA    100%  100%  100%  100%
    DP A2:  NA    NA    NA    100%  100%  100%  NA
    DP B1:  NA    NA    NA    NA    NA    NA    NA
    DP B2:  NA    NA    NA    NA    NA    NA    NA
    Link Quality TO: 2
    FROM    1     2     3     4     5     6     7
    ON ports
    CB A:   NA    NA    NA    NA    NA    NA    NA
    CB B:   100%  NA    100%  100%  100%  100%  100%
    DP A1:  NA    NA    NA    NA    NA    NA    NA
    DP A2:  NA    NA    NA    NA    NA    NA    NA
    DP B1:  100%  100%  NA    100%  100%  100%  100%
    DP B2:  NA    NA    NA    100%  100%  100%  NA
    Link Quality TO: 3
    FROM    1     2     3     4     5     6     7
    ON ports
    CB A:   NA    NA    NA    NA    NA    NA    NA
    CB B:   100%  100%  NA    100%  100%  100%  100%
    DP A1:  NA    NA    NA    NA    NA    NA    NA
    DP A2:  NA    NA    NA    NA    NA    NA    NA
    DP B1:  NA    NA    NA    NA    NA    NA    NA
    DP B2:  NA    NA    NA    NA    NA    NA    NA
    Link Quality TO: 4
    FROM    1     2     3     4     5     6     7
    ON ports
    CB A:   NA    NA    NA    NA    NA    NA    NA
    CB B:   100%  100%  100%  NA    100%  100%  100%
    DP A1:  100%  NA    NA    NA    100%  100%  100%
    DP A2:  100%  NA    NA    NA    100%  100%  NA
    DP B1:  NA    100%  NA    NA    100%  100%  100%
    DP B2:  NA    100%  NA    NA    100%  100%  NA
    Link Quality TO: 5
    FROM    1     2     3     4     5     6     7
    ON ports
    CB A:   NA    NA    NA    NA    NA    NA    NA
    CB B:   100%  100%  100%  100%  NA    100%  100%
    DP A1:  100%  NA    NA    100%  NA    100%  100%
    DP A2:  100%  NA    NA    100%  NA    100%  NA
    DP B1:  NA    100%  NA    100%  NA    100%  100%
    DP B2:  NA    100%  NA    100%  NA    100%  NA
    Link Quality TO: 6
    FROM    1     2     3     4     5     6     7
    ON ports
    CB A:   NA    NA    NA    NA    NA    NA    NA
    CB B:   100%  100%  100%  100%  100%  NA    100%
    DP A1:  100%  NA    NA    100%  100%  NA    100%
    DP A2:  100%  NA    NA    100%  100%  NA    NA
    DP B1:  NA    100%  NA    100%  100%  NA    100%
    DP B2:  NA    100%  NA    100%  100%  NA    NA
    Link Quality TO: 7
    FROM    1     2     3     4     5     6     7
    ON ports
    CB A:   NA    NA    NA    NA    NA    NA    NA
    CB B:   100%  100%  100%  100%  100%  100%  NA
    DP A1:  100%  NA    NA    100%  100%  100%  NA
    DP A2:  NA    NA    NA    NA    NA    NA    NA
    DP B1:  NA    100%  NA    100%  100%  100%  NA
    DP B2:  NA    NA    NA    NA    NA    NA    NA
    CBS#

show logging console


This command displays all Crossbeam event messages stored in the console log that have a severity level equal to or lower than the specified log level. If you do not specify a log level, this command displays event messages stored in the console log that have a severity level equal to or lower than log level 4, Warning.

NOTE: Event message severity levels and log levels are numbered 0 - 7. However, level 0 (Emergency) is the highest severity level, while it is the lowest log level. Level 7 (Debugging) is the lowest severity level, while it is the highest log level. You can specify a log level by entering the log level number (0-7) or by entering the severity keyword that corresponds to the desired log level number (listed below).

NOTE: The console log stores only the event messages that have a severity level equal to or less than the current console log level. (See configure logging console on page 148.) If the log level specified with the show logging console command is higher than the current console log level, the command displays all event messages stored in the console log.

Syntax
show logging console [level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}] [component <component_name>] [hostname <hostname>] [chronological-order] [<month>] [<date>] [<year>] [<time>]

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.
Parameter - Description
level <level_number> - Displays all event messages stored in the console log that have a severity level number equal to or lower than the log level, <level_number>. See parameter descriptions below for a list of severity level descriptions. Valid values are 0-7. Default is 4.
level emerg - Displays messages stored in the console log with severity level 0. Severity level 0 is Emergency, which indicates that the system is unstable.
level alert - Displays messages stored in the console log with severity levels 0 and 1. Severity level 1 is Alert, which indicates that immediate action is needed.
level crit - Displays messages stored in the console log with severity levels 0-2. Severity level 2 is Critical, which indicates a critical condition.
level error - Displays messages stored in the console log with severity levels 0-3. Severity level 3 is Error, which indicates an error condition.
level warning - Displays messages stored in the console log with severity levels 0-4. Severity level 4 is Warning, which indicates a warning condition.
level notice - Displays messages stored in the console log with severity levels 0-5. Severity level 5 is Notification, which indicates that a significant event has occurred, but conditions remain normal.
level info - Displays messages stored in the console log with severity levels 0-6. Severity level 6 is Informational. Use these messages for information only.
level debug - Displays messages stored in the console log with severity levels 0-7. Severity level 7 is Debugging. Use these messages for debugging only.


component <component_name> - Filters the output of the show logging console command. Displays only the event messages whose component names match one of the following <component_name> values:
    cbsalarmmond - CBS RMON Monitor
    cbscfgmgrd - CBS Configuration Manager
    cbsd - CBS Daemon
    cbsflowagentd - CBS Flow Agent
    cbsflowcalcd - CBS Flow Calculator
    cbshmonitord - CBS Health Monitor
    cbsinitd - CBS Initializer
    cbsstatsd - CBS Statistic Collector
    cbssysctrld - CBS System Controller
    cbsvfpcfgd - CBS VAP Config Agent
    cli - Command Line Interface
    init_cli - CLI Initializer
    WEB - CBS Graphic User Interface (GUI)
hostname <hostname> - Filters the output of the show logging console command. Displays only the event messages that originate from the module with the specified host name.
chronological-order - Displays event messages in reverse chronological order.
<month> - Filters the output of the show logging console command. Displays messages only for events that occurred during the specified month. You must specify the month as a three-letter abbreviation. Default value is the current month if the <date>, <year>, or <time> parameter is specified.
<date> - Filters the output of the show logging console command. Displays messages only for events that occurred on the specified day of the month. Valid values are from 1 to 31. Default value is the current date if the <mon>, <year>, or <time> parameter is specified.

Restrictions
Default Privilege Level: 0

show module admin-state


This command displays the current administrative state (enabled, disabled, or maintenance) for all modules in an X-Series Platform. The admin-state parameter cannot be used with any other parameter.


Syntax
show module admin-state

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter - Description
admin-state - Displays administrative status (enabled, disabled, or maintenance) for each module.

Restrictions
Default Privilege Level: 0

Example
The following is an example using show module admin-state to see the status for all modules in an X80.

    CBS# show module admin-state
    Slot Number  Administrative Status
    1            Enable
    2            Enable
    3            Enable
    4            Disable
    5            Enable
    6            Enable
    7            Enable
    8            Enable
    9            Enable
    10           Enable
    11           Enable
    12           Enable
    13           Enable
    14           Enable
    (14 rows)

show module status


This command displays hardware details for modules installed in an X-Series Platform. If a specific module is not specified with status, the show command applies to all modules. If no value is specified, the status of all parameters measured on all modules is displayed, except reachability.

Syntax
show module status [np1|np2|np3|np4|cp1|cp2|ap1|ap2|ap3|ap4|ap5|ap6|ap7|ap8|ap9|ap10] [voltage|temperature|type|revision|serial|link|memory|leds|disk|duart| reachability|acceleration-card|eth-daughter-card]


Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.
Parameter - Description
np1 - np4 - Displays specific NPMs in the X-Series Platform.
cp1 or cp2 - Displays specific CPMs in the X-Series Platform.
ap1 - ap10 - Displays specific APMs in the X-Series Platform.
voltage - Displays the voltage measured on each module in volts.
temperature - Displays the temperatures measured on each module in degrees Celsius.
type - Displays the module type.
revision - Displays the module hardware revision.
serial - Displays the module serial number.
link - Displays the status of links attached to the module specified (UP/DOWN).
memory - Displays the status of memory devices on the specified module in KB.
leds - Displays whether the LEDs on the modules are ON or OFF.
disk - Displays slot, number, size, errors, and RAID status information about disk drives installed on the CPMs and APMs. NOTE: Use this parameter to check for dual drives before configuring RAID.
duart - Displays the status of the DUAL UART (serial ports) if connected to the specified module (UP/DOWN).
reachability - Displays the modules reachable from the specified slot through the control and data plane.
acceleration-card - Displays the presence of an Accelerated Crypto Engine (ACE) card, used for VPN acceleration, on an APM.
eth-daughter-card - Displays the presence of an Ethernet daughter card on an APM.

Output
The output for this command has the following format:

    NA = Not Available, DP = Data Plane, CP = Control Plane
    cp = Control Processor, ap = Application Processor, np = Network Processor
    Slot 1:
    Board Type                    NP8620
    Board Part Number             005331
    Board Serial Number           G834L008
    Board Revision                2
    Control FPGA Revision         0x3
    Focus FPGA Revision           0xDB1C
    Board OCODE                   A000
    Dual-CPU Capacity             Not Available
    CPU Presence                  Present
    CPU2 Presence                 Not Present
    CPU Voltage                   1.10(V)
    3.3v Supply                   3.32(V)
    2.5v Supply                   2.50(V)
    1.8v Supply                   1.79(V)
    1.8v NP6 Octeon DDR           1.79(V)
    1.2v NP6 EZChip Core          1.18(V)
    1.8v NP6 EZChip DDR           1.79(V)
    1.5v NP6 EZChip XGMII/RGMII   1.47(V)
    1.2v NP6 XBPRC                1.19(V)
    Ethernet Switch Voltage       1.24(V)
    CPU Temperature               42(C)
    Intake Air Temperature        28(C)
    FPGA Temperature              43(C)
    Exhaust Air Temperature       32(C)
    SDRAM 1 Size                  1048576(KB)
    SDRAM 2 Size                  0(KB)
    SDRAM 3 Size                  1048576(KB)
    SDRAM 4 Size                  0(KB)
    Total Memory                  2097152(KB)
    Used Memory                   1772372(KB)
    Free Memory                   324780(KB)
    Shared Memory                 0(KB)
    Buffers Memory                0(KB)
    Cached Memory                 79068(KB)
    Memory Utilization            81.09%
    Total High Memory             0(KB)
    Free High Memory              0(KB)
    Total Low Memory              0(KB)
    Free Low Memory               0(KB)
    Active LED                    On
    Standby LED                   Off
    Failure LED                   Off
    Control Bus A                 Up
    Control Bus B                 Up
    np1/ Link                     Up
    np1/np2 Link                  Up
    np1/ap1 Link                  Down
    np1/ap2 Link                  Down
    np1/ap3 Link                  Down
    np1/ap4 Link                  Down
    np1/ap5 Link                  Down
    np1/ap6 Link                  Down
    np1/ap7 Link                  Down
    np1/ap8 Link                  Down
    np1/ap9 Link                  Down
    np1/ap10 Link                 Down
    np1/cp2 Link                  Up
    gigabitethernet 1/1           Down
    gigabitethernet 1/2           Down
    gigabitethernet 1/3           Down
    gigabitethernet 1/4           Down
    gigabitethernet 1/5           Down
    gigabitethernet 1/6           Down
    gigabitethernet 1/7           Down
    gigabitethernet 1/8           Down
    gigabitethernet 1/9           Down
    gigabitethernet 1/10          Down
    CPU Speed                     550 MHz
    CPU Up Time                   76389 secs
    Threshold

Restrictions
Default Privilege Level: 0

Example
The following command displays the voltage levels for np1 in an X-Series Platform:

CBS# show module status np1 voltage
NA = Not Available, DP = Data Plane, CP = Control Plane
cp = Control Processor, ap = Application Processor, np = Network Processor

Slot 1:
CPU Voltage                       1.10(V)
3.3v Supply                       3.32(V)
2.5v Supply                       2.50(V)
1.8v Supply                       1.79(V)
1.8v NP6 Octeon DDR               1.79(V)
1.2v NP6 EZChip Core              1.18(V)
1.8v NP6 EZChip DDR               1.78(V)
1.5v NP6 EZChip XGMII/RGMII       1.47(V)
1.2v NP6 XBPRC                    1.19(V)
Ethernet Switch Voltage           1.25(V)

show release (upgrade context)


This command displays all available releases on the local system. It also displays the software version for offline CPMs.

Syntax
show release

Context
You access this command from the upgrade CLI context.

Restrictions
Default Privilege Level: 15


Example
CBS# upgrade show release
Crossbeam: 9.5.1-xx
Crossbeam: 9.5.1-yy (current)

show rmon
This command displays the current RMON agent status.

Syntax
show rmon [alarms | events | log]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter    Description
alarms       Displays the RMON alarm table (default).
events       Displays the RMON event table.
log          Displays list of RMON events that have been logged.

Restrictions
Default Privilege Level: 0

Example
The following is an example of the RMON events display:

CBS# show rmon events
Event Number    : 65000
Event Type      : Log_n_trap
Community       : public
Last Time Sent  : 00:00
Owner           : system
Description     : Disk Usage Crossed Upper Threshold

show snmp
This command displays the existing system location, contact information, and SNMP hosts or SNMP communities. If no parameter is specified, system information is displayed.

Syntax
show snmp [contact | engine-id | location | community | hosts | system]


Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter    Description
contact      SNMP contact information.
engine-id    Engine Identifier for this copy of SNMP.
location     SNMP server location information.
community    Community strings, IP address, and network mask.
hosts        IP address, traps/inform configuration, security level, community string, and port number of the configured hosts for SNMP traps.
system       SNMP system information, such as system name, contact, and location.

Restrictions
Default Privilege Level: 0

show ssh-session
Lists all ssh sessions established to the X-Series Platform.

Syntax
show ssh-session

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is example output of the show ssh-session command:

Session Identifier    Remote Address    Username
19275                 192.168.1.160     admin
19392                 192.168.1.160     admin
24260                 192.168.1.160     admin
24272                 192.168.1.160     admin
7422                  192.168.1.160     admin
(5 rows)


show switch-data-path
This command displays switch data path statistics for each APM and CPM.

Syntax
show switch-data-path

Context
You access this command from the main CLI context.

The following table describes the information provided in each column/row.

Column/Row Heading    Information Provided
Slot                  Physical slot number
Mod                   Module type
SDPx                  Switch data path number (sdp0 - sdp7)
In Packets            Number of packets received
In Errors             Number of packets received with errors
In Drops              Number of packets dropped during reception
Out Packets           Number of packets transmitted
Out Errors            Number of errors occurring during transmission
Out Drops             Number of packets dropped during transmission

NOTE: The output for each module includes a total line that adds all of the statistics across all SDPs for that module. The total line appears after the individual SDP lines for that module. See the example for details.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command:

CBS# show switch-data-path
Slot  Mod  SDPx   In Packets  In Errors  In Drops  Out Packets  Out Errors  Out Drops
5     VAP  0        68924632          0         0     15335954           0          0
5     VAP  1            8141          0         0     15196503           0          0
5     VAP  2            4918          0         0     15202006           0          0
5     VAP  3            3494          0         0     15203418           0          0
5     VAP  total    68941185          0         0     60937881           0          0
6     VAP  0        69175814          0         0     60920931           0          0
6     VAP  1           19376          0         0         2929           0          0
6     VAP  2               0          0         0           12           0          0
6     VAP  3               0          0         0            0           0          0
6     VAP  total    69195190          0         0     60923872           0          0
8     VAP  0       157042359          0         0     36700424           0          0
8     VAP  1       102288199          0         0     26237621           0          0
8     VAP  2        95230406          0         0     52243981           0          0
8     VAP  3        95359152          0         0     55730905           0          0
8     VAP  4       107456912          0         0     55798419           0          0
8     VAP  5       104381580          0         0     57114440           0          0
8     VAP  6        89192465          0         0     62689669           0          0
8     VAP  7       104532946          0         0     55764149           0          0
8     VAP  total   855484019          0         0    402279608           0          0
9     VAP  0        64451065          0         0     49283608           0          0
9     VAP  1            5043          0         0     12496123           0          0
9     VAP  2            3581          0         0        17892           0          0
9     VAP  3            3098          0         0        30967           0          0
9     VAP  4         9291201          0         0        75174           0          0
9     VAP  5            3524          0         0        20795           0          0
9     VAP  6            2949          0         0      4266019           0          0
9     VAP  7            3105          0         0        38905           0          0
9     VAP  total    73763566          0         0     66229483           0          0
13    CP   0         6631094          0         0     13467209           0          0
13    CP   1               0          0         0            0           0          0
13    CP   2               0          0         0            0           0          0
13    CP   3               0          0         0            0           0          0
13    CP   total     6631094          0         0     13467209           0          0
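The following Python check is an added example, not part of the Crossbeam guide. It parses saved show switch-data-path output, confirms that each module's total line equals the sum of its SDP lines as the NOTE above describes, and flags non-zero error or drop counters. The slot 5 and 6 rows are taken from the example above; the slot 7 rows and all function names are constructed for illustration.

```python
from collections import defaultdict

# Slot 5 and 6 rows are copied from the example above. The slot 7 rows are
# constructed: they carry errors and drops, and a total line whose Out Packets
# value does not match the per-SDP sum.
SAMPLE = """\
CBS# show switch-data-path
Slot Mod SDPx  In Packets In Errors In Drops Out Packets Out Errors Out Drops
5    VAP 0       68924632         0        0    15335954          0         0
5    VAP 1           8141         0        0    15196503          0         0
5    VAP 2           4918         0        0    15202006          0         0
5    VAP 3           3494         0        0    15203418          0         0
5    VAP total   68941185         0        0    60937881          0         0
6    VAP 0       69175814         0        0    60920931          0         0
6    VAP 1          19376         0        0        2929          0         0
6    VAP 2              0         0        0          12          0         0
6    VAP 3              0         0        0           0          0         0
6    VAP total   69195190         0        0    60923872          0         0
7    VAP 0           1000         0        0         900          0        40
7    VAP 1            500         2        0         450          0         0
7    VAP total       1500         2        0        1400          0        40
"""

COUNTERS = ("in_packets", "in_errors", "in_drops",
            "out_packets", "out_errors", "out_drops")


def parse_rows(text):
    """Return {(slot, mod): {"sdps": {sdp: counters}, "total": counters}}."""
    modules = defaultdict(lambda: {"sdps": {}, "total": None})
    for line in text.splitlines():
        fields = line.split()
        # A data row is: slot, module type, SDP number or "total", 6 counters.
        # The prompt, the column headings and blank lines fail this test.
        if len(fields) != 9:
            continue
        if not all(f.isdigit() for f in fields[:1] + fields[3:]):
            continue
        key = (int(fields[0]), fields[1])
        counters = dict(zip(COUNTERS, map(int, fields[3:])))
        if fields[2] == "total":
            modules[key]["total"] = counters
        elif fields[2].isdigit():
            modules[key]["sdps"][int(fields[2])] = counters
    return dict(modules)


def audit(modules):
    """Return findings as (slot, mod, kind, counter, detail) tuples."""
    findings = []
    for (slot, mod), data in sorted(modules.items()):
        summed = {c: sum(s[c] for s in data["sdps"].values())
                  for c in COUNTERS}
        total = data["total"]
        if total is None:
            # Truncated capture: the total line never arrived.
            findings.append((slot, mod, "missing-total", None, None))
        else:
            for c in COUNTERS:
                if total[c] != summed[c]:
                    findings.append((slot, mod, "total-mismatch", c,
                                     (summed[c], total[c])))
        for c in COUNTERS:
            if c.endswith(("errors", "drops")) and summed[c]:
                findings.append((slot, mod, "nonzero", c, summed[c]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rows(SAMPLE)):
        print(finding)
```

A total-mismatch finding usually means the capture was truncated or counters changed between lines of a polled display, so re-run the command before treating it as a fault.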

show system
This command displays information about the system, such as: system name, location, contact info, hardware revision, software version, and so on.

Syntax
show system

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
CBS# show system
Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
Version: CLI 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
gcc: gcc version 2.96 20000731 (Linux 7.3 2.96-112)
CVS_Label: XOS-9_5_1_0-20110226_1
Chassis information:
Part number: 003717, Serial Number: F6240016, Hardware Revision: E
Slot  Board Type  Ports  Part Num  Serial Num  Hw Revision  Status
1     NP8600      12     003927    G7150499    8            Up
2     NP8600      12     003927    G7150508    8            Up
5     AP8650      0      004911    L845H046    8            Active
6     AP9600      0      005682    P104N013    AA           Active
9     AP9600      0      005682    P104N034    AA           Active
13    CP9600      5      005962    N023J519    AA           Up
CBS#

show traplog
This command displays the log of the last 100 SNMP traps.

Syntax
show traplog

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is a partial example of this command:

CBS# show traplog
Trap Description  : cbsHwModuleStatusChanged
Trap OID          : .1.3.6.1.4.1.6848.4.1.14
sysUpTime         : 00:01:05
Time & Date       : 2010-06-21 10:12:39.51
Num of variables  : 1
Variable 1        : cbsHwModuleStatus.5 = standby(5)
Variable 2        :
Other Variables   :

Trap Description  : cbsHwModuleStatusChanged
Trap OID          : .1.3.6.1.4.1.6848.4.1.14
sysUpTime         : 00:00:38
Time & Date       : 2010-06-21 10:12:12.51
Num of variables  : 1
Variable 1        : cbsHwModuleStatus.7 = standby(5)
Variable 2        :
Other Variables   :

Trap Description  : cbsHwModuleStatusChanged
Trap OID          : .1.3.6.1.4.1.6848.4.1.14
sysUpTime         : 00:00:34
Time & Date       : 2010-06-21 10:12:08.52
Num of variables  : 1
Variable 1        : cbsHwModuleStatus.2 = up(4)
Variable 2        :
Other Variables   :


show web-session
This command displays Web user sessions.

Syntax
show web-session

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command:

CBS# show web-session
User               : admin
GUI Access Level   : Administrator
Start Access Time  : 2010-03-09 10:09:39.339501-04
Last Access Time   : 2010-03-09 10:10:59.796468-04
User IP Addr       : 192.168.1.126

who
This command displays the users currently logged on to the X-Series Platform.

Syntax
who

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0


Commands for Troubleshooting X-Series Platform Network Connectivity


This section contains the following commands:

ping
show arp
show neighbor-discovery (IPv6)
show circuit
show flow active
show flow-path active
show flow distribution
show group-interface
show interface
show internal-ip
show netstat
show redundancy-interface
show vdf-status
clear vdf-status
show veth-stats

ping
This command tests network connectivity from this system to the specified IP address. This command originates from the CPM if the VAP group is not specified.

Syntax
ping [vap-group <vap-group> [<vap-index>]] {<ip-address>|<hostname>} [-c][-i][-s][-t]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter       Description
<vap-group>     VAP group for the VAP that the ping is originated from.
<vap-index>     Specific VAP in the VAP group.
<ip-address>    IP address of the host to ping.
<hostname>      Name of the host to ping.
-c              Number of packets sent. Default value is 5, with a range of 1 to 100.
-i              Number of seconds to wait between sending packets. Default is 1 with a range of 1 to 100.
-s              Packet size in bytes. Default is 56, with a range of 56 to 1024.
-t              Time-To-Live in hop (router) count. Default is 2, with a range of 1 to 100.


Restrictions
Default Privilege Level: 0

show arp
This command displays entries in the ARP cache. You may provide a range of IP addresses to be displayed by specifying the low and high range. If one IP address is specified, only the entries in the ARP cache matching that IP address are displayed. You can also specify to only display dynamic entries. By default, all IP addresses in the ARP cache are displayed.

Syntax
show arp [<IP_addr_low> [<IP_addr_high>]] [dynamic]

Context
You access this command from any CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter         Description
<IP_addr_low>     Display entries in the ARP cache for this IP address.
<IP_addr_high>    Display entries in the ARP cache for all IP addresses between <IP_addr_low> and this IP address.
dynamic           Display dynamic ARP entries only.

Restrictions
Default Privilege Level: 0

Example
CBS# show arp
Module      Address       Hardware Addr      Type     Interface
primarycpm  1.1.2.32      00:03:d2:00:02:02  dynamic  eth0
primarycpm  192.168.64.1  00:00:5e:00:00:40  dynamic  eth2

show neighbor-discovery (IPv6)


This command displays the entries in the neighbor discovery table, along with status information for each discovered node.

Syntax
show neighbor-discovery


Context
You access this command from the main CLI context.

Output
The following table describes the information provided in each row of the output.

Row Heading

Information Provided

Domain

Displays the domain number associated with this neighbor entry.

IP address

Displays the IP address of this neighbor entry.

State

Displays the most recent state recorded in the neighbor discovery table. Possible values are:
DELAY - The neighbor is no longer known to be reachable, and traffic has recently been sent to the neighbor. Rather than probe the neighbor immediately, however, delay sending probes for a short while in order to give upper layer protocols a chance to provide reachability confirmation.
INCOMPLETE - Address resolution is in progress and the link-layer address of the neighbor has not yet been determined.
PROBE - The neighbor is no longer known to be reachable, and unicast Neighbor Solicitation probes are being sent to verify reachability.
REACHABLE - Roughly speaking, the neighbor is known to have been reachable recently (within tens of seconds ago).
STALE - The neighbor is no longer known to be reachable but until traffic is sent to the neighbor, no attempt should be made to verify its reachability.
FAILED - The neighbor has been declared unreachable. The system seeks an alternate path.

Type

Displays the type of link associated with this neighbor discovery table entry. Possible values are:
asymmetric reachability - A link where non-reflexive and/or non-transitive reachability is part of normal operation. (Non-reflexive reachability means packets from A reach B but packets from B don't reach A. Non-transitive reachability means packets from A reach B, and packets from B reach C, but packets from A don't reach C.) Many radio links exhibit these properties.
multicast - A link that supports a native mechanism at the link layer for sending packets to all (i.e., broadcast) or a subset of all neighbors.
non-broadcast multi-access (NBMA) - A link to which more than two interfaces can attach, but that does not support a native form of multicast or broadcast (e.g., X.25, ATM, frame relay, etc.).
point-to-point - A link that connects exactly two interfaces. A point-to-point link is assumed to have multicast capability and have a link-local address.
shared media - A link that allows direct communication among a number of nodes, but attached nodes are configured in such a way that they do not have complete prefix information for all on-link destinations. That is, at the IP level, nodes on the same link may not know that they are neighbors; by default, they communicate through a router. Examples are large (switched) public data networks such as SMDS and B-ISDN. Also known as "large clouds". See [SH-MEDIA].
unicast - One of these unicast address types:
    Global unicast address - A conventional, publicly routable address, just like conventional IPv4 publicly routable addresses.
    Link-local address - Similar to the private, non-routable addresses in IPv4 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). They are not meant to be routed, but confined to a single network segment. Link-local addresses mean you can easily throw together a temporary LAN, such as for conferences or meetings, or set up a permanent small LAN the easy way.
    Unique local address - Meant for private addressing, with the addition of being unique, so that joining two subnets does not cause address collisions.
    Special addresses are loopback addresses, IPv4-address mapped spaces, and 6to4 addresses for crossing from an IPv4 network to an IPv6 network.
variable MTU - A link that does not have a well-defined MTU (e.g., IEEE 802.5 token rings). Many links (e.g., Ethernet) have a standard MTU defined by the link-layer protocol or by the specific document describing how to run IP over the link layer.

Flags

If one or more flags are set, they indicate the type of neighbor. Possible values are:
A dash or hyphen indicates that no flags are set. The type of neighbor is not specified.
The word PROXY indicates that the neighbor is a proxy ARP device.
The word ROUTER indicates that the neighbor is an IPv6 router.

HW Address

The MAC address associated with this neighbor discovery table entry.

Device

The device name associated with this neighbor table entry.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command.

CBS# show neighbor-discovery
Neighbor Entry
Module        one_2
Domain        0
IP address    2002:1::3
State         REACHABLE
Type          UNICAST
Flags
HW Address    00:03:d2:20:0c:69
Device        enter

Neighbor Entry
Module        one_2
Domain        0
IP address    2002:2::1
State         REACHABLE
Type          UNICAST
Flags
HW Address    00:03:d2:1f:fb:b9
Device        thru

Neighbor Entry
Module        one_2
Domain        0
IP address    fe80::203:d2ff:fe1f:fbb9
State         STALE
Type          UNICAST
Flags
HW Address    00:03:d2:1f:fb:b9
Device        thru

show circuit
This command displays circuit information for one or all circuits. The Aggregation Mode field displays whether the circuit is a part of a multi-link, bridge, or transparent group interface. If not a member of a group interface, none is displayed.

Syntax
show circuit <circuit_name> [admin-status | status]

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter         Description
<circuit_name>    Name of a specific circuit. Default is all circuits.
status            Displays statistical information relating to a circuit. Default.
admin-status      Displays circuit configuration information.

Restrictions
Default Privilege Level: 0

Example
The following example shows the output of the status parameter.

CBS# show circuit outside status
Module  Circuit  IP Address  In Packets  In Errors  In Drops  Out Packets  Out Errors  Out Drops
ips_1   outside  10.37.0.1     28401561          0         0     28422779           0          0
ips_2   outside  10.37.0.1     28401543          0         0     28422559           0          0

The following example shows the output of the admin-status parameter.

CBS# show circuit outside admin-status
Circuit Name                           : bint
Circuit-Id                             : 1027
Device Name                            : bint
Incoming Circuit Group                 : 1
Promiscuous Mode                       : no promiscuous
Proxy ARP Enabled (true/false)         : f
IP Forwarding (true/false)             : f
ICMP Redirect (true/false)             : f
Reclassify NAT Flows (true/false)      : f
IP Flow Rule Priority                  : 21
IP Flow Rule No Failover (true/false)  : f
VAP Group                              : flo
Verify Next Hop IP                     :
Aggregation Mode                       : none
Domain                                 : 1
New Flow Control (true/false)          : t
DHCP Relay (true/false)                : f
Default Egress Vlan Tag                : N/A
Hide VLAN Header (true/false)          : N/A
Replace Egress Vlan Tag                : N/A
MAC Address                            : 00:03:d2:e0:0c:c8 (system-reserved)
MTU                                    : 1500
Management Circuit (true/false)        : f
Enable (true/false)                    : t
Primary Type                           : primary
IP Address                             : 192.168.10.1/24
IP Broadcast Address                   : 192.168.10.255
Increment-per-vap Mode (true/false)    : f


show flow active


Displays information currently stored in the Active Flow Table (AFT) on the Network Processor Modules (NPMs) running on the X-Series Platform.

NOTE: Refer to the XOS Configuration Guide for more information about Active Flow Tables on NPMs.

Use this command to determine whether flows are arriving on the NPMs and to determine whether the NPMs are dropping those flows or sending them on to virtual application processor (VAP) groups configured on the X-Series Platform.

You can use the verbose parameter to change the format in which the CLI displays the output of the command and to display additional information about each active flow. See Verbose Output for a detailed description of the verbose output of this command.

By default, this command's output is static; the CLI displays the current state of the active flows that exist when you issue the command and does not display updated information when the state of an existing flow changes or when a new flow arrives on the X-Series Platform. Use the poll parameter to continuously poll the NPMs and display updated information at regular intervals. Use this parameter to continuously monitor traffic over time, observing changes in the states of existing flows and obtaining information about new flows that arrive on the X-Series Platform.

NOTE: Press Ctrl-y to stop updating the command output and return to the CLI prompt.

By default, this command displays information about all active flows. You can use one or more of the following parameters to filter the command output to display information only about the active flows that match the criteria that you specify with the parameters:

source-address
destination-address
source-port
destination-port
protocol
domain
circuit-id
module
master-npm
fast-path-only
verbose
poll
sort
validated
validation-pending
no-validation

By default, this command lists the active flows in the order in which they appear in the AFT. Use the sort parameter to sort the list of flows, as described in Parameters.


Syntax
show flow active
    [source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [source-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [destination-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}]
    [domain {<domain_ID_number> | <lowest_domain_ID_number> <highest_domain_ID_number>}]
    [circuit-id {<circuit_ID_number> | <lowest_circuit_ID_number> <highest_circuit_ID_number>}]
    [module {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}]
    [master-npm {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}]
    [fast-path-only] [verbose] [poll <polling_interval>] [sort]
    [validated] [validation-pending] [no-validation]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter

Description

source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}

Filters the command output using the specified source IP address matching criteria. Specify a single IP address to display information only about active flows that have the specified source IP address. Specify a range of IP addresses to display information only about active flows whose source IP addresses are within the specified range.

destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}

Filters the command output using the specified destination IP address matching criteria. Specify a single IP address to display information only about active flows that have the specified destination IP address. Specify a range of IP addresses to display information only about active flows whose destination IP addresses are within the specified range.

source-port {<port_number> | <lowest_port_number> <highest_port_number>}

Filters the command output using the specified source port matching criteria. Specify a single port number to display information only about active flows that have the specified source port number. Specify a range of port numbers to display information only about active flows whose source port numbers are within the specified range.


destination-port {<port_number> | <lowest_port_number> <highest_port_number>}

Filters the command output using the specified destination port matching criteria. Specify a single port number to display information only about active flows that have the specified destination port number. Specify a range of port numbers to display information only about active flows whose destination port numbers are within the specified range.

protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}

Filters the command output using the specified protocol matching criteria. Specify a single protocol number to display information only about active flows that have the specified protocol number. Specify a range of protocol numbers to display information only about active flows whose protocol numbers are within the specified range.

domain {<domain_ID_number> | <lowest_domain_ID_number> <highest_domain_ID_number>}

Filters the command output using the specified domain matching criteria. Specify a single domain ID number to display information only about active flows received on circuits with the specified domain ID number. Specify a range of domain ID numbers to display information only about active flows received on circuits whose domain ID numbers are within the specified range. Use the show circuit command to display the domain ID numbers assigned to circuits configured on the X-Series Platform.
NOTE: By default, XOS assigns all new circuits to domain number 1. You can assign a circuit to a different domain by specifying the domain parameter with the configure circuit command. If you assign a single domain ID to all of the circuits configured for a VAP group, you can use the show flow active command to monitor the status of all of the flows that arrive on that VAP group. This is particularly useful when monitoring flows that pass through multiple, serialized VAP groups, since you can assign a unique domain ID to each VAP group's circuits.


circuit-id {<circuit_ID_number> | <lowest_circuit_ID_number> <highest_circuit_ID_number>}

Filters the command output using the specified circuit ID matching criteria. Specify a single circuit ID number to display information only about active flows received on the circuit with the specified circuit ID number. Specify a range of circuit ID numbers to display information only about active flows received on the circuits whose circuit ID numbers are within the specified range. Use the show circuit command to display the circuit ID numbers assigned to circuits configured on the X-Series Platform.
NOTE: XOS assigns a default circuit ID number to every new circuit. You can assign a new circuit ID number to a circuit by specifying the circuit-id parameter with the configure circuit command.

module {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}

Filters the command output using the specified originating NPM matching criteria. Specify a single NPM slot number to display information only about active flows that originate on the NPM with the specified slot number. Specify a range of NPM slot numbers to display information only about active flows that originate on the NPMs whose slot numbers are within the specified range.

master-npm {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}

Filters the command output using the specified master NPM matching criteria. Specify a single NPM slot number to display information only about active flows whose master NPM has the specified slot number. Specify a range of NPM slot numbers to display information only about active flows whose master NPM has a slot number within the specified range.

fast-path-only

Filters the command output to display information only about active flows that originate on an NPM and are processed using the Fast Path. NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.

verbose

Changes the format in which the CLI displays the output of the command and displays additional information about flows sent to a VAP in a VAP group. See Default Output for more details.

poll <polling_interval>

Polls the NPMs continuously and displays updated information every <polling_interval> seconds. NOTE: Press Ctrl-y to stop polling the NPMs and return to the CLI prompt. Valid values for <polling_interval> are from 1-3600.


sort

Sorts the list of active flows that the command displays, using the following criteria, in the order shown. The CLI sorts the list of flows:
1. first by destination IP address
2. then by source IP address
3. then by protocol number
4. then by destination port
5. then by source port

validated

Displays flows that have been validated by the TCP flow setup validation scheme.

validation-pending

Displays flows that are subject to validation but have not yet been validated by the TCP flow setup validation scheme.

no-validation

Displays flows that are not subject to the TCP flow setup validation scheme. This includes non-TCP flows.

Default Output
By default, the show flow active command displays information in a table, using the following format:

Module               Source         Destination    Prot   Dom     TTI/MAX
<NPM_or_VAP_name1>   <IP>:<port>    <IP>:<port>    <#>    <ID#>   <mm:ss>/<mm:ss>
    Modules <VAP_name1>, <VAP_name2> ...
    rx circuit <ID#>   Master <NPM_name>   Fast Path {Y|N}   rx packets <#>
<NPM_or_VAP_name2>   <IP>:<port>    <IP>:<port>    <#>    <ID#>   <mm:ss>/<mm:ss>
    {Re-routing | Drop(<drop_reason_ID>)}
    rx circuit <ID#>   Master <NPM_name>   Fast Path {Y|N}   rx packets <#>

The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing. The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.


The following table describes the information provided in each column/row/field in the command output. Column/Row Heading or Field Module <NPM_or_VAP_nameN> Information Provided Name of the NPM or VAP from which the flow originates. An NPM name has the format: np<NPM_slot_number> Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform. A VAP name has the format: <VAP_group_name>_<VAP_index_number> Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform. Source <IP>:<port> Destination <IP>:<port> Prot <#> Dom <ID#> TTI/MAX <mm:ss>/<mm:ss> Domain ID number assigned to the circuit on which the originating NPM or VAP receives the flow. TTI Time to idle: the amount of time that the flow can remain idle before the NPM deletes that flow from the AFT MAX Maximum idle time: the maximum amount of time that the flow be idle before the NPM deletes that flow from the AFT Both TTI and MAX are displayed in minutes and seconds, using the format, mm:ss. For example, 8 minutes and 7 seconds has the format, 08:07. TTI is equal to MAX when the flow is active. When the flow becomes idle, TTI begins to count down to 00:00. If TTI reaches 00:00 before the flow becomes active again, the NPM deletes the flow from the AFT. Modules <VAP_name1>, <VAP_name2> ... Name(s) of the VAPs to which the originating NPM or VAP transfers the flow. Destination IP address and destination port number for the flow. Numeric identifier for the protocol that the flow uses. Source IP address and source port number for the flow.

XOS Command Reference Guide

815

Column/Row Heading or Field

Information Provided

{Re-routing | Drop(<drop_reason_ID>)} Indicates one of the following: Re-routing Originating NPM or VAP re-routes the flow to an external system. Drop(<drop_reason_ID>) Originating NPM or VAP drops the flow for the reason specified by <drop_reason_ID>. Possible values for <drop_reason_ID> are: No L2 policy match The destination MAC address in the packet did not match the MAC address of any VND on the circuit on which the packet entered the system. NOTE: Circuit information is not displayed for flows with this drop reason ID. No L3 policy match There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID. L3 drop policy This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop. PS2Master failed A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state. PS2IDX failed A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state. Load-balance failed A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP groups load-balance VAP list. Broadcast failed A flow rule configured with the action, broadcast, applies to this flow. 
The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state. No Reason One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.

Commands for Troubleshooting


rx circuit <ID#>

Circuit ID number assigned to the circuit on which the flow is received. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.

Master <NPM_name> Fast Path {Y|N}

Master NPM assigned to the flow. Fast Path Y indicates that the flow originates on an NPM and that the NPM processes the flow using the Fast Path. NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.

rx packets <#>

Number of packets that the originating NPM or VAP has received as part of this flow.

Verbose Output
The verbose output for this command has the following format:

<NPM_or_VAP_Name1>
Source Addr <IP_address>, Destination Addr <IP_address>
Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
TTI <tti_mm:ss> out of <max_mm:ss> configured
Modules <VAP_name1>, <VAP_name2> ...
Rx Available Slots <VAP_name1>, <VAP_name2> ...
Ageout <#_of_seconds>
rx circuit <ID#> Master <NPM_name> Fast Path {Y|N} rx packets <#>

<NPM_or_VAP_Name2>
Source Addr <IP_address>, Destination Addr <IP_address>
Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
TTI <tti_mm:ss> out of <max_mm:ss> configured
{Re-routing | Drop(<drop_reason_ID>)}
Rx Available Slots <VAP_name1>, <VAP_name2> ...
Ageout <#_of_seconds>
rx circuit <ID#> Master <NPM_name> Fast Path {Y|N} rx packets <#>

The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing. The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.


The following table describes the information provided in each column/row/field in the command output.

<NPM_or_VAP_nameN>

Name of the NPM or VAP from which the flow originates. An NPM name has the format: np<NPM_slot_number>
Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform. A VAP name has the format: <VAP_group_name>_<VAP_index_number>
Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.

Source Addr <IP_address>

Source IP address for the flow.

Destination Addr <IP_address>

Destination IP address for the flow.

Protocol <prot_name> (<#>)

Name of the protocol that the flow uses and the numeric identifier for that protocol. For example, if the flow uses UDP, this field displays: Protocol udp (17)

Dest Port {<#> | <port_prot>(<#>)}

Destination port number for the flow or destination port protocol and port number for the flow. NOTE: Destination port protocol appears only if the destination port has a standard protocol. For example, if the destination port is 80, this field displays: Dest Port http (80)

Source Port {<#> | <port_prot>(<#>)}

Source port number for the flow or source port protocol and port number for the flow. NOTE: Source port protocol appears only if the source port has a standard protocol. For example, if the source port is 80, this field displays: Dest Port http (80)

Domain <ID#>

Domain ID number assigned to the circuit on which the originating NPM or VAP receives the flow.


TTI <tti_mm:ss> out of <max_mm:ss> configured

- <tti_mm:ss>: Time to idle (TTI): the amount of time that the flow can remain idle before the NPM deletes that flow from the AFT.
- <max_mm:ss>: Maximum idle time: the maximum amount of time that the flow can be idle before the NPM deletes that flow from the AFT.

Both TTI and maximum idle time are displayed in minutes and seconds, using the format, mm:ss. For example, 8 minutes and 7 seconds has the format, 08:07. TTI is equal to maximum idle time when the flow is active. When the flow becomes idle, TTI begins to count down to 00:00. If TTI reaches 00:00 before the flow becomes active again, the NPM deletes the flow from the AFT.

Modules <VAP_name1>, <VAP_name2> ...

Name(s) of the VAPs to which the originating NPM or VAP transfers the flow.


{Re-routing | Drop(<drop_reason_ID>)}

Indicates one of the following:

- Re-routing: Originating NPM or VAP re-routes the flow to an external system.
- Drop(<drop_reason_ID>): Originating NPM or VAP drops the flow for the reason specified by <drop_reason_ID>.

Possible values for <drop_reason_ID> are:

- No L2 policy match: The destination MAC address in the packet did not match the MAC address of any VND on the circuit on which the packet entered the system. NOTE: Circuit information is not displayed for flows with this drop reason ID.
- No L3 policy match: There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
- L3 drop policy: This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
- PS2Master failed: A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
- PS2IDX failed: A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
- Load-balance failed: A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
- Broadcast failed: A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
- No Reason: One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.


Rx Available Slots <VAP_name1>, <VAP_name2> ...

VAPs available to receive packets.

Ageout <#_of_seconds>

Number of seconds the flow will remain in the active flow table.

rx circuit <ID#>

Circuit ID number assigned to the circuit on which the flow is received. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.

Master <NPM_name> Fast Path {Y|N}

Master NPM assigned to the flow. Fast Path Y indicates that the flow originates on an NPM and that the NPM processes the flow using the Fast Path. NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.

rx packets <#>

Number of packets that the originating NPM or VAP has received as part of this flow.

Restrictions
Default Privilege Level: 0

Examples
Example 1: Displaying all Active Flows Using the Default Command Output Format

The following command displays information about all active flows on an X-Series Platform on which a VAP group called testvapgroup is currently running a firewall application:

CBS# show flow active
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y

Module          Source           Destination      Prot  Dom  TTI/MAX
testvapgroup_1  0.0.0.0:8116     3.3.3.0:8116     17    1    01:00/01:00
    Modules testvapgroup_2, testvapgroup_3
    rx circuit 1026   Master np1   Fast Path N   rx packets 732
testvapgroup_2  3.3.3.6:0        224.0.0.22:0     6     1    00:25/00:30
    Drop(No reason)
    rx circuit 1026   Master np1   Fast Path N   rx packets 0
np3             192.168.5.1:257  192.168.5.4:397  6     1    09:12/10:00
    Modules testvapgroup_1
    rx circuit 1025   Master np1   Fast Path Y   rx packets 24
CBS#


Example 2: Filtering the Default Command Output Format

The following command displays information only about the active flows using protocol 17:

CBS# show flow active protocol 17
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y

Module          Source           Destination      Prot  Dom  TTI/MAX
testvapgroup_1  0.0.0.0:8116     3.3.3.0:8116     17    1    01:00/01:00
    Modules testvapgroup_2, testvapgroup_3
    rx circuit 1026   Master np1   Fast Path N   rx packets 732
CBS#

Example 3: Displaying all Active Flows Using the Verbose Command Output Format

The following command displays information about all active flows on an X-Series Platform on which a VAP group called testvapgroup is currently running a firewall application:

CBS# show flow active verbose
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y

testvapgroup_1
Source Addr 0.0.0.0, Destination Addr 3.3.3.0
Protocol udp (17), Dest Port 8116, Source Port 8116, Domain 1
TTI 01:00 out of 01:00 configured
Modules testvapgroup_2, testvapgroup_3
Rx Available Slots testvapgroup_1
Ageout 60
rx circuit 1026 Master np1 Fast Path N rx packets 856

testvapgroup_1
Source Addr 3.3.3.6, Destination Addr 224.0.0.22
Protocol tcp (6), Dest Port 0, Source Port 0, Domain 1
TTI 00:15 out of 00:30 configured
Drop(No reason)
rx circuit 1026 Master np1 Fast Path N rx packets 0

np3
Source Addr 192.168.5.1, Destination Addr 192.168.5.4:397
Protocol tcp (6), Dest Port 397, Source Port 257, Domain 1
TTI 10:00 out of 10:00 configured
Modules testvapgroup_1
Rx Available Slots testvapgroup_2, testvapgroup_3
Ageout 88
rx circuit 1025 Master np1 Fast Path Y rx packets 934
CBS#
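The following Python script is an added example, not part of the XOS documentation or of any Crossbeam software. It parses show flow active verbose output saved as text, using the field labels documented above, groups dropped flows by drop reason ID, and marks a flow idle when its TTI is below the maximum idle time. The function names, the class labels, the sample records, and the assumption that line breaks in the output carry no meaning are this example's own.

```python
import re
from collections import Counter

# Drop reason IDs from the table above, grouped by the follow-up they call for.
VAP_UNAVAILABLE = {"ps2master failed", "ps2idx failed",
                   "load-balance failed", "broadcast failed"}
POLICY = {"no l2 policy match", "no l3 policy match", "l3 drop policy"}

# A record starts with the originating NPM or VAP name, then "Source Addr".
RECORD_START = re.compile(r"(\S+)\s+Source Addr\s")
NAME_LIST = r"([\w-]+(?:\s*,\s*[\w-]+)*)"

# Constructed sample (documentation addresses, hypothetical VAP group "fw").
SAMPLE = """\
fw_1 Source Addr 198.51.100.10, Destination Addr 203.0.113.5
Protocol tcp (6), Dest Port http (80), Source Port 40112, Domain 1
TTI 10:00 out of 10:00 configured
Modules fw_2, fw_3
Rx Available Slots fw_1
Ageout 88
rx circuit 1025 Master np1 Fast Path Y rx packets 934
np3 Source Addr 198.51.100.22, Destination Addr 203.0.113.9
Protocol udp (17), Dest Port 8116, Source Port 8116, Domain 1
TTI 00:15 out of 00:30 configured
Drop(PS2IDX failed)
Rx Available Slots fw_2
Ageout 30
rx circuit 1026 Master np1 Fast Path N rx packets 0
np3 Source Addr 198.51.100.23, Destination Addr 203.0.113.9
Protocol tcp (6), Dest Port 23, Source Port 51000, Domain 2
TTI 00:30 out of 00:30 configured
Drop(No L3 policy match)
Ageout 30
Master np1 Fast Path N rx packets 3
"""

def _seconds(mmss):
    minutes, seconds = mmss.split(":")
    return int(minutes) * 60 + int(seconds)

def _first(pattern, text, cast=str):
    match = re.search(pattern, text)
    return cast(match.group(1)) if match else None

def _port(label, text):
    # Accepts both "Dest Port 8116" and "Dest Port http (80)".
    match = re.search(label + r"\s+(?:\w+\s*\((\d+)\)|(\d+))", text)
    return int(match.group(1) or match.group(2)) if match else None

def classify_drop(reason):
    """Map a drop reason ID to 'vap-unavailable', 'policy' or 'other'."""
    key = " ".join(reason.lower().split())
    if key in VAP_UNAVAILABLE:
        return "vap-unavailable"   # no target VAP was in the Active state
    if key in POLICY:
        return "policy"            # no matching rule, or a rule with action drop
    return "other"                 # for example "No Reason"

def parse_flows(output):
    """Split verbose output into one dict per flow record."""
    starts = list(RECORD_START.finditer(output))
    flows = []
    for i, start in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(output)
        rec = output[start.start():end]
        tti = re.search(r"TTI\s+(\d+:\d+)\s+out of\s+(\d+:\d+)", rec)
        reason = _first(r"Drop\(([^)]*)\)", rec)
        modules = _first(r"\bModules\s+" + NAME_LIST, rec)
        flows.append({
            "origin": start.group(1),
            "src": _first(r"Source Addr\s+([^,\s]+)", rec),
            "dst": _first(r"Destination Addr\s+(\S+)", rec),
            "protocol": _first(r"Protocol\s+\w+\s*\((\d+)\)", rec, int),
            "dst_port": _port("Dest Port", rec),
            "src_port": _port("Source Port", rec),
            "domain": _first(r"Domain\s+(\d+)", rec, int),
            # TTI equals the maximum while the flow is active.
            "idle": bool(tti) and _seconds(tti.group(1)) < _seconds(tti.group(2)),
            "modules": re.split(r"\s*,\s*", modules) if modules else [],
            "rerouted": bool(re.search(r"\bRe-routing\b", rec)),
            "drop_reason": reason,
            "drop_class": classify_drop(reason) if reason is not None else None,
            # Absent for the "No L2/L3 policy match" drop reasons.
            "rx_circuit": _first(r"rx circuit\s+(\d+)", rec, int),
            "master": _first(r"Master\s+(\S+)", rec),
            "fast_path": _first(r"Fast Path\s+([YN])", rec) == "Y",
            "rx_packets": _first(r"rx packets\s+(\d+)", rec, int),
        })
    return flows

def triage(flows):
    """Summarise drops and idle flows for review."""
    drops = [f for f in flows if f["drop_reason"] is not None]
    return {
        "by_class": Counter(f["drop_class"] for f in drops),
        "by_reason": Counter(f["drop_reason"] for f in drops),
        # Flows the NPM could not hand to a VAP: check VAP state first.
        "undelivered": [(f["src"], f["dst"], f["dst_port"]) for f in drops
                        if f["drop_class"] == "vap-unavailable"],
        "idle": [(f["src"], f["dst"]) for f in flows if f["idle"]],
    }
```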


show flow-path active


Displays the flow paths for the active flows that the X-Series Platform is currently processing. A flow path is the path that a flow takes when it goes through the X-Series Platform. A flow path has the following basic elements:

- Flow classification information: source and destination IP addresses, source and destination port numbers, protocol number, and domain ID number
- Network Processor Module (NPM) on which the active flow enters the X-Series Platform
- Circuit(s) on which the active flow enters an active virtual application processor (VAP) group(s)
- Active VAP(s) that processes the flow
- NPM interface on which the active flow leaves the X-Series Platform

By default, this command displays information only about the initial entry path and the final egress NPM interface for each flow. That is, the command displays information only about the NPM, circuit, and VAP on which the flow first enters the X-Series Platform and the NPM interface on which the flow exits the X-Series Platform. Use the default command output to determine whether NPMs are dropping flows when they arrive on the X-Series Platform, to make sure traffic is successfully passing through the X-Series Platform, and to determine where the NPM sends flows that it does not drop.

Use the verbose parameter to display information about the full path for each active flow, from the ingress NPM to the egress NPM interface. Use this parameter to monitor flows when:

- The flows pass through more than one VAP group configured on the X-Series Platform.
- The flows pass through a VAP group that is configured with separate circuits and NPM interfaces for ingress and egress traffic.

NOTE: See Verbose Output on page 817 for a detailed description of the verbose output of this command.

By default, this command's output is static; the CLI displays the current flow paths for the active flows that exist when you issue the command and does not display updated information when the state of an existing flow changes or when a new flow arrives on the X-Series Platform. Use the poll parameter to continuously poll the NPMs and display updated information at regular intervals. Use this parameter to continuously monitor traffic over time, observing changes in the states of existing flows and obtaining flow path information for new flows that arrive on the X-Series Platform.

NOTE: Press Ctrl-y to stop updating the command output and return to the CLI prompt.

By default, this command displays flow path information for all active flows. You can use one or more of the following parameters to filter the command output to display flow path information only for active flows that match the criteria that you specify with the parameters:

- source-address
- destination-address
- source-port
- destination-port
- protocol
- domain
- circuit-id
- module
- master-npm
- fast-path-only

By default, this command lists the active flows in the order in which they appear in the AFT. Use the sort parameter to sort the list of flows, as described in Parameters on page 824.


Syntax
show flow-path active [verbose] [poll <polling_interval>]
    [source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [source-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [destination-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}]
    [domain {<domain_ID_number> | <lowest_domain_ID_number> <highest_domain_ID_number>}]
    [circuit-id {<circuit_ID_number> | <lowest_circuit_ID_number> <highest_circuit_ID_number>}]
    [module {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}]
    [master-npm {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}]
    [sort]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

verbose

Changes the format in which the CLI displays the output of the command and displays information about the full path for each active flow, from ingress NPM interface to egress NPM interface. See Default Output on page 827 for more details.

poll <polling_interval>

Polls the NPMs continuously and displays updated information every <polling_interval> seconds. NOTE: Press Ctrl-y to stop polling the NPMs and return to the CLI prompt. Valid values for <polling_interval> are from 1-3600.

source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}

Filters the command output using the specified source IP address matching criteria. Specify a single IP address to display flow path information only for active flows that have the specified source IP address. Specify a range of IP addresses to display flow path information only for active flows whose source IP addresses are within the specified range.


destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}

Filters the command output using the specified destination IP address matching criteria. Specify a single IP address to display flow path information only for active flows that have the specified destination IP address. Specify a range of IP addresses to display flow path information only for active flows whose destination IP addresses are within the specified range.

source-port {<port_number> | <lowest_port_number> <highest_port_number>}

Filters the command output using the specified source port matching criteria. Specify a single port number to display flow path information only for active flows that have the specified source port number. Specify a range of port numbers to display flow path information only for active flows whose source port numbers are within the specified range.

destination-port {<port_number> | <lowest_port_number> <highest_port_number>}

Filters the command output using the specified destination port matching criteria. Specify a single port number to display flow path information only for active flows that have the specified destination port number. Specify a range of port numbers to display flow path information only for active flows whose destination port numbers are within the specified range.

protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}

Filters the command output using the specified protocol matching criteria. Specify a single protocol number to display flow path information only for active flows that have the specified protocol number. Specify a range of protocol numbers to display flow path information only for active flows whose protocol numbers are within the specified range.


domain {<domain_ID_number> | <lowest_domain_ID_number> <highest_domain_ID_number>}

Filters the command output using the specified domain matching criteria. Specify a single domain ID number to display flow path information only for active flows received on circuits with the specified domain ID number. Specify a range of domain ID numbers to display flow path information only for active flows received on circuits whose domain ID numbers are within the specified range. Use the show circuit command to display the domain ID numbers assigned to circuits configured on the X-Series Platform.

NOTE: By default, XOS assigns all new circuits to domain number 1. You can assign a circuit to a different domain by specifying the domain parameter with the configure circuit command. If you assign a single domain ID to all of the circuits configured for a VAP group, you can use the show flow-path active command to monitor the status of all of the flows that pass through that VAP group. This is particularly useful when monitoring flows that pass through multiple, serialized VAP groups, since you can assign a unique domain ID to each VAP group's circuits.

circuit-id {<circuit_ID_number> | <lowest_circuit_ID_number> <highest_circuit_ID_number>}

Filters the command output using the specified circuit ID matching criteria. Specify a single circuit ID number to display flow path information only for active flows received on the circuit with the specified circuit ID number. Specify a range of circuit ID numbers to display flow path information only for active flows received on the circuits whose circuit ID numbers are within the specified range. Use the show circuit command to display the circuit ID numbers assigned to circuits configured on the X-Series Platform.

NOTE: XOS assigns a default circuit ID number to every new circuit. You can assign a new circuit ID number to a circuit by specifying the circuit-id parameter with the configure circuit command.

module {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}

Filters the command output using the specified originating NPM matching criteria. Specify a single NPM slot number to display flow path information only for active flows that originate on the NPM with the specified slot number. Specify a range of NPM slot numbers to display information only about active flows that originate on the NPMs whose slot numbers are within the specified range.


master-npm {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}

Filters the command output using the specified master NPM matching criteria. Specify a single NPM slot number to display flow path information only for active flows whose master NPM has the specified slot number. Specify a range of NPM slot numbers to display flow path information only for active flows whose master NPM has a slot number within the specified range.

sort

Sorts the list of active flow paths that the command displays, using the following criteria, in the order shown. The CLI sorts the list of flow paths:

1. first by destination IP address
2. then by source IP address
3. then by protocol number
4. then by destination port
5. then by source port

Default Output
By default, the show flow-path active command displays information in a table, using the following format:

Module        Source:port   Destination:port   Prot   Dom
<NPM_name1>   <IP>:<port>   <IP>:<port>        <#>    <ID#>
    rx circuit <ID#>   rx active <VAP_name>   [rx passive]   tx_port <slot>_<port>   master <NPM_name>
<NPM_name2>   <IP>:<port>   <IP>:<port>        <#>    <ID#>
    rx circuit <ID#>   Drop(<drop_reason>)   master <NPM_name>

The output has the format shown in the entry for <NPM_name1> if the originating NPM transfers the flow to a VAP for processing. The output has the format shown in the entry for <NPM_name2> if the originating NPM drops the flow.

The following table describes the information provided in each column/row/field in the command output.

Module <NPM_nameN>

Name of the NPM from which the flow originates. An NPM name has the format: np<NPM_slot_number>
Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.


Source:port <IP>:<port>

Source IP address and source port number for the flow.

Destination:port <IP>:<port>

Destination IP address and destination port number for the flow.

Prot <#>

Numeric identifier for the protocol that the flow uses.

Dom <ID#>

Domain ID number assigned to the first circuit on which the flow enters an active VAP group.

rx circuit <ID#>

Circuit ID number assigned to the first circuit on which the flow enters an active VAP group. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.

rx active <VAP_name> [rx passive]

Name of the first active VAP that receives the flow. If a Tap is configured on the circuit on which the flow enters the active VAP group, the name of the TAP appears in the rx_passive field. If no tap is configured, this field is blank. NOTE: A VAP name has the format: <VAP_group_name>_<VAP_Index_Number> Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.

tx_port <slot>_<port>

NPM slot number and port number for the NPM interface on which the flow exits the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to circuit IP addresses configured for an active VAP group.


Drop(<drop_reason_ID>)

Indicates that the originating NPM drops the flow for the reason specified by <drop_reason_ID>. Possible values for <drop_reason_ID> are:

- No L2 policy match: There are no non-IP flow rules that apply to this layer 2 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
- No L3 policy match: There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
- L3 drop policy: This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
- PS2Master failed: A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
- PS2IDX failed: A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
- Load-balance failed: A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
- Broadcast failed: A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
- No Reason: One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.

Master <NPM_name>

Master NPM assigned to the flow.


Verbose Output
The verbose output for this command has the following format:

<NPM_Name1>
Source Addr <IP_address>, Destination Addr <IP_address>
Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
rx circuit <ID#1> rx active <VAP_name1> [rx passive]
rx circuit <ID#2> rx active <VAP_name2> [rx passive]
...
rx circuit <ID#N> rx active <VAP_nameN> [rx passive]
rx circuit <ID#NPM> rx active <NPM_name> [rx passive] tx_port <slot>_<port> master <NPM_name>

<NPM_or_VAP_Name2>
Source Addr <IP_address>, Destination Addr <IP_address>
Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
rx circuit <ID#1> Drop(<drop_reason>) master <NPM_name>

The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing. The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.

The following table describes the information provided in each column/row/field in the command output.

<NPM_nameN>

Name of the NPM from which the flow originates. An NPM name has the format: np<NPM_slot_number>
Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.

Source Addr <IP_address>

Source IP address for the flow.

Destination Addr <IP_address>

Destination IP address for the flow.

Protocol <prot_name> (<#>)

Name of the protocol that the flow uses and the numeric identifier for that protocol. For example, if the flow uses UDP, this field displays: Protocol udp (17)

Dest Port {<#> | <port_prot>(<#>)}

Destination port number for the flow or destination port protocol and port number for the flow. NOTE: Destination port protocol appears only if the destination port has a standard protocol. For example, if the destination port is 80, this field displays: Dest Port http (80)


Source Port {<#> | <port_prot>(<#>)}

Source port number for the flow or source port protocol and port number for the flow. NOTE: Source port protocol appears only if the source port has a standard protocol. For example, if the source port is 80, this field displays: Dest Port http (80)

Domain <ID#>

Domain ID number assigned to the first circuit on which the flow enters an active VAP group.

rx circuit <ID#1> rx active <VAP_name1> [rx passive]
rx circuit <ID#2> rx active <VAP_name2> [rx passive]
...
rx circuit <ID#N> rx active <VAP_nameN> [rx passive]

Sequence of paths that the flow uses to enter an active VAP group on the X-Series Platform and then pass through one or more additional active VAP groups. The paths are listed in the order in which the active VAP groups configured on the X-Series Platform receive and process the flow. The CLI displays the following information about each path that the flow uses to pass through an active VAP group before arriving at its final egress interface on the NPM:

- rx circuit <ID#N>: Circuit ID number assigned to the circuit on which the flow enters the active VAP group. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.
- rx active <VAP_nameN>: Name of the active VAP that receives the flow. A VAP name has the format: <VAP_group_name>_<VAP_Index_Number> Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
- rx passive: If a Tap is configured on the circuit on which the flow enters the active VAP group, the name of the TAP appears in the rx_passive field. If no tap is configured, this field is blank.


rx circuit <ID#NPM> rx active <NPM_name> [rx passive]

Path that the flow uses to arrive at its egress interface on the NPM. The egress interface is the physical interface that the flow uses to exit the X-Series Platform. The CLI displays the following information about this path:

- rx circuit <ID#NPM>: Circuit ID number assigned to the circuit mapped to the egress interface on the NPM. NOTE: This circuit is mapped to the last VAP group that the flow passes through before exiting the X-Series Platform. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.
- rx active <NPM_name>: Name of the NPM from which the flow exits the X-Series Platform. A VAP name has the format: <VAP_group_name>_<VAP_Index_Number> Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
- rx passive: This field contains the name of a Tap if one is configured on the circuit mapped to the flow's egress interface on the NPM. If no Tap is configured, this field is blank.

tx_port <slot>_<port>

NPM slot number and port number for the NPM interface on which the flow exits the X-Series Platform. NOTE: This interface is mapped to a circuit that is mapped to the last VAP group that the flow passes through before exiting the X-Series Platform. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.


Drop(<drop_reason_ID>)

Indicates that the originating NPM drops the flow for the reason specified by <drop_reason_ID>. Possible values for <drop_reason_ID> are:

- No L2 policy match: There are no non-IP flow rules that apply to this layer 2 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
- No L3 policy match: There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
- L3 drop policy: This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
- PS2Master failed: A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
- PS2IDX failed: A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
- Load-balance failed: A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
- Broadcast failed: A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
- No Reason: One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.

Master <NPM_name>

Master NPM assigned to the flow.

Restrictions
Default Privilege Level: 15


Examples
Example 1: Displaying all Active Flow Paths Using the Default Command Output Format

The following command displays the initial entry path and the egress NPM interface for every active flow that the X-Series Platform is currently processing. In this example, a VAP group called testvapgroup is currently configured on the X-Series Platform and is running a firewall application.

    CBS# show flow-path active
    This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
    Module  Source:port          Destination:port     Prot  Dom
    np2     172.16.10.100:2009   172.16.20.240:80     6     1
            rx circuit 1027  rx active testvapgroup_2  rx passive  tx_port 4_2  master np2
    np4     172.16.20.240:80     172.16.10.144:53814
            rx circuit 1028  rx active testvapgroup_1  rx passive  tx_port 2_2  master np2
    np2     172.16.10.207:31754  172.16.20.240:80
            rx circuit 1029  Drop(PS2IDX failed)  master np2
    CBS#

Example 2: Filtering the Default Command Output Format

The following command displays initial entry path and egress NPM interface information only for the active flows whose source port number is 80:

    CBS# show flow-path active source-port 80
    This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
    Module  Source:port          Destination:port     Prot  Dom
    np4     172.16.20.240:80     172.16.10.144:53814  6     1
            rx circuit 1028  rx active testvapgroup_1  rx passive  tx_port 2_2  master np2
    CBS#

Example 3: Displaying all Active Flow Paths Using the Verbose Command Output Format

The following command displays the complete flow path for every active flow that the X-Series Platform is currently processing. In this example, a VAP group called testvapgroup is currently configured on the X-Series Platform and is running a firewall application.

    CBS# show flow-path active verbose
    This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
    np4
      Source Addr 172.16.10.100, Destination Addr 172.16.20.240
      Protocol tcp (6), Dest Port http(80), Source Port 2009, Domain 1
      rx circuit 1027  rx active testvapgroup_2  rx passive
      rx circuit 1030  rx active np2  rx passive  tx_port 2_2  master np2
    np2
      Source Addr 172.16.20.240, Destination Addr 172.16.10.144
      Protocol tcp (6), Dest Port 53814, Source Port http(80), Domain 1
      rx circuit 1028  rx active testvapgroup_1  rx passive
      rx circuit 1031  rx active np4  rx passive  tx_port 4_2  master np2
    np2
      Source Addr 172.16.10.207, Destination Addr 172.16.20.240
      Protocol tcp (6), Dest Port http(80), Source Port 31754, Domain 1
      rx circuit 1029  Drop(PS2IDX failed)  master np2
    CBS#

show flow distribution


Displays the number of flows that each Network Processor Module (NPM) installed in the X-Series Platform has assigned to each virtual application processor (VAP) in each VAP group configured on the X-Series Platform, and displays the rates at which each NPM assigns new and existing flows to each VAP. Use this command to determine whether flows are being load balanced across all members of a VAP group and to monitor the number of flows that each VAP group is processing. By default, this command lists the NPM-to-VAP flow assignments in the order in which the NPMs assign the flows to VAPs in a VAP group. Use the sort parameter to sort the list of NPM-to-VAP flow assignments by VAP group name or by APM slot number.

Syntax
show flow distribution [sort {vap-group | apm-slot}]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description

sort {vap-group | apm-slot}: Sorts the list of VAP flow assignments. Use one of the following keywords to specify the method used to sort the list:
  vap-group: Sorts the list of VAP flow assignments first by VAP group name, then by VAP index number, and then by APM slot number.
  apm-slot: Sorts the list of VAP flow assignments first by APM slot number, then by VAP group name, and then by VAP index number.


Output
This command displays information in a table, using the following format. The command output shows the number of flows that each NPM assigns to each VAP in each VAP group.

NOTE: Table entries appear only for the NPMs that are actually installed in the X-Series Platform.

    NP   Uptime             Slot   VAP      New Flows Rate  Aged Flows Rate  Flows
                                            =============   =============    =====
    np1  <#> days, <hh:mm>  <AP#>  <name1>  <Delta_#flows>  <Delta_#flows>   <#>
    np2  <#> days, <hh:mm>  <AP#>  <name1>  <Delta_#flows>  <Delta_#flows>   <#>
    np3  <#> days, <hh:mm>  <AP#>  <name1>  <Delta_#flows>  <Delta_#flows>   <#>
    np4  <#> days, <hh:mm>  <AP#>  <name1>  <Delta_#flows>  <Delta_#flows>   <#>
    np1  <#> days, <hh:mm>  <AP#>  <name2>  <Delta_#flows>  <Delta_#flows>   <#>
    np2  <#> days, <hh:mm>  <AP#>  <name2>  <Delta_#flows>  <Delta_#flows>   <#>
    np3  <#> days, <hh:mm>  <AP#>  <name2>  <Delta_#flows>  <Delta_#flows>   <#>
    np4  <#> days, <hh:mm>  <AP#>  <name2>  <Delta_#flows>  <Delta_#flows>   <#>
    ...

The following table describes the information provided in each column/row.

Column/Row Heading: Information Provided

NP: Name of the NPM that assigns flows to a VAP. Use the show chassis command to display the NPM names assigned to the NPMs installed in your X-Series Platform.
Uptime: Amount of time that the NPM has been in the UP state, in days, hours, and minutes. Hours and minutes are expressed in the format: mm:ss. For example, 9 hours and 7 minutes is 09:07.
Slot: Slot number for the APM assigned to the VAP to which the NPM assigns flows.
VAP: Name of the VAP to which the NPM assigns flows. A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>. Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
New Flows Rate: The change in the number of new flows that the NPM assigns to the VAP, since the past second.
Aged Flows Rate: The change in the number of existing flows that the NPM assigns to the VAP, since the past second.
Flows: Total number of flows that the NPM currently assigns to the VAP.

Restrictions
Default Privilege Level: 0


Examples
Example 1: Default Command Output

The following command displays the number of flows that each Network Processor Module (NPM) installed in the X-Series Platform has assigned to each VAP in each VAP group configured on the X-Series Platform, and displays the rates at which each NPM assigns new and existing flows to each VAP. There are two VAP groups configured on this X-Series Platform: one called cp, which has three VAPs, and one called iss, which has two VAPs.

    CBS# sho flow distribution
    Rate calculation is enabled
                                         New Flows   Aged Flows
    NP    Uptime         Slot  VAP       Rate        Rate        Flows
                                         ==========  ==========  =========
    np1   1 days, 19:22  6     cp_1      1465        521         8939
    np4   1 days, 19:22  6     cp_1      505         183         3100
    np1   1 days, 19:22  7     cp_2      1358        524         8744
    np4   1 days, 19:22  7     cp_2      447         192         3040
    np1   1 days, 19:22  10    iss_1     2122        766         13201
    np4   1 days, 19:22  10    iss_1     702         288         4526
    np1   1 days, 19:22  11    cp_3      1380        532         8734
    np4   1 days, 19:22  11    cp_3      466         184         2983
    np1   1 days, 19:22  12    iss_2     2081        811         13194
    np4   1 days, 19:22  12    iss_2     716         271         4575
    CBS#
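One way to automate the load-balancing check this command is meant for, as an added example that is not part of the Crossbeam guide: the Python below parses rows in the documented column order and reports VAP group members that receive well under an even share of their group's flows, including members missing from the output. The sample text is constructed from the Example 1 rows; the EXPECTED membership map and the 10% tolerance are assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the rows of Example 1, one table row per line.
SAMPLE = """\
CBS# sho flow distribution
Rate calculation is enabled
NP   Uptime         Slot  VAP    New Flows Rate  Aged Flows Rate  Flows
np1  1 days, 19:22  6     cp_1   1465            521              8939
np4  1 days, 19:22  6     cp_1   505             183              3100
np1  1 days, 19:22  7     cp_2   1358            524              8744
np4  1 days, 19:22  7     cp_2   447             192              3040
np1  1 days, 19:22  10    iss_1  2122            766              13201
np4  1 days, 19:22  10    iss_1  702             288              4526
np1  1 days, 19:22  11    cp_3   1380            532              8734
np4  1 days, 19:22  11    cp_3   466             184              2983
np1  1 days, 19:22  12    iss_2  2081            811              13194
np4  1 days, 19:22  12    iss_2  716             271              4575
CBS#
"""

# Assumption: VAP group membership, taken from the platform configuration.
EXPECTED = {"cp": ["cp_1", "cp_2", "cp_3"], "iss": ["iss_1", "iss_2"]}

# NP, Uptime ("<#> days, <hh:mm>"), Slot, VAP, New Flows Rate, Aged Flows Rate, Flows
ROW = re.compile(
    r"^(?P<np>np\d+)\s+\d+ days?,\s+\d+:\d+\s+(?P<slot>\d+)\s+(?P<vap>\S+)"
    r"\s+(?P<new>\d+)\s+(?P<aged>\d+)\s+(?P<flows>\d+)$"
)


def parse_flow_distribution(text):
    """Return one dict per NPM-to-VAP row; prompts, headers and rules are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({
                "np": m["np"], "slot": int(m["slot"]), "vap": m["vap"],
                "new_rate": int(m["new"]), "aged_rate": int(m["aged"]),
                "flows": int(m["flows"]),
            })
    return rows


def flows_per_vap(rows):
    """Total flows per VAP, summed over every NPM that assigns flows to it."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["vap"]] += row["flows"]
    return dict(totals)


def underloaded_vaps(rows, expected, tolerance=0.10):
    """List (group, vap, flows, fair_share) for members below their even share.

    A member absent from the output counts as zero flows, so a VAP that has
    dropped out of load balancing is reported rather than silently skipped.
    """
    totals = flows_per_vap(rows)
    findings = []
    for group, members in expected.items():
        group_total = sum(totals.get(vap, 0) for vap in members)
        if group_total == 0:
            # No member of the group is receiving flows at all.
            findings.extend((group, vap, 0, 0) for vap in members)
            continue
        fair = group_total / len(members)
        for vap in members:
            flows = totals.get(vap, 0)
            if flows < fair * (1 - tolerance):
                findings.append((group, vap, flows, round(fair)))
    return findings


if __name__ == "__main__":
    parsed = parse_flow_distribution(SAMPLE)
    print(flows_per_vap(parsed))
    print(underloaded_vaps(parsed, EXPECTED))
```
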

show group-interface
This command displays the configurations of all group interfaces, or displays only the configuration of the specified group interface. This command displays only the parameter settings that are applicable to each group interface's physical interface type. This command shows how the group interface was configured, not the current state of the group interface. To view the current state, use the show interface command for each interface in the group.

Syntax
show group-interface [<group_name>][stats][status]

Context
You access this command from the main CLI context.

Inline Commands
The following table lists the CLI commands used inline with the show group-interface command.

Command: Description

stats: Displays the operational group interface status.
status: Displays the group interface status.


Parameters
The following table lists the parameters used with this command.

Parameter: Description

<group_name>: Displays only the configuration of the specified group interface. By default, the show group-interface command displays the configurations of all group interfaces.

Restrictions
Default Privilege Level: 15

Example
The following is an example display of group interface testgrpint.

CBS# show group-interface testgrpint
Group Name Mode Mode Circuit Traffic Cleaning Validation: Interface Type Enable (true/false) Auto Negotiate Enabled (true/false) Media Speed (Mbits) Duplex Mode Pause Frame (true/false) Physical Interface (Device) [en/disable] Physical Interface (Device) [en/disable] Logical Interface (Circuit) (v101) (1 row) : : : : : : : : : : : : : testgrpint multi-link new_cct2 gigabitethernet t t auto auto t gigabitethernet 1/2 [enable] gigabitethernet 1/3 [enable] log2 ingress-vlan-tag 101 101

NOTE: If Mode is None, the group interface is not yet fully configured or functional. You still need to select a mode.

show interface
This command displays the current state for a physical interface. If no interface is specified, status is displayed for all physical interfaces. The detail parameter displays verbose information, and allows you to specify additional parameters to filter the verbose output to display only data for the physical line, IPv4, IPv6, or non-IPv4 frame types, interface type, or to display data for a specific interface. The IP frame type parameters apply only to NPM interfaces. With the exception of management interfaces, the MTU setting is defined at the circuit level. Use show circuit to display the MTU.


Syntax
show interface [detail [phy] [ipv4] [ipv6] [non-ipv4] [gigabitethernet <slot/port> | 10gigabitethernet <slot/port>]]
show interface [gigabitethernet <slot/port> | 10gigabitethernet <slot/port>] [high-availability]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description

detail: Displays verbose information, including a reason for dropped packets. The detail parameter is ignored for management interfaces. The detail parameter supports the following parameters as filters.
detail all: (Used only following the detail parameter) Displays the verbose status of all physical interfaces. This is the default.
detail phy: (Used only following the detail parameter) Displays the verbose status of all physical lines. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
detail ipv4: (Used only following the detail parameter) Displays the verbose status for IPv4 frames on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
detail ipv6: (Used only following the detail parameter) Displays the verbose status for IPv6 frames on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
detail non-ipv4: (Used only following the detail parameter) Displays the verbose status for non-IPv4 frames, including IPv6 frames, on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
[detail] 10gigabitethernet <slot/port>: Displays the status of 10 Gigabit Ethernet interfaces only. Displays the verbose status when used following the detail parameter. If you specify 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.
[detail] gigabitethernet <slot/port>: Displays the status of Gigabit Ethernet interfaces only. Displays the verbose status when used following the detail parameter. If you specify gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.
high-availability: Displays the status of the High Availability port on the primary CPM.

Output
The output for the show interface detail command has the following format:

    show interface detail gigabitethernet 2/1
    Gigabitethernet 2/1 is up
    Interface is in use
    Hardware address is N/A
    SFP info: phy_present|phy_good Media Type: Copper, Vendor Name: Methode Elec.
    MTU N/A, BW 100 Mbits, full-duplex, auto-negotiation is enabled
    Last clearing of "show interface" counters never
    PHY stats: Statistics on physical line
      Received:
        Total frames 2069898 (bytes 200033630)
        Broadcast frames 1546455
        Undersized frames 0
        Oversized frames 0
        Throttles 0
        Total errors 0
        Frame check sequence (FCS) errors 0
        Frame errors 0
        Overrun errors 0
        Ignored errors 0
      Transmitted:
        Total frames 381705 (bytes 345098116)
        Underrun errors 0
        Total errors 0
        Collisions 0
    IPv4 stats: Statistics for IPv4 frames
      Received frames                             1304125 (rate 0 fps)
      Transmitted frames                          381705 (rate 0 fps)
      Dropped frames (and rate per minute):
        Bad V4 header                             41 (rate 0 fpm)
        Un-configured circuit                     23 (rate 0 fpm)
        Provision table full                      0 (rate 0 fpm)
        Table configuration error                 0 (rate 0 fpm)
        Packet processing capacity                0 (rate 0 fpm)
        Interface down                            19 (rate 0 fpm)
        Invalid internal route                    0 (rate 0 fpm)
        Mismatched L2 entry                       218 (rate 0 fpm)
        Mismatched L3 entry                       0 (rate 0 fpm)
        Early NFI reinjection                     0 (rate 0 epm)
        Mismatched L2 route                       0 (rate 0 fpm)
        L3 policy action                          6 (rate 0 fpm)
        Mismatched L3 route                       0 (rate 0 fpm)
        Unavailable master                        0 (rate 0 fpm)
        Mismatched index for action pass-to-vap   1304 (rate 0 fpm)
        Unavailable lb-vector                     0 (rate 0 fpm)
        Empty vap-group                           365 (rate 0 fpm)
      NFI (New Flow Initiation) Events (and rate):
        New flow                                  7514 (rate 0 eps)
        Internal route change                     3534 (rate 0 eps)
        External route change                     4 (rate 0 eps)
      Frame Validation Failure Stats (and rate per minute)
        Invalid IP/TCP frame                      0 (rate 0 fpm)
        Invalid IP/TCP frame dropped              0 (rate 0 fpm)
    IPv6 stats: Statistics for IPv6 frames
      Received frames                             2351477 (rate 0 fps)
      Transmitted frames                          841633 (rate 0 fps)
    Non-IPv4 (incl. IPv6) stats: Statistics for Non-IPv4 Frames
      Received frames                             765501 (rate 1 fps)
      Transmitted frames                          10726 (rate 0 fps)
      Dropped frames (and rate per minute):
        Un-configured circuit                     0 (rate 0 fpm)
        Mismatched L2 policy                      3706 (rate 0 fpm)
        Policy action                             0 (rate 0 fpm)
        Interface down                            8 (rate 0 fpm)
        Empty vap-group                           0 (rate 0 fpm)

The following table describes the information provided in each column and/or row.

Column/Row Heading: Information Provided

SFP Info: Provides hardware and configuration information for the SFP.
MTU and Phy stats: This information is the same information produced by the command ifconfig.

IP Stats: Statistics for IP Frames
Received Frames: The number of IP data packets received at the network processing unit (NPU) from the external interfaces.
Transmitted Frames: Number of IP data packets transmitted from the NPU to the external interfaces.

Reasons for Dropped IP Frames
Bad V4 Header: The IPv4 header type or the header length is wrong.
Un-configured circuit: The circuit is not configured for the incoming VLAN and port to process the packet.

Provision table full: Packets for new flows are dropped because the provision table was full. The provision table holds new flows during flow setup.
Table configuration error: Internal NPU configuration error
Packet processing capacity: Traffic exceeded the packet processing capacity of the NPU.
Interface down: The state of the interface was down.
Invalid internal route: Unexpected route information in the NPU.
Mismatched L2 entry: The L2 policy did not match the incoming packet.
Mismatched L3 entry: The L3 policy did not match the incoming packet.
Early NFI Reinjection: When new flow initiation (NFI) packets are injected before the flow is established in the NPU.
Mismatched L2 route: The NPM was unable to establish an L2 flow to the APM.
L3 policy action: A Layer-3 policy is programmed to drop the packet.
Mismatched L3 route: The NPM was unable to establish an L3 flow to the APM.
Unavailable master: When a policy is programmed to pass-to-master and a master VAP is not available, the packet is dropped.
Mismatched index for action pass-to-vap: When a policy is programmed to pass to index and the VAP with the specified index is not available, the packet is dropped.
Unavailable lb-vector: When a policy is programmed to load balance and the VAP member for the load balanced flow is unavailable, the packet is dropped.
Empty vap-group: When a policy is set to broadcast and there are no VAP members available.
New flow: The number of packets that resulted in new flow processing on the NPU. The flow can exist in the control processor, but the 5-tuple entry does not exist in the NPU.
Internal route change: When a VAP member or application goes down, the processor flow software initiates the internal route change.
External route change: When an external route changes, the packet fails the ingress point validation and the result is that a new flow is initiated.

Non-IP Stats: Statistics for Non-IP Frames
Received frames: Number of non-IP data packets received at the NPU from the external interfaces.
Transmitted frames: Number of non-IP data packets transmitted from the NPU to the external interfaces.

Reasons for Dropped Non-IP Frames
Un-configured circuit: The circuit is not configured for the incoming VLAN and port to process the packet.
Mismatched L2 policy: The L2 policy did not match the incoming non-IP packet.
Policy action: The L2 policy is programmed to drop the packet.
Interface down: The state of the interface was down.
Empty vap-group: When a policy is set to broadcast and there are no VAP members available.

The output of the show interface high-availability command has the following format:

    CBS# show interface high-availability
    CP Module  Auto Negotiate Enabled (true/false)  Media Speed (Mbits)  Duplex Mode
    cp1        t                                    auto                 auto
    cp2        t                                    auto                 auto
    (2 rows)

    High-availability port on slot 14 is up
    BW 1 Gigabit, full-duplex, auto-negotiation is disabled
    Last clearing of "show interface" counters Fri Sep 3 04:54:25 2010
    PHY stats: Statistics on physical line
      Received:
        Total frames 0 (bytes 0)
        Total errors 0
      Transmitted:
        Total frames 367 (bytes 28146)
        Total errors 0

Restrictions
Default Privilege Level: 0
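An added example, not part of the Crossbeam guide: the Python below parses the per-section drop counters of show interface detail, keeps identically named counters in different sections apart, and separates drops that are still occurring (non-zero rate) from counts accumulated since the counters were last cleared. The sample text is constructed from the IPv4 and Non-IPv4 sections of the output shown above; the VAP_UNAVAILABLE grouping is an assumption drawn from the table's descriptions of those drop reasons.

```python
import re

# Constructed input: the IPv4 and Non-IPv4 sections of the sample output,
# one counter per line (PHY, IPv6 and some NFI lines omitted for brevity).
SAMPLE = """\
Gigabitethernet 2/1 is up
IPv4 stats: Statistics for IPv4 frames
  Received frames 1304125 (rate 0 fps)
  Transmitted frames 381705 (rate 0 fps)
  Dropped frames (and rate per minute):
    Bad V4 header 41 (rate 0 fpm)
    Un-configured circuit 23 (rate 0 fpm)
    Provision table full 0 (rate 0 fpm)
    Table configuration error 0 (rate 0 fpm)
    Packet processing capacity 0 (rate 0 fpm)
    Interface down 19 (rate 0 fpm)
    Invalid internal route 0 (rate 0 fpm)
    Mismatched L2 entry 218 (rate 0 fpm)
    Mismatched L3 entry 0 (rate 0 fpm)
    Early NFI reinjection 0 (rate 0 epm)
    Mismatched L2 route 0 (rate 0 fpm)
    L3 policy action 6 (rate 0 fpm)
    Mismatched L3 route 0 (rate 0 fpm)
    Unavailable master 0 (rate 0 fpm)
    Mismatched index for action pass-to-vap 1304 (rate 0 fpm)
    Unavailable lb-vector 0 (rate 0 fpm)
    Empty vap-group 365 (rate 0 fpm)
  NFI (New Flow Initiation) Events (and rate):
    New flow 7514 (rate 0 eps)
Non-IPv4 (incl. IPv6) stats: Statistics for Non-IPv4 Frames
  Received frames 765501 (rate 1 fps)
  Transmitted frames 10726 (rate 0 fps)
  Dropped frames (and rate per minute):
    Un-configured circuit 0 (rate 0 fpm)
    Mismatched L2 policy 3706 (rate 0 fpm)
    Policy action 0 (rate 0 fpm)
    Interface down 8 (rate 0 fpm)
    Empty vap-group 0 (rate 0 fpm)
"""

SECTION = re.compile(r"^(?P<name>.+?) stats: ")
COUNTER = re.compile(
    r"^(?P<name>.+?)\s+(?P<count>\d+) \(rate (?P<rate>\d+) [a-z]{3}\)$"
)

# Assumption: drop reasons the table attributes to a VAP or master VAP
# not being available to take the flow.
VAP_UNAVAILABLE = {
    "Unavailable master", "Mismatched index for action pass-to-vap",
    "Unavailable lb-vector", "Empty vap-group",
}


def parse_interface_detail(text):
    """Return {section: {"totals"|"drops"|"other": {name: (count, rate)}}}.

    Counter names such as "Interface down" repeat across sections, so every
    counter is keyed by its section. PHY lines carry no rate and are skipped.
    """
    stats, section, bucket = {}, None, "totals"
    for raw in text.splitlines():
        line = raw.strip()
        heading = SECTION.match(line)
        if heading:
            section, bucket = heading["name"], "totals"
            stats[section] = {"totals": {}, "drops": {}, "other": {}}
            continue
        if section is None or not line:
            continue
        counter = COUNTER.match(line)
        if counter:
            stats[section][bucket][counter["name"]] = (
                int(counter["count"]), int(counter["rate"]))
        else:
            # Any other line is a sub-heading; only "Dropped frames" opens drops.
            bucket = "drops" if line.startswith("Dropped frames") else "other"
    return stats


def drop_report(stats, section):
    """Non-zero drop counters of one section, largest count first."""
    report = []
    for reason, (count, rate) in stats[section]["drops"].items():
        if count:
            report.append({"reason": reason, "count": count,
                           "ongoing": rate > 0,
                           "vap_unavailable": reason in VAP_UNAVAILABLE})
    return sorted(report, key=lambda item: item["count"], reverse=True)


def vap_unavailable_total(stats, section):
    """Frames dropped in a section because no suitable VAP was available."""
    return sum(item["count"] for item in drop_report(stats, section)
               if item["vap_unavailable"])


if __name__ == "__main__":
    parsed = parse_interface_detail(SAMPLE)
    for name in parsed:
        print(name, vap_unavailable_total(parsed, name), drop_report(parsed, name))
```
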

show internal-ip
This command displays the module name, operational state, and internal IP address of each CPM and VAP installed in the X-Series Platform.

Syntax
show internal-ip

Context
You access this command from the main CLI context.

Output
The output for this command has the following format:

    Module Name  State       Internal IP Address
    CP2          PRIMARY CP  1.1.2.20
    npm1         Down        1.1.2.1
    (2 rows)

The following table describes the information provided in each column/row.

Column/Row Heading: Information Provided

Module Name: Name of module or n/a if a module is not present in the slot.
State: Operational state of the module. State can be one of the following:
  Active: Applies only to APMs. Indicates that the APM is UP and is ready to receive traffic.
  AwaitingBoot: Module is getting ready to boot up.
  Booting: Module is booting up.
  CrashDumping: Module is crashing and is sending information to a log file that you can use to debug the crash.
  Diagnostic: Module is running hardware diagnostics.
  Down: Module is not functioning.
  Initializing: Module is initializing.
  Maintenance: Module is running in maintenance mode.
  Offline: Applies only to CPMs. Indicates that a secondary CPM is present in the chassis, but that CPM is currently offline.
  Standby: Applies only to APMs. Indicates that the APM is functioning as a Standby VAP.
  Unavailable: Module is unavailable.
  Unknown: System is unable to determine the status of the module.
  Up: Module is functioning normally. For APMs, the Up status indicates that the module is functioning, but it is not yet ready to receive traffic.
  n/a: Module is not present in the slot.
Internal IP Address: Internal IP address assigned to the module.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command:

    CBS# show internal-ip
    Module Name  State       Internal IP Address
    CP1          PRIMARY CP  1.1.200.20
    flo_1        Active      1.1.200.101
    flo_2        Active      1.1.200.102
    npm1         Down        1.1.200.1
    npm2         Up          1.1.200.2
    npm3         Down        1.1.200.3
    npm4         Up          1.1.200.4
    fwa_1        Active      1.1.200.103
    fwa_2        Active      1.1.200.104


show netstat
This command displays the current active network connections and lists statistics for various protocols in TCP/IP for the specified domains or VAPs range. By default, the statistics for TCP, UDP, IP, and ICMP protocols for all domains and VAPs are displayed.

Syntax
show netstat [tcp | udp | ip | icmp | stats | arp | interface | management | process | route]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description

tcp, udp, ip, and icmp: Specify which protocol statistics are displayed.
arp: Displays the ARP cache.
stats: Displays statistics for TCP, UDP, IP, and ICMP protocols. This is the default.
interface: Displays the interface statistics.
management: Displays statistics for the management interface.
process: Displays statistics for current processes.
route: Displays IP routing information.

Restrictions
Default Privilege Level: 0

show redundancy-interface
This command displays the backup/master pairs for interface redundancy.

Syntax
show redundancy-interface

Context
You access this command from the main CLI context.

Restrictions
Default Privilege Level: 0


Example
    CBS# show redundancy-interface
    Master Intf  Backup Intf  Active Intf  MacUsage  FailOverMode
    -----------  -----------  -----------  --------  -------------
    gig 1/10     gig 4/10     Master       master    preemption-on

show vdf-status
This command displays the virtual defragmentation (VDF) statistics reported by NPM-8600s, NPM-8620s, NPM-8650s, APM-8600s, and APM-8650s. By default, this command displays information about all NPMs, APMs, and VAP groups. You can use one of the following parameters to filter the command output to display information about specific modules or VAP groups.
  module
  VAP-group
  VAP-group-member
NOTE: If you have used the clear vdf-statistics command during the current session, the Last cleared field in the output from show vdf-status has a time stamp. Otherwise, it shows Never.

Syntax
show vdf-status [verbose] [[module <module_name>] | [vap-group <VAP_group_name>] | [vap-group-member <VAP_group_name>]]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description

verbose: (Optional) Displays detailed virtual defragmentation (VDF) statistics about the modules and VAP groups.
module: (Optional) Displays VDF statistics for the specified modules. For APMs, displays VDF statistics for the VAP that runs on each of the specified APMs. Specify a module (APM or NPM) or list of modules separated by spaces for which VDF statistics are to be displayed. An NPM name has the format: np<NPM_number>. An APM name has the format: ap<APM_number>. Use the show chassis command to display the module names assigned to the NPMs and APMs installed in the X-Series Platform.
vap-group: (Optional) Displays the aggregate statistics for all members of the VAP group. Specify the name of a VAP group for which the VDF status is to be displayed.
vap-group-member: (Optional) Displays statistics for the member VAPs in the VAP group separately. Specify the name of a VAP group for whose members the VDF status is to be displayed.

Restrictions
Default Privilege Level: 0

Default Output
By default, the show vdf-status command displays VDF statistics in the following format:

    CBS# show vdf-status
    Virtual DeFragmentation (VDF) statistics reported by np1:
      Fragment statistics
        Fragments received                          : 0
        Fragments processed                         : 0
        Fragments dropped                           : 0
        Fragment queue limit                        : 0
        Fragment overlap check                      : 0
        Overlap protection on Head of Packet (HOP)  : 0
        Fragment pool depletion                     : 0
        Packet pool depletion                       : 0
        Invalid fragment                            : 0
      Packet statistics
        Packets processed                           : 0
        Packets dropped                             : 0
      Last cleared: Never
    Virtual DeFragmentation (VDF) statistics reported by vsx_1:
      Fragment statistics
        Fragments received                          : 0
        Fragments processed                         : 0
        Fragments dropped                           : 0
      Packet statistics
        Packets dropped                             : 0
      Last cleared: Never
    Virtual DeFragmentation (VDF) statistics reported by fw1_1:
      Fragment statistics
        Fragments received                          : 0
        Fragments processed                         : 0
        Fragments dropped                           : 0
      Packet statistics
        Packets dropped                             : 0
      Last cleared: Never


Verbose Output
The following example shows the verbose output of the show vdf-status command:

    CBS# show vdf-status verbose
    Virtual DeFragmentation (VDF) statistics reported by np1:
      Fragment statistics
        Fragments received                             : 0
        Fragments processed                            : 0
        Fragments dropped                              : 0
        Fragment queue limit                           : 0
        Fragment overlap check                         : 0
        Overlap protection on Head of Packet (HOP)     : 0
        Fragment pool depletion                        : 0
        Packet pool depletion                          : 0
        Invalid fragment                               : 0
        In-flight fragments                            : 0
        Maximum in-flight fragments                    : 0
        Duplicate End of Packet (EOP)                  : 0
        EOP last byte below last byte seen             : 0
        Multiple HOP fragments                         : 0
        Fragments pruned by overlap protection on HOP  : 0
      Packet statistics
        Packets processed                              : 0
        Packets dropped                                : 0
        In-flight packets                              : 0
        Maximum in-flight packets                      : 0
        Packets with fragment-offset overlapping       : 0
        Packet tracking restarts by IP-ID validation   : 0
        Packet reassembly timeouts                     : 0
      Last cleared: Never
    Virtual DeFragmentation (VDF) statistics reported by vsx_1:
      Fragment statistics
        Fragments received                             : 0
        Fragments processed                            : 0
        Fragments dropped                              : 0
        In-flight fragments                            : 0
        Maximum in-flight fragments                    : 0
      Packet statistics
        Packets dropped                                : 0
        In-flight packets                              : 0
        Maximum in-flight packets                      : 0
      Last cleared: Never
    Virtual DeFragmentation (VDF) statistics reported by fw1_1:
      Fragment statistics
        Fragments received                             : 0
        Fragments processed                            : 0
        Fragments dropped                              : 0
        In-flight fragments                            : 0
        Maximum in-flight fragments                    : 0
      Packet statistics
        Packets dropped                                : 0
        In-flight packets                              : 0
        Maximum in-flight packets                      : 0
      Last cleared: Never


clear vdf-status
This command clears the virtual defragmentation (VDF) statistics counters on NPMs and APMs. By default, this command clears information about all NPMs, APMs, and VAP groups. You can use one of the following parameters to selectively clear information for specific modules or VAP groups.
  module
  VAP-group-member
NOTE: The statistics are cleared for the current session only and are not cleared on the module.

Syntax
clear vdf-status [module <module_name>] [vap-group-member <VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description

module: (Optional) Clears VDF statistics for the specified modules. Specify a module (APM or NPM) or list of modules separated by spaces for which VDF statistics are to be cleared. An NPM name has the format: np<NPM_number>. An APM name has the format: ap<APM_number>. Use the show chassis command to display the module names assigned to the NPMs and APMs installed in the X-Series Platform.
vap-group-member: (Optional) Clears VDF statistics for all member VAPs in the specified VAP group. Specify the name of a VAP group to clear the VDF status for all member VAPs.

Restrictions
Default Privilege Level: 15

Example
The following command clears the virtual defragmentation statistics counters for all modules:

    CBS# clear vdf-status

The following command clears the virtual defragmentation statistics counters for an NPM and an APM:

    CBS# clear vdf-status module np2 ap3

The following command clears the virtual defragmentation statistics counters for all member VAPs in a VAP group:

    CBS# clear vdf-status vap-group-member <VAP_group_name>

show veth-stats
This command displays virtual interface (VETH) statistics, used in group interfaces.

Syntax
show veth-stats

Context
You access this command from the main CLI context.

Output
The output for this command has the following format:

    Reporting Module       fw_1
    Load Balance State     Selected
    Slot/Port              1/5
    Circuit Name           testcct
    Local Key              0x0b00
    Partner Key            0x001a
    Partner Sys. Priority  1
    Partner ID             00:13:72:ee:0e:04
    TX State               Distributing
    RX State               Current
    Check Frequency        Slow Periodic
    Local Oper. State      LACP Activity, Aggregation, Synchronization, Collecting, Distributing
    Partner Oper. State    LACP Activity, Aggregation, Synchronization, Collecting, Distributing

The following table describes the information provided in each column/row.

Column/Row Heading: Information Provided

Reporting Module: Displays the VAP group member.
Load Balance State: Displays the status of the port. An unselected state indicates a down port.
Slot/Port: Displays the NPM module and port.
Circuit Name: Displays the circuit that the LACP link is associated with.
Local Key: The LACP key for the local circuit.
Partner Key: The LACP key for the remote interface.
Partner Sys. Priority: The priority assigned to the partner system. The value is determined by management or administration policy. The range is 1 to 65535.
Partner ID: The ID of the remote interface.
TX State: The transmit status of the LACP link.
RX State: The receive status of the LACP link.
Check Frequency: Displays the frequency of the LACP link check.
Local Oper. State: Displays the local operating state for LACP activity.
Partner Oper. State: Displays the partner's operating state for LACP activity.
Partner Priority: Displays a value assigned by the management or administration policy on a partner system used for establishing LACP connections.

Restrictions
Default Privilege Level: 0


Commands for Troubleshooting VAPs, VAP Groups, and Applications


This section contains the following commands:
  show ap-vap-mapping
  show application
  show application vap-group

show ap-vap-mapping
This command displays the X-Series Platform's APM-to-VAP mapping information. This command also displays each VAP's APM operational status, IP address, VAP group name, index number, and master VAP status.

Syntax
show ap-vap-mapping

Context
You access this command from the main CLI context.

Output
The output for this command has the following format:

    Module  Slot  Status  VAP IP Address  VAP Group  Index  Master (true/false)
    AP7     9     Active  1.1.246.103     fw         1      false
    AP8     10    Active  1.1.246.104     fw         2      true
    AP9     11    Active  1.1.246.105     fw         3      false
    (5 rows)

The following table describes the information provided in each column/row.

Column/Row Heading: Information Provided

Module: APM module name.
Slot: APM slot number.
Status: Operational status of the APM. Status can be one of the following:
  Active: APM is functioning and is ready to receive traffic.
  AwaitingBoot: APM is getting ready to boot up.
  Booting: APM is booting up.
  CrashDumping: APM is crashing and is sending information to a log file that you can use to debug the crash.
  Diagnostic: APM is running hardware diagnostics.
  Initializing: APM is initializing.
  Maintenance: APM is running in maintenance mode.
  Standby: APM is UP and is being used as a standby VAP.
  Unavailable: APM is unavailable.
  Unknown: System is unable to determine the status of the module.
  Up: APM is functioning, but is not yet ready to receive traffic.
  NOTE: If a VAP is DOWN, it does not appear in the list displayed by the show ap-vap-mapping command.
VAP IP Address: IP address assigned to the VAP.
VAP Group: Name of the VAP group to which the VAP belongs.
Index: VAP index number.
Master: Current Master status of the VAP:
  true: VAP is the Master VAP for the VAP group.
  false: VAP is not the Master VAP for the VAP group.

Restrictions
Default Privilege Level: 0

Example
The following is an example of this command:

CBS# show ap-vap-mapping
Module  Slot  Status  VAP IP Address  VAP Group  Index  Master (true/false)
AP3     5     Active  1.1.0.101       l2         1      true
AP4     6     Active  1.1.0.102       fw         1      true
AP7     9     Active  1.1.0.103       fw         2      false
(3 rows)


show application
Displays information about the applications loaded onto the CPM on the X-Series Platform.

Syntax
show application

Context
You access this command from the main CLI context.

Output
This command displays information about each application loaded on the X-Series Platform, using the following format:

App ID      : <application_identifier>
Name        : <application_name>
Version     : <application_version>
Release     : <application_release_number>
CBI Version : <CBI_version_number>

The following table describes the information provided in each column/row.

Column/Row Heading  Information Provided
App ID              Application identifier that Crossbeam has assigned to the application. When you use a CLI command to perform an operation on a specific application, you specify the application identifier as an argument to the CLI command. For example, to install Check Point VPN-1 Power NGX R65 on a VAP group, you specify the application identifier, vpn1, with the following command:
                    CBS# application vpn1 version NGXR65 vap-group <VAP_group_name> install
Name                Application name.
Version             Application version.
Release             Application release number.
                    NOTE: This row does not appear for applications that are installed using Application Development Framework (ADF) RPMs.
CBI Version         Version number assigned to the Crossbeam Installer (CBI) package used to install the application on a VAP group.
                    NOTE: This row does not appear for applications that are installed using RPMs.

Restrictions
Default Privilege Level: 0


Example
The following command shows information about the two applications that are currently loaded on the CPM in an X-Series Platform:

CBS# show application
App ID      : issprovg
Name        : IBM Proventia Network IPS
Version     : 2.0
Release     : 1
CBI Version : 1.1.0.0

App ID      : vpn1
Name        : VPN-1 Power
Version     : NGXR65
Release     : 1.0.2.0-5
CBI Version : 1.0.2.0

show application vap-group


Displays information about the applications installed on all VAP groups configured on the X-Series Platform, or displays information about the application installed on the specified VAP group.

Syntax
show application vap-group [<VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter         Description
<VAP_group_name>  Displays information about the application installed on the VAP group with the specified VAP group name. If you do not specify this parameter, the show application vap-group command displays information about all applications installed on VAP groups configured on the X-Series Platform.


Output
This command displays information about the application installed on a VAP group using the following format:

VAP Group                       : <VAP_group_name>
App ID                          : <application_identifier>
Name                            : {<application_name> | N/A}
Version                         : <application_version>
Release                         : {<application_release_number> | N/A}
Start on Boot                   : {yes | no}
App Monitor                     : {on | off}
App State (<VAP_group_name>_1)  : {Up | Down | Initializing | Not Monitored}
App State (<VAP_group_name>_2)  : {Up | Down | Initializing | Not Monitored}
....
App State (<VAP_group_name>_n)  : {Up | Down | Initializing | Not Monitored}

The following table describes the information provided in each column/row.

Column/Row Heading              Information Provided
VAP Group                       Name of the VAP group on which the application is installed.
App ID                          Application identifier that Crossbeam has assigned to the application. When you use a CLI command to perform an operation on a specific application, you specify the application identifier as an argument to the CLI command. For example, to install Check Point VPN-1 Power NGX R65 on a VAP group, you specify the application identifier, vpn1, with the following command:
                                CBS# application vpn1 version NGXR65 vap-group <VAP_group_name> install
Name                            Application name.
                                NOTE: N/A indicates that the application is installed using an RPM.
Version                         Application version.
Release                         Application release number.
                                NOTE: N/A indicates that the application is installed using an RPM.
Start on Boot                   Indicates whether the application automatically starts running when you boot up the VAP group:
                                on - Application automatically starts up when you boot up the VAP group.
                                off - You must manually start up the application each time you boot up the VAP group.
App Monitor                     Indicates whether application monitoring is enabled (on) or disabled (off) on the VAP group on which the application is installed. By default, application monitoring is enabled (on). See application-monitor (config-vap-group context) on page 198 for more information about application monitoring and for instructions on enabling and disabling application monitoring on a VAP group.
App State (<VAP_group_name>_n)  Indicates the current state of the application on the VAP with the VAP index number n. The show application vap-group command displays the current state of the application on each VAP on which an application is installed. Possible application states are:
                                Up - Application is running on the VAP.
                                Down - Application is not running on the VAP, but the APM on which the VAP is loaded is functional.
                                Initializing - The APM on which the VAP will load is rebooting.
                                Not Monitored - Application monitoring is disabled on the VAP group on which the application is installed. Therefore, XOS is unable to determine the current state of the application on any VAP.
                                NOTE: These rows appear only for VAPs that are currently loaded onto APMs.
                                NOTE: For applications that are installed using RPMs, this row has the format: <VAP_group_name>_n

Restrictions
Default Privilege Level: 0

Example
The following command shows information about the firewall application running on the VAP group called testvapgroup:

CBS# show application vap-group testvapgroup
VAP Group                   : testvapgroup
App ID                      : vpn1
Name                        : VPN-1 Power
Version                     : NGXR65
Release                     : 1.0.2.0-5
Start on Boot               : yes
App Monitor                 : on
App State (testvapgroup_1)  : Up
App State (testvapgroup_2)  : Up
App State (testvapgroup_3)  : Up
CBS#


Commands for Troubleshooting Multi-System High-Availability Issues


This section contains the following commands:
  show remote-box on page 858
  show vrrp on page 859
  show vrrp circuit-ip on page 860
  show vrrp detail-status on page 863
  show vrrp failover-group on page 865
  show vrrp monitor-circuit on page 868
  show vrrp monitor-interfaces on page 870
  show vrrp monitor-group-interfaces on page 871
  show vrrp status on page 873
  show vrrp vap-group on page 874
  show vrrp verify-next-hop on page 875
  show vrrp virtual-router on page 877

show remote-box
This command displays the system ID and addresses of any remote systems configured with this system in a VRRP configuration. Optionally, you can specify the system-identifier of a remote system. Use the ? option to see a list of currently configured remote systems.

Syntax
show remote-box [<remote_box_ID>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter        Description
<remote_box_ID>  A number from 1 through 255, representing the system-identifier of the remote-box.

Output
The following table explains the information provided in the output from the show remote-box command.

Column Heading  Description
Remote IP       The IP address of the interface on the remote-box.
Local Intf      The local interface that is used to access the remote IP address.
Local IP        The IP address of the local interface that is used to access the remote IP address.
Status          The status of the connection to the remote box (Active or Standby).
Time In State   The amount of time that the current Status (Active or Standby) has been true.
Link Qual       The quality of the link between the local and remote boxes. If the link has been connected for some time, the value of link quality is 100. If the link is disconnected for some time, the value is reset to 0. When the link is reconnected, the value increases over time to the maximum value of 100. If a link connection is intermittent, the value that appears will be somewhere between 0 and 100.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command:

CBS# show remote-box 22
Local System ID: 85
Remote System ID: 22
Remote IP       Local Intf  Local IP        Status   Time In State  Link Qual
192.168.211.89  14/1        192.168.211.85  Active   0 days, 00:00  100
1.1.89.20       HA port     1.1.85.20       Standby  0 days, 00:00  100
(2 rows)

show vrrp
This command displays basic configuration and status information for each VRRP failover group configured on the system.

Syntax
show vrrp

Context
You access this command from the main CLI context.

Output
The output for this command has the following format:

Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      100/100   Master  on       1              100
2      150/150   Master  off      1              150
3      150/150   Master  on       1              150
(3 rows)


The following table describes the information provided in each column/row.

Column/Row Heading  Information Provided
FG-ID               Failover group ID number.
Priority            Failover group priority (actual/configured).
Status              Failover group status. Possible values are:
                    master - Failover group is in master mode.
                    backup - Failover group is in backup mode.
                    down - Failover group is not functioning.
                    init - Failover group is initializing.
Preempt             Indicates whether preemption is enabled (on) or disabled (off) for each failover group.
Master Sys ID       System ID assigned to the master system.
Master Priority     Current priority of the failover group on the master system.

Restrictions
Default Privilege Level: 0

Example
The following example shows the output of this command:

CBS# show vrrp
Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      200/200   Master  on       62             200
2      250/250   Master  on       62             250
(2 rows)

show vrrp circuit-ip


This command displays the VRRP configuration and current status of all circuits, or displays the VRRP configuration and current state of the circuits assigned to the specified failover group or virtual router.

Syntax
show vrrp circuit-ip [<failover_group_name>] [vrrp-id <virtual_router_ID>]

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter                    Description
<failover_group_name>        Displays the VRRP configurations for all circuits in the specified failover group.
vrrp-id <virtual_router_ID>  Displays the VRRP configuration for the circuit assigned to the specified virtual router.

Output
The output for this command has the following format:

Failover Group          : chetire
Failover Group ID       : 4
VRRP State              : Backup
VRRP ID                 : 112
Circuit Name            : gig15
VAP Group               : fw
IP Address              : 192.203.10.100/24 192.203.10.255 (Virtual)
Interface (State)       : gigabitethernet 1/5 (Up), gigabitethernet 1/6 (Up)
Group Interface (State) : gig15_16 (Up)

The following table describes the information provided in each column/row.

Column/Row Heading       Information Provided
Failover Group           Failover group name.
Failover Group ID        Failover group ID number.
VRRP State               Current state of the failover group:
                         backup - Failover group is in backup mode.
                         down - Failover group is not functioning.
                         init - Failover group is initializing.
                         master - Failover group is in master mode.
                         unknown - System cannot determine the state of the failover group.
VRRP ID                  Virtual router ID number.
Circuit Name             Name of the circuit mapped to the virtual router.
VAP Group                Name of the VAP group mapped to the virtual router.
IP Address               Displays the IP address assigned to the circuit for the VAP group mapped to the Virtual Router, and indicates whether this IP address is the Primary Address for the circuit. If there is no IP address assigned to the circuit for the VAP group mapped to the virtual router, the IP Address field displays the text, IP-less.
Interface (State)        Displays the interface type, slot/port, and state of the physical interface to which the circuit is assigned. If the circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
                         Up - The interface is functioning normally.
                         Down - The interface is not functioning.
                         Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
                         Unknown - System cannot determine the state of the interface.
Group Interface (State)  Displays the name and state of the group interface to which the circuit is assigned. The group interface can be in one of the following states:
                         Up - The group interface is functioning normally.
                         Down - The group interface is not functioning.
                         Admin. Down - The administrator has used the CLI to manually disable the group interface.
                         Unknown - System cannot determine the state of the group interface.

Restrictions
Default Privilege Level: 15

Example
The following example shows four circuits mapped to VAP group vsxb1, which is part of failover group vrrp_vsx.

CBS# show vrrp circuit-ip vrrp_vsx
VAP Group               : vsxb1
IP Address              : 10.10.2.1 255.255.255.0 10.10.2.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)

Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1000
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3003
VAP Group               : vsxb1
IP Address              : 10.10.3.1 255.255.255.0 10.10.3.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)

Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1008
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3004
VAP Group               : vsxb1
IP Address              : 10.10.4.1 255.255.255.0 10.10.4.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)

Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1003
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3005
VAP Group               : vsxb1
IP Address              : 10.10.5.1 255.255.255.0 10.10.5.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)

Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1004
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3006
VAP Group               : vsxb1
IP Address              : IP-less (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
(5 rows)

show vrrp detail-status


This command displays the following information for each component of the system's VRRP configuration or for each component of the specified failover group:
  Failover group ID
  Failover group status: master, backup, down, or init
  Failover group priority (actual/configured)
  VRRP component's configured priority-delta value
  Status of priority-delta: in effect, not in effect, or unknown next hop status
  VRRP component type: virtual router, monitored interface, monitored circuit, VAP group, next hop
  More detailed information about the VRRP component

Syntax
show vrrp detail-status [<failover_group_name>]

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter              Description
<failover_group_name>  Displays information only for the components of the specified failover group.

Output
The output for this command has the following format:

FG_ID  Status  Priority  Delta  Type  Component
1      Backup  99/101    2      vr    gig14/101
1      Backup  99/101    2      vr    gig13/100
1      Backup  99/101    1      mc    dummy
1      Backup  99/101    -2     vg    fw

The following table describes the information provided in each column/row.

Column/Row Heading  Information Provided
FG_ID               Failover group ID number.
Status              Failover group status. Possible values are:
                    master - Failover group is in master mode.
                    backup - Failover group is in backup mode.
                    down - Failover group is not functioning.
                    init - Failover group is initializing.
Priority            Failover group priority (actual/configured).
Delta               The number shown in this column is the VRRP component's configured priority-delta value. The number is displayed differently depending on the status of the priority-delta:
                    Number is positive - Component's priority-delta is not in effect, as the component is functioning normally.
                    Number is negative - Component's priority-delta is in effect, as the component has failed. The failover group's priority has been decremented by the component's priority-delta value.
                    Star symbol (*) appears after the number - Next hop status is unknown. (See the XOS Configuration Guide for more details on this status.)
Type                VRRP component type. Possible values are:
                    vr - Virtual router
                    mi - Monitored interface
                    mc - Monitored circuit
                    vg - VAP group
                    nh - Next hop
Component           Detailed information about the VRRP component. The contents of this field depend on the VRRP component type:
                    Virtual router - Field displays circuit name/ID number for the virtual router.
                    Monitored interface - Field displays the monitored interface name.
                    Monitored circuit - Field displays the monitored circuit name.
                    VAP group - Field displays the VAP group name. If the VAP group's active-vap-threshold value is configured, the Component field displays that value in parentheses after the VAP group name.
                    Next hop - Field displays verify-next-hop IP address/ID number for the Virtual Router.

Restrictions
Default Privilege Level: 15

Example
The following example shows the output of the show vrrp detail-status command run on an X-Series Platform configured as the backup system for VRRP failover group 200.

CBS# show vrrp detail-status
FG_ID  Status  Priority  Delta  Type  Component
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp448/33
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3006/32
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp384/31
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3005/30
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp320/29
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3004/28
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp256/27
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3003/26
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp192/25
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3002/24
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp128/23
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3001/22
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_outside_4001/21
200    Backup  198/198   1      vr    l2l3/20
200    Backup  198/198   1      vr    outside/10
200    Backup  198/198   1*     nh    10.10.1.10/22
200    Backup  198/198   50     vg    vsxb2
(21 rows)
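The Delta conventions described above (a negative number means the priority-delta is in effect, a trailing * means the next hop status is unknown) can be checked automatically against captured output. The following Python is an added example, not Crossbeam code: it parses show vrrp detail-status text and reports, per failover group, which components have failed and whether their deltas account for the gap between actual and configured priority. The function names are hypothetical, the additive-delta rule is an assumption, and the rows for failover group 7 are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Type codes from the "Type" row of the table in this section.
COMPONENT_TYPES = {"vr": "virtual router", "mi": "monitored interface",
                   "mc": "monitored circuit", "vg": "VAP group", "nh": "next hop"}

# One data row: FG_ID, Status, actual/configured, Delta (optional *), Type, Component.
ROW = re.compile(
    r"^\s*(?P<fg>\d+)\s+(?P<status>\w+)\s+(?P<actual>\d+)\s*/\s*(?P<conf>\d+)"
    r"\s+(?P<delta>-?\d+)(?P<star>\*?)\s+(?P<type>vr|mi|mc|vg|nh)\s+(?P<comp>\S.*?)\s*$")

# Rows for groups 1 and 200 are copied from this section; group 7 is constructed
# to show a priority drop that no listed component explains.
SAMPLE = """\
CBS# show vrrp detail-status
FG_ID  Status  Priority  Delta  Type  Component
1      Backup  99/101    2      vr    gig14/101
1      Backup  99/101    2      vr    gig13/100
1      Backup  99/101    1      mc    dummy
1      Backup  99/101    -2     vg    fw
200    Backup  198/198   1      vr    l2l3/20
200    Backup  198/198   1*     nh    10.10.1.10/22
200    Backup  198/198   50     vg    vsxb2
7      Backup  90/100    5      vr    demo/1
(8 rows)
"""


@dataclass
class Row:
    fg_id: int
    status: str
    actual: int
    configured: int
    delta: int              # negative means the priority-delta is in effect
    next_hop_unknown: bool  # True when the delta is followed by "*"
    ctype: str
    component: str


def parse_detail_status(text):
    """Return a Row for every data line; header, prompt and count lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(Row(int(m["fg"]), m["status"], int(m["actual"]),
                            int(m["conf"]), int(m["delta"]), m["star"] == "*",
                            COMPONENT_TYPES[m["type"]], m["comp"]))
    return rows


def audit(rows):
    """Summarise each failover group: failed components, unknown next hops,
    and whether the in-effect deltas account for actual vs. configured priority."""
    groups = defaultdict(list)
    for row in rows:
        groups[row.fg_id].append(row)
    report = {}
    for fg_id, members in groups.items():
        failed = [r for r in members if r.delta < 0]
        actual, configured = members[0].actual, members[0].configured
        # Assumption: each in-effect delta is subtracted once from the configured priority.
        expected = configured - sum(-r.delta for r in failed)
        report[fg_id] = {
            "status": members[0].status,
            "degraded": actual != configured,
            "failed": [(r.ctype, r.component, -r.delta) for r in failed],
            "next_hop_unknown": [r.component for r in members if r.next_hop_unknown],
            "explained": expected == actual,
        }
    return report


if __name__ == "__main__":
    for fg_id, finding in audit(parse_detail_status(SAMPLE)).items():
        print(fg_id, finding)
```

A group that is degraded but not explained, like the constructed group 7, is the case to investigate with the other show vrrp commands for that failover group.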

show vrrp failover-group


This command displays the VRRP configuration of the specified failover group or displays the VRRP configuration of all failover groups.


Syntax
show vrrp failover-group [<failover_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter              Description
<failover_group_name>  Displays the configuration for the specified failover group. Default is to display the configuration for all failover groups.

Output
The output for this command has the following format: Failover Group Failover Group ID Advertisement Interval (seconds) Preemption (true/false) Enabled (true/false) Configured Priority Actual Priority Virtual Router IDs Monitored Circuits Monitored Group Interfaces OSPF Cost Increment (Circuits) VAP Groups (failover-group) VAP Groups (failover-group-list) State Time of Last State Change: Reason for Last State change: : : : : : : : : : : : : : : : : odin 1 1 t t 101 101 100, 101 dummy gig15_55 fw fw Master Fri Sep 3 04:47:53 2010 Timed out waiting for master

The following table describes the information provided in each column/row.

Column/Row Heading                 Information Provided
Failover Group                     Displays the failover group name.
Failover Group ID                  Displays the failover group ID.
Advertisement Interval (seconds)   Displays the number of seconds between VRRP advertisements.
Preemption (true/false)            Displays the preemption status.
Enabled (true/false)               Displays the configuration status (enabled or disabled) for the failover group.
Configured Priority                The configured priority is the VRRP priority that you set for the failover group. If the configured priority is not the same as the actual priority, a failure caused a priority-delta to decrement the priority.
Actual Priority                    The actual priority is the current VRRP priority value. If the actual priority is not the same as the configured priority, a failure caused a priority-delta to decrement the priority.
Virtual Router IDs                 Displays the virtual router ID.
Monitored Circuits                 Displays the circuits that VRRP monitors in the configured virtual routers.
Monitored Group Interfaces         Displays the group interfaces that VRRP monitors in the configured virtual routers.
OSPF Cost Increment (Circuits)     Displays the OSPF cost increment associated with the configured circuits.
VAP Groups (failover-group)        Displays the VAP groups associated with the failover group.
VAP Groups (failover-group-list)   Displays the VAP groups associated with the failover group list.
State                              The State is the state of the failover group, which can be one of the following:
                                   backup - Failover group is in backup mode.
                                   down - Failover group is not functioning.
                                   init - Failover group is initializing.
                                   master - Failover group is in master mode.
                                   unknown - System cannot determine the state of the failover group.
Time of Last State Change          The date and time of the most recent change in the State parameter.
Reason for Last State Change       The reason for the most recent change in the State parameter. Possible reasons include:
                                   Initializing
                                   Priority is 255
                                   Priority is 0
                                   Priority higher than remote box <remote_box_id>
                                   Remote box <remote_box_id> has higher priority
                                   Timed out waiting for master
                                   Master <remote_box_id> has lower priority, but preemption is disabled
                                   Preempted by remote box <remote_box_id>
                                   Relinquished by user
                                   VRRP failover group is disabled
                                   No valid virtual routers configured

Restrictions
Default Privilege Level: 0


show vrrp monitor-circuit


This command displays the VRRP configuration and current status of all monitored circuits, or displays the VRRP configuration and current status of all monitored circuits that belong to the specified failover group.

Syntax
show vrrp monitor-circuit [<failover_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter              Description
<failover_group_name>  Displays only the monitored circuits for the specified failover group.

Output
The output for this command has the following format:

Failover Group     : odin
Failover Group ID  : 1
Circuit            : dummy
Interface (State)  : gigabitethernet 1/2 (Up)
Priority Delta     : 1
(1 row)

The following table describes the information provided in each column/row.

Column/Row Heading       Information Provided
Failover Group           Displays the monitored circuit's failover group name.
Failover Group ID        Displays the monitored circuit's failover group ID number.
Circuit                  Displays the name of the monitored circuit.
Interface (State)        Displays the interface type, slot/port, and state of the physical interface to which the monitored circuit is assigned. If the monitored circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
                         Up - The interface is functioning normally.
                         Down - The interface is not functioning.
                         Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
                         Unknown - System cannot determine the state of the interface.
Group Interface (State)  Displays the name and state of the group interface to which the monitored circuit is assigned. The group interface can be in one of the following states:
                         Up - The group interface is functioning normally.
                         Down - The group interface is not functioning.
                         Admin. Down - The administrator has used the CLI to manually disable the group interface.
                         Unknown - System cannot determine the state of the group interface.
Priority Delta           Displays the monitored circuit's configured priority-delta value. If the Interface (State) or Group Interface (State) is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command:

CBS# show vrrp monitor-circuit
Failover Group          : vrrp_vsx
Failover Group ID       : 200
Circuit                 : vsx_ckt_vsxb2_l2l3_3005
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 2/2 (Up), gigabitethernet 2/3 (Up)
Group Interface (State) : l2l3 (Up)
Priority Delta          : 25
(1 row)


show vrrp monitor-interfaces


This command displays the VRRP configuration and current status of all monitored interfaces or displays the VRRP configuration and current status of all monitored interfaces assigned to circuits that belong to the specified failover group.

Syntax
show vrrp monitor-interfaces [<failover_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter              Description
<failover_group_name>  Displays only the monitored interfaces for the specified failover group.

Output
The output for this command has the following format:

Failover Group     : vosem
Failover Group ID  : 8
Interface          : gigabitethernet 2/2
Interface State    : Up
Priority Delta     : 2
(1 row)

The following table describes the information provided in each column/row.

Column/Row Heading  Information Provided
Failover Group      Failover group name.
Failover Group ID   Failover group ID number.
Interface           Interface being monitored.
Interface State     Current state of the monitored interface. Possible values are:
                    Up - Interface is functioning.
                    Down - Interface is not functioning.
                    Unknown - Interface may or may not be functioning.
                    Admin. Down - The administrator has used the CLI to manually disable the interface.
Priority Delta      Monitored interface's configured priority-delta value. If the Interface State is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.


Restrictions
Default Privilege Level: 15

Example
The following is an example of this command:

CBS# show vrrp monitor-interfaces
Failover Group     : vrrp_vsx
Failover Group ID  : 200
Interface          : gigabitethernet 1/2
Interface State    : Up
Priority Delta     : 1

Failover Group     : vrrp_vsx
Failover Group ID  : 200
Interface          : gigabitethernet 1/3
Interface State    : Up
Priority Delta     : 1

Failover Group     : vrrp_vsx
Failover Group ID  : 200
Interface          : gigabitethernet 4/2
Interface State    : Up
Priority Delta     : 1

Failover Group     : vrrp_vsx
Failover Group ID  : 200
Interface          : gigabitethernet 4/3
Interface State    : Up
Priority Delta     : 1
(4 rows)

show vrrp monitor-group-interfaces


This command displays the VRRP configuration and current status of all monitored group-interfaces or displays the VRRP configuration and current status of all monitored group-interfaces assigned to circuits that belong to the specified failover group.

Syntax
show vrrp monitor-group-interfaces [<failover_group_name>]

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter              Description
<failover_group_name>  Displays only the monitored group-interfaces for the specified failover group.

Output
The output for this command has the following format:

CBS# show vrrp monitor-group-interfaces
Failover Group              : tri
Failover Group ID           : 3
Group Interface (State)     : gig15_16 (Up)
Interface (State)           : gigabitethernet 1/5 (Up), gigabitethernet 1/6 (Up)
Priority Delta              : 5
Distributing Port Threshold : 2
Distributing Interfaces     : 2
(1 row)

The following table describes the information provided in each column/row.

Column/Row Heading           Information Provided
Failover Group               Failover group name.
Failover Group ID            Failover group ID number.
Group Interface (State)      Group interface being monitored with the current state of the group interface in parentheses.
Interface (State)            Current state of each of the interfaces that are included in the monitored-group-interface. Possible values are:
                             Up - Interface is functioning.
                             Down - Interface is not functioning.
                             Unknown - Interface may or may not be functioning.
                             Admin. Down - The administrator has used the CLI to manually disable the interface.
Priority Delta               VRRP reduces the VRRP priority of the failover-group by this value whenever the number of active distributing ports for the group interface falls below the configured Distributing Port Threshold value.
Distributing Port Threshold  The minimum number of ports in the active distributing state required for the group interface. When the number of active distributing ports is less than this value, VRRP decrements the failover group VRRP priority by the priority-delta value.
Distributing Interfaces      The number of interfaces that are currently in the active distributing state in the group interface. Whenever this number falls below the Distributing Port Threshold value, the Priority Delta value is subtracted from the failover group VRRP priority.
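The threshold rule in the table above can be evaluated directly from captured output. The following Python is an added example, not Crossbeam code: it splits the "Key : Value" records of show vrrp monitor-group-interfaces and reports which group interfaces have fallen below their Distributing Port Threshold and which member interfaces are not Up. The function names are hypothetical, and the second record in the sample (failover group demo) is constructed.

```python
import re

# The first record is the output format shown in this section; the second is
# constructed to show a group interface that has dropped below its threshold.
SAMPLE = """\
CBS# show vrrp monitor-group-interfaces
Failover Group              : tri
Failover Group ID           : 3
Group Interface (State)     : gig15_16 (Up)
Interface (State)           : gigabitethernet 1/5 (Up), gigabitethernet 1/6 (Up)
Priority Delta              : 5
Distributing Port Threshold : 2
Distributing Interfaces     : 2
Failover Group              : demo
Failover Group ID           : 9
Group Interface (State)     : lag1 (Up)
Interface (State)           : gigabitethernet 2/1 (Up), gigabitethernet 2/2 (Admin. Down)
Priority Delta              : 10
Distributing Port Threshold : 2
Distributing Interfaces     : 1
(2 rows)
"""

# "name (State)" pairs inside the comma-separated Interface (State) value.
NAME_STATE = re.compile(r"\s*([^,()]+?)\s*\(([^)]*)\)")


def parse_records(text, first_key="Failover Group"):
    """Split 'Key : Value' output into one dict per record; a record starts at first_key."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # prompt line, "(n rows)" footer or blank line
        key = key.strip()
        if key == first_key:
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value.strip()
    return records


def evaluate(record):
    """Apply the Distributing Port Threshold rule to one parsed record."""
    members = NAME_STATE.findall(record["Interface (State)"])
    threshold = int(record["Distributing Port Threshold"])
    distributing = int(record["Distributing Interfaces"])
    below = distributing < threshold
    return {
        "failover_group": record["Failover Group"],
        "group_interface": record["Group Interface (State)"],
        "not_up": [name for name, state in members if state != "Up"],
        "below_threshold": below,
        # The Priority Delta is subtracted only while the count is below the threshold.
        "priority_reduction": int(record["Priority Delta"]) if below else 0,
    }


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(evaluate(rec))
```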


show vrrp status


This command displays the high-level status of the system's VRRP configuration. You can choose to display only those failover groups with a specific state. Note that if the failover group's Actual and Configured VRRP priorities are not the same, there is a failure. To find the details of the failure, use the other show vrrp commands for that failover group or virtual router ID.

Syntax
show vrrp status [<failover_group_id>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter              Description
<failover_group_name>  Displays only the monitored circuits for the specified failover group.

Output
The output for this command has the following format:

Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      100/100   Backup  on       0              0
2      150/150   Backup  off      0              0
3      150/150   Backup  on       0              0
(3 rows)

The following table describes the information provided in each column/row.

Column/Row Heading  Information Provided
FG-ID               Failover group ID number.
Priority            Failover group priority (actual/configured).
Status              Failover group status. Possible values are:
                    master - Failover group is in master mode.
                    backup - Failover group is in backup mode.
                    down - Failover group is not functioning.
                    init - Failover group is initializing.
Preempt             Indicates whether preemption is enabled (on) or disabled (off) for each failover group.
Master Sys ID       System ID assigned to the master system.
Master Priority     Current priority of the failover group on the master system.


Restrictions
Default Privilege Level: 0

Example
The following is an example of this command:

    CBS# show vrrp status
    Priority is Actual/Configured
    Group ID  Priority   VR ID  Device Name  Status
    1         101 / 101  100    gig21        Master
    1         101 / 101  100    gig21        Master
    1         101 / 101  101    gig22        Master
    1         101 / 101  101    gig22        Master
    2         0 / 100    200    gig21        Backup
    2         0 / 100    200    gig21        Backup
    2         0 / 100    201    gig22        Backup
    2         0 / 100    201    gig22        Backup
    (8 rows)

show vrrp vap-group


This command displays the VRRP configuration for all VAP groups or a specific VAP group. Only those VAP groups configured for VRRP are displayed.

Syntax
show vrrp vap-group [<VAP_group_name>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description
<VAP_group_name>: Existing VAP group.

Output
The output for this command has the following format:

    VAP Group             : L2
    Enable (true/false)   : t
    Hold Down Timer       : 120
    Priority Delta        : 51
    Active Slot Threshold : 2
    Active VAPs           : 2
    Failover Group List   : fg1 fg2


The following table describes the information provided in each column/row.

Column/Row Heading: Information Provided
VAP Group: Displays the name of the VAP group assigned to the virtual router.
Enable (true/false): Displays the status of the VAP group in the virtual-router.
Hold Down Timer:
Priority Delta: The value by which the priority will be decremented if the VAP group does not meet the minimum criteria for the VRRP configuration.
Active Slot Threshold: The minimum number of slots required for the VAP group. When the number of active VAPs is less than this value, VRRP decrements the failover group's VRRP priority by the priority-delta value.
Active VAPs: The Active VAPs field shows the number of VAPs that are currently active in the VAP group. If this number is less than the Active Slot Threshold value, then the Priority Delta value has been subtracted from the failover group's VRRP priority.
Failover Group List: Displays the failover groups that are participating in the VRRP configuration.

Restrictions
Default Privilege Level: 15

Example
The following is an example of this command:

    CBS# show vrrp vap-group
    VAP Group             : cb1ids
    Enable (true/false)   : t
    Hold Down Timer       : 1
    Priority Delta        : 2
    Active Slot Threshold : 3
    Active VAPs           : 4
    Failover Group List   : failoverfw

show vrrp verify-next-hop


This command displays the next hop addresses that can affect a failover group's VRRP priority should they become unreachable.

Syntax
show vrrp verify-next-hop [<failover_group_name>] [vrrp-id <virtual_router_id>]

Context
You access this command from the main CLI context.


Parameters
The following table lists the parameters used with this command.

Parameter: Description
<failover-group-name>: Displays only the configuration for the specified failover group. If not specified, all virtual routers are displayed.
vrrp-id <virtual_router_id>: Existing virtual router Identifier. Values are 1-4096.

Output
The output for this command has the following format:

    Failover Group     : 3
    VRRP ID            : 6
    Circuit Name       : c12Bottom
    VAP Group          : fwv5
    Verify Next Hop IP : 103.1.1.1
    Priority Delta     : 77
    State              : Reachable

The following table describes the information provided in each column/row.

Column/Row Heading: Information Provided
Failover Group: Displays the virtual router's failover group name.
VRRP ID: Displays the virtual router ID number.
Circuit Name: Displays the name of the circuit mapped to the virtual router.
VAP Group: Displays the name of the VAP group assigned to the virtual router.
Verify Next Hop IP: Displays the specified IP address for the next hop check.
Priority Delta: If the next hop IP address is unreachable, the failover group's priority will be decremented by the Priority Delta.
State: The State can be Reachable, Unreachable, or Unknown. If the State is Unreachable or Unknown, the Priority Delta value has been subtracted from the failover group's VRRP priority.

Restrictions
Default Privilege Level: 15


Example
The following is an example.

    CBS# show vrrp verify-next-hop
    Failover Group     : failoverfw
    VRRP ID            : 62
    Circuit Name       : vlan602
    VAP Group          : cb1fw
    Verify Next Hop IP : 192.168.1.106
    Priority Delta     : 2
    State              : Reachable
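
The Actual versus Configured check described under show vrrp status, and the Priority Delta conditions described for show vrrp monitor-group-interfaces, show vrrp vap-group and show vrrp verify-next-hop, can be automated by parsing saved command output. The following Python sketch is an added example, not Crossbeam code; the sample output is constructed in the layouts shown in this reference, and summing the deltas per failover group is an assumption.

```python
import re

# Constructed sample output (not captured from a real system), laid out
# as in the "Output" sections of this reference.
STATUS_SAMPLE = """\
Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      100/100   Master  on       0              0
2      145/150   Backup  off      0              0
3      0 / 100   Backup  on       0              0
(3 rows)
"""

DETAIL_SAMPLE = """\
Failover Group              : tri
Priority Delta              : 5
Distributing Port Threshold : 2
Distributing Interfaces     : 2

VAP Group             : cb1ids
Priority Delta        : 2
Active Slot Threshold : 3
Active VAPs           : 2
Failover Group List   : failoverfw

Failover Group     : failoverfw
Verify Next Hop IP : 192.168.1.106
Priority Delta     : 3
State              : Unreachable
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s*/\s*(\d+)\b(.*)$")
STATES = {"master", "backup", "down", "init"}

def parse_status(text):
    """Parse `show vrrp status` rows into dicts; non-row lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        fg_id, actual, configured = (int(g) for g in m.group(1, 2, 3))
        status = next((t.lower() for t in m.group(4).split()
                       if t.lower() in STATES), "unknown")
        rows.append({"fg_id": fg_id, "actual": actual,
                     "configured": configured, "status": status})
    return rows

def degraded(rows):
    """Rows whose Actual priority differs from Configured (a failure)."""
    return [r for r in rows if r["actual"] != r["configured"]]

def parse_records(text):
    """Split 'Key : value' output into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return records

def applied_deltas(records):
    """List (failover_group, delta, reason) for each condition that this
    reference says subtracts its Priority Delta from the group's priority."""
    hits = []
    for r in records:
        delta = int(r.get("Priority Delta", 0))
        if "Distributing Port Threshold" in r:      # monitor-group-interfaces
            if int(r["Distributing Interfaces"]) < int(r["Distributing Port Threshold"]):
                hits.append((r["Failover Group"], delta,
                             "distributing ports below threshold"))
        elif "Active Slot Threshold" in r:          # vap-group
            if int(r["Active VAPs"]) < int(r["Active Slot Threshold"]):
                for fg in r.get("Failover Group List", "").split():
                    hits.append((fg, delta, "active VAPs below slot threshold"))
        elif "Verify Next Hop IP" in r:             # verify-next-hop
            if r.get("State", "").lower() in ("unreachable", "unknown"):
                hits.append((r["Failover Group"], delta,
                             "next hop " + r["State"].lower()))
    return hits

def total_by_group(hits):
    """Sum deltas per failover group (assumes the deltas are cumulative)."""
    totals = {}
    for fg, delta, _ in hits:
        totals[fg] = totals.get(fg, 0) + delta
    return totals

if __name__ == "__main__":
    for r in degraded(parse_status(STATUS_SAMPLE)):
        print("FG-ID %(fg_id)d: actual %(actual)d != configured %(configured)d (%(status)s)" % r)
    for fg, delta, why in applied_deltas(parse_records(DETAIL_SAMPLE)):
        print("%s: -%d (%s)" % (fg, delta, why))
```
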

show vrrp virtual-router


This command displays the VRRP configuration for all virtual routers, displays the VRRP configuration for the virtual routers assigned to the specified failover group, or displays the VRRP configuration for the specified virtual router.

Syntax
show vrrp virtual-router [<failover_group_name>] [vrrp-id <virtual_router_id>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description
<failover-group-name>: Displays the VRRP configurations only for the virtual routers that belong to the specified failover group.
vrrp-id <virtual_router_ID>: Displays the VRRP configuration only for the specified virtual router.

Output
The output for this command has the following format:

    Failover Group              : fg2
    Failover Group ID           : 2
    VRRP State                  : Backup
    Virtual Router ID           : 4
    Circuit Name                : MltOut
    Priority Delta              : 10
    Backup Stay Up (true/false) : t
    MAC Usage                   : vrrp-mac
    VAP Group                   : fwv5
    MAC Address                 : 00:00:5E:00:00:04


The following table describes the information provided in each column/row.

Column/Row Heading: Information Provided
Failover Group: Displays the virtual router's failover group name.
Failover Group ID: Displays the virtual router's failover group ID number.
VRRP State: Current state of the failover group:
    backup - Failover group is in backup mode.
    down - Failover group is not functioning.
    init - Failover group is initializing.
    master - Failover group is in master mode.
    unknown - System cannot determine the state of the failover group.
Virtual Router ID: Displays the virtual router ID number.
Circuit Name: Displays the name of the circuit mapped to the virtual router.
Priority Delta: Displays the virtual router's configured priority-delta value. If the Interface (State) or Group Interface (State) is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.
Backup Stay Up (true/false): Indicates whether the backup-stay-up parameter is enabled (t) or disabled (f) for the virtual router.
MAC Usage: Displays the mac-usage parameter setting for the virtual router.
VAP Group: Displays the name of the VAP group assigned to the virtual router.
Interface (State): Displays the interface type, slot/port, and state of the physical interface to which the virtual router's circuit is assigned. If the virtual router's circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
    Up - The interface is functioning normally.
    Down - The interface is not functioning.
    Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
    Unknown - System cannot determine the state of the interface.
Group Interface (State): Displays the name and state of the group interface to which the monitored circuit is assigned. The group interface can be in one of the following states:
    Up - The group interface is functioning normally.
    Down - The group interface is not functioning.
    Admin. Down - The administrator has used the CLI to manually disable the group interface.
    Unknown - System cannot determine the state of the group interface.
MAC Address: Displays the MAC address assigned to the virtual router's circuit.

Restrictions
Default Privilege Level: 15

Example
The following is an example.

    CBS# show vrrp virtual-router vrrp-id 1014
    Failover Group              : vrrp_vsx
    Failover Group ID           : 200
    VRRP State                  : Backup
    Virtual Router ID           : 1014
    Circuit Name                : vsx_ckt_vsxb2_l2l3_3333
    Priority Delta              : 1
    Backup Stay Up (true/false) : t
    MAC Usage                   : vrrp-mac
    VAP Group                   : vsxb2
    Interface (State)           : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 2/2 (Up), gigabitethernet 2/3 (Up)
    Group Interface (State)     : l2l3 (Up)
    MAC Address                 : 00:00:5E:00:03:F6
    (1 row)


Commands for Providing Troubleshooting Information to Crossbeam Customer Support


This section contains the following commands:
show npm-tech
show tech-crash
show tech-support

show npm-tech
This command provides information needed to troubleshoot an NPM. The NPM heartbeat, interface information, status, revision information, slot/numbering mapping information, build information, flow table count statistics, and crash information are provided.

Syntax
show npm-tech [np1] [np2] [np3] [np4] [all] [-file <filename>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description
np1: Information regarding the NPM in slot #1
np2: Information regarding the NPM in slot #2
np3: Information regarding the NPM in slot #3
np4: Information regarding the NPM in slot #4
all: General information on all NPMs configured in the current system. This is the default.
-file <filename>: Specifies the name of a file to be used to capture the output of this command.

Restrictions
Default Privilege Level: 15

Example
The following is an abbreviated example of this command:

    CBS# show npm-tech np1
    -------------------- begin: show calendar --------------------
    Tue Mar 16 10:50:21 2010
    --------- slot 1: show logging console hostname np1 ---------
    Sep 4 04:02:04 np1 cbs_np6_flowd[639]: [W] COD_PRINT COD: Jan 30 2010 19:21:47 activated connection to slot 6 0
    Sep 4 04:02:13 np1 cbs_np6_flowd[639]: [W] COD_PRINT COD: Jan 30 2010 19:21:47 activated connection to slot 7 0
    Sep 4 04:46:20 np1 cbs_np6_flowd[639]: [W] COD_PRINT COD: deactivated conn to slot 5 0
    Sep 4 04:46:21 np1 cbs_np6_flowd[639]: [W] COD_PRINT COD: deactivated conn to slot 8 0
    ...
    ------------------- slot 1: show heartbeat -------------------
    Link Quality
    TO: 1
    FROM   1    2    3    4    5    6    7    8    9    10   11   12   13   14
    ON ports
    CB A:  NA   100% NA   100% 100% 100% NA   NA   100% NA   NA   NA   100% NA
    CB B:  NA   NA   NA   NA   NA   NA   NA   NA   NA   NA   NA   NA   NA   NA
    DP A:  100% 100% NA   100% 100% 100% NA   NA   100% NA   NA   NA   100% NA
    DP B:  NA   NA   NA   NA   NA   NA   NA   NA   NA   NA   NA   NA   NA   NA
    ...
    ----------------------- show interface -----------------------
    ...
    10Gigabitethernet 1/12 is up
    Hardware address is N/A
    MTU N/A, BW 10 Gigabit, full-duplex, auto-negotiation is disabled
    Last clearing of "show interface" counters never
    17 packets input, 1088 bytes
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
    0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
    0 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions
    ...
    --------- slot 1: show module status revision serial ---------
    NA = Not Available, DP = Data Plane, CP = Control Plane
    cp = Control Processor, ap = Application Processor, np = Network Processor
    Slot 1:
    Board Part Number 003927
    Board Serial Number G7150512
    Board Revision 8
    FPGA Revision 0x2
    ...
    -------------- slot 1: show module status link --------------
    NA = Not Available, DP = Data Plane, CP = Control Plane
    cp = Control Processor, ap = Application Processor, np = Network Processor
    Slot 1:
    Control Bus A Up
    Control Bus B Up
    np1/ap3 Link Up
    ...
    ------------------ show flow table counters ------------------
    Statistics Counts reported by np1:
    fp_up_slots: 0xfffffffffff
    simplexFlowCount: 2
    ezFlowsRemaining: 2437119
    All Total sent to EZ: 216
    All Total rcvd from EZ: 232
    ...
    --------------- show NPM86xx version and build ---------------
    NPM86xx version and build information reported by np2:
    Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
    Version: NPM Software Version ==> 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
    gcc: 4.1.2
    label: XOS-9_5_0_0-20101205_2
    ------------------ show tech-crash for NPM ------------------
    NPs crash information on slot 3
    ===================================
    Found NP crash information in the following directory:
    total 480
    -rw-r----- 1 root root    105 Mar 31 00:06 cbsoops.txt
    -rwxr-x--- 1 root root 402372 Mar 31 00:06 kallsyms
    -rw-r----- 1 root root  38869 Mar 31 00:06 ksymoops.txt
    -rwxr-x--- 1 root root    638 Mar 31 00:06 modules
    -rwxr-x--- 1 root root  32760 Mar 31 00:06 nvdata.raw
    Detail crash information:
    Crash information from /tftpboot/npm6_3/logs/cbsoops/crash.1/ksymoops.txt:
    Crash occured on 2011.02.23 at 00:06:08
    Kernel release 2.6.16.26-Octeon.
    -- Watchdog Interrupt, core 0
    Hardware Information (bootinfo):
    cores present:   0xffff
    cores active:    0xffff
    DRAM size, MB:   2048
    CPU clock MHz:   750
    DRAM clock MHz:  266
    SPI clock MHz:   350
    board type, rev: 27, 1.0
    chip type, rev:  2, 1.0
    serial number:
    mac_addr_base:   00:03:d2:00:01:01
    Cpu 0 - Process 'swapper'
    -- Watchdog Interrupt, core 0
    $ 0 : 0000000000000000 ffffffff8110b024 a80000002aecff58 a80000002afd48b0
    $ 4 : a80000002afd4880 0000000000000001 0000000000000000 0000000000000000
    $ 8 : a80000002aecc000 0000000000020000 0000000000040000 ffffffff82bf0000
    <output example abbreviated>
    ----------- show ezchip and XBPRC data collection -----------
    NPM/EZ-chip RFD state
    =====================
    NPM2 : OK
    rfd
    RFD rx_port_budget = 000000c0
    RFD status rx      = 00001000
    RFD status tx      = 00000000
    RFD status rx/tx   = 00000000
    RFD status high    = 00000000
    END
    --------------------- end: show calendar ---------------------
    Tue Mar 16 10:55:54 2010

show tech-crash
This command displays crash information to help technical support with any problems you may experience.

Syntax
show tech-crash [<n>]

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description
<n>: Specify a number to view a specific crash. Values are 0 to 20. Use 0 (default) to display all crashes.

Restrictions
Default Privilege Level: 15
NOTE: This command is not available on an offline CPM.

Example
The following shows output from this command.

    CBS# show tech-crash
    CPs crash information
    =====================
    Found CP crash information in the following directory:
    /crossbeam/logs/cbsoops/crash.1:
    total 4376
    -rwxr-x--- 1 root root 1219612 Mar 15 12:14 System.map
    -rw-r----- 1 root root     305 Mar 15 12:14 cbsoops.txt
    -rw-r----- 1 root root      78 Mar 15 12:37 cinfo
    -rw-r----- 1 root root     575 Mar 15 12:14 ksymoops.txt
    -rwxr-x--- 1 root root 3232837 Mar 15 12:56 ksyms
    -rwxr-x--- 1 root root    1804 Mar 15 12:56 modules
    Detail crash information:
    Crash information from /crossbeam/logs/cbsoops/crash.1/ksymoops.txt:
    Kernel rlease 2.6.18-53.el5_64smp.
    Crash occured on 01/07/2011 at 18:21:12.180912
    CPU: 0
    RIP: [<ffffffff88ee7837>]
    RSP: [<ffff8100d0329dd8>]
    EFLAGS: 0000000000000002
    Call Trace: [<ffffffff8000be53>] [<ffffffff88ee7837>] [<ffffffff800356ff>] [<ffffffff8000c2e3>] [<ffffffff802be76d>]
    Code:
    >>RIP; <ffffffff88ee7837 [cbnvram]CbNvramRead+50>
    Trace; <ffffffff8000be53 cbs_dump_crash+958>
    Trace; <ffffffff88ee7837 [cbnvram]CbNvramRead+50>
    Trace; <ffffffff800356ff [x_tables]printk+67>
    Trace; <ffffffff8000c2e3 show_registers+3b>
    Trace; <ffffffff802be76d __die+af>
    APs crash information
    =====================
    No crash information found
    NPs crash information
    =====================
    Found NP crash information in the following directory:
    total 480
    -rw-r----- 1 root root    105 Mar 31 00:06 cbsoops.txt
    -rwxr-x--- 1 root root 402372 Mar 31 00:06 kallsyms
    -rw-r----- 1 root root  38869 Mar 31 00:06 ksymoops.txt
    -rwxr-x--- 1 root root    638 Mar 31 00:06 modules
    -rwxr-x--- 1 root root  32760 Mar 31 00:06 nvdata.raw
    Detail crash information:
    Crash information from /tftpboot/npm6_3/logs/cbsoops/crash.1/ksymoops.txt:
    Crash occured on 2010.03.31 at 00:06:08
    Kernel release 2.6.16.26-Octeon.
    -- Watchdog Interrupt, core 0
    Hardware Information (bootinfo):
    cores present:   0xffff
    cores active:    0xffff
    DRAM size, MB:   2048
    CPU clock MHz:   750
    DRAM clock MHz:  266
    SPI clock MHz:   350
    board type, rev: 27, 1.0
    chip type, rev:  2, 1.0
    serial number:
    mac_addr_base:   00:03:d2:00:01:01
    Cpu 0 - Process 'swapper'

    -- Watchdog Interrupt, core 0
    Call Trace: [<c000000000038434>] rgmii_eth + 0x2434
    Cpu 1 - Process 'cbs_flowd'
    <output example abbreviated>
    CBS#

show tech-support
This command runs several show commands to display extensive and detailed information to help Crossbeam Systems technical support diagnose any problems that your X-Series Platform may experience.

Use the -paging parameter to enable paging of the output of the show tech-support command to the screen. By default, all of the show tech-support command output is printed to the screen. This output is typically 5000 or more lines, so make sure the scrollback buffer of your command shell is set to a sufficient size.

Use the -file parameter to send the output to a file instead of the screen.

Use the -bundle parameter to send the output file and additional diagnostic data to a .tar.gz archive.

NOTE: If you use the -file or -bundle parameter, you will need to wait for up to several minutes for the command to complete its various operations and send all the information to the designated file or archive.

Syntax
show tech-support [-paging | -file <filenameWithCompletePath> | -bundle <filenameWithCompletePath>]


Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description
-bundle <filename>: Use the -bundle parameter to capture the show tech-support command's output and bundle it with additional diagnostic information in tar.gz format. The <filename> should include the complete path desired for the tar.gz archive.
-file <filename>: Use the optional -file parameter to send the show tech-support command's output to a file. The <filename> should include the complete path desired for the output file.
-paging: Use the -paging parameter to enable paging of the output of the show tech-support command to the screen. Press Q to quit the output. Press any other key to view the next page of output. If you do not use the -paging parameter, the command prints all of the output to the screen.

Output
The output of the show tech-support command consists of the aggregate output of a number of CLI show commands. The following table lists the commands that are executed when you run the show tech-support command.

show calendar: See show calendar on page 779
show version detail: See show version on page 644
show tech-crash: See show tech-crash on page 883
show startup-config: See show startup-config on page 636
show running-config: See show running-config on page 632
show chassis: See show chassis on page 780
show environment: See show environment on page 786
show system: See show system on page 801
show interface detail: See show interface on page 838
show application vap-group: See show application vap-group on page 855
show alarms active minor/major/critical: See show alarms on page 769
show operating-mode: See show operating-mode on page 660
show module status: See show module status on page 794
show ap-vap-mapping: See show ap-vap-mapping on page 852
show firmware Revision Checking: See revs_check in the XOS Configuration Guide
show Release History: Displays XOS installation and upgrade history
show cp-redundancy: See show cp-redundancy on page 681
show cp-unknown-state: See show cp-unknown-state on page 682
show ip-mapping: See show ip-mapping on page 706
show ip addresses: See show ip addresses on page 653
show kernel: See show kernel on page 687
show module admin-state: See show module admin-state on page 793
show redundancy-interface: See show redundancy-interface on page 845
show veth-stats: See show veth-stats on page 850
show group-interface status: See show group-interface on page 837
show bridge-mode: See show bridge-mode on page 696
show cpu utilization-average: See show cpu on page 782
show cpu load-average: See show cpu on page 782
show cpu statistic: See show cpu on page 782
show vrrp: See show vrrp on page 859
show NFIq and VDF: See show vdf-status on page 846
show disk-usage history: See show disk-usage on page 785
show current disk-usage: See show disk-usage on page 785
show flow distribution: show flow distribution on page 835
show vdf-stats: See show vdf-status on page 846
show resource-statistics: See show resource-statistics on page 641
show audit-trail: See show audit-trail on page 630
show npm-tech: See show npm-tech on page 880
show heartbeat: See show heartbeat on page 788
show NPM interface detail: See show interface on page 838
show flow table counters: See show npm-tech on page 880
show NPM86xx version and build: See show npm-tech on page 880
show tech-crash for NPM: See show tech-crash on page 883
show ezchip and XBPRC data collection: See show npm-tech on page 880
show current-release verify-rpm: See show current-release on page 784
show calendar: See show calendar on page 779

Restrictions
Default Privilege Level: 15


Example
The following shows a partial output from this command.

NOTE: Information for some parameters, such as mac-addr, is only available for NPM Series-2 mode.

    ----------------------- show calendar -----------------------
    Thu Nov 18 14:18:40 2010

    -------------------- show version detail --------------------
    Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
    Version: XOS 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
    gcc: gcc version 2.96 20000731 (Linux 7.3 2.96-112)
    CVS_Label: XOS-9_5_1_0-20110226_1
    Kit_Number: 37
    CPU at 2327 Mhz processor with 16410064K bytes of memory
    8165904K bytes of memory in use
    Uptime is 3 day(s) 17 hour(s) 58 min(s) 17 sec(s)
    Hard disk is 500(GB)
    Second Hard disk is 500(GB)
    Flash is not present

    Details per slot:
    Revision for slot 1
    Boot Strap version  : 2.0.0.10
    Bootloader version  : 2.0.0.10
    Diagnostics version : 2.1.0.3
    SysCtl FPGA version : 0x4
    Focus FPGA version  : 0xf
    CPLD version        : 0x4
    Board version       : 8
    Board serial number : G7150508
    Board type          : NP8600
    Board part number   : 003927
    Revision for slot 2
    Boot Strap version  : 2.0.0.10
    Bootloader version  : 2.0.0.10
    Diagnostics version : 2.1.0.3
    SysCtl FPGA version : 0x4
    Focus FPGA version  : 0xf
    CPLD version        : 0x4
    Board version       : 8
    Board serial number : G7150499
    Board type          : NP8600
    Board part number   : 003927
    Revision for slot 5
    Boot Strap version  : 1.7.0.1
    Bootloader version  : 1.7.0.2
    Diagnostics version : 1.1.0.4
    SysCtl FPGA version : 0x600
    Focus FPGA version  : 0x600
    CPLD version        : 0x15
    Board version       : 8
    Board serial number : L845H046
    Board type          : AP8650
    Board part number   : 004911


Commands for Crossbeam Customer Support Use


This section contains the following commands:
debug

debug
This command is used for troubleshooting. It should only be used when advised by Customer Support.

Syntax
debug {dump-database <table_name>|dump-psql <query>|tree-syntax}

Context
You access this command from the main CLI context.

Parameters
The following table lists the parameters used with this command.

Parameter: Description
dump-database: Displays database for a given table (internal debug only).
dump-psql: Displays table according to PSQL query (internal debug only).
tree-syntax: Displays command tree with syntax (internal debug only).

Restrictions
Default Privilege Level: 15


15
Using Unix Commands
This chapter describes the UNIX commands used on all VAPs within a VAP group.

NOTE: /usr/os/bin/cbs_rsh is a tool that can be used to execute any interactive UNIX command on all available VAPs in a VAP group or on a particular VAP within a VAP group.

Executing Unix Commands on a Designated VAP
Executing Unix Commands on All VAPs


Executing Unix Commands on a Designated VAP


To execute Unix commands on a designated VAP in a VAP group, use the following command:

    /usr/os/bin/cbs_rsh <VAP_group_name> <VAP_index>

This command takes you to an rsh session on the specified VAP. In that rsh session, you can execute any UNIX command on that VAP.

The following is an example for a VAP with an index of 2 in a VAP group named vgSync. In this example, the command would be entered as follows:

    [root@xxxx bin]# /usr/os/bin/cbs_rsh vgSync 2
    Last login: Thu May 16 17:33:09 from primarycpm
    [root@vgSync_2 /root]#
    [root@vgSync_2 /root]#ps
    PID   TTY    TIME      CMD
    1651  pts/0  00:00:00  login
    1652  pts/0  00:00:00  bash
    1672  pts/0  00:00:00  ps
    [root@vgSync_2 /root]#
    [root@vgSync_2 /root]# exit
    rlogin: connection closed.
    [root@xxxx bin]#

Executing Unix Commands on All VAPs


To execute Unix commands on all VAPs within a VAP group, use the following command:

    /usr/os/bin/cbs_rsh <VAP_group_name>

This command causes the following prompt to display:

    VAP_group_name>>

Commands entered at this prompt are either specific to cbs_rsh, or are executed directly on each VAP within the VAP group. After execution, the command results are displayed. When the execution of all commands has completed, you are returned to the VAP group name prompt. Commands specific to cbs_rsh are shown in Table 3.

Table 3. cbs_rsh commands


Command: Description
quit /q: Exits the cbs_rsh session.
? /help: Displays help menu.
cbs_start_s: Starts saving commands for those VAPs that are down. Whenever these VAPs come back up, all the saved commands are executed on that VAP.
cbs_stop_s: Stops saving commands for those VAPs that are down.
cbs_cp: Copies an existing file on the CPM to all VAPs within the VAP group.
!p: Executes the previous UNIX command.


Copying an Existing File to a VAP Group


To copy a file to VAPs within a VAP group, complete the following:

1. Enter the cbs_cp command at the VAP_group_name>> prompt. The following question displays:

    Source File on CPM (with full path) :

2. Enter the name of the file to copy, with the full path on the CPM. After you enter the name of the file, a check is performed for the existence of the file on the CPM. You are then prompted as follows:

    Destination File on VAP (with full path) :

3. Enter the name of the file/directory on each VAP with full path.

The following is an example of the copy command used on a VAP group named vgSync.

    [root@xxxx bin]# /usr/os/bin/cbs_rsh vgSync
    quit/q - Exit this program
    cbs_cp - Copy a file on CPM to all vaps within a vap-group
    cbs_start_s - Start saving commands for VAPs currently not present
    cbs_stop_s - Stop saving commands for VAPs currently not present
    vgSync>> ps
    #########################################################
    Executing "ps" on VAP ====> vgSync_1
    #########################################################
    PID   TTY  TIME      CMD
    1     ?    00:00:04  init
    2     ?    00:00:00  kflushd
    3     ?    00:00:00  kupdate
    4     ?    00:00:00  kswapd
    5     ?    00:00:00  keventd
    6     ?    00:00:00  rpciod
    359   ?    00:00:00  syslogd
    369   ?    00:00:00  klogd
    472   ?    00:00:00  ntpd
    495   ?    00:00:00  xinetd
    527   ?    00:00:00  cbsvapcfgd
    544   ?    00:00:00  crond
    559   ?    00:00:03  cbshagentd
    560   ?    00:00:00  cbshagentd
    568   ?    00:00:00  cbsinitd
    576   ?    00:00:00  cprid
    608   ?    00:00:00  uugetty
    612   ?    00:00:00  cbsflowagentd
    615   ?    00:00:00  cbsstatsd
    1154  ?    00:00:00  cpwd
    1166  ?    00:00:00  cpd
    1175  ?    00:00:00  cpd
    1177  ?    00:00:00  cpd
    1178  ?    00:00:00  cpd
    1229  ?    00:00:00  fw
    1234  ?    00:00:00  fw
    1235  ?    00:00:00  fw
    1685  ?    00:00:00  in.rshd
    1686  ?    00:00:00  bash
    1687  ?    00:00:00  ps
    vgSync >> quit
    [root@xxxx bin]#

Upgrading an Application on a VAP Group


The /usr/os/bin/cbs_rsh tool, in combination with other commands, can be used to install a new application or upgrade existing applications on a particular VAP group. To do so:

NOTE: To make sure that the installation/upgrade commands are also executed on all VAPs that are presently down, use the cbs_start_s sub command within /usr/os/bin/cbs_rsh before issuing any of the installation/upgrade commands mentioned in Step 2 of the following procedure.

1. Locate the application upgrade files or new applications files in a directory on the CPM using FTP, the Install Server, or HTTP.
2. After files are located on the CPM, run /usr/os/bin/cbs_rsh, for the VAP group on which you want to upgrade an application or install a new application. This copies files and executes all related installation/upgrade commands on each VAP within the VAP group.


16
Understanding CLI Error Messages
This chapter describes the system error and warning messages. These messages are specified by the following categories:
General Error Messages
Subsystem Errors
Threshold (RMON) Agent Errors
SNMP Errors
WEB Access Control Related Error Messages
Warning Messages


General Error Messages


General error messages occur across all XOS subsystems. The following are general error messages generated by the XOS software. Also included is an explanation and a possible solution for each.

Message: All OK
Description: System operating normally.
Action: No action required.

Message: Failed
Description: Present operation has failed.
Action: Check operation and restart.

Message: Invalid value
Description: Invalid value entered.
Action: Check value and re-enter.

Message: Unimplemented commands/argument
Description: Command or argument is not currently supported.
Action: No action required.

Message: Database general error
Description: Database problem has occurred.
Action: Check database for corruption and restart operation, if problem still exists, contact Customer Support.

Message: Database maximum entries reached
Description: Database has reached the maximum number of entries for a controlled entity such as the number of circuits allowed.
Action: Determine what controlled entity is reaching its limit and take appropriate action if needed.

Message: Entry is being used
Description: Database entry specified is currently in use.
Action: Check the entry or specify another entry.

Message: Entry not found
Description: Database entry specified does not exist.
Action: Check the entry or specify another entry.

Message: Unavailable logical interface
Description: The logical interface specified is unavailable.
Action: Try command again or select another interface.

Message: Paired interface is unavailable
Description: The paired-logical interface specified is unavailable.
Action: Try command again or select another interface to pair.

Message: Application conflict detected
Description: An application conflict has been detected.
Action: Check application settings and restart application.

Message: File not found
Description: The file specified was not found.
Action: Check the specified file name or select another file name and re-enter.

Message: File not accessible
Description: File specified is not currently accessible.
Action: Re-enter the file name, select another file name, or check the file permission, and re-enter.

Message: Conflict with existing entry
Description: Entry specified has generated a conflict.
Action: Check entry or select another entry and retry operation.

Message: Unable to execute command
Description: The command specified could not be executed.
Action: Check the command syntax or re-enter the command.

Message: Could not allocate memory
Description: System could not allocate memory for this action.
Action: Check disk space and free up memory.

Message: Missing parameter
Description: Parameter missing from entered command.
Action: Re-enter command with correct parameter.

Message: IP Address confliction found
Description: A conflict in IP addresses has occurred.
Action: Check the specified IP addresses and re-enter the command.

Message: Network portion is empty
Description: The network portion specified is empty.
Action: Check the specified network portion and re-enter the command.

Understanding CLI Error Messages

896

Message Multicast, broadcast network Loopback network Invalid Host Portion Vlan tag ranges overlaps with other logical interfaces on this physical interface Invalid Backup Interface. Interface type should not be the same as the primary Un-recognized type Input too short Input too long Error converting Network mask format Error retrieving IP address and Mask from CIDR format

Description Multicast/Broadcast IP address not valid. Loopback IP address not valid.

Action Enter valid IP address. Enter valid IP address.

The host portion specified is not valid. Check the specified host portion and re-enter the command. Physical interface has VLAN tag ranges that overlap logical interfaces configured on this physical interface. The backup interface is configured the same as the primary interface. Check VLAN range for the logical interface and reconfigure them with a different VLAN range. Reconfigure the backup interface to be different from the primary interface.

The type specified is not valid. The input specified is too short. The input specified is too long. An error occurred during the network mask conversion process. An error occurred during the IP address and network mask from CDIR format.

Check the specified type and re-enter the command. Check the specified input and re-enter the command. Check the specified input and re-enter the command. Check the network mask and re-enter the command. Check the CIDR format and re-enter the command.

Subsystem Errors
| Message | Description | Action |
| --- | --- | --- |
| Error connecting to the database | An error occurred while the system-to-database connection was in progress. | Check syslog and contact Customer Support. |
| Bad data found during execution | Corrupt data found during the execution of the current process. | Check syslog and contact Customer Support. |
| Bad input arguments found | Incorrect input parameters found in command. | Check syslog and contact Customer Support. |
| Bad output method specified | Incorrect output method specified. | Check syslog and contact Customer Support. |
| Unable to obtain RPC Handle | Unable to obtain RPC handle. | Check syslog and contact Customer Support. |
| RPC call failed | Error occurred during RPC call. | Check syslog and contact Customer Support. |
| Unable to obtain Exec Handle | Unable to obtain Exec handle. | Check syslog and contact Customer Support. |
| Command needs to be run in tty mode | Specified command needs to be run in the TTY mode. | Change to TTY mode and re-enter command. |

Threshold (RMON) Agent Errors


| Message | Description | Action |
| --- | --- | --- |
| RMON daemon not responding | RMON daemon not currently responding. | Check syslog and contact Customer Support. |
| Can't modify an existing entry | Specified entry cannot be modified. | To modify entry, delete and recreate it. |
| Could not add Alarm Entry | Specified Alarm entry could not be added. | Check entry and re-enter command. |
| Could not add Event Entry | Specified Event entry could not be added. | Check entry and re-enter command. |
| Invalid Alarm variable: Variable type not supported | Specified Alarm variable parameter is not valid. | Check parameter and re-enter command. |


SNMP Errors
| Message | Description | Action |
| --- | --- | --- |
| Invalid Alarm variable: SNMP NoSuchName | Specified Alarm parameter is not valid. | Check parameter and re-enter command. |
| Invalid Alarm variable: SNMP General Error | Specified Alarm parameter is not valid. | Check parameter and re-enter command. |
| SNMP Error | SNMP error has occurred. | |
| SNMP agent not responding | SNMP agent not responding. | Restart SNMP agent. |
| Community string internal not allowed | Specified string not allowed. | Check string and re-enter command. |

WEB Access Control Related Error Messages


| Message | Description | Action |
| --- | --- | --- |
| Invalid User Name | Specified username is not valid. | Check username and re-enter command. |
| Invalid Password | Specified password is not valid. | Check password and re-enter command. |
| Could not create session-id | Session-id could not be created (system error). | No action required. |
| This user already exists | Specified user already exists. | Check username and re-enter command. |
| Too many users logged in | Too many users currently logged in. | Try again later. |

Warning Messages
| Message | Description | Action |
| --- | --- | --- |
| WARNING: Command takes effect next system reboot (reload) | Specified command does not activate dynamically. | Re-boot system. |
| WARNING: Operation Pending | Specified operation is in progress. | No action required. |


A
Example XOS Running Configuration File
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
# CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
# Kit Number: xx
#Do not remove above this line
#
configure
#
hostname x80 cp1
hostname x80 cp2
ip domainname crossbeam
ip telnet
ip ftp
system-identifier 40
system-internal-network 1.1.0.0/16
operating-mode quad-np series-6
#
#
access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
#
ntp server 192.168.66.10
#
#
#
#
username admin privilege 15 gui-level administrator
#
prompt x80
no timeout
web-server
#
alias wr 'copy running-config startup-config'
#
#
#
vap-group iss xslinux_v3
  vap-count 2
  max-load-count 2
  ap-list ap3 ap5
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10


  ip-flow-rule iss_lb
    action load-balance
    incoming-circuit-group any
    activate
vap-group vsx xslinux_v5
  vap-count 3
  max-load-count 2
  ap-list ap8 ap9
  load-balance-vap-list 3 4 5 6 7 8 9 10 1 2
  ip-forwarding
  no rp-filter
  ip-flow-rule ikesync
    action broadcast
    domain 500
    priority 15
    destination-port 500 500
    activate
vap-group mca xsve
  vap-count 2
  max-load-count 2
  ap-list ap4 ap10 ap7
  load-balance-vap-list 1 2
  ip-forwarding
  fail-to-host
  flow-proxy
  ip-flow-rule mca_lb
    action load-balance
    incoming-circuit-group any
    activate
  ip-flow-rule mca_sync
    action broadcast
    priority 30
    incoming-circuit-group 3
    destination-addr 239.255.0.0 239.255.0.255
    activate
vap-group ft xslinux_v5
  vap-count 2
  ap-list ap6 ap7
  load-balance-vap-list 1 2
  ip-flow-rule ft
    action load-balance
    activate
#
system-non-ip-flow-rule stp
  encapsulation lsap any
  action pass-to-masters
  activate
system-non-ip-flow-rule snap


  encapsulation snap any
  action pass-to-masters
  activate
#
dns server 192.168.66.10 vap-group mca
dns server 192.168.66.10 vap-group ft
#
dns search-name lab.crossbeamsys.com vap-group ft
#
incoming-circuit-group-name 2 internal
incoming-circuit-group-name 3 sync
incoming-circuit-group-name 4 ser
incoming-circuit-group-name 5 ymlt
incoming-circuit-group-name 6 mgmt
#
circuit sync
  device-name sync
  incoming-circuit-group 3
  link-state-resistant
  vap-group mca
    ip-forwarding
    ip 5.5.5.1 255.255.255.0 5.5.5.255 increment-per-vap 5.5.5.4
      alias 5.5.5.5/24 5.5.5.255 floating
circuit sync2 domain 500
  device-name sync
  link-state-resistant
  vap-group vsx
    ip-forwarding
    ip 7.7.7.1 255.255.255.0 7.7.7.255 increment-per-vap 7.7.7.4
circuit ser
  device-name ser
  incoming-circuit-group 4
  vap-group iss
    promiscuous-mode active
  vap-group vsx
  vap-group mca
circuit ser_3001 domain 501
  device-name ser.3001
  incoming-circuit-group 4
  vap-group mca
    ip-forwarding
    default-egress-vlan-tag 3001
    ip 30.30.1.1/24 30.30.1.255
circuit mgt
  device-name mgt
  incoming-circuit-group 6
  vap-group iss
    management-circuit
    ip 172.16.1.94 255.255.255.0 172.16.1.255 increment-per-vap 172.16.1.95
  vap-group vsx
    ip-forwarding


    ip 172.16.1.35/24 172.16.1.255 increment-per-vap 172.16.1.37
  vap-group mca
    ip-forwarding
    ip 172.16.1.41/24 172.16.1.255 increment-per-vap 172.16.1.44
      alias 192.168.71.45/24 192.168.71.255 floating
  vap-group ft
    management-circuit
    ip 172.16.1.60/24 172.16.1.255 increment-per-vap 172.16.1.62
circuit vpn circuit-id
  device-name vpn
  vap-group vsx
circuit snif
  device-name snif
  vap-group ft
    promiscuous-mode
circuit ct72
  device-name ct72
  vap-group ft
    ip 172.16.2.55/24 172.16.2.255
circuit l2br
  device-name l2br
  vap-group iss
circuit inside
  device-name inside
  vap-group iss
    promiscuous-mode active
circuit ymlt
  device-name ymlt
  incoming-circuit-group 5
  vap-group vsx
  vap-group mca
  vap-group ft
circuit ymlt_4001 domain 502
  device-name ymlt.4001
  incoming-circuit-group 5
  vap-group mca
    ip-forwarding
    default-egress-vlan-tag 4001
    ip 40.40.0.1/24 40.40.0.255
circuit ymlt_4003
  device-name ymlt.4003ft
  vap-group ft


    default-egress-vlan-tag 4003
    ip 40.40.3.1 255.255.255.0 40.40.3.255
circuit vsx_ckt_vsx_internal_ser_3002 domain 501
  device-name ser.3002
  vap-group vsx
    ip-forwarding
    default-egress-vlan-tag 3002
    ip 30.30.2.1 255.255.255.0 30.30.2.255
circuit vsx_ckt_vsx_ymlt_4002 domain 505
  device-name ymlt.4002
  vap-group vsx
    ip-forwarding
    default-egress-vlan-tag 4002
    ip 40.40.2.1 255.255.255.0 40.40.2.255
#
bridge-mode l2br transparent
  circuit inside
  circuit ser
#
interface gigabitethernet 1/10
  logical-all snif
    circuit snif
interface gigabitethernet 2/1
  logical mgt
    circuit mgt
interface gigabitethernet 2/10
  logical vpn
    circuit vpn
interface gigabitethernet 4/7
  logical ct72
    circuit ct72
#
group-interface inside
  interface-type gigabitethernet
  mode multi-link
  circuit inside
  interface 2/4
  interface 4/4
group-interface ymlt
  interface-type gigabitethernet
  mode multi-link
  circuit ymlt
  interface 2/6
  interface 4/6
  logical ymlt_4001 ingress-vlan-tag 4001 4001
    circuit ymlt_4001
  logical ymlt_4003 ingress-vlan-tag 4003 4003
    circuit ymlt_4003


  logical vsx_log_vsxe40_ymlt_4002 ingress-vlan-tag 4002 4002
    circuit vsx_ckt_vsxe40_ymlt_4002
#
interface-internal l2br
  logical-all log_ser
    circuit ser
  logical ser_3001 ingress-vlan-tag 3001 3001
    circuit ser_3001
  logical vsx_log_vsxe40_l2br_3002 ingress-vlan-tag 3002 3002
    circuit vsx_ckt_vsxe40_internal_ser_3002
#
interface-internal sync
  logical-all sync
    circuit sync
#
interface-internal sync2
  logical-all sync2
    circuit sync2
#
ip route 0.0.0.0 0.0.0.0 172.16.1.1 vap-group mca circuit mgt
ip route 0.0.0.0 0.0.0.0 172.16.1.1 vap-group iss circuit mgt
ip route 0.0.0.0 0.0.0.0 172.16.2.1 vap-group ft circuit ct72
ip route 10.0.0.0/8 172.16.1.1 vap-group ft circuit mgt
#
management gigabitethernet 13/1
  ip-addr 192.168.71.200 255.255.255.0 192.168.71.255
  enable
  access-list 1001 input
  access-list 1002 output
#
management high-availability cp1
management high-availability cp2
#
management default-gateway 192.168.71.1
#
cp-action cp1 disk-error offline
cp-action cp2 disk-error offline
#
end


B
Legal Single Line Command Groupings
This appendix describes a complete list of all possible XOS CLI commands that you can enter from the main context:

alias
application
application-remove
application-remove version
application-remove version release
application-update
application-upgrade
archive-vap-group
archive-vap-group backup
archive-vap-group delete
archive-vap-group restore
archive-vap-group show
audit-trail
auto-promote
automated-workflow-menu
automated-workflows
automated-workflows purge-log-files
broadcast
calendar
cd
clear
clear alarms
clear alarms all
clear alarms id
clear flow-active
clear interface
clear interface 10gigabitethernet
clear interface all
clear interface gigabitethernet
clear interface gigabitethernet default1
clear interface high-availability
clear netstat


clear resource-statistics
clear switch-data-path
clear switch-data-path all
clear switch-data-path module
clear vdf-status
clear vdf-status module
clear vdf-status vap-group-member
clear-screen
configure
configure access-list
configure access-list icmp
configure access-list icmp source-any
configure access-list icmp source-any destination-any
configure access-list icmp source-any destination-any icmp-message
configure access-list icmp source-any destination-any icmp-type
configure access-list icmp source-any destination-ip
configure access-list icmp source-any destination-ip icmp-message
configure access-list icmp source-any destination-ip icmp-type
configure access-list icmp source-ip
configure access-list icmp source-ip destination-any
configure access-list icmp source-ip destination-any icmp-message
configure access-list icmp source-ip destination-any icmp-type
configure access-list icmp source-ip destination-ip
configure access-list icmp source-ip destination-ip icmp-message
configure access-list icmp source-ip destination-ip icmp-type
configure access-list ip
configure access-list ip source-any
configure access-list ip source-any destination-any
configure access-list ip source-any destination-ip
configure access-list ip source-ip
configure access-list ip source-ip destination-any
configure access-list ip source-ip destination-ip
configure access-list protocol-number
configure access-list protocol-number source-any
configure access-list protocol-number source-any destination-any
configure access-list protocol-number source-any destination-ip
configure access-list protocol-number source-ip
configure access-list protocol-number source-ip destination-any
configure access-list protocol-number source-ip destination-ip
configure access-list tcp


configure access-list tcp source-any
configure access-list tcp source-any source-port
configure access-list tcp source-any source-port destination-any
configure access-list tcp source-any source-port destination-any destination-port
configure access-list tcp source-any source-port destination-any destination-port-any
configure access-list tcp source-any source-port destination-any destination-port-name
configure access-list tcp source-any source-port destination-ip
configure access-list tcp source-any source-port destination-ip destination-port
configure access-list tcp source-any source-port destination-ip destination-port-any
configure access-list tcp source-any source-port destination-ip destination-port-name
configure access-list tcp source-any source-port-any
configure access-list tcp source-any source-port-any destination-any
configure access-list tcp source-any source-port-any destination-any destination-port
configure access-list tcp source-any source-port-any destination-any destination-port-any
configure access-list tcp source-any source-port-any destination-any destination-port-name
configure access-list tcp source-any source-port-any destination-ip
configure access-list tcp source-any source-port-any destination-ip destination-port
configure access-list tcp source-any source-port-any destination-ip destination-port-any
configure access-list tcp source-any source-port-any destination-ip destination-port-name
configure access-list tcp source-any source-port-name
configure access-list tcp source-any source-port-name destination-any
configure access-list tcp source-any source-port-name destination-any destination-port
configure access-list tcp source-any source-port-name destination-any destination-port-any
configure access-list tcp source-any source-port-name destination-any destination-port-name
configure access-list tcp source-any source-port-name destination-ip
configure access-list tcp source-any source-port-name destination-ip destination-port
configure access-list tcp source-any source-port-name destination-ip destination-port-any
configure access-list tcp source-any source-port-name destination-ip destination-port-name
configure access-list tcp source-ip
configure access-list tcp source-ip source-port
configure access-list tcp source-ip source-port destination-any
configure access-list tcp source-ip source-port destination-any destination-port
configure access-list tcp source-ip source-port destination-any destination-port-any
configure access-list tcp source-ip source-port destination-any destination-port-name
configure access-list tcp source-ip source-port destination-ip
configure access-list tcp source-ip source-port destination-ip destination-port
configure access-list tcp source-ip source-port destination-ip destination-port-any
configure access-list tcp source-ip source-port destination-ip destination-port-name
configure access-list tcp source-ip source-port-any
configure access-list tcp source-ip source-port-any destination-any


configure access-list tcp source-ip source-port-any destination-any destination-port
configure access-list tcp source-ip source-port-any destination-any destination-port-any
configure access-list tcp source-ip source-port-any destination-any destination-port-name
configure access-list tcp source-ip source-port-any destination-ip
configure access-list tcp source-ip source-port-any destination-ip destination-port
configure access-list tcp source-ip source-port-any destination-ip destination-port-any
configure access-list tcp source-ip source-port-any destination-ip destination-port-name
configure access-list tcp source-ip source-port-name
configure access-list tcp source-ip source-port-name destination-any
configure access-list tcp source-ip source-port-name destination-any destination-port
configure access-list tcp source-ip source-port-name destination-any destination-port-any
configure access-list tcp source-ip source-port-name destination-any destination-port-name
configure access-list tcp source-ip source-port-name destination-ip
configure access-list tcp source-ip source-port-name destination-ip destination-port
configure access-list tcp source-ip source-port-name destination-ip destination-port-any
configure access-list tcp source-ip source-port-name destination-ip destination-port-name
configure access-list udp
configure access-list udp source-any
configure access-list udp source-any source-port
configure access-list udp source-any source-port destination-any
configure access-list udp source-any source-port destination-any destination-port
configure access-list udp source-any source-port destination-any destination-port-any
configure access-list udp source-any source-port destination-any destination-port-name
configure access-list udp source-any source-port destination-ip
configure access-list udp source-any source-port destination-ip destination-port
configure access-list udp source-any source-port destination-ip destination-port-any
configure access-list udp source-any source-port destination-ip destination-port-name
configure access-list udp source-any source-port-any
configure access-list udp source-any source-port-any destination-any
configure access-list udp source-any source-port-any destination-any destination-port
configure access-list udp source-any source-port-any destination-any destination-port-any
configure access-list udp source-any source-port-any destination-any destination-port-name
configure access-list udp source-any source-port-any destination-ip
configure access-list udp source-any source-port-any destination-ip destination-port
configure access-list udp source-any source-port-any destination-ip destination-port-any
configure access-list udp source-any source-port-any destination-ip destination-port-name
configure access-list udp source-any source-port-name
configure access-list udp source-any source-port-name destination-any
configure access-list udp source-any source-port-name destination-any destination-port
configure access-list udp source-any source-port-name destination-any destination-port-any


configure access-list udp source-any source-port-name destination-any destination-port-name
configure access-list udp source-any source-port-name destination-ip
configure access-list udp source-any source-port-name destination-ip destination-port
configure access-list udp source-any source-port-name destination-ip destination-port-any
configure access-list udp source-any source-port-name destination-ip destination-port-name
configure access-list udp source-ip
configure access-list udp source-ip source-port
configure access-list udp source-ip source-port destination-any
configure access-list udp source-ip source-port destination-any destination-port
configure access-list udp source-ip source-port destination-any destination-port-any
configure access-list udp source-ip source-port destination-any destination-port-name
configure access-list udp source-ip source-port destination-ip
configure access-list udp source-ip source-port destination-ip destination-port
configure access-list udp source-ip source-port destination-ip destination-port-any
configure access-list udp source-ip source-port destination-ip destination-port-name
configure access-list udp source-ip source-port-any
configure access-list udp source-ip source-port-any destination-any
configure access-list udp source-ip source-port-any destination-any destination-port
configure access-list udp source-ip source-port-any destination-any destination-port-any
configure access-list udp source-ip source-port-any destination-any destination-port-name
configure access-list udp source-ip source-port-any destination-ip
configure access-list udp source-ip source-port-any destination-ip destination-port
configure access-list udp source-ip source-port-any destination-ip destination-port-any
configure access-list udp source-ip source-port-any destination-ip destination-port-name
configure access-list udp source-ip source-port-name
configure access-list udp source-ip source-port-name destination-any
configure access-list udp source-ip source-port-name destination-any destination-port
configure access-list udp source-ip source-port-name destination-any destination-port-any
configure access-list udp source-ip source-port-name destination-any destination-port-name
configure access-list udp source-ip source-port-name destination-ip
configure access-list udp source-ip source-port-name destination-ip destination-port
configure access-list udp source-ip source-port-name destination-ip destination-port-any
configure access-list udp source-ip source-port-name destination-ip destination-port-name
configure acl-interface
configure acl-interface destination-mac
configure acl-interface direction
configure acl-interface ether-type
configure acl-interface source-mac
configure acl-interface vlan
configure acl-interface-mapping


configure acl-interface-mapping group-interface
configure acl-interface-mapping group-interface acl-interface
configure acl-interface-mapping group-interface acl-interface capture
configure acl-interface-mapping group-interface acl-interface drop
configure acl-interface-mapping group-interface acl-interface mirror
configure acl-interface-mapping group-interface acl-interface mirror 10gigabitethernet
configure acl-interface-mapping group-interface acl-interface mirror gigabitethernet
configure acl-interface-mapping group-interface acl-interface pass-through
configure acl-interface-mapping group-interface acl-interface pass-through 10gigabitethernet
configure acl-interface-mapping group-interface acl-interface pass-through gigabitethernet
configure acl-interface-mapping interface
configure acl-interface-mapping interface 10gigabitethernet
configure acl-interface-mapping interface 10gigabitethernet acl-interface
configure acl-interface-mapping interface 10gigabitethernet acl-interface capture
configure acl-interface-mapping interface 10gigabitethernet acl-interface drop
configure acl-interface-mapping interface 10gigabitethernet acl-interface mirror
configure acl-interface-mapping interface 10gigabitethernet acl-interface mirror 10gigabitethernet
configure acl-interface-mapping interface 10gigabitethernet acl-interface mirror gigabitethernet
configure acl-interface-mapping interface 10gigabitethernet acl-interface pass-through
configure acl-interface-mapping interface 10gigabitethernet acl-interface pass-through 10gigabitethernet
configure acl-interface-mapping interface 10gigabitethernet acl-interface pass-through gigabitethernet
configure acl-interface-mapping interface gigabitethernet
configure acl-interface-mapping interface gigabitethernet acl-interface
configure acl-interface-mapping interface gigabitethernet acl-interface capture
configure acl-interface-mapping interface gigabitethernet acl-interface drop
configure acl-interface-mapping interface gigabitethernet acl-interface mirror
configure acl-interface-mapping interface gigabitethernet acl-interface mirror 10gigabitethernet
configure acl-interface-mapping interface gigabitethernet acl-interface mirror gigabitethernet
configure acl-interface-mapping interface gigabitethernet acl-interface pass-through
configure acl-interface-mapping interface gigabitethernet acl-interface pass-through 10gigabitethernet
configure acl-interface-mapping interface gigabitethernet acl-interface pass-through gigabitethernet
configure alias
configure arp
configure bridge-mode
configure bridge-mode circuit
configure bridge-mode show
configure chassis-resource-protection
configure chassis-resource-protection enable
configure chassis-resource-protection flow-table-partition
configure chassis-resource-protection flow-table-partition flow-table-profile


configure chassis-resource-protection flow-table-partition flow-table-profile backup-flow-info
configure chassis-resource-protection flow-table-partition flow-table-profile table-limit
configure chassis-resource-protection fragment-handling-options
configure chassis-resource-protection fragment-handling-options ip-id-validation
configure chassis-resource-protection fragment-handling-options selective-drop
configure chassis-resource-protection fragment-handling-options selective-drop allow-fragment-overlap
configure chassis-resource-protection fragment-handling-options selective-drop limit-fragment-queue
configure chassis-resource-protection fragment-handling-options tcp-overlap-protection
configure chassis-resource-protection tcp-flow-validation
configure chassis-resource-protection tcp-flow-validation bypass-tcp-flow-setup-validation
configure check-flow-rule
configure circuit
configure circuit device-name
configure circuit incoming-circuit-group
configure circuit link-state-resistant
configure circuit new-flow-control
configure circuit proxy-arp
configure circuit show
configure circuit tcp-rst-injection
configure circuit vap-group
configure circuit vap-group default-egress-vlan-tag
configure circuit vap-group dhcp-relay
configure circuit vap-group enable
configure circuit vap-group icmp-redirect
configure circuit vap-group ip
configure circuit vap-group ip alias
configure circuit vap-group ip alias floating
configure circuit vap-group ip-flow-rule-no-failover
configure circuit vap-group ip-flow-rule-priority
configure circuit vap-group ip-forwarding
configure circuit vap-group mac-addr
configure circuit vap-group management-circuit
configure circuit vap-group mtu
configure circuit vap-group promiscuous-mode
configure circuit vap-group reclassify-nat-flows
configure circuit vap-group replace-vlan-tag
configure circuit vap-group verify-next-hop-ip
configure cp-action
configure cp-action disk-error
configure cp-redundancy


configure cp-redundancy set
configure dns
configure dns search-name
configure dns server
configure enable
configure enable alarm
configure enable password
configure facility-alarm
configure facility-alarm cpu
configure facility-alarm cpu-core
configure facility-alarm disk-usage-boot
configure facility-alarm disk-usage-cbconfig
configure facility-alarm disk-usage-mgmt
configure facility-alarm disk-usage-root
configure facility-alarm disk-usage-tftpboot
configure facility-alarm disk-usage-var
configure facility-alarm free-memory
configure group-interface
configure group-interface flow-table-limit
configure group-interface fragment-handling-options
configure group-interface interface
configure group-interface interface enable
configure group-interface interface-type
configure group-interface interface-type 10gigabitethernet
configure group-interface interface-type 10gigabitethernet enable
configure group-interface interface-type 10gigabitethernet mac-addr
configure group-interface interface-type 10gigabitethernet pause-frame
configure group-interface interface-type gigabitethernet
configure group-interface interface-type gigabitethernet auto-negotiate
configure group-interface interface-type gigabitethernet duplex-mode
configure group-interface interface-type gigabitethernet enable
configure group-interface interface-type gigabitethernet mac-addr
configure group-interface interface-type gigabitethernet media-speed
configure group-interface interface-type gigabitethernet pause-frame
configure group-interface logical
configure group-interface logical circuit
configure group-interface logical circuit flow-table-limit
configure group-interface logical circuit fragment-handling-options
configure group-interface logical circuit packet-validation
configure group-interface logical circuit packet-validation validate-ip-packet


configure group-interface logical circuit packet-validation validate-tcp-packet
configure group-interface logical circuit packet-validation validate-tcp-xsum
configure group-interface mode
configure group-interface packet-validation
configure group-interface packet-validation validate-ip-packet
configure group-interface packet-validation validate-tcp-packet
configure group-interface packet-validation validate-tcp-xsum
configure group-interface show
configure host
configure hostname
configure incoming-circuit-group-name
configure interface
configure interface 10gigabitethernet
configure interface 10gigabitethernet enable
configure interface 10gigabitethernet logical
configure interface 10gigabitethernet logical circuit
configure interface 10gigabitethernet logical circuit flow-table-limit
configure interface 10gigabitethernet logical circuit fragment-handling-options
configure interface 10gigabitethernet logical circuit packet-validation
configure interface 10gigabitethernet logical circuit packet-validation validate-ip-packet
configure interface 10gigabitethernet logical circuit packet-validation validate-tcp-packet
configure interface 10gigabitethernet logical circuit packet-validation validate-tcp-xsum
configure interface 10gigabitethernet logical show
configure interface 10gigabitethernet logical-all
configure interface 10gigabitethernet logical-all circuit
configure interface 10gigabitethernet logical-all circuit flow-table-limit
configure interface 10gigabitethernet logical-all circuit fragment-handling-options
configure interface 10gigabitethernet logical-all circuit packet-validation
configure interface 10gigabitethernet logical-all circuit packet-validation validate-ip-packet
configure interface 10gigabitethernet logical-all circuit packet-validation validate-tcp-packet
configure interface 10gigabitethernet logical-all circuit packet-validation validate-tcp-xsum
configure interface 10gigabitethernet pause-frame
configure interface 10gigabitethernet show
configure interface 10gigabitethernet standby-only
configure interface gigabitethernet
configure interface gigabitethernet auto-negotiate
configure interface gigabitethernet duplex-mode
configure interface gigabitethernet enable
configure interface gigabitethernet logical
configure interface gigabitethernet logical circuit

configure interface gigabitethernet logical circuit flow-table-limit
configure interface gigabitethernet logical circuit fragment-handling-options
configure interface gigabitethernet logical circuit packet-validation
configure interface gigabitethernet logical circuit packet-validation validate-ip-packet
configure interface gigabitethernet logical circuit packet-validation validate-tcp-packet
configure interface gigabitethernet logical circuit packet-validation validate-tcp-xsum
configure interface gigabitethernet logical show
configure interface gigabitethernet logical-all
configure interface gigabitethernet logical-all circuit
configure interface gigabitethernet logical-all circuit flow-table-limit
configure interface gigabitethernet logical-all circuit fragment-handling-options
configure interface gigabitethernet logical-all circuit packet-validation
configure interface gigabitethernet logical-all circuit packet-validation validate-ip-packet
configure interface gigabitethernet logical-all circuit packet-validation validate-tcp-packet
configure interface gigabitethernet logical-all circuit packet-validation validate-tcp-xsum
configure interface gigabitethernet mac-addr
configure interface gigabitethernet media-speed
configure interface gigabitethernet pause-frame
configure interface gigabitethernet show
configure interface gigabitethernet standby-only
configure interface-internal
configure interface-internal logical
configure interface-internal logical circuit
configure interface-internal logical circuit flow-table-limit
configure interface-internal logical circuit fragment-handling-options
configure interface-internal logical circuit packet-validation
configure interface-internal logical circuit packet-validation validate-ip-packet
configure interface-internal logical circuit packet-validation validate-tcp-packet
configure interface-internal logical circuit packet-validation validate-tcp-xsum
configure interface-internal logical-all
configure interface-internal logical-all circuit
configure interface-internal logical-all circuit flow-table-limit
configure interface-internal logical-all circuit fragment-handling-options
configure interface-internal logical-all circuit packet-validation
configure interface-internal logical-all circuit packet-validation validate-ip-packet
configure interface-internal logical-all circuit packet-validation validate-tcp-packet
configure interface-internal logical-all circuit packet-validation validate-tcp-xsum
configure interface-status-group
configure interface-status-group 10gigabitethernet
configure interface-status-group gigabitethernet

configure interface-status-group group-interface
configure ip
configure ip default-network
configure ip default-network metric
configure ip default-network verify-next-hop
configure ip domainname
configure ip forwarding
configure ip ftp
configure ip route
configure ip route metric
configure ip route verify-next-hop
configure ip ssh
configure ip ssh authentication-retries
configure ip ssh authentication-timeout
configure ip telnet
configure ipv6-tunnel
configure ipv6-tunnel 6to4
configure ipv6-tunnel 6to4 path-mtu-discovery
configure ipv6-tunnel 6to4 source-address
configure ipv6-tunnel 6to4 time-to-live
configure ipv6-tunnel gre
configure ipv6-tunnel gre path-mtu-discovery
configure ipv6-tunnel gre source-address
configure ipv6-tunnel gre time-to-live
configure ipv6-tunnel ipv6ip
configure ipv6-tunnel ipv6ip path-mtu-discovery
configure ipv6-tunnel ipv6ip source-address
configure ipv6-tunnel ipv6ip time-to-live
configure ipv6-tunnel isatap
configure ipv6-tunnel isatap path-mtu-discovery
configure ipv6-tunnel isatap source-address
configure ipv6-tunnel isatap time-to-live
configure ldap-parameter
configure ldap-server
configure logging
configure logging console
configure logging monitor
configure logging server
configure management
configure management arp

configure management default-gateway
configure management gigabitethernet
configure management gigabitethernet access-list
configure management gigabitethernet enable
configure management gigabitethernet ip-addr
configure management gigabitethernet ip-alias
configure management gigabitethernet ip-nat
configure management gigabitethernet ip-nat inside
configure management gigabitethernet ip-nat outside
configure management gigabitethernet mac-addr
configure management gigabitethernet mtu
configure management gigabitethernet show
configure management gigabitethernet speed
configure management high-availability
configure management high-availability auto-negotiate
configure management high-availability duplex-mode
configure management high-availability speed
configure management ip-route
configure management ip-route metric
configure management vip-addr
configure module
configure neighbor-discovery
configure np-reload-timeout
configure np-reset-wait-time
configure ntp
configure ntp server
configure operating-mode
configure packet-validation
configure packet-validation validate-ip-packet
configure packet-validation validate-tcp-packet
configure packet-validation validate-tcp-xsum
configure password
configure privilege
configure prompt
configure radius-server
configure radius-server host
configure rate-limiter
configure rate-limiter excess-burst
configure rate-limiter rate
configure rate-limiter show

configure redundancy-interface
configure redundancy-interface master
configure redundancy-interface master 10gigabitethernet
configure redundancy-interface master 10gigabitethernet backup
configure redundancy-interface master 10gigabitethernet backup 10gigabitethernet
configure redundancy-interface master 10gigabitethernet backup 10gigabitethernet failovermode
configure redundancy-interface master 10gigabitethernet backup gigabitethernet
configure redundancy-interface master 10gigabitethernet backup gigabitethernet failovermode
configure redundancy-interface master gigabitethernet
configure redundancy-interface master gigabitethernet backup
configure redundancy-interface master gigabitethernet backup 10gigabitethernet
configure redundancy-interface master gigabitethernet backup 10gigabitethernet failovermode
configure redundancy-interface master gigabitethernet backup gigabitethernet
configure redundancy-interface master gigabitethernet backup gigabitethernet failovermode
configure remote-box
configure reset-password
configure rmon
configure rmon alarm
configure rmon event
configure routing-protocol
configure routing-protocol-services
configure snmp-server
configure snmp-server community
configure snmp-server contact
configure snmp-server engine-id
configure snmp-server host
configure snmp-server location
configure snmp-user
configure snmp-user auth-type
configure snmp-user no-passwords
configure snmp-user priv-type
configure system-identifier
configure system-internal-network
configure system-ip-flow-rule
configure system-ip-flow-rule action
configure system-ip-flow-rule action allow
configure system-ip-flow-rule action broadcast
configure system-ip-flow-rule action drop
configure system-ip-flow-rule action none
configure system-ip-flow-rule action pass-to-masters

configure system-ip-flow-rule activate
configure system-ip-flow-rule core-assignment
configure system-ip-flow-rule destination-addr
configure system-ip-flow-rule destination-port
configure system-ip-flow-rule direction
configure system-ip-flow-rule domain
configure system-ip-flow-rule generate-reversed-flow
configure system-ip-flow-rule hide-slot-originator
configure system-ip-flow-rule incoming-circuit-group
configure system-ip-flow-rule priority
configure system-ip-flow-rule protocol
configure system-ip-flow-rule rate-limiter
configure system-ip-flow-rule show
configure system-ip-flow-rule skip-port
configure system-ip-flow-rule skip-port-protocol
configure system-ip-flow-rule skip-protocol
configure system-ip-flow-rule source-addr
configure system-ip-flow-rule source-port
configure system-ip-flow-rule timeout
configure system-ip-flow-rule trace
configure system-non-ip-flow-rule
configure system-non-ip-flow-rule action
configure system-non-ip-flow-rule action broadcast
configure system-non-ip-flow-rule action drop
configure system-non-ip-flow-rule action pass-to-masters
configure system-non-ip-flow-rule activate
configure system-non-ip-flow-rule core-assignment
configure system-non-ip-flow-rule encapsulation
configure system-non-ip-flow-rule encapsulation ethernet
configure system-non-ip-flow-rule encapsulation lsap
configure system-non-ip-flow-rule encapsulation snap
configure system-non-ip-flow-rule show
configure terminal
configure terminal history
configure timeout
configure timezone
configure username
configure vap-group
configure vap-group ap-list
configure vap-group application-monitor

configure vap-group backup-mode
configure vap-group delay-flow
configure vap-group dhcp-relay-server-list
configure vap-group enable-ipv6
configure vap-group enable-ipv6 ip-forwarding-ipv6
configure vap-group fail-to-host
configure vap-group flow-proxy
configure vap-group ip-flow-rule
configure vap-group ip-flow-rule action
configure vap-group ip-flow-rule action allow
configure vap-group ip-flow-rule action broadcast
configure vap-group ip-flow-rule action dest-ip-based-load-balance
configure vap-group ip-flow-rule action dest-ip-based-load-balance-no-failover
configure vap-group ip-flow-rule action drop
configure vap-group ip-flow-rule action load-balance
configure vap-group ip-flow-rule action pass-to-master
configure vap-group ip-flow-rule action pass-to-vap
configure vap-group ip-flow-rule action pass-to-vap-no-failover
configure vap-group ip-flow-rule activate
configure vap-group ip-flow-rule bypass-tcp-flow-setup-validation
configure vap-group ip-flow-rule core-assignment
configure vap-group ip-flow-rule destination-addr
configure vap-group ip-flow-rule destination-port
configure vap-group ip-flow-rule direction
configure vap-group ip-flow-rule domain
configure vap-group ip-flow-rule generate-reversed-flow
configure vap-group ip-flow-rule hide-slot-originator
configure vap-group ip-flow-rule incoming-circuit-group
configure vap-group ip-flow-rule priority
configure vap-group ip-flow-rule protocol
configure vap-group ip-flow-rule rate-limiter
configure vap-group ip-flow-rule show
configure vap-group ip-flow-rule skip-port
configure vap-group ip-flow-rule skip-port-protocol
configure vap-group ip-flow-rule skip-protocol
configure vap-group ip-flow-rule source-addr
configure vap-group ip-flow-rule source-port
configure vap-group ip-flow-rule timeout
configure vap-group ip-flow-rule trace
configure vap-group ip-forwarding

configure vap-group jumbo-frame
configure vap-group load-balance-vap-list
configure vap-group load-priority
configure vap-group log-martians
configure vap-group master-failover-trigger
configure vap-group master-holddown
configure vap-group max-load-count
configure vap-group max-reload-count
configure vap-group non-ip-flow-rule
configure vap-group non-ip-flow-rule action
configure vap-group non-ip-flow-rule action broadcast
configure vap-group non-ip-flow-rule action drop
configure vap-group non-ip-flow-rule action pass-to-master
configure vap-group non-ip-flow-rule activate
configure vap-group non-ip-flow-rule core-assignment
configure vap-group non-ip-flow-rule encapsulation
configure vap-group non-ip-flow-rule encapsulation ethernet
configure vap-group non-ip-flow-rule encapsulation lsap
configure vap-group non-ip-flow-rule encapsulation snap
configure vap-group non-ip-flow-rule show
configure vap-group preemption-priority
configure vap-group raid
configure vap-group reload-timeout
configure vap-group rp-filter
configure vap-group scatter-gather
configure vap-group show
configure vap-group vap-count
configure vap-group vg-reset-wait-time
configure vrrp
configure vrrp failover-group
configure vrrp failover-group advertise-interval
configure vrrp failover-group enable
configure vrrp failover-group monitor-circuit
configure vrrp failover-group monitor-circuit priority-delta
configure vrrp failover-group monitor-group-interface
configure vrrp failover-group monitor-group-interface dist-port-threshold
configure vrrp failover-group monitor-group-interface priority-delta
configure vrrp failover-group monitor-interface
configure vrrp failover-group monitor-interface 10gigabitethernet
configure vrrp failover-group monitor-interface 10gigabitethernet priority-delta

configure vrrp failover-group monitor-interface gigabitethernet
configure vrrp failover-group monitor-interface gigabitethernet priority-delta
configure vrrp failover-group ospf-cost-increment
configure vrrp failover-group preemption
configure vrrp failover-group priority
configure vrrp failover-group virtual-router
configure vrrp failover-group virtual-router backup-stay-up
configure vrrp failover-group virtual-router dist-port-threshold
configure vrrp failover-group virtual-router mac-usage
configure vrrp failover-group virtual-router priority-delta
configure vrrp failover-group virtual-router vap-group
configure vrrp failover-group virtual-router vap-group ip
configure vrrp failover-group virtual-router vap-group verify-next-hop-ip
configure vrrp failover-group virtual-router vap-group verify-next-hop-ip priority-delta
configure vrrp failover-group virtual-router vap-group virtual-ip
configure vrrp failover-group virtual-router vap-group virtual-ip floating
configure vrrp vap-group
configure vrrp vap-group active-vap-threshold
configure vrrp vap-group enable
configure vrrp vap-group failover-group-list
configure vrrp vap-group hold-down-timer
configure vrrp vap-group priority-delta
configure web-server
configure web-timeout
configure web-wizard
copy
copy running-config
copy startup-config
copy startup-config interface
copy startup-config interface 10gigabitethernet
copy startup-config interface gigabitethernet
cp-disk-scheme
cp-next-boot
cp-unknown-state
debug
debug dump-database
debug dump-psql
debug tree-syntax
dir
disconnect

disconnect ssh
echo
enable
enable level
enable more
end
exec
exit
grep
help
lock-config
logging
logout
logout save-config
ping
prompt
pwd
reload
reload all
reload all at
reload all in
reload module
reload module at
reload module in
reload offline-cp
reload vap-group
reset-configuration
routing-protocol
routing-protocol configure
routing-protocol install
routing-protocol restore
routing-protocol save
routing-protocol status
routing-protocol uninstall
routing-protocol update
routing-protocol-services
routing-protocol-services configure
routing-protocol-services install
routing-protocol-services restore
routing-protocol-services save

routing-protocol-services status
routing-protocol-services uninstall
routing-protocol-services update
routing-protocol-services upgrade
script
search
show
show access-list
show acl-interface
show acl-interface-mapping
show alarm-enabled
show alarms
show alarms active
show alarms active date
show alarms history
show alarms history date
show alarms model
show alias
show ap-vap-mapping
show application
show application vap-group
show archive-vap-group
show arp
show audit-trail
show audit-trail date
show auto-promote
show autocommand
show automated-workflow-progress
show bridge-mode
show calendar
show chassis
show check-flow-rule
show circuit
show cp-disk-error
show cp-disk-scheme
show cp-next-boot
show cp-redundancy
show cp-unknown-state
show cpu
show current-release

show default-ip-flow-rule
show default-non-ip-flow-rule
show disk-usage
show dns-search-name
show dns-server
show environment
show facility-alarm
show flow
show flow active
show flow distribution
show flow-path
show flow-path active
show group-interface
show group-interface stats
show group-interface status
show heartbeat
show history
show host
show hostname
show incoming-circuit-group-name
show interface
show interface 10gigabitethernet
show interface gigabitethernet
show interface high-availability
show interface-internal
show interface-status-group
show internal-ip
show ip
show ip addresses
show ip default-network
show ip domainname
show ip forwarding
show ip ftp
show ip route
show ip ssh
show ip telnet
show ip-flow-rule
show ip-mapping
show kernel
show ldap-parameters

show ldap-server
show lock-config
show logging
show logging console
show logging console date
show logging server
show logging setting
show management
show management gigabitethernet
show management high-availability
show management-ip-alias
show management-ip-nat
show management-vip
show module
show module admin-state
show module status
show neighbor-discovery
show netstat
show non-ip-flow
show np-reload-timeout
show np-reset-wait-time
show npm-originated-flow-stats
show npm-tech
show ntp-server
show operating-mode
show privilege
show radius-server
show rate-limiter
show redundancy-interface
show related-running-config
show related-startup-config
show reload
show remote-box
show resource-statistics
show resource-statistics flow-table-limit
show resource-statistics flow-table-usage
show rmon
show routing-protocol
show running-config
show running-config interface

show running-config interface 10gigabitethernet
show running-config interface gigabitethernet
show snmp
show snmp-user
show ssh-session
show startup-config
show startup-config interface
show startup-config interface 10gigabitethernet
show startup-config interface gigabitethernet
show status-grouping
show switch-data-path
show system
show system-identifier
show system-internal-network
show system-ip-flow-rule
show system-non-ip-flow-rule
show tech-crash
show tech-support
show tech-support -bundle
show tech-support -file
show tech-support -paging
show terminal
show terminal history
show timeout
show timezone
show traplog
show tree
show username
show usernames
show vap-group
show vdf-status
show vdf-status module
show vdf-status vap-group
show vdf-status vap-group-member
show version
show veth-stats
show vlan
show vrrp
show vrrp circuit-ip
show vrrp detail-status

show vrrp detail-status-help
show vrrp failover-group
show vrrp monitor-circuit
show vrrp monitor-group-interfaces
show vrrp monitor-interfaces
show vrrp status
show vrrp vap-group
show vrrp verify-next-hop
show vrrp virtual-router
show vsx-configuration
show web-server
show web-session
show web-timeout
show web-wizard
shutdown
sleep
ssh
swatch
terminal
terminal history
timeout
unix
upgrade
upgrade in-service
upgrade in-service batch-1
upgrade in-service batch-10
upgrade in-service batch-2
upgrade in-service batch-3
upgrade in-service batch-4
upgrade in-service batch-5
upgrade in-service batch-6
upgrade in-service batch-7
upgrade in-service batch-8
upgrade in-service batch-9
upgrade in-service batch-default
upgrade in-service clear-batches
upgrade in-service install
upgrade in-service show
upgrade in-service show batches
upgrade in-service show default-batches

upgrade in-service show new-releases
upgrade in-service show progress
upgrade in-service show standby-modules
upgrade install
upgrade remove
upgrade show
upgrade show current-running-release
upgrade show new-release
upgrade show release
upgrade verify-system
validate-configuration
vap-group-password
vap-group-password-expiration
vrrp-relinquish-master
who

C
Configurable Command Privilege Levels
This appendix describes the default privilege level for all commands.

+-alias (0) +-application (15) +-application-remove (15) | +-version (15) | +-release (15) +-application-update (15) +-application-upgrade (15) +-archive-vap-group (15) | +-backup (15) | +-delete (15) | +-restore (15) | +-show (15) +-audit-trail (0) +-auto-promote (0) +-automated-workflow-menu (0) +-automated-workflows (15) | +-purge-log-files (15) +-broadcast (0) +-calendar (15) +-cd (0) +-clear (15) | +-alarms (15) | | +-all (15) | | +-id (15) | +-flow-active (15) | +-interface (15) | | +-10gigabitethernet (15) | | +-all (15) | | +-gigabitethernet (15) | | | +-default1 (0) | | +-high-availability (15) | +-netstat (15) | +-resource-statistics (15) | +-switch-data-path (15) | | +-all (15) | | +-module (15) | +-vdf-status (15) | +-module (15) | +-vap-group-member (15) +-clear-screen (0) +-configure (0) | +-access-list (15) | | +-icmp (15) | | | +-source-any (15) | | | | +-destination-any (15) | | | | | +-icmp-message (15) | | | | | +-icmp-type (15)

| | +-destination-ip (15) | | +-icmp-message (15) | | +-icmp-type (15) | +-source-ip (15) | +-destination-any (15) | | +-icmp-message (15) | | +-icmp-type (15) | +-destination-ip (15) | +-icmp-message (15) | +-icmp-type (15) +-ip (15) | +-source-any (15) | | +-destination-any (15) | | +-destination-ip (15) | +-source-ip (15) | +-destination-any (15) | +-destination-ip (15) +-protocol-number (15) | +-source-any (15) | | +-destination-any (15) | | +-destination-ip (15) | +-source-ip (15) | +-destination-any (15) | +-destination-ip (15) +-tcp (15) | +-source-any (15) | | +-source-port (15) | | | +-destination-any (15) | | | | +-destination-port (15) | | | | +-destination-port-any (15) | | | | +-destination-port-name (15) | | | +-destination-ip (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-source-port-any (15) | | | +-destination-any (15) | | | | +-destination-port (15) | | | | +-destination-port-any (15) | | | | +-destination-port-name (15) | | | +-destination-ip (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-source-port-name (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-ip (15) | +-source-port (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15)

| | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-any (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-name (15) | +-destination-any (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-destination-ip (15) | +-destination-port (15) | +-destination-port-any (15) | +-destination-port-name (15) +-udp (15) +-source-any (15) | +-source-port (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-any (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-name (15) | +-destination-any (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-destination-ip (15) | +-destination-port (15) | +-destination-port-any (15) | +-destination-port-name (15) +-source-ip (15) +-source-port (15) | +-destination-any (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15)

| | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-any (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-name (15) | +-destination-any (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-destination-ip (15) | +-destination-port (15) | +-destination-port-any (15) | +-destination-port-name (15) +-acl-interface (15) | +-destination-mac (15) | +-direction (15) | +-ether-type (15) | +-source-mac (15) | +-vlan (15) +-acl-interface-mapping (15) | +-group-interface (15) | | +-acl-interface (15) | | +-capture (15) | | +-drop (15) | | +-mirror (15) | | | +-10gigabitethernet (15) | | | +-gigabitethernet (15) | | +-pass-through (15) | | +-10gigabitethernet (15) | | +-gigabitethernet (15) | +-interface (15) | +-10gigabitethernet (15) | | +-acl-interface (15) | | +-capture (15) | | +-drop (15) | | +-mirror (15) | | | +-10gigabitethernet (15) | | | +-gigabitethernet (15) | | +-pass-through (15) | | +-10gigabitethernet (15) | | +-gigabitethernet (15) | +-gigabitethernet (15) | +-acl-interface (15) | +-capture (15) | +-drop (15) | +-mirror (15) | | +-10gigabitethernet (15) | | +-gigabitethernet (15) | +-pass-through (15)

| +-10gigabitethernet (15) | +-gigabitethernet (15) +-alias (15) +-arp (15) +-bridge-mode (15) | +-circuit (15) | +-show (15) +-chassis-resource-protection (15) | +-enable (15) | +-flow-table-partition (15) | | +-flow-table-profile (15) | | +-backup-flow-info (15) | | +-table-limit (15) | +-fragment-handling-options (15) | | +-ip-id-validation (15) | | +-selective-drop (15) | | | +-allow-fragment-overlap (15) | | | +-limit-fragment-queue (15) | | +-tcp-overlap-protection (15) | +-tcp-flow-validation (15) | +-bypass-tcp-flow-setup-validation (15) +-check-flow-rule (15) +-circuit (15) | +-device-name (15) | +-incoming-circuit-group (15) | +-link-state-resistant (15) | +-new-flow-control (15) | +-proxy-arp (15) | +-show (15) | +-tcp-rst-injection (15) | +-vap-group (15) | | +-default-egress-vlan-tag (15) | | +-dhcp-relay (15) | | +-enable (15) | | +-icmp-redirect (15) | | +-ip (15) | | | +-alias (15) | | | +-floating (15) | | +-ip-flow-rule-no-failover (15) | | +-ip-flow-rule-priority (15) | | +-ip-forwarding (15) | | +-mac-addr (15) | | +-management-circuit (15) | | +-mtu (15) | | +-promiscuous-mode (15) | | +-reclassify-nat-flows (15) | | +-replace-vlan-tag (15) | | +-verify-next-hop-ip (15) +-cp-action (15) | +-disk-error (15) +-cp-redundancy (15) | +-set (15) +-dns (15) | +-search-name (15) | +-server (15) +-enable (15) | +-alarm (15) | +-password (15)

+-facility-alarm (15) | +-cpu (15) | +-cpu-core (15) | +-disk-usage-boot (15) | +-disk-usage-cbconfig (15) | +-disk-usage-mgmt (15) | +-disk-usage-root (15) | +-disk-usage-tftpboot (15) | +-disk-usage-var (15) | +-free-memory (15) +-group-interface (15) | +-flow-table-limit (15) | +-fragment-handling-options (15) | +-interface (15) | | +-enable (15) | +-interface-type (15) | | +-10gigabitethernet (15) | | | +-enable (15) | | | +-mac-addr (15) | | | +-pause-frame (15) | | +-gigabitethernet (15) | | +-auto-negotiate (15) | | +-duplex-mode (15) | | +-enable (15) | | +-mac-addr (15) | | +-media-speed (15) | | +-pause-frame (15) | +-logical (15) | | +-circuit (15) | | +-flow-table-limit (15) | | +-fragment-handling-options (15) | | +-packet-validation (15) | | +-validate-ip-packet (15) | | +-validate-tcp-packet (15) | | +-validate-tcp-xsum (15) | +-mode (15) | +-packet-validation (15) | | +-validate-ip-packet (15) | | +-validate-tcp-packet (15) | | +-validate-tcp-xsum (15) | +-show (15) +-host (15) +-hostname (15) +-incoming-circuit-group-name (15) +-interface (15) | +-10gigabitethernet (15) | | +-enable (15) | | +-logical (15) | | | +-circuit (15) | | | | +-flow-table-limit (15) | | | | +-fragment-handling-options (15) | | | | +-packet-validation (15) | | | | +-validate-ip-packet (15) | | | | +-validate-tcp-packet (15) | | | | +-validate-tcp-xsum (15) | | | +-show (15) | | +-logical-all (15) | | | +-circuit (15)

| | | +-flow-table-limit (15) | | | +-fragment-handling-options (15) | | | +-packet-validation (15) | | | +-validate-ip-packet (15) | | | +-validate-tcp-packet (15) | | | +-validate-tcp-xsum (15) | | +-pause-frame (15) | | +-show (15) | | +-standby-only (15) | +-gigabitethernet (15) | +-auto-negotiate (15) | +-duplex-mode (15) | +-enable (15) | +-logical (15) | | +-circuit (15) | | | +-flow-table-limit (15) | | | +-fragment-handling-options (15) | | | +-packet-validation (15) | | | +-validate-ip-packet (15) | | | +-validate-tcp-packet (15) | | | +-validate-tcp-xsum (15) | | +-show (15) | +-logical-all (15) | | +-circuit (15) | | +-flow-table-limit (15) | | +-fragment-handling-options (15) | | +-packet-validation (15) | | +-validate-ip-packet (15) | | +-validate-tcp-packet (15) | | +-validate-tcp-xsum (15) | +-mac-addr (15) | +-media-speed (15) | +-pause-frame (15) | +-show (15) | +-standby-only (15) +-interface-internal (15) | +-logical (15) | | +-circuit (15) | | +-flow-table-limit (15) | | +-fragment-handling-options (15) | | +-packet-validation (15) | | +-validate-ip-packet (15) | | +-validate-tcp-packet (15) | | +-validate-tcp-xsum (15) | +-logical-all (15) | +-circuit (15) | +-flow-table-limit (15) | +-fragment-handling-options (15) | +-packet-validation (15) | +-validate-ip-packet (15) | +-validate-tcp-packet (15) | +-validate-tcp-xsum (15) +-interface-status-group (15) | +-10gigabitethernet (15) | +-gigabitethernet (15) | +-group-interface (15) +-ip (15) | +-default-network (15)

| | +-metric (15) | | +-verify-next-hop (15) | +-domainname (15) | +-forwarding (15) | +-ftp (15) | +-route (15) | | +-metric (15) | | +-verify-next-hop (15) | +-ssh (15) | | +-authentication-retries (15) | | +-authentication-timeout (15) | +-telnet (15) +-ipv6-tunnel (15) | +-6to4 (15) | | +-path-mtu-discovery (15) | | +-source-address (15) | | +-time-to-live (15) | +-gre (15) | | +-path-mtu-discovery (15) | | +-source-address (15) | | +-time-to-live (15) | +-ipv6ip (15) | | +-path-mtu-discovery (15) | | +-source-address (15) | | +-time-to-live (15) | +-isatap (15) | +-path-mtu-discovery (15) | +-source-address (15) | +-time-to-live (15) +-ldap-parameter (15) +-ldap-server (15) +-logging (15) | +-console (15) | +-monitor (15) | +-server (15) +-management (15) | +-arp (15) | +-default-gateway (15) | +-gigabitethernet (15) | | +-access-list (15) | | +-enable (15) | | +-ip-addr (15) | | +-ip-alias (15) | | +-ip-nat (15) | | | +-inside (15) | | | +-outside (15) | | +-mac-addr (15) | | +-mtu (15) | | +-show (15) | | +-speed (15) | +-high-availability (15) | | +-auto-negotiate (15) | | +-duplex-mode (15) | | +-speed (15) | +-ip-route (15) | | +-metric (15) | +-vip-addr (15) +-module (15)


| +-neighbor-discovery (15)
| +-np-reload-timeout (15)
| +-np-reset-wait-time (15)
| +-ntp (15)
| | +-server (15)
| +-operating-mode (15)
| +-packet-validation (15)
| | +-validate-ip-packet (15)
| | +-validate-tcp-packet (15)
| | +-validate-tcp-xsum (15)
| +-password (0)
| +-privilege (15)
| +-prompt (15)
| +-radius-server (15)
| | +-host (15)
| +-rate-limiter (15)
| | +-excess-burst (15)
| | +-rate (15)
| | +-show (15)
| +-redundancy-interface (15)
| | +-master (15)
| | +-10gigabitethernet (15)
| | | +-backup (15)
| | | +-10gigabitethernet (15)
| | | | +-failovermode (15)
| | | +-gigabitethernet (15)
| | | +-failovermode (15)
| | +-gigabitethernet (15)
| | +-backup (15)
| | +-10gigabitethernet (15)
| | | +-failovermode (15)
| | +-gigabitethernet (15)
| | +-failovermode (15)
| +-remote-box (15)
| +-reset-password (15)
| +-rmon (15)
| | +-alarm (15)
| | +-event (15)
| +-routing-protocol (15)
| +-routing-protocol-services (15)
| +-snmp-server (15)
| | +-community (15)
| | +-contact (15)
| | +-engine-id (15)
| | +-host (15)
| | +-location (15)
| +-snmp-user (15)
| | +-auth-type (15)
| | +-no-passwords (15)
| | +-priv-type (15)
| +-system-identifier (15)
| +-system-internal-network (15)
| +-system-ip-flow-rule (15)
| | +-action (15)
| | | +-allow (15)
| | | +-broadcast (15)
| | | +-drop (15)
| | | +-none (15)


| | | +-pass-to-masters (15)
| | +-activate (15)
| | +-core-assignment (15)
| | +-destination-addr (15)
| | +-destination-port (15)
| | +-direction (15)
| | +-domain (15)
| | +-generate-reversed-flow (15)
| | +-hide-slot-originator (15)
| | +-incoming-circuit-group (15)
| | +-priority (15)
| | +-protocol (15)
| | +-rate-limiter (15)
| | +-show (15)
| | +-skip-port (15)
| | +-skip-port-protocol (15)
| | +-skip-protocol (15)
| | +-source-addr (15)
| | +-source-port (15)
| | +-timeout (15)
| | +-trace (15)
| +-system-non-ip-flow-rule (15)
| | +-action (15)
| | | +-broadcast (15)
| | | +-drop (15)
| | | +-pass-to-masters (15)
| | +-activate (15)
| | +-core-assignment (15)
| | +-encapsulation (15)
| | | +-ethernet (15)
| | | +-lsap (15)
| | | +-snap (15)
| | +-show (15)
| +-terminal (15)
| | +-history (15)
| +-timeout (15)
| +-timezone (15)
| +-username (15)
| +-vap-group (15)
| | +-ap-list (15)
| | +-application-monitor (15)
| | +-backup-mode (15)
| | +-delay-flow (15)
| | +-dhcp-relay-server-list (15)
| | +-enable-ipv6 (15)
| | | +-ip-forwarding-ipv6 (15)
| | +-fail-to-host (15)
| | +-flow-proxy (15)
| | +-ip-flow-rule (15)
| | | +-action (15)
| | | | +-allow (15)
| | | | +-broadcast (15)
| | | | +-dest-ip-based-load-balance (15)
| | | | +-dest-ip-based-load-balance-no-failover (15)
| | | | +-drop (15)
| | | | +-load-balance (15)
| | | | +-pass-to-master (15)
| | | | +-pass-to-vap (15)


| | | | +-pass-to-vap-no-failover (15)
| | | +-activate (15)
| | | +-bypass-tcp-flow-setup-validation (15)
| | | +-core-assignment (15)
| | | +-destination-addr (15)
| | | +-destination-port (15)
| | | +-direction (15)
| | | +-domain (15)
| | | +-generate-reversed-flow (15)
| | | +-hide-slot-originator (15)
| | | +-incoming-circuit-group (15)
| | | +-priority (15)
| | | +-protocol (15)
| | | +-rate-limiter (15)
| | | +-show (15)
| | | +-skip-port (15)
| | | +-skip-port-protocol (15)
| | | +-skip-protocol (15)
| | | +-source-addr (15)
| | | +-source-port (15)
| | | +-timeout (15)
| | | +-trace (15)
| | +-ip-forwarding (15)
| | +-jumbo-frame (15)
| | +-load-balance-vap-list (15)
| | +-load-priority (15)
| | +-log-martians (15)
| | +-master-failover-trigger (15)
| | +-master-holddown (15)
| | +-max-load-count (15)
| | +-max-reload-count (15)
| | +-non-ip-flow-rule (15)
| | | +-action (15)
| | | | +-broadcast (15)
| | | | +-drop (15)
| | | | +-pass-to-master (15)
| | | +-activate (15)
| | | +-core-assignment (15)
| | | +-encapsulation (15)
| | | | +-ethernet (15)
| | | | +-lsap (15)
| | | | +-snap (15)
| | | +-show (15)
| | +-preemption-priority (15)
| | +-raid (15)
| | +-reload-timeout (15)
| | +-rp-filter (15)
| | +-scatter-gather (15)
| | +-show (15)
| | +-vap-count (15)
| | +-vg-reset-wait-time (15)
| +-vrrp (10)
| | +-failover-group (15)
| | | +-advertise-interval (15)
| | | +-enable (15)
| | | +-monitor-circuit (15)
| | | | +-priority-delta (15)
| | | +-monitor-group-interface (15)


| | | | +-dist-port-threshold (15)
| | | | +-priority-delta (15)
| | | +-monitor-interface (15)
| | | | +-10gigabitethernet (15)
| | | | | +-priority-delta (15)
| | | | +-gigabitethernet (15)
| | | | +-priority-delta (15)
| | | +-ospf-cost-increment (15)
| | | +-preemption (15)
| | | +-priority (15)
| | | +-virtual-router (15)
| | | +-backup-stay-up (15)
| | | +-dist-port-threshold (15)
| | | +-mac-usage (15)
| | | +-priority-delta (15)
| | | +-vap-group (15)
| | | +-ip (15)
| | | +-verify-next-hop-ip (15)
| | | | +-priority-delta (15)
| | | +-virtual-ip (15)
| | | +-floating (15)
| | +-vap-group (15)
| | +-active-vap-threshold (15)
| | +-enable (15)
| | +-failover-group-list (15)
| | +-hold-down-timer (15)
| | +-priority-delta (15)
| +-web-server (15)
| +-web-timeout (15)
| +-web-wizard (15)
+-copy (15)
| +-running-config (15)
| +-startup-config (15)
| +-interface (15)
| +-10gigabitethernet (15)
| +-gigabitethernet (15)
+-cp-disk-scheme (15)
+-cp-next-boot (15)
+-cp-unknown-state (15)
+-debug (15)
| +-dump-database (15)
| +-dump-psql (15)
| +-tree-syntax (15)
+-dir (0)
+-disconnect (15)
| +-ssh (15)
+-echo (0)
+-enable (0)
| +-level (0)
| +-more (0)
+-end (0)
+-exec (0)
+-exit (0)
+-grep (15)
+-help (0)
+-lock-config (15)
+-logging (0)
+-logout (0)


| +-save-config (15)
+-ping (0)
+-prompt (0)
+-pwd (0)
+-reload (15)
| +-all (15)
| | +-at (15)
| | +-in (15)
| +-module (15)
| | +-at (15)
| | +-in (15)
| +-offline-cp (15)
| +-vap-group (15)
+-reset-configuration (15)
+-routing-protocol (15)
| +-configure (15)
| +-install (15)
| +-restore (15)
| +-save (15)
| +-status (15)
| +-uninstall (15)
| +-update (15)
+-routing-protocol-services (15)
| +-configure (15)
| +-install (15)
| +-restore (15)
| +-save (15)
| +-status (15)
| +-uninstall (15)
| +-update (15)
| +-upgrade (15)
+-script (0)
+-search (0)
+-show (0)
| +-access-list (15)
| +-acl-interface (15)
| +-acl-interface-mapping (15)
| +-alarm-enabled (0)
| +-alarms (0)
| | +-active (0)
| | | +-date (0)
| | +-history (0)
| | | +-date (0)
| | +-model (0)
| +-alias (0)
| +-ap-vap-mapping (0)
| +-application (0)
| | +-vap-group (0)
| +-archive-vap-group (0)
| +-arp (0)
| +-audit-trail (0)
| | +-date (0)
| +-auto-promote (0)
| +-autocommand (0)
| +-automated-workflow-progress (15)
| +-bridge-mode (0)
| +-calendar (0)
| +-chassis (0)


| +-check-flow-rule (0)
| +-circuit (0)
| +-cp-disk-error (15)
| +-cp-disk-scheme (0)
| +-cp-next-boot (0)
| +-cp-redundancy (0)
| +-cp-unknown-state (15)
| +-cpu (0)
| +-current-release (0)
| +-default-ip-flow-rule (15)
| +-default-non-ip-flow-rule (15)
| +-disk-usage (15)
| +-dns-search-name (0)
| +-dns-server (0)
| +-environment (0)
| +-facility-alarm (0)
| +-flow (0)
| | +-active (15)
| | +-distribution (0)
| +-flow-path (15)
| | +-active (15)
| +-group-interface (15)
| | +-stats (15)
| | +-status (15)
| +-heartbeat (0)
| +-history (0)
| +-host (0)
| +-hostname (0)
| +-incoming-circuit-group-name (0)
| +-interface (0)
| | +-10gigabitethernet (0)
| | +-gigabitethernet (0)
| | +-high-availability (0)
| +-interface-internal (15)
| +-interface-status-group (0)
| +-internal-ip (0)
| +-ip (0)
| | +-addresses (0)
| | +-default-network (0)
| | +-domainname (0)
| | +-forwarding (0)
| | +-ftp (0)
| | +-route (0)
| | +-ssh (0)
| | +-telnet (0)
| +-ip-flow-rule (15)
| +-ip-mapping (0)
| +-kernel (0)
| +-ldap-parameters (15)
| +-ldap-server (15)
| +-lock-config (0)
| +-logging (0)
| | +-console (0)
| | | +-date (0)
| | +-server (0)
| | +-setting (0)
| +-management (0)
| | +-gigabitethernet (0)


| | +-high-availability (0)
| +-management-ip-alias (0)
| +-management-ip-nat (0)
| +-management-vip (15)
| +-module (0)
| | +-admin-state (0)
| | +-status (0)
| +-neighbor-discovery (0)
| +-netstat (0)
| +-non-ip-flow (15)
| +-np-reload-timeout (0)
| +-np-reset-wait-time (15)
| +-npm-originated-flow-stats (0)
| +-npm-tech (15)
| +-ntp-server (0)
| +-operating-mode (15)
| +-privilege (0)
| +-radius-server (15)
| +-rate-limiter (0)
| +-redundancy-interface (0)
| +-related-running-config (15)
| +-related-startup-config (15)
| +-reload (15)
| +-remote-box (15)
| +-resource-statistics (0)
| | +-flow-table-limit (15)
| | +-flow-table-usage (0)
| +-rmon (0)
| +-routing-protocol (0)
| +-running-config (0)
| | +-interface (15)
| | +-10gigabitethernet (15)
| | +-gigabitethernet (15)
| +-snmp (0)
| +-snmp-user (0)
| +-ssh-session (0)
| +-startup-config (15)
| | +-interface (15)
| | +-10gigabitethernet (15)
| | +-gigabitethernet (15)
| +-status-grouping (0)
| +-switch-data-path (0)
| +-system (0)
| +-system-identifier (15)
| +-system-internal-network (15)
| +-system-ip-flow-rule (15)
| +-system-non-ip-flow-rule (15)
| +-tech-crash (15)
| +-tech-support (15)
| | +--bundle (15)
| | +--file (15)
| | +--paging (15)
| +-terminal (0)
| | +-history (0)
| +-timeout (0)
| +-timezone (0)
| +-traplog (0)
| +-tree (0)


| +-username (0)
| +-usernames (0)
| +-vap-group (0)
| +-vdf-status (0)
| | +-module (0)
| | +-vap-group (0)
| | +-vap-group-member (0)
| +-version (0)
| +-veth-stats (0)
| +-vlan (0)
| +-vrrp (0)
| | +-circuit-ip (15)
| | +-detail-status (15)
| | +-detail-status-help (15)
| | +-failover-group (0)
| | +-monitor-circuit (15)
| | +-monitor-group-interfaces (15)
| | +-monitor-interfaces (15)
| | +-status (0)
| | +-vap-group (15)
| | +-verify-next-hop (15)
| | +-virtual-router (15)
| +-vsx-configuration (15)
| +-web-server (0)
| +-web-session (0)
| +-web-timeout (0)
| +-web-wizard (0)
+-shutdown (15)
+-sleep (0)
+-ssh (15)
+-swatch (15)
+-terminal (0)
| +-history (0)
+-timeout (0)
+-unix (15)
+-upgrade (15)
| +-in-service (15)
| | +-batch-1 (15)
| | +-batch-10 (15)
| | +-batch-2 (15)
| | +-batch-3 (15)
| | +-batch-4 (15)
| | +-batch-5 (15)
| | +-batch-6 (15)
| | +-batch-7 (15)
| | +-batch-8 (15)
| | +-batch-9 (15)
| | +-batch-default (15)
| | +-clear-batches (15)
| | +-install (15)
| | +-show (15)
| | +-batches (15)
| | +-default-batches (15)
| | +-new-releases (15)
| | +-progress (15)
| | +-standby-modules (15)
| +-install (15)
| +-remove (15)


| +-show (15)
| | +-current-running-release (15)
| | +-new-release (15)
| | +-release (15)
| +-verify-system (15)
+-validate-configuration (15)
+-vap-group-password (15)
+-vap-group-password-expiration (15)
+-vrrp-relinquish-master (15)
+-who (0)


Alphabetical Index of Commands


access-list (conf-mgmt-gig context) 81
action allow (conf-system-ip-flow context) 257
action allow (ip-flow-rule context) 306
action broadcast (conf-system-ip-flow context) 259
action broadcast (conf-system-non-ip-flow context) 291
action broadcast (ip-flow-rule context) 309
action broadcast (non-ip-flow context) 343
action drop (conf-system-ip-flow context) 256
action drop (conf-system-non-ip-flow context) 289
action drop (ip-flow-rule context) 305
action drop (non-ip-flow context) 342
action load-balance (ip-flow-rule context) 304
action pass-to-master (ip-flow-rule context) 307
action pass-to-master (non-ip-flow context) 342
action pass-to-masters (conf-system-ip-flow context) 258
action pass-to-masters (conf-system-non-ip-flow context) 290
action pass-to-vap (ip-flow-rule context) 308
activate (conf-system-ip-flow context) 277
activate (conf-system-non-ip-flow context) 296
activate (ip-flow-rule context) 330
activate (non-ip-flow context) 351
active-vap-threshold (conf-vrrp-vap-group context) 579
advertise-interval (conf-vrrp-group context) 557
alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) 411
alias 622
allow-fragment-overlap (conf-rp-select-drop context) 158
ap-list (config-vap-grp context) 178
APM Firewall Statistics (apmfwstats.swc) 748
APM Firewall Statistics by Slot (apmfwstats_slot.swc) 749
APM Interface Statistics (apmdevstats_slot.swc) 747
APM IP, ICMP, TCP, and UDP Statistics (apmsnmpstats.swc) 750
APM Switched Data Path Statistics (apmdevstats.swc) 745
application 214
application-monitor (config-vap-group context) 198
application-remove 221
application-update 218
application-upgrade 219
archive-vap-group backup 226
archive-vap-group delete 229
archive-vap-group restore 227
archive-vap-group show 230
audit-trail 124
audit-trail 765
automated-workflow-menu 586
automated-workflows 586
auto-negotiate (conf-grp-intf-gig context) 503
auto-negotiate (conf-intf-gig context) 481
auto-negotiate (conf-mgmt-ha context) 551
auto-promote 623
backup-flow-info (conf-rp-table-profile context) 156
backup-stay-up (conf-vrrp-failover-vr context) 566
batch-<n> (in-service-upgrade context) 596
batch-default (in-service-upgrade context) 597
broadcast 121
bypass-tcp-flow-setup-validation (ip-flow-rule context) 310
bypass-tcp-flow-setup-validation (ip-flow-rule context) 331
bypass-tcp-flow-setup-validation (tcp-flow-validation context) 160
calendar 59
Cautions, Warnings, and Notes 19
cd 44
circuit (conf-bridge-mode context) 447
circuit (conf-group-intf-logical context) 516
circuit (conf-intf-internal-log or conf-intf-internal-log-all context) 494
circuit (intf-gig-logical or intf-10gig-logical context) 471
circuit (intf-gig-logical-all or intf-10gig-logical-all context) 477
clear alarms 778
clear flow-active 388
clear interface 390
clear netstat 392
clear resource-statistics 642
clear switch-data-path 393
clear vdf-status 393
clear vdf-status 849
clear-batches (in-service-upgrade context) 598
clear-screen 47
CLI command: ssh 169
configure access-list <ID_number> {deny | permit} icmp 105
configure access-list <ID_number> {deny | permit} ip 93
configure access-list <ID_number> {deny | permit} protocol-number 108
configure access-list <ID_number> {deny | permit} tcp 95
configure access-list <ID_number> {deny | permit} udp 100
configure acl-interface 524
configure acl-interface-mapping 536
configure alias 622
configure arp 460


configure bridge-mode 445
configure chassis-resource-protection 153
configure check-flow-rule 387
configure circuit 397
configure cp-action {cp1 | cp2} disk-error 166
configure cp-action disk-error (config context) 588
configure cp-redundancy 164
configure dns search-name 60
configure dns server 61
configure enable alarm 125
configure enable password 119
configure facility-alarm cpu 125
configure facility-alarm cpu-core 126
configure facility-alarm disk-usage-boot 128
configure facility-alarm disk-usage-cbconfig 129
configure facility-alarm disk-usage-mgmt 130
configure facility-alarm disk-usage-root 132
configure facility-alarm disk-usage-tftpboot 133
configure facility-alarm disk-usage-var 134
configure facility-alarm free-memory 136
configure group-interface 496
configure host 209
configure hostname 62
configure incoming-circuit-group-name 405
configure interface 467
configure interface-internal 488
configure interface-status-group 535
configure ip default-network (IPv6 and IPv4) 456
configure ip domainname 63
configure ip forwarding 63
configure ip ftp 64
configure ip route (IPv6 and IPv4) 452
configure ip ssh 64
configure ip telnet 65
configure ipv6-tunnel (IPv6) 463
configure ldap-parameter 67
configure ldap-server 66
configure logging console 148
configure logging monitor 150
configure logging server 152
configure management 80
configure management arp 93
configure management default-gateway 92
configure management high-availability 550
configure management ip-route 91
configure management vip-addr 166
configure module 589
configure neighbor-discovery (IPv6) 461
configure np-reload-timeout 68
configure np-reset-wait-time 69
configure ntp server 70
configure operating-mode 70
configure password 114
configure privilege level 115
configure prompt 47
configure radius-server host 72
configure redundancy-interface 541
configure remote-box 553
configure reset-password 114
configure rmon alarm 145
configure rmon event 144
configure routing-protocol 244
configure snmp-server community 137
configure snmp-server contact 139
configure snmp-server engine-id 141
configure snmp-server host 138
configure snmp-server location 140
configure snmp-user 142
configure system-identifier 73
configure system-internal-network 74
configure system-ip-flow-rule 255
configure system-non-ip-flow-rule 287

configure terminal history 49
configure timeout 75
configure timezone 76
configure username 111
configure vap-group 173
configure vrrp failover-group 554
configure vrrp vap-group 578
configure web-server 77
configure web-timeout 77
configure web-wizard 78
copy running-config 606
copy startup-config 607
Copying an Existing File to a VAP Group 893
core-assignment (ip-flow-rule context) 329
core-assignment (non-ip-flow-rule context) 350
cp-disk-scheme 587
cp-next-boot 67
CPU Activity for the APM and CPM (health_cpubsy.swc) 759
CPU and Board Temperature (health_temp.swc) 761
CPU Load, Utilization, and Memory Information (health_cpumem.swc) 760
cp-unknown-state 167
Crossbeam Daemon Status Script (cbsinitdstats.swc) 754
debug 890
default-egress-vlan-tag (conf-cct-vapgroup context) 417
delay-flow (config-vap-grp context) 197
destination-addr (conf-system-ip-flow context) 264
destination-addr (ip-flow-rule context) 315
destination-mac (conf-acl-intf context) 533
destination-port (conf-system-ip-flow context) 267
destination-port (ip-flow-rule context) 318
device-name (conf-cct context) 399
dhcp-relay (conf-cct-vapgroup context) 422
dhcp-relay-server-list (config-vap-grp context) 201
dir 45
direction (conf-acl-intf context) 526
direction (conf-system-ip-flow context) 259
direction (ip-flow-rule context) 310
disconnect ssh 121
dist-port-threshold (conf-vrrp-failover-vr context) 567
domain (conf-system-ip-flow context) 270
domain (ip-flow-rule context) 321
duplex-mode (conf-grp-intf-gig context) 504
duplex-mode (conf-intf-gig context) 482
duplex-mode (conf-mgmt-ha context) 551
echo 624
Editing the Command Line 31
enable (conf-cct-vapgroup) 430
enable (conf-grp-intf-gig or conf-grp-intf-10gig context) 508
enable (conf-grp-intf-intf context) 512
enable (conf-intf-gig or conf-intf-10gig context) 485
enable (conf-mgmt-gig context) 81
enable (conf-vrrp-group context) 578
enable (conf-vrrp-vap-group context) 580
enable level 117
enable more 51
enable-ipv6 (conf-vap-grp context) (IPv6) 186
encapsulation ethernet (conf-system-non-ip-flow context) 292
encapsulation ethernet (non-ip-flow context) 345
encapsulation lsap (conf-system-non-ip-flow context) 293
encapsulation lsap (non-ip-flow context) 346
encapsulation snap (conf-system-non-ip-flow context) 295
encapsulation snap (non-ip-flow context) 348
end 42
Entering User-defined Strings 32
ether-type (conf-acl-intf context) 529
exec 625
exit 43
failover-group-list (conf-vrrp-vap-group context) 580
failovermode (conf-intf-redun context) 545
fail-to-host (config-vap-grp context) 192
Flow Assignment and Scheduling Statistics (flowsched.swc) 757
flow-proxy (config-vap-grp context) 193
flow-table-partition (conf-resource-protection context) 154
flow-table-profile (conf-flow-table-partition context) 155
fragment-handling-options (conf-resource-protection context) 157
generate-reversed-flow (conf-system-ip-flow context) 262
generate-reversed-flow (ip-flow-rule context) 312
Getting Help 34
grep 611
grep 628
Group Interface Statistics (groupintstats.swc) 758
help 54
hold-down-timer (conf-vrrp-vap-group context) 581
icmp-redirect (conf-cct-vapgroup) 429
incoming-circuit-group (conf-cct context) 403
incoming-circuit-group (conf-system-ip-flow context) 271
incoming-circuit-group (ip-flow-rule context) 322
in-service (upgrade context) 596
install (in-service-upgrade context) 598
install (upgrade context) 600
interface (conf-group-intf context) 510
interface-type (conf-group-intf context) 500

ip (conf-cct-vapgroup context) (IPv6 and IPv4) 407
ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4) 570
ip-addr (conf-mgmt-gig context) 83
ip-alias (conf-mgmt-gig context) 84
ip-flow-rule (config-vap-grp context) 188
ip-flow-rule (config-vap-grp context) 302
ip-flow-rule-priority (conf-cct-vapgroup context) 415
ip-forwarding (conf-cct-vapgroup context) 428
ip-forwarding (config-vap-grp context) 192
ip-forwarding-ipv6 (enable-ipv6 context) (IPv6) 187
ip-id-validation (conf-rp-frag-handlings context) 159
ip-nat inside (conf-mgmt-gig context) 85
ip-nat outside (conf-mgmt-gig context) 86
IPv6 Address Notation 20
jumbo-frame (config-vap-grp context) 193
limit-fragment-queue (conf-rp-select-drop context) 158
link-state-resistant (conf-cct context) 400
load-balance-vap-list (config-vap-grp context) 180
load-priority (config-vap-grp context) 182
Local Network Interface Statistics (netifstats.swc) 762
lock-config 122
logging 152
Logging Out of the CLI Session 34
logical (conf-group-intf context) 514
logical (conf-intf-gig or conf-intf-10gig context) 469
logical (conf-intf-internal context) 490
logical-all (conf-intf-gig or conf-intf-10gig context) 475
logical-all (conf-intf-internal context) 492
log-martians (config-vap-grp context) 203
logout 123
logout 609
mac-addr (conf-cct-vapgroup context) 424
mac-addr (conf-mgmt-gig context) 86
mac-usage (conf-vrrp-failover-vr context) 567
management-circuit (conf-cct-vapgroup context) 421
master-failover-trigger application (config-vap-grp context) 199
master-holddown (config-vap-grp context) 200
max-load-count (config-vap-grp context) 177
max-reload-count (config-vap-grp context) 178
media-speed (conf-grp-intf-gig context) 506
media-speed (conf-intf-gig context) 483
metric (config-ip-route context) 454
metric (conf-ip-default-network context) 458
mode (conf-group-intf context) 497
Module Uptime Statistics (moduleuptime.swc) 761
monitor-circuit (conf-vrrp-group context) 557
monitor-group-interface (conf-vrrp-group context) 562
monitor-interface (conf-vrrp-group context) 559
mtu (conf-cct-vapgroup context) 427
mtu (conf-mgmt-gig context) 87
non-ip-flow-rule (config-vap-grp context) 189
non-ip-flow-rule (config-vap-grp context) 340
NPM Fabric Packet Statistics (fabricstats.swc) 754
NPM Flow Calculation Statistics (flowcalcstats.swc) 757
NPM Interface Statistics (npmdevstats.swc) 762
NPM VDF Status (npmfragstats.swc) 764

ospf-cost-increment (conf-vrrp-group context) 564
packet-validation 161
path-mtu-discovery (conf-tunnel-<tunnel_type> context) 464
pause-frame (conf-grp-intf-gig or conf-grp-intf-10gig context) 502
pause-frame (conf-intf-gig or conf-intf-10gig context) 480
ping 804
preemption (conf-vrrp-group context) 556
preemption-priority (config-vap-grp context) 183
priority (conf-system-ip-flow context) 276
priority (conf-vrrp-group context) 555
priority (ip-flow-rule context) 327
priority-delta (conf-intf-gig or conf-intf-10gig context) 561
priority-delta (conf-vrrp-failover-cct context) 558
priority-delta (conf-vrrp-failover-grpintf) 563
priority-delta (conf-vrrp-failover-vr context) 568
priority-delta (conf-vrrp-vap-group context) 582
priority-delta (conf-vrrp-vr-verify-next-hop context) 574
promiscuous-mode (conf-cct-vapgroup context) 423
prompt 48
protocol (conf-system-ip-flow context) 268
protocol (ip-flow-rule context) 319
proxy-arp (conf-cct context) 402
pwd 46
Question Mark (?) Command 52
raid (config-vap-grp context) 185
reload all 590
reload module 591
reload offline-cp 592
reload vap-group 593
reload-timeout (config-vap-grp context) 195
remove (upgrade context) 601
replace-vlan-tag (conf-cct-vapgroup context) 419
reset-configuration 593
reset-configuration 609
reset-cp-serial 592
routing-protocol vap-group configure 237
routing-protocol vap-group install 234
routing-protocol vap-group restore 240
routing-protocol vap-group save 238
routing-protocol vap-group status 243
routing-protocol vap-group uninstall 242
routing-protocol vap-group update 235
routing-protocol-services vap-group configure 246
routing-protocol-services vap-group restore 248
routing-protocol-services vap-group save 247
routing-protocol-services vap-group status 250
routing-protocol-services vap-group update 252
routing-protocol-services vap-group upgrade 251
rp-filter (config-vap-grp context) 202
scatter-gather (config-vap-grp context) 194
script 626
search 612
search 629
selective-drop (conf-rp-frag-handlings context) 157
set (config-cp-redundancy context) 165
show (conf-bridge-mode context) 449
show (conf-cct context) 431
show (conf-group-intf context) 519
show (config-vap-grp context) 204
show (conf-intf-gig or conf-intf-10gig context) 485
show (conf-mgmt-gig context) 89
show (conf-system-ip-flow context) 278


show (conf-system-non-ip-flow context) 297
show (in-service-upgrade context) 599
show (intf-gig-logical or intf-10gig-logical context) 473
show (ip-flow-rule context) 331
show (non-ip-flow context) 351
show access-list 667
show acl-interface 708
show acl-interface-mapping 710
show alarm-enabled 674
show alarms 769
show alias 740
show application 222
show application 854
show application vap-group 223
show application vap-group 855
show ap-vap-mapping 852
show archive-vap-group 684
show arp 647
show arp 805
show audit-trail 630
show audit-trail 766
show autocommand 671
show automated-workflow-progress 587
show auto-promote 740
show bridge-mode 696
show calendar 779
show chassis 780
show check-flow-rule 690
show circuit 697
show circuit 808
show cp-disk-error 682
show cp-disk-scheme 588
show cp-next-boot 658
show cp-redundancy 681
show cpu 782
show cp-unknown-state 682
show current-release 784
show current-running-release (upgrade context) 601
show current-running-release (upgrade context) 785
show default-ip-flow-rule 690
show default-non-ip-flow-rule 691
show disk-usage 785
show dns-search-name 651
show dns-server 652
show environment 786
show facility-alarm 674
show flow active 357
show flow active 810
show flow distribution 382
show flow distribution 835
show flow-path active 370
show flow-path active 823
show group-interface 699
show group-interface 837
show heartbeat 788
show history 632
show history 768
show host 687
show hostname 652
show incoming-circuit-group-name 698
show interface 700
show interface 838
show interface-status-group 705
show internal-ip 843
show ip addresses 653
show ip default-network 653
show ip domainname 653
show ip forwarding 654
show ip ftp 654
show ip route 654
show ip ssh 656
show ip telnet 656
show ip-flow-rule 692
show ip-mapping 706
show kernel 687
show ldap-parameters 657
show ldap-server 657
show lock-config 668
show logging console 677
show logging console 791
show logging server 679
show logging setting 679
show management 665
show management-ip-alias 666
show management-ip-nat 666
show management-vip 683
show module admin-state 735
show module admin-state 793
show module status 736
show module status 794
show neighbor-discovery (IPv6) 648
show neighbor-discovery (IPv6) 805
show netstat 845
show new-release (upgrade context) 602
show non-ip-flow 693
show npm-originated-flow-stats 385
show npm-tech 880
show np-reload-timeout 658
show np-reset-wait-time 659
show ntp-server 659
show operating-mode 660
show privilege 672
show radius-server 660
show redundancy-interface 707
show redundancy-interface 845
show release (upgrade context) 602
show release (upgrade context) 797
show reload 739
show remote-box 712
show remote-box 858
show resource-statistics 641
show rmon 798
show routing-protocol 688
show running-config 613
show running-config 632


show snmp 676
show snmp 798
show snmp-user 668
show ssh-session 799
show startup-config 616
show startup-config 636
show status-grouping 707
show switch-data-path 800
show system 643
show system 801
show system-identifier 661
show system-internal-network 661
show system-ip-flow-rule 694
show system-non-ip-flow-rule 695
show tech-crash 883
show tech-support 885
show terminal history 741
show timeout 662
show timezone 662
show traplog 802
show tree include-privilege 673
show username 669
show usernames 670
show vap-group 688
show vdf-status 846
show version 644
show veth-stats 850
show vlan 708
show vrrp 713
show vrrp 859
show vrrp circuit-ip 714
show vrrp circuit-ip 860
show vrrp detail-status 718
show vrrp detail-status 863
show vrrp detail-status-help 56
show vrrp failover-group 720
show vrrp failover-group 865
show vrrp monitor-circuit 722
show vrrp monitor-circuit 868
show vrrp monitor-group-interfaces 726
show vrrp monitor-group-interfaces 871
show vrrp monitor-interfaces 724
show vrrp monitor-interfaces 870
show vrrp status 727
show vrrp status 873
show vrrp vap-group 729
show vrrp vap-group 874
show vrrp verify-next-hop 730
show vrrp verify-next-hop 875
show vrrp virtual-router 732
show vrrp virtual-router 877
show vsx-configuration 639
show web-server 662
show web-session 663
show web-session 803
show web-timeout 664
show web-wizard 664
skip-port-protocol (conf-system-ip-flow context) 261
skip-port-protocol (ip-flow-rule context) 312
sleep 594
source-addr (conf-system-ip-flow context) 263
source-addr (ip-flow-rule context) 314
source-address (conf-tunnel-<tunnel_type> context) 465
source-mac (conf-acl-intf context) 531
source-port (conf-system-ip-flow context) 266
source-port (ip-flow-rule context) 317
speed (conf-mgmt-gig context) 88
speed (conf-mgmt-ha context) 552
standby-only (conf-intf-gig or conf-intf-10gig context) 479
table-limit-action (conf-rp-table-profile context) 156
tcp-flow-validation (conf-resource-protection context) 159
tcp-overlap-protection (conf-rp-frag-handlings context) 159
tcp-rst-injection (conf-cct context) 402
terminal history 50
timeout (conf-system-ip-flow context) 273
timeout (ip-flow-rule context) 324
timeout 75
time-to-live (conf-tunnel-<tunnel_type> context) 465
trace (conf-system-ip-flow context) 275
trace (ip-flow-rule context) 326
Typographical Conventions 18
Understanding CLI Contexts 28
Understanding CLI Syntax Error Messages 33
Understanding Command Privilege Levels 29
Understanding Command Structure and Command Syntax 27
unix 626
Unix Commands: ftp, telnet, ssh, rsh 170
upgrade 595
Upgrading an Application on a VAP Group 894
Using a Serial Connection to Access the CLI 24
Using an Ethernet Connection to Access the CLI over a LAN 25
validate-configuration 768
validate-ip-packet (conf-pkt-validation context) 161
validate-tcp-packet (conf-pkt-validation context) 162
validate-tcp-xsum (conf-pkt-validation context) 163
vap-count (config-vap-grp context) 175
vap-group (conf-cct context) 406
vap-group (conf-vrrp-failover-vr context) 569
vap-group-password 211
vap-group-password-expiration 212
verify-next-hop (config-ip-route context) 455
verify-next-hop (conf-ip-default-network context) 459
verify-next-hop-ip (conf-cct-vapgroup context) (IPv6 and IPv4) 416
verify-next-hop-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4) 573

verify-system (upgrade context) 603
vg-reset-wait-time 196
virtual-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4) 575
virtual-router (conf-vrrp-group context) 565
vlan (conf-acl-intf context) 527
vrrp-relinquish-master 583
who 803


Glossary
The following terms are used throughout the X-Series Platform documentation set.

3DES
Triple Data Encryption Standard. Provides a stronger form of DES encryption where the algorithm is applied three times in order to encrypt data.

ACL
Access Control List. Provides packet filtering through the permission or denial of packets based on certain IP criteria, such as IP address, port, or protocol.

APM
Application Processor Module. The XOS Application Processor system module that provides application processing, status monitoring, and standard and application-specific logging. The APM contains one or more CPUs to host applications and network services while processing packets belonging to individual flows.

ARP
Address Resolution Protocol. An Internet protocol used to map an IP address to a MAC address.

BOTW
Bump-on-the-Wire. A device with two or more interfaces that are transparent to the adjacent Layer 3 devices.

cbsflowagentd
Flow Agent daemon that collects statistics and runs on each VAP.

cbsflowcalcd
Flow Calculator daemon that runs the flow scheduling chow file and executes on the CPM.

circuit
An abstract object representing a logical network interface (network service access point). A circuit can be mapped to either single or multiple logical lines. Attributes of a circuit include: a set of physical line or channel pairs, a layer 2 encapsulation type, a layer 2 address, and an IP address (optional).

CLI
Command Line Interface.

CM
Configuration manager/monitor.

core-intf
An interface which is attached to the core-facing networks.

CPM
Control Processor Module. The XOS system module that coordinates the actions of all other modules, enables management access to the platform, and supports access to a local disk containing configuration files and databases necessary to execute the applications which reside on the platform.

DES
Data Encryption Standard. A popular algorithm for encrypting data. It is a product cipher that operates on 64-bit blocks of data, using a 56-bit key.

device
OS concept representing either a physical or logical I/O port connected to the APM.

domain
A set of interconnected IP networks belonging to a unique address space. A domain is uniquely identified within the X-Series Platform by an 8-bit domain ID. IP flows must be unique within a given domain.

DSA
Digital Signature Algorithm.

ECC
Error Checking and Correcting. A collection of methods to detect errors in transmitted or stored data and a means to correct them.

edge interface
An interface that is attached to edge-facing networks (typically where subscribers are located).

edge server
A server that is physically located close to its end users designed to deliver faster, higher quality transmissions, typically in a local commercial ISP facility. The number of edge servers in a region depends on the number of users in the locale.

Element Management System
Graphical user interface for X-Series Platforms accessed via the web server.

Error Checking and Correcting (ECC)
A collection of methods for detecting and correcting errors in transmitted or stored data.

FCAPS
Faults, Configuration, Accounting, Performance, and Security. The general requirements of a network management system as defined by the International Organization for Standardization.

FIB
Forwarding Information Base. A set of IP data structures replacing a route table in Linux.

firewall
A set of software tools that protects a company's internal network from unwanted entry by unauthorized external users. The firewall works in conjunction with a router program to filter incoming network packets and reject those of unknown origin.

flow
Specific stream of data traveling between two endpoints across a network. Specified by source IP, destination IP, source port, destination port and IP protocol type.

flow rule
A filter rule specifying how a packet is processed.

flow specific
A stream of data traveling between two endpoints across a network. Specified by source IP, destination IP, source port, destination port and IP protocol type.

flow table
A table maintained on the NPM that maps individual flows to their respective processors.

FPGA
Field Programmable Gate Array. A gate array where the logic network can be programmed into the device after its manufacture. An FPGA consists of an array of logic elements, either gates or lookup table RAMs, flip-flops, and programmable interconnect wiring.

FTP
File Transfer Protocol.

gateway
A Layer 3 device with at least two logical interfaces that uses a routing table to forward packets between interfaces. Note that a gateway may also act as a multi-homed host.

GBIC
Gigabit Interface Converter. A transceiver that converts electric currents (digital highs and lows) to optical signals, and optical signals to digital electric currents. The GBIC is typically employed in fiber optic and Ethernet systems as an interface for high-speed networking. The data transfer rate is one gigabit per second (1 Gbps) or more.

GEM
Greenlight Element Manager. A GUI that provides a view into the components and health of your X-Series Platform.

GLM
Gigabit Link Module.

GRUB
GRand Unified Bootloader.

hash
A cryptographic operation where an entire message is run through a mathematical operation that results in a fixed-length string that is unique.

HTTP
Hypertext Transfer Protocol.

IDEA
International Data Encryption Algorithm. A conventional encryption algorithm, using a block cipher, operating on 64-bit blocks with a 128-bit key.

IDS
Intrusion Detection System.

IOP
I/O Processor.

IP Address
Internet Protocol (IP). A numerical address that identifies senders and receivers of Internet data. The address accompanies packetized data and identifies it with a particular network on the Internet and the specific device (such as a server) from which it originated.

IPS
Intrusion Prevention System.

In-Service Upgrade
ISU is an alternate method of upgrading XOS software while minimizing downtime. This feature has several requirements for successful completion of an ISU, including redundant CPMs, APMs, and NPMs. During ISU, the chassis is virtually split in two halves during which time only one half of the chassis will be responsible for forwarding traffic.

LACP
Link Aggregation Control Protocol.

load balancing
Distributing flows in real time amongst multiple APMs.

load table
A table that maps flow profiles to weighted lists of virtual processors.

logical interface
A channelized interface on a physical interface. A subdivision of a physical interface. Currently supported logical interface types are default and VLAN.

logical line
A combination of a physical line and a sub-line (channel). A logical line is uniquely identified by a physical line ID or channel ID pair.

MD5
Message Digest 5. A one-way function that takes a variable-length message and produces a fixed-length hash.

MAC address
Media Access Control (MAC). A hardware address that uniquely identifies each node of a network. In IEEE 802 networks, the Data Link Control (DLC) layer of the OSI Reference Model is divided into two sub-layers: the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer. The MAC layer interfaces directly with the network media. Consequently, each different type of network media requires a different MAC layer.

MIB
Management Information Base.

MS
Management Server.

multi-homed host
A Layer 3 device with at least two logical interfaces that generates packets but does not forward them.

NPM
Network Processor Module. The XOS module responsible for network interface access (up to 1 Gb/sec full-duplex), flow classification, distribution of flows to APMs, and load balancing of the APMs.

PGP
Pretty Good Privacy. A high-security RSA public-key encryption application that enables files or messages to be exchanged with privacy and authentication.

physical interface
The physical hardware connector on the NPM or CPM representing a network interface port.

POS
Packet Over Sonet.

POST
Power On Self-Test.

PPP
Point to Point Protocol.

RAID
Redundant Array of Inexpensive/Independent Drives. A data storage scheme used to allow multiple drives to work as a single drive. RAID level 0 and level 1 are supported by Crossbeam Systems in our newer modules. RAID 0 writes data to whichever drive is currently free. This method is used for greater data speed efficiency (however, all drives in the RAID are needed to fully access all the data). RAID 1 writes identical data to all the drives in the RAID grouping. This method is used for greater data integrity.

RDRAM
Rambus Direct Random Access Memory.

RMON
Remote Network Monitoring.

RPM
Red Hat Package Manager.

SCP
Secure copy.

SMP
Symmetric Multi Processor.

SNMP
Simple Network Management Protocol. The Internet standard protocol developed to manage and monitor nodes on an IP network.

SSH
Secure Shell. A powerful authentication and encryption program replacing older and less secure tools like Telnet. SSH provides both authentication and encryption and is therefore the preferred method of network access. SSH allows a secure connection to be established between a client computer and a server host. The X-Series Platform provides SSH server, SSH client, and scp capability.

SSL
Secure Socket Layer.

Stateful Inspection (dynamic packet filtering)
A firewall architecture operating at the network layer. Unlike static packet filtering, which examines a packet based on the information in its header, stateful inspection examines not just the header information but also the contents of the packet up through the application layer in order to determine more about the packet than just information about its source and destination. A stateful inspection firewall also monitors the state of the connection and compiles the information in a state table. Because of this, filtering decisions are based not only on administrator-defined rules (as in static packet filtering) but also on context that has been established by prior packets that have passed through the firewall. As an added security measure against port scanning, stateful inspection firewalls close off ports until connection to the specific port is requested.

static route
A user-defined route that causes packets to move between a source and destination along a specific path.

sub-line
A multiplexed channel within a single line. Examples include: a DS0 channel within a T1/T3 serial interface, an ATM PVC, and a tagged VLAN. A sub-line is uniquely identified by a 32-bit channel ID.

SYSLOGD
System Logger Daemon.

Telnet
An administrator can enable Telnet as part of the boot dialogue, or by using a CLI command. Telnet comes disabled because traffic is not encrypted between the client and the X-Series Platform.

VAP
Virtual Application Processor. An application operating environment which can be run on an APM. A VAP consists of the OS, system software, and a set of applications which run concurrently.

VAP group
A virtual set of Application Processor Modules identically configured for load balancing and redundancy to process the same set of applications.

VLAN
Virtual Local Area Network. A local area network with a definition that maps workstations on some other basis than geographic location (for example, by department, type of user, or primary application).

VND
Virtual Network Device. A Linux kernel object representing a logical network interface. A virtual network device is directly mapped to an NPM circuit.

VPN
Virtual Private Network. Consists of private lines, switching equipment and other networking equipment that are provided for the exclusive use of one customer. A VPN gives users a secure way to access resources over the Internet or other public or private networks using encryption, authentication, and tunneling.

VRRP
Virtual Router Redundancy Protocol. This protocol allows several routers on a multiaccess link to utilize the same virtual IP address. One router will be elected as a master with the other routers acting as backups in case of the failure of the master router. The protocol should also support the ability to load share traffic when both routers are up. A Virtual Router in XOS is an IP address or a set of IP addresses that can be instantiated on a circuit for a subset of the VAP groups on which the circuit is configured, and active only on one of the X-Series Platforms participating in multi-system High Availability configuration.

XML
Extensible Markup Language. The universal format for structured documents and data on the Web as defined by a set of specifications and recommendations from the W3C.
