Contents
About This Guide
  Intended Audience
  Related Documentation
  Conventions
  Typographical Conventions
  Cautions, Warnings, and Notes
  IPv6 Address Notation
  Customer Support
Chapter 4: Commands for Configuring the X-Series Platform to Enable System Management
Commands for Configuring System Management Settings
  calendar
  configure dns search-name
  configure dns server
  configure hostname
  configure ip domainname
  configure ip forwarding
  configure ip ftp
  configure ip ssh
  configure ip telnet
  configure ldap-server
  configure ldap-parameter
  cp-next-boot
  configure np-reload-timeout
  configure np-reset-wait-time
  configure ntp server
  configure operating-mode
  configure radius-server host
  configure system-identifier
  configure system-internal-network
  configure timeout
  timeout
  configure timezone
  configure web-server
  configure web-timeout
  configure web-wizard
Commands for Configuring X-Series Platform Management Interfaces
  configure management
  enable (conf-mgmt-gig context)
  access-list (conf-mgmt-gig context)
  ip-addr (conf-mgmt-gig context)
  ip-alias (conf-mgmt-gig context)
  ip-nat inside (conf-mgmt-gig context)
  ip-nat outside (conf-mgmt-gig context)
  mac-addr (conf-mgmt-gig context)
  mtu (conf-mgmt-gig context)
  speed (conf-mgmt-gig context)
  show (conf-mgmt-gig context)
  configure management ip-route
  configure management default-gateway
  configure management arp
  configure access-list <ID_number> {deny | permit} ip
  configure access-list <ID_number> {deny | permit} tcp
  configure access-list <ID_number> {deny | permit} udp
  configure access-list <ID_number> {deny | permit} icmp
  configure access-list <ID_number> {deny | permit} protocol-number
Commands for Configuring User Accounts and Managing User Access to the X-Series Platform
  configure username
  configure password
  configure reset-password
  configure privilege level
  enable level
  configure enable password
  disconnect ssh
  broadcast
  lock-config
  logout
Commands for Configuring System Alarms and Logs
  audit-trail
  configure enable alarm
  configure facility-alarm cpu
  configure facility-alarm cpu-core
  configure facility-alarm disk-usage-boot
  configure facility-alarm disk-usage-cbconfig
  configure facility-alarm disk-usage-mgmt
  configure facility-alarm disk-usage-root
  configure facility-alarm disk-usage-tftpboot
  configure facility-alarm disk-usage-var
  configure facility-alarm free-memory
  configure snmp-server community
  configure snmp-server host
  configure snmp-server contact
  configure snmp-server location
  configure snmp-server engine-id
  configure snmp-user
  configure rmon event
  configure rmon alarm
  configure logging console
  configure logging monitor
  configure logging server
  logging
Commands for Configuring Chassis Resource Protection
  configure chassis-resource-protection
  flow-table-partition (conf-resource-protection context)
  flow-table-profile (conf-flow-table-partition context)
  table-limit-action (conf-rp-table-profile context)
  backup-flow-info (conf-rp-table-profile context)
  fragment-handling-options (conf-resource-protection context)
  selective-drop (conf-rp-frag-handlings context)
  allow-fragment-overlap (conf-rp-select-drop context)
  limit-fragment-queue (conf-rp-select-drop context)
  ip-id-validation (conf-rp-frag-handlings context)
  tcp-overlap-protection (conf-rp-frag-handlings context)
  tcp-flow-validation (conf-resource-protection context)
  bypass-tcp-flow-setup-validation (tcp-flow-validation context)
  packet-validation
  validate-ip-packet (conf-pkt-validation context)
  validate-tcp-packet (conf-pkt-validation context)
  validate-tcp-xsum (conf-pkt-validation context)
Commands for Configuring CPM Redundancy
  configure cp-redundancy
  set (config-cp-redundancy context)
  configure management vip-addr
  configure cp-action {cp1 | cp2} disk-error
  cp-unknown-state
Commands for Accessing Other Systems from the CPM
  CLI command: ssh
  Unix Commands: ftp, telnet, ssh, rsh
  enable-ipv6 (conf-vap-grp context) (IPv6)
  ip-forwarding-ipv6 (enable-ipv6 context) (IPv6)
  ip-flow-rule (config-vap-grp context)
  non-ip-flow-rule (config-vap-grp context)
  ip-forwarding (config-vap-grp context)
  fail-to-host (config-vap-grp context)
  flow-proxy (config-vap-grp context)
  jumbo-frame (config-vap-grp context)
  scatter-gather (config-vap-grp context)
  reload-timeout (config-vap-grp context)
  vg-reset-wait-time
  delay-flow (config-vap-grp context)
  application-monitor (config-vap-group context)
  master-failover-trigger application (config-vap-grp context)
  master-holddown (config-vap-grp context)
  dhcp-relay-server-list (config-vap-grp context)
  rp-filter (config-vap-grp context)
  log-martians (config-vap-grp context)
  show (config-vap-grp context)
Commands for Managing User Access to a VAP Group
  configure host
  vap-group-password
  vap-group-password-expiration
Commands for Installing, Configuring, and Managing an Application on a VAP Group
  application
  application-update
  application-upgrade
  application-remove
  show application
  show application vap-group
  archive-vap-group backup
  archive-vap-group restore
  archive-vap-group delete
  archive-vap-group show
Commands for Installing, Configuring, and Managing Routing Software and Routing Protocols on a VAP Group
  routing-protocol vap-group install
  routing-protocol vap-group update
  routing-protocol vap-group configure
  routing-protocol vap-group save
  routing-protocol vap-group restore
  routing-protocol vap-group uninstall
  routing-protocol vap-group status
  configure routing-protocol
  routing-protocol-services vap-group configure
  routing-protocol-services vap-group save
  routing-protocol-services vap-group restore
  routing-protocol-services vap-group status
  routing-protocol-services vap-group upgrade
  routing-protocol-services vap-group update
  direction (conf-system-ip-flow context)
  skip-port-protocol (conf-system-ip-flow context)
  generate-reversed-flow (conf-system-ip-flow context)
  source-addr (conf-system-ip-flow context)
  destination-addr (conf-system-ip-flow context)
  source-port (conf-system-ip-flow context)
  destination-port (conf-system-ip-flow context)
  protocol (conf-system-ip-flow context)
  domain (conf-system-ip-flow context)
  incoming-circuit-group (conf-system-ip-flow context)
  timeout (conf-system-ip-flow context)
  trace (conf-system-ip-flow context)
  priority (conf-system-ip-flow context)
  activate (conf-system-ip-flow context)
  show (conf-system-ip-flow context)
  configure system-non-ip-flow-rule
  action drop (conf-system-non-ip-flow context)
  action pass-to-masters (conf-system-non-ip-flow context)
  action broadcast (conf-system-non-ip-flow context)
  encapsulation ethernet (conf-system-non-ip-flow context)
  encapsulation lsap (conf-system-non-ip-flow context)
  encapsulation snap (conf-system-non-ip-flow context)
  activate (conf-system-non-ip-flow context)
  show (conf-system-non-ip-flow context)
Commands for Configuring VAP-Group Level Flow Rules
  ip-flow-rule (config-vap-grp context)
  action load-balance (ip-flow-rule context)
  action drop (ip-flow-rule context)
  action allow (ip-flow-rule context)
  action pass-to-master (ip-flow-rule context)
  action pass-to-vap (ip-flow-rule context)
  action broadcast (ip-flow-rule context)
  bypass-tcp-flow-setup-validation (ip-flow-rule context)
  direction (ip-flow-rule context)
  skip-port-protocol (ip-flow-rule context)
  generate-reversed-flow (ip-flow-rule context)
  source-addr (ip-flow-rule context)
  destination-addr (ip-flow-rule context)
  source-port (ip-flow-rule context)
  destination-port (ip-flow-rule context)
  protocol (ip-flow-rule context)
  domain (ip-flow-rule context)
  incoming-circuit-group (ip-flow-rule context)
  timeout (ip-flow-rule context)
  trace (ip-flow-rule context)
  priority (ip-flow-rule context)
  core-assignment (ip-flow-rule context)
  activate (ip-flow-rule context)
  bypass-tcp-flow-setup-validation (ip-flow-rule context)
  show (ip-flow-rule context)
  non-ip-flow-rule (config-vap-grp context)
  action drop (non-ip-flow context)
  action pass-to-master (non-ip-flow context)
  action broadcast (non-ip-flow context)
  encapsulation ethernet (non-ip-flow context)
  encapsulation lsap (non-ip-flow context)
  encapsulation snap (non-ip-flow context)
  core-assignment (non-ip-flow-rule context)
  activate (non-ip-flow context)
show (non-ip-flow context) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Commands for Monitoring Flows and Managing Flow Rule Conflicts . . . . . . . . . . . . . . . . . . . . . . . . . . show flow active. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show flow-path active. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show flow distribution. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . show npm-originated-flow-stats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . configure check-flow-rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Commands for Clearing Flows from the X-Series Platform . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . clear flow-active . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . clear interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . clear netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . clear switch-data-path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . clear vdf-status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
logical (conf-intf-gig or conf-intf-10gig context)
circuit (intf-gig-logical or intf-10gig-logical context)
show (intf-gig-logical or intf-10gig-logical context)
logical-all (conf-intf-gig or conf-intf-10gig context)
circuit (intf-gig-logical-all or intf-10gig-logical-all context)
standby-only (conf-intf-gig or conf-intf-10gig context)
pause-frame (conf-intf-gig or conf-intf-10gig context)
auto-negotiate (conf-intf-gig context)
duplex-mode (conf-intf-gig context)
media-speed (conf-intf-gig context)
enable (conf-intf-gig or conf-intf-10gig context)
show (conf-intf-gig or conf-intf-10gig context)
configure interface-internal
logical (conf-intf-internal context)
logical-all (conf-intf-internal context)
circuit (conf-intf-internal-log or conf-intf-internal-log-all context)
configure group-interface
mode (conf-group-intf context)
interface-type (conf-group-intf context)
pause-frame (conf-grp-intf-gig or conf-grp-intf-10gig context)
auto-negotiate (conf-grp-intf-gig context)
duplex-mode (conf-grp-intf-gig context)
media-speed (conf-grp-intf-gig context)
enable (conf-grp-intf-gig or conf-grp-intf-10gig context)
interface (conf-group-intf context)
enable (conf-grp-intf-intf context)
logical (conf-group-intf context)
circuit (conf-group-intf-logical context)
show (conf-group-intf context)
configure acl-interface
direction (conf-acl-intf context)
vlan (conf-acl-intf context)
ether-type (conf-acl-intf context)
source-mac (conf-acl-intf context)
destination-mac (conf-acl-intf context)
configure interface-status-group
configure acl-interface-mapping
Commands for Configuring Interface Redundancy
configure redundancy-interface
failovermode (conf-intf-redun context)
backup-stay-up (conf-vrrp-failover-vr context)
dist-port-threshold (conf-vrrp-failover-vr context)
mac-usage (conf-vrrp-failover-vr context)
priority-delta (conf-vrrp-failover-vr context)
vap-group (conf-vrrp-failover-vr context)
ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
verify-next-hop-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
priority-delta (conf-vrrp-vr-verify-next-hop context)
virtual-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
enable (conf-vrrp-group context)
configure vrrp vap-group
active-vap-threshold (conf-vrrp-vap-group context)
enable (conf-vrrp-vap-group context)
failover-group-list (conf-vrrp-vap-group context)
hold-down-timer (conf-vrrp-vap-group context)
priority-delta (conf-vrrp-vap-group context)
vrrp-relinquish-master
Chapter 9: Commands for Managing X-Series Platform Hardware and Software Upgrades and Maintenance
automated-workflow-menu
automated-workflows
show automated-workflow-progress
cp-disk-scheme
show cp-disk-scheme
configure cp-action disk-error (config context)
configure module
reload all
reload module
reload offline-cp
reset-cp-serial
reload vap-group
reset-configuration
sleep
upgrade
in-service (upgrade context)
batch-<n> (in-service-upgrade context)
batch-default (in-service-upgrade context)
clear-batches (in-service-upgrade context)
install (in-service-upgrade context)
show (in-service-upgrade context)
install (upgrade context)
remove (upgrade context)
show current-running-release (upgrade context)
show new-release (upgrade context)
show release (upgrade context)
verify-system (upgrade context)
show management-ip-alias
show management-ip-nat
show access-list
Commands for Displaying User Account and User Access Configuration Settings
show lock-config
show snmp-user
show username
show usernames
show autocommand
show privilege
show tree include-privilege
Commands for Displaying System Alarm and Logging Configuration Settings
show alarm-enabled
show facility-alarm
show snmp
show logging console
show logging setting
show logging server
Commands for Displaying CPM Redundancy Configuration Settings
show cp-redundancy
show cp-disk-error
show cp-unknown-state
show management-vip
Commands for Displaying VAP Group Configuration Settings
show archive-vap-group
show host
show kernel
show routing-protocol
show vap-group
Commands for Displaying Flow Provisioning Configuration Settings
show check-flow-rule
show default-ip-flow-rule
show default-non-ip-flow-rule
show ip-flow-rule
show non-ip-flow
show system-ip-flow-rule
show system-non-ip-flow-rule
Commands for Displaying Circuits and Interface Configuration Settings
show bridge-mode
show circuit
show incoming-circuit-group-name
show group-interface
show interface
show interface-status-group
show ip-mapping
show redundancy-interface
show status-grouping
show vlan
show acl-interface
show acl-interface-mapping
Commands for Displaying Multi-System High-Availability Configuration Settings
show remote-box
show vrrp
show vrrp circuit-ip
show vrrp detail-status
show vrrp failover-group
show vrrp monitor-circuit
show vrrp monitor-interfaces
show vrrp monitor-group-interfaces
show vrrp status
show vrrp vap-group
show vrrp verify-next-hop
show vrrp virtual-router
Commands for Displaying Hardware and Software Maintenance Configuration Settings
show module admin-state
show module status
show reload
Commands for Displaying Advanced Configuration Settings
show auto-promote
show alias
Commands for Displaying Console Display Configuration Settings
show terminal history
show ssh-session
show switch-data-path
show system
show traplog
show web-session
who
Commands for Troubleshooting X-Series Platform Network Connectivity
ping
show arp
show neighbor-discovery (IPv6)
show circuit
show flow active
show flow-path active
show flow distribution
show group-interface
show interface
show internal-ip
show netstat
show redundancy-interface
show vdf-status
clear vdf-status
show veth-stats
Commands for Troubleshooting VAPs, VAP Groups, and Applications
show ap-vap-mapping
show application
show application vap-group
Commands for Troubleshooting Multi-System High-Availability Issues
show remote-box
show vrrp
show vrrp circuit-ip
show vrrp detail-status
show vrrp failover-group
show vrrp monitor-circuit
show vrrp monitor-interfaces
show vrrp monitor-group-interfaces
show vrrp status
show vrrp vap-group
show vrrp verify-next-hop
show vrrp virtual-router
Commands for Providing Troubleshooting Information to Crossbeam Customer Support
show npm-tech
show tech-crash
show tech-support
Commands for Crossbeam Customer Support Use
debug
Appendix A: Example XOS Running Configuration File
Appendix B: Legal Single Line Command Groupings
Appendix C: Configurable Command Privilege Levels
Alphabetical Index of Commands
Glossary
Intended Audience
This guide is intended for qualified service personnel responsible for installing, configuring, and managing software on Crossbeam X-Series Platforms.
Related Documentation
The following documents are provided on the Crossbeam USB Installer or on the Crossbeam Customer Support Portal.

IMPORTANT: For the latest updates and revisions to X-Series Platform documentation, log into the Crossbeam Online Support Portal at http://www.crossbeam.com/support/online-support/.

APM, CPM, and NPM Installation Notice
X80-S Platform Hardware Installation Guide
X60 Platform Hardware Installation Guide
X20 and X30 Platform Hardware Installation Guide
XOS Configuration Guide
Multi-Application Serialization Configuration Guide
Multi-System High Availability Configuration Guide
Install Server User Guide
USB Installer User Guide
RSW Installation Guide (available with the RSW kit, purchased separately)
XOS V9.5.1 Release Notes
Conventions
Typographical Conventions
For paragraph text conventions, see Table 1 on page 18. For command-line text conventions, see Table 2 on page 19.
>
From the taskbar, choose Start > Run.
From the main menu, choose File > Save As...
Right-click on the desktop and choose Arrange Icons By > Name from the pop-up menu.
Courier Bold: Information that you must type in exactly as shown.
<Courier Italic>: Angle brackets surrounding Courier italic text indicate file names, folder names, command names, or other information that you must supply.
Example: [root@xxxxx]# md <your_folder_name>
[]: Square brackets contain optional information that may be supplied with a command.
Separates two or more mutually exclusive options.
{}: Braces contain two or more mutually exclusive options from which you must choose one.
Standard notation
The standard notation for IPv6 addresses is eight 16-bit hexadecimal words separated by colons. For example:

2001:BA95:AC10:0000:CF6A:000D:2145:3713

Specifying leading zeros is not required, provided that there is at least one numeric value in each field of the address. The above address can also be represented as:

2001:BA95:AC10:0:CF6A:D:2145:3713
Compressed notation
Many IPv6 addresses contain multiple fields of zeros. Use the double colon (::) notation to represent a single contiguous group of zero fields within an IPv6 address. For example:

1458:0:0:0:0:A03:5:AC17
AF06:0:0:0:BC:0:0:4
0:0:0:0:0:0:0:1
0:0:0:0:0:0:0:0

These can be represented as:

1458::A03:5:AC17
AF06::BC:0:0:4
::1
::

NOTE: The AF06:0:0:0:BC:0:0:4 example is represented as AF06::BC:0:0:4 because only one "::" is allowed in an address.

In this guide, the example IPv6 addresses are taken from:

The Unique Local Unicast address range (FC00::/7), because these addresses are not propagated over the Internet
The 2002: address range, as part of the prefix for IPv6 6to4 tunnels
NOTE: In accordance with the IANA IPv6 address space allocations, an XOS VAP of type xslinux_v3 ("V3"), xslinux_v5 ("V5"), xslinux_v5_64 ("V5_64"), or xsve will treat some address ranges as reserved. At this writing, the IANA range assignments are as follows (excerpted from http://www.iana.org/assignments/ipv6-address-space/):

| IPv6 Prefix | Allocation | Reference |
|---|---|---|
| 0000::/8 | Reserved by IETF | [RFC4291] |
| 0100::/8 | Reserved by IETF | [RFC4291] |
| 0200::/7 | Reserved by IETF | [RFC4048] |
| 0400::/6 | Reserved by IETF | [RFC4291] |
| 0800::/5 | Reserved by IETF | [RFC4291] |
| 1000::/4 | Reserved by IETF | [RFC4291] |
| 2000::/3 | Global Unicast | [RFC4291] |
| 4000::/3 | Reserved by IETF | [RFC4291] |
| 6000::/3 | Reserved by IETF | [RFC4291] |
| 8000::/3 | Reserved by IETF | [RFC4291] |
| A000::/3 | Reserved by IETF | [RFC4291] |
| C000::/3 | Reserved by IETF | [RFC4291] |
| E000::/4 | Reserved by IETF | [RFC4291] |
| F000::/5 | Reserved by IETF | [RFC4291] |
| F800::/6 | Reserved by IETF | [RFC4291] |
| FC00::/7 | Unique Local Unicast | [RFC4193] |
| FE00::/9 | Reserved by IETF | [RFC4291] |
| FE80::/10 | Link Local Unicast | [RFC4291] |
| FEC0::/10 | Reserved by IETF | [RFC3879] |
| FF00::/8 | Multicast | [RFC4291] |
With regard to reserved address blocks, some kernel versions make address-type determinations that are different from those made by other kernel versions. It should be noted that, in particular, V3 VAPs treat the following ranges as strictly reserved (that is, these addresses are reserved and are not treated as Global Unicast addresses), whereas V5 and V5_64 VAPs treat these ranges as reserved Global Unicast addresses:

    0000::/8
    0100::/8
    0200::/7
    0400::/6

For purposes of XOS circuit/interface configuration, it is recommended that the above "Reserved by IETF" ranges NOT be used unless warranted by special circumstances. In the general case, user-assigned XOS IPv6 unicast circuit/interface addresses should be allocated from the 2000::/3 (Global Unicast) and/or the FC00::/7 (Unique Local Unicast) address block(s).
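The address rules above can be checked before an address is assigned to a circuit or interface. The following Python example is added here and is not part of the Crossbeam guide: it encodes the IANA table and the V3 versus V5 difference listed above, and the function names and verdict labels are assumptions of this example.

```python
import ipaddress

# IANA IPv6 allocations, copied from the table in this guide.
_ROWS = [
    ("0000::/8", "Reserved by IETF"),
    ("0100::/8", "Reserved by IETF"),
    ("0200::/7", "Reserved by IETF"),
    ("0400::/6", "Reserved by IETF"),
    ("0800::/5", "Reserved by IETF"),
    ("1000::/4", "Reserved by IETF"),
    ("2000::/3", "Global Unicast"),
    ("4000::/3", "Reserved by IETF"),
    ("6000::/3", "Reserved by IETF"),
    ("8000::/3", "Reserved by IETF"),
    ("A000::/3", "Reserved by IETF"),
    ("C000::/3", "Reserved by IETF"),
    ("E000::/4", "Reserved by IETF"),
    ("F000::/5", "Reserved by IETF"),
    ("F800::/6", "Reserved by IETF"),
    ("FC00::/7", "Unique Local Unicast"),
    ("FE00::/9", "Reserved by IETF"),
    ("FE80::/10", "Link Local Unicast"),
    ("FEC0::/10", "Reserved by IETF"),
    ("FF00::/8", "Multicast"),
]
IANA_TABLE = [(p, ipaddress.IPv6Network(p), a) for p, a in _ROWS]

# Ranges that V3 VAPs treat as strictly reserved, while V5 and V5_64 VAPs
# treat them as reserved Global Unicast (per the guide).
KERNEL_DEPENDENT = {"0000::/8", "0100::/8", "0200::/7", "0400::/6"}

# Blocks the guide recommends for user-assigned unicast addresses.
RECOMMENDED = {"2000::/3", "FC00::/7"}


def classify(text):
    """Classify one candidate address; the verdict labels are this example's own."""
    try:
        addr = ipaddress.IPv6Address(text.strip())
    except ipaddress.AddressValueError as exc:
        # Covers malformed input, for example more than one "::" in the address.
        return {"input": text, "verdict": "invalid", "detail": str(exc)}
    # The table partitions the whole IPv6 space, so exactly one row matches.
    prefix, allocation = next((p, a) for p, net, a in IANA_TABLE if addr in net)
    if prefix in RECOMMENDED:
        verdict = "recommended"
    elif prefix in KERNEL_DEPENDENT:
        verdict = "reserved-v3-v5-differ"
    elif allocation == "Reserved by IETF":
        verdict = "reserved"
    else:
        verdict = "outside-recommended"  # link-local or multicast
    return {
        "input": text,
        "compressed": addr.compressed.upper(),  # guide-style notation
        "prefix": prefix,
        "allocation": allocation,
        "verdict": verdict,
    }


def audit(addresses):
    """Return the classification of every address that is not in a recommended block."""
    return [r for r in map(classify, addresses) if r["verdict"] != "recommended"]


if __name__ == "__main__":
    # Candidate list built from the guide's own notation examples plus one
    # constructed malformed address (two "::" groups).
    candidates = [
        "2001:BA95:AC10:0000:CF6A:000D:2145:3713",
        "AF06:0:0:0:BC:0:0:4",
        "0:0:0:0:0:0:0:1",
        "FD00:1::5",
        "AF06::BC::4",
    ]
    for row in map(classify, candidates):
        print(row)
```

Several of the guide's notation examples (1458::A03:5:AC17, AF06::BC:0:0:4, ::1) fall in "Reserved by IETF" ranges, so they illustrate notation only and are not suitable as circuit addresses.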
Customer Support
Crossbeam Systems offers a variety of service plans designed to meet your specific technical support requirements. For information on purchasing a service plan for your organization, please contact your account representative or refer to http://www.crossbeam.com/support/technical-support/.

If you have purchased a Crossbeam Systems product service plan and need technical assistance, you can report issues by telephone:

United States: +1 800-331-1338 OR +1 978-318-7595
EMEA: +33 4 8986 0400
Asia Pacific: +1 978-318-7595
Latin America: +1 978-318-7595
You can also report issues via e-mail to support@crossbeam.com. In addition, all of our service plans include access to the Crossbeam Customer Support Portal located at http://www.crossbeam.com/support/online-support/. The Crossbeam Customer Support Portal provides you with access to a variety of resources, including Customer Support Knowledgebase articles, technical bulletins, product documentation, and release notes. You can also access our real-time problem reporting application, which lets you submit new technical support requests and view all your open requests. Crossbeam Systems also offers extensive customer training on all of its products. For current course offerings and schedules, please refer to the Crossbeam Education Services Web pages located at http://www.crossbeam.com/support/training-services/.
Chapter 1: Introduction to the Command Line Interface
This chapter explains how to access and use the XOS Command-Line Interface (CLI). This chapter contains the following sections:
- Accessing the Command-Line Interface
- Using the CLI
Figure 1. [Figure not reproduced. Labels in the original: CRITICAL, MAJOR and MINOR alarm indicators; NPM 8600, APM 8600 and CPM 8600 modules with ACTIVE, STANDBY and FAILED indicators; USB, HA, MANAGEMENT, CONSOLE and MODEM ports.]
Figure 2. [Figure not reproduced. Labels in the original: Switch; CRITICAL, MAJOR and MINOR alarm indicators; NPM 8600, APM 8600 and CPM 8600 modules with ACTIVE, STANDBY and FAILED indicators; USB, HA, MANAGEMENT, CONSOLE and MODEM ports.]
For example, the following command shows the privilege level assigned to the admin user:

    CBS# show username admin
    Username                     : admin
    Assigned CLI Privilege Level : 15
    Current CLI Privilege Level  : 15
    GUI Access Level             : Administrator
    Maxdays                      : 30
    (1 row)

Use the following command to display the CLI command privilege level assigned to every user account configured on the X-Series Platform:

    CBS# show usernames

For example:

    CBS# show usernames
    Username                     : admin
    Assigned CLI Privilege Level : 15
    GUI Access Level             : Administrator
    Maxdays                      : 30
    Username                     : admin2
    Assigned CLI Privilege Level : 15
    GUI Access Level             : Administrator
    Maxdays                      : 28
    Username                     : guest
    Assigned CLI Privilege Level : 15
    GUI Access Level             : Guest
    Maxdays                      : 30
    (3 rows)
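The show usernames example output lists a guest account at CLI privilege level 15, the same level as the administrator accounts. The following Python example (added here, not part of the Crossbeam guide) parses that output and flags such accounts; the field names come from the example output, while the column spacing, the review rule and the function names are assumptions of this example.

```python
import re

# Output of "show usernames" as shown in this guide. The column spacing is
# reconstructed, so the parser relies only on "name : value" pairs.
SAMPLE_OUTPUT = """\
CBS# show usernames
Username                     : admin
Assigned CLI Privilege Level : 15
GUI Access Level             : Administrator
Maxdays                      : 30
Username                     : admin2
Assigned CLI Privilege Level : 15
GUI Access Level             : Administrator
Maxdays                      : 28
Username                     : guest
Assigned CLI Privilege Level : 15
GUI Access Level             : Guest
Maxdays                      : 30
(3 rows)
"""

REQUIRED = ("Username", "Assigned CLI Privilege Level", "GUI Access Level")
ROW_FOOTER = re.compile(r"\((\d+) rows?\)")


def parse_show_usernames(text):
    """Turn the command output into a list of dicts, one per user account."""
    records, current, expected = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        footer = ROW_FOOTER.fullmatch(line)
        if footer:
            expected = int(footer.group(1))
            continue
        if ":" not in line:
            continue  # prompt echo or blank line
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Username":  # each account block starts with this field
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    for rec in records:
        missing = [k for k in REQUIRED if k not in rec]
        if missing:
            raise ValueError(f"record {rec.get('Username')!r} lacks {missing}")
    # A mismatch with the "(N rows)" footer means the capture was truncated.
    if expected is not None and expected != len(records):
        raise ValueError(f"footer says {expected} rows, parsed {len(records)}")
    return records


def review_privileges(records, admin_level=15):
    """Flag accounts at admin_level whose GUI access level is not Administrator.

    The rule is this example's assumption: 15 is the level the guide shows
    for the admin accounts, so any other account at that level is reviewed.
    """
    findings = []
    for rec in records:
        level = int(rec["Assigned CLI Privilege Level"])
        gui = rec["GUI Access Level"]
        if level >= admin_level and gui != "Administrator":
            findings.append((rec["Username"], level, gui))
    return findings


if __name__ == "__main__":
    for user, level, gui in review_privileges(parse_show_usernames(SAMPLE_OUTPUT)):
        print(f"review: {user} has CLI level {level} with GUI access level {gui}")
```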
You can get help about the editing keystrokes by typing help edit at the CLI prompt.

You can also abbreviate commands to the fewest number of letters required to make the commands unique. For example, you can enter sho to execute the show command.

You can also use the Tab key to complete abbreviated commands. Enter the fewest number of letters required to make the command unique and press Tab. The CLI then completes the command. For example, if you press Tab after typing the following:

    CBS# conf

The CLI completes the command and you can press Enter to execute it:

    CBS# configure
    CBS(config)#

The output of some commands may exceed the screen length. When this occurs, you can press any key except Q or Enter to display the next screen of the output, or press Enter to display the next line of the output. Press Q to quit the output display and return to the command prompt.
IMPORTANT: If you create a user-defined string that includes upper-case letters, you must always enter the string with the correct case. Otherwise, the command will fail, or may have unintended results.

For example, you have created a VAP group named Test_name:

    CBS# configure vap-group Test_name xslinux_v5
    CBS(config-vap-grp)#

You then want to modify the configuration of the VAP group, and enter:

    CBS# configure vap-group Test_name
    CBS(config-vap-grp)#

The CLI places you in the config-vap-grp context, from which you can modify the configuration of the VAP group Test_name. However, if you enter the command without the upper-case letter, you are instructing XOS to create a new VAP group named test_name. If you continue, XOS creates a new VAP group, and the CLI places you in the config-vap-grp context for the new VAP group.

    CBS# configure vap-group test_name
    CBS(config-vap-grp)#
Getting Help
You can access the CLI online help using any of the following methods:
- To display help for the next expected commands available from the current CLI context, enter the help command or enter a question mark (?) at the command prompt.
- To display help for a specific command available from the current CLI context, specify that command as a parameter to the help command (help <command>).
- To display help for all of a command's legal arguments, enter a question mark (?) in place of an argument to that command.
- To display help for the available commands that start with a particular character set, enter the character set as a parameter to the help command (help <character_set>).
- To display a list of the available commands and command aliases (without descriptions) that start with a particular character set, you can do one of the following:
  - Enter an abbreviated command immediately followed by a question mark (?).
  - Enter an abbreviated command and press the Tab key.

NOTE: Command aliases are displayed with an asterisk (*) after their names.
Chapter 2: CLI Command Changes in XOS V9.5.1
This chapter provides information on CLI changes implemented in XOS V9.5.1. This chapter contains the following sections:
- New and Changed XOS CLI Commands
- Removed Commands
Command Name: application-remove <app_id> release <release_#> version <version_#>
Changes: The parameters release and version have been added to the application-remove command to allow you to specify the release and version of the application you want to remove.

Command Name: automated-workflows purge-log-files
Changes: The automated-workflows purge-log-files command removes the automated workflow log files.

Command Name: configure incoming-circuit-groupname <icg> <icgname>
Changes: Configures the name of a specified incoming circuit group. The range of values available for the incoming circuit group number is now <2-255>.

Command Name: show incoming-circuit-groupname
Changes: This command displays all incoming circuit groups, giving the number and name of each one.

Command Name: configure circuit <circuit_name> link-state-resistant
Changes: When a circuit is mapped to an external interface, configuring the circuit as link-state-resistant ensures that the circuit stays up regardless of the state of the external interface.

Command Name: configure circuit <circuit_name> vap-group <VAP_group_name> ip <IP_address> alias <alias_IP_address> floating
Changes: The floating parameter assigns the alias IP address to the master VAP, allowing traffic, cluster management, and synchronization communication to go directly to the master VAP. If a new master VAP is elected, the address floats to the new master.

Command Name: configure interface-internal
Changes: This command defines an internal interface that can be used for internal connectivity between VAPs or VAP groups that include circuits assigned to the internal interface. Use this command to enable internal communication between VAPs or a serialized connection between VAP groups.

Command Name: configure interface-status-group
Changes: This command ties the status of interfaces or group-interfaces together. If all interfaces and group-interfaces in an interface-status-group are UP, then the state of the interface-status-group is UP. If any interface or group-interface in the interface-status-group is DOWN, then the interface-status-group state is DOWN.

Changes: This command sets the time in seconds the system will wait before resetting an NPM if no connectivity is detected.

Changes: This command displays the time in seconds the system will wait before resetting an NPM if no connectivity is detected.

Changes: When creating a system-ip-flow-rule, in addition to specifying the number of an incoming-circuit-group, you can now specify any. This parameter acts as a wild card.
Changes: The xsve parameter defines a virtual environment VAP operating system for use with virtualized applications. Using this parameter creates an xsve VAP group that is preconfigured for one or more virtual machines. During the application installation, the virtual machine is created on the APM (the host).

Changes: The fail-to-host parameter has been added to the configure vap-group command in a virtualized environment to configure the action of the host when the guest has failed. Configuring this parameter enables the host to process traffic intended for the guest. Using the no parameter disables this behavior.

Changes: The flow-proxy parameter has been added to the configure vap-group command. In a virtualized environment, the host flow management cannot determine the destination of any flow that is passed to the guest. The flow-proxy parameter improves performance by indicating to the host flow management that flows will be consumed by the guest and do not need to be managed by the host.

Command Name: configure vap-group <VAP_group_name> ip-flow-rule <ip_flow_rule_name> incoming-circuit-group any
Changes: When creating an ip-flow-rule for a vap-group, in addition to specifying the number of an incoming-circuit-group, you can now specify any. This parameter acts as a wild card.

Command Name: configure vap-group <VAP_group_name> vg-reset-wait-time
Changes: The vg-reset-wait-time sub-command has been added to the configure vap-group command to configure the wait time before resetting the VAP if no connectivity is detected.

Command Name: configure vrrp failover-group <failover_group_name> monitor-group-interfaces <priority_delta> <dist-port-threshold>
Changes: The monitor-group-interfaces command has been added to the configure vrrp failover-group context to enable you to configure health monitoring for the specified vrrp group interface. The priority_delta parameter sets the priority delta value for the group interface. The dist-port-threshold parameter sets the minimum number of ports that must be in the active, distributing state. If the number of ports in that state falls below this threshold, the priority delta value is subtracted from failover group priority.

Command Name: configure vrrp failover-group <failover_group_name> virtual-router <vr_name> vap-group <VAP_group_name> virtual-ip <IP_address> floating
Changes: The floating parameter assigns the virtual IP address to the master VAP, allowing traffic, cluster management, and synchronization communication to go directly to the master VAP. If a new master VAP is elected, the address floats (is assigned) to the new master. In a VRRP configuration, the floating parameter assigns the virtual IP address to the master VAP on the new master chassis in the event of a failover.

Command Name: cp-disk-scheme
Changes: This command is used to select a different disk partitioning scheme than the current one. When you execute this command, you set the value of the configured scheme. After the next CPM reboot, the value that you configured is used to reconfigure the disk partitioning scheme. The show cp-disk-scheme command displays the current and configured disk partitioning scheme.

Changes: The show acl-mapping command has been renamed to show acl-interface-mapping.
Command Name: show alarms {active | history | model}
Changes: This command now requires either the active or history parameter to display alarms data. Additional parameters enable you to filter output by severity, source, alarm ID, date, and to display verbose output. The model parameter displays the XOS alarms model.

Command Name: clear alarms {id {<id#> | <lowest_id#> <highest_id#>} | all}
Changes: This command enables an administrator to clear a user-clearable alarm from the active alarms table.

Command Name: show cp-next-boot
Changes: The privilege level of this command has been changed from 15 to 0 to support the GEM application.

Command Name: show interface detail [phy | ipv4 | ipv6 | non-ipv4]
Changes: The phy, ipv4, ipv6, and non-ipv4 parameters have been added to the show interface detail command to enable you to filter the verbose output of the command.

Command Name: show interface high-availability
Changes: The high-availability parameter has been added to the show interface command to display the high-availability port configuration and statistics.

Command Name: clear interface high-availability
Changes: The high-availability parameter has been added to the clear interface command to clear the counters on the high-availability interface.

Command Name: show remote-box <remote_system_id>
Changes: The show remote-box command can now be used with the <remote_system_id> as a parameter. When used this way, a specific remote system can be specified.

Command Name: show tech-support -bundle
Changes: The bundle parameter has been added to the show tech-support command to capture additional diagnostic information in tar.gz format.

Command Name: show tech-support -paging
Changes: The paging parameter has been added to the show tech-support command to enable paging the output one screen at a time. The new default behavior is to write all of the output to the screen.

Command Name: show vrrp monitor-group-interfaces [<failover_group_name>]
Changes: The monitor-group-interfaces command displays the VRRP configuration and current status of all monitored group-interfaces, or displays all monitored group-interfaces assigned to circuits that belong to the specified failover group.

Command Name: show|copy running-config bridge-mode <circuit_name>
Changes: The bridge-mode parameter has been added to enable you to specify the bridge circuit whose configuration will be displayed or copied.

Command Name: show|copy running-config interface-internal <interface-internal_name>
Changes: The interface-internal parameter has been added to enable you to specify the interface-internal whose configuration will be displayed or copied.

Command Name: show|copy running-config interface-status-group <interface-status_group_name>
Changes: The interface-status-group parameter has been added to enable you to specify the interface-status-group whose configuration will be displayed or copied.

Command Name: show|copy startup-config interface-internal <interface-internal_name>
Changes: The interface-internal parameter has been added to enable you to specify the interface-internal whose configuration will be displayed or copied.

Command Name: show|copy startup-config interface-status-group <interface-status_group_name>
Changes: The interface-status-group parameter has been added to enable you to specify the interface-status-group whose configuration will be displayed or copied.
Removed Commands
No commands were removed in XOS V9.5.1. The following commands were removed in XOS V9.5.
Command Name: configure automated-workflows log-file-maxdays
Changes: The configure automated-workflows command and the sub-command log-file-maxdays have been removed. See automated-workflows in the previous table.

Command Name: configure circuit <circuit_name> internal
Changes: The internal command is no longer available in this context. The functions of the internal command have been replaced. See configure interface-internal and configure circuit <circuit_name> link-state-resistant in the previous table.

Command Name: configure group-interface group <group_interface_name>
Changes: The group command has been removed.

Command Name: configure group-interface interface-internal
Changes: The interface-internal command is no longer available in this context. See configure interface-internal in the previous table.

Command Name: configure group-interface mode [bridge | transparent]
Changes: The bridge and transparent sub-commands are no longer available in this context. Use configure bridge-mode or configure bridge-mode <circuit_name> transparent.

Command Name: configure group-interface <group_interface_name> mode multi-link circuit <circuit_name> interface <slot/port> device-name
Changes: The device-name command is no longer available in this context. It is not applicable to a multi-link configuration.

Command Name: configure group-interface status-grouping
Changes: The status-grouping command is no longer available in this context. See configure interface-status-group in the previous table.

Command Name: configure management-server
Changes: The management-server command has been removed. The show management-server command has also been removed.

Command Name: show acl-mapping
Changes: The show acl-mapping command has been renamed to show acl-interface-mapping.
Command Name: show cp-disk-error
Changes: This command assumes the presence of two CPMs and does not apply on an X20 or X30 chassis.

Command Name: configure web-timeout
Changes: This EMS command is not supported on X20, X30, or X60 chassis.

Command Name: show web-timeout
Changes: This EMS command is not supported on X20, X30, or X60 chassis.

Command Name: configure web-wizard
Changes: This EMS command is not supported on X20, X30, or X60 chassis.

Command Name: show web-wizard
Changes: This EMS command is not supported on X20, X30, or X60 chassis.
Chapter 3: Basic CLI Console Commands
This chapter describes the basic CLI console commands. You use these commands to navigate through CLI contexts, navigate through the directory structure on the CPM, configure the CLI console display, and display context-sensitive help for CLI commands and parameters. This chapter contains the following sections:
- Commands for Moving to a Higher-Level CLI Context
- Commands for Navigating the Directory Structure on the CPM
- Commands for Configuring the CLI Console Display
- CLI Help Commands
end
Moves you up to the main CLI context from any lower-level CLI context. NOTE: You can also press Ctrl-z to enter a command and then return to the main CLI context.
Syntax
end
Context
You can access this command from any CLI context.
Restrictions
Default Privilege Level: 0
Example
In the following example, the end command is used to move up to the main CLI context from the VAP group configuration (config-vap-grp) CLI context.

    CBS(config-vap-grp)# end
    CBS#
exit
If you issue this command from a nested CLI context level, the command moves you up to the next-highest CLI context level. If you issue this command from the main CLI context, the command logs you out of the current CLI session.
Syntax
exit
Context
You can access this command from any CLI context.
Restrictions
Default Privilege Level: 0
Example
In the following example, the exit command is used to move up to the configuration (conf-vrrp-group) CLI context from the virtual router configuration (conf-vrrp-failover-vr) CLI context.

    CBS# configure vrrp failover-group fail1 failover-group-id 55
    CBS(conf-vrrp-group)# virtual-router vrrp-id 55 circuit cct1
    CBS(conf-vrrp-failover-vr)# exit
    CBS(conf-vrrp-group)#
cd
Standard Unix change directory command. You can specify a directory name, full path name, or relative path name to access a directory on the CPM. You can also specify the cd command without arguments to access your home directory. NOTE: Your home directory is: /tftpboot/.private/home/<user_name>
Syntax
cd [<directory_name> | <full_path_name> | <relative_path_name>]
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter               Description
<directory_name>        Specifies the name of the directory to which you want to navigate. The specified directory must be nested within the current directory.
<full_path_name>        Specifies the full path to the directory to which you want to navigate.
<relative_path_name>    Specifies the relative path to the directory to which you want to navigate. For example:
                            CBS# cd ../mytestdir
                            CBS#
Restrictions
Default Privilege Level: 0
Example
The following command moves the user into the /crossbeam/rpm directory:

    CBS# cd /crossbeam/rpm
    CBS#
dir
Lists the existing files and directories in the specified directory. If you do not specify a directory name or full path name, the command lists the existing files and directories in the current directory. NOTE: This command is functionally equivalent to the standard Linux ls command, and you can use ls command options with the dir command.
Syntax
dir [<directory_name> | <full_path_name> | <relative_path_name>]
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter               Description
<directory_name>        Specifies the name of the directory whose contents you want to display.
<full_path_name>        Specifies the full path to the directory whose contents you want to display.
<relative_path_name>    Specifies the relative path to the directory whose contents you want to display. For example:
                            CBS# dir ../mytestdir
                            CBS#
Restrictions
Default Privilege Level: 0
Example
The following command displays the contents of the admin user's home directory:

    CBS# dir
    total 24
    drwx------  2
    drwxr-xr-x  4
    -rw-r--r--  1
    -rw-r--r--  1
    -rw-r--r--  1
    -rw-r--r--  1
    CBS#
pwd
Displays the current directory path.
Syntax
pwd
Context
You can access this command from any CLI context.
Restrictions
Default Privilege Level: 0
Example
The following command displays the path to the home directory for the admin user.

    CBS# pwd
    /tftpboot/.private/home/admin
    CBS#

NOTE: The example above assumes the user has not changed from the home directory.
clear-screen
Clears all text from the current CLI console screen.
Syntax
clear-screen
Context
You can access this command from any CLI context.
Restrictions
Default Privilege Level: 0
configure prompt
Configures the default CLI system prompt for the current CLI console session and all new CLI console sessions.
Syntax
configure prompt <prompt_string>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter          Description
<prompt_string>    Default CLI prompt text string.
Restrictions
Default Privilege Level: 15
A CLI prompt text string must contain only alphanumeric characters.
A CLI prompt text string cannot contain whitespace characters.
Example
The following command changes the default CLI prompt text to XOS_Expert:

    CBS# configure prompt XOS_Expert
    XOS_Expert#
prompt
Configures the CLI system prompt for the current CLI console session only.
Syntax
prompt <prompt_string>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter          Description
<prompt_string>    CLI prompt text string used during the current CLI session.
Restrictions
Default Privilege Level: 0
A CLI prompt text string must contain only alphanumeric characters.
A CLI prompt text string cannot contain whitespace characters.
Example
The following command changes the CLI prompt text to XOSExpert for the duration of the current CLI console session:

    CBS# prompt XOSExpert
    XOSExpert#
Syntax
configure terminal [no] history <number_of_commands>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter               Description
<number_of_commands>    Number of previously entered CLI commands stored in the terminal history buffer. Valid values are 0 to 256. Default is 70.
Restrictions
Default Privilege Level: 15
Example
The following command sets the number of commands stored in the terminal history buffer to 100, for the current CLI console session and all new CLI console sessions:

    CBS# configure terminal history 100
    CBS#
terminal history
Sets the number of commands stored in the terminal history buffer for the current CLI console session only. The default is 70 commands. Use the no parameter to restore this default value. Use the show terminal history command to display the number of commands stored in the terminal history buffer for the current CLI console session.

NOTE: The X-Series Platform stores the current user's most recent CLI command entries in the terminal history buffer. Use the show history command to display the commands currently stored in the terminal history buffer. You can press the up arrow or press Ctrl-p to view and/or reissue the prior command in the terminal history buffer. You can press the down arrow or press Ctrl-n to view and/or reissue the next command in the terminal history buffer.
Syntax
terminal [no] history size <number_of_commands>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter               Description
size                    Required keyword
<number_of_commands>    Number of previously entered CLI commands stored in the terminal history buffer. Valid values are 0 to 256. Default is 70.
Restrictions
Default Privilege Level: 0
Example
The following command sets the number of commands stored in the terminal history buffer to 100, for the current CLI console session only:

    CBS# terminal history 100
    CBS#
enable more
Enables or disables (using no) the CLI console display's paging feature for the current CLI session. This feature is enabled by default.

When the paging feature is enabled, the CLI console displays only as much text as will fit on a single screen, and then prompts you to press a key to display more text. When the paging feature is disabled, the CLI console displays each command's output in its entirety, even if the text does not fit on a single screen. To see more than one screen full of command output, you will have to scroll up in the CLI console window.

NOTE: This command applies only to the current CLI console session.
Syntax
[no] enable more
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following command disables the CLI console display's paging feature for the current CLI session:

    CBS# no enable more
    CBS#
Syntax
?
<abbreviated_command>?
<commands> [<arguments>] ?
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter                Description
<abbreviated_command>    Initial characters used in one or more CLI commands. Issue the question mark (?) command immediately after an abbreviated command to display a list of the available commands that begin with those characters. For example, show ap? displays the two commands that start with show ap: show ap-vap-mapping and show application.
<commands>               One or more CLI commands that can be entered on the command line from within the current context. Specify one or more commands followed by a space and then the question mark (?) command to display help for all legal arguments to the specified command(s).
<arguments>              One or more legal arguments to the CLI commands that are currently entered on the command line. Specify commands with one or more legal arguments followed by a space and then the question mark (?) command to display help for all legal commands and arguments that you can enter at the end of the current command line.
Restrictions
Default Privilege Level: 0
Examples
The following command displays help for the commands that you can issue from within the VRRP VAP group configuration (conf-vrrp-vap-group) CLI context:

    CBS(conf-vrrp-vap-group)# ?
    active-vap-threshold      - Number of active VAPs required, or priority is reduced
    [no] enable               - Enables VRRP on the VAP group
    [no] failover-group-list  - Enables failover groups to be affected by this VAP group
    [no] hold-down-timer      - Time to wait before becoming VRRP master
    [no] priority-delta       - Reduces priority when insufficient active VAPs
    <cr>
    CBS(conf-vrrp-vap-group)#

The following command displays help for the legal arguments to the configure vap-group command. Since one legal argument to this command is the name of an existing VAP group, the question mark (?) command also lists the existing VAP groups currently configured on the system.

    CBS# configure vap-group ?
    vap-group <WORD>          - VAP Group name
    Existing Vap Groups : es3, es4

The following command lists the commands that are available from the main CLI context and that begin with the characters show ap:

    CBS# show ap?
    ap-vap-mapping    application
    CBS# show ap
help
Displays context-sensitive help for CLI commands and parameters, or displays help for command-line editing keystrokes. Use the help command, as follows:
- To display help for all commands available from the current CLI context, enter the help command without parameters.
- To display help for a specific CLI command available from the current CLI context, enter that command as a parameter to the help command (help <command>).
- To display help for any available commands that begin with a particular character set, enter that character set as a parameter to the help command (help <character_set>).
- To display help for all command-line editing keystrokes, enter help edit.

For more information, see Getting Help and Editing the Command Line.
Syntax
help [<command> | <character_set> | edit]
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter          Description
<command>          CLI command available from the current CLI context. Specify a CLI command to display help for that command. NOTE: Commands that contain more than one keyword do not need to be surrounded by quotation marks. If you specify a command that is not available from the current CLI context, the help command results in an error.
<character_set>    Initial characters used in one or more CLI commands available from the current CLI context. Specify a set of characters to display help for all available commands that contain those characters. NOTE: The character set cannot contain spaces. If you specify a set of characters that is not part of any CLI command available from the current CLI context, the help command results in an error.
edit               Displays help for all command-line editing keystrokes.
Restrictions
Default Privilege Level: 0
Examples
The following command displays help for the commands that you can issue from within the VRRP VAP group configuration (conf-vrrp-vap-group) CLI context: CBS(conf-vrrp-vap-group)# help [no] vap-group - Configures a VAP group for High Availability active-vap-threshold - Number of active VAPs required, or priority is reduced [no] enable - Enables VRRP on the VAP group [no] failover-group-list - Enables failover groups to be affected by this VAP group [no] hold-down-timer - Time to wait before becoming VRRP master [no] priority-delta - Reduces priority when insufficient active VAPs CBS(conf-vrrp-vap-group)# The following command displays help for the configure vap-group command and all of its legal arguments. Since one legal argument is the name of an existing VAP group, the help command also lists the existing VAP groups currently configured on the system. CBS# help configure vap-group [no] vap-group vap-group <WORD> Existing Vap Groups : es3, es4 - Configures a VAP Group - VAP Group name
The following command displays help for the commands that are available from the main CLI context and that begin with the characters cp: CBS# help ro routing-protocol routing-protocol-services - Accesses requires - Accesses requires routing protocol commands, RSW routing protocol services, RSW
The following command displays help for all command-line editing keystrokes:
CBS# help edit
Available editing keystrokes
Delete current character.....................Ctrl-d
Delete text up to cursor.....................Ctrl-u
Delete from cursor to end of line............Ctrl-k
Move to beginning of line....................Ctrl-a
Move to end of line..........................Ctrl-e
Get prior command from history...............Ctrl-p
Get next command from history................Ctrl-n
Move cursor left.............................Ctrl-b
Move cursor right............................Ctrl-f
Move back one word...........................Esc-b
Move forward one word........................Esc-f
Convert rest of word to uppercase............Esc-c
Convert rest of word to lowercase............Esc-l
Delete remainder of word.....................Esc-d
Delete word up to cursor.....................Ctrl-w
Transpose current and previous character.....Ctrl-t
Enter command and return to root prompt......Ctrl-z
Refresh input line...........................Ctrl-l
Syntax
show vrrp detail-status-help
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
CBS# show vrrp detail-status-help
FG ID - This column displays failover group ID
Status - This column displays failover group status. Possible values are as follows: master, backup, down and init
Priority - This column shows failover group priority (actual/configured)
Delta - This column displays vrrp component's configured priority delta as well as information about its usage
  Example:
  10 - priority delta of a component configured as 10 - failover group priority NOT decremented by this delta (no failure)
  -10 - priority delta of a component configured as 10 - failover group priority decremented by this delta (component failure)
  10* - (or -10*) unknown next hop status (see Config Guide for details)
Type - This column displays vrrp component type. Possible values are: vr - virtual router, mi - monitored interface, mc - monitored circuit, vg - active vap threshold, nh - next hop
Component - This column gives detailed information about vrrp component type
  Format of this column depends on value of "Type" column:
  vr - virtual router circuit name/virtual router id
  mi - monitored interface
  mc - monitored circuit name
  vg - vap group (active-vap-threshold)
  nh - verify-next-hop IP/virtual router ID
Chapter 4: Commands for Configuring the X-Series Platform to Enable System Management
This chapter describes the CLI commands that you can use to configure and manage the X-Series Platform. This chapter contains the following sections:
- Commands for Configuring System Management Settings
- Commands for Configuring X-Series Platform Management Interfaces
- Commands for Configuring User Accounts and Managing User Access to the X-Series Platform
- Commands for Configuring System Alarms and Logs
- Commands for Configuring Chassis Resource Protection
- Commands for Configuring CPM Redundancy
- Commands for Accessing Other Systems from the CPM
calendar
This command sets the system calendar time and date. You must reboot all modules in the chassis (using the reload all command) to enable the calendar command to take effect. NOTE: The system calendar runs continuously, even if the X-Series Platform is powered off or rebooted. Use the show calendar command to display the current system calendar time and date.
Syntax
calendar <time> <day> <month> <year>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <time>
Description: Current time in 24-hour format, using the following syntax: <hours>:<minutes>:<seconds>. You must specify all three numbers, and you must specify all numbers in two-digit format (using a leading zero with single-digit numbers). For example, to specify 6:00 AM, enter 06:00:00. To specify 6:00 PM, enter 18:00:00.
Parameter: <day>
Description: Current day of the month. Valid values are from 1 to 31.
Parameter: <month>
Description: Current month in three-letter format.
Parameter: <year>
Description: Current year in four-digit format. Valid values are from 2000 to 2037.
Restrictions
Default Privilege Level: 15
Example
The following command sets the system calendar time and date to 4:30 PM on January 13, 2010.
CBS# calendar 16:30:00 13 jan 2010
Syntax
configure [no] dns search-name <domain_name> [vap-group <VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <domain_name>
Description: Domain name that you want to add to the list of domains that the CPM or the VAPs in the specified VAP group can append to a hostname during a DNS query. NOTE: You can define a maximum of 6 domain names for use by a single CPM or VAP group. The total number of characters in the domain names configured for use by a single CPM or VAP group cannot exceed 256.
Parameter: vap-group <VAP_group_name>
Description: Adds the specified domain name to the list of domains that the VAPs in the specified VAP group can append to a hostname during a DNS query. If you do not specify this parameter, the configure dns search-name command adds the specified domain name to the list of domains that the CPM can append to a hostname during a DNS query.
Restrictions
Default Privilege Level: 15
You can define a maximum of 6 domain names for use by a single CPM or VAP group.
The total number of characters in the domain names configured for use by a single CPM or VAP group cannot exceed 256.
Example
The following command adds the domain name, crossbeamxseries.com, to the list of domains that the CPM can append to a hostname when performing a DNS lookup to resolve host names to IP addresses:
CBS# configure dns search-name crossbeamxseries.com
CBS#
Syntax
configure [no] dns server <IP_address> [vap-group <VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_address>
Description: IP address of the DNS server.
Parameter: vap-group <VAP_group_name>
Description: Configures the DNS server IP address to be used by the specified VAP group. If you do not specify this parameter, all VAP groups will use the specified DNS server IP address.
Restrictions
Default Privilege Level: 15
A maximum of 3 DNS servers can be specified.
Example
The following command configures a DNS server IP address for a firewall VAP group.
CBS# configure dns server 192.168.2.1 vap-group fw_vap
CBS#
configure hostname
Assigns a host name to the X-Series Platform or to the specified CPM. The default host name for the X-Series Platform is crossbeam. To restore this default setting, enter the configure hostname command without specifying the <host_name> parameter. Use the show hostname command to display the host name assigned to the X-Series Platform.
Syntax
configure hostname [<host_name>] [cp1 | cp2]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <host_name>
Description: Host name assigned to the X-Series Platform or to the specified CPM. The default host name is crossbeam.
Parameter: [cp1 | cp2]
Description: Assigns the host name only to the CPM with the specified module name (cp1 or cp2). Use the show chassis command to display the slot numbers and module names assigned to each CPM in your chassis. If you do not specify a module name, the configure hostname command assigns the specified host name to both CPMs.
Restrictions
Default Privilege Level: 15
Example
The following command assigns the host name XOSExpert to the X-Series Platform.
CBS# configure hostname XOSExpert
CBS#
configure ip domainname
Configures the domain name for the X-Series Platform. The default domain name is crossbeam. Use the no parameter to restore this default setting. Use the show ip domainname command to display the domain name configured for the X-Series Platform.
Syntax
configure [no] ip domainname <domain_name>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <domain_name>
Description: Domain name that you want to assign to the X-Series Platform. The default domain name is crossbeam.
Restrictions
Default Privilege Level: 15
Example
The following command assigns the domain name example.com to the X-Series Platform:
CBS# configure ip domainname example.com
CBS#
configure ip forwarding
Enables or disables (using no) IP forwarding on the primary CPM. IP forwarding is disabled by default. Use the show ip forwarding command to determine whether IP forwarding is enabled on the primary CPM.
Syntax
configure [no] ip forwarding
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
configure ip ftp
Enables or disables (using no) the FTP server on the CPM. The FTP server is disabled by default.
Syntax
configure [no] ip ftp
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
configure ip ssh
Enables and disables (using no) the SSH server on the X-Series Platform, and configures SSH server authentication options.
An attempted SSH connection is denied if any of the following conditions is true:
- The SSH server is disabled. By default, the SSH server is enabled.
- The user does not enter a valid username and password within the SSH connection timeout period. Default timeout period is 120 seconds.
- The user does not enter a valid username and password within the maximum number of SSH authentication attempts (retries) configured for the SSH server on the X-Series Platform. Default maximum number of SSH authentication attempts is 3.
- The user does not enter a valid username and password within the maximum number of SSH authentication attempts (retries) configured for the SSH client. Default maximum number of SSH authentication attempts is 3.
NOTE: An attempted SSH connection is denied when the user reaches the maximum number of authentication retries for either the SSH client or the SSH server on the X-Series Platform. If the SSH client and the SSH server have different settings for maximum number of authentication retries, the lower setting applies. For example, if the setting for the SSH client is 3 and the setting for the SSH server on the X-Series Platform is 4, the maximum number of authentication retries allowed is 3.
The no parameter has three possible functions, depending on its placement in the command line:
- Use the configure no ip ssh command to disable the SSH server on the X-Series Platform.
- Use the configure ip ssh no timeout command to restore the default SSH connection timeout period.
- Use the configure ip ssh no authentication-retries command to restore the default maximum number of SSH authentication retries.
Use the show ip ssh command to display the SSH server configuration for the X-Series Platform.
Syntax
configure ip ssh [authentication-timeout <seconds> | authentication-retries <integer>]
configure no ip ssh
configure ip ssh no authentication-timeout
configure ip ssh no authentication-retries
Context
You access this command from the main CLI context.
Inline Commands
The following table lists the CLI commands that you can use inline with the configure ip ssh command.
Command: [no] authentication-timeout <seconds>
Description: Configures the SSH connection timeout period (measured in seconds) for the X-Series Platform. An attempted SSH connection terminates if the user does not specify a valid username and password within the SSH authentication-timeout period. Range is 0 to 65535 seconds. Default timeout period is 120 seconds. Use the no parameter to restore the default setting.
Command: [no] authentication-retries <integer>
Description: Configures the maximum number of user authentication attempts (retries) for an SSH connection attempt on the X-Series Platform. An attempted SSH connection terminates if a user fails to provide a valid username and password within the maximum number of user authentication attempts. Default maximum number of user authentication attempts is 3. Use the no parameter to restore the default setting.
NOTE: An attempted SSH connection is denied when the user reaches the maximum number of authentication retries for either the SSH client or the SSH server on the X-Series Platform. If the SSH client and the SSH server have different settings for maximum number of authentication retries, the lower setting applies. For example, if the setting for the SSH client is 3 and the setting for the SSH server on the X-Series Platform is 4, the maximum number of authentication retries allowed is 3.
Restrictions
Default Privilege Level: 15
configure ip telnet
Enables or disables (using no) the telnet server on the CPM. The telnet server is disabled by default. Use the show ip telnet command to determine whether the telnet server is enabled or disabled.
Syntax
configure [no] ip telnet
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
XOS Command Reference Guide 65
configure ldap-server
Configures the X-Series Platform to use the specified Lightweight Directory Access Protocol (LDAP) server. Use the no parameter to remove the specified LDAP server definition from the X-Series Platform configuration. The X-Series Platform supports a limited number of Lightweight Directory Access Protocol (LDAP) features to authenticate user logins. Use the show ldap-server command to display the LDAP server configuration (if any) for the X-Series Platform.
Syntax
configure [no] ldap-server {<host_name> | <IP_address>} [auth-port <UDP_destination_port_number>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: {<host_name> | <IP_address>}
Description: Host name or IP address of the LDAP server that you want the X-Series Platform to use.
Parameter: auth-port <UDP_destination_port_number>
Description: Configures the X-Series Platform to use the specified UDP destination port for LDAP server authentication requests. Valid values are 0 to 65535. Default UDP destination port number is 389.
Restrictions
Default Privilege Level: 15
configure ldap-parameter
Defines the parameters that the X-Series Platform uses to search for a valid Lightweight Directory Access Protocol (LDAP) server. For more information on using an LDAP server, see configure ldap-server on page 66. Use the configure no ldap-parameter command to remove all LDAP server search parameters defined for the X-Series Platform. Use the show ldap-parameters command to display the LDAP server search parameters defined for the X-Series Platform.
Syntax
configure ldap-parameter [version {2|3}] [distinguished-name <distinguished-name>]
configure no ldap-parameter
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: version {2|3}
Description: LDAP version (2 or 3) used by the LDAP server(s) that you want the X-Series Platform to use. Default version number is 3.
Parameter: distinguished-name <distinguished-name>
Description: Distinguished name assigned to the LDAP server(s) that you want the X-Series Platform to use.
Restrictions
Default Privilege Level: 15
cp-next-boot
Configures the specified CPM to boot from the specified disk partition the next time that the CPM boots.
Syntax
cp-next-boot {cp1|cp2} {distribution 1 | distribution 2}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: {cp1|cp2}
Description: Specifies the CPM (cp1 or cp2) for which you want to configure the disk partition used for the next CPM boot.
Parameter: {distribution 1 | distribution 2}
Description: Specifies the disk partition (distribution 1 or distribution 2) that the specified CPM will use the next time it boots.
Restrictions
Default Privilege Level: 15
Example
The following command configures the CPM named cp1 to boot from the distribution 2 disk partition the next time the CPM reboots:
CBS# cp-next-boot cp1 distribution 2
configure np-reload-timeout
Configures the time interval, measured in seconds, that the system waits for an NPM to reload. If an NPM reload is not completed within the specified time interval, the system declares the NPM inaccessible and resets the slot. The default time interval is 300 seconds. Use the no parameter to restore this default setting. If your configuration includes a large number of circuits, you may need to configure the system to wait longer for your NPMs to reload. Use the show np-reload-timeout command to display the NPM reload timeout interval configured for the X-Series Platform.
Syntax
configure [no] np-reload-timeout <time_interval>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <time_interval>
Description: Amount of time, in seconds, that the system waits for an NPM to reload before declaring the NPM inaccessible and resetting the slot. Valid values are from 60 to 18000. Default is 300.
Restrictions
Default Privilege Level: 15
configure np-reset-wait-time
Configures the time interval, measured in seconds, that the system waits for a heartbeat signal from an NPM before resetting it. The default time interval is 5 seconds. Use the no parameter to restore this default setting. Use the show np-reset-wait-time command to display the NPM reset timeout interval configured for the X-Series Platform.
Syntax
configure [no] np-reset-wait-time <time_interval>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <time_interval>
Description: Amount of time, in seconds, that the system waits for an NPM to reload before declaring the NPM inaccessible and resetting the slot. Valid values are from 0 to 60. Default is 5.
Restrictions
Default Privilege Level: 15
Syntax
configure ntp server <IP_address>
configure no ntp server <IP_address>
configure ntp no server <IP_address>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_address>
Description: IP address of the NTP server that you want the X-Series Platform to use.
Restrictions
Default Privilege Level: 15
If an X-Series Platform is using an NTP server, you cannot use the calendar command to configure the system calendar date and time for the X-Series Platform.
configure operating-mode
Configures the NPM operating mode settings for the X-Series Platform. Use these settings to:
- Configure the X-Series Platform to use one, two, or four NPMs. By default, the X-Series Platform is configured to use two NPMs.
- Configure the X-Series Platform to run in Series-6 NPM mode, which supports functionality available only when using NPM-86x0s. This is the default setting.
IMPORTANT: You must issue the reload all command to enable an NPM operating mode configuration change to take effect.
Use the no parameter to restore the default NPM operating mode settings listed above.
Use the show operating-mode command to display the current NPM operating mode settings for the X-Series Platform.
Syntax
configure operating-mode {single-np | dual-np | quad-np} series-6
configure no operating-mode
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: [single-np | dual-np | quad-np]
Description: Configures the X-Series Platform to use one, two, or four NPMs. Specify one of the following:
- single-np Configures the X-Series Platform to use only one NPM. This setting is valid only when used with X20, X30, X45, or X60 chassis.
- dual-np Configures the X-Series Platform to use two NPMs. This is the default setting.
- quad-np Configures the X-Series Platform to use four NPMs. This setting is valid only when used with X80 chassis.
NOTE: The dual-np and quad-np parameters cannot be used on either the X20 or X30 chassis.
Parameter: series-6
Description: Configures the X-Series Platform to run in Series-6 NPM mode, which supports functionality available only when using NPM-86x0s. This is the default setting.
Restrictions
Default privilege level: 15
The operating mode settings that you specify with this command must reflect the actual number and type of NPMs installed in the X-Series Platform.
Example
The following command configures the X-Series Platform to use four NPMs instead of two:
CBS# configure operating-mode quad-np series-6
CBS#
IMPORTANT: You must issue the reload all command to enable the above settings to take effect.
Syntax
configure [no] radius-server host {<host_name>|<IP_address>} [auth-port <auth_port_value>] [timeout <seconds>] [key <keyword>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: host {<host_name> | <IP_address>}
Description: Domain Name Server (DNS) searchable host name or IP address of the host that you want the X-Series Platform to use as a RADIUS server for RADIUS Authentication.
Parameter: auth-port <UDP_destination_port_number>
Description: Configures the X-Series Platform to use the specified UDP destination port for RADIUS Authentication requests. Valid values are 0 to 65535. Default UDP destination port number is 1812.
Parameter: timeout <seconds>
Description: Configures the timeout period, in seconds, for a RADIUS server connection attempt. If a RADIUS server host does not reply to a RADIUS Authentication request within the timeout period, the X-Series Platform terminates the connection to the RADIUS server host. Valid values are from 0 to 3600 seconds. Default is 3 seconds.
Parameter: key <keyword>
Description: Authentication and encryption key used for all RADIUS communications between the RADIUS server host and the RADIUS daemon. The key must match the encryption used on the RADIUS daemon. Invalid characters are ignored. Valid characters include all alphanumeric characters, as well as the following: $ _ @ / + ( ) . < > _
Restrictions
Default Privilege Level: 15
The IP address for the RADIUS server host cannot be in the X-Series Platform's system internal network. The X-Series Platform uses the system internal network for communication between X-Series hardware modules and between X-Series chassis. (For more information, see configure system-internal-network on page 74.)
You cannot assign an IP address to a RADIUS server host if that IP address is already assigned to an existing element in the XOS configuration. For example, you cannot use an existing circuit's IP address or an existing management IP address as the RADIUS server host's IP address.
NOTE: The IP address for the RADIUS server host can be in the same network as an existing circuit IP address and can be in the same network as an existing management IP address.
configure system-identifier
Assigns a system identifier to the X-Series Platform and integrates the system identifier into the internal control network IP address. The internal control network IP address is in the format, a.b.xxx.0; the configured system identifier replaces xxx. The system identifier must be unique for each X-Series Platform. NOTE: Before migrating to XOS V9.5.1 from a previous release, you must ensure that a system identifier has been configured for the X-Series Platform. Use the show system-identifier command to display the system identifier (if any) assigned to the X-Series Platform.
Syntax
configure system-identifier <system_ID>
Context
You access this command from the main CLI context.
Example
On a system with an internal network of 5.8.0.0/16 and a system-identifier of 44, NPM1 would be assigned IP address 5.8.44.1, the primary CPM would be assigned 5.8.44.20, and APM1 would be assigned 5.8.44.32.
Parameters
The following table lists the parameters used with this command.
Parameter: <system_ID>
Description: System identifier assigned to the X-Series Platform. Valid values are from 1 to 255.
Restrictions
Default Privilege Level: 15
Each X-Series Platform must have a unique system identifier.
configure system-internal-network
Configures the internal control network for the X-Series Platform. Use the show system-internal-network command to display the configured and operational internal control network IP addresses for the X-Series Platform.
Syntax
configure system-internal-network {<IP_address> <subnet_mask> | <IP_address>/<0-16>}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: {<IP_address> <subnet_mask> | <IP_address>/<0-16>}
Description: Internal control network assigned to the X-Series Platform. You can specify the internal control network as a separate network IP address and subnet mask, or you can specify the internal control network using CIDR format (for example, 10.15.0.0/16).
Restrictions
Default Privilege Level: 15
The system internal network IP address cannot be in Class D (224.0.0.0 - 239.255.255.255) or Class E (240.0.0.0 - 255.255.255.255).
The configured and operational system internal network must be unique in the XOS configuration. This means that the configured and operational system internal network IP addresses cannot belong to the same network as any other configured IP address.
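The address layout described under configure system-identifier and the restrictions listed for configure radius-server and configure system-internal-network can be checked before a change is applied. The following Python sketch is an added example, not Crossbeam code; the function names, chassis names and sample addresses are assumptions, and only the a.b.xxx.0 layout, the 1 to 255 identifier range, the /0 to /16 prefix range and the Class D/E and RADIUS restrictions come from the text above.

```python
import ipaddress

# Class D (224.0.0.0/4) and Class E (240.0.0.0/4) together.
RESERVED = ipaddress.ip_network("224.0.0.0/3")


def parse_internal_network(spec):
    """Accept both documented forms: '<IP> <mask>' and '<IP>/<prefix>'."""
    return ipaddress.ip_network("/".join(spec.split()), strict=False)


def control_subnet(spec, system_id):
    """Return the a.b.<system_id>.0/24 block used by one chassis."""
    if not 1 <= system_id <= 255:
        raise ValueError(f"system identifier {system_id} is outside 1-255")
    a, b = parse_internal_network(spec).network_address.packed[:2]
    return ipaddress.ip_network(f"{a}.{b}.{system_id}.0/24")


def check_plan(spec, system_ids, radius_hosts):
    """Return a list of problems; an empty list means the plan passes these checks.

    system_ids   -- {chassis name: system identifier} (names are hypothetical)
    radius_hosts -- RADIUS server hosts as strings; host names are skipped
    """
    problems = []
    net = parse_internal_network(spec)
    if net.prefixlen > 16:
        problems.append(f"internal network {net}: prefix must be /0 to /16")
    if net.overlaps(RESERVED):
        problems.append(f"internal network {net}: overlaps Class D or Class E")

    seen = {}
    for chassis, sid in sorted(system_ids.items()):
        if not 1 <= sid <= 255:
            problems.append(f"{chassis}: system identifier {sid} is outside 1-255")
        elif sid in seen:
            problems.append(
                f"{chassis}: system identifier {sid} already used by {seen[sid]}")
        else:
            seen[sid] = chassis

    for host in radius_hosts:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # a host name: resolve it first, then re-run the check
        if addr in net:
            problems.append(f"RADIUS host {host} is inside internal network {net}")
    return problems


if __name__ == "__main__":
    # Constructed plan: two chassis sharing an identifier, one RADIUS host
    # placed inside the internal network.
    print(control_subnet("5.8.0.0/16", 44))
    for p in check_plan("5.8.0.0/16",
                        {"chassis-a": 44, "chassis-b": 44},
                        ["5.8.44.20", "192.0.2.10"]):
        print(p)
```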
configure timeout
Defines the timeout interval for the current CLI console session and for all new CLI console sessions. The default timeout interval is 300 seconds. Use the configure no timeout command to disable the timeout functionality on the X-Series Platform. Use the show timeout command to display the timeout interval for the current CLI console session.
Syntax
configure timeout <seconds>
configure no timeout
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <seconds>
Description: Timeout interval, in seconds, that you want to define for the current CLI console session and for all new CLI console sessions. Valid values are from 1 to 65535. Default is 300 seconds.
Restrictions
Default Privilege Level: 15
timeout
Defines the timeout interval for this CLI console session only. The default timeout interval is 300 seconds. Use the no timeout command to restore this default setting. Use the show timeout command to display the timeout interval for the current CLI console session.
Syntax
timeout <seconds>
no timeout
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <seconds>
Description: Timeout interval, in seconds, used only for the current CLI session. Valid values are from 1 to 65535. Default is 300 seconds.
Restrictions
Default Privilege Level: 0
configure timezone
Configures the system time zone for the X-Series Platform. You can specify a time zone with the configure timezone command, or you can issue the command without parameters and allow the CLI to prompt you to select a time zone from a series of menus. NOTE: The time zone menu also provides you with the option to enter a specific GMT offset time for the system instead of selecting a time zone. Use the show timezone command to display the current system time zone setting for the X-Series Platform.
Syntax
configure timezone [<time_zone>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <time_zone>
Description: Specifies the name of the system time zone or specifies the area in which the system is being configured. <time_zone> must be a valid Unix time zone keyword. The <time_zone> string is case-sensitive. If you do not specify a time zone, the CLI provides you with a series of menu options that allow you to select a system time zone or enter a GMT offset time for the X-Series Platform.
Restrictions
Default Privilege Level: 15
configure web-server
Enables or disables (using no) access to the Web server on the X-Series Platform. By default, X-Series Platform Web server access is disabled. Enabling access to the Web server allows users to access and manage the X-Series Platform using EMS (Crossbeam's Web-based X-Series Platform management GUI).
Syntax
configure [no] web-server
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
configure web-timeout
Configures the Web server timeout interval for all EMS sessions.
Syntax
configure web-timeout <minutes>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <minutes>
Description: Web server timeout interval, in minutes, used for all EMS sessions. Valid values are from 1 to 65535. Default is 20 minutes.
Restrictions
Default Privilege Level: 15
This command is not available on the X20, X30, or X60 chassis.
Example
The following command sets the Web server timeout interval used for EMS sessions to 20 minutes.
CBS# configure web-timeout 20
configure web-wizard
Configures the X-Series Platform to start the EMS Web Wizard whenever a user logs into the X-Series Platform using EMS.
Syntax
[no] configure web-wizard
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
This command is not available on the X20, X30, or X60 chassis.
configure management
Defines a CPM port as an X-Series Platform management interface, and places you in the CLI context in which you can configure that management interface. Use the no parameter to delete an X-Series Platform management interface configuration.
Syntax
configure [no] management gigabitethernet <slot>/<port>
Inline Commands
The following table lists the CLI commands used inline with the configure management command.
Command: gigabitethernet
Description: Defines a Gigabit Ethernet port on a CPM as an X-Series Platform management interface.
Parameters
The following table lists the parameters used with this command.
Parameter: <slot>
Description: Slot number for the CPM on which you want to define a port as an X-Series Platform management interface.
Parameter: <port>
Description: Port number for the port that you want to define as an X-Series Platform management interface.
Restrictions
Default Privilege Level: 15
Example
The following example defines Gigabit Ethernet port 1 on the CPM in slot 14 as an X-Series Platform management interface.
CBS# configure management gigabitethernet 14/1
CBS(conf-mgmt-gig)#
Syntax
[no] enable
Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.
Restrictions
Default Privilege Level: 15
Syntax
[no] access-list <ACL_ID_number> {input | output}
Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.
Parameters
The following table lists the parameters used with this command.
Parameter: <ACL_ID_number>
Description: ID number assigned to the ACL that you want to add to or delete from the X-Series Platform management interface configuration.
Parameter: {input | output}
Description: Specifies whether the CPM applies the ACL to incoming (input) or outgoing (output) traffic passing through the X-Series Platform management interface that you are currently configuring.
Restrictions
Default Privilege Level: 15
Example
The following commands configure the X-Series Platform to apply access control list (ACL) 5 to incoming traffic passing through the X-Series Platform management interface configured on Gigabit Ethernet port 1 on the CPM in slot 14.
CBS# configure management gigabitethernet 14/1
CBS(conf-mgmt-gig)# access-list 5 input
CBS(conf-mgmt-gig)#
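The management-plane commands in this chapter (configure ip telnet, configure ip ftp, configure ip ssh, configure timeout, configure web-server, configure web-timeout, and access-list on a management interface) can be reviewed together by replaying a captured CLI session over the documented defaults. The following Python auditor is an added example, not part of the XOS documentation or Crossbeam software; the policy ceilings, finding names and the two sample sessions are constructed assumptions, and it assumes that any non-negated configure ip ssh form leaves the SSH server enabled.

```python
import re

# Prompt forms shown on the page: "CBS#" (main context) and "CBS(conf-mgmt-gig)#".
PROMPT = re.compile(r"^CBS(?:\((?P<ctx>[\w-]+)\))?#\s*(?P<cmd>.*)$")

# Defaults as documented in the command descriptions above.
DEFAULTS = {"telnet": False, "ftp": False, "ssh": True, "web": False,
            "ssh_retries": 3, "ssh_timeout": 120, "cli_timeout": 300, "web_timeout": 20}
# Assumed site policy ceilings (not vendor guidance).
POLICY = {"ssh_retries": 3, "ssh_timeout": 120, "cli_timeout": 300, "web_timeout": 20}
SSH_OPTS = {"authentication-timeout": "ssh_timeout", "authentication-retries": "ssh_retries"}


def _apply_main(words, state, mgmt):
    """Apply one main-context 'configure ...' command; return the interface entered, if any."""
    negate = words[:1] == ["no"]
    if negate:
        words = words[1:]
    if words == ["ip", "telnet"]:
        state["telnet"] = not negate
    elif words == ["ip", "ftp"]:
        state["ftp"] = not negate
    elif words == ["web-server"]:
        state["web"] = not negate
    elif words[:2] == ["ip", "ssh"]:
        opts = words[2:]
        state["ssh"] = not negate          # assumption: non-negated forms leave SSH enabled
        if len(opts) == 2 and opts[0] == "no" and opts[1] in SSH_OPTS:
            state[SSH_OPTS[opts[1]]] = DEFAULTS[SSH_OPTS[opts[1]]]
        elif len(opts) == 2 and opts[0] in SSH_OPTS and opts[1].isdigit():
            state[SSH_OPTS[opts[0]]] = int(opts[1])
    elif words[:1] == ["timeout"]:
        if negate:
            state["cli_timeout"] = None    # "configure no timeout" disables the timeout
        elif len(words) == 2 and words[1].isdigit():
            state["cli_timeout"] = int(words[1])
    elif words[:1] == ["web-timeout"] and len(words) == 2 and words[1].isdigit():
        state["web_timeout"] = int(words[1])
    elif words[:2] == ["management", "gigabitethernet"] and len(words) == 3:
        if negate:
            mgmt.pop(words[2], None)
            return None
        mgmt.setdefault(words[2], set())
        return words[2]
    return None


def audit(transcript, policy=POLICY):
    """Replay a captured session over the documented defaults and return finding codes."""
    state, mgmt, current_if = dict(DEFAULTS), {}, None
    for line in transcript:
        m = PROMPT.match(line.strip())
        if not m or not m.group("cmd"):
            continue                        # command output or a bare prompt
        ctx, words = m.group("ctx"), m.group("cmd").split()
        if ctx is None:
            current_if = (_apply_main(words[1:], state, mgmt)
                          if words[0] == "configure" else None)
        elif ctx == "conf-mgmt-gig" and current_if:
            negate = words[0] == "no"
            args = words[1:] if negate else words
            if len(args) == 3 and args[0] == "access-list" and args[2] in ("input", "output"):
                entry = (args[1], args[2])  # (ACL ID, direction)
                (mgmt[current_if].discard if negate else mgmt[current_if].add)(entry)

    findings = []
    if state["telnet"]:
        findings.append("telnet-enabled")
    if state["ftp"]:
        findings.append("ftp-enabled")
    if state["ssh"] and state["ssh_retries"] > policy["ssh_retries"]:
        findings.append("ssh-retries-above-policy")
    if state["ssh"] and state["ssh_timeout"] > policy["ssh_timeout"]:
        findings.append("ssh-timeout-above-policy")
    if state["cli_timeout"] is None:
        findings.append("cli-timeout-disabled")
    elif state["cli_timeout"] > policy["cli_timeout"]:
        findings.append("cli-timeout-above-policy")
    if state["web"] and state["web_timeout"] > policy["web_timeout"]:
        findings.append("web-timeout-above-policy")
    for ifname in sorted(mgmt):
        if not any(direction == "input" for _, direction in mgmt[ifname]):
            findings.append(f"mgmt-{ifname}-no-input-acl")
    return findings


# Constructed sessions (not captured from a real system).
WEAK_SESSION = ["CBS# configure ip telnet",
                "CBS# configure ip ssh authentication-retries 6",
                "CBS# configure no timeout",
                "CBS# configure management gigabitethernet 14/1",
                "CBS(conf-mgmt-gig)# access-list 5 output"]
HARDENED_SESSION = ["CBS# configure no ip telnet",
                    "CBS# configure no ip ftp",
                    "CBS# configure ip ssh authentication-timeout 60",
                    "CBS# configure timeout 300",
                    "CBS# configure management gigabitethernet 14/1",
                    "CBS(conf-mgmt-gig)# access-list 5 input"]

if __name__ == "__main__":
    print(audit(WEAK_SESSION))
    print(audit(HARDENED_SESSION))
```

The auditor reports only what the replayed commands imply; settings changed outside the captured session are not visible to it.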
Syntax
ip-addr {<IP_address> <subnet_mask> | <IP_address>/<0-32>} [<broadcast_IP_address>]
Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.
Parameters
The following table lists the parameters used with this command.
Parameter: {<IP_address> <subnet_mask> | <IP_address>/<0-32>}
Description: IP address and subnet mask that you want to assign to the X-Series Platform management interface that you are configuring. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
Parameter: <broadcast_IP_address>
Description: Assigns the specified broadcast IP address to the X-Series Platform management interface that you are currently configuring.
Restrictions
Default Privilege Level: 15
Syntax
[no] ip-alias {<IP_address> <subnet_mask> | <IP_address>/<0-32>} [<broadcast_IP_address>]
Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.
Parameters
The following table lists the parameters used with this command.
Parameter: {<IP_address> <subnet_mask> | <IP_address>/<0-32>}
Description: Alias IP address and subnet mask that you want to assign to the X-Series Platform management interface that you are configuring. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
Parameter: <broadcast_IP_address>
Description: Assigns the specified broadcast IP address to the alias IP address for the X-Series Platform management interface that you are currently configuring.
Restrictions
Default Privilege Level: 15
Syntax
[no] ip-nat inside <VAP_management_IP_address> vap-group <VAP_group_name> <VAP_index_number>
Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.
Parameters
The following table lists the parameters used with this command.
Parameter: <VAP_management_IP_address>
Description: Management IP address assigned to the VAP for which you want to enable or disable NAT for internal management traffic.
Parameter: vap-group <VAP_group_name>
Description: Specifies the VAP group that includes the VAP for which you want to enable or disable NAT for internal management traffic.
Parameter: <VAP_index_number>
Description: Specifies the VAP index number for the VAP for which you want to enable or disable NAT for internal management traffic. NOTE: You can use the show ap-vap-mapping command to determine the VAP index number for each VAP in each VAP group configured on the X-Series Platform.
Restrictions
Default Privilege Level: 15
Syntax
[no] ip-nat outside <host_IP_address> <Internal_IP_address_for_CPM>
Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.
Parameters
The following table lists the parameters used with this command.
Parameter: <host_IP_address>
Description: IP address of the external host for which you want to enable or disable NAT on the X-Series Platform management interface that you are currently configuring.
Parameter: <Internal_IP_address_for_CPM>
Description: Internal IP address assigned to the CPM whose management interface you are currently configuring. NOTE: You can use the show internal-ip command to determine the internal IP address for the CPM.
Restrictions
Default Privilege Level: 15
Syntax
[no] mac-addr <MAC_address>
Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.
Parameters
The following table lists the parameters used with this command.
Parameter: <MAC_address>
Description: MAC address that you want to assign to the X-Series Platform management interface that you are currently configuring. NOTE: You must specify the MAC address using the standard format (xx:xx:xx:xx:xx:xx). The MAC address cannot contain only 0s or only fs.
Restrictions
Default Privilege Level: 15
The MAC address assigned to a management interface cannot contain only 0s (0:0:0:0:0:0) or only fs (ff:ff:ff:ff:ff:ff).
Syntax
[no] mtu <max_packet_size>
Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.
Parameters
The following table lists the parameters used with this command.
Parameter: <max_packet_size>
Description: Maximum Transmission Unit (MTU), or maximum packet size, in bytes, that you want to set for the X-Series Platform management interface that you are currently configuring. Valid values are from 68 to 1536. Default is 1500.
Restrictions
Default Privilege Level: 15
Syntax
speed [10 | 100 | 1000 | auto-negotiate] [half | full]
Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.
Parameters
The following table lists the parameters used with this command.
Parameter: [10 | 100 | 1000 | auto-negotiate]
Description: Sets a fixed media speed in Mbps (10, 100, or 1000) or enables auto-negotiation of media speed (auto-negotiate) for connections with the X-Series Platform management interface that you are currently configuring. By default, auto-negotiation is enabled, so there is no fixed media speed for the management interface.
Parameter: [half | full]
Description: Sets the duplex mode for the X-Series Platform management interface that you are configuring. Valid modes are half duplex (half) and full duplex (full). Default mode is full duplex.
Restrictions
Default Privilege Level: 15
Syntax
show
Contexts
You access this command from the conf-mgmt-gig context. You can access either of these contexts from the main CLI context by issuing the configure management command.
Description Broadcast IP address assigned to the X-Series Platform management interface. See ip-addr (conf-mgmt-gig context) on page 83 for information about configuring a broadcast IP address for an X-Series Platform management interface.
Indicates whether auto-negotiation of media speed is enabled (t) or disabled (f) for the X-Series Platform management interface. See speed (conf-mgmt-gig context) on page 88 for information about configuring the media speed setting for an X-Series Platform management interface.
Fixed media speed (in Mbps) configured for the X-Series Platform management interface. NOTE: This field only appears if auto-negotiation is disabled. See speed (conf-mgmt-gig context) on page 88 for information about configuring a fixed media speed for an X-Series Platform management interface.
ID number assigned to the access control list (ACL) that the CPM applies to incoming traffic passing through the X-Series Platform management interface. See access-list (conf-mgmt-gig context) on page 81 for information about configuring an ACL for an X-Series Platform management interface.
ID number assigned to the access control list (ACL) that the CPM applies to outgoing traffic passing through the X-Series Platform management interface. See access-list (conf-mgmt-gig context) on page 81 for information about configuring an ACL for an X-Series Platform management interface.
Restrictions
Default Privilege Level: 15
Example
The following commands display the existing management interface configuration settings for Gigabit Ethernet port 1 on the CPM in slot 14.
CBS# configure management gigabitethernet 14/1
CBS(conf-mgmt-gig)# show
Management Interface                : gigabitethernet 14/1
Enabled (true/false)                : t
IP Address                          : 192.168.15.109
Netmask                             : 255.255.255.0
Broadcast Address                   : 192.198.100.255
Auto Negotiate Enabled (true/false) : t
Input Access List                   : 1001
Output Access List                  : 1002
(1 row)
CBS#
Syntax
configure management ip-route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address> [metric <metric_value>]
configure management ip-route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address> no metric
configure management no ip-route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address>
Context
You access this command from the main CLI context.
Inline Commands
The following table lists the CLI commands used inline with the configure management ip-route command.
Command: [no] metric <metric_value>
Description: Configures the X-Series Platform to assign the specified metric value to the management IP route that you are configuring. Valid values are 1 to 255. Use the no parameter to delete the metric assigned to the specified IP route.
Parameters
The following table lists the parameters used with this command.
Parameter: {<IP_address> <subnet_mask> | <IP_address>/<0-32>}
Description: Destination network for which the static IP route is defined. You can specify the destination network as a separate network IP address and subnet mask, or you can specify the destination network using CIDR format (for example, 10.15.0.0/16).
Parameter: <next_hop_IP_address>
Description: Next hop IP address that packets must use to reach the specified destination network.
Restrictions
Default Privilege Level: 15
The destination IP address configured for an IP route cannot be the same as either the configured system internal network IP address or the operational system internal network IP address.
Syntax
configure [no] management default-gateway <IP_address>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_address>
Description: Default gateway IP address that you want to configure for X-Series Platform management traffic.
Restrictions
Default Privilege Level: 15
Syntax
configure [no] management arp <IP_address> <MAC_address>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_address>
Description: IP address of the static ARP entry.
Parameter: <MAC_address>
Description: MAC address of the static ARP entry. NOTE: The MAC address cannot contain only 0s or only fs.
Restrictions
Default Privilege Level: 15
The MAC address included in the ARP entry cannot contain only 0s (0:0:0:0:0:0) or only fs (ff:ff:ff:ff:ff:ff).
Syntax
configure access-list <ID_number> {deny | permit} ip {source-any | source-ip <IP_address> <wildcard_mask>} {destination-any | destination-ip <IP_address> <wildcard_mask>} [log]
configure no access-list <ID_number>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <ID_number>
Description: Assigns an ID number to the ACL.
Parameter: {deny | permit}
Description: Sets the ACL's action to deny (drop packet) or permit (allow packet to pass through the primary management interface on the CPM). The X-Series Platform applies the specified action to IP packets that meet the matching criteria configured for the ACL. Default action for all IP packets is deny. (Drop all IP packets.)
Parameter: log
Description: Enables packet information logging for the ACL. By default, logging is disabled. If logging is enabled, the X-Series Platform logs an informational message about each packet that meets the matching criteria configured for the ACL.
Inline Commands
The following table lists the CLI commands used inline with the configure access-list <ID_number> {deny | permit} ip command.
Command: source-any
Description: Sets the source IP address matching criteria for the ACL to any source IP address. The X-Series Platform applies the ACL's action without considering a packet's source IP address.
Command: source-ip <IP_address> <wildcard_mask>
Description: Configures the source IP address matching criteria for the ACL. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's source IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's source IP address, use a wildcard mask of 255.255.255.255.
Command: destination-any
Description: Sets the destination IP address matching criteria for the ACL to any destination IP address. The X-Series Platform applies the ACL's action without considering a packet's destination IP address.
Command: destination-ip <IP_address> <wildcard_mask>
Description: Configures the destination IP address matching criteria for the ACL. Applies the ACL's action (deny or permit) to a packet only if its destination IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's destination IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's destination IP address, use a wildcard mask of 255.255.255.255.
Restrictions
Default Privilege Level: 15
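The wildcard-mask matching rule described for source-ip and destination-ip, as an added Python example (not part of this guide and not the platform's implementation). It models a single ip ACL with the documented default deny and shows what happens when a subnet mask is typed where a reverse mask is expected; the rule dictionaries, packet addresses and function names are assumptions made for the illustration.

```python
import ipaddress

DENY, PERMIT = "deny", "permit"


def _to_int(dotted):
    """Parse a four-part dotted-decimal string into a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_ip, rule_ip, wildcard_mask):
    """True when every non-wildcard bit (a 0 in the mask) is equal in both addresses."""
    care_bits = ~_to_int(wildcard_mask) & 0xFFFFFFFF
    return (_to_int(packet_ip) & care_bits) == (_to_int(rule_ip) & care_bits)


def subnet_to_wildcard(subnet_mask):
    """Convert a subnet mask (the ip-addr form) into the reverse mask an ACL expects."""
    inverted = ~_to_int(subnet_mask) & 0xFFFFFFFF
    # A subnet mask is a run of 1s followed by 0s, so its inverse must be 2**n - 1.
    if inverted & (inverted + 1):
        raise ValueError(f"{subnet_mask} is not a contiguous subnet mask")
    return str(ipaddress.IPv4Address(inverted))


def evaluate(rule, packet):
    """Apply one ip ACL: the rule's action on a match, otherwise the default deny."""
    for field in ("source", "destination"):
        criteria = rule.get(field)  # None models source-any / destination-any
        if criteria and not wildcard_match(packet[field], *criteria):
            return DENY
    return rule["action"]


# Constructed rules. INTENDED permits the 10.15.3.0/24 management subnet;
# MISTAKEN has the subnet mask typed where the reverse mask belongs.
INTENDED = {"action": PERMIT, "source": ("10.15.3.0", subnet_to_wildcard("255.255.255.0"))}
MISTAKEN = {"action": PERMIT, "source": ("10.15.3.0", "255.255.255.0")}

# Constructed packets addressed to a management interface.
PACKETS = [
    {"source": "10.15.3.7", "destination": "192.168.15.109"},     # admin host in the subnet
    {"source": "10.15.4.7", "destination": "192.168.15.109"},     # neighbouring subnet
    {"source": "198.51.100.0", "destination": "192.168.15.109"},  # unrelated network, last octet 0
]


def compare():
    """Map each packet's source to its (intended, mistaken) verdicts."""
    return {p["source"]: (evaluate(INTENDED, p), evaluate(MISTAKEN, p)) for p in PACKETS}


if __name__ == "__main__":
    for source, (good, bad) in compare().items():
        print(f"{source:<14} intended={good:<6} mistaken={bad}")
```

With the mistaken mask only the last octet is compared, so the admin host is dropped while an unrelated address ending in .0 is permitted.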
Syntax
configure access-list <ID_number> {deny | permit} tcp {source-any | source-ip <IP_address> <wildcard_mask>} {source-port-any | source-port-name <port_name> | source-port {<port_number> | <lowest_port_number> <highest_port_number>}} {destination-any | destination-ip <IP_address> <wildcard_mask>} {destination-port-any | destination-port-name <port_name> | destination-port {<port_number> | <lowest_port_number> <highest_port_number>}} [log]
configure no access-list <ID_number>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <ID_number>
Description: Assigns an ID number to the ACL.
Parameter: {deny | permit}
Description: Sets the ACL's action to deny (drop packet) or permit (allow packet to pass through the primary management interface on the CPM). The X-Series Platform applies the specified action to TCP packets that meet the matching criteria configured for the ACL. Default action for all TCP packets is deny. (Drop all TCP packets.)
Parameter: log
Description: Enables packet information logging for the ACL. By default, logging is disabled. If logging is enabled, the X-Series Platform logs an informational message about each packet that meets the matching criteria configured for the ACL.
Inline Commands
The following table lists the CLI commands used inline with the configure access-list <ID_number> {deny | permit} tcp command.
Command: source-any
Description: Sets the source IP address matching criteria for the ACL to any source IP address. The X-Series Platform applies the ACL's action without considering a packet's source IP address.
Command: source-ip <IP_address> <wildcard_mask>
Description: Configures the source IP address matching criteria for the ACL. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's source IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's source IP address, use a wildcard mask of 255.255.255.255.
Command: source-port-any
Description: Sets the source port matching criteria for the ACL to any source port. The X-Series Platform applies the ACL's action without considering a packet's source port.
Command: source-port-name <port_name>
Description: Configures the source port matching criteria for the ACL to include only the specified port name. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source port name matches the specified port name. Valid source port names are:
  ftp-data: File Transfer Protocol Data (port 20)
  ftp: File Transfer Protocol (port 21)
  ssh: Secure Shell (port 22)
  telnet: Telecommunications Network Protocol (port 23)
  smtp: Simple Mail Transfer Protocol (port 25)
  time: Time (port 37)
  domain: Domain Name Server (port 53)
  bootps: Bootstrap Protocol Server Protocol (port 67)
  bootpc: Bootstrap Protocol Client Protocol (port 68)
  tftp: Trivial File Transfer Protocol (port 69)
  http: Hyper Text Transfer Protocol or www or www-http (port 80)
  rtelnet: Remote Telecommunications Network Protocol (port 107)
  pop3: Post Office Protocol Version 3 (port 110)
  nntp: Network News Transfer Protocol (port 119)
  ntp: Network Time Protocol (port 123)
  imap: Internet Message Access Protocol (port 143)
  snmp: Simple Network Management Protocol (port 161)
  ldap: Lightweight Directory Access Protocol (port 389)
  https: Secure Hyper Text Transfer Protocol (port 443)
  isakmp: Internet Security Association and Key Management Protocol (port 500)
Command: source-port {<port_number> | <lowest_port_number> <highest_port_number>}
Description: Configures the source port matching criteria for the ACL to include only the specified port number or range of port numbers. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source port number matches the specified port number or is included in the specified range of port numbers.
Command: destination-any
Description: Sets the destination IP address matching criteria for the ACL to any destination IP address. The X-Series Platform applies the ACL's action without considering a packet's destination IP address.
Command: destination-ip <IP_address> <wildcard_mask>
Description: Configures the destination IP address matching criteria for the ACL. Applies the ACL's action (deny or permit) to a packet only if its destination IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's destination IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's destination IP address, use a wildcard mask of 255.255.255.255.
Command: destination-port-any
Description: Sets the destination port matching criteria for the ACL to any destination port. The X-Series Platform applies the ACL's action without considering a packet's destination port.
Command: destination-port-name <port_name>
Description: Configures the destination port matching criteria for the ACL to include only the specified port name. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its destination port name matches the specified port name. Valid destination port names are:
  ftp-data: File Transfer Protocol Data (port 20)
  ftp: File Transfer Protocol (port 21)
  ssh: Secure Shell (port 22)
  telnet: Telecommunications Network Protocol (port 23)
  smtp: Simple Mail Transfer Protocol (port 25)
  time: Time (port 37)
  domain: Domain Name Server (port 53)
  bootps: Bootstrap Protocol Server Protocol (port 67)
  bootpc: Bootstrap Protocol Client Protocol (port 68)
  tftp: Trivial File Transfer Protocol (port 69)
  http: Hyper Text Transfer Protocol or www or www-http (port 80)
  rtelnet: Remote Telecommunications Network Protocol (port 107)
  pop3: Post Office Protocol Version 3 (port 110)
  nntp: Network News Transfer Protocol (port 119)
  ntp: Network Time Protocol (port 123)
  imap: Internet Message Access Protocol (port 143)
  snmp: Simple Network Management Protocol (port 161)
  ldap: Lightweight Directory Access Protocol (port 389)
  https: Secure Hyper Text Transfer Protocol (port 443)
  isakmp: Internet Security Association and Key Management Protocol (port 500)
Command: destination-port {<port_number> | <lowest_port_number> <highest_port_number>}
Description: Configures the destination port matching criteria for the ACL to include only the specified port number or range of port numbers. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its destination port number matches the specified port number or is included in the specified range of port numbers.
Restrictions
Default Privilege Level: 15
Syntax
configure access-list <ID_number> {deny | permit} udp {source-any | source-ip <IP_address> <wildcard_mask>} {source-port-any | source-port-name <port_name> | source-port {<port_number> | <lowest_port_number> <highest_port_number>}} {destination-any | destination-ip <IP_address> <wildcard_mask>} {destination-port-any | destination-port-name <port_name> | destination-port {<port_number> | <lowest_port_number> <highest_port_number>}} [log]
configure no access-list <ID_number>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <ID_number>
Description: Assigns an ID number to the ACL.
Parameter: {deny | permit}
Description: Sets the ACL's action to deny (drop packet) or permit (allow packet to pass through the primary management interface on the CPM). The X-Series Platform applies the specified action to UDP packets that meet the matching criteria configured for the ACL. Default action for all UDP packets is deny. (Drop all UDP packets.)
Parameter: log
Description: Enables packet information logging for the ACL. By default, logging is disabled. If logging is enabled, the X-Series Platform logs an informational message about each packet that meets the matching criteria configured for the ACL.
Inline Commands
The following table lists the CLI commands used inline with the configure access-list <ID_number> {deny | permit} udp command.
Command: source-any
Description: Sets the source IP address matching criteria for the ACL to any source IP address. The X-Series Platform applies the ACL's action without considering a packet's source IP address.
Command: source-ip <IP_address> <wildcard_mask>
Description: Configures the source IP address matching criteria for the ACL. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's source IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's source IP address, use a wildcard mask of 255.255.255.255.
Command: source-port-any
Description: Sets the source port matching criteria for the ACL to any source port. The X-Series Platform applies the ACL's action without considering a packet's source port.
Command: source-port-name <port_name>
Description: Configures the source port matching criteria for the ACL to include only the specified port name. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source port name matches the specified port name. Valid source port names are:
  ftp-data: File Transfer Protocol Data (port 20)
  ftp: File Transfer Protocol (port 21)
  ssh: Secure Shell (port 22)
  telnet: Telecommunications Network Protocol (port 23)
  smtp: Simple Mail Transfer Protocol (port 25)
  time: Time (port 37)
  domain: Domain Name Server (port 53)
  bootps: Bootstrap Protocol Server Protocol (port 67)
  bootpc: Bootstrap Protocol Client Protocol (port 68)
  tftp: Trivial File Transfer Protocol (port 69)
  http: Hyper Text Transfer Protocol or www or www-http (port 80)
  rtelnet: Remote Telecommunications Network Protocol (port 107)
  pop3: Post Office Protocol Version 3 (port 110)
  nntp: Network News Transfer Protocol (port 119)
  ntp: Network Time Protocol (port 123)
  imap: Internet Message Access Protocol (port 143)
  snmp: Simple Network Management Protocol (port 161)
  ldap: Lightweight Directory Access Protocol (port 389)
  https: Secure Hyper Text Transfer Protocol (port 443)
  isakmp: Internet Security Association and Key Management Protocol (port 500)
Command: source-port {<port_number> | <lowest_port_number> <highest_port_number>}
Description: Configures the source port matching criteria for the ACL to include only the specified port number or range of port numbers. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source port number matches the specified port number or is included in the specified range of port numbers.
Command: destination-any
Description: Sets the destination IP address matching criteria for the ACL to any destination IP address. The X-Series Platform applies the ACL's action without considering a packet's destination IP address.
Command: destination-ip <IP_address> <wildcard_mask>
Description: Configures the destination IP address matching criteria for the ACL. Applies the ACL's action (deny or permit) to a packet only if its destination IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's destination IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's destination IP address, use a wildcard mask of 255.255.255.255.
Command: destination-port-any
Description: Sets the destination port matching criteria for the ACL to any destination port. The X-Series Platform applies the ACL's action without considering a packet's destination port.
Command: destination-port-name <port_name>
Description: Configures the destination port matching criteria for the ACL to include only the specified port name. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its destination port name matches the specified port name. Valid destination port names are:
  ftp-data: File Transfer Protocol Data (port 20)
  ftp: File Transfer Protocol (port 21)
  ssh: Secure Shell (port 22)
  telnet: Telecommunications Network Protocol (port 23)
  smtp: Simple Mail Transfer Protocol (port 25)
  time: Time (port 37)
  domain: Domain Name Server (port 53)
  bootps: Bootstrap Protocol Server Protocol (port 67)
  bootpc: Bootstrap Protocol Client Protocol (port 68)
  tftp: Trivial File Transfer Protocol (port 69)
  http: Hyper Text Transfer Protocol or www or www-http (port 80)
  rtelnet: Remote Telecommunications Network Protocol (port 107)
  pop3: Post Office Protocol Version 3 (port 110)
  nntp: Network News Transfer Protocol (port 119)
  ntp: Network Time Protocol (port 123)
  imap: Internet Message Access Protocol (port 143)
  snmp: Simple Network Management Protocol (port 161)
  ldap: Lightweight Directory Access Protocol (port 389)
  https: Secure Hyper Text Transfer Protocol (port 443)
  isakmp: Internet Security Association and Key Management Protocol (port 500)
Command: destination-port {<port_number> | <lowest_port_number> <highest_port_number>}
Description: Configures the destination port matching criteria for the ACL to include only the specified port number or range of port numbers. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its destination port number matches the specified port number or is included in the specified range of port numbers.
Restrictions
Default Privilege Level: 15
Syntax
configure access-list <ID_number> {deny | permit} icmp {source-any | source-ip <IP_address> <wildcard_mask>} {destination-any | destination-ip <IP_address> <wildcard_mask>} {icmp-message <message_name> | icmp-type <type_number>} [log]
configure no access-list <ID_number>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <ID_number>
Description: Assigns an ID number to the ACL.
Parameter: {deny | permit}
Description: Sets the ACL's action to deny (drop packet) or permit (allow packet to pass through the primary management interface on the CPM). The X-Series Platform applies the specified action to ICMP packets that meet the matching criteria configured for the ACL. Default action for all ICMP packets is deny. (Drop all ICMP packets.)
Parameter: log
Description: Enables packet information logging for the ACL. By default, logging is disabled. If logging is enabled, the X-Series Platform logs an informational message about each packet that meets the matching criteria configured for the ACL.
Inline Commands
The following table lists the CLI commands used inline with the configure access-list <ID_number> {deny | permit} icmp command.
Command: source-any
Description: Sets the source IP address matching criteria for the ACL to any source IP address. The X-Series Platform applies the ACL's action without considering a packet's source IP address.
Command: source-ip <IP_address> <wildcard_mask>
Description: Configures the source IP address matching criteria for the ACL. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's source IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's source IP address, use a wildcard mask of 255.255.255.255.
Command: destination-any
Description: Sets the destination IP address matching criteria for the ACL to any destination IP address. The X-Series Platform applies the ACL's action without considering a packet's destination IP address.
Command: destination-ip <IP_address> <wildcard_mask>
Description: Configures the destination IP address matching criteria for the ACL. Applies the ACL's action (deny or permit) to a packet only if its destination IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's destination IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's destination IP address, use a wildcard mask of 255.255.255.255.
Command: icmp-message <message_name>
Description: Configures the ICMP message matching criteria for the ACL to include only the specified message name. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its message name matches the specified message name. Enter the text string, for example, network-redirect. As an alternative, see the next row in this table for information on how to enter the icmp-type followed by the type number. A list of names, types, and codes is located here: http://www.iana.org/assignments/icmp-parameters
Valid message names are:
  echo-reply: echo-reply messages (type 0)
  destination-unreachable: unreachable messages (type 3)
  network-unreachable: net-unreachable messages (type 3)
  host-unreachable: host-unreachable messages (type 3)
  protocol-unreachable: protocol-unreachable messages (type 3)
  port-unreachable: port-unreachable messages (type 3)
  fragmentation-needed: packet-too-big messages (type 3)
  source-route-failed: source-route-failed messages (type 3)
  network-unknown: network-unknown messages (type 3)
  host-unknown: host-unknown messages (type 3)
  network-prohibited: dod-net-prohibited messages (type 3)
  host-prohibited: dod-host-prohibited messages (type 3)
  tos-network-unreachable: net-tos-unreachable messages (type 3)
  tos-host-unreachable: host-tos-unreachable messages (type 3)
  communication-prohibited: administratively-prohibited messages (type 3)
  host-precedence-violation: host-precedence-unreachable messages (type 3)
  precedence-cutoff: precedence-unreachable messages (type 3)
  source-quench: source-quench messages (type 4)
  redirect: redirect messages (type 5)
  network-redirect: net-redirect messages (type 5)
  host-redirect: host-redirect messages (type 5)
  tos-network-redirect: net-tos-redirect messages (type 5)
  tos-host-redirect: host-tos-redirect messages (type 5)
  echo-request: echo messages (type 8)
  router-advertisement: router-advertisement messages (type 9)
  router-solicitation: router-solicitation messages (type 10)
  time-exceeded: time-exceeded messages (type 11)
  ttl-zero-during-transit: ttl-exceeded messages (type 11)
  ttl-zero-during-reassembly: reassembly-timeout messages (type 11)
  parameter-problem: parameter-problem messages (type 12)
  ip-header-bad: general-parameter-problem messages (type 12)
  required-option-missing: option-missing messages (type 12)
  timestamp-request: timestamp-request messages (type 13)
  timestamp-reply: timestamp-replace messages (type 14)
  address-mask-request: mask-request messages (type 17)
  address-mask-reply: mask-reply messages (type 18)
icmp-type <type_number>
Configures the ICMP message matching criteria for the ACL to include only packets with the specified message type. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its message type number matches the specified message type number. Valid message type numbers are from 0 to 255.
Restrictions
Default Privilege Level: 15
Syntax
configure access-list <ID_number> {deny | permit} protocol-number <p_number> {source-any | source-ip <IP_address> <wildcard_mask>} {destination-any | destination-ip <IP_address> <wildcard_mask>} [log]
configure no access-list <ID_number>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
<ID_number>
Assigns an ID number to the ACL.
{deny | permit}
Sets the ACL's action to deny (drop packet) or permit (allow packet to pass through the primary management interface on the CPM). The X-Series Platform applies the specified action to IP packets that meet the matching criteria configured for the ACL. Default action for all IP packets is deny. (Drop all IP packets.)
<p_number>
Standard protocol number assigned to the protocol for which the ACL restricts traffic over the primary management interface on the CPM. For example, if you specify 6 as the <p_number>, the X-Series Platform applies the ACL's action (deny or permit) to all TCP packets that meet the ACL's matching criteria. Valid values for <p_number> are from 0 to 255.
log
Enables packet information logging for the ACL. By default, logging is disabled. If logging is enabled, the X-Series Platform logs an informational message about each packet that meets the matching criteria configured for the ACL.
Inline Commands
The following table lists the CLI commands used inline with the configure access-list <ID_number> {deny | permit} protocol-number command.
source-any
Sets the source IP address matching criteria for the ACL to any source IP address. The X-Series Platform applies the ACL's action without considering a packet's source IP address.
source-ip <IP_address> <wildcard_mask>
Configures the source IP address matching criteria for the ACL. The X-Series Platform applies the ACL's action (deny or permit) to a packet only if its source IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's source IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's source IP address, use a wildcard mask of 255.255.255.255.
destination-any
Sets the destination IP address matching criteria for the ACL to any destination IP address. The X-Series Platform applies the ACL's action without considering a packet's destination IP address.
destination-ip <IP_address> <wildcard_mask>
Configures the destination IP address matching criteria for the ACL. Applies the ACL's action (deny or permit) to a packet only if its destination IP address matches the specified IP address when the specified wildcard mask is applied. You must specify the wildcard mask as a reverse mask in four-part dotted-decimal format (for example, 0.0.0.255). However, the X-Series Platform applies the wildcard mask in four-part dotted-binary format (for example, 00000000.00000000.00000000.11111111), where 1s indicate wildcard bits. A packet's destination IP address matches the specified IP address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination IP address, use a wildcard mask of 0.0.0.0. To apply the ACL's action without considering a packet's destination IP address, use a wildcard mask of 255.255.255.255.
Restrictions
Default Privilege Level: 15
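The wildcard (reverse) mask matching described for source-ip and destination-ip can be checked offline before an entry is applied. The following Python sketch is an added example, not code from the XOS guide; the function names and sample addresses are constructed, and review_entry is a heuristic that flags a subnet mask typed where a reverse mask was intended.

```python
import ipaddress


def to_int(dotted):
    """Convert a dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def dotted_binary(mask):
    """Render a dotted-decimal mask in four-part dotted-binary form."""
    return ".".join(f"{int(octet):08b}" for octet in mask.split("."))


def wildcard_match(packet_ip, acl_ip, wildcard_mask):
    """True when every non-wildcard bit (mask bit 0) is equal in both addresses."""
    care_bits = ~to_int(wildcard_mask) & 0xFFFFFFFF
    return (to_int(packet_ip) & care_bits) == (to_int(acl_ip) & care_bits)


def addresses_matched(wildcard_mask):
    """Number of addresses an entry matches: 2 ** (count of wildcard bits)."""
    return 2 ** bin(to_int(wildcard_mask)).count("1")


def review_entry(acl_ip, wildcard_mask):
    """Heuristic review of one address/mask pair; returns a list of warnings."""
    warnings = []
    ip, wc = to_int(acl_ip), to_int(wildcard_mask)
    care_bits = ~wc & 0xFFFFFFFF
    if wc == 0xFFFFFFFF:
        warnings.append("mask 255.255.255.255 ignores the address entirely")
    elif wc & (wc + 1) != 0:
        # The wildcard bits are not a single contiguous low-order run.
        if care_bits & (care_bits + 1) == 0:
            warnings.append("mask looks like a subnet mask, not a reverse mask")
        else:
            warnings.append("wildcard bits are non-contiguous")
    if ip & wc:
        warnings.append("address has bits set in wildcard positions; they are ignored")
    return warnings


if __name__ == "__main__":
    # Constructed sample entries: (ACL address, wildcard mask).
    for acl_ip, mask in [("10.1.2.0", "0.0.0.255"), ("10.1.2.0", "255.255.255.0")]:
        print(acl_ip, mask, dotted_binary(mask), addresses_matched(mask))
        for warning in review_entry(acl_ip, mask):
            print("  warning:", warning)
```

With 255.255.255.0 entered by mistake, only the last octet is compared, so the entry matches any address ending in .0 and none of the intended 10.1.2.x hosts.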
Commands for Configuring User Accounts and Managing User Access to the X-Series Platform
This section describes the commands that you can use to:
Create, configure, and manage X-Series Platform user accounts and passwords.
Set CLI command privilege levels.
Manage user access to the X-Series Platform.
Manage user access to specific services on the X-Series Platform.
This section contains the following command descriptions:
configure username
configure password
configure reset-password
configure privilege level
enable level
configure enable password
disconnect ssh
broadcast
lock-config
logout
configure username
Creates and configures a new user account or configures the specified existing user account. Use the no parameter to delete the specified user account. By default, the admin user account is the only user account configured on the X-Series Platform.
NOTE: When you use this command to create a new CLI/GUI user account, the X-Series Platform also creates a Unix user account and adds it to the default user group.
By creating and configuring multiple user accounts, you can provide multiple users with secure access to the X-Series Platform, and you can control each user's ability to view and change XOS configuration settings.
Use the privilege parameter to set the specified user's CLI privilege level. To execute a CLI command, a user's CLI privilege level must be greater than or equal to the command's privilege level. See configure privilege level on page 115 for more information on configuring command privilege levels. See Understanding Command Privilege Levels on page 29 for a more detailed discussion of CLI privilege levels. Valid values for both command privilege level and user privilege level are from 0-15. The default privilege level for the admin user account is 15. However, when you configure a new account using the configure username command, the default privilege level is 0. If you use the configure username command to configure an existing user account and you do not specify the privilege parameter, the user's existing CLI privilege level remains unchanged.
Use the gui-level parameter to set the GUI privilege level for the specified user account. The default privilege level for a new user account is guest, which provides the user with read-only access to the X-Series Platform's management GUI. However, if you do not specify the gui-level parameter when configuring an existing user account, the X-Series Platform retains the user's current GUI command privilege level.
By default, when you create a new user account, the CLI prompts you twice to enter the user's initial password. The X-Series Platform then encrypts the password and stores the encrypted password in the running configuration file. Optionally, you can use the crypted-password parameter to enter a user-encrypted password.
NOTE: The user's initial password must be at least six characters in length, but does not have to meet any other standards for secure passwords. If you enter a valid password that does not meet IT industry standards for secure passwords, the CLI implements the new password assignment, but issues a warning message.
A user can change his/her password at any time by issuing the configure password command. A user must change his/her personal password immediately upon logging into his/her account if one of the following conditions is true:
This is the first time a new user has logged into his/her account.
The user's personal password has expired.
NOTE: You can use the maxdays parameter to set the maximum number of days that a user account password remains valid before it expires and must be changed upon the user's next login. The default maxdays parameter value is 30 days.
If the user forgets his/her password, an X-Series Platform system administrator can use the configure reset-password command to reset the user's password.
Syntax
configure [no] username <user_name> [privilege <privilege_level>] [gui-level {unauthorized | guest | network-operator | service-operator | administrator}] [crypted-password <encrypted_password>] [autocommand <command>] [maxdays <number_of_days>]
Parameters
The following table lists the parameters used with this command.
<user_name>
User name assigned to the new user account that you are creating or the existing user account that you are configuring. If you specify a user name for which a user account does not exist, the configure username command creates and configures a new user account with the specified user name. If you specify a user name for which a user account does exist, the configure username command configures that user account.
privilege <privilege_level>
Sets the CLI privilege level for the user account that you are creating or configuring. To execute a CLI command, a user's CLI privilege level must be greater than or equal to the command's privilege level. Valid values are from 0-15. The default CLI privilege level for a new user account is 0. If you do not specify the privilege parameter when configuring an existing user account, the user's CLI privilege level remains unchanged.
gui-level {unauthorized | guest | network-operator | service-operator | administrator}
Sets the GUI privilege level for the user account that you are creating or configuring. Valid GUI privilege levels are as follows:
unauthorized: User cannot access the GUI at all.
guest: User has read-only access to the GUI. User can view current X-Series Platform configuration settings, but cannot change any settings using the GUI.
network-operator: User can view current X-Series Platform configuration settings and can change network connectivity configuration settings such as NPM interface configuration settings.
service-operator: User can view current X-Series Platform configuration settings and can change service provisioning configuration settings such as VAP group configuration settings.
administrator: User can view and change all current X-Series Platform configuration settings.
The default setting for new user accounts is guest. However, when configuring an existing user account, if you do not specify the gui-level parameter, the X-Series Platform retains the user's current GUI privilege level.
crypted-password <encrypted_password>
The crypted-password command is generally used only when configuring a chassis. By running the command show running-config echo-password, the current usernames are shown along with the encrypted password strings. The actual passwords are not displayed. A system administrator can use this information to create a new username with the same password as an existing username. The administrator copies the encrypted password string for an existing username and pastes it into the configure username command after the crypted-password parameter. This enables the system administrator to create the new username without needing to know the actual password associated with either username. Using the same method, a system administrator could create usernames on another chassis, copying the encrypted password strings without knowing the actual passwords.
Caution: If you enter an unencrypted string after the crypted-password parameter, you cannot enter that string later as the password.
NOTE: The crypted-password command is also used with the configure enable password command.
autocommand <command>
Configures the login script for the specified user account to execute the specified CLI command each time the user logs into the account.
maxdays <number_of_days>
Sets the maximum number of days that a user account password can remain valid before it expires. When a password expires, the user must change the password upon his/her next login. The default maxdays parameter value is 30 days. The valid range is 0 - 65355.
Restrictions
Default Privilege Level: 15
XOS Command Reference Guide 113
configure password
Initiates a password change for the current user. When you issue this command, the CLI first prompts you to enter your old password and then prompts you to enter your new password. The CLI then implements the password change and issues a confirmation message.
NOTE: A user's password must be at least six characters in length and must meet IT industry standards for secure passwords. If you enter a new password that does not meet these requirements, the CLI issues a warning message and prompts you to enter a different new password.
Syntax
configure password
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
In the following example, a user called test issues the configure password command and enters his current and new passwords when prompted. Note that in this example, the user is prompted to enter the new password twice:
When prompted the first time, the user enters a new password that is not secure. The CLI then issues an error message and prompts the user to enter another new password.
When prompted the second time, the user enters a secure password. The CLI then implements the new password and issues the confirmation message, Password changed.
NOTE: The CLI does not display passwords as you type them.
CBS# configure password
Changing password for user test.
Changing password for test
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
CBS#
configure reset-password
Initiates a new password assignment for the specified user. When you issue this command, the CLI prompts you to enter the new password for the specified user account and then re-enter the new password to confirm it. The CLI then implements the new password assignment and returns you to the main CLI context. NOTE: The new password must be at least six characters in length, but does not have to meet any other standards for secure passwords. If you enter a valid password that does not meet IT industry standards for secure passwords, the CLI implements the new password assignment, but issues a warning message.
Syntax
configure reset-password <user_name>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
<user_name>
User name for the account whose password you want to create or change.
Restrictions
Default Privilege Level: 15
Examples
In the following example, the administrator assigns a new password to a user called test, but the CLI warns that the password is not secure.
NOTE: For security, the CLI does not display passwords as you type them.
CBS# configure reset-password test
Password:
Retype password:
%WARNING: Password updated successful with warning
Detail: Warning in replacing password: Warning BAD PASSWORD: it is too simplistic/systematic
CBS#
In the following example, the administrator assigns another, more secure password to the user called test.
NOTE: For security, the CLI does not display passwords as you type them.
CBS# configure reset-password test
Password:
Retype password:
CBS#
By default, each command has a privilege level of either 0 or 15. Use the no parameter to restore the default privilege level of the specified command with the lowest CLI context level. See Appendix C, Configurable Command Privilege Levels on page 931, for a list of commands that have configurable command privilege levels, along with the default privilege level for each command.
Syntax
configure [no] privilege level <level> <root_level_command> [<first_level_subcommand>] [<second_level_subcommand>] ... [<nth_level_subcommand>]
NOTE: To determine whether a user is allowed access to a command, XOS compares the privilege level of the command and the privilege level of the parent command to the privilege level of the user. If the privilege level of either the parent command or the sub-command is higher than the privilege level of the user, access is denied. For example, you have configured these privilege levels:
User: 10
Sub-command: 0
Parent command: 15
Although the intent was to allow the user to access the sub-command, the privilege level of the parent command prevents this.
NOTE: Arguments containing whitespace characters are valid; do not enclose these arguments in quotation marks (" ").
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
<level>
Privilege level that you want to assign to the specified command. Valid values are from 0-15. By default, each command has a privilege level of either 0 or 15. Use the show privilege command to display a command's current privilege level.
<root_level_command> <first_level_subcommand> <second_level_subcommand> ... <nth_level_subcommand>
Specifies the sequence of commands, starting from the main CLI context, that you use to first access and then execute the command whose privilege level you want to change. For example, to change the privilege level for the vap-group command under the configuration context, you would specify the command sequence, configure vap-group. In this example, configure is the <main_context_command> and vap-group is the <second_context_level_command>.
Restrictions
Default Privilege Level: 15
Examples
The following command sets the privilege level to 10 for the vap-group command under the main configuration context:
CBS# configure privilege level 10 configure vap-group
CBS#
The following command sets the privilege level to 10 for the vap-group command under the circuit configuration context:
CBS# configure privilege level 10 configure circuit vap-group
CBS#
If you change the privilege level of a command, the new privilege level appears at the beginning of the output of the {show | copy} running-config and startup-config commands. The following example shows this output.
CBS# show running-config
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
# CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
# Kit Number: xx
#Do not remove above this line
# configure
# privilege level 10 configure vrrp
# hostname TestChassis-X45 cp1
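The parent-command rule in the NOTE above is easy to trip over when lowering a sub-command's level. The following Python sketch is an added example, not part of XOS or this guide: it parses configure privilege level lines and reports overrides that a parent's higher level cancels out. It assumes the rule applies to every ancestor command in the path, and the default levels in DEFAULT_LEVELS are constructed for the example (the real defaults are listed in Appendix C).

```python
import re

# Command form taken from the Syntax section: configure [no] privilege level <level> <command ...>
PRIV_LINE = re.compile(r"^configure\s+(no\s+)?privilege\s+level\s+(\d+)\s+(\S.*)$")

# Constructed default levels for the example; not values from the guide.
DEFAULT_LEVELS = {
    ("configure",): 0,
    ("configure", "vap-group"): 15,
    ("configure", "circuit"): 15,
    ("configure", "circuit", "vap-group"): 15,
}

# Constructed sample configuration lines.
CONFIG_LINES = [
    "configure privilege level 10 configure vap-group",
    "configure privilege level 0 configure circuit vap-group",
]


def parse_privilege_lines(lines):
    """Return {command path tuple: level} for the overrides in the given lines."""
    overrides = {}
    for raw in lines:
        match = PRIV_LINE.match(raw.strip())
        if not match:
            continue
        level = int(match.group(2))
        if not 0 <= level <= 15:
            raise ValueError(f"privilege level out of range 0-15: {raw!r}")
        path = tuple(match.group(3).split())
        if match.group(1):
            overrides.pop(path, None)  # "no" restores the default level
        else:
            overrides[path] = level
    return overrides


def effective_levels(defaults, lines):
    """Defaults with the parsed overrides applied on top."""
    return {**defaults, **parse_privilege_lines(lines)}


def required_level(command, levels):
    """Highest level among the command and its ancestors (assumed rule)."""
    path = tuple(command.split())
    known = [levels[path[:i]] for i in range(1, len(path) + 1) if path[:i] in levels]
    if not known:
        raise KeyError(f"no privilege level known for {command!r}")
    return max(known)


def can_execute(user_level, command, levels):
    """True when the user's level covers the command and all of its ancestors."""
    return user_level >= required_level(command, levels)


def shadowed_overrides(levels):
    """Commands whose own level is lower than the level of one of their ancestors."""
    findings = []
    for path, own in sorted(levels.items()):
        ancestors = [(levels[path[:i]], path[:i]) for i in range(1, len(path)) if path[:i] in levels]
        if ancestors:
            blocker_level, blocker = max(ancestors)
            if blocker_level > own:
                findings.append((" ".join(path), own, " ".join(blocker), blocker_level))
    return findings


if __name__ == "__main__":
    levels = effective_levels(DEFAULT_LEVELS, CONFIG_LINES)
    for command, own, parent, parent_level in shadowed_overrides(levels):
        print(f"{command!r} is level {own}, but parent {parent!r} requires {parent_level}")
```

Each finding names a sub-command that users below the parent's level still cannot reach, which is the User 10 / Sub-command 0 / Parent command 15 situation from the NOTE.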
enable level
Changes your CLI user privilege level for the current CLI console session only. Valid values for CLI user privilege level are from 0-15.
IMPORTANT: If you specify a CLI user privilege level higher than your current privilege level, the CLI prompts you to enter the password assigned to the desired privilege level. See configure enable password on page 119 for information on configuring a password for each CLI user privilege level.
Use the no parameter to restore your default CLI user privilege level. Use the show username command to display your default CLI user privilege level.
To execute a CLI command, your CLI user privilege level must be greater than or equal to the CLI command's privilege level. Use the show privilege command to display the privilege level for a specific CLI command. See Understanding Command Privilege Levels on page 29 for a more detailed discussion of CLI privilege levels.
Syntax
[no] enable level <level>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
<level>
CLI user privilege level that you want to assign to yourself for the remainder of the current CLI console session. Valid values are from 0-15.
Restrictions
Default Privilege Level: 0
Example
In the following example, the current user, test, has a default CLI user privilege level of 0:
CBS# show username
Username : test
Assigned CLI Privilege Level : 0
Current CLI Privilege Level : 0
GUI Access Level : Guest
Maxdays : 30
(1 row)
CBS#
The configured privilege level for the configure vap-group command is 9:
CBS> show privilege configure vap-group
Command 'configure vap-group' at privilege level 9
So, when the user tries to execute the configure vap-group command, he gets an error:
CBS> configure vap-group es3
^
% Invalid input detected at '^' marker
CBS>
Then, the user executes the enable level command to change his CLI user privilege level to 10:
CBS> enable level 10
Password:
CBS>
NOTE: For security, the CLI does not display the password that the user types.
With a CLI user privilege level of 10, the user can successfully execute the configure vap-group command:
CBS> configure vap-group es3
CBS(config-vap-grp)>
Syntax
configure [no] enable password [level <level>] [crypted-password <password>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
level <level>
Specifies the CLI user privilege level for which you want to enable or disable password protection. Valid values are from 0-15. If you do not specify this parameter, the configure enable password command enables or disables password protection for CLI user privilege level 15.
crypted-password <password>
The crypted-password command is generally used only when configuring a chassis. By running the command show running-config echo-password, the current usernames are shown along with the encrypted password strings. The actual passwords are not displayed. A system administrator could copy the encrypted password string for a user and paste it into the configure enable password command after the crypted-password parameter. The password for all commands that have the specified privilege level is set to the password of that user.
Caution: If you enter an unencrypted string after the crypted-password parameter, you cannot enter that string later as the password.
NOTE: If you do not specify the crypted-password command, the CLI prompts you (twice) to enter a password and then encrypts the password.
NOTE: The crypted-password command is also used with the configure username command.
Restrictions
Default Privilege Level: 15
Example
In this example, the students in a training class have been given user accounts that have the default CLI user privilege level of 0. The instructor wants to teach the class how to configure a VAP group, but all of the VAP group configuration CLI commands have a privilege level of 15. Therefore, before beginning the lesson, the instructor uses the following command to enable use of a password for CLI user privilege level 15. When prompted, the instructor enters BlueDuck1 as the privilege level 15 password. He then shares this password with the class.
CBS# configure enable password level 15
Password:
Retype password:
CBS#
NOTE: For security, the CLI does not display the password that the instructor types.
Next, each student in the class issues the following command to request temporary access to CLI user privilege level 15. When prompted, each student enters BlueDuck1 as the password.
CBS> enable level 15
Password:
CBS#
NOTE: For security, the CLI does not display the password that the student types.
Upon entering the correct password, each student gets CLI user privilege level 15 until the end of his/her current CLI console session. The instructor can now teach the class how to configure a VAP group, since each student now has the CLI user privilege level required to execute VAP group configuration commands.
When the lesson is over, the instructor tells the students to log out of their accounts. The instructor then uses the following command to change the password for access to CLI user privilege level 15. When prompted, the instructor enters the old password, BlueDuck1, once. He then enters the new password twice.
CBS# configure enable password level 15
Current Password:
New Password:
Retype password:
CBS#
NOTE: For security, the CLI does not display the passwords that the instructor types.
The next time the students log into their user accounts, they will each have the default CLI user privilege level of 0, and they will no longer have the correct password required to access CLI user privilege level 15.
disconnect ssh
Terminates the existing SSH network connection with the specified session identifier.
Syntax
disconnect ssh <session_identifier>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
<session_identifier>
SSH session identifier assigned to the SSH network connection that you want to terminate. Use the show ssh-session command to display a list of the active SSH network connections, along with their session identifiers.
Restrictions
Default Privilege Level: 15
broadcast
Sends the specified broadcast message to all CLI users currently logged into the X-Series Platform.
Syntax
broadcast <message>
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.
<message>
Text message that you intend to send to all users currently logged into the X-Series Platform.
Restrictions
Default Privilege Level: 0
lock-config
Locks the current XOS configuration so that only you can change it. (Only you can write to the running configuration file.) Use the no parameter to unlock the configuration.
Syntax
[no] lock-config [force]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
force
Forces the configuration lock to take effect, even if the configuration is already locked by another user. You can also use the no lock-config force command to force the configuration to become unlocked, even if the configuration has been locked by another user.
Restrictions
Default Privilege Level: 15
logout
Logs the current user out of the current CLI console session. NOTE: If you are currently at the main CLI context level, you can also use the exit command to log out.
Syntax
logout [save-config [no-confirm]]
Context
You can issue this command from any CLI context.
Inline Commands
The following table lists the CLI commands used inline with the logout command.
save-config [no-confirm]
Saves the running configuration file as the startup configuration file. This saves your configuration changes as part of the logout process. Use the no-confirm parameter to save configuration changes without being prompted to confirm the operation.
NOTE: The system uses the default answers to all confirmation questions.
Restrictions
Default Privilege Level for logout Command: 0
Default Privilege Level for logout save-config Command: 15
audit-trail
Writes the specified text message to the audit trail log file.
Syntax
audit-trail <text_message>
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.
<text_message>
Text message that you wish to write to the audit trail log file.
Restrictions
Default Privilege Level: 0
Syntax
configure enable [no] alarm {power-supply | power-feed}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
{power-supply | power-feed}
Specifies the alarm that you want to enable or disable:
power-supply: Power supply failure alarm
power-feed: Power feed failure alarm
By default, both alarms are enabled.
Restrictions
Default Privilege Level: 15
Syntax
configure facility-alarm cpu [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no cpu
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
upper-minor <percentage>
Configures the upper threshold value, expressed as a percentage, for the minor alarm for CPU utilization. If the CPU utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 80.
upper-major <percentage>
Configures the upper threshold value, expressed as a percentage, for the major alarm for CPU utilization. If the CPU utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 90.
upper-critical <percentage>
Configures the upper threshold value, expressed as a percentage, for the critical alarm for CPU utilization. If the CPU utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 99.
lower-minor <percentage>
Configures the lower threshold value, expressed as a percentage, for the minor alarm for CPU utilization. If the CPU utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.
lower-major <percentage>
Configures the lower threshold value, expressed as a percentage, for the major alarm for CPU utilization. If the CPU utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.
lower-critical <percentage>
Configures the lower threshold value, expressed as a percentage, for the critical alarm for CPU utilization. If the CPU utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.
Restrictions
Default Privilege Level: 15
If you enter the configure facility-alarm cpu-core command without specifying any parameters, the system does not change the existing alarm threshold settings.
Syntax
configure facility-alarm cpu-core [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no cpu-core
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
upper-minor <percentage>
Configures the upper threshold value, expressed as a percentage, for the minor alarm for CPU core utilization. If the CPU core utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 80.
upper-major <percentage>
Configures the upper threshold value, expressed as a percentage, for the major alarm for CPU core utilization. If the CPU core utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 90.
upper-critical <percentage>
Configures the upper threshold value, expressed as a percentage, for the critical alarm for CPU core utilization. If the CPU core utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 99.
lower-minor <percentage>
Configures the lower threshold value, expressed as a percentage, for the minor alarm for CPU core utilization. If the CPU core utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.
lower-major <percentage>
Configures the lower threshold value, expressed as a percentage, for the major alarm for CPU core utilization. If the CPU core utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.
lower-critical <percentage>
Configures the lower threshold value, expressed as a percentage, for the critical alarm for CPU core utilization. If the CPU core utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.
Restrictions
Default Privilege Level: 15
Syntax
configure facility-alarm disk-usage-boot [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-boot
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
upper-minor <percentage>
Configures the upper threshold value, expressed as a percentage, for the minor alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.
upper-major <percentage>
Configures the upper threshold value, expressed as a percentage, for the major alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.
upper-critical <percentage>
Configures the upper threshold value, expressed as a percentage, for the critical alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.
lower-minor <percentage>
Configures the lower threshold value, expressed as a percentage, for the minor alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.
lower-major <percentage>
Configures the lower threshold value, expressed as a percentage, for the major alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.
lower-critical <percentage>
Configures the lower threshold value, expressed as a percentage, for the critical alarm for the /boot partition's disk utilization. If the /boot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.
Restrictions
Default Privilege Level: 15
Syntax
configure facility-alarm disk-usage-cbconfig [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-cbconfig
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
upper-minor <percentage>
Configures the upper threshold value, expressed as a percentage, for the minor alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.
upper-major <percentage>
Configures the upper threshold value, expressed as a percentage, for the major alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.
upper-critical <percentage>
Configures the upper threshold value, expressed as a percentage, for the critical alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.
lower-minor <percentage>
Configures the lower threshold value, expressed as a percentage, for the minor alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.
lower-major <percentage>
Configures the lower threshold value, expressed as a percentage, for the major alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.
lower-critical <percentage>
Configures the lower threshold value, expressed as a percentage, for the critical alarm for the /cbconfig partition's disk utilization. If the /cbconfig partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.
Restrictions
Default Privilege Level: 15
If you enter the configure facility-alarm disk-usage-mgmt command without specifying any parameters, the system does not change the existing alarm threshold settings.
Syntax
configure facility-alarm disk-usage-mgmt [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-mgmt
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
upper-minor <percentage>
Configures the upper threshold value, expressed as a percentage, for the minor alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.
upper-major <percentage>
Configures the upper threshold value, expressed as a percentage, for the major alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.
upper-critical <percentage>
Configures the upper threshold value, expressed as a percentage, for the critical alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.
lower-minor <percentage>
Configures the lower threshold value, expressed as a percentage, for the minor alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.
lower-major <percentage>
Configures the lower threshold value, expressed as a percentage, for the major alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.
lower-critical <percentage>
Configures the lower threshold value, expressed as a percentage, for the critical alarm for the /mgmt partition's disk utilization. If the /mgmt partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.
Restrictions
Default Privilege Level: 15
Syntax
configure facility-alarm disk-usage-root [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-root
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
upper-minor <percentage>
Configures the upper threshold value, expressed as a percentage, for the minor alarm for the root partition's disk utilization. If the root partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.
upper-major <percentage>
Configures the upper threshold value, expressed as a percentage, for the major alarm for the root partition's disk utilization. If the root partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.
upper-critical <percentage>
Configures the upper threshold value, expressed as a percentage, for the critical alarm for the root partition's disk utilization. If the root partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.
lower-minor <percentage>
Configures the lower threshold value, expressed as a percentage, for the minor alarm for the root partition's disk utilization. If the root partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.
lower-major <percentage>
Configures the lower threshold value, expressed as a percentage, for the major alarm for the root partition's disk utilization. If the root partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.
lower-critical <percentage>
Configures the lower threshold value, expressed as a percentage, for the critical alarm for the root partition's disk utilization. If the root partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.
Restrictions
Default Privilege Level: 15
Syntax
configure facility-alarm disk-usage-tftpboot [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-tftpboot
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
upper-minor <percentage>
Configures the upper threshold value, expressed as a percentage, for the minor alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.
upper-major <percentage>
Configures the upper threshold value, expressed as a percentage, for the major alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.
upper-critical <percentage>
Configures the upper threshold value, expressed as a percentage, for the critical alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.
lower-minor <percentage>
Configures the lower threshold value, expressed as a percentage, for the minor alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.
lower-major <percentage>
Configures the lower threshold value, expressed as a percentage, for the major alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.
lower-critical <percentage>
Configures the lower threshold value, expressed as a percentage, for the critical alarm for the /tftpboot partition's disk utilization. If the /tftpboot partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.
Restrictions
Default Privilege Level: 15
If you enter the configure facility-alarm disk-usage-var command without specifying any parameters, the system does not change the existing alarm threshold settings.
Syntax
configure facility-alarm disk-usage-var [upper-minor <percentage>] [upper-major <percentage>] [upper-critical <percentage>] [lower-minor <percentage>] [lower-major <percentage>] [lower-critical <percentage>]
configure facility-alarm no disk-usage-var
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
upper-minor <percentage>
Configures the upper threshold value, expressed as a percentage, for the minor alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 70.
upper-major <percentage>
Configures the upper threshold value, expressed as a percentage, for the major alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 80.
upper-critical <percentage>
Configures the upper threshold value, expressed as a percentage, for the critical alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage rises above the upper threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 97.
lower-minor <percentage>
Configures the lower threshold value, expressed as a percentage, for the minor alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a minor alarm. Valid values are 0 to 100. Default is 0.
lower-major <percentage>
Configures the lower threshold value, expressed as a percentage, for the major alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a major alarm. Valid values are 0 to 100. Default is 0.
lower-critical <percentage>
Configures the lower threshold value, expressed as a percentage, for the critical alarm for the /var partition's disk utilization. If the /var partition's disk utilization percentage falls below the lower threshold value, the alarm sensor triggers a critical alarm. Valid values are 0 to 100. Default is 0.
Restrictions
Default Privilege Level: 15
Syntax
configure facility-alarm free-memory [lower-minor <threshold_multiplier>] [lower-major <threshold_multiplier>]
configure facility-alarm no free-memory
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
lower-minor <threshold_multiplier>
Specifies the lower-minor alarm's APM free page count threshold multiplier. The alarm sensor triggers a minor alarm if the amount of free memory on any APM falls below: (7500 free pages * <threshold_multiplier>) Valid values are 1 to 100. Default is 4.
lower-major <threshold_multiplier>
Specifies the lower-major alarm's APM free page count threshold multiplier. The alarm sensor triggers a major alarm if the amount of free memory on any APM falls below: (7500 free pages * <threshold_multiplier>) Valid values are 1 to 100, with a default of 2.
Restrictions
Default Privilege Level: 15
Syntax
configure snmp-server community <community_string> {<IP_address> | {<IP_address> <subnet_mask> | <IP_address>/<0-32>}}
configure no snmp-server community <community_string>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
community <community_string>
Community string, expressed as a text string, assigned to the SNMP community that you are defining. The SNMP management stations use the specified community string as a password to read the SNMP agent on the X-Series Platform. NOTE: The community string cannot contain whitespace characters.
<IP_address>
Configures the SNMP community to include the SNMP agent on the X-Series Platform (the SNMP server) and the single SNMP management station (SNMP client) with the specified IP address.
<IP_address> <subnet_mask> | <IP_address>/<0-32>
Configures the SNMP community to include the SNMP agent on the X-Series Platform (the SNMP server) and all other SNMP management stations (SNMP clients) on the specified subnet. Example: 10.15.3.0/16
Restrictions
Default Privilege Level: 15
A community string cannot contain whitespace characters.
Syntax
configure snmp-server host <IP_address> [traps | informs] [version {1 | 2c}] <community_string> [udp-port <port_number>]
configure snmp-server no host <IP_address> <community_string> [traps | informs]
configure no snmp-server host <IP_address> <community_string> [informs]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
host <IP_address>
Specifies the IP address of the host that you want to configure as an SNMP notification receiver.
[traps | informs]
Configures the host to receive either SNMP traps or SNMP informs. By default, the host receives SNMP traps.
version {1 | 2c}
Specifies the SNMP version that the host uses for security and message processing. Default is version 1.
<community_string>
Community string, expressed as a text string, assigned to the SNMP community for which the host is to become an SNMP notification receiver. Use the show snmp command to display the community strings for the SNMP communities defined on the X-Series Platform. See configure snmp-server community on page 137 for more information on configuring a community string for an SNMP community.
udp-port <port_number>
Configures the host to receive SNMP notification messages through the specified UDP port. Default UDP port is 162.
Restrictions
Default Privilege Level: 15
NOTE: The X-Series Platform stores only the most recently configured contact information. If you execute the configure snmp-server contact command multiple times, each command replaces the existing contact information with the new contact information that you provide. To view existing SNMP server system administrator contact information for your X-Series Platform, use the show snmp command.
Syntax
configure snmp-server contact <contact_info_string>
configure snmp-server no contact
NOTE: If the contact information string contains whitespace characters, it must be enclosed in quotation marks (" ").
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
contact <contact_info_string>
Text string, such as a name or e-mail address, that serves as contact information for the SNMP server administrator on the X-Series Platform.
Restrictions
Default Privilege Level: 15
Syntax
configure snmp-server location <location_info_string>
configure snmp-server no location
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
location <location_info_string>
Text string that specifies the physical location of the X-Series Platform. The text string can have a maximum of 255 alphanumeric characters and cannot include whitespace characters.
Restrictions
Default Privilege Level: 15
Caution: If you wish to change the SNMP V3 engine ID, you must first reconfigure the SNMP V3 engine ID, and then reconfigure the authentication passwords for all existing SNMP V3 user accounts. If you do not reconfigure the authentication passwords, then the authentication and encryption keys generated from those passwords will be based on the previous engine ID. See configure snmp-user on page 142 for information on configuring authentication passwords for SNMP V3 user accounts.
To display the SNMP V3 engine ID (if any) configured for the SNMP V3 engine running on your X-Series Platform, use the show snmp command.
Syntax
configure snmp-server engine-id <identifier_string>
configure snmp-server no engine-id
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
<identifier_string>
SNMP V3 engine ID assigned to the SNMP agent that is running on the X-Series Platform.
Restrictions
Default Privilege Level: 15
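The caution above follows from how SNMPv3 USM binds password-derived keys to an engine ID. The following is an added example, not code from this guide or from the X-Series Platform: it implements the standard RFC 3414 password-to-key and key-localization steps and shows that a key localized against the old engine ID no longer authenticates messages once the engine ID changes. It assumes the platform follows RFC 3414 and that the CLI keyword sha means SHA-1; the password and the second engine ID are constructed values.

```python
import hashlib
import hmac

# RFC 3414 appendix A.2: the password is repeated to exactly 1,048,576 bytes.
EXPANDED_LEN = 1_048_576

# CLI auth-type keyword -> hashlib name (assumption: "sha" means SHA-1, as in RFC 3414).
AUTH_TYPES = {"md5": "md5", "sha": "sha1"}


def password_to_key(password: bytes, auth_type: str) -> bytes:
    """Return Ku, the engine-independent key derived from the password."""
    if auth_type not in AUTH_TYPES:
        raise ValueError("auth_type must be 'md5' or 'sha'")
    if len(password) < 8:
        raise ValueError("authentication password must be at least 8 characters")
    reps, rest = divmod(EXPANDED_LEN, len(password))
    expanded = password * reps + password[:rest]
    return hashlib.new(AUTH_TYPES[auth_type], expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, auth_type: str) -> bytes:
    """Return Kul = H(Ku || engineID || Ku), the key bound to one SNMP engine."""
    return hashlib.new(AUTH_TYPES[auth_type], ku + engine_id + ku).digest()


def auth_tag(kul: bytes, message: bytes, auth_type: str) -> bytes:
    """Return the 12-byte truncated HMAC used by HMAC-MD5-96 / HMAC-SHA-96."""
    return hmac.new(kul, message, AUTH_TYPES[auth_type]).digest()[:12]


def stored_key_still_valid(password: bytes, old_engine_id: bytes,
                           new_engine_id: bytes, auth_type: str) -> bool:
    """Check whether a key localized before an engine ID change still verifies.

    The agent keeps the key derived from the old engine ID (password not
    re-entered); the management station localizes against the new engine ID.
    """
    ku = password_to_key(password, auth_type)
    agent_key = localize_key(ku, old_engine_id, auth_type)
    manager_key = localize_key(ku, new_engine_id, auth_type)
    message = b"constructed SNMPv3 message bytes"  # stand-in for the real PDU
    return hmac.compare_digest(auth_tag(agent_key, message, auth_type),
                               auth_tag(manager_key, message, auth_type))


if __name__ == "__main__":
    old_id = bytes.fromhex("000000000000000000000002")  # engine ID from RFC 3414 A.3
    new_id = bytes.fromhex("80001f8880aabbccdd")        # constructed engine ID
    for auth in ("md5", "sha"):
        same = stored_key_still_valid(b"maplesyrup", old_id, old_id, auth)
        changed = stored_key_still_valid(b"maplesyrup", old_id, new_id, auth)
        print(f"{auth}: unchanged engine ID verifies={same}, changed engine ID verifies={changed}")
```
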
configure snmp-user
Creates and configures a new SNMP V3 user account, or configures the specified existing SNMPv3 user account. Use the no parameter to delete the specified SNMP V3 user account.
Syntax
configure [no] snmp-user <user_name> [no-passwords] [auth-type {md5 | sha | none}] [priv-type {des | none}] [oid <MIB_subtree_OID>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
<user_name>
User name assigned to the SNMP V3 user account that you are creating and/or configuring.
no-passwords
Configures the specified SNMP V3 user account to be accessible without an authentication password. By default, if a user account is configured with an authorization password, the user must enter that password to gain access to the account.
auth-type {md5 | sha | none}
Specifies the type of authentication used to access the SNMP V3 user account. Use one of the following keywords to specify the authentication type:
  none: No authentication required to access this account. This is the default setting.
  md5: MD5 checksum authentication.
  sha: Secure hash algorithm (SHA) authentication.
NOTE: If you specify either md5 or sha, the CLI prompts you twice to enter the authentication password for the account. This password must be at least 8 characters in length.
priv-type {des | none}
Specifies whether you want to use the Data Encryption Standard (DES) algorithm to encrypt data sent to the SNMP V3 user account. If you want to use the DES algorithm, specify priv-type des; if not, specify priv-type none. The default setting is priv-type none.
oid <MIB_subtree_OID>
Specifies the MIB subtree that the SNMP V3 user can access. The following OID formats are allowed:
  Numeric OIDs, such as .1.3.6.1
  Fully qualified OID names, such as .iso.org.dod
  OID names for specific MIB subtrees, such as .mib-2
  OID names for subtrees that are one tree level below .mib-2, such as .system, .interfaces, .at, and .ip
NOTE: All numeric and text OIDs must start with a dot (.).
The default setting is .iso. This allows the user to access the entire MIB tree. For example, if you specify oid mib-2, the user can access only those MIB objects that are part of the mib-2 subtree. If you specify oid interfaces, the user can access only those MIB objects that are part of the interface table.
Restrictions
Default Privilege Level: 15
All numeric and text OIDs must start with a dot (.).
Syntax
configure rmon event <RMON_event_number> [log] [trap <community_string>] [description <event_description>] [owner <owner_name>]
configure no rmon event <RMON_event_number>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
<RMON_event_number>
Specifies the RMON event number assigned to the event that you want to configure and add to the RMON event table. In the eventTable, the <RMON_event_number> becomes the event's eventIndex. Valid values are 1 to 64999.
log
Configures the event to generate an RMON log entry. In the eventTable, the event's eventType becomes log or log-and-trap.
trap <community_string>
Configures the event to trigger an SNMP trap notification message for the SNMP community with the specified community string. In the eventTable, the event's eventType becomes snmptrap or log-and-trap. The <community_string> becomes the event's eventCommunity.
description <event_description>
Configures the event with the specified event description. In the eventTable, the <event_description> becomes the event's eventDescription.
owner <owner_name>
Configures the event with the specified event owner. In the eventTable, the <owner_name> becomes the event's eventOwner.
Restrictions
Default Privilege Level: 15
Example
The following command adds event number 1 to the RMON event table:
CBS# configure rmon event 1 log trap snmpcommunity1 description "High CPU Utilization" owner jroy
The new event has the following configuration settings:
The event description is High CPU Utilization.
The event owner is jroy.
Each time the event occurs, it generates an RMON log entry.
Each time the event occurs, the X-Series Platform sends an SNMP trap notification message to the SNMP community that uses the community string, snmpcommunity1.
Syntax
configure rmon alarm <RMON_alarm_number> <MIB_object> <sample_interval> {delta | absolute} rising-threshold <rising_threshold_value> [<rising_threshold_event_number>] falling-threshold <falling_threshold_value> [<falling_threshold_event_number>] [owner <alarm_owner>]
configure no threshold alarm <number>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
<RMON_alarm_number>
Specifies the RMON alarm number assigned to the alarm that you want to configure and add to the RMON alarm table. In the alarmTable, the <RMON_alarm_number> becomes the event's alarmIndex. Valid values are 1 to 64999.
<MIB_object>
Specifies the MIB object for which you want to configure an RMON alarm. In the alarmTable, the <MIB_object> becomes the alarmVariable.
<sample_interval>
Configures the sample interval, expressed in seconds, for the alarm sensor. The alarm sensor obtains a sample measurement every <sample_interval> seconds. In the alarmTable, <sample_interval> becomes the alarmInterval.
{delta | absolute}
Specifies the method that the alarm sensor uses to calculate the MIB object's current value. You must specify one of the following:
  delta: MIB object's current value is the delta between the alarm sensor's last two consecutive sample measurements.
  absolute: MIB object's current value is the absolute value of the current sample measurement.
In the alarmTable, the alarm's alarmSampleType becomes delta or absolute.
rising-threshold <rising_threshold_value>
Configures the alarm sensor's rising threshold value. If the MIB object's current value is equal to or greater than the specified rising threshold value, the alarm sensor triggers the alarm. In the alarmTable, the <threshold_value> becomes the alarm's alarmRisingThreshold. Valid values are from -2147483648 to 2147483647.
<rising_threshold_event_number>
Configures the RMON alarm to trigger the specified RMON event. In the alarmTable, the <rising_threshold_event_number> becomes the alarm's alarmRisingEventIndex. Valid values are from 1 to 64999.
falling-threshold <falling_threshold_value>
Configures the alarm sensor's falling threshold value. After the alarm sensor triggers the alarm, the alarm remains active until the MIB object's current value is less than or equal to the specified falling threshold value. At that point, the alarm sensor resets the alarm. In the alarmTable, the <threshold_value> becomes the alarm's alarmFallingThreshold. Valid values are from -2147483648 to 2147483647.
<falling_threshold_event_number>
Configures the resetting of the RMON alarm to trigger the specified RMON event. In the alarmTable, the <falling_threshold_event_number> becomes the alarm's alarmFallingEventIndex. Valid values are from 1 to 64999.
owner <alarm_owner>
Configures the alarm with the specified alarm owner. In the alarmTable, the <owner_name> becomes the event's alarmOwner.
Restrictions
Default Privilege Level: 15
Example
The following command configures RMON alarm number 10:
CBS# configure rmon alarm 10 ifEntry.2.1 30 delta rising-threshold 15 0 falling-threshold 1 owner jjohnson
The new alarm has the following configuration settings:
The alarm sensor monitors the MIB object, ifEntry.2.1.
The alarm sensor's sample interval is 30. The alarm obtains a sample measurement every 30 seconds, until the alarm is disabled.
The alarm's alarmSampleType is delta. Each time the alarm sensor obtains a sample measurement, the sensor calculates the delta between the current sample measurement and the previous sample measurement. This delta value becomes the current value of ifEntry.2.1.
The alarm's rising threshold value is 15. When the current value of ifEntry.2.1 is greater than or equal to 15 (that is, the measured value of ifEntry.2.1 increases by at least 15), the sensor triggers the alarm. When the alarm sensor triggers the alarm, the alarm triggers event number 1.
The alarm's falling threshold is 0. After the alarm sensor triggers the alarm, it continues to obtain sample measurements and calculate the current value of ifEntry.2.1 every 30 seconds. If the current value of ifEntry.2.1 falls to a value less than or equal to 1 (that is, the measured value of ifEntry.2.1 does not increase), the sensor resets the alarm.
The alarm owner is jjohnson.
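The trigger-and-reset behavior described in this example can be traced with a short simulation. This is an added example, not code from the guide or the platform: the function name and the counter readings are constructed, and it models only the behavior stated above (trigger at or above the rising threshold, stay active, reset at or below the falling threshold), using the values 15 and 1 from the walkthrough.

```python
def rmon_alarm_events(samples, sample_type, rising, falling):
    """Replay sample measurements and return [(sample_index, event), ...].

    event is "rising" when the alarm is triggered and "falling" when it is
    reset. For sample_type "delta" the current value is the difference
    between two consecutive measurements, so the first measurement only
    primes the sensor and cannot raise an event.
    """
    if sample_type not in ("delta", "absolute"):
        raise ValueError("sample_type must be 'delta' or 'absolute'")
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")

    events = []
    active = False      # True between a rising event and the next reset
    previous = None     # last raw measurement, used for delta sampling

    for index, raw in enumerate(samples):
        if sample_type == "delta":
            if previous is None:
                previous = raw
                continue
            value = raw - previous
            previous = raw
        else:
            value = raw

        if not active and value >= rising:
            active = True
            events.append((index, "rising"))
        elif active and value <= falling:
            active = False
            events.append((index, "falling"))
        # Values between the thresholds change nothing: an active alarm
        # stays active and an idle alarm stays idle (hysteresis).
    return events


# Constructed counter readings taken every 30 seconds.
COUNTER_READINGS = [100, 105, 125, 145, 150, 150, 170, 171]

if __name__ == "__main__":
    for index, event in rmon_alarm_events(COUNTER_READINGS, "delta", 15, 1):
        print(f"sample {index} (t={index * 30}s): {event}")
```

The delta of 5 at sample 4 lies between the two thresholds, so the alarm stays active and no second rising event is raised until the reset at sample 5 has occurred.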
Syntax
configure logging console level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}
configure no logging console
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}
Configures the console log level for the X-Series Platform. The console log stores all event messages that have a severity level equal to or lower than the console log level. You can specify the console log level using either its level number or its level name. Valid values for log level number (<level_number>) are 0-7. Default is 4. Valid console log level names are:
  emerg: Specifies log level 0 (LOG_EMERG). Logs messages with severity level 0, Emergency. Emergency messages indicate that the system is unstable.
  alert: Specifies log level 1 (LOG_ALERT). Logs messages with severity levels 0 and 1. Severity level 1 is Alert, which indicates that immediate action is needed.
  crit: Specifies log level 2 (LOG_CRIT). Logs messages with severity levels 0-2. Severity level 2 is Critical, which indicates a critical condition.
  error: Specifies log level 3 (LOG_ERROR). Logs messages with severity levels 0-3. Severity level 3 is Error, which indicates an error condition.
  warning: Default log level. Specifies log level 4 (LOG_WARNING). Logs messages with severity levels 0-4. Severity level 4 is Warning, which indicates a warning condition.
  notice: Specifies log level 5 (LOG_NOTICE). Logs messages with severity levels 0-5. Severity level 5 is Notification, which indicates that a significant event has occurred, but conditions remain normal.
  info: Specifies log level 6 (LOG_INFO). Logs messages with severity levels 0-6. Severity level 6 is Informational. Use these messages for information only.
  debug: Specifies log level 7 (LOG_DEBUG). Logs messages with severity levels 0-7. Severity level 7 is Debugging. Use these messages for debugging only.
Restrictions
Default Privilege Level: 15
Syntax
configure logging monitor level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}
configure no logging monitor
Context
You access this command from the main CLI context.
Parameters
See Parameters on page 151 for a list of parameters used with this command.
Parameters
Parameter: level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}
Description: Configures the log monitoring level for the X-Series Platform. The console terminal displays only the event messages stored in the console log that have a severity level equal to or lower than the specified log monitoring level, allowing the user to monitor specific types of events in real time. You can specify the log monitoring level using either its level number or its level name. Valid values for log level number (<level_number>) are 0-7. Default is 4. Valid log monitoring level names are:
- emerg: Specifies log level 0 (LOG_EMERG). Console terminal displays messages with severity level 0, Emergency. Emergency messages indicate that the system is unstable.
- alert: Specifies log level 1 (LOG_ALERT). Console terminal displays messages with severity levels 0 and 1. Severity level 1 is Alert, which indicates that immediate action is needed.
- crit: Specifies log level 2 (LOG_CRIT). Console terminal displays messages with severity levels 0-2. Severity level 2 is Critical, which indicates a critical condition.
- error: Specifies log level 3 (LOG_ERROR). Console terminal displays messages with severity levels 0-3. Severity level 3 is Error, which indicates an error condition.
- warning: Default log level. Specifies log level 4 (LOG_WARNING). Console terminal displays messages with severity levels 0-4. Severity level 4 is Warning, which indicates a warning condition.
- notice: Specifies log level 5 (LOG_NOTICE). Console terminal displays messages with severity levels 0-5. Severity level 5 is Notification, which indicates that a significant event has occurred, but conditions remain normal.
- info: Specifies log level 6 (LOG_INFO). Console terminal displays messages with severity levels 0-6. Severity level 6 is Informational. Use these messages for information only.
- debug: Specifies log level 7 (LOG_DEBUG). Console terminal displays messages with severity levels 0-7. Severity level 7 is Debugging. Use these messages for debugging only.
Restrictions
Default Privilege Level: 15
Syntax
configure [no] logging server {<host_name> | <IP_address>}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <host_name>
Description: Host name assigned to the syslog server to which the X-Series Platform sends log messages.
Parameter: <IP_address>
Description: IP address assigned to the syslog server to which the X-Series Platform sends log messages.
Restrictions
Default Privilege Level: 15
logging
Writes the specified text message to the X-Series Platform's system log. In the log, the text message is preceded by a series of equal signs (=), as shown in the example below.
Syntax
logging <text_message>
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <text_message>
Description: Text message that the X-Series Platform writes to the system log.
Restrictions
Default Privilege Level: 0
Example
The following command writes the text message, Hello World! to the X-Series Platform's system log:
mercury# logging Hello World!
The following log message appears in the /var/log/messages file on the CPM:
Jan 20 16:26:42 mercury admin: ==================== Hello World!
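Because logging runs at privilege level 0 from any CLI context, every CLI user can place text in /var/log/messages. The following added example (not part of the guide or of XOS) pulls those marker lines out of a log and attributes them. It assumes the field before the colon is the CLI user name, as in the guide's admin example; parse_markers, review_markers and every sample line except the first are constructed for illustration.

```python
import re
from typing import NamedTuple

# Marker line as shown in the guide: timestamp, host, user, a run of '=', text.
MARKER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<user>[^\s:\[\]]+):\s={2,}\s(?P<text>.*)$"
)
# A syslog-style header appearing inside the operator-supplied text.
EMBEDDED_HEADER_RE = re.compile(
    r"[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s\S+\s\S+:"
)

# Constructed sample. Only the first line comes from the guide.
SAMPLE_LOG = """\
Jan 20 16:26:42 mercury admin: ==================== Hello World!
Jan 20 16:27:03 mercury exampled[1412]: constructed daemon message
Jan 20 16:31:10 mercury guest1: ==================== starting maintenance window
Jan 20 16:31:55 mercury guest1: ==================== Jan 20 16:31:56 mercury kernel: link down
Jan 20 16:40:00 mercury admin: no marker prefix on this line
"""


class Marker(NamedTuple):
    timestamp: str
    host: str
    user: str
    text: str


def parse_markers(log_text):
    """Return every line written by the CLI logging command, in file order."""
    markers = []
    for line in log_text.splitlines():
        m = MARKER_RE.match(line)
        if m:
            markers.append(Marker(m["ts"], m["host"], m["user"], m["text"]))
    return markers


def review_markers(markers, expected_users):
    """Pair each marker that needs a second look with the reasons for it."""
    findings = []
    for marker in markers:
        reasons = []
        if marker.user not in expected_users:
            reasons.append("unexpected user")
        if EMBEDDED_HEADER_RE.search(marker.text):
            reasons.append("text resembles a log header")
        if reasons:
            findings.append((marker, reasons))
    return findings


if __name__ == "__main__":
    for marker, reasons in review_markers(parse_markers(SAMPLE_LOG), {"admin"}):
        print(marker.timestamp, marker.user, "; ".join(reasons))
```

Anchoring on the run of equal signs keeps ordinary daemon and user lines out of the result, so the review list contains only text that a CLI user typed.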
configure chassis-resource-protection
Chassis Resource Protection provides configuration parameters to prevent malicious traffic from consuming critical NPM resources. Parameters based on TCP flow validation and flow table limits are set to monitor and filter traffic flow. Additional fragment handling parameters can also be enabled for effective handling of fragmented packets. These features must be enabled by the user, and are off by default.
configure chassis-resource-protection enables global resource protection settings on the X-Series Platform. Use the no parameter to disable chassis resource protection.
NOTE: To restore all the resource protection settings to default values, use the no chassis-resource-protection command.
Syntax
configure [no] chassis-resource-protection [no] enable
Parameters
The following table lists the parameters used with this command.
Parameter: [no] enable
Description: [Disable] Enable resource protection on the chassis. Once enabled, you can disable settings per logical line, or on a flow rule basis.
Restrictions
Default Privilege Level: 15
Settings are off by default.
Once enabled, settings may be disabled per logical interface.
Example
configure chassis-resource-protection enable
Syntax
flow-table-partition threshold <0 - 85>
Parameters
The following table lists the parameters used with this command.
Parameter: tcp <0-100>
Description: Percentage of flow table allocated for protocol TCP
Parameter: udp <0-100>
Description: Percentage of flow table allocated for protocol UDP
Parameter: icmp <0-100>
Description: Percentage of flow table allocated for protocol ICMP
Parameter: other-ip <0-100>
Description: Percentage of flow table allocated for other-IP protocols
Parameter: flow-table-profile {tcp | udp | icmp | other-ip}
Description: Configures the system action for the tcp, udp, icmp, or other-ip partition
Parameter: backup-flow-info
Description: Enables the flow information to be backed up for high-availability
Parameter: table-limit
Description: Specifies the action to take when the flow table limit is exceeded. Values are:
- action drop: Drops packets when the limit has been exceeded
- action pass: Passes packets when the limit has been exceeded
Restrictions
Default Privilege Level: 15
Example
Use the configure chassis-resource-protection command to enter the correct context, then define the flow table partitions.
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# flow-table-partition threshold 60 tcp 20 udp 20 icmp 0 other-ip 0
Syntax
flow-table-profile {tcp | udp | icmp | other-ip}
Subcommands
table-limit-action (conf-rp-table-profile context) on page 156
backup-flow-info (conf-rp-table-profile context) on page 156
Parameters
The following table lists the parameters used with this command.
Parameter: tcp
Description: Sets the profile for TCP
Parameter: udp
Description: Sets the profile for UDP
Parameter: icmp
Description: Sets the profile for ICMP
Parameter: other-ip
Description: Sets the profile for Other-IP
Restrictions
Default Privilege Level: 15
Example
CBS(conf-resource-protection)# flow-table-partition threshold 60 tcp 20 udp 20 icmp 0 other-ip 0
CBS(conf-flow-table-partition)# flow-table-profile tcp
CBS(conf-rp-table-profile)#
Syntax
table-limit {action drop | action pass}
Restrictions
Default Privilege Level: 15
Example
CBS(conf-resource-protection)# flow-table-partition threshold 60 tcp 20 udp 20 icmp 0 other-ip 0
CBS(conf-flow-table-partition)# flow-table-profile tcp
CBS(conf-rp-table-profile)# table-limit action drop
CBS(conf-rp-table-profile)# backup-flow-info
Syntax
[no] backup-flow-info
Restrictions
Default Privilege Level: 15
Example
CBS(conf-resource-protection)# flow-table-partition threshold 60 tcp 20 udp 20 icmp 0 other-ip 0
CBS(conf-flow-table-partition)# flow-table-profile tcp
CBS(conf-rp-table-profile)# table-limit action drop
CBS(conf-rp-table-profile)# backup-flow-info
CBS(conf-rp-table-profile)#
Syntax
fragment-handling-options
Restrictions
Default Privilege Level: 15
Example
CBS(conf-resource-protection)# fragment-handling-options
CBS(conf-rp-frag-handlings)#
Syntax
selective-drop
Subcommands include:
allow-fragment-overlap (conf-rp-select-drop context) on page 158
limit-fragment-queue (conf-rp-select-drop context) on page 158
Restrictions
Default Privilege Level: 15
Example
CBS(conf-rp-frag-handlings)# selective-drop
CBS(conf-rp-select-drop)#
Syntax
allow-fragment-overlap
Context
Access this command from the selective drop context. Use the following commands to reach the correct context:
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# fragment-handling-options
CBS(conf-rp-frag-handlings)# selective-drop
CBS(conf-rp-select-drop)# allow-fragment-overlap
Syntax
limit-fragment-queue
Restrictions
Default Privilege Level: 15
Context
Access this command from the selective drop context. Use the following commands to reach the correct context:
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# fragment-handling-options
CBS(conf-rp-frag-handlings)# selective-drop
CBS(conf-rp-select-drop)# limit-fragment-queue
Syntax
ip-id-validation
Restrictions
Default Privilege Level: 15
Context
Access this command from the fragment-handling-options context. Use the following commands to reach the correct context:
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# fragment-handling-options
CBS(conf-rp-frag-handlings)# ip-id-validation
CBS(conf-rp-frag-handlings)#
Syntax
tcp-overlap-protection
Restrictions
Default Privilege Level: 15
Context
Access this command from the fragment-handling-options context. Use the following commands to reach the correct context:
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# fragment-handling-options
CBS(conf-rp-frag-handlings)# tcp-overlap-protection
CBS(conf-rp-frag-handlings)#
Syntax
tcp-flow-validation
Restrictions
Default Privilege Level: 15
Example
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# tcp-flow-validation
CBS(conf-rp-tcp-flow)#
Syntax
bypass-tcp-flow-setup-validation
Restrictions
Default Privilege Level: 15
Example
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# tcp-flow-validation
CBS(conf-rp-tcp-flow)# bypass-tcp-flow-setup-validation
CBS(conf-rp-tcp-flow)#
packet-validation
TCP Packet validation is an inspection process to detect and drop invalid TCP/IP frames. Packet Validation checks TCP and IP header information, packet size, flags, checksums, and other specific aspects of each incoming packet. When the packet-validation feature is enabled, the subcommands provide the option to either drop or pass non-conformant traffic. In all packet validation checks, statistics are maintained regardless of the action. These checks are applied globally to circuits connected to external interfaces. Packet validation can be disabled on individual circuits by assigning a per-circuit alternative-action. Refer to the example below for additional information.
Syntax
packet-validation
Restrictions
Default Privilege Level: 15
Example
CBS# configure packet-validation
CBS(conf-pkt-validation)#
Example
CBS# configure interface gigabitethernet 2/4
CBS(conf-intf-gig)# logical trflog
CBS(intf-gig-logical)# circuit trf
CBS(intf-gig-log-cct)# packet-validation
Syntax
validate-ip-packet action <drop | pass>
Restrictions
Default Privilege Level: 15
Example
CBS# configure packet-validation
CBS(conf-pkt-validation)# validate-ip-packet action drop
Example
CBS# configure interface gigabitethernet 2/4
CBS(conf-intf-gig)# logical trflog
CBS(intf-gig-logical)# circuit trf
CBS(intf-gig-log-cct)# packet-validation
CBS(intf-gig-log-cct)# validate-ip-packet alternative-action pass
Syntax
validate-tcp-packet action <drop | pass>
Restrictions
Default Privilege Level: 15
Example
CBS# configure packet-validation
CBS(conf-pkt-validation)# validate-tcp-packet action drop
Example
CBS# configure interface gigabitethernet 2/4
CBS(conf-intf-gig)# logical trflog
CBS(intf-gig-logical)# circuit trf
CBS(intf-gig-log-cct)# packet-validation
CBS(intf-gig-log-cct)# validate-tcp-packet alternative-action pass
Syntax
validate-tcp-xsum action <drop | pass>
Restrictions
Default Privilege Level: 15
Example
CBS# configure packet-validation
CBS(conf-pkt-validation)# validate-tcp-xsum action drop
Example
CBS# configure interface gigabitethernet 2/4
CBS(conf-intf-gig)# logical trflog
CBS(intf-gig-logical)# circuit trf
CBS(intf-gig-log-cct)# packet-validation
CBS(intf-gig-log-cct)# validate-tcp-xsum alternative-action pass
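Every pass setting above leaves a path on which the corresponding check or limit only counts traffic instead of dropping it, and the per-circuit alternative-action is easy to lose track of once it is configured. The following added example (not part of the guide or of XOS) walks a command transcript and lists each place where pass is configured. It assumes a transcript in the guide's prompt format; audit_pass_actions and the sample transcript are constructed for illustration.

```python
import re

# "CBS# cmd" or "CBS(context)# cmd", as printed in the guide's examples.
PROMPT_RE = re.compile(r"^\S+?(?:\([^)]+\))?#\s*(?P<cmd>.*)$")
VALIDATE_RE = re.compile(
    r"^validate-(?P<check>ip-packet|tcp-packet|tcp-xsum) "
    r"(?P<kind>action|alternative-action) (?P<action>drop|pass)$"
)

# Constructed transcript stitched together from the command forms in the guide.
SAMPLE = """\
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# flow-table-partition threshold 60 tcp 20 udp 20 icmp 0 other-ip 0
CBS(conf-flow-table-partition)# flow-table-profile tcp
CBS(conf-rp-table-profile)# table-limit action drop
CBS(conf-flow-table-partition)# flow-table-profile udp
CBS(conf-rp-table-profile)# table-limit action pass
CBS# configure packet-validation
CBS(conf-pkt-validation)# validate-ip-packet action drop
CBS(conf-pkt-validation)# validate-tcp-packet action drop
CBS(conf-pkt-validation)# validate-tcp-xsum action pass
CBS# configure interface gigabitethernet 2/4
CBS(conf-intf-gig)# logical trflog
CBS(intf-gig-logical)# circuit trf
CBS(intf-gig-log-cct)# packet-validation
CBS(intf-gig-log-cct)# validate-ip-packet alternative-action drop
CBS(intf-gig-log-cct)# validate-tcp-packet alternative-action pass
"""


def audit_pass_actions(transcript):
    """Return (scope, setting, note) for every place where 'pass' is configured."""
    iface = logical = circuit = profile = None
    global_action, overrides, table_limit = {}, [], {}
    for raw in transcript.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if not m or not m["cmd"]:
            continue  # output lines and bare prompts
        w = m["cmd"].split()
        if w[0] == "configure":
            # A new top-level command leaves whatever context was active.
            iface = logical = circuit = profile = None
            if w[1:2] == ["interface"]:
                iface = " ".join(w[2:])
        elif w[0] == "logical" and len(w) == 2:
            logical, circuit = w[1], None
        elif w[0] == "circuit" and len(w) == 2:
            circuit = w[1]
        elif w[0] == "flow-table-profile" and len(w) == 2:
            profile = w[1]
        elif w[:2] == ["table-limit", "action"] and len(w) == 3:
            table_limit[profile] = w[2]
        else:
            v = VALIDATE_RE.match(" ".join(w))
            if v and v["kind"] == "action":
                global_action[v["check"]] = v["action"]
            elif v:
                scope = f"{iface} logical {logical} circuit {circuit}"
                overrides.append((scope, v["check"], v["action"]))

    findings = []
    for proto, action in table_limit.items():
        if action == "pass":
            findings.append((f"flow-table-profile {proto}", "table-limit action pass",
                             "packets are passed when the flow table limit is exceeded"))
    for check, action in global_action.items():
        if action == "pass":
            findings.append(("global", f"validate-{check} action pass",
                             "non-conformant packets are passed on external circuits"))
    for scope, check, action in overrides:
        if action == "pass":
            findings.append((scope, f"validate-{check} alternative-action pass",
                             f"overrides global action {global_action.get(check, 'unset')}"))
    return findings


if __name__ == "__main__":
    for scope, setting, note in audit_pass_actions(SAMPLE):
        print(f"{scope}: {setting} ({note})")
```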
XOS Command Reference Guide 163
configure cp-redundancy
Configures CPM redundancy on the X-Series Platform. Sets the operational state of the online CPM (the CPM on which you issue the configure cp-redundancy command) to primary. Sets the administrative state of both CPMs to election.
IMPORTANT: The CPM redundancy configuration takes effect immediately on the offline CPM. However, the CPM redundancy configuration does not take effect on the online (primary) CPM until after you reboot it. To begin using CPM redundancy, you must first write the XOS running configuration file to the startup configuration file using the startup-config parameter with the copy running-config command, and then reboot the online CPM using the reload module command.
If CPM redundancy is already configured on the X-Series Platform, this command places you in the config-cp-redundancy context, from which you can configure each CPM's administrative state. Use the no parameter to delete the existing CPM redundancy configuration from both CPMs.
Syntax
configure [no] cp-redundancy
Restrictions
Default Privilege Level: 15
CPMs configured for redundancy must have identical RAID configurations. (Their mirrored partition sizes must match.) Therefore:
- If one CPM is configured for RAID, both CPMs must be configured for RAID.
- If both CPMs are configured for RAID, they must both be configured for the same RAID type (RAID 1 or RAID 0).
NOTE: To support a RAID configuration, you must perform a fresh XOS installation on both CPMs.
Syntax
set {cp1 | cp2 | this_cp | other_cp} {election | offline}
Context
You access this command from the config-cp-redundancy CLI context. You access this context from the main CLI context by issuing the configure cp-redundancy command.
Parameters
The following table lists the parameters used with this command.
Parameter: {cp1 | cp2 | this_cp | other_cp}
Description: Specifies the CPM for which you are configuring CPM redundancy:
- cp1: CPM named cp1. Use the show chassis command to display the slot number and module name assigned to each CPM in your chassis.
- cp2: CPM named cp2. Use the show chassis command to display the slot number and module name assigned to each CPM in your chassis.
- this_cp: The CPM from which you are issuing the set command (this CPM).
- other_cp: The other CPM.
Parameter: {election | offline}
Description: Configures the specified CPM with one of the following CPM redundancy administrative states:
- election: CPM participates in the primary CPM election, and can be elected as the primary CPM. This is the default administrative state for both CPMs when CPM redundancy is first configured.
- offline: Specified CPM is offline. An offline CPM does not communicate with other modules in the chassis, and cannot be elected as the primary CPM.
Restrictions
Default Privilege Level: 15
Syntax
configure management [no] vip-addr <IP_address>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_address>
Description: Virtual management IP address that you wish to assign to the X-Series Platform.
Restrictions
Default Privilege Level: 15
The virtual management IP address, the actual management IP address of cp1, and the actual management IP address of cp2 must all be part of the same subnet.
Syntax
configure cp-action {cp1 | cp2} disk-error {offline | none}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: {cp1 | cp2}
Description: Specifies the CPM that you want to configure. You specify a CPM using its module name (cp1 or cp2). Use the show chassis command to display the slot number and module name assigned to each CPM in your chassis.
Parameter: {offline | none}
Description: Configures the CPM to respond to a critical disk error in one of two ways:
- offline: CPM goes offline when a critical disk error occurs.
- none: CPM takes no action when a critical disk error occurs.
Restrictions
Default Privilege Level: 15
Example
The following command configures the CPM named cp1 to go offline when a critical disk error occurs.
CBS(config)# cp-action cp1 disk-error offline
cp-unknown-state
Configures the specified CPM to take one of two actions when the other CPM's state is unknown:
- Continue monitoring the other CPM while its state is unknown, and be prepared to take action should the other CPM fail after exiting the unknown state.
- Ignore the other CPM while its state is unknown, and resume monitoring the other CPM when it enters a known state.
Syntax
cp-unknown-state {cp1 | cp2} {monitor | ignore}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: {cp1 | cp2}
Description: Specifies the CPM that you want to configure. You specify a CPM using its module name (cp1 or cp2). Use the show chassis command to display the slot number and module name assigned to each CPM in your chassis.
Parameter: {monitor | ignore}
Description: Configures the specified CPM to take one of two actions when the other CPM's state is unknown:
- monitor: Continue monitoring the other CPM while its state is unknown, and be prepared to take action should the other CPM fail after exiting the unknown state.
- ignore: Ignore the other CPM while its state is unknown, and resume monitoring the other CPM when it enters a known state.
Restrictions
Default Privilege Level: 15
This command is not available on the X20 or X30 chassis.
Example
In the following example, an X-Series Platform is configured for CPM redundancy. The primary CPM is cp1 and the secondary is cp2. The system administrator plans an activity on cp2 that will result in cp2 being temporarily unable to send heartbeat signals. Examples include:
- Performing a fresh XOS software installation on cp2 using the USB Installer (USBI)
- Rebuilding the partitions on the cp2 disk
NOTE: The loss of heartbeat from cp2 occurs after the cp-disk-scheme command has been used, and after cp2 has rebooted.
- Copying the cp2 primary distribution to the secondary distribution
NOTE: This can occur during:
- An AWS "Prepare system for a possible rollback" operation
- As part of the preparation for a safe upgrade (see Preparing for Safe Upgrade in the XOS Configuration Guide)
Prior to starting the activity on cp2, the system administrator uses the following command on cp1 to instruct it to ignore the lack of heartbeat signals from cp2.
CBS# cp-unknown-state cp1 ignore
After the activity on cp2 has been completed, the administrator uses the following command to instruct cp1 to resume monitoring of cp2.
CBS# cp-unknown-state cp1 monitor
Syntax
ssh [username <user_name>] {<IP_address> | <host_name>}
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: username <user_name>
Description: Configures the X-Series Platform to log in to the SSH server using the specified user name. By default, the X-Series Platform attempts to log into the SSH server using your X-Series Platform user name.
Parameter: <IP_address>
Description: IP address assigned to the SSH server (the remote host).
Parameter: <host_name>
Description: Host name assigned to the SSH server (the remote host).
Restrictions
Default Privilege Level: 15
Chapter 5: Commands for Configuring and Managing VAP Groups
This chapter describes the CLI commands that you can use to:
- Create, configure, and manage a virtual application processor (VAP) group on an X-Series Platform.
- Install, configure, and manage an application on a VAP group.
- Install and configure routing software and services on a VAP group.
This chapter contains the following sections:
- Commands for Creating and Configuring a VAP Group on page 172
- Commands for Managing User Access to a VAP Group on page 209
- Commands for Installing, Configuring, and Managing an Application on a VAP Group on page 214
- Commands for Installing, Configuring, and Managing Routing Software and Routing Protocols on a VAP Group on page 233
configure vap-group
Creates and configures a new virtual application processor (VAP) group or configures the specified existing VAP group. Places you into the config-vap-grp context in which you can configure the specified VAP group.
When you issue the configure vap-group command to create a new VAP group, the CLI prompts you to confirm your decision to create a new VAP group. If you confirm your decision, the CLI displays a progress message while the X-Series Platform creates and configures the new VAP group. When the VAP group configuration is complete, the CLI returns you to the command prompt. See the example below for details.
NOTE: When you create a new VAP group, the X-Series Platform configures that VAP group with the default VAP count of 1. That is, the VAP group includes only one VAP. To increase the number of VAPs included in a new VAP group, use the vap-count (config-vap-grp context) command.
You can specify a Crossbeam VAP operating system (VAP OS) parameter with the configure vap-group command to configure a new VAP group to run the xslinux_v3, xslinux_v5, xslinux_v5_64, or xsve VAP OS. If you do not specify a VAP OS parameter when you create a new VAP group, the X-Series Platform configures the new VAP group to run the default VAP OS, xslinux_v3.
NOTE: You must configure a new VAP group to run the specific Crossbeam VAP OS required to support the application that you plan to install on that VAP group. Refer to the installation guide for your application to determine its VAP OS requirements.
You cannot change the VAP OS configuration for an existing VAP group. If you do not specify a VAP OS parameter when you configure an existing VAP group, the X-Series Platform retains the current VAP OS configuration for that VAP group. Use the show (config-vap-grp context) command to display the VAP OS currently running on the VAP group that you are configuring.
Use the configure no vap-group <VAP_group_name> command to delete the specified VAP group.
NOTE: You must delete all parts of the XOS configuration that reference a specific VAP group before deleting that VAP group.
Syntax
configure vap-group <VAP_group_name> [xslinux_v3 | xslinux_v5 | xslinux_v5_64 | xsve]
configure no vap-group <VAP_group_name>
enable-ipv6 (conf-vap-grp context) (IPv6) on page 186
ip-forwarding-ipv6 (enable-ipv6 context) (IPv6) on page 187
ip-flow-rule (config-vap-grp context) on page 188
non-ip-flow-rule (config-vap-grp context) on page 189
ip-forwarding (config-vap-grp context) on page 192
fail-to-host (config-vap-grp context) on page 192
flow-proxy (config-vap-grp context) on page 193
jumbo-frame (config-vap-grp context) on page 193
scatter-gather (config-vap-grp context) on page 194
reload-timeout (config-vap-grp context) on page 195
vg-reset-wait-time on page 196
delay-flow (config-vap-grp context) on page 197
application-monitor (config-vap-group context) on page 198
master-failover-trigger application (config-vap-grp context) on page 199
master-holddown (config-vap-grp context) on page 200
dhcp-relay-server-list (config-vap-grp context) on page 201
rp-filter (config-vap-grp context) on page 202
log-martians (config-vap-grp context) on page 203
show (config-vap-grp context) on page 204
Parameters
The following table lists the parameters used with this command.
Parameter: <VAP_group_name>
Description: Name assigned to the new or existing VAP group that you wish to create and/or configure. Each VAP group must have a unique name, and VAP group names are not case-sensitive. For example, you cannot create two VAP groups named firewall1, and you cannot create one VAP group named firewall2 and another group named FireWall2.
NOTE: A VAP group cannot be named npm6, and cannot be more than 12 characters long.
Description: Configures the VAP group to run the specified Crossbeam VAP operating system (VAP OS). Each application requires a specific VAP OS. Refer to the installation guide for your application to determine its VAP OS requirements. An application that runs in a virtual environment requires xsve. The default VAP OS is xslinux_v3.
NOTE: If you do not specify a VAP OS when you create a new VAP group, the X-Series Platform configures the new VAP group to run the default VAP OS, xslinux_v3. Use the show (config-vap-grp context) command to display the VAP OS running on the VAP group that you are currently configuring.
Restrictions
Default Privilege Level: 15
- Each VAP group must have a unique name, and VAP group names are not case-sensitive.
- A VAP group cannot be named npm6.
- A VAP group name cannot be more than 12 characters long.
- You cannot change the VAP OS configuration for an existing VAP group.
Example
The following command creates a new VAP group called testvapgroup, which consists of one VAP and is configured to run the xslinux_v5 VAP OS:
CBS# configure vap-group testvapgroup xslinux_v5
Are you sure you want to create a new vap-group with OS version xslinux_v5? <Y or N> [Y]: Y
Creating vap-group testvapgroup. May take several minutes...........+...........+..
CBS(config-vap-grp)#
When you issue the vap-count command to change the VAP count for a given VAP group, the CLI prompts you to confirm the new VAP count setting. If you confirm the new VAP count setting, the CLI displays a progress message while the X-Series Platform adjusts the VAP count. When the VAP count adjustment is complete, the CLI returns you to the command prompt. See the example below for details.
Syntax
vap-count <number_of_VAPs_in_group>
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <number_of_VAPs_in_group>
Description: VAP count setting for the VAP group that you are currently configuring. Valid values are from 1 to 63. Default is 1. Use the show (config-vap-grp context) command to display the VAP count for the VAP group that you are currently configuring.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command sets the VAP count of testvapgroup to 3:
CBS(config-vap-grp)# vap-count 3
Are you sure you want to adjust vap-count to 3? <Y or N> [Y]: Y
Adjusting vap-count. May take several minutes...........+...........+....
CBS(config-vap-grp)#
Syntax
[no] max-load-count <number_of_VAPs>
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <number_of_VAPs>
Description: Max load count setting for the VAP group that you are configuring. Valid values are 0 to 63. Default is 0. Use the show (config-vap-grp context) command to display the max load count for the VAP group that you are configuring.
Restrictions
Default Privilege Level: 15
A VAP group's max load count must be equal to or lower than its VAP count.
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command sets the max load count of testvapgroup to 3:
CBS(config-vap-grp)# max-load-count 3
CBS(config-vap-grp)#
Syntax
max-reload-count <reload_count>
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <reload_count>
Description: The number of reloads that are allowed.
Range: 1 to 32767
Default Value: 3
Restrictions
Default Privilege Level: 15
When you use the ap-list command to define a new APM list for a VAP group, the new list replaces the old one. That is, the new APM list for the VAP group that you are configuring includes only the APMs that you specify with the ap-list command.
NOTE: You must specify at least one APM name with the ap-list command; you cannot define a new APM list with no members.
Use the no ap-list command to remove all APMs from the APM list for the VAP group that you are currently configuring. Use the show (config-vap-grp context) command to display the APM list for the VAP group that you are currently configuring.
Syntax
ap-list {<APM_name1>} [<APM_name2>] [<APM_name3>] ... [<APM_nameN>]
no ap-list
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <APM_nameN>
Description: Module name assigned to an APM that you want to add to the APM list for the VAP group that you are currently configuring. APM names have the format, apN, where N can be any number from 1 to 10. By default, the APM list for a new VAP group includes all APMs installed in the chassis.
Restrictions
Default Privilege Level: 15
You must specify at least one APM name with the ap-list command.
Example
In this example, the X-Series Platform administrator wants to install a firewall application on the VAP group called testvapgroup. The administrator wants to run this application on a VAP group consisting solely of APM-8650s.
The administrator uses the following command to determine which module names are assigned to the APM-8650s installed in his chassis.
CBS# show chassis
Chassis Status for X80:
Power Type: AC-3
1G Backplane Support: Yes
1G Backplane Capability for Slots 3 and 4: Yes
Chassis Revision: C2
Chassis Serial Number: G808F008
Chassis Part Number: 004360
Chassis OCODE: A000
Slot  Present  Module Name  Module Type  Status
1     No       n/a          n/a          n/a
2     Yes      np2          NP8600       Up
3     No       n/a          n/a          n/a
4     No       n/a          n/a          n/a
5     Yes      ap3          AP8600       Active
6     No       n/a          n/a          n/a
7     Yes      ap5          AP8650       Active
8     Yes      ap6          AP8650       Active
9     Yes      ap7          AP8650       Active
10    No       n/a          n/a          n/a
11    No       n/a          n/a          n/a
12    No       n/a          n/a          n/a
13    Yes      cp1          CP8600       Up
14    No       n/a          n/a          n/a
CBS#
This command shows that the APM-8650s in the chassis are named ap5, ap6, and ap7. Therefore, the administrator issues the following commands to configure the APM list for the VAP group, testvapgroup, to include only ap5, ap6, and ap7.
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ap-list ap5 ap6 ap7
CBS(config-vap-grp)#
13 days, 04:14
Syntax
load-balance-vap-list <VAP_index_number> [<VAP_index_number>] [<VAP_index_number>] ...
no load-balance-vap-list
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <VAP_index_number>
Description: VAP index number assigned to a VAP that you want to include in the load-balance VAP list for the VAP group that you are currently configuring. Use the show ap-vap-mapping command to display the VAP group name and index number assigned to each VAP that is loaded on an APM. Valid values are from 1 to 63.
NOTE: You can specify up to 63 VAP index numbers, but the NPMs load balance flows only across VAPs that are loaded onto APMs.
Restrictions
Default Privilege Level: 15
You must specify at least one VAP index number with the load-balance-vap-list command.
Example
In this example, an X-Series Platform administrator originally installed a firewall application on a VAP group called testvapgroup, which consisted of three VAPs. Now, the X-Series Platform administrator wants to add a fourth VAP to testvapgroup and install the firewall application onto a fourth APM-8650. The administrator issues the following commands to increase the VAP count for testvapgroup and add a fourth APM-8650, ap8, to that VAP group's APM list.
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# vap-count 4
Are you sure you want to adjust vap-count to 4? <Y or N> [Y]: Y
Adjusting vap-count. May take several minutes...........+...........+....
CBS(config-vap-grp)# ap-list ap5 ap6 ap7 ap8
Now, to prevent the NPM from assigning new flows to the new VAP during firewall application installation, the X-Series Platform administrator issues the following commands to configure the load-balance VAP list for the VAP group, testvapgroup, to include only the VAPs with index numbers 1, 2, and 3. (The newest VAP's index number is 4.)
CBS(config-vap-grp)# load-balance-vap-list 1 2 3
CBS(config-vap-grp)#
Next, the administrator issues the following command to increase the max load count to 4 and load the new VAP onto an APM (ap8):
CBS(config-vap-grp)# max-load-count 4
CBS(config-vap-grp)#
The administrator then installs the firewall application on the new VAP. When the installation is complete, the administrator uses the following command to add the new VAP to the load-balance VAP list for testvapgroup, so that the new VAP can start processing traffic.
CBS(config-vap-grp)# load-balance-vap-list 1 2 3 4
CBS(config-vap-grp)#
Syntax
load-priority <load_priority_value>
no load-priority
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <load_priority_value>
Description: Load priority value that you want to assign to the VAP group that you are configuring. Valid values are from 0 to 255. The default value is 0.
Restrictions
Default Privilege Level: 15
A VAP group's load priority value must be equal to or higher than its preemption priority value. Use the show (config-vap-grp context) command to display the current preemption priority value for the VAP group that you are configuring. See preemption-priority (config-vap-grp context) on page 183 for information on setting the preemption priority value for the VAP group that you are configuring.
Example
In this example, a VAP group called idsvapgroup is running an IDS application, and a VAP group called testvapgroup is running a firewall application. The X-Series Platform's system administrator has been told that maintaining the availability of the firewall application is much more important than maintaining the availability of the IDS application. Therefore, the administrator decides to configure the two VAP groups to ensure availability of the firewall application in the event that the administrator must reboot the X-Series Platform.
The administrator uses the following commands to set the load priority for the firewall application's VAP group (testvapgroup) to 10:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# load-priority 10
CBS(config-vap-grp)# end
CBS#
The administrator then uses the following commands to set the load priority for the IDS application's VAP group (idsvapgroup) to 5:
CBS# configure vap-group idsvapgroup
CBS(config-vap-grp)# load-priority 5
CBS(config-vap-grp)# end
CBS#
Now, whenever the X-Series Platform reboots, the CPM will load all the VAPs in testvapgroup onto APMs before loading any of the VAPs in idsvapgroup onto APMs. Therefore, after an X-Series Platform reboot, the firewall application starts running on the first APMs that become available. Also, if there are not enough APMs to run all VAPs in both groups, the CPM loads the IDS application's VAPs only if APMs remain available after the CPM loads all of the firewall application's VAPs onto APMs.
Syntax
preemption-priority <preemption_priority_value>
no preemption-priority
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <preemption_priority_value>
Description: Preemption priority value that you want to assign to the VAP group that you are configuring. Valid values are from 0 to 255. The default value is 0.
Restrictions
Default Privilege Level: 15
A VAP group's preemption priority value must be equal to or lower than its load priority value. Use the show (config-vap-grp context) command to display the current load priority value for the VAP group that you are configuring. See load-priority (config-vap-grp context) on page 182 for information on setting the load priority value for the VAP group that you are configuring.
Example
In this example, a VAP group called idsvapgroup is running an IDS application, and a VAP group called testvapgroup is running a firewall application. The X-Series Platform's system administrator has been told that maintaining the availability of the firewall application is much more important than maintaining the availability of the IDS application. Therefore, the administrator decides to configure the two VAP groups to minimize downtime for the firewall application in the event that the administrator must reboot the X-Series Platform.
The administrator uses the following commands to set the preemption priority for the firewall application's VAP group (testvapgroup) to 10:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# preemption-priority 10
CBS(config-vap-grp)# end
CBS#
The administrator then uses the following commands to set the preemption priority for the IDS application's VAP group (idsvapgroup) to 5:
CBS# configure vap-group idsvapgroup
CBS(config-vap-grp)# preemption-priority 5
CBS(config-vap-grp)# end
CBS#
Now, if one or more APMs fail while running the firewall application, the CPM first attempts to replace the failed APMs with standby APMs. If there are not enough standby APMs available to replace all the failed APMs, the CPM removes APMs from the IDS application's VAP group (idsvapgroup) and reassigns those APMs to the firewall application's VAP group (testvapgroup). The CPM continues to reassign APMs to testvapgroup until every VAP in that group is assigned to an APM or until there are no available APMs left in the chassis. This way, the VAP group running the highest-priority application (the firewall) will always have APMs on which to run, because the firewall application's VAP group (testvapgroup) will always have an APM assigned to every VAP in the group.
Syntax
raid {1 | 0}
no raid
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: {1 | 0}
Description: Specifies the RAID level that you want to set for the APMs assigned to the VAP group that you are configuring. Specify one of the following:
0: Specifies RAID level 0, striping. Each APM writes an equal amount of data to both of its local hard drives.
1: Specifies RAID level 1, mirroring. Each APM writes identical data to both of its local hard drives.
By default, if a VAP group runs on APMs with two hard drives, the APMs do not use RAID; the two disks on each APM work independently of one another.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command configures the APMs assigned to testvapgroup to use RAID 1:
CBS(config-vap-grp)# raid 1
CBS(config-vap-grp)#
Syntax
[no] enable-ipv6
Do not disable or change this rule while IPv6 support is enabled for the VAP group.
Restrictions
Default Privilege Level: 15
To enable IPv6 on a VAP group, all associated circuits must have an MTU size of at least 1280.
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command enables IPv6 services for the VAP group:
CBS(config-vap-grp)# enable-ipv6
CBS(config-vap-grp)#
Syntax
[no] ip-forwarding-ipv6
Restrictions
Default Privilege Level: 15
Typically, the application running on the module performs IP forwarding, if required. This command is primarily used for lab testing.
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following commands configure the APMs assigned to testvapgroup for IPv6 traffic and enable the forwarding of IPv6 packets:
CBS(config-vap-grp)# enable-ipv6
CBS(enable-ipv6)# ip-forwarding-ipv6
Syntax
[no] ip-flow-rule <IP_flow_rule_name>
generate-reversed-flow (ip-flow-rule context) on page 312
source-addr (ip-flow-rule context) on page 314
destination-addr (ip-flow-rule context) on page 315
source-port (ip-flow-rule context) on page 317
destination-port (ip-flow-rule context) on page 318
protocol (ip-flow-rule context) on page 319
domain (ip-flow-rule context) on page 321
incoming-circuit-group (ip-flow-rule context) on page 322
timeout (ip-flow-rule context) on page 324
trace (ip-flow-rule context) on page 326
core-assignment (ip-flow-rule context) on page 329
activate (ip-flow-rule context) on page 330
show (ip-flow-rule context) on page 331
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_flow_rule_name>
Description: Name assigned to the IP flow rule that you want to create or configure for the VAP group that you are configuring.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command creates an IP flow rule for the VAP group called testvapgroup and places you in the context in which you can configure and activate that IP flow rule (called testiprule):
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
NOTE: If an NPM is unable to apply any non-IP flow rules to an incoming non-IP packet, the NPM drops the packet.
Each VAP group non-IP flow rule consists of an action and a set of packet-matching criteria. The NPM performs the action on flows that match the conditions defined in the packet-matching criteria. For example, you can create a non-IP flow rule that instructs the NPM to send all Spanning-Tree-Protocol-related traffic destined for a VAP group to the master VAP for that VAP group.
You must configure each VAP group non-IP flow rule with one of three link encapsulation types:
ethernet: Enables the NPM to process Ethernet encapsulated packets that arrive on logical interfaces configured for the VAP group. Configures the NPM to apply the VAP group non-IP flow rule's action only to Ethernet encapsulated packets that meet the flow rule's destination Ethernet protocol matching criteria.
lsap: Enables the NPM to process LSAP encapsulated packets that arrive on logical interfaces configured for the VAP group. Configures the NPM to apply the VAP group non-IP flow rule's action only to LSAP encapsulated packets that meet the flow rule's Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) matching criteria.
snap: Enables the NPM to process SNAP encapsulated packets that arrive on logical interfaces configured for the VAP group. Configures the NPM to apply the VAP group non-IP flow rule's action only to SNAP encapsulated packets that meet the flow rule's destination Ethernet protocol and Organization Unique Identifier (OUI) matching criteria.
NOTE: By default, the link encapsulation type for all VAP group non-IP flow rules is ethernet, and the destination Ethernet protocol matching criteria is set to any Ethernet protocol number.
Use the show (non-ip-flow context) command to display the link encapsulation type and packet-matching criteria defined for the VAP group non-IP flow rule that you are configuring.
You must activate a VAP group non-IP flow rule before it will take effect. By default, VAP group non-IP flow rules are not activated. See activate (non-ip-flow context) on page 351 for instructions on activating the VAP group non-IP flow rule that you are configuring. Use the no parameter to delete the specified non-IP flow rule. Use the show non-ip-flow command to display the current configuration for the VAP group non-IP flow rule that you are configuring. Use the show non-ip-flow command to display all VAP group non-IP flow rules currently configured on the X-Series Platform.
Syntax
[no] non-ip-flow-rule <non_IP_flow_rule_name>
encapsulation snap (non-ip-flow context) on page 348
core-assignment (non-ip-flow-rule context) on page 350
activate (non-ip-flow context) on page 351
show (non-ip-flow context) on page 351
Parameters
The following table lists the parameters used with this command.
Parameter: <non_IP_flow_rule_name>
Description: Name assigned to the non-IP flow rule that you want to create or configure for the VAP group that you are configuring.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command creates a non-IP flow rule for the VAP group called testvapgroup and places you in the context in which you can configure and activate that non-IP flow rule (called testnoniprule):
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#
Syntax
[no] ip-forwarding
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command enables IP forwarding for the VAP group called testvapgroup:
CBS(config-vap-grp)# ip-forwarding
CBS(config-vap-grp)#
Syntax
[no] fail-to-host
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Restrictions
Default Privilege Level: 15
Applies only to VAP groups that have been configured with the xsve operating system.
If fail-to-host is configured, ip-forwarding must be enabled for the vap-group.
Example
CBS# configure vap-group testvapgroup xsve
CBS(config-vap-group)# fail-to-host
Syntax
[no] flow-proxy
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Restrictions
Default Privilege Level: 15
This command is required for any vap-group that uses the xsve VAP operating system.
Example
CBS# configure vap-group testvapgroup
CBS(config-vap-group)# flow-proxy
CBS(config-vap-group)#
Use the show (config-vap-grp context) command to determine whether jumbo Ethernet frame support is enabled for the VAP group that you are currently configuring. NOTE: If you enable jumbo Ethernet frame support for a VAP group, you must also set the Maximum Transfer Unit (MTU) size to 9000 for each circuit associated with that VAP group. Use the show circuit command to determine the MTU size configured for every circuit associated with the VAP group that you are configuring. See mtu (conf-cct-vapgroup context) on page 427 for instructions on setting the MTU size for a circuit associated with a VAP group.
Syntax
[no] jumbo-frame
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Restrictions
Default Privilege Level: 15
If jumbo Ethernet frame support is enabled for a VAP group, every circuit associated with that VAP group must have a Maximum Transfer Unit (MTU) size of 9000.
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command enables jumbo Ethernet frame support for the VAP group called testvapgroup:
CBS(config-vap-grp)# jumbo-frame
CBS(config-vap-grp)#
Syntax
[no] scatter-gather
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command enables support for fragmenting large Ethernet frames into multiple buffers in host memory on the APMs assigned to testvapgroup. That is, the following command enables support for scatter-gather functionality for testvapgroup:
CBS(config-vap-grp)# scatter-gather
CBS(config-vap-grp)#
Syntax
reload-timeout <reload_timeout_interval>
no reload-timeout
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <reload_timeout_interval>
Description: Reload timeout interval that you want to assign to the VAP group that you are configuring. You specify the reload timeout interval in seconds. Valid values are from 60 to 18000. Default is 300.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command sets the reload timeout interval for testvapgroup to 500 seconds:
CBS(config-vap-grp)# reload-timeout 500
CBS(config-vap-grp)#
When you reload the VAP group, testvapgroup, the X-Series Platform waits 500 seconds for the VAP group to finish reloading. After 500 seconds, if any VAPs in testvapgroup are not loaded onto APMs, the X-Series Platform declares those VAPs inaccessible and attempts to reload them again.
vg-reset-wait-time
Sets the wait time before resetting a VAP when no connectivity to the VAP has been detected. You can use this command to delay the resetting of a VAP if the VAP is busy and fails to send heartbeats for a period of time. Specify a time from 0 (zero) to 60 seconds. Use the no vg-reset-wait-time parameter to set the time to the default value (5 seconds).
Syntax
[no] vg-reset-wait-time <wait_time>
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <wait_time>
Description: The time that XOS waits after detecting no connectivity from a VAP before resetting the VAP. You specify the wait time in seconds. Valid values are from 0 to 60 seconds. The default is 5.
Restrictions
Default Privilege Level: 15
Example
CBS# configure vap-group testvap-group
CBS(config-vap-grp)# vg-reset-wait-time 15
Syntax
delay-flow <new_flow_delay_interval>
no delay-flow
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <new_flow_delay_interval>
Description: New flow delay interval that you want to assign to the VAP group that you are configuring. You specify the new flow delay interval in seconds. Valid values are 1 to 3600 seconds.
NOTE: By default, a VAP group has no new flow delay interval, but 0 is not a valid value for <new_flow_delay_interval>. To restore the default behavior, you must use the no delay-flow command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command sets the new flow delay interval for testvapgroup to 100 seconds:
CBS(config-vap-grp)# delay-flow 100
CBS(config-vap-grp)#
When you reload the VAP group, testvapgroup, the NPM waits 100 seconds after each APM assigned to that VAP group enters the Active state before assigning new flows to that APM.
Syntax
[no] application-monitor
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command disables application monitoring for the VAP group called testvapgroup:
CBS(config-vap-grp)# no application-monitor
CBS(config-vap-grp)#
Syntax
master-failover-trigger application
no master-failover-trigger
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command configures application failure as a master VAP failover trigger for the VAP group, testvapgroup:
CBS(config-vap-grp)# master-failover-trigger application
CBS(config-vap-grp)#
When the application fails to run on the master VAP for the VAP group, testvapgroup, XOS will elect a new master VAP for the group.
Syntax
master-holddown <master_VAP_hold-down_time>
no master-holddown
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <master_VAP_hold-down_time>
Description: Master VAP hold-down time that you want to assign to the VAP group that you are configuring. You specify the master VAP hold-down time in seconds. Valid values are 0-3600. Default is 0.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command sets the master VAP hold-down time for testvapgroup to 30 seconds:
CBS(config-vap-grp)# master-holddown 30
CBS(config-vap-grp)#
If the current master VAP for testvapgroup should fail, XOS will wait 30 seconds before re-electing a new master VAP for the group.
Syntax
[no] dhcp-relay-server-list <IP_address> [<IP_address>] [<IP_address>] ...
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_address>
Description: IP address of a DHCP relay server that you want to add to or remove from the DHCP relay server list for the VAP group that you are configuring. You must specify each IP address in the standard format (A.B.C.D).
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command adds the DHCP relay servers with the IP addresses 10.10.10.10 and 10.10.10.20 to the DHCP relay server list for the VAP group called testvapgroup:
CBS(config-vap-grp)# dhcp-relay-server-list 10.10.10.10 10.10.10.20
CBS(config-vap-grp)#
Syntax
[no] rp-filter
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command disables RP filtering for the VAP group called testvapgroup:
CBS(config-vap-grp)# no rp-filter
CBS(config-vap-grp)#
Syntax
[no] log-martians
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command configures the VAP group called testvapgroup to create a syslog entry for each martian that comes into the VAP group:
CBS(config-vap-grp)# log-martians
CBS(config-vap-grp)#
Syntax
show
Context
You access this command from the config-vap-grp context. You access this context from the main CLI context by issuing the configure vap-group command.
Output
The output for this command has the following format:
VAP Group : <VAP_group_name>
Operating System : {xslinux_v3 | xslinux_v5 | xslinux_v5_64 | xsve}
Load Priority : <load_priority_value>
Preemption Priority : <preemption_priority_value>
AP List : <apN> <apN> <apN> ...
VAP Count : <number_of_VAPs_in_group>
Max Load Count : <number_of_VAPs>
Max Reload Count : <number_of_reloads>
Load Balance VAP List : <index_number> <index_number> ...
IP Forwarding (true/false) : {t | f}
Delay Flow (seconds) : <new_flow_delay_interval>
Backup Mode : none
Reload Timeout (seconds) : <reload_timeout_interval>
RP Filter (true/false) : {t | f}
Log Martians (true/false) : {t | f}
DHCP Relay Server List : <IP_address> <IP_address> ...
RAID : {none | 0 | 1}
Jumbo Frame (true/false) : {t | f}
Scatter Gather (true/false) : {t | f}
Master HoldDown Timer (in seconds) : <master_VAP_hold-down_time>
Master Failover Trigger : application
Application Monitoring (true/false) : {t | f}
IPv6 Enabled (true/false) : {t | f}
IPv6 IP Forwarding (true/false) : {t | f}
Fail To Host (true/false) : f
Flow Proxy (true/false) : f
Reset Wait Time (seconds) : 5
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading: Information Provided
VAP Group: Name assigned to the VAP group. See configure vap-group on page 173 for instructions on assigning a name to a VAP group.
Operating System: VAP OS that the VAP group uses. Default is xslinux_v3. See configure vap-group on page 173 for instructions on configuring a VAP group to use a specific VAP OS.
Load Priority: Load priority assigned to the VAP group. Default is 0. See load-priority (config-vap-grp context) on page 182 for information about setting load priorities for the VAP groups configured on your X-Series Platform.
Preemption Priority: Preemption priority assigned to the VAP group. Default is 0. See preemption-priority (config-vap-grp context) on page 183 for information about setting preemption priorities for the VAP groups configured on your X-Series Platform.
AP List: Module names assigned to the APMs included in the VAP group's APM list. By default, every VAP group's APM list includes all APMs installed in the X-Series Platform. See ap-list (config-vap-grp context) on page 178 for instructions on configuring an APM list for a VAP group.
VAP Count: VAP count configured for the VAP group. Default is 1. See vap-count (config-vap-grp context) on page 175 for instructions on setting the VAP count for a VAP group.
Max Load Count: Max load count configured for the VAP group. Default is 0. See max-load-count (config-vap-grp context) on page 177 for instructions on setting the max load count for a VAP group.
Max Reload Count: The maximum number of reloads for an APM before the APM is declared DOWN. See max-reload-count (config-vap-grp context) on page 178 for instructions on setting the max reload count for an APM.
Load Balance VAP List: VAP index numbers assigned to the VAPs included in the VAP group's load-balance VAP list. By default, all VAPs in a VAP group are included in its load-balance VAP list. See load-balance-vap-list (config-vap-grp context) on page 180 for instructions on configuring a load-balance VAP list for a VAP group.
IP Forwarding (true/false): Indicates whether IP forwarding is enabled (t) or disabled (f) for the VAP group. Default is disabled (f). See ip-forwarding (config-vap-grp context) on page 192 for instructions on enabling and disabling IP forwarding for a VAP group.
Delay Flow (seconds): New flow delay interval configured for the VAP group. Default is 0. See delay-flow (config-vap-grp context) on page 197 for instructions on configuring a new flow delay interval for a VAP group.
Backup Mode: Backup mode assigned to the VAP group. Default is none. This setting is no longer configurable.
Reload Timeout (seconds): Reload timeout interval, expressed in seconds, that is configured for the VAP group. Default is 300. See reload-timeout (config-vap-grp context) on page 195 for instructions on configuring a reload timeout interval for a VAP group.
RP Filter (true/false): Indicates whether RP filtering is enabled (t) or disabled (f) for the VAP group. Default is enabled (t). See rp-filter (config-vap-grp context) on page 202 for instructions on enabling and disabling RP filtering for a VAP group.
Log Martians (true/false): Indicates whether incoming packets (called martians) that are dropped due to RP filtering are logged (t) or not (f). By default, martians are not logged (f). See log-martians (config-vap-grp context) on page 203 for instructions on configuring a VAP group to log martians.
DHCP Relay Server List: IP addresses of the DHCP servers included in the VAP group's DHCP relay server list. By default, there are no servers included in this list. See dhcp-relay-server-list (config-vap-grp context) on page 201 for instructions on configuring a DHCP relay server list for a VAP group.
RAID: RAID level configured for the two local hard drives installed on each APM assigned to the VAP group. 1 and 0 indicate RAID 1 and RAID 0, respectively; none (the default setting) indicates that local hard drives installed on APMs assigned to the VAP group do not use RAID. See raid (config-vap-grp context) on page 185 for instructions on configuring a RAID level for the local hard drives installed on APMs assigned to a VAP group.
Jumbo Frame (true/false): Indicates whether support for jumbo Ethernet frames is enabled (t) or disabled (f) for the VAP group. Default is disabled (f). See jumbo-frame (config-vap-grp context) on page 193 for instructions on enabling and disabling jumbo Ethernet frame support for a VAP group.
Scatter Gather (true/false): Indicates whether scatter-gather functionality is enabled (t) or disabled (f) for the VAP group. Default is disabled (f). See scatter-gather (config-vap-grp context) on page 194 for instructions on enabling and disabling scatter-gather functionality for a VAP group.
Master HoldDown Timer (in seconds): Master VAP hold-down time, expressed in seconds, that is configured for the VAP group. Default is 0. See master-holddown (config-vap-grp context) on page 200 for instructions on configuring the master VAP hold-down time for a VAP group.
Master Failover Trigger: If this field appears in the output, its value is always application, and it indicates that application failure is configured as a master VAP failover trigger for the VAP group. By default, application failure is not configured as a master VAP failover trigger for any VAP group. If this default behavior is configured for a VAP group, the Master Failover Trigger field does not appear in the show command output. See master-failover-trigger application (config-vap-grp context) on page 199 for information on configuring application failure as a master VAP failover trigger for a VAP group.
Application Monitoring (true/false): Indicates whether application monitoring is enabled (t) or disabled (f) for the VAP group. Default is enabled (t). See application-monitor (config-vap-group context) on page 198 for instructions on enabling and disabling application monitoring for a VAP group.
IPv6 Enabled (true/false): Indicates whether IPv6 services are enabled (t) or disabled (f) for the VAP group. Default is disabled (f).
IPv6 IP Forwarding (true/false): Indicates whether IPv6 IP forwarding is enabled (t) or disabled (f) for the VAP group. Default is disabled (f). This setting depends on the value of IPv6 Enabled. If IPv6 Enabled is false (f), you cannot set IPv6 IP Forwarding and no value for IPv6 IP Forwarding appears in the output.
Fail To Host (true/false): In a virtualized environment, if the guest application fails, this parameter controls whether the host continues to forward traffic that was intended for the guest.
Flow Proxy (true/false): Indicates whether all flows should be directed to the VAP group.
Reset Wait Time (seconds): The time that the CPM waits before resetting the APM. Some applications require a substantial boot time. By setting this wait time, you can avoid having the APM reset before it has completed the boot process. Some applications have their own restart on failure mechanisms. By setting this wait time, you can avoid having the APM reset before the application restart has had sufficient time to succeed.
Restrictions
Default Privilege Level: 15
Example
The following command displays the VAP group configuration settings for the VAP group called testvapgroup.

NOTE: The example output displays the VAP group configuration settings that you would create for testvapgroup if you issued all the example commands that we have provided throughout this section.

CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# show
VAP Group                           : testvapgroup
Operating System                    : xslinux_v5
Load Priority                       : 10
Preemption Priority                 : 10
AP List                             : ap5 ap6 ap7 ap8
VAP Count                           : 4
Max Load Count                      : 4
Max Reload Count                    : 3
Load Balance VAP List               : 1 2 3 4
IP Forwarding (true/false)          : t
Delay Flow (seconds)                : 100
Backup Mode                         : none
Reload Timeout (seconds)            : 500
RP Filter (true/false)              : f
Log Martians (true/false)           : t
DHCP Relay Server List              : 10.10.10.10 10.10.10.20
RAID                                : 1
Jumbo Frame (true/false)            : t
Scatter Gather (true/false)         : t
Master HoldDown Timer (in seconds)  : 30
Master Failover Trigger             : application
Application Monitoring (true/false) : f
IPv6 Enabled (true/false)           : t
IPv6 IP Forwarding (true/false)     : f
Fail To Host (true/false)           : f
Flow Proxy (true/false)             : f
Reset Wait Time (seconds)           : 5
(1 row)
configure host
Creates a host entry for the specified IP address, mapping that IP address to the specified host names and fully qualified domain names (FQDNs). You can create a host entry for an external system, or for a VAP. To create an entry for a VAP, specify the VAP's management IP address along with the host names and fully qualified domain names (FQDNs) that you want to assign to the VAP.

NOTE: You can use the show ap-vap-mapping command to display the management IP addresses assigned to the VAPs in the VAP groups configured on the X-Series Platform.

Each time you issue this command to assign a host name or FQDN to a host, the CPM stores the new host name or FQDN assignment as a host entry in the /etc/hosts file. The CPM and the VAPs configured on the X-Series Platform can use the entries in the /etc/hosts file to look up a host's IP address using its host name(s) or FQDN(s).

Use the show host command to display all host entries currently stored in the /etc/hosts file on the CPM. Use the configure no host command to remove all host entries that include the specified IP address.
Syntax
configure host <host_IP_address> {<host_name_1> | <FQDN_1>} [<host_name_2> | <FQDN_2>] ... [<host_name_3> | <FQDN_3>]
configure no host <host_IP_address>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter: <host_IP_address>
Description: IP address assigned to the host or management IP address assigned to the VAP for which you want to create or delete host entries. NOTE: You can use the show ap-vap-mapping command to display the management IP addresses assigned to the VAPs in the VAP groups configured on the X-Series Platform.

Parameter: <host_name_n>
Description: Host name that you want to assign to the host or VAP with the specified IP address. NOTE: You can specify more than one host name for a single host or VAP.

Parameter: <FQDN_n>
Description: Fully-qualified domain name (FQDN) that you want to assign to the host or VAP with the specified IP address. NOTE: You can specify more than one FQDN for a single host or VAP.
Restrictions
Default Privilege Level: 15
You can specify a maximum of five host names or FQDNs for a single host or VAP.
Example
In this example, the X-Series Platform administrator wants to assign a hostname to all VAPs in the VAP group testvapgroup. First, the administrator issues the following command to display the management IP addresses assigned to each VAP in testvapgroup:

CBS# show ap-vap-mapping
Module  Slot  Status  VAP IP Address  VAP Group     Index  Master (true/false)
AP3     5     Active  1.1.1.99        idsvapgroup   1      false
AP4     6     Active  1.1.1.100       idsvapgroup   2      true
AP5     7     Active  1.1.2.101       testvapgroup  1      false
AP6     8     Active  1.1.2.102       testvapgroup  2      true
AP7     9     Active  1.1.2.103       testvapgroup  3      false
AP8     10    Active  1.1.2.104       testvapgroup  4      false
(6 rows)

The X-Series Platform administrator then uses the following commands to assign a host name to each VAP in the VAP group called testvapgroup:

CBS# configure host 1.1.2.101 testhostvap1
CBS# configure host 1.1.2.102 testhostvap2
CBS# configure host 1.1.2.103 testhostvap3
CBS# configure host 1.1.2.104 testhostvap4
CBS#
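Because the CPM and the VAPs resolve names through /etc/hosts, planned entries are worth checking before they are typed. The following added example (not from the original guide or from the vendor) builds the configure host commands for the VAPs above and rejects entries that break the five-name limit or reuse a name already mapped to another address. The existing hosts content, the RFC 1123 name check, the 1.1.2.105 entry and all function names are assumptions of this example.

```python
import ipaddress
import re

MAX_NAMES = 5  # Restrictions: at most five host names or FQDNs per host or VAP

# Assumption: RFC 1123 label syntax. The guide does not say which characters
# XOS accepts in a host name.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed /etc/hosts content, standing in for what `show host` reports.
EXISTING_HOSTS = """\
127.0.0.1   localhost
1.1.1.99    idsvap1 testhostvap3   # constructed stale entry
"""

# Addresses and names from the guide's example, plus one constructed entry
# (1.1.2.105) that exceeds the five-name limit.
DESIRED = [
    ("1.1.2.101", ["testhostvap1"]),
    ("1.1.2.102", ["testhostvap2"]),
    ("1.1.2.103", ["testhostvap3"]),
    ("1.1.2.104", ["testhostvap4"]),
    ("1.1.2.105", ["n1", "n2", "n3", "n4", "n5", "n6"]),
]


def is_valid_name(name):
    """True if every dot-separated label of a host name or FQDN is well formed."""
    labels = name.rstrip(".").split(".")
    return len(name) <= 253 and all(LABEL.match(label) for label in labels)


def parse_hosts(text):
    """Return {lowercased name: IP address} from /etc/hosts-style text."""
    owners = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                              # not a host entry
        for name in fields[1:]:
            owners.setdefault(name.lower(), ip)
    return owners


def plan_configure_host(desired, hosts_text):
    """Return (commands, rejected) for a list of (ip, [names]) assignments."""
    owners = parse_hosts(hosts_text)
    commands, rejected = [], []
    for ip, names in desired:
        try:
            addr = str(ipaddress.ip_address(ip))
        except ValueError:
            rejected.append((ip, "invalid IP address"))
            continue
        if not 1 <= len(names) <= MAX_NAMES:
            rejected.append((ip, f"{len(names)} names given, allowed 1 to {MAX_NAMES}"))
            continue
        bad = [n for n in names if not is_valid_name(n)]
        if bad:
            rejected.append((ip, "invalid name: " + ", ".join(bad)))
            continue
        # A name that already resolves to a different address would make
        # lookups on the CPM and the VAPs ambiguous.
        clash = [n for n in names if owners.get(n.lower(), addr) != addr]
        if clash:
            detail = ", ".join(f"{n} -> {owners[n.lower()]}" for n in clash)
            rejected.append((ip, "name already mapped to another address: " + detail))
            continue
        for n in names:
            owners[n.lower()] = addr
        commands.append("configure host " + " ".join([addr, *names]))
    return commands, rejected


if __name__ == "__main__":
    cmds, errs = plan_configure_host(DESIRED, EXISTING_HOSTS)
    print("\n".join(cmds))
    for ip, reason in errs:
        print(f"rejected {ip}: {reason}")
```
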
vap-group-password
Configures a user-defined Unix root password for the specified VAP group, assigns the CPM's Unix root password to all VAP groups configured on the X-Series Platform, or assigns the CPM's Unix root password to the specified VAP group.

By default, VAP groups do not have Unix root passwords. A VAP group's Unix root password applies to every VAP in the group. To successfully log into a VAP using SSH, you must supply the Unix root password assigned to that VAP.

NOTE: While you must use a VAP's Unix root password to log into the VAP using SSH, you do not have to supply a password to log into a VAP from the CPM using RSH. See Executing Unix Commands on a Designated VAP on page 892 for more information on using RSH to log into a VAP from the CPM.

You use a VAP's Unix root password to access the Linux shell running on the VAP. To access and manage the application running on the VAP, you use the application management password that you specify when you install the application on the VAP group.

The vap-group-password command performs one of three different operations, depending on the command syntax that you use:

vap-group-password vap-group <VAP_group_name>
Assigns a user-defined password to the specified VAP group. When you issue this command, the CLI prompts you twice to enter the password for the specified VAP group. NOTE: A VAP group password must be at least six characters in length and must meet IT industry standards for secure passwords. If you enter a password that does not meet these requirements, the CLI issues an error message and prompts you to enter a different password.

vap-group-password source-cp
Assigns the CPM's root password to all VAP groups configured on the X-Series Platform.

vap-group-password source-cp vap-group <VAP_group_name>
Assigns the CPM's root password to the specified VAP group.
Syntax
vap-group-password vap-group <VAP_group_name>
vap-group-password source-cp [vap-group <VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Configures a Unix root password only for the VAP group with the specified VAP group name.

Parameter: source-cp
Description: Assigns the CPM's Unix root password to all VAP groups or to the specified VAP group.
Restrictions
Default Privilege Level: 15
Examples
The following command configures a user-defined password for the VAP group called testvapgroup:

CBS# vap-group-password vap-group testvapgroup
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

The following command assigns the CPM's root password to the VAP group called testvapgroup:

CBS# vap-group-password source-cp vap-group testvapgroup
CBS#
vap-group-password-expiration
Defines the password expiration interval for all VAP groups configured on the X-Series Platform or for the specified VAP group. A VAP group's password expiration interval is the number of days that the VAP group's Unix root password remains valid before it expires and must be changed. You can specify a user-defined password expiration interval or you can specify the source-cp parameter to use the CPM's Unix root password expiration interval as the VAP group Unix root password expiration interval.
Syntax
vap-group-password-expiration {<expiration_interval> | source-cp} [vap-group <VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter: <expiration_interval>
Description: Amount of time, expressed in days, that the Unix root password remains valid for all VAP groups configured on the X-Series Platform or for the specified VAP group. When a VAP group's password is no longer valid, the password expires, and you must change the password the next time you log into a VAP in the group. Valid values for <expiration_interval> are from 0 to 65535. NOTE: An expiration interval of 0 means that the Unix root password for the VAP group(s) does not expire.

Parameter: source-cp
Description: Specifies the CPM's root password expiration interval as the VAP group Unix root password expiration interval.

Parameter: vap-group <VAP_group_name>
Description: Configures the specified Unix root password expiration interval only for the VAP group with the specified VAP group name. If you do not specify this parameter, the vap-group-password-expiration command configures a Unix root password expiration interval for all VAP groups configured on the X-Series Platform.
Restrictions
Default Privilege Level: 15
Example
The following command configures the Unix root password for the VAP group called testvapgroup to expire in 30 days. After 30 days have passed, the next time a user logs into a VAP in the group using SSH, the VAP will prompt the user to change the Unix root password.

CBS# vap-group-password-expiration 30 vap-group testvapgroup
CBS#
application
Performs one of the following operations:
- Installs an application on a VAP group.
- Configures an application running on a VAP group.
- Changes the state of an application running on a VAP group. (Starts, stops, or restarts the application.)
- Uninstalls an application from a VAP group.
Syntax
application <application_ID> [version <version_ID>] [release <release_#>] vap-group <VAP_group_name> {install | configure | start | stop | restart | uninstall}
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter: <application_ID>
Description: Application identifier assigned to the application that you want to install, configure, start, stop, restart, or uninstall on a VAP group. Use the show application command to display the application identifiers assigned to the applications that are currently loaded on the CPM.

Parameter: version <version_ID>
Description: Specifies the version of the application that you want to install, configure, start, stop, restart, or uninstall on a VAP group. NOTE: Not all applications use purely numeric version identifiers. For example, the version identifier for Check Point VPN-1 Power NGX R65 is NGXR65. Use the show application command to display the version identifiers assigned to the application installation packages currently loaded on the CPM.

Parameter: release <release_#>
Description: Specifies the release of the application that you want to install on a VAP group. NOTE: If the /crossbeam/apps/archive directory contains more than one CBI application bundle of the same version, and you do not specify a release, the installation process installs the most recent release by default. Use the show application command to display the release numbers assigned to the application installation packages currently loaded on the CPM.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name assigned to the VAP group on which you want to install, configure, start, stop, restart, or uninstall an application.
Parameter: install
Description: Runs the Crossbeam installation script for the specified application on the specified VAP group. The Crossbeam installation script performs the following operations:
1. Verifies that the X-Series Platform meets the application's hardware, software, and network configuration requirements. IMPORTANT: If the X-Series Platform does not meet these requirements, the installation will fail. Refer to your application installation and configuration guide for instructions on configuring the X-Series Platform to support the application.
2. Runs the installation interview script, prompting you to enter licensing and configuration information for your application. NOTE: Refer to your application installation and configuration guide for instructions on answering installation interview questions.
3. Installs and configures the application on the specified VAP group.

Parameter: configure
Description: Displays the configuration menu for the specified application running on the specified VAP group. To change the current configuration for the application, choose an option from the configuration menu and enter information if prompted. NOTE: Each application has its own custom configuration menu, and each application's configuration menu may include different options, depending on the current state of the application. Refer to your application installation and configuration guide for instructions on using the configuration menu(s) for your application. NOTE: Some configuration changes do not take effect until after you reload the VAP group. The CLI issues a message if you must reload the VAP group to implement a configuration change.

Parameter: start
Description: Starts the specified application on the specified VAP group.

Parameter: stop
Description: Stops the specified application on the specified VAP group. NOTE: For some applications, using this command sets the Start on Boot flag to no. This value remains unchanged if you reload the VAP group or reboot the chassis. To reset the value to yes, use the start parameter with the application command.

Parameter: restart

Parameter: uninstall
Description: Uninstalls the specified application from the specified VAP group. NOTE: Uninstalling an application from a VAP group does not remove the Crossbeam Installer (CBI) bundle from the CPM. You can always use the CBI bundle to reinstall the application. To remove an application's CBI bundle from the CPM, thereby preventing reinstallation of the application, use the application-remove command.
Restrictions
Default Privilege Level: 15
Examples
Example 1: Installing an Application

The following command installs the Check Point VPN-1 Power NGX R65 firewall application on the VAP group called testvapgroup, which includes three VAPs.

NOTE: After you install an application on a VAP group, you must reload the VAP group to start the application and implement the initial configuration that you create during the installation interview. See reload vap-group on page 593 for instructions on reloading a VAP group.

CBS# application vpn1 vap-group testvapgroup install
Check Point Software Technologies LTD., VPN-1 Power NGXR65 release 1.0.2.0-5
Checking Bundle Integrity: [####################] 100% [ ok ]
Checking Dependencies: [####################] 100% [ ok ]
Check Point Software Technologies Ltd. License Agreement V.NG.2
<License Agreement text>
<Installation interview questions - see application installation and configuration guide for full text>
** A reboot is required for the change(s) to take affect. **
Extracting Bundle: [####################] 100% [ ok ]
Installing vpn1 on VAP testvapgroup_3: [####################] 100% [ ok ]
Installing vpn1 on VAP testvapgroup_2: [####################] 100% [ ok ]
Installing vpn1 on VAP testvapgroup_1: [####################] 100% [ ok ]
In order to successfully complete the application install, the XOS configuration must be saved. Any unsaved configuration will be lost.
Do you want to save it to startup-config? <Y or N>[Y]: Y
Saving configuration ...
Please be patient....
CBS#

Example 2: Configuring an Application

The following command displays the configuration menu for the Check Point VPN-1 Power NGX R65 firewall application running on the VAP group called testvapgroup. Note that the available configuration options shown here reflect the current configuration for the application.

To change the application's configuration, enter the appropriate option number and then enter information if prompted. Then, enter 6 to exit the configuration menu, confirm the configuration changes that you made, and return to the CLI prompt.

CBS# application vpn1 vap-group testvapgroup configure
Check Point Software Technologies LTD., VPN-1 Power NGXR65 release 1.0.2.0-5
Checking Dependencies: [####################] 100% [ ok ]
VPN-1 Power Configuration Menu
1. Licenses
2. Secure Internal Communication
3. High Availability/State Synchronization
4. Check Point Optional Packages
5. Check Point SecureXL
6. Exit
Enter choice: 6
CBS#

NOTE: You may need to reload the VAP group for your configuration changes to take effect. The CLI displays a message if your configuration changes require a VAP group reload. See reload vap-group on page 593 for instructions on reloading a VAP group.

Example 3: Stopping an Application

The following command stops the Check Point VPN-1 Power NGX R65 firewall application on the VAP group called testvapgroup:

CBS# application vpn1 vap-group testvapgroup stop
Stopping vpn1 on VAP testvapgroup_3: [####################] 100% [ ok ]
Stopping vpn1 on VAP testvapgroup_2: [####################] 100% [ ok ]
Stopping vpn1 on VAP testvapgroup_1: [####################] 100% [ ok ]
CBS#
application-update
Installs the application on all members of the specified VAP group on which the application is not already installed. Each time you add new VAPs to a VAP group on which an application has been installed, you must use the application-update command to install the application on the new VAPs. NOTE: When you install the application on new VAPs in a VAP group, XOS copies the configuration files from the existing VAPs onto the new VAPs. An application always has the same configuration on all VAPs in a VAP group. IMPORTANT: After you install an application on new VAPs in a VAP group, you must reload the new VAPs to implement the application configuration and start running the application on the new VAPs.
Syntax
application-update vap-group <VAP_group_name>
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to execute the application-update command.
Restrictions
Default Privilege Level: 15
Example
In this example, a firewall application has been installed on a VAP group called testvapgroup. This VAP group consisted of three VAPs at the time of the installation. A few months after the firewall application installation, the X-Series Platform administrator added a fourth VAP to the group. To install the firewall application on the fourth VAP in the VAP group called testvapgroup, the administrator issues the following command:

CBS# application-update vap-group testvapgroup

NOTE: You must reload the new VAPs to start running the application on the new VAPs in the VAP group.
application-upgrade
Upgrades the application on all members of the specified VAP group to a later version of the CBI. If you have previously installed a CBI application bundle, you can use the application-upgrade command to upgrade to a later version of the CBI. NOTE: After you upgrade the application, you may be required to reload the VAP group. The upgrade interview will request a reload, if required.
Syntax
application-upgrade <application_id> vap-group <VAP_group_name> [version <version_id>] [release <release_#>]
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter: <application_ID>
Description: Application identifier assigned to the application that you want to upgrade on a VAP group. Use the show application command to display the application identifiers assigned to the applications that are currently loaded on the CPM.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to execute the application-upgrade command.

Parameter: version <version_ID>
Description: Specifies the version of the application that you want to upgrade on a VAP group. NOTE: At present, application upgrades are supported only between different releases of the same application version.

Parameter: release <release_#>
Description: Specifies the release of the application to which you want to upgrade on a VAP group. NOTE: If the /crossbeam/apps/archive directory contains more than one CBI application bundle of the same version, and you do not specify a release, the upgrade process upgrades to the most recent release by default. Use the show application command to display the release numbers assigned to the application installation packages currently loaded on the CPM.
Restrictions
Default Privilege Level: 15
Example
In this example, a firewall application has been installed on a VAP group called testvapgroup. To upgrade to a new release of the firewall application on the VAP group called testvapgroup, the administrator places the new firewall application CBI in the /crossbeam/apps/archive directory on the X-Series platform and then issues the following command:

CBS# application-upgrade <application_ID> vap-group testvapgroup
application-remove
Removes the specified application's Crossbeam Installer (CBI) bundle from the CPM.

NOTE: This command does not uninstall an application running on a VAP group. To uninstall an application, you must use the application command with the uninstall parameter.
Syntax
application-remove <application_ID> [version <version_ID> [release <release_number>]]
Context
You can access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter: <application_ID>
Description: Application identifier assigned to the application CBI bundle you want to remove from the CPM. Use the show application command to display the application identifiers assigned to the applications that are currently loaded on the CPM.

Parameter: version <version_ID>
Description: Version identifier assigned to the application CBI bundle you want to remove from the CPM. NOTE: You can specify the version parameter with or without the release parameter.

Parameter: release <release_number>
Description: Release identifier assigned to the application CBI bundle you want to remove from the CPM. NOTE: To specify the release parameter, you must include the version parameter.
Restrictions
Default Privilege Level: 15
Example
The following command removes the Check Point VPN-1 Power NGX R71.10 application CBI bundle from the CPM, thereby preventing reinstallation of that application:

CBS# application-remove CPSG version R71.10 release 3.0.2.0-3
CBS#
show application
Displays information about the applications loaded onto the CPM on the X-Series Platform.
Syntax
show application
Context
You access this command from the main CLI context.
Output
This command displays information about each application loaded on the X-Series Platform, using the following format:

App ID      : <application_identifier>
Name        : <application_name>
Version     : <application_version>
Release     : <application_release_number>
CBI Version : <CBI_version_number>

The following table describes the information provided in each column/row.

Column/Row Heading: App ID
Information Provided: Application identifier that Crossbeam has assigned to the application. When you use a CLI command to perform an operation on a specific application, you specify the application identifier as an argument to the CLI command. For example, to install Check Point VPN-1 Power NGX R65 on a VAP group, you specify the application identifier, vpn1, with the following command:
CBS# application vpn1 version NGXR65 vap-group <VAP_group_name> install

Column/Row Heading: Name
Information Provided: Application name.

Column/Row Heading: Version
Information Provided: Application version.

Column/Row Heading: Release
Information Provided: Application release number. NOTE: This row does not appear for applications that are installed using Application Development Framework (ADF) RPMs.

Column/Row Heading: CBI Version
Information Provided: Version number assigned to the Crossbeam Installer (CBI) package used to install the application on a VAP group. NOTE: This row does not appear for applications that are installed using RPMs.
Restrictions
Default Privilege Level: 0
Example
The following command shows information about the two applications that are currently loaded on the CPM in an X-Series Platform:

CBS# show application
App ID      : issprovg
Name        : IBM Proventia Network IPS
Version     : 2.0
Release     : 1
CBI Version : 1.1.0.0

App ID      : vpn1
Name        : VPN-1 Power
Version     : NGXR65
Release     : 1.0.2.0-5
CBI Version : 1.0.2.0
Syntax
show application vap-group [<VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter: <VAP_group_name>
Description: Displays information about the application installed on the VAP group with the specified VAP group name. If you do not specify this parameter, the show application vap-group command displays information about all applications installed on VAP groups configured on the X-Series Platform.
Output
This command displays information about the application installed on a VAP group using the following format:

VAP Group                      : <VAP_group_name>
App ID                         : <application_identifier>
Name                           : {<application_name> | N/A}
Version                        : <application_version>
Release                        : {<application_release_number> | N/A}
Start on Boot                  : {yes | no}
App Monitor                    : {on | off}
App State (<VAP_group_name>_1): {Up | Down | Initializing | Not Monitored}
App State (<VAP_group_name>_2): {Up | Down | Initializing | Not Monitored}
....
App State (<VAP_group_name>_n): {Up | Down | Initializing | Not Monitored}
The following table describes the information provided in each column/row.

Column/Row Heading: VAP Group
Information Provided: Name of the VAP group on which the application is installed.

Column/Row Heading: App ID
Information Provided: Application identifier that Crossbeam has assigned to the application. When you use a CLI command to perform an operation on a specific application, you specify the application identifier as an argument to the CLI command. For example, to install Check Point VPN-1 Power NGX R65 on a VAP group, you specify the application identifier, vpn1, with the following command:
CBS# application vpn1 version NGXR65 vap-group <VAP_group_name> install

Column/Row Heading: Name
Information Provided: Application name. NOTE: N/A indicates that the application is installed using an RPM.

Column/Row Heading: Version
Information Provided: Application version.

Column/Row Heading: Release
Information Provided: Application release number. NOTE: N/A indicates that the application is installed using an RPM.

Column/Row Heading: Start on Boot
Information Provided: Indicates whether the application automatically starts running when you boot up the VAP group:
on: Application automatically starts up when you boot up the VAP group.
off: You must manually start up the application each time you boot up the VAP group.

Column/Row Heading: App Monitor
Information Provided: Indicates whether application monitoring is enabled (on) or disabled (off) on the VAP group on which the application is installed. By default, application monitoring is enabled (on). See application-monitor (config-vap-group context) on page 198 for more information about application monitoring and for instructions on enabling and disabling application monitoring on a VAP group.

Column/Row Heading: App State (<VAP_group_name>_n)
Information Provided: Indicates the current state of the application on the VAP with the VAP index number n. The show application vap-group command displays the current state of the application on each VAP on which an application is installed. Possible application states are:
Up: Application is running on the VAP.
Down: Application is not running on the VAP, but the APM on which the VAP is loaded is functional.
Initializing: The APM on which the VAP is loaded is rebooting.
Not Monitored: Application monitoring is disabled on the VAP group on which the application is installed. Therefore, XOS is unable to determine the current state of the application on any VAP.
NOTE: These rows appear only for VAPs that are currently loaded onto APMs.
NOTE: For applications that are installed using RPMs, this row has the format: <VAP_group_name>_n
Restrictions
Default Privilege Level: 0
Example
The following command shows information about the firewall application running on the VAP group called testvapgroup:

CBS# show application vap-group testvapgroup
VAP Group                   : testvapgroup
App ID                      : vpn1
Name                        : VPN-1 Power
Version                     : NGXR65
Release                     : 1.0.2.0-5
Start on Boot               : yes
App Monitor                 : on
App State (testvapgroup_1)  : Up
App State (testvapgroup_2)  : Up
App State (testvapgroup_3)  : Up
CBS#
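Operators often capture this output to confirm that a security application is actually running on every VAP. The following added example (not from the original guide or from the vendor) parses the documented "key : value" format and reports VAP groups with application monitoring off, Start on Boot disabled, or VAPs in any state other than Up. The sample output is constructed, the function names and issue labels are assumptions of this example, and the RPM row variant (<VAP_group_name>_n) is not handled.

```python
import re
from dataclasses import dataclass, field

# Constructed sample. The first record repeats the guide's example output; the
# second record is invented to exercise the non-healthy cases.
SAMPLE_OUTPUT = """\
CBS# show application vap-group
VAP Group                   : testvapgroup
App ID                      : vpn1
Name                        : VPN-1 Power
Version                     : NGXR65
Release                     : 1.0.2.0-5
Start on Boot               : yes
App Monitor                 : on
App State (testvapgroup_1)  : Up
App State (testvapgroup_2)  : Up
App State (testvapgroup_3)  : Up

VAP Group                   : idsvapgroup
App ID                      : issprovg
Name                        : IBM Proventia Network IPS
Version                     : 2.0
Release                     : 1
Start on Boot               : no
App Monitor                 : on
App State (idsvapgroup_1)   : Down
App State (idsvapgroup_2)   : Initializing
CBS#
"""

STATE_KEY = re.compile(r"^App State \((?P<vap>[^)]+)\)$")
DOCUMENTED_STATES = {"Up", "Down", "Initializing", "Not Monitored"}


@dataclass
class AppRecord:
    vap_group: str
    fields: dict = field(default_factory=dict)   # e.g. "App ID" -> "vpn1"
    states: dict = field(default_factory=dict)   # e.g. "testvapgroup_1" -> "Up"


def parse_show_application_vap_group(text):
    """Split the command output into one AppRecord per "VAP Group" row."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, CLI prompts and anything that is not "key : value".
        if not line or line.startswith("CBS#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "VAP Group":
            current = AppRecord(vap_group=value)
            records.append(current)
        elif current is not None:
            match = STATE_KEY.match(key)
            if match:
                current.states[match.group("vap")] = value
            else:
                current.fields[key] = value
    return records


def audit(records):
    """Return (subject, issue) pairs for every condition that needs attention."""
    findings = []
    for rec in records:
        monitor_off = rec.fields.get("App Monitor", "").lower() == "off"
        if monitor_off:
            # XOS cannot report application state for this group at all.
            findings.append((rec.vap_group, "monitoring-disabled"))
        # The guide shows yes/no in the output format and on/off in the table.
        if rec.fields.get("Start on Boot", "").lower() in {"no", "off"}:
            findings.append((rec.vap_group, "start-on-boot-disabled"))
        for vap, state in sorted(rec.states.items()):
            if state not in DOCUMENTED_STATES:
                findings.append((vap, "unknown-state"))
            elif state == "Not Monitored" and monitor_off:
                continue  # already reported once at group level
            elif state != "Up":
                findings.append((vap, state.lower().replace(" ", "-")))
    return findings


if __name__ == "__main__":
    for subject, issue in audit(parse_show_application_vap_group(SAMPLE_OUTPUT)):
        print(f"{subject}: {issue}")
```
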
archive-vap-group backup
Backs up the specified VAP group's filesystems and saves them in an archive directory on the CPM.

IMPORTANT: Before creating an archive, XOS verifies that the CPM has enough disk space available to store the new archive. If the CPM does not have enough disk space, the backup operation fails and the CLI issues an error message.

During the VAP group backup operation, the application installed on the VAP group must be shut down. When you issue the archive-vap-group backup command, the CLI displays a message warning you that the VAP group will be disabled during the backup and prompts you to confirm or cancel the operation. If you confirm the operation, XOS shuts down the application running on the VAP group and then proceeds to back up the VAP group's filesystems and create an archive for the VAP group.

All archive directories have the following structure:

/tftpboot/archives/<VAP_group_name>/<archive_number>

where <VAP_group_name> is the name of the archived VAP group and <archive_number> is the number that XOS assigns to the archive. XOS assigns the number 1 to the first archive that you create for a VAP group. XOS then increments the archive number by 1 for each subsequent archive that you create for the VAP group. For example, the second archive you create for a particular VAP group has archive number 2, and the third has archive number 3.
Syntax
archive-vap-group backup vap-group <VAP_group_name> [archive <archive_number>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter: vap-group <VAP_group_name>
Description: Specifies the name assigned to the VAP group for which you want to create an archive.

Parameter: archive <archive_number>
Description: Backs up the specified VAP group using the specified archive number (1 - 99). By default, the X-Series Platform creates backups of VAP group file systems starting with archive number 1. If you do not specify an archive number, the X-Series Platform assigns the next unused archive number. You can specify any archive number, provided that the number is not being used by an existing archive.
Restrictions
Default Privilege Level: 15
Example
The following command backs up the filesystems for the VAP group called testvapgroup and stores the archive files on the CPM in a directory called /tftpboot/archives/testvapgroup/1:

CBS# archive-vap-group backup vap-group testvapgroup
Calculating available and required space...........+..Done
During backup the vap-group will be disabled. Continue? <Y or N> [Y]: Y
Waiting for vap group to go down...Done
Backing up testvapgroup_1 Archive 1 to /tftpboot/archives/testvapgroup/1...........+...........+..Done
Backing up testvapgroup_2 Archive 1 to /tftpboot/archives/testvapgroup/1...........+...........+..Done
Backing up testvapgroup_3 Archive 1 to /tftpboot/archives/testvapgroup/1...........+...........+..Done
Backing up testvapgroup_common Archive 1 to /tftpboot/archives/testvapgroup/1...........+...........+..Done
Creating MD5 sum file......Done
CBS#
archive-vap-group restore
Restores VAP group file systems using the most recent backup archive created for the VAP group or using the backup archive with the specified archive number.

IMPORTANT: Before restoring a VAP group using an archive stored on an external server, XOS verifies that the CPM has enough memory available to store the archive files while the X-Series Platform performs the restore operation. If the CPM does not have enough memory, the restore operation fails and the CLI issues an error message.

During the VAP group restore operation, the application installed on the VAP group must be shut down. When you issue the archive-vap-group restore command, the CLI displays a message warning you that the VAP group will be disabled during the restore operation and prompts you to confirm or cancel the operation. If you confirm the operation, XOS shuts down the application running on the VAP group and then proceeds to restore the VAP group's filesystems using the specified archive.

By default, the X-Series Platform restores a VAP group's filesystems using the most recent archive created for that VAP group. Optionally, you can specify a less recent archive using its archive number.

IMPORTANT: You must specify an archive created when the VAP group had the same VAP count, XOS version, VAP OS version, application name, application version, and application release number as it does now. The restore operation will fail if any of these VAP group configuration parameter values are not the same for the archived VAP group and the restored VAP group. Use the archive-vap-group show command to display the archive number and VAP group configuration parameter values for every archive created from the VAP group that you plan to restore.
Syntax
archive-vap-group restore vap-group <VAP_group_name> [archive <archive_number>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Specifies the name assigned to the VAP group whose filesystems you want to restore.
Parameter: archive <archive_number>
Description: Restores the specified VAP group using the archive with the specified archive number. By default, the X-Series Platform restores VAP group file systems using the most recent archive created for that VAP group. IMPORTANT: You must specify an archive created when the VAP group had the same VAP count, XOS version, VAP OS version, application name, application version, and application release number as it does now. The restore operation will fail if any of these VAP group configuration parameter values are not the same for the archived VAP group and the restored VAP group. Use the archive-vap-group show command to display the archive number and VAP group configuration parameter values for every archive created from the VAP group that you plan to restore.
Restrictions
Default Privilege Level: 15
You must restore a VAP group using an archive created when the VAP group had the same VAP count, XOS version, VAP OS version, application name, application version, and application release number as it does now. The restore operation will fail if any of these VAP group configuration parameter values are not the same for the archived VAP group and the restored VAP group.
Example
The following command restores the filesystems for the VAP group called testvapgroup using archive number 1, which is stored on the CPM in a directory called /tftpboot/archives/testvapgroup/1:
CBS# archive-vap-group restore vap-group testvapgroup archive 1
Checking MD5 sums...
Calculating available and required space.......Done
During restore the vap-group will be disabled. Continue? <Y or N> [Y]: Y
Waiting for vap group to go down...Done
Restoring vap-group testvapgroup archive 1. This may take several minutes...
Removing old temporary files ...Done
Extracting testvapgroup_1 archive...........+..Done
Extracting testvapgroup_2 archive...........+....Done
Extracting testvapgroup_3 archive...........+...Done
Extracting testvapgroup_common archive...........+...Done
Restoring VapGroup testvapgroup
testvapgroup_common restoration has completed
testvapgroup_1 restoration has completed
testvapgroup_2 restoration has completed
testvapgroup_3 restoration has completed
VAP Group testvapgroup restoration completed
Cleaning up temporary files...........+...........+...........+.Done
CBS#
archive-vap-group delete
Deletes all of the specified VAP group's archives or deletes the specified VAP group archive.
Syntax
archive-vap-group delete vap-group <VAP_group_name> [archive <archive_number>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Specifies the name assigned to the VAP group whose archive(s) you want to delete from the CPM.
Parameter: archive <archive_number>
Description: Deletes the specified archive of the specified VAP group. You specify an archive using its archive number. Use the archive-vap-group show command to display the archive numbers assigned to the archives created for a specific VAP group. If you do not specify the archive parameter, the archive-vap-group delete command deletes all of the archives that were created for the specified VAP group.
Restrictions
Default Privilege Level: 15
Example
The following command deletes all archives that were created for the VAP group called testvapgroup:
CBS# archive-vap-group delete vap-group testvapgroup archive 2
Deleting archive 2 for VAP Group testvapgroup
Done
CBS#
archive-vap-group show
Displays information about VAP group archives. An archive is a backup copy of all the filesystems used by a particular VAP group at a particular time.
By default, this command displays information about all archives created for VAP groups configured on the X-Series Platform. Use the vap-group parameter to display information only about archives created for the specified VAP group. Use the vap-group parameter with the archive parameter to display information only about the specified archive of the specified VAP group.
Syntax
archive-vap-group show [vap-group <VAP_group_name> [archive <archive_number>]]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Displays information only about the archives created for the specified VAP group. If you do not specify this parameter, the archive-vap-group show command displays information about all archives created for all VAP groups configured on the X-Series Platform.
Parameter: archive <archive_number>
Description: Displays information only about the specified archive created for the specified VAP group. You specify an archive using its archive number. NOTE: A VAP group's archives are numbered from 1 to n, where n is the number of archives created for a VAP group. The first archive that you create for a VAP group is archive number 1, the second is 2, etc. If you do not specify the archive parameter with the vap-group parameter, the archive-vap-group show command displays information about all archives created for the specified VAP group.
Output
This command displays archive information in the following format:
VAP Group : <VAP_group_name>
Archive Number : <archive_number>
VAP Count : <VAP_count>
VAP OS version : {xslinux_v3 | xslinux_v5 | xslinux_v5_64 | xsve}
XOS version : <XOS_version>
Application : <application_name>
Application Version : <application_version_identifier>
Application Release : <application_release_number>
Date : <archive_creation_date>
Archive Location : {<archive_directory_on_CPM> | <URL_for_archive_directory_on_external_server>}
Archive Size : <number_of_bytes>
The following table describes the information provided in each column/row.
Column/Row Heading: VAP Group
Information Provided: Name of the VAP group that was backed up to create the archive.
Column/Row Heading: Archive Number
Information Provided: Archive number that XOS assigned to the archive. XOS assigns the number 1 to the first archive that you create for a VAP group. XOS then increments the archive number by 1 for each subsequent archive that you create for the VAP group. For example, the second archive you create for a VAP group is archive number 2, and the third is archive number 3.
Column/Row Heading: VAP Count
Information Provided: Number of VAPs in the archived VAP group at the time when the archive was created.
Column/Row Heading: VAP OS version
Information Provided: VAP OS version running on the archived VAP group at the time when the archive was created.
Column/Row Heading: XOS version
Information Provided: XOS version running on the X-Series Platform at the time when the archive was created.
Column/Row Heading: Application
Information Provided: Name of the application running on the VAP group at the time when the archive was created.
Column/Row Heading: Application Version
Information Provided: Version of the application running on the VAP group at the time when the archive was created.
Column/Row Heading: Application Release
Information Provided: Release of the application running on the VAP group at the time when the archive was created.
Column/Row Heading: Date
Information Provided: Day, date, and time at which the archive was created.
Column/Row Heading: Archive Location
Information Provided: Full path to the CPM directory in which the archive files are stored. NOTE: The archive-vap-group show command displays the location where the archive files were placed when the archive was created. If the archive files have been moved to another location, the archive-vap-group show command does not display the new location.
Column/Row Heading: Archive Size
Information Provided: Total size of the contents of the archive directory, expressed in bytes.
Restrictions
Default Privilege Level: 15
Example
The following command displays information about the first archive (archive number 1) that was created for the VAP group called testvapgroup.
CBS# show archive-vap-group vap-group testvapgroup archive 1
VAP Group : testvapgroup
Archive Number : 1
VAP Count : 3
VAP OS version : xslinux_v3
XOS version : 9.5.1-xx
Application : VPN-1 Power
Application Version : NGXR65
Application Release : 1.0.2.0-5
Date : Mon Nov 29 14:53:25 EST 2010
Archive Location : /tftpboot/archives/testvapgroup/1
Archive Size : 419624
CBS#
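The restore restriction (same VAP count, XOS version, VAP OS version, application name, version, and release) can be checked against archive-vap-group show output before the VAP group is taken down. The following Python script is an added example, not part of the XOS guide or of Crossbeam software: it parses output in the format described above and picks the newest archive that matches the live VAP group. Archives 2 and 3 in the sample, the LIVE values, and the assumption that each listed archive starts with its own "VAP Group" line are constructed for illustration.

```python
"""Pre-restore compatibility check for XOS VAP group archives (added example)."""

# Parameters that must be identical in the archive and the live VAP group
# (Restrictions section of archive-vap-group restore).
MATCH_FIELDS = (
    "VAP Count", "XOS version", "VAP OS version",
    "Application", "Application Version", "Application Release",
)

# Constructed sample. Archive 1 repeats the example in this guide; archives 2
# and 3 are invented. Assumption: each record starts with a "VAP Group" line.
SAMPLE_SHOW_OUTPUT = """\
CBS# archive-vap-group show vap-group testvapgroup
VAP Group : testvapgroup
Archive Number : 1
VAP Count : 3
VAP OS version : xslinux_v3
XOS version : 9.5.1-xx
Application : VPN-1 Power
Application Version : NGXR65
Application Release : 1.0.2.0-5
Date : Mon Nov 29 14:53:25 EST 2010
Archive Location : /tftpboot/archives/testvapgroup/1
Archive Size : 419624
VAP Group : testvapgroup
Archive Number : 2
VAP Count : 4
VAP OS version : xslinux_v3
XOS version : 9.5.1-xx
Application : VPN-1 Power
Application Version : NGXR65
Application Release : 1.0.2.0-5
Date : Tue Dec 14 09:10:02 EST 2010
Archive Location : /tftpboot/archives/testvapgroup/2
Archive Size : 562310
VAP Group : testvapgroup
Archive Number : 3
VAP Count : 4
VAP OS version : xslinux_v3
XOS version : 9.5.1-xx
Application : VPN-1 Power
Application Version : NGXR65
Application Release : 1.0.3.0-2
Date : Mon Jan 10 16:42:51 EST 2011
Archive Location : /tftpboot/archives/testvapgroup/3
Archive Size : 570118
CBS#
"""

# Constructed: parameters of the live VAP group, entered by the operator.
LIVE = {
    "VAP Count": "4", "XOS version": "9.5.1-xx", "VAP OS version": "xslinux_v3",
    "Application": "VPN-1 Power", "Application Version": "NGXR65",
    "Application Release": "1.0.2.0-5",
}


def parse_archives(text):
    """Split 'archive-vap-group show' output into one dict per archive."""
    records, current = [], None
    for raw in text.splitlines():
        # Split on the first colon only: dates and URLs contain more colons.
        key, sep, value = raw.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or key.startswith("CBS#"):
            continue  # prompt lines and blank lines carry no field
        if key == "VAP Group":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def mismatches(archive, live):
    """Return {field: (archived, live)} for every parameter that differs."""
    return {f: (archive.get(f), live.get(f))
            for f in MATCH_FIELDS if archive.get(f) != live.get(f)}


def restorable(records, group, live):
    """Archive numbers of `group` that pass the check, most recent first."""
    ok = [int(r["Archive Number"]) for r in records
          if r.get("VAP Group") == group and "Archive Number" in r
          and not mismatches(r, live)]
    return sorted(ok, reverse=True)


def restore_command(records, group, live):
    """Build the restore command for the newest compatible archive, or None."""
    numbers = restorable(records, group, live)
    if not numbers:
        return None
    return f"archive-vap-group restore vap-group {group} archive {numbers[0]}"


if __name__ == "__main__":
    recs = parse_archives(SAMPLE_SHOW_OUTPUT)
    for rec in recs:
        diff = mismatches(rec, LIVE)
        verdict = "OK" if not diff else "MISMATCH " + ", ".join(
            f"{k}: archive={a!r} live={b!r}" for k, (a, b) in diff.items())
        print(f"archive {rec['Archive Number']}: {verdict}")
    print(restore_command(recs, "testvapgroup", LIVE) or "no compatible archive")
```

In the sample, the most recent archive (3) differs in Application Release, so a restore without the archive parameter would fail; the check selects archive 2 instead.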
Commands for Installing, Configuring, and Managing Routing Software and Routing Protocols on a VAP Group
This section describes the commands that you can use to:
Install, configure, and manage the Crossbeam Routing Software (RSW) application on a VAP group.
Install, configure, and manage routing protocols on a VAP group.
This section contains the following command descriptions:
routing-protocol vap-group install
routing-protocol vap-group update
routing-protocol vap-group configure
routing-protocol vap-group save
routing-protocol vap-group restore
routing-protocol vap-group uninstall
routing-protocol vap-group status
configure routing-protocol
routing-protocol-services vap-group configure
routing-protocol-services vap-group save
routing-protocol-services vap-group restore
routing-protocol-services vap-group status
routing-protocol-services vap-group upgrade
routing-protocol-services vap-group update
Syntax
routing-protocol <protocol> vap-group <VAP_group_name> install [<version>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <protocol>
Description: Specifies the routing protocol that you want to install. You must specify a protocol using one of the following parameters:
  bgp: Border Gateway Protocol (BGP) routing protocol
  ospf: Open Shortest Path First (OSPF) routing protocol
  rip: Routing Information Protocol (RIP) routing protocol
  pim: Protocol Independent Multicast (PIM) routing protocol
  ospf6: Open Shortest Path First (OSPF) routing protocol for IPv6
  ripng: Routing Information Protocol (RIP) for IPv6
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to install the specified routing protocol.
Parameter: <version>
Description: Specifies the routing protocol version that you want to install. Use this parameter if the /usr/os/rsw/rpm directory on the CPM contains more than one RPM package for the routing protocol that you want to install. If you do not specify a version, and the /usr/os/rsw/rpm directory on the CPM contains more than one RPM package for the specified routing protocol, the CLI prompts you to enter the routing protocol version that you want to install.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Example
The following command installs the BGP routing protocol on the VAP group called testvapgroup:
CBS# routing-protocol bgp vap-group testvapgroup install
Install BGP version 7.5.3-7.1.0.21 on testvapgroup_1
Install BGP version 7.5.3-7.1.0.21 on testvapgroup_2
Install BGP version 7.5.3-7.1.0.21 on testvapgroup_3
Finished installing BGP version 7.5.3-7.1.0.21 on testvapgroup
CBS#
Syntax
routing-protocol <protocol> vap-group <VAP_group_name> update
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <protocol>
Description: Specifies one of the routing protocols that you want to install on new VAPs added to a VAP group. You must specify a protocol using one of the following parameters:
  bgp: Border Gateway Protocol (BGP) routing protocol
  ospf: Open Shortest Path First (OSPF) routing protocol
  rip: Routing Information Protocol (RIP) routing protocol
  pim: Protocol Independent Multicast (PIM) routing protocol
  ospf6: Open Shortest Path First (OSPF) routing protocol for IPv6
  ripng: Routing Information Protocol (RIP) for IPv6
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group that contains one or more new VAPs on which you want to install the specified routing protocol, and if necessary, install NSM.
Restrictions
Default Privilege Level: 15
This command requires at least one VAP in the specified VAP group to be UP or Active.
Example
In this example, the BGP routing protocol has been installed on a VAP group called testvapgroup, and therefore, XOS has also installed NSM on that VAP group. This VAP group consisted of three VAPs at the time of the installation. A few months after the BGP routing protocol and NSM installations, the X-Series Platform administrator added a fourth VAP to the group. To install the BGP routing protocol and the NSM on the fourth VAP in the VAP group called testvapgroup, the administrator issues the following command:
CBS# routing-protocol bgp vap-group testvapgroup update
Finished updating on vap-group testvapgroup
CBS#
Syntax
routing-protocol <protocol> vap-group <VAP_group_name> configure
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <protocol>
Description: Specifies the routing protocol that you want to configure. You must specify a protocol using one of the following parameters:
  bgp: Border Gateway Protocol (BGP) routing protocol
  ospf: Open Shortest Path First (OSPF) routing protocol
  rip: Routing Information Protocol (RIP) routing protocol
  pim: Protocol Independent Multicast (PIM) routing protocol
  ospf6: Open Shortest Path First (OSPF) routing protocol for IPv6
  ripng: Routing Information Protocol (RIP) for IPv6
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to configure the specified routing protocol.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Example
The following command launches the ZebOS CLI for the BGP routing protocol on the VAP group called testvapgroup:
CBS# routing-protocol bgp vap-group testvapgroup configure
Password: *****
bgpd>
The following command enables privileged mode, which gives the user read/write privileges for the BGP routing protocol's configuration file:
bgpd>enable
Password: *****
bgpd#
After the user finishes configuring the protocol, he uses the following commands to save the configuration and exit the ZebOS CLI:
bgpd# write
Configuration saved to /usr/os/etc/zebos/bgpd.conf
bgpd# exit
Connection closed by foreign host.
Finished configuring BGP on vap-group testvapgroup
Finished synchronizing configuration for BGP on vap-group testvapgroup
CBS#
NOTE: Refer to the ZebOS documentation for information on how to configure BGP.
Syntax
routing-protocol <protocol> vap-group <VAP_group_name> save {<config_file_name> | <full_path_name_of_config_file>}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <protocol>
Description: Specifies the routing protocol whose configuration you want to save. You must specify a protocol using one of the following parameters:
  bgp: Border Gateway Protocol (BGP) routing protocol
  ospf: Open Shortest Path First (OSPF) routing protocol
  rip: Routing Information Protocol (RIP) routing protocol
  pim: Protocol Independent Multicast (PIM) routing protocol
  ospf6: Open Shortest Path First (OSPF) routing protocol for IPv6
  ripng: Routing Information Protocol (RIP) for IPv6
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to save the configuration for the specified routing protocol.
Parameter: {<config_file_name> | <full_path_name_of_config_file>}
Description: Specifies the file to which you want to write the routing protocol configuration. By default, when you are logged in as admin, the X-Series Platform saves the configuration file to the /tftpboot/.private/home/admin folder. However, you can write the file to a different directory by specifying the full path name of the configuration file. If you are logged in as a user other than admin, the default save path is /tftpboot/.private/home/<username>. NOTE: If you specify the full path name to the file, you must be sure that you have the correct permissions to access the directory in which you want to save the file.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Example
The following command saves the configuration for the BGP routing protocol running on the VAP group called testvapgroup, and writes the configuration to a file called bgp.conf in the /testvapgroup/routingprotocols/bgp/savedconfigs/ directory on the CPM:
CBS# routing-protocol bgp vap-group testvapgroup save /testvapgroup/routingprotocols/bgp/savedconfigs/bgp.conf
CBS#
Syntax
routing-protocol <protocol> vap-group <VAP_group_name> restore {<config_file_name> | <full_path_name_of_config_file>}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <protocol>
Description: Specifies the routing protocol whose configuration you want to restore. You must specify a protocol using one of the following parameters:
  bgp: Border Gateway Protocol (BGP) routing protocol
  ospf: Open Shortest Path First (OSPF) routing protocol
  rip: Routing Information Protocol (RIP) routing protocol
  pim: Protocol Independent Multicast (PIM) routing protocol
  ospf6: Open Shortest Path First (OSPF) routing protocol for IPv6
  ripng: Routing Information Protocol (RIP) for IPv6
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to restore the configuration for the specified routing protocol.
Parameter: {<config_file_name> | <full_path_name_of_config_file>}
Description: Specifies the routing protocol configuration file that you want to use to restore the specified routing protocol configuration on the specified VAP group. By default, when you are logged in as admin, the X-Series Platform attempts to retrieve the specified routing protocol configuration file from the /tftpboot/.private/home/admin folder. If the desired routing protocol configuration file is in a different directory, you must specify the full path name to the file. If you are logged in as a user other than admin, the default restore path is /tftpboot/.private/home/<username>. NOTE: If you specify the full path name to the file, you must be sure that you have the correct permissions to access the directory from which you want to retrieve the file.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
This command does not work unless the specified routing protocol is running on the specified VAP group.
Example
The following command restores the configuration for the BGP routing protocol running on the VAP group called testvapgroup. The X-Series Platform restores the BGP configuration using the configuration file called bgp.conf, which is stored on the CPM in a directory called /testvapgroup/routingprotocols/bgp/savedconfigs.
CBS# routing-protocol bgp vap-group testvapgroup restore /testvapgroup/routingprotocols/bgp/savedconfigs/bgp.conf
Shutting down bgpd: [ OK ]
Starting bgpd: [ OK ]
Finished restoring configuration for BGP on vap-group testvapgroup
Finished synchronizing configuration for BGP on vap-group testvapgroup
CBS#
Syntax
routing-protocol <protocol> vap-group <VAP_group_name> uninstall
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <protocol>
Description: Specifies the routing protocol that you intend to uninstall from a VAP group. You must specify a protocol using one of the following parameters:
  bgp: Border Gateway Protocol (BGP) routing protocol
  ospf: Open Shortest Path First (OSPF) routing protocol
  rip: Routing Information Protocol (RIP) routing protocol
  pim: Protocol Independent Multicast (PIM) routing protocol
  ospf6: Open Shortest Path First (OSPF) routing protocol for IPv6
  ripng: Routing Information Protocol (RIP) for IPv6
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group from which you want to uninstall the specified routing protocol.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Before using this command to uninstall a routing protocol, you must remove that routing protocol from the XOS running configuration.
Example
The following command uninstalls the BGP routing protocol from the VAP group called testvapgroup:
CBS# routing-protocol bgp vap-group testvapgroup uninstall
Finished uninstalling BGP on vap testvapgroup_1
Finished uninstalling BGP on vap testvapgroup_2
Finished uninstalling BGP on vap testvapgroup_3
Finished uninstalling BGP on vap-group testvapgroup
CBS#
Syntax
routing-protocol <protocol> vap-group <VAP_group_name> status
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <protocol>
Description: Specifies the routing protocol whose current state you want to display. You must specify a protocol using one of the following parameters:
  bgp: Border Gateway Protocol (BGP) routing protocol
  ospf: Open Shortest Path First (OSPF) routing protocol
  rip: Routing Information Protocol (RIP) routing protocol
  pim: Protocol Independent Multicast (PIM) routing protocol
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to display the current state of the specified routing protocol.
Output
This command displays the current state of the specified routing protocol on the specified VAP group, using one of the following formats:
<protocol_name> is not installed
<protocol_name> <RPM_package_name> is installed but not running
<protocol_name> <RPM_package_name> is installed and running
where:
<protocol_name> is the name of the routing protocol.
<RPM_package_name> is the name of the RPM package used to install the specified routing protocol on the VAP group specified with the command.
NOTE: The RPM package name includes the routing protocol name and the routing protocol version number.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Example
The following command displays the current state of the BGP routing protocol on the VAP group called testvapgroup:
CBS# routing-protocol bgp vap-group testvapgroup status
BGP zebos-bgp-EL5-7.5.3-29.0.0.72 is installed and running
CBS#
configure routing-protocol
Starts, stops, or restarts the specified routing protocol on the specified VAP group.
NOTE: This command does not work unless at least one VAP in the specified VAP group is UP or Active. Use the show ap-vap-mapping command to display the current state of all VAPs in a VAP group.
Use the configure no routing-protocol <protocol> vap-group <VAP_group_name> command to delete the XOS running configuration entry for the specified protocol installed on the specified VAP group.
IMPORTANT: You must delete the XOS running configuration entry for a protocol installed on a VAP group before you can uninstall the protocol from the VAP group using the routing-protocol vap-group uninstall command.
Syntax
configure routing-protocol <protocol> vap-group <VAP_group_name> {start | stop | restart}
configure no routing-protocol <protocol> vap-group <VAP_group_name>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <protocol>
Description: Specifies the routing protocol that you want to start, stop, or restart, or specifies the routing protocol for which you want to delete the XOS configuration entry for a VAP group. You must specify a protocol using one of the following parameters:
  bgp: Border Gateway Protocol (BGP) routing protocol
  ospf: Open Shortest Path First (OSPF) routing protocol
  rip: Routing Information Protocol (RIP) routing protocol
  pim: Protocol Independent Multicast (PIM) routing protocol
  ospf6: Open Shortest Path First (OSPF) routing protocol for IPv6
  ripng: Routing Information Protocol (RIP) for IPv6
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to start, stop, or restart the specified routing protocol, or specifies the name of the VAP group for which you want to delete the XOS running configuration entry for the specified routing protocol.
Parameter: start
Description: Starts the specified routing protocol on the specified VAP group.
Parameter: stop
Description: Stops the specified routing protocol on the specified VAP group.
Parameter: restart
Description: Restarts the specified routing protocol on the specified VAP group.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Examples
The following command starts the BGP routing protocol on the VAP group called testvapgroup:
CBS# configure routing-protocol bgp vap-group testvapgroup start
Are you sure you want to start protocol bgp? <Y or N> [Y]: Y
CBS#
The following command restarts the BGP routing protocol on the VAP group called testvapgroup:
CBS# configure routing-protocol bgp vap-group testvapgroup restart
Are you sure you want to restart protocol bgp? <Y or N> [Y]: Y
CBS#
The following command stops the BGP routing protocol on the VAP group called testvapgroup:
CBS# configure routing-protocol bgp vap-group testvapgroup stop
Are you sure you want to stop protocol bgp? <Y or N> [Y]: Y
CBS#
The following command deletes the XOS running configuration entry for the BGP routing protocol installed on the VAP group called testvapgroup:
CBS# configure no routing-protocol bgp vap-group testvapgroup
CBS#
Syntax
routing-protocol-services vap-group <VAP_group_name> configure
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to configure NSM.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Example
The following command launches the ZebOS CLI for the Network Services Module (NSM) on the VAP group called testvapgroup:
CBS# routing-protocol-services vap-group testvapgroup configure
Password: *****
Router>
The following command enables privileged mode, which gives the user read/write privileges for the NSM's configuration file:
Router>enable
Password: *****
Router#
After the user finishes configuring the protocol, he uses the following commands to save the configuration and exit the ZebOS CLI, thereby synchronizing the configuration changes on all members of the VAP group:
Router# write
Configuration saved to /usr/os/etc/zebos/nsm.conf
Router# exit
CBS#
NOTE: Refer to the RSW Installation Guide for instructions on using the ZebOS CLI to configure a FIB Retain time for NSM. Refer to the ZebOS documentation located on the Crossbeam Routing Software (RSW) DVD for instructions on configuring other functionality for NSM.
Syntax
routing-protocol-services vap-group <VAP_group_name> save {<config_file_name> | <full_path_name_of_config_file>}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to save the NSM configuration.
Parameter: {<config_file_name> | <full_path_name_of_config_file>}
Description: Specifies the file to which you want to write the NSM configuration. By default, if you are logged in as admin, the X-Series Platform saves the configuration file to the /tftpboot/.private/home/admin folder. However, you can write the file to a different directory by specifying the full path name of the configuration file. If you are logged in as a user other than admin, the default save path is /tftpboot/.private/home/<username>. NOTE: If you specify the full path name to the file, you must be sure that you have the correct permissions to access the directory in which you want to save the file.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Example
The following command saves the NSM configuration for the VAP group called testvapgroup, and writes the configuration to a file called nsm.conf in the /testvapgroup/routingprotocols/nsm/savedconfigs/ directory on the CPM:
CBS# routing-protocol-services vap-group testvapgroup save /testvapgroup/routingprotocols/nsm/savedconfigs/nsm.conf
CBS#
Syntax
routing-protocol-services vap-group <VAP_group_name> restore {<config_file_name> | <full_path_name_of_config_file>}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to restore the NSM configuration.
Parameter: {<config_file_name> | <full_path_name_of_config_file>}
Description: Specifies the NSM configuration file that you want to use to restore the NSM configuration for the specified VAP group. By default, if you are logged in as admin, the X-Series Platform attempts to retrieve the specified NSM configuration file from the /tftpboot/.private/home/admin folder. If the desired NSM configuration file is in a different directory, you must specify the full path name to the file. If you are logged in as a user other than admin, the default restore path is /tftpboot/.private/home/<username>. NOTE: If you specify the full path name to the file, you must be sure that you have the correct permissions to access the directory from which you want to retrieve the file.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Example
The following command restores the NSM configuration for the VAP group called testvapgroup. The X-Series Platform restores the NSM configuration using the NSM configuration file called nsm.conf, which is stored on the CPM in a directory called /testvapgroup/routingprotocols/nsm/savedconfigs.
CBS# routing-protocol-services vap-group testvapgroup restore /testvapgroup/routingprotocols/nsm/savedconfigs/nsm.conf
Shutting down nsm: [ OK ]
Shutting down bgpd: [ OK ]
Starting bgpd: [ OK ]
Finished restoring configuration for NSM on vap-group testvapgroup
Finished synchronizing configuration for NSM on vap-group testvapgroup
CBS#
Syntax
routing-protocol-services vap-group <VAP_group_name> status
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group for which you want to display the current state of the NSM.
Output
This command displays the current state of the NSM on the specified VAP group, using one of the following formats:
NSM is not installed
NSM <RPM_package_name> is installed but not running
NSM <RPM_package_name> is installed and running
where <RPM_package_name> is the name of the RPM package used to install the NSM on the VAP group specified with the command.
NOTE: The RPM package name includes the NSM version number.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Example
The following command displays the current state of the NSM on the VAP group called testvapgroup:
CBS# routing-protocol-services vap-group testvapgroup status
NSM zebos-common-EL5-7.5.3-29.0.0.72 is installed and running
CBS#
NOTE: Before undertaking an application upgrade, it is good practice to back up the configuration files. Use the routing-protocol-services vap-group save command to save the routing protocol configurations. Use the routing-protocol vap-group save command to save the NSM configuration.
Syntax
routing-protocol-services vap-group <VAP_group_name> upgrade
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group on which you want to upgrade the routing software.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Example
The following command upgrades NSM and any installed routing protocols on the VAP group called testvapgroup:
CBS# routing-protocol-services vap-group testvapgroup upgrade
Upgrade to version 7.7.1-8.0.0.x. Do you want to proceed <Y or N>[Y]: y
XOS displays the following as it upgrades NSM and any installed routing protocols (in this example, PIM sparse-mode):
Preparing packages for installation...
zebos-common-EL5-7.7.1-8.0.0.x
Preparing packages for installation...
zebos-pim-EL5-7.7.1-8.0.0.x
Finished upgrading version 7.7.1-8.0.0.x on vap-group testvapgroup
Syntax
routing-protocol-services vap-group <VAP_group_name> update
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Specifies the name of the VAP group that contains one or more new VAPs on which you want to install the routing protocols, and if necessary, install NSM.
Restrictions
Default Privilege Level: 15
This command does not work unless at least one VAP in the specified VAP group is UP or Active.
Example
In this example, the BGP and OSPF routing protocols have been installed on a VAP group called testvapgroup, and therefore, XOS has also installed NSM on that VAP group. This VAP group consisted of three VAPs at the time of the installation. A few months after the routing protocol and NSM installations, the X-Series Platform administrator added a fourth VAP to the group. To install the BGP and OSPF routing protocols and the NSM on the fourth VAP in the VAP group called testvapgroup, the administrator issues the following command:
CBS# routing-protocol-services vap-group testvapgroup update
Finished updating on vap-group testvapgroup
CBS#
Chapter 6: Commands for Configuring and Managing Flow Provisioning
You configure flow provisioning for the X-Series Platform by creating and configuring flow rules. The NPM uses flow rules to determine how to process a new traffic flow when it arrives on a logical interface. A flow rule is comprised of an action and a set of packet-matching criteria. The NPM performs the action on flows that meet the packet-matching criteria.
You manage flow provisioning for the X-Series Platform by monitoring flows passing through the system, clearing unwanted flows from the system, and reconfiguring flow rules as necessary.
This chapter describes the CLI commands that you can use to configure and manage flow provisioning for the X-Series Platform. This chapter contains the following sections:
Commands for Configuring System-Level Flow Rules on page 254
Commands for Configuring VAP-Group Level Flow Rules on page 301
Commands for Monitoring Flows and Managing Flow Rule Conflicts on page 356
Commands for Clearing Flows from the X-Series Platform on page 388
configure system-ip-flow-rule
Creates or configures a system-level IP flow rule for the X-Series Platform. Places you into a context in which you can configure and activate the specified system-level IP flow rule.
The NPM uses system-level IP flow rules to determine how to process each IP traffic flow that enters the NPM in the X-Series Platform. Each system-level IP flow rule is comprised of an action and a set of packet-matching criteria. The NPM performs the action on flows that meet the packet-matching criteria. For example, you can create a system-level IP flow rule that instructs the NPM to drop all packets that match a specific source IP address.
By default, when you create a system-level IP flow rule, XOS configures that flow rule's packet-matching criteria to match all flows. That is, by default, the NPM performs a system-level IP flow rule's action on every flow entering the NPM.
You must activate a system-level IP flow rule before it will take effect. By default, system-level IP flow rules are not activated. See activate (conf-system-ip-flow context) on page 277 for instructions on activating the system-level IP flow rule that you are configuring.
Use the no parameter to delete the specified system-level IP flow rule.
Use the show (conf-system-ip-flow context) command to display the current configuration for the system-level IP flow rule that you are configuring. Use the show system-ip-flow-rule command to display all system-level IP flow rules currently configured on the X-Series Platform.
Syntax
configure [no] system-ip-flow-rule <IP_flow_rule_name>
incoming-circuit-group (conf-system-ip-flow context) on page 271
timeout (conf-system-ip-flow context) on page 273
trace (conf-system-ip-flow context) on page 275
priority (conf-system-ip-flow context) on page 276
activate (conf-system-ip-flow context) on page 277
show (conf-system-ip-flow context) on page 278
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_flow_rule_name>
Description: Name assigned to the system-level IP flow rule that you want to create or configure for the X-Series Platform.
Restrictions
Default Privilege Level: 15
Example
The following command creates a system-level IP flow rule called testsysipflow and places you in the context in which you can configure and activate that system-level IP flow rule:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
Syntax
action drop
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command sets the action for the system-level IP flow rule called testsysipflow to drop:
CBS(conf-system-ip-flow)# action drop
CBS(conf-system-ip-flow)#
The NPM drops all IP packets that meet the packet-matching criteria defined for the system-level IP flow rule called testsysipflow.
Syntax
action allow
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
If a system-level IP flow rule's action is set to allow, the packet-matching criteria's traffic flow direction matching criteria must be set to outbound.
NOTE: If a system-level IP flow rule does not meet this requirement, the CLI issues an error when you attempt to use the activate (conf-system-ip-flow context) command to activate that system-level IP flow rule.
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command sets the action for the system-level IP flow rule called testsysipflow to allow:
CBS(conf-system-ip-flow)# action allow
CBS(conf-system-ip-flow)#
The NPM allows all IP packets that meet the packet-matching criteria for the system-level IP flow rule called testsysipflow to pass through the X-Series Platform and proceed to their destination IP addresses.
Syntax
action pass-to-masters
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command sets the action for the system-level IP flow rule called testsysipflow to pass-to-masters:
CBS(conf-system-ip-flow)# action pass-to-masters
CBS(conf-system-ip-flow)#
When the NPM encounters an IP packet that meets the packet-matching criteria defined for the system-level IP flow rule called testsysipflow, the NPM passes that IP packet to the master VAP in every VAP group configured on the X-Series Platform.
Syntax
action broadcast
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command sets the action for the system-level IP flow rule called testsysipflow to broadcast:
CBS(conf-system-ip-flow)# action broadcast
CBS(conf-system-ip-flow)#
When the NPM encounters an IP packet that meets the packet-matching criteria defined for the system-level IP flow rule called testsysipflow, the NPM passes that IP packet to every VAP in every VAP group configured on the X-Series Platform.
Use this command to apply a system-level IP flow rule's action only to IP traffic flowing in the specified direction (inbound to or outbound from the X-Series Platform). By default, the NPM applies a system-level IP flow rule's action to both inbound and outbound IP traffic. Use the both parameter to restore this default behavior.
Use the show (conf-system-ip-flow context) command to display the traffic flow direction packet-matching criteria for the system-level IP flow rule that you are configuring.
Syntax
direction {inbound | outbound | both}
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: inbound
Description: Configures the packet-matching criteria for the system-level IP flow rule that you are configuring to match only inbound flows. The NPM applies the system-level IP flow rule only to IP packets coming into the X-Series Platform.
Parameter: outbound
Description: Configures the packet-matching criteria for the system-level IP flow rule that you are configuring to match only outbound IP traffic flows. The NPM applies the system-level IP flow rule only to IP packets exiting from the X-Series Platform.
Parameter: both
Description: Configures the packet-matching criteria for the system-level IP flow rule that you are configuring to match both inbound and outbound IP traffic flows. The NPM applies the system-level IP flow rule to all IP packets entering or exiting the X-Series Platform. This is the default setting.
Restrictions
Default Privilege Level: 15
When you issue the activate (conf-system-ip-flow context) command to activate a system-level IP flow rule, the CLI issues an error if the following conditions are not met:
If the system-level IP flow rule's action is set to allow, the flow rule's traffic flow direction packet-matching criteria must be set to outbound.
If the system-level IP flow rule's traffic flow direction matching criteria is set to outbound, the flow rule's action must be set to allow or drop.
See action allow (conf-system-ip-flow context) on page 257 and action drop (conf-system-ip-flow context) on page 256 for more information about the allow and drop actions.
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command configures the packet-matching criteria for the system-level IP flow rule called testsysipflow to match only outbound IP traffic flows:
CBS(conf-system-ip-flow)# direction outbound
CBS(conf-system-ip-flow)#
Syntax
[no] skip-port-protocol
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command disables skip-port-protocol for the system-level IP flow rule called testsysipflow.
CBS(conf-system-ip-flow)# no skip-port-protocol
CBS(conf-system-ip-flow)#
With skip-port-protocol disabled, the user can configure the packet-matching criteria for testsysipflow to include source port, destination port, and protocol number matching criteria. The NPM applies the system-level IP flow rule's action to an IP packet only if that packet matches these criteria.
Syntax
[no] generate-reversed-flow
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command enables bi-directional IP flow matching for the system-level IP flow rule called testsysipflow:
CBS(conf-system-ip-flow)# generate-reversed-flow
CBS(conf-system-ip-flow)#
The user can now configure testsysipflow with packet-matching criteria for bi-directional IP flows. That is, the user can configure packet-matching criteria for both source and destination IP addresses and port numbers.
Syntax
source-addr {any | <IP_address> | <IP_address>/<0-32>}
no source-addr
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's source IP address matching criteria to any source IP address. The NPM applies the system-level IP flow rule's action without considering a packet's source IP address. This is the default behavior for every system-level IP flow rule.
Parameter: <IP_address>
Description: Configures the flow rule's source IP address matching criteria to include only the specified IP address. The NPM applies the system-level IP flow rule's action to a packet only if its source IP address matches the specified IP address.
Parameter: <IP_address>/<0-32>
Description: Configures the flow rule's source IP address matching criteria to include all IP addresses that belong to the specified IP network. The NPM applies the system-level IP flow rule's action to a packet only if its source IP address matches one of the IP addresses that belong to the specified IP network. You specify the IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: When configuring IP flow rules, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.
Restrictions
Default Privilege Level: 15
If you wish to configure a system-level IP flow rule with packet-matching criteria for both source and destination IP addresses, you must use the generate-reversed-flow (conf-system-ip-flow context) command to enable bi-directional IP flow matching for that system-level IP flow rule.
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command sets the source IP address matching criteria for the system-level IP flow rule called testsysipflow to include all IP addresses on the IP network, 10.170.53.0/24:
CBS(conf-system-ip-flow)# source-addr 10.170.53.0/24
CBS(conf-system-ip-flow)#
The NPM applies the action configured for testsysipflow only to IP packets whose source IP address matches one of the IP addresses that belong to the IP network, 10.170.53.0/24.
Syntax
destination-addr {any | <IP_address> | <IP_address>/<0-32>}
no destination-addr
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's destination IP address matching criteria to any destination IP address. The NPM applies the system-level IP flow rule's action without considering a packet's destination IP address. This is the default behavior for every system-level IP flow rule.
Parameter: <IP_address>
Description: Configures the flow rule's destination IP address matching criteria to include only the specified IP address. The NPM applies the system-level IP flow rule's action to a packet only if its destination IP address matches the specified IP address.
Parameter: <IP_address>/<0-32>
Description: Configures the flow rule's destination IP address matching criteria to include all IP addresses that belong to the specified IP network. The NPM applies the system-level IP flow rule's action to a packet only if its destination IP address matches one of the IP addresses that belong to the specified IP network. You specify the IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: When configuring IP flow rules, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.
Restrictions
Default Privilege Level: 15
If you wish to configure a system-level IP flow rule with packet-matching criteria for both source and destination IP addresses, you must use the generate-reversed-flow (conf-system-ip-flow context) command to enable bi-directional IP flow matching for that system-level IP flow rule.
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command sets the destination IP address matching criteria for the system-level IP flow rule called testsysipflow to include all IP addresses on the IP network, 10.170.53.0/24:
CBS(conf-system-ip-flow)# destination-addr 10.170.53.0/24
CBS(conf-system-ip-flow)#
The NPM applies the action configured for testsysipflow only to IP packets whose destination IP address matches one of the IP addresses that belong to the IP network, 10.170.53.0/24.
Syntax
source-port {any | <port_number>}
no source-port
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's source port matching criteria to any source port number. The NPM applies the system-level IP flow rule's action without considering a packet's source port number. This is the default behavior for every system-level IP flow rule.
Parameter: <port_number>
Description: Sets the flow rule's source port matching criteria to include only the specified port number. The NPM applies the system-level IP flow rule's action to a packet only if its source port number matches the specified port number. Valid values are from 0-65535.
Restrictions
Default Privilege Level: 15
If you wish to configure a system-level IP flow rule with packet-matching criteria for both source and destination port numbers, you must use the generate-reversed-flow (conf-system-ip-flow context) command to enable bi-directional IP flow matching for that system-level IP flow rule.
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command configures the source port matching criteria for the system-level IP flow rule called testsysipflow to include only port 25:
CBS(conf-system-ip-flow)# source-port 25
CBS(conf-system-ip-flow)#
The NPM applies the action configured for testsysipflow only to IP packets whose source port number is 25.
Syntax
destination-port {any | <port_number>}
no destination-port
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's destination port matching criteria to any destination port number. The NPM applies the system-level IP flow rule's action without considering a packet's destination port number. This is the default behavior for every system-level IP flow rule.
Parameter: <port_number>
Description: Configures the flow rule's destination port matching criteria to include only the specified port number. The NPM applies the system-level IP flow rule's action to a packet only if its destination port number matches the specified port number. Valid values are from 0-65535.
Restrictions
Default Privilege Level: 15
If you wish to configure a system-level IP flow rule with packet-matching criteria for both source and destination port numbers, you must use the generate-reversed-flow (conf-system-ip-flow context) command to enable bi-directional IP flow matching for that system-level IP flow rule.
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command configures the destination port matching criteria for the system-level IP flow rule called testsysipflow to include only port 25:
CBS(conf-system-ip-flow)# destination-port 25
CBS(conf-system-ip-flow)#
The NPM applies the action configured for testsysipflow only to IP packets whose destination port number is 25.
Use the show (conf-system-ip-flow context) command to display the protocol matching criteria defined for the system-level IP flow rule that you are configuring.
Syntax
protocol {any | <protocol_number>}
no protocol
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's protocol matching criteria to any protocol number. The NPM applies the system-level IP flow rule's action without considering a packet's protocol number. This is the default behavior for every system-level IP flow rule.
Parameter: <protocol_number>
Description: Configures the flow rule's protocol matching criteria to include only the specified protocol number. The NPM applies the system-level IP flow rule's action to a packet only if its protocol number matches the specified protocol number. Valid values are from 1-255.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command configures the protocol matching criteria for the system-level IP flow rule called testsysipflow to include only protocol number 41 (IPv6):
CBS(conf-system-ip-flow)# protocol 41
CBS(conf-system-ip-flow)#
The NPM applies the action configured for testsysipflow only to IP packets using protocol 41.
Syntax
domain {any | <domain_ID_number>}
no domain
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's domain matching criteria to any domain ID number. The NPM applies the system-level IP flow rule's action without considering a packet's domain ID number. This is the default behavior for every system-level IP flow rule.
Parameter: <domain_ID_number>
Description: Configures the flow rule's domain matching criteria to include only the specified domain ID number. The NPM applies the system-level IP flow rule's action to a packet only if its domain ID number matches the specified domain ID number. Valid values are from 1-4095.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command configures the domain matching criteria for the system-level IP flow rule called testsysipflow to include only domain ID number 2. Domain ID number 2 is assigned to the circuit called cctwan, which is one of the egress traffic circuits configured for the VAP group called testvapgroup.
CBS(conf-system-ip-flow)# domain 2
CBS(conf-system-ip-flow)#
The NPM applies the action configured for testsysipflow only to IP packets whose domain ID number is 2.
Syntax
incoming-circuit-group {any | <ICG_number>}
no incoming-circuit-group
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's incoming circuit group (ICG) matching criteria to any ICG number. The NPM applies the system-level IP flow rule's action without considering a packet's ICG number.
Parameter: <ICG_number>
Description: Configures the flow rule's incoming circuit group (ICG) matching criteria to include only the specified ICG number. The NPM applies the system-level IP flow rule's action to a packet only if its ICG number matches the specified ICG number. Valid values are from 1-255. Default is 1.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command configures the incoming circuit group (ICG) matching criteria for the system-level IP flow rule called testsysipflow to include only ICG number 2. ICG number 2 is assigned to the circuit called cctwan, which is one of the egress traffic circuits configured for the VAP group called testvapgroup.
CBS(conf-system-ip-flow)# incoming-circuit-group 2
CBS(conf-system-ip-flow)#
The NPM applies the action configured for testsysipflow only to IP packets whose ICG number is 2.
Syntax
timeout {auto | <idle_flow_timeout_interval>}
no timeout
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: auto
Description: Configures the NPM's IP flow classifier to automatically assign these idle flow timeout intervals to every new flow that matches the conditions defined in the packet-matching criteria for the system-level IP flow rule that you are configuring.
TCP: 10 minutes
UDP: 1 minute
Other: 30 seconds
Parameter: <idle_flow_timeout_interval>
Description: Applies the specified idle flow timeout interval to all IP flows that match the conditions defined in the packet-matching criteria for the system-level IP flow rule that you are configuring. An IP flow's idle flow timeout interval is the amount of time that the IP flow can remain idle before the NPM deletes the IP flow from the Active Flow Table (AFT). You must specify an idle flow timeout interval using one of the following parameters:
30-seconds: Sets the idle flow timeout interval to 30 seconds. Timeout occurs when a flow remains idle for approximately 30 seconds.
1-minute: Sets the idle flow timeout interval to 1 minute. Timeout occurs when a flow remains idle for approximately 1 minute.
3-minutes: Sets the idle flow timeout interval to 3 minutes. Timeout occurs when a flow remains idle for approximately 3 minutes.
5-minutes: Sets the idle flow timeout interval to 5 minutes. Timeout occurs when a flow remains idle for approximately 5 minutes.
10-minutes: Sets the idle flow timeout interval to 10 minutes. Timeout occurs when a flow remains idle for approximately 10 minutes.
20-minutes: Sets the idle flow timeout interval to 20 minutes. Timeout occurs when a flow remains idle for approximately 20 minutes.
30-minutes: Sets the idle flow timeout interval to 30 minutes. Timeout occurs when a flow remains idle for approximately 30 minutes.
1-hour: Sets the idle flow timeout interval to 1 hour. Timeout occurs when a flow remains idle for approximately 1 hour.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command sets the idle flow timeout interval for the system-level IP flow rule called testsysipflow to 10 minutes.
CBS(conf-system-ip-flow)# timeout 10-minutes
CBS(conf-system-ip-flow)#
The NPM deletes any IP flow from the Active Flow Table (AFT) if that flow matches the conditions defined in the packet-matching criteria for testsysipflow and that flow remains idle for approximately 10 minutes.
Syntax
[no] trace
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command enables packet tracing for all IP packets that match the conditions defined in the packet-matching criteria for the system-level IP flow rule called testsysipflow:
CBS(conf-system-ip-flow)# trace
CBS(conf-system-ip-flow)#
Syntax
priority <priority_level>
no priority
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: <priority_level>
Description: Specifies the priority level that you want to assign to the system-level IP flow rule that you are configuring. Valid values are from 10-20 and from 25-30. Default is 10.
Restrictions
Default Privilege Level: 15
Example
In this example, the X-Series Platform system administrator wants to configure the X-Series Platform so that the NPM drops all outbound IP packets that have the source IP address, 1.1.1.20, unless those packets also have the destination IP address, 1.1.1.35. If an IP packet has the desired source and destination IP addresses, the administrator wants the NPM to allow the IP packet to exit the X-Series Platform and proceed to the destination IP address. Therefore, the administrator has configured two system-level IP flow rules: testsysipflow Allows all outbound IP packets that have the source IP address, 1.1.1.20 and the destination IP address, 1.1.1.35, to exit the X-Series Platform and proceed to the destination IP address. dropsysipflow Drops all outbound IP packets that have the source IP address, 1.1.1.20.
The administrator now uses the following commands to configure the system-level IP flow rule called testsysipflow with a priority level of 15, and configure the system-level IP flow rule called dropsysipflow with a priority level of 14.
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)# priority 15
CBS(conf-system-ip-flow)# source-addr 1.1.1.20
CBS(conf-system-ip-flow)# destination-addr 1.1.1.35
CBS(conf-system-ip-flow)# action allow
CBS(conf-system-ip-flow)# activate
CBS(conf-system-ip-flow)# end
CBS# configure system-ip-flow-rule dropsysipflow
CBS(conf-system-ip-flow)# priority 14
CBS(conf-system-ip-flow)# source-addr 1.1.1.20
CBS(conf-system-ip-flow)# action drop
CBS(conf-system-ip-flow)# activate
CBS(conf-system-ip-flow)# end
CBS#
Now, the NPM applies the system-level IP flow rule called testsysipflow before applying the system-level IP flow rule called dropsysipflow.
When the NPM encounters an outbound IP packet, the NPM first determines whether the packet matches the source and destination IP address matching criteria defined for the system-level IP flow rule called testsysipflow. If the packet has both the source IP address, 1.1.1.20, and the destination IP address, 1.1.1.35, the packet matches the conditions defined in the packet matching criteria, and the NPM allows the IP packet to exit the X-Series Platform and proceed to the destination IP address.
If an outbound IP packet does not have the destination IP address, 1.1.1.35, that packet does not match all the conditions defined in the packet matching criteria for testsysipflow. In this case, the NPM does not apply the action (allow) for testsysipflow to the IP packet. Instead, the NPM proceeds to determine whether the packet matches the source IP address matching criteria defined for dropsysipflow. If the IP packet has the source IP address, 1.1.1.20, the packet matches the conditions defined in the packet matching criteria for dropsysipflow, and the NPM drops the packet.
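The evaluation order in this example can be checked offline with a small model. The Python below is an added illustration, not code from this guide or from the platform; FlowRule, decide, shadowed and build are hypothetical names, only address matching, priority, action and activation are modelled, and the result when no rule matches is returned as None because this section does not state it.

```python
"""Model of the priority example: which system-level IP flow rule decides a packet.

Added illustration, not vendor code. All criteria other than source and
destination address are assumed to be left at their match-everything defaults.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


def valid_priority(level):
    # Ranges quoted in the priority command's parameter table.
    return 10 <= level <= 20 or 25 <= level <= 30


@dataclass
class FlowRule:
    name: str
    priority: int = 10               # documented default
    source: str = "0.0.0.0/0"        # default criteria match every address
    destination: str = "0.0.0.0/0"
    action: str = "drop"             # documented default
    active: bool = False             # rules stay inactive until 'activate'

    def __post_init__(self):
        if not valid_priority(self.priority):
            raise ValueError(f"{self.name}: priority {self.priority} is out of range")
        self.src_net = ip_network(self.source)
        self.dst_net = ip_network(self.destination)

    def matches(self, src, dst):
        return ip_address(src) in self.src_net and ip_address(dst) in self.dst_net

    def covers(self, other):
        """True when every packet 'other' matches is also matched by this rule."""
        return (other.src_net.subnet_of(self.src_net)
                and other.dst_net.subnet_of(self.dst_net))


def evaluation_order(rules):
    # Per the example, priority 15 is applied before priority 14.
    return sorted((r for r in rules if r.active), key=lambda r: -r.priority)


def decide(rules, src, dst):
    """Return (rule name, action) of the first matching active rule, or None."""
    for rule in evaluation_order(rules):
        if rule.matches(src, dst):
            return rule.name, rule.action
    return None  # assumption: the no-match case is outside this model


def shadowed(rules):
    """List (hidden, hiding) pairs: a higher-priority rule with a different
    action matches everything a lower-priority rule matches, so the
    lower-priority rule can never decide a packet."""
    ordered = evaluation_order(rules)
    findings = []
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            if (earlier.priority > later.priority
                    and earlier.action != later.action
                    and earlier.covers(later)):
                findings.append((later.name, earlier.name))
    return findings


def build(allow_priority, drop_priority):
    """The two rules from the example, with configurable priority levels."""
    return [
        FlowRule("testsysipflow", allow_priority, "1.1.1.20", "1.1.1.35", "allow", True),
        FlowRule("dropsysipflow", drop_priority, "1.1.1.20", action="drop", active=True),
    ]


if __name__ == "__main__":
    for allow_p, drop_p in ((15, 14), (14, 15)):
        rules = build(allow_p, drop_p)
        print(allow_p, drop_p, decide(rules, "1.1.1.20", "1.1.1.35"), shadowed(rules))
```

With the priorities swapped (allow at 14, drop at 15), the drop rule matches first and the allow rule is reported as shadowed, which is the misconfiguration a rule review should catch.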
Syntax
[no] activate
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
When you issue the activate command to activate a system-level IP flow rule, the CLI issues an error if the following conditions are not met:
If the system-level IP flow rule's action is set to allow, the flow rule's traffic flow direction matching criteria must be set to outbound.
If the system-level IP flow rule's traffic flow direction matching criteria is set to outbound, the flow rule's action must be set to allow or drop.
See action allow (conf-system-ip-flow context) on page 257 and action drop (conf-system-ip-flow context) on page 256 for more information about the allow and drop actions.
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command activates the system-level IP flow rule called testsysipflow:
CBS(conf-system-ip-flow)# activate
CBS(conf-system-ip-flow)#
The NPM now applies this system-level IP flow rule's action to all new IP flows that match the conditions defined in the packet matching criteria for the system-level IP flow rule.
Syntax
show
Context
You access this command from the conf-system-ip-flow context. You access this context from the main CLI context by issuing the configure system-ip-flow-rule command.
Output
The output for this command has the following format:
System IP Flow Rule : <IP_flow_rule_name>
Destination Address : {<IP_address> | <IP_address>/<0-32>}
Destination Address High : 255.255.255.255
Destination Port : <port_number>
Destination Port High : 65535
Source Address : {<IP_address> | <IP_address>/<0-32>}
Source Address High : 255.255.255.255
Source Port : <port_number>
Source Port High : 65535
Incoming Circuit Group : <ICG_number>
Protocol :
Protocol High :
Domain :
Domain High :
Action :
Activate (true/false) :
Priority :
Skip Protocol (true/false) :
Skip Port (true/false) :
Skip Port Protocol (true/false) :
Timeout :
Trace (true/false) :
Generate Reversed Flow(true/false) :
Direction :
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading / Information Provided
System IP Flow Rule
Name of the system-level IP flow rule. See configure system-ip-flow-rule on page 255 for information on assigning a name to a new system-level IP flow rule.
Destination Address
Destination IP address matching criteria for the system-level IP flow rule. This row may display one of the following:
0.0.0.0: Default value. Defines the lowest IP address that meets the destination IP address matching criteria. In this case, the highest matching destination IP address is 255.255.255.255. The NPM applies the system-level IP flow rule's action without considering a packet's destination IP address.
Single, non-zero IP address: NPM applies the system-level IP flow rule's action only to IP packets that have the specified destination IP address.
IP network address displayed in CIDR format: NPM applies the system-level IP flow rule's action only to IP packets whose destination IP address matches one of the IP addresses that belong to the specified IP network.
See destination-addr (conf-system-ip-flow context) on page 264 for information on configuring destination IP address matching criteria for a system-level IP flow rule.
Destination Address High
This row shows the default address if the user has not defined destination IP address matching criteria for the system-level IP flow rule. This row may display one of the following:
255.255.255.255: Default value. Defines the highest IP address that meets the destination IP address matching criteria. In this case, the highest matching destination IP address is 255.255.255.255. In this case, the Destination Address is 0.0.0.0 and Destination Address High is 255.255.255.255. This indicates that the flow rule's destination IP address matching criteria includes all IP addresses from 0.0.0.0 to 255.255.255.255 (that is, all IP addresses). The NPM applies the system-level IP flow rule's action without considering a packet's destination IP address.
Single, non-zero IP address: NPM applies the system-level IP flow rule's action only to IP packets within the range specified by the destination IP address and the destination high IP address.
See destination-addr (conf-system-ip-flow context) on page 264 for information on configuring destination IP address matching criteria for a system-level IP flow rule.
Destination Port
Destination port matching criteria for the system-level IP flow rule. This row may display one of the following:
0: Default value. Defines the lowest port number that meets the destination port matching criteria. In this case, the highest matching destination port number is 65535. The NPM applies the system-level IP flow rule's action without considering a packet's destination port number.
Single, non-zero port number: NPM applies the system-level IP flow rule's action only to IP packets that have the specified destination port number.
See destination-port (conf-system-ip-flow context) on page 267 for information on configuring destination port matching criteria for a system-level IP flow rule.
Destination Port High
This row appears only if the user has not defined destination port matching criteria for the system-level IP flow rule. In this case, the Destination Port is 0 and Destination Port High is 65535. This indicates that the flow rule's destination port matching criteria includes all port numbers from 0 to 65535 (that is, all valid port numbers). The NPM applies the system-level IP flow rule's action without considering a packet's destination port number.
See destination-port (conf-system-ip-flow context) on page 267 for information on configuring destination port matching criteria for a system-level IP flow rule.
Source Address
Source IP address matching criteria for the system-level IP flow rule. This row may display one of the following:
0.0.0.0: Default value. Defines the lowest IP address that meets the source IP address matching criteria for the system-level IP flow rule. In this case, the highest matching source IP address is 255.255.255.255. The NPM applies the system-level IP flow rule's action without considering a packet's source IP address.
Single, non-zero IP address: NPM applies the system-level IP flow rule's action only to IP packets that have the specified source IP address.
IP network address displayed in CIDR format: NPM applies the system-level IP flow rule's action only to IP packets whose source IP address matches one of the IP addresses that belong to the specified IP network.
See source-addr (conf-system-ip-flow context) on page 263 for information on configuring source IP address matching criteria for a system-level IP flow rule.
Source Address High
This row appears only if the user has not defined source IP address matching criteria for the system-level IP flow rule. In this case, the Source Address is 0.0.0.0 and Source Address High is 255.255.255.255. This indicates that the system-level IP flow rule's source IP address matching criteria includes all IP addresses from 0.0.0.0 to 255.255.255.255 (that is, all IP addresses). The NPM applies the system-level IP flow rule's action without considering a packet's source IP address.
See source-addr (conf-system-ip-flow context) on page 263 for information on configuring source IP address matching criteria for a system-level IP flow rule.
Source Port
Source port matching criteria for the system-level IP flow rule. This row may display one of the following:
0: Default value. Defines the lowest port number that meets the source port matching criteria for the flow rule. In this case, the highest matching source port number is 65535. The NPM applies the system-level IP flow rule's action without considering a packet's source port number.
Single, non-zero port number: NPM applies the system-level IP flow rule's action only to IP packets that have the specified source port number.
See source-port (conf-system-ip-flow context) on page 266 for information on configuring source port matching criteria for a system-level IP flow rule.
Source Port High
This row appears only if the user has not defined source port matching criteria for the system-level IP flow rule. In this case, the Source Port is 0 and Source Port High is 65535. This indicates that the system-level IP flow rule's source port matching criteria includes all port numbers from 0 to 65535 (that is, all valid port numbers). The NPM applies the system-level IP flow rule's action without considering a packet's source port number.
See source-port (conf-system-ip-flow context) on page 266 for information on configuring source port matching criteria for a system-level IP flow rule.
Incoming Circuit Group
Incoming circuit group (ICG) matching criteria for the system-level IP flow rule. The NPM applies the system-level IP flow rule's action only to IP packets with the specified ICG number. Default is 1.
See incoming-circuit-group (conf-system-ip-flow context) on page 271 for information on setting ICG matching criteria for a system-level IP flow rule.
Protocol
Protocol matching criteria for the system-level IP flow rule. This row may display one of the following:
1: Default value. Defines the lowest protocol number that meets the protocol matching criteria for the flow rule. In this case, the highest matching protocol number is 255. The NPM applies the system-level IP flow rule's action without considering a packet's protocol number.
Single, non-zero protocol number: NPM applies the system-level IP flow rule's action only to IP packets that have the specified protocol number.
See protocol (conf-system-ip-flow context) on page 268 for information on configuring protocol matching criteria for a system-level IP flow rule.
Protocol High
This row appears only if the user has not defined protocol matching criteria for the system-level IP flow rule. In this case, the Protocol is 1 and Protocol High is 255. This indicates that the system-level IP flow rule's protocol matching criteria includes all protocol numbers from 1 to 255 (that is, all valid protocol numbers). The NPM applies the system-level IP flow rule's action without considering a packet's protocol number.
See protocol (conf-system-ip-flow context) on page 268 for information on configuring protocol matching criteria for a system-level IP flow rule.
Domain
Domain matching criteria for the system-level IP flow rule. This row may display one of the following:
1: Default value. Defines the lowest domain ID number that meets the domain matching criteria for the system-level IP flow rule. In this case, the highest matching domain ID number is 4095. The NPM applies the system-level IP flow rule's action without considering a packet's domain ID number.
Single, non-zero domain ID number: NPM applies the system-level IP flow rule's action only to IP packets that have the specified domain ID number.
See domain (conf-system-ip-flow context) on page 270 for information on configuring domain matching criteria for a system-level IP flow rule.
Domain High
This row appears only if the user has not defined domain matching criteria for the system-level IP flow rule. In this case, the Domain is 1 and Domain High is 4095. This indicates that the system-level IP flow rule's domain matching criteria includes all domain ID numbers from 1 to 4095 (that is, all valid domain ID numbers). The NPM applies the system-level IP flow rule's action without considering a packet's domain ID number.
See domain (conf-system-ip-flow context) on page 270 for information on configuring domain matching criteria for a system-level IP flow rule.
Action
Specifies the action configured for the system-level IP flow rule (drop, allow, pass-to-masters or broadcast). Default is drop. See the following sections for information on configuring an action for a system-level IP flow rule:
action drop (conf-system-ip-flow context) on page 256
action allow (conf-system-ip-flow context) on page 257
action pass-to-masters (conf-system-ip-flow context) on page 258
action broadcast (conf-system-ip-flow context) on page 259
Activate (true/false)
Indicates whether the system-level IP flow rule is activated (t) or deactivated (f). Default is deactivated (f). See activate (conf-system-ip-flow context) on page 277 for information on activating and deactivating a system-level IP flow rule.
Priority
Priority level assigned to the system-level IP flow rule. Default is 10, which is the lowest valid priority level. See priority (conf-system-ip-flow context) on page 276 for information about setting priority levels for the system-level IP flow rules configured on an X-Series Platform.
Skip Protocol (true/false)
Indicates whether skip-protocol is enabled (t) or disabled (f) for the system-level IP flow rule. Default is enabled (t). See skip-port-protocol (conf-system-ip-flow context) on page 261 for information on enabling or disabling skip-protocol.
Skip Port (true/false)
Indicates whether skip-port is enabled (t) or disabled (f) for the system-level IP flow rule. Default is enabled (t). See skip-port-protocol (conf-system-ip-flow context) on page 261 for information on enabling or disabling skip-port.
Skip Port Protocol (true/false)
Indicates whether skip-port-protocol is enabled (t) or disabled (f) for the system-level IP flow rule. Default is enabled (t). See skip-port-protocol (conf-system-ip-flow context) on page 261 for information on enabling and disabling skip-port-protocol for a system-level IP flow rule.
Timeout
Displays the idle flow timeout interval configuration for the system-level IP flow rule. This row may display one of the following:
auto: Default value. Indicates that the NPM's IP flow classifier assigns an appropriate idle flow timeout interval to every new IP flow that meets the matching criteria defined for the system-level IP flow rule.
Idle flow time interval keyword: A keyword that indicates the user-defined idle flow timeout interval configured for the system-level IP flow rule. The NPM applies the user-defined idle flow timeout interval to each IP flow that meets the matching criteria defined in the system-level IP flow rule.
See timeout (conf-system-ip-flow context) on page 273 for information on configuring an idle flow timeout interval for a system-level IP flow rule.
Trace (true/false)
Indicates whether packet tracing is enabled (t) or disabled (f) for IP packets that match the conditions defined in the packet matching criteria for the system-level IP flow rule. Default is disabled (f). See trace (conf-system-ip-flow context) on page 275 for information on enabling and disabling packet tracing for a system-level IP flow rule.
Generate Reversed Flow (true/false)
Indicates whether bi-directional flow matching is enabled (t) or disabled (f) for the system-level IP flow rule. Default is disabled (f). See generate-reversed-flow (conf-system-ip-flow context) on page 262 for information on enabling and disabling bi-directional flow matching for a system-level IP flow rule.
Direction
Indicates the IP flow direction matching criteria defined for the system-level IP flow rule. This row displays one of the following keywords:
both: Default setting. Direction matching criteria includes both inbound and outbound IP flows. The NPM applies the system-level IP flow rule to IP packets without considering whether the packet is coming into or out of the X-Series Platform.
inbound: IP flow direction matching criteria includes only inbound IP flows. The NPM applies the system-level IP flow rule only to IP packets coming into the X-Series Platform.
outbound: IP flow direction matching criteria includes only outbound IP flows. The NPM applies the system-level IP flow rule only to IP packets exiting the X-Series Platform.
See direction (conf-system-ip-flow context) on page 259 for information on setting IP flow direction matching criteria for a system-level IP flow rule.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-ip-flow context in which you can configure the system-level IP flow rule called testsysipflow:
CBS# configure system-ip-flow-rule testsysipflow
CBS(conf-system-ip-flow)#
The following command displays the configuration settings for the system-level IP flow rule called testsysipflow.
NOTE: The example output displays the configuration settings that you would create for testsysipflow if you issued all the example commands that we have provided throughout this section.
CBS(conf-system-ip-flow)# show
System IP Flow Rule : testsysipflow
Destination Address : 1.1.1.35
Destination Address High : 255.255.255.255
Destination Port : 25
Destination Port High : 65535
Source Address : 1.1.1.20
Source Address High : 255.255.255.255
Source Port : 25
Source Port High : 65535
Incoming Circuit Group : 2
Protocol : 41
Protocol High : 255
Domain : 2
Domain High :
Action :
Activate (true/false) :
Priority :
Skip Protocol (true/false) :
Skip Port (true/false) :
Skip Port Protocol (true/false) :
Timeout :
Trace (true/false) :
Generate Reversed Flow (true/false) :
Direction :
Core Assignment :
(1 row)
CBS(conf-system-ip-flow)#
configure system-non-ip-flow-rule
Creates or configures a system-level non-IP flow rule for the X-Series Platform. Places you into a context in which you can configure and activate the specified system-level non-IP flow rule.
The NPM uses system-level non-IP flow rules to determine how to process each non-IP traffic flow (such as an IPX or Spanning Tree Protocol traffic flow) that arrives on a logical interface configured on the X-Series Platform. Each system-level non-IP flow rule is comprised of an action and a set of packet matching criteria. The NPM performs the action on flows that match the conditions defined in the packet matching criteria. For example, you can create a system-level non-IP flow rule that instructs the NPM to send all Spanning-Tree-Protocol-related traffic to the master VAP in every VAP group configured on the X-Series Platform.
You must configure each system-level non-IP flow rule with one of three link encapsulation types:
ethernet: Enables the NPM to process Ethernet encapsulated packets. Configures the NPM to apply the system-level non-IP flow rule's action only to Ethernet encapsulated packets that meet the flow rule's destination Ethernet protocol matching criteria.
lsap: Enables the NPM to process LSAP encapsulated packets. Configures the NPM to apply the system-level non-IP flow rule's action only to LSAP encapsulated packets that meet the flow rule's Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) matching criteria.
snap: Enables the NPM to process SNAP encapsulated packets. Configures the NPM to apply the system-level non-IP flow rule's action only to SNAP encapsulated packets that meet the flow rule's destination Ethernet protocol and Organization Unique Identifier (OUI) matching criteria.
NOTE: By default, the link encapsulation type for all system-level non-IP flow rules is ethernet, and the destination Ethernet protocol matching criteria is set to any Ethernet protocol number.
Use the show (conf-system-non-ip-flow context) command to display the link encapsulation type and packet matching criteria defined for the system-level non-IP flow that you are configuring. You must activate a system-level non-IP flow rule before it will take effect. By default, system-level non-IP flow rules are not activated. See activate (conf-system-non-ip-flow context) on page 296 for instructions on activating the system-level non-IP flow rule that you are configuring. Use the no parameter to delete the specified system-level non-IP flow rule.
Use the show (conf-system-non-ip-flow context) command to display the current configuration for the system-level non-IP flow rule that you are configuring. Use the show system-non-ip-flow-rule command to display all system-level non-IP flow rules currently configured on the X-Series Platform.
Syntax
configure [no] system-non-ip-flow-rule <non_IP_flow_rule_name>
Parameters
The following table lists the parameters used with this command.
Parameter: <non_IP_flow_rule_name>
Description: Name assigned to the system-level non-IP flow rule that you want to create or configure.
Restrictions
Default Privilege Level: 15
Example
The following command creates a system-level non-IP flow rule called testsysnonipflow and places you in the context in which you can configure and activate that system-level non-IP flow rule:
CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#
Syntax
action drop
Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:
CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#
The following command sets the action for the system-level non-IP flow rule called testsysnonipflow to drop:
CBS(conf-system-non-ip-flow)# action drop
CBS(conf-system-non-ip-flow)#
The NPM drops all non-IP packets that match the conditions defined in the packet matching criteria for the system-level non-IP flow rule called testsysnonipflow.
Syntax
action pass-to-masters
Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:
CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#
The following command sets the action for the system-level non-IP flow rule called testsysnonipflow to pass-to-masters:
CBS(conf-system-non-ip-flow)# action pass-to-masters
CBS(conf-system-non-ip-flow)#
When the NPM encounters a non-IP packet that matches the conditions defined in the packet matching criteria for the system-level non-IP flow rule called testsysnonipflow, the NPM passes that non-IP packet to the master VAP in every VAP group configured on the X-Series Platform.
Syntax
action broadcast
Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:
CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#
The following command sets the action for the system-level non-IP flow rule called testsysnonipflow to broadcast:
CBS(conf-system-non-ip-flow)# action broadcast
CBS(conf-system-non-ip-flow)#
When the NPM encounters a non-IP packet that matches the conditions defined in the packet matching criteria for the system-level non-IP flow rule called testsysnonipflow, the NPM passes that non-IP packet to every VAP in every VAP group configured on the X-Series Platform.
Syntax
encapsulation ethernet {any | type <Ethernet_protocol_number>}
Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's destination Ethernet protocol matching criteria to any Ethernet protocol number. The NPM applies the system-level non-IP flow rule's action to all Ethernet encapsulated packets. This is the default behavior for all system-level non-IP flow rules configured with the link encapsulation type, ethernet.
Parameter: type <Ethernet_protocol_number>
Description: Configures the flow rule's destination Ethernet protocol matching criteria to include only the specified Ethernet protocol number. The NPM applies the system-level non-IP flow rule's action only to Ethernet encapsulated packets whose destination Ethernet protocol number matches the specified Ethernet protocol number. Valid values are from 1519 to 65535, except for 2048 and 2054.
Restrictions
Default Privilege Level: 15
2048 and 2054 are not valid values for destination Ethernet protocol matching criteria for system-level non-IP flow rules.
Commands for Configuring and Managing Flow Provisioning 292
Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:
CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#
The following command sets the link encapsulation type for the system-level non-IP flow rule called testsysnonipflow to ethernet and configures the flow rule's destination Ethernet protocol matching criteria to include only Ethernet protocol number 2000:
CBS(conf-system-non-ip-flow)# encapsulation ethernet type 2000
CBS(conf-system-non-ip-flow)#
The NPM applies the system-level non-IP flow rule called testsysnonipflow only to Ethernet encapsulated packets whose destination Ethernet protocol number is 2000.
Syntax
encapsulation lsap {any | dsap <DSAP_number> ssap <SSAP_number>}
Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's DSAP and SSAP matching criteria to any destination service access point number and any source service access point number. The NPM applies the system-level non-IP flow rule's action to all LSAP encapsulated packets. This is the default behavior for all system-level non-IP flow rules configured with the link encapsulation type, lsap.
Parameter: dsap <DSAP_number>
Description: Configures the flow rule's Destination Service Access Point (DSAP) matching criteria to include only the specified DSAP number. The NPM applies the system-level non-IP flow rule's action only to LSAP encapsulated packets whose DSAP number matches the specified DSAP number. Valid values are from 0 to 255.
Parameter: ssap <SSAP_number>
Description: Configures the flow rule's Source Service Access Point (SSAP) matching criteria to include only the specified SSAP number. The NPM applies the system-level non-IP flow rule's action only to LSAP encapsulated packets whose SSAP number matches the specified SSAP number. Valid values are from 0 to 255.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:
CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#
The following command sets the link encapsulation type for the system-level non-IP flow rule called testsysnonipflow to lsap, configures the flow rule's DSAP matching criteria to include only DSAP number 10, and configures the flow rule's SSAP matching criteria to include only SSAP number 15:
CBS(conf-system-non-ip-flow)# encapsulation lsap dsap 10 ssap 15
CBS(conf-system-non-ip-flow)#
The NPM applies the system-level non-IP flow rule called testsysnonipflow only to LSAP encapsulated packets with Destination Service Access Point number 10 and Source Service Access Point number 15.
Syntax
encapsulation snap {any | type <Ethernet_protocol_number> [oui <OUI_number>]}
Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's destination Ethernet protocol matching criteria to any Ethernet protocol number and sets the OUI matching criteria to 0. (No OUI matching criteria are used.) The NPM applies the system-level non-IP flow rule's action to all SNAP encapsulated packets. This is the default behavior for all system-level non-IP flow rules configured with the link encapsulation type, snap.
Parameter: type <Ethernet_protocol_number>
Description: Sets the flow rule's destination Ethernet protocol matching criteria to include only the specified Ethernet protocol number. The NPM applies the system-level non-IP flow rule's action only to SNAP encapsulated packets whose destination Ethernet protocol number matches the specified Ethernet protocol number. Valid values are from 1519 to 65535.
Parameter: oui <OUI_number>
Description: Sets the flow rule's Organization Unique Identifier (OUI) matching criteria to include only the specified OUI number. The NPM applies the system-level non-IP flow rule's action only to SNAP encapsulated packets whose OUI number matches the specified OUI number. Valid values are from 0-16777215. Default is 0. (Do not include OUI number matching criteria in the packet matching criteria definition.)
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:
CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#
The following command sets the link encapsulation type for the system-level non-IP flow rule called testsysnonipflow to snap, configures the flow rule's destination Ethernet protocol matching criteria to include only Ethernet protocol number 2000, and configures the flow rule's OUI matching criteria to include only OUI number 10:
CBS(conf-system-non-ip-flow)# encapsulation snap type 2000 oui 10
CBS(conf-system-non-ip-flow)#
The NPM applies the system-level non-IP flow rule called testsysnonipflow only to SNAP encapsulated packets whose destination Ethernet protocol number is 2000 and whose Organization Unique Identifier is 10.
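The three link encapsulation types differ in where the matched fields sit in a frame. The Python below is an added illustration, not code from this guide or from the platform: it classifies a raw frame as ethernet, lsap or snap and matches it against a rule built from the encapsulation commands above. Frame, NonIpRule, classify and build_frame are hypothetical names, the field offsets and the 1500/1536 type-or-length split come from IEEE 802.3 and 802.2 rather than from this guide, and the frames are constructed samples.

```python
"""Classify a frame as ethernet, lsap or snap and match it against a non-IP
flow rule. Added illustration, not vendor code; assumes an untagged frame
(no 802.1Q header) without preamble or FCS."""
import struct
from dataclasses import dataclass
from typing import Optional

ACTIONS = {"drop", "pass-to-masters", "broadcast"}
EXCLUDED_ETHERNET_TYPES = {2048, 2054}   # rejected for 'encapsulation ethernet'


@dataclass
class Frame:
    encapsulation: str
    eth_type: Optional[int] = None
    dsap: Optional[int] = None
    ssap: Optional[int] = None
    oui: Optional[int] = None


def classify(raw: bytes) -> Frame:
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    (type_or_len,) = struct.unpack("!H", raw[12:14])
    if type_or_len >= 1536:               # Ethernet II: the field is a protocol number
        return Frame("ethernet", eth_type=type_or_len)
    if type_or_len > 1500:                # neither a valid length nor a type
        raise ValueError("type/length field in the undefined 1501-1535 range")
    if len(raw) < 17:
        raise ValueError("truncated LLC header")
    dsap, ssap, control = raw[14], raw[15], raw[16]
    if (dsap, ssap, control) == (0xAA, 0xAA, 0x03):   # LLC header announcing SNAP
        if len(raw) < 22:
            raise ValueError("truncated SNAP header")
        oui = int.from_bytes(raw[17:20], "big")
        (protocol,) = struct.unpack("!H", raw[20:22])
        return Frame("snap", eth_type=protocol, oui=oui)
    return Frame("lsap", dsap=dsap, ssap=ssap)


@dataclass
class NonIpRule:
    name: str
    action: str
    encapsulation: str = "ethernet"    # documented default
    eth_type: Optional[int] = None     # None models the 'any' keyword
    dsap: Optional[int] = None
    ssap: Optional[int] = None
    oui: int = 0                       # 0 means no OUI criteria

    def problems(self):
        """Return parameter-range violations, using the ranges given in this section."""
        found = []
        if self.action not in ACTIONS:
            found.append("unknown action")
        if self.encapsulation in ("ethernet", "snap") and self.eth_type is not None:
            if not 1519 <= self.eth_type <= 65535:
                found.append("type outside 1519-65535")
            elif self.encapsulation == "ethernet" and self.eth_type in EXCLUDED_ETHERNET_TYPES:
                found.append("2048 and 2054 are not valid for non-IP rules")
        if self.encapsulation == "lsap":
            if (self.dsap is None) != (self.ssap is None):
                found.append("dsap and ssap must be given together")
            for sap in (self.dsap, self.ssap):
                if sap is not None and not 0 <= sap <= 255:
                    found.append("SAP outside 0-255")
        if not 0 <= self.oui <= 16777215:
            found.append("OUI outside 0-16777215")
        return found

    def matches(self, frame: Frame) -> bool:
        if frame.encapsulation != self.encapsulation:
            return False
        if self.encapsulation == "lsap":
            return self.dsap is None or (frame.dsap, frame.ssap) == (self.dsap, self.ssap)
        if self.eth_type is not None and frame.eth_type != self.eth_type:
            return False
        return not (self.encapsulation == "snap" and self.oui and frame.oui != self.oui)


def build_frame(type_or_len: int, payload: bytes) -> bytes:
    """Constructed sample frame with made-up MAC addresses."""
    return bytes.fromhex("0180c2000000" "001122334455") + struct.pack("!H", type_or_len) + payload


# Constructed samples: an LLC frame with DSAP/SSAP 0x42 (the values Spanning
# Tree BPDUs carry), a SNAP frame with OUI 10 and protocol 2000, and an
# Ethernet II frame with protocol 2000.
LLC_FRAME = build_frame(38, bytes([0x42, 0x42, 0x03]) + bytes(35))
SNAP_FRAME = build_frame(46, bytes.fromhex("aaaa03" "00000a" "07d0") + bytes(38))
ETH2_FRAME = build_frame(2000, bytes(46))
```

The numbers in the CLI examples are treated as decimal here, consistent with the excluded values 2048 and 2054, so type 2000 appears on the wire as 0x07d0.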
Syntax
[no] activate
Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:
CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#
The following command activates the system-level non-IP flow rule called testsysnonipflow:
CBS(conf-system-non-ip-flow)# activate
CBS(conf-system-non-ip-flow)#
The NPM now applies this system-level non-IP flow rule's action to all new non-IP flows that use the flow rule's link encapsulation type and that match the conditions defined in the flow rule's packet matching criteria.
Syntax
show
Context
You access this command from the conf-system-non-ip-flow context. You access this context from the main CLI context by issuing the configure system-non-ip-flow-rule command.
Output
This command displays information about a system-level non-IP flow rule using one of the following formats:
Output for system-level non-IP flow rules with a link encapsulation type, ethernet:
System Non IP Flow Rule : <non_IP_flow_rule_name>
Encapsulation : ethernet
Type : <destination_Ethernet_protocol_number>
Action : {drop | pass-to-masters | broadcast}
Activate (true/false) : {t | f}
(1 row)
Output for system-level non-IP flow rules with a link encapsulation type, lsap:
System Non IP Flow Rule : <non_IP_flow_rule_name>
Encapsulation : lsap
Type : 10/15 (dsap/ssap)
Action : {drop | pass-to-masters | broadcast}
Activate (true/false) : {t | f}
(1 row)
Output for system-level non-IP flow rules with a link encapsulation type, snap:
System Non IP Flow Rule :
Encapsulation :
Type :
OUI :
Action :
Activate (true/false) :
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading Information Provided
System Non IP Flow Rule
Name assigned to the system-level non-IP flow rule. See configure system-non-ip-flow-rule on page 287 for information on assigning a name to a new system-level non-IP flow rule.
Encapsulation
Link encapsulation type (ethernet, lsap, or snap) defined for the system-level non-IP flow rule. Default is ethernet. Refer to the following three sections for information about each link encapsulation type:
encapsulation ethernet (conf-system-non-ip-flow context) on page 292
encapsulation lsap (conf-system-non-ip-flow context) on page 293
encapsulation snap (conf-system-non-ip-flow context) on page 295
Type (when link encapsulation type is ethernet or snap)
Destination Ethernet protocol matching criteria defined for the system-level non-IP flow rule. This row displays one of the following types of destination Ethernet protocol matching criteria:
any: Default setting. Destination Ethernet protocol matching criteria is set to any Ethernet protocol number. The NPM applies the system-level non-IP flow rule's action to all Ethernet encapsulated packets or all SNAP encapsulated packets.
User-defined destination Ethernet protocol number: Destination Ethernet protocol matching criteria includes only the specified Ethernet protocol number. The NPM applies the system-level non-IP flow rule's action only to Ethernet or SNAP encapsulated packets with the specified destination Ethernet protocol number.
See encapsulation ethernet (conf-system-non-ip-flow context) on page 292 for information on setting destination Ethernet protocol matching criteria for Ethernet encapsulation system-level non-IP flow rules.
See encapsulation snap (conf-system-non-ip-flow context) on page 295 for information on setting destination Ethernet protocol matching criteria for SNAP encapsulation system-level non-IP flow rules.
Type (when link encapsulation type is lsap)
Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) matching criteria defined for the system-level non-IP flow rule. This row displays one of the following types of DSAP and SSAP matching criteria:
any: Default setting. DSAP matching criteria is set to any DSAP number, and SSAP matching criteria is set to any SSAP number. The NPM applies the system-level non-IP flow rule's action to all LSAP encapsulated packets.
User-defined DSAP and SSAP numbers: DSAP and SSAP matching criteria includes only the specified DSAP and SSAP numbers. The NPM applies the system-level non-IP flow rule's action only to LSAP encapsulated packets with the specified DSAP and SSAP numbers.
See encapsulation lsap (conf-system-non-ip-flow context) on page 293 for information on setting DSAP and SSAP matching criteria for LSAP encapsulation system-level non-IP flow rules.
OUI
Organization Unique Identifier (OUI) matching criteria defined for the system-level non-IP flow rule. The NPM applies the system-level non-IP flow rule's action only to SNAP encapsulated packets with the specified OUI number.
NOTE: This row appears only if OUI matching criteria is defined for the system-level non-IP flow rule.
See encapsulation snap (conf-system-non-ip-flow context) on page 295 for information on setting OUI matching criteria for SNAP encapsulation system-level non-IP flow rules.
Action
Specifies the action for the system-level non-IP flow rule (drop, pass-to-masters, or broadcast). Default is drop. Refer to the following sections for information about these actions:
action drop (conf-system-non-ip-flow context) on page 289
action pass-to-masters (conf-system-non-ip-flow context) on page 290
action broadcast (conf-system-non-ip-flow context) on page 291
Activate (true/false)
Specifies whether the system-level non-IP flow rule is activated (t) or deactivated (f). Default is deactivated (f). See activate (conf-system-non-ip-flow context) on page 296 for information on enabling and disabling system-level non-IP flow rules.
Restrictions
Default Privilege Level: 15
Examples
The following command places you in the conf-system-non-ip-flow context in which you can configure the system-level non-IP flow rule called testsysnonipflow:
CBS# configure system-non-ip-flow-rule testsysnonipflow
CBS(conf-system-non-ip-flow)#
The following command displays configuration settings for the system-level non-IP flow rule called testsysnonipflow, with that flow rule configured for Ethernet link encapsulation:
CBS(conf-system-non-ip-flow)# show
System Non IP Flow Rule : testsysnonipflow
Encapsulation : ethernet
Type : 2000
Action : drop
Activate (true/false) : t
(1 row)
The following command displays configuration settings for the system-level non-IP flow rule called testsysnonipflow, with that flow rule configured for LSAP link encapsulation:
CBS(conf-system-non-ip-flow)# show
System Non IP Flow Rule : testsysnonipflow
Encapsulation : lsap
Type : 10/15 (dsap/ssap)
Action : drop
Activate (true/false) : t
(1 row)
The following command displays configuration settings for the system-level non-IP flow rule called testsysnonipflow, with that flow rule configured for SNAP link encapsulation:
CBS(conf-system-non-ip-flow)# show
System Non IP Flow Rule : testsysnonipflow
Encapsulation : snap
Type : 2000
OUI : 10
Action : drop
Activate (true/false) : t
(1 row)
Syntax
[no] ip-flow-rule <IP_flow_rule_name>
source-addr (ip-flow-rule context) on page 314
destination-addr (ip-flow-rule context) on page 315
source-port (ip-flow-rule context) on page 317
destination-port (ip-flow-rule context) on page 318
protocol (ip-flow-rule context) on page 319
domain (ip-flow-rule context) on page 321
incoming-circuit-group (ip-flow-rule context) on page 322
timeout (ip-flow-rule context) on page 324
trace (ip-flow-rule context) on page 326
activate (ip-flow-rule context) on page 330
show (ip-flow-rule context) on page 331
Parameters
The following table lists the parameters used with this command.
Parameter Description
<IP_flow_rule_name>
Name assigned to the IP flow rule that you want to create or configure for the VAP group that you are configuring.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command creates an IP flow rule for the VAP group called testvapgroup and places you in the context in which you can configure and activate that IP flow rule (called testiprule):
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
Syntax
action load-balance
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the action for the IP flow rule called testiprule to load-balance:
CBS(ip-flow-rule)# action load-balance
CBS(ip-flow-rule)#
The NPM load-balances all IP flows that match the conditions defined in the packet matching criteria for testiprule across all members of the VAP group called testvapgroup.
Syntax
action drop
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the action for the IP flow rule called testiprule to drop:
CBS(ip-flow-rule)# action drop
CBS(ip-flow-rule)#
The NPM drops all IP flows destined for the VAP group called testvapgroup that match the conditions defined in the packet matching criteria for testiprule.
Syntax
action allow
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
If an IP flow rule's action is set to allow, the flow rule's traffic flow direction matching criteria must be set to outbound.
NOTE: If an IP flow rule does not meet this requirement, the CLI issues an error when you attempt to use the activate (ip-flow-rule context) command to activate that IP flow rule.
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the action for the IP flow rule called testiprule to allow:
CBS(ip-flow-rule)# action allow
CBS(ip-flow-rule)#
The NPM allows all IP packets that match the conditions defined in the packet matching criteria for the IP flow rule called testiprule to pass through the VAP group called testvapgroup and proceed to their destination IP addresses.
Syntax
action pass-to-master
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the action for the IP flow rule called testiprule to pass-to-master:
CBS(ip-flow-rule)# action pass-to-master
CBS(ip-flow-rule)#
When the NPM encounters an IP packet destined for the VAP group called testvapgroup, and the IP packet matches the conditions defined in the packet matching criteria for the IP flow rule called testiprule, the NPM passes the IP packet to the master VAP in the VAP group called testvapgroup.
Syntax
action pass-to-vap <VAP_index_number>
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter Description
<VAP_index_number>
Index number assigned to the VAP to which you want to send IP packets that match the conditions defined in the packet matching criteria for the VAP group IP flow rule that you are configuring.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the action for the IP flow rule called testiprule to pass-to-vap 1:
CBS(ip-flow-rule)# action pass-to-vap 1
CBS(ip-flow-rule)#
When the NPM encounters an IP packet destined for the VAP group called testvapgroup, and the IP packet matches the conditions defined in the packet matching criteria for the IP flow rule called testiprule, the NPM passes the IP packet to VAP number 1 in the VAP group called testvapgroup.
Syntax
action broadcast
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the action for the IP flow rule called testiprule to broadcast:
CBS(ip-flow-rule)# action broadcast
CBS(ip-flow-rule)#
When the NPM encounters an IP packet destined for the VAP group called testvapgroup, and the IP packet matches the conditions defined in the packet matching criteria for the IP flow rule called testiprule, the NPM passes the IP packet to every VAP in the VAP group called testvapgroup.
Syntax
bypass-tcp-flow-setup-validation
Restrictions
Default Privilege Level: 15
Example
CBS# configure chassis-resource-protection
CBS(conf-resource-protection)# tcp-flow-validation
CBS(conf-rp-tcp-flow)# bypass-tcp-flow-setup-validation
CBS(conf-rp-tcp-flow)#
Syntax
direction {inbound | outbound | both}
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter Description
inbound
Configures the packet matching criteria for the VAP group IP flow rule that you are configuring to match only inbound flows. The NPM applies the IP flow rule only to IP packets coming into the VAP group.
outbound
Configures the packet matching criteria for the VAP group IP flow rule that you are configuring to match only outbound IP traffic flows. The NPM applies the IP flow rule only to IP packets exiting from the VAP group.
both
Configures the packet matching criteria for the VAP group IP flow rule that you are configuring to match both inbound and outbound IP traffic flows. The NPM applies the IP flow rule to all IP packets entering or exiting the VAP group. This is the default setting.
Restrictions
Default Privilege Level: 15
When you issue the activate (ip-flow-rule context) command to activate a VAP group IP flow rule, the CLI issues an error if the following conditions are not met:
If the IP flow rule's action is set to allow, the flow rule's traffic flow direction matching criteria must be set to outbound.
If the IP flow rule's traffic flow direction matching criteria is set to outbound, the flow rule's action must be set to allow or drop.
See action allow (ip-flow-rule context) on page 306 and action drop (ip-flow-rule context) on page 305 for more information about the allow and drop actions.
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command configures the packet matching criteria for the IP flow rule called testiprule to match only outbound IP traffic flows:
CBS(ip-flow-rule)# direction outbound
CBS(ip-flow-rule)#
Syntax
[no] skip-port-protocol
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command disables skip-port-protocol for the IP flow rule called testiprule:
CBS(ip-flow-rule)# no skip-port-protocol
CBS(ip-flow-rule)#
With skip-port-protocol disabled, the user can configure the packet matching criteria for testiprule to include source port, destination port, and protocol number matching criteria. The NPM applies the IP flow rule's action to an IP packet only if that packet matches these criteria.
If bi-directional IP flow matching is disabled for a VAP group IP flow rule, you must configure its packet matching criteria for uni-directional flows. This means that you can configure packet matching criteria for either source IP address and source port number or destination IP address and destination port number. Use the show (ip-flow-rule context) command to determine whether bi-directional IP flow matching is enabled for the IP flow rule that you are configuring.
Syntax
[no] generate-reversed-flow
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command enables bi-directional IP flow matching for the IP flow rule called testiprule:
CBS(ip-flow-rule)# generate-reversed-flow
CBS(ip-flow-rule)#
The user can now configure testiprule with packet matching criteria for bi-directional IP flows. That is, the user can configure packet matching criteria for both source and destination IP addresses and port numbers.
Syntax
source-addr {any | <IP_address> | <IP_address>/<0-32>}
no source-addr
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter Description
any
Sets the flow rule's source IP address matching criteria to any source IP address. The NPM applies the IP flow rule's action without considering a packet's source IP address. This is the default behavior for every VAP group IP flow rule.
<IP_address>
Configures the flow rule's source IP address matching criteria to include only the specified IP address. The NPM applies the IP flow rule's action to a packet only if its source IP address matches the specified IP address.
<IP_address>/<0-32>
Configures the flow rule's source IP address matching criteria to include all IP addresses that belong to the specified IP network. The NPM applies the IP flow rule's action to a packet only if its source IP address matches one of the IP addresses that belong to the specified IP network. You specify the IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: When configuring IP flow rules, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.
Restrictions
Default Privilege Level: 15
If you wish to configure packet matching criteria for both source and destination IP addresses, you must use the generate-reversed-flow (ip-flow-rule context) command to enable bi-directional IP flow matching for the IP flow rule.
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the source IP address matching criteria for the IP flow rule called testiprule to include all IP addresses on the IP network, 10.170.54.0/24:
CBS(ip-flow-rule)# source-addr 10.170.54.0/24
CBS(ip-flow-rule)#
The NPM applies the action configured for testiprule only to IP packets whose source IP address matches one of the IP addresses that belong to the IP network, 10.170.54.0/24.
Syntax
destination-addr {any | <IP_address> | <IP_address>/<0-32>}
no destination-addr
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter Description
any
Sets the flow rule's destination IP address matching criteria to any destination IP address. The NPM applies the IP flow rule's action without considering a packet's destination IP address. This is the default behavior for every VAP group IP flow rule.
<IP_address>
Configures the flow rule's destination IP address matching criteria to include only the specified IP address. The NPM applies the IP flow rule's action to a packet only if its destination IP address matches the specified IP address.
<IP_address>/<0-32>
Configures the flow rule's destination IP address matching criteria to include all IP addresses that belong to the specified IP network. The NPM applies the IP flow rule's action to a packet only if its destination IP address matches one of the IP addresses that belong to the specified IP network. You specify the IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: When configuring IP flow rules, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.
Restrictions
Default Privilege Level: 15
If you wish to configure packet matching criteria for both source and destination IP addresses, you must use the generate-reversed-flow (ip-flow-rule context) command to enable bi-directional IP flow matching for the IP flow rule.
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the destination IP address matching criteria for the IP flow rule called testiprule to include all IP addresses on the IP network, 10.170.53.0/24:
CBS(ip-flow-rule)# destination-addr 10.170.53.0/24
CBS(ip-flow-rule)#
The NPM applies the action configured for testiprule only to IP packets whose destination IP address matches one of the IP addresses that belong to the IP network, 10.170.53.0/24.
Syntax
source-port {any | <port_number>}
no source-port
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter Description
any
Sets the flow rule's source port matching criteria to any source port number. The NPM applies the IP flow rule's action without considering a packet's source port number. This is the default behavior for every VAP group IP flow rule.
<port_number>
Configures the flow rule's source port matching criteria to include only the specified port number. The NPM applies the IP flow rule's action to a packet only if its source port number matches the specified port number. Valid values are from 0-65535.
Restrictions
Default Privilege Level: 15
If you wish to configure packet matching criteria for both source and destination port numbers, you must use the generate-reversed-flow (ip-flow-rule context) command to enable bi-directional IP flow matching for the IP flow rule.
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the source port matching criteria for the IP flow rule called testiprule to include only port 25:
CBS(ip-flow-rule)# source-port 25
CBS(ip-flow-rule)#
The NPM applies the action configured for testiprule only to IP packets whose source port number is 25.
Syntax
destination-port {any | <port_number>}
no destination-port
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter Description
any
Sets the flow rule's destination port matching criteria to any destination port number. The NPM applies the IP flow rule's action without considering a packet's destination port number. This is the default behavior for every VAP group IP flow rule.
<port_number>
Configures the flow rule's destination port matching criteria to include only the specified port number. The NPM applies the IP flow rule's action to a packet only if its destination port number matches the specified port number. Valid values are from 0-65535.
Restrictions
Default Privilege Level: 15
If you wish to configure packet matching criteria for both source and destination port numbers, you must use the generate-reversed-flow (ip-flow-rule context) command to enable bi-directional IP flow matching for the IP flow rule.
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the destination port matching criteria for the IP flow rule called testiprule to include only port 25:
CBS(ip-flow-rule)# destination-port 25
CBS(ip-flow-rule)#
The NPM applies the action configured for testiprule only to IP packets whose destination port number is 25.
Syntax
protocol {any | <protocol_number>}
no protocol
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter Description
any
Sets the flow rule's protocol matching criteria to any protocol number. The NPM applies the IP flow rule's action without considering a packet's protocol number. This is the default behavior for every VAP group IP flow rule.
<protocol_number>
Configures the flow rule's protocol matching criteria to include only the specified protocol number. The NPM applies the IP flow rule's action to a packet only if its protocol number matches the specified protocol number. Valid values are from 1-255.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the protocol matching criteria for the IP flow rule called testiprule to include only protocol number 41 (IPv6):
CBS(ip-flow-rule)# protocol 41
CBS(ip-flow-rule)#
The NPM applies the action configured for testiprule only to IP packets using protocol 41.
Syntax
domain {any | <domain_ID_number>}
no domain
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter Description
any
Sets the flow rule's domain matching criteria to any domain ID number. The NPM applies the IP flow rule's action without considering a packet's domain ID number. This is the default behavior for every VAP group IP flow rule.
<domain_ID_number>
Configures the flow rule's domain matching criteria to include only the specified domain ID number. The NPM applies the IP flow rule's action to a packet only if its domain ID number matches the specified domain ID number. Valid values are from 1-4095.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the domain matching criteria for the VAP group IP flow rule called testiprule to include only domain ID number 2. Domain ID number 2 is assigned to the circuit called cctwan, which is one of the egress traffic circuits configured for the VAP group called testvapgroup.
CBS(ip-flow-rule)# domain 2
CBS(ip-flow-rule)#
The NPM applies the action configured for testiprule only to IP packets whose domain ID number is 2.
Syntax
incoming-circuit-group {any | <ICG_number>}
no incoming-circuit-group
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's incoming circuit group (ICG) matching criteria to any ICG number. The NPM applies the IP flow rule's action without considering a packet's ICG number. This is the default behavior for every VAP group IP flow rule.
Parameter: <ICG_number>
Description: Configures the flow rule's incoming circuit group (ICG) matching criteria to include only the specified ICG number. The NPM applies the IP flow rule's action to a packet only if its ICG number matches the specified ICG number. Valid values are from 1-255.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the incoming circuit group (ICG) matching criteria for the VAP group IP flow rule called testiprule to include only ICG number 2. ICG number 2 is assigned to the circuit called cctwan, which is one of the egress traffic circuits configured for the VAP group called testvapgroup.
CBS(ip-flow-rule)# incoming-circuit-group 2
CBS(ip-flow-rule)#
The NPM applies the action configured for testiprule only to IP packets whose ICG number is 2.
Syntax
timeout {auto | <idle_flow_timeout_interval>}
no timeout
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter: auto
Description: Configures the NPM's IP flow classifier to automatically assign an appropriate idle flow timeout interval to every new flow that matches the conditions defined in the packet matching criteria for the VAP group IP flow rule that you are configuring.
TCP: 10 minutes
UDP: 1 minute
Other: 30 seconds
Parameter: <idle_flow_timeout_interval>
Description: Applies the specified idle flow timeout interval to all IP flows that match the conditions defined in the packet matching criteria for the VAP group IP flow rule that you are configuring. An IP flow's idle flow timeout interval is the amount of time that the IP flow can remain idle before the NPM deletes the IP flow from the Active Flow Table (AFT). You must specify an idle flow timeout interval using one of the following parameters:
30-seconds: Sets the idle flow timeout interval to 30 seconds. Timeout occurs when a flow remains idle for approximately 30 seconds.
1-minute: Sets the idle flow timeout interval to 1 minute. Timeout occurs when a flow remains idle for approximately 1 minute.
3-minutes: Sets the idle flow timeout interval to 3 minutes. Timeout occurs when a flow remains idle for approximately 3 minutes.
5-minutes: Sets the idle flow timeout interval to 5 minutes. Timeout occurs when a flow remains idle for approximately 5 minutes.
10-minutes: Sets the idle flow timeout interval to 10 minutes. Timeout occurs when a flow remains idle for approximately 10 minutes.
20-minutes: Sets the idle flow timeout interval to 20 minutes. Timeout occurs when a flow remains idle for approximately 20 minutes.
30-minutes: Sets the idle flow timeout interval to 30 minutes. Timeout occurs when a flow remains idle for approximately 30 minutes.
1-hour: Sets the idle flow timeout interval to 1 hour. Timeout occurs when a flow remains idle for approximately 1 hour.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command sets the idle flow timeout interval for the VAP group IP flow rule called testiprule to 10 minutes.
CBS(ip-flow-rule)# timeout 10-minutes
CBS(ip-flow-rule)#
The NPM deletes any IP flow from the Active Flow Table (AFT) if that flow matches the conditions defined in the packet matching criteria for testiprule and that flow remains idle for approximately 10 minutes.
Syntax
[no] trace
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command enables packet tracing for all IP packets that match the conditions defined in the packet matching criteria for the VAP group IP flow rule called testiprule:
CBS(ip-flow-rule)# trace
CBS(ip-flow-rule)#
Syntax
priority <priority_level>
no priority
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter: <priority_level>
Description: Specifies the priority level that you want to assign to the VAP group IP flow rule that you are configuring. Valid values are from 10-20 and from 25-30. Default is 10.
Restrictions
Default Privilege Level: 15
Example
In this example, the X-Series Platform system administrator wants to configure flow provisioning for the VAP group called testvapgroup so that the NPM drops all IP packets exiting from the VAP group that have the source IP address, 10.170.54.20, unless those packets also have the destination IP address, 10.150.53.35. If an IP packet has the desired source and destination IP addresses, the administrator wants the NPM to allow the IP packet to exit the VAP group called testvapgroup and proceed to the destination IP address.
Therefore, the administrator has configured two IP flow rules for the VAP group called testvapgroup:
testiprule: Allows all outbound IP packets that have the source IP address, 10.170.54.20, and the destination IP address, 10.170.53.35, to exit the VAP group called testvapgroup and proceed to the destination IP address.
dropiprule: Drops all of the VAP group's outbound IP packets that have the source IP address, 10.170.54.20.
The administrator now uses the following commands to configure the IP flow rule called testiprule with a priority level of 15, and configure the IP flow rule called dropiprule with a priority level of 14.
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)# priority 15
CBS(ip-flow-rule)# source-addr 10.170.54.20
CBS(ip-flow-rule)# destination-addr 10.170.53.35
CBS(ip-flow-rule)# action allow
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# exit
CBS(config-vap-grp)# ip-flow-rule dropiprule
CBS(ip-flow-rule)# priority 14
CBS(ip-flow-rule)# source-addr 10.170.54.20
CBS(ip-flow-rule)# action drop
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end
CBS#
Now, when an IP packet arrives on a logical interface assigned to an egress circuit on the VAP group called testvapgroup, the NPM applies the IP flow rule called testiprule to the packet before applying the IP flow rule called dropiprule to that packet.
When the NPM encounters an outbound IP packet, the NPM first determines whether the packet matches the source and destination IP address matching criteria defined in the VAP group IP flow rule called testiprule. If the packet has both the source IP address, 10.170.54.20, and the destination IP address, 10.170.53.35, the packet matches the conditions defined in the packet matching criteria, and the NPM allows the IP packet to exit the VAP group called testvapgroup and proceed to the destination IP address.
If an outbound IP packet does not have the destination IP address, 10.170.53.35, that packet does not match all the conditions defined in the packet matching criteria for testiprule. In this case, the NPM does not apply the action (allow) for testiprule to the IP packet. Instead, the NPM proceeds to determine whether the packet matches the source IP address matching criteria defined for dropiprule. If the IP packet has the source IP address, 10.170.54.20, the packet matches the conditions defined in the packet matching criteria for dropiprule, and the NPM drops the packet.
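The evaluation order described above can be checked offline before rules are activated. The following Python model is an added example, not XOS code or anything from the original guide: it replays the two rules with the addresses used in the commands, and it also reports rules that an earlier-evaluated rule with a different action hides completely. The class and function names are hypothetical, and the swapped-priority rule set is constructed for contrast.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"  # the 0.0.0.0 - 255.255.255.255 default: address is not considered


@dataclass
class FlowRule:
    name: str
    priority: int
    action: str
    src: str = ANY
    dst: str = ANY

    def __post_init__(self):
        # Valid priority levels per the parameter table: 10-20 and 25-30.
        if not (10 <= self.priority <= 20 or 25 <= self.priority <= 30):
            raise ValueError(f"{self.name}: invalid priority {self.priority}")
        # A bare address such as 10.170.54.20 becomes a /32 network.
        self.src_net = ip_network(self.src)
        self.dst_net = ip_network(self.dst)

    def matches(self, src, dst):
        return ip_address(src) in self.src_net and ip_address(dst) in self.dst_net


def evaluation_order(rules):
    # Highest priority number first, as in the example (15 is applied before 14).
    # sorted() is stable, so equal priorities keep list order; how the NPM breaks
    # ties is not stated on the page, so that part is an assumption of this model.
    return sorted(rules, key=lambda r: r.priority, reverse=True)


def classify(rules, src, dst):
    """Return (rule name, action) of the first matching rule, or (None, None)."""
    for rule in evaluation_order(rules):
        if rule.matches(src, dst):
            return rule.name, rule.action
    return None, None  # no rule matched; what the NPM does then is outside this model


def shadowed(rules):
    """List (hidden rule, hiding rule) pairs where an earlier-evaluated rule with a
    different action already matches every packet the later rule could match."""
    order = evaluation_order(rules)
    pairs = []
    for i, low in enumerate(order):
        for high in order[:i]:
            covers = (low.src_net.subnet_of(high.src_net)
                      and low.dst_net.subnet_of(high.dst_net))
            if covers and high.action != low.action:
                pairs.append((low.name, high.name))
                break
    return pairs


# The two rules from the example, with the addresses used in its commands.
AS_CONFIGURED = [
    FlowRule("testiprule", 15, "allow", src="10.170.54.20", dst="10.170.53.35"),
    FlowRule("dropiprule", 14, "drop", src="10.170.54.20"),
]
# Constructed variant: the same rules with the two priority levels swapped.
SWAPPED = [
    FlowRule("testiprule", 14, "allow", src="10.170.54.20", dst="10.170.53.35"),
    FlowRule("dropiprule", 15, "drop", src="10.170.54.20"),
]

if __name__ == "__main__":
    for label, rules in (("as configured", AS_CONFIGURED), ("swapped", SWAPPED)):
        print(label)
        for dst in ("10.170.53.35", "10.170.53.36"):
            print("  10.170.54.20 ->", dst, classify(rules, "10.170.54.20", dst))
        print("  shadowed:", shadowed(rules))
```

With the priorities swapped, the drop rule is evaluated first and the allow rule never takes effect, which is the misconfiguration the shadow check reports.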
Syntax
[no] core-assignment {random-single-core | multi-core-processing | multi-proc-processing}
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter: random-single-core
Description: Directs all packets of an IP flow to a single core on the APM that has been selected for this flow (default).
Parameter: multi-core-processing
Description: Distributes packets of an IP flow across all cores on a single processor on the APM that has been selected for this flow.
Parameter: multi-proc-processing
Description: Distributes packets of an IP flow across all cores on all processors on the APM that has been selected for this flow.
Restrictions
Default Privilege Level: 15
Example
In this example, the X-Series Platform system administrator wants to configure flow provisioning for the VAP group called testvapgroup so that all cores on one of the APM processors are used.
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)# core-assignment random-single-core
CBS(ip-flow-rule)# end
CBS#
Syntax
[no] activate
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
When you issue the activate command to activate an IP flow rule for a VAP group, the CLI issues an error if the following conditions are not met:
- If the IP flow rule's action is set to allow, the flow rule's traffic flow direction matching criteria must be set to outbound.
- If the IP flow rule's traffic flow direction matching criteria is set to outbound, the flow rule's action must be set to allow or drop.
See action allow (ip-flow-rule context) on page 306 and action drop (ip-flow-rule context) on page 305 for more information about the allow and drop actions.
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command activates the IP flow rule called testiprule for the VAP group called testvapgroup:
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)#
The NPM now applies this IP flow rule's action to all new IP flows assigned to the VAP group called testvapgroup that match the conditions defined in the packet matching criteria for the IP flow rule.
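The two activation conditions listed under Restrictions can be applied to a command transcript before it is entered on the platform. The following Python check is an added example, not XOS code or part of the original guide: the sample transcript and its rule names are constructed, the function names are hypothetical, the defaults (action drop, direction both) are the ones this guide gives in the show command's table, and the `direction <keyword>` command form is assumed from the direction keywords listed there.

```python
import re

# Prompt such as "CBS(ip-flow-rule)# action allow"; the context in parentheses is ignored.
PROMPT = re.compile(r"^CBS(?:\([^)]*\))?#\s*(?P<cmd>.*)$")
# Defaults documented for a new rule: action drop, direction both.
DEFAULTS = {"action": "drop", "direction": "both"}


def activation_errors(action, direction):
    """Return the activation conditions that this action/direction pair violates."""
    errors = []
    if action == "allow" and direction != "outbound":
        errors.append("action allow requires direction outbound")
    if direction == "outbound" and action not in ("allow", "drop"):
        errors.append("direction outbound requires action allow or drop")
    return errors


def lint_transcript(text):
    """Return {rule name: [violations]} for every rule the transcript activates."""
    settings = {}   # rule name -> current action/direction
    findings = {}
    current = None  # rule whose ip-flow-rule context we are in
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        words = m.group("cmd").split()
        if not words:
            continue  # bare prompt echoed after a command
        if words[0] == "ip-flow-rule" and len(words) == 2:
            current = words[1]
            settings.setdefault(current, dict(DEFAULTS))
        elif words[0] in ("exit", "end"):
            current = None
        elif current is None:
            continue
        elif words[0] in DEFAULTS and len(words) >= 2:
            # "action <name>" or "direction <keyword>" (assumed command form)
            settings[current][words[0]] = words[1]
        elif words == ["activate"]:
            findings[current] = activation_errors(**settings[current])
    return findings


# Constructed transcript: one valid rule and one violation of each condition.
SAMPLE = """\
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule allowout
CBS(ip-flow-rule)# direction outbound
CBS(ip-flow-rule)# action allow
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# exit
CBS(config-vap-grp)# ip-flow-rule allowany
CBS(ip-flow-rule)# action allow
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# exit
CBS(config-vap-grp)# ip-flow-rule lbout
CBS(ip-flow-rule)# direction outbound
CBS(ip-flow-rule)# action load-balance
CBS(ip-flow-rule)# activate
CBS(ip-flow-rule)# end
CBS#
"""

if __name__ == "__main__":
    for name, errors in lint_transcript(SAMPLE).items():
        print(name, "OK" if not errors else "; ".join(errors))
```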
Syntax
bypass-tcp-flow-setup-validation
Restrictions
Default Privilege Level: 15
Example
CBS# configure vap-group test_vap_group
CBS(conf-vap-grp)# ip-flow-rule test_flow_rule
CBS(ip-flowrule)# bypass-tcp-flow-setup-validation
CBS(ip-flowrule)#
Syntax
show
Context
You access this command from the ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the ip-flow-rule (config-vap-grp context) command to configure a specific IP flow rule for the VAP group.
Output
The output for this command has the following format:
IP Flow Rule : <IP_flow_rule_name>
VAP Group : <VAP_group_name>
Destination Address : {<IP_address> | <IP_address>/<0-32>}
Destination Address High : 255.255.255.255
Destination Port : <port_number>
Destination Port High : 65535
Source Address : {<IP_address> | <IP_address>/<0-32>}
Source Address High : 255.255.255.255
Source Port : <port_number>
Source Port High : 65535
Incoming Circuit Group : <ICG_number>
Protocol : <protocol_number>
VAP Index :
Activate (true/false) :
Priority :
Skip Protocol (true/false) :
Skip Port (true/false) :
Skip Port Protocol (true/false) :
Timeout :
Trace (true/false) :
Generate Reversed Flow (true/false) :
Direction :
Bypass-tcp-flow-setup-validation :
Core Assignment :
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading / Information Provided
IP Flow Rule
Name of the IP flow rule. See ip-flow-rule (config-vap-grp context) on page 302 for information on assigning a name to a new IP flow rule configured for a VAP group.
VAP Group
Name of the VAP group for which the IP flow rule is configured. See configure vap-group on page 173 for information on assigning a name to a new VAP group.
Destination Address
Destination IP address matching criteria for the VAP group IP flow rule. This row may display one of the following:
0.0.0.0: Default value. Defines the lowest IP address that meets the flow rule's destination IP address matching criteria. In this case, the highest matching destination IP address is 255.255.255.255. The NPM applies the IP flow rule's action without considering a packet's destination IP address.
Single, non-zero IP address: NPM applies the IP flow rule's action only to IP packets that have the specified destination IP address.
IP network address displayed in CIDR format: NPM applies the IP flow rule's action only to IP packets whose destination IP address matches one of the IP addresses that belong to the specified IP network.
See destination-addr (ip-flow-rule context) on page 315 for information on configuring destination IP address matching criteria for an IP flow rule configured for a VAP group.
Destination Address High
This row appears only if the user has not defined destination IP address matching criteria for the IP flow rule. In this case, the Destination Address is 0.0.0.0 and Destination Address High is 255.255.255.255. This indicates that the flow rule's destination IP address matching criteria includes all IP addresses from 0.0.0.0 to 255.255.255.255 (that is, all IP addresses). The NPM applies the IP flow rule's action without considering a packet's destination IP address. See destination-addr (ip-flow-rule context) on page 315 for information on configuring destination IP address matching criteria for an IP flow rule configured for a VAP group.
Destination Port
Destination port matching criteria for the IP flow rule. This row may display one of the following:
0: Default value. Defines the lowest port number that meets the IP flow rule's destination port matching criteria. In this case, the highest matching destination port number is 65535. The NPM applies the IP flow rule's action without considering a packet's destination port number.
Single, non-zero port number: NPM applies the IP flow rule's action only to IP packets that have the specified destination port number.
See destination-port (ip-flow-rule context) on page 318 for information on configuring destination port matching criteria for a system-level IP flow rule.
Destination Port High
This row appears only if the user has not defined destination port matching criteria for the IP flow rule. In this case, the Destination Port is 0 and Destination Port High is 65535. This indicates that the flow rule's destination port matching criteria includes all port numbers from 0 to 65535 (that is, all valid port numbers). The NPM applies the IP flow rule's action without considering a packet's destination port number. See destination-port (ip-flow-rule context) on page 318 for information on configuring destination port matching criteria for an IP flow rule configured for a VAP group.
Source Address
Source IP address matching criteria for the IP flow rule. This row may display one of the following:
0.0.0.0: Default value. Defines the lowest IP address that meets the IP flow rule's source IP address matching criteria. In this case, the highest matching source IP address is 255.255.255.255. The NPM applies the IP flow rule's action without considering a packet's source IP address.
Single, non-zero IP address: NPM applies the IP flow rule's action only to IP packets that have the specified source IP address.
IP network address displayed in CIDR format: NPM applies the IP flow rule's action only to IP packets whose source IP address matches one of the IP addresses that belong to the specified IP network.
See source-addr (ip-flow-rule context) on page 314 for information on configuring source IP address matching criteria for an IP flow rule configured for a VAP group.
Source Address High
This row appears only if the user has not defined source IP address matching criteria for the IP flow rule. In this case, the Source Address is 0.0.0.0 and Source Address High is 255.255.255.255. This indicates that the flow rule's source IP address matching criteria includes all IP addresses from 0.0.0.0 to 255.255.255.255 (that is, all IP addresses). The NPM applies the IP flow rule's action without considering a packet's source IP address. See source-addr (ip-flow-rule context) on page 314 for information on configuring source IP address matching criteria for an IP flow rule configured for a VAP group.
Source Port
Source port matching criteria for the IP flow rule. This row may display one of the following:
0: Default value. Defines the lowest port number that meets the IP flow rule's source port matching criteria. In this case, the highest matching source port number is 65535. The NPM applies the IP flow rule's action without considering a packet's source port number.
Single, non-zero port number: NPM applies the IP flow rule's action only to IP packets that have the specified source port number.
See source-port (ip-flow-rule context) on page 317 for information on configuring source port matching criteria for an IP flow rule configured for a VAP group.
Source Port High
This row appears only if the user has not defined source port matching criteria for the IP flow rule. In this case, the Source Port is 0 and Source Port High is 65535. This indicates that the IP flow rule's source port matching criteria includes all port numbers from 0 to 65535 (that is, all valid port numbers). The NPM applies the IP flow rule's action without considering a packet's source port number. See source-port (ip-flow-rule context) on page 317 for information on configuring source port matching criteria for an IP flow rule configured for a VAP group.
Incoming Circuit Group
Incoming circuit group (ICG) matching criteria for the IP flow rule. The NPM applies the IP flow rule's action only to IP packets with the specified ICG number. Default is 1. See incoming-circuit-group (ip-flow-rule context) on page 322 for information on setting ICG matching criteria for an IP flow rule configured for a VAP group.
Protocol
Protocol matching criteria for the IP flow rule. This row may display one of the following:
1: Default value. Defines the lowest protocol number that meets the IP flow rule's protocol matching criteria. In this case, the highest matching protocol number is 255. The NPM applies the IP flow rule's action without considering a packet's protocol number.
Single, non-zero protocol number: NPM applies the IP flow rule's action only to IP packets that have the specified protocol number.
See protocol (ip-flow-rule context) on page 319 for information on configuring protocol matching criteria for an IP flow rule configured for a VAP group.
Protocol High
This row appears only if the user has not defined protocol matching criteria for the IP flow rule. In this case, the Protocol is 1 and Protocol High is 255. This indicates that the IP flow rule's protocol matching criteria includes all protocol numbers from 1 to 255 (that is, all valid protocol numbers). The NPM applies the IP flow rule's action without considering a packet's protocol number. See protocol (ip-flow-rule context) on page 319 for information on configuring protocol matching criteria for an IP flow rule configured for a VAP group.
Domain
Domain matching criteria for the IP flow rule. This row may display one of the following:
1: Default value. Defines the lowest domain ID number that meets the IP flow rule's domain matching criteria. In this case, the highest matching domain ID number is 4095. The NPM applies the IP flow rule's action without considering a packet's domain ID number.
Single, non-zero domain ID number: NPM applies the IP flow rule's action only to IP packets that have the specified domain ID number.
See domain (ip-flow-rule context) on page 321 for information on configuring domain matching criteria for an IP flow rule configured for a VAP group.
Domain High
This row appears only if the user has not defined domain matching criteria for the IP flow rule. In this case, the Domain is 1 and Domain High is 4095. This indicates that the IP flow rule's domain matching criteria includes all domain ID numbers from 1 to 4095 (that is, all valid domain ID numbers). The NPM applies the IP flow rule's action without considering a packet's domain ID number. See domain (ip-flow-rule context) on page 321 for information on configuring domain matching criteria for an IP flow rule configured for a VAP group.
Action
Specifies the action configured for the VAP group IP flow rule (load-balance, drop, allow, pass-to-master, pass-to-vap, or broadcast). Default is drop. See the following sections for information on configuring an action for a VAP group IP flow rule:
action load-balance (ip-flow-rule context) on page 304
action drop (ip-flow-rule context) on page 305
action allow (ip-flow-rule context) on page 306
action pass-to-master (ip-flow-rule context) on page 307
action pass-to-vap (ip-flow-rule context) on page 308
action broadcast (ip-flow-rule context) on page 309
VAP Index
This row appears only if the IP flow rule's action is pass-to-vap. This row displays the VAP index number assigned to the VAP to which the NPM sends IP packets that match the conditions defined in the packet matching criteria for the IP flow rule. See action pass-to-vap (ip-flow-rule context) on page 308 for information on configuring a VAP group IP flow rule to pass IP packets to a specific VAP in the VAP group if those packets match the conditions defined in the IP flow rule's packet matching criteria.
Activate (true/false)
Indicates whether the IP flow rule is activated (t) or deactivated (f) for the VAP group. Default is deactivated (f). See activate (ip-flow-rule context) on page 330 for information on activating and deactivating an IP flow rule for a VAP group.
Priority
Priority level assigned to the VAP group IP flow rule. Default is 10, which is the lowest valid priority level. See priority (ip-flow-rule context) on page 327 for information about setting priority levels for the IP flow rules configured for a VAP group.
Skip Protocol (true/false)
Indicates whether skip-protocol is enabled (t) or disabled (f) for the IP flow rule. Default is enabled (t). See skip-port-protocol (ip-flow-rule context) on page 312 for information on enabling or disabling skip-protocol.
Skip Port (true/false)
Indicates whether skip-port is enabled (t) or disabled (f) for the IP flow rule. Default is enabled (t). See skip-port-protocol (ip-flow-rule context) on page 312 for information on enabling or disabling skip-port.
Skip Port Protocol (true/false)
Indicates whether skip-port-protocol is enabled (t) or disabled (f) for the IP flow rule. Default is enabled (t). See skip-port-protocol (ip-flow-rule context) on page 312 for information on enabling and disabling skip-port-protocol for an IP flow rule configured for a VAP group.
Timeout
Displays the idle flow timeout interval configuration for the IP flow rule. This row may display one of the following:
auto: Default value. Indicates that the NPM's IP flow classifier assigns an appropriate idle flow timeout interval to every new IP flow that meets the matching criteria defined for the IP flow rule.
Idle flow time interval keyword: A keyword that indicates the user-defined idle flow timeout interval configured for the IP flow rule. The NPM applies the user-defined idle flow timeout interval to each IP flow that meets the IP flow rule's packet matching criteria.
See timeout (ip-flow-rule context) on page 324 for information on configuring an idle flow timeout interval for an IP flow rule configured for a VAP group.
Trace (true/false)
Indicates whether packet tracing is enabled (t) or disabled (f) for IP packets that match the conditions defined in the packet matching criteria for the IP flow rule. Default is disabled (f). See trace (ip-flow-rule context) on page 326 for information on enabling and disabling packet tracing for an IP flow rule configured for a VAP group.
Generate Reversed Flow (true/false)
Indicates whether bi-directional flow matching is enabled (t) or disabled (f) for the IP flow rule. Default is disabled (f). See generate-reversed-flow (ip-flow-rule context) on page 312 for information on enabling and disabling bi-directional flow matching for an IP flow rule configured for a VAP group.
Direction
Indicates the IP flow direction matching criteria defined for the IP flow rule. This row displays one of the following keywords:
both: Default setting. Direction matching criteria includes both inbound and outbound IP flows. The NPM applies the IP flow rule to IP packets without considering whether the packet is coming into or out of the VAP group.
inbound: IP flow direction matching criteria includes only inbound IP flows. The NPM applies the IP flow rule only to IP packets coming into the VAP group.
outbound: IP flow direction matching criteria includes only outbound IP flows. The NPM applies the IP flow rule only to IP packets exiting the VAP group.
See direction (ip-flow-rule context) on page 310 for information on setting IP flow direction matching criteria for an IP flow rule configured for a VAP group.
Bypass-tcp-flow-setup-validation
Indicates whether tcp-flow-setup-validation during flow setup is enabled (t) or disabled (f) for the IP flow rule. Default is disabled (f).
Core Assignment
Indicates how packets are processed by the cores and processors on an APM for the IP flow rule. This row displays one of the following options:
random-single-core: Directs all packets in the flow to a single core.
multi-core-processing: Distributes packets across all cores on a single processor on the APM that has been selected for this flow.
multi-proc-processing: Distributes packets across all cores on all processors on the APM that has been selected for this flow.
See core-assignment (ip-flow-rule context) on page 329 for information on setting core and processor assignments for IP flows.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the ip-flow-rule context from which you can configure an existing IP flow rule called testiprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# ip-flow-rule testiprule
CBS(ip-flow-rule)#
The following command displays the configuration settings for the IP flow rule called testiprule, which is configured for the VAP group called testvapgroup.
NOTE: The example output displays the configuration settings that you would create for testiprule if you issued all the example commands that we have provided throughout this section.
CBS(ip-flow-rule)# show
IP Flow Rule : testiprule
VAP Group : testvapgroup
Destination Address : 1.1.1.35
Destination Address High : 255.255.255.255
Destination Port : 25
Destination Port High : 65535
Source Address : 1.1.1.20
Source Address High : 255.255.255.255
Source Port : 25
Source Port High : 65535
Incoming Circuit Group : 2
Protocol : 41
Protocol High : 4095
Domain : 2
Domain High : 4095
Action :
Activate (true/false) :
Priority :
Skip Protocol (true/false) :
Skip Port (true/false) :
Skip Port Protocol (true/false) :
Timeout :
Trace (true/false) :
Generate Reversed Flow (true/false) :
Direction :
Bypass-tcp-flow-setup-validation (true/false) :
Core Assignment :
(1 row)
CBS(ip-flow-rule)#
Use the show (non-ip-flow context) command to display the current configuration for the VAP group non-IP flow rule that you are configuring. Use the show non-ip-flow command to display all non-IP flow rules currently configured for VAP groups configured on the X-Series Platform.
Syntax
[no] non-ip-flow-rule <non_IP_flow_rule_name>
Parameters
The following table lists the parameters used with this command.
Parameter: <non_IP_flow_rule_name>
Description: Name assigned to the non-IP flow rule that you want to create or configure for the VAP group that you are configuring.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the config-vap-grp context in which you can configure the existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)#
The following command creates a non-IP flow rule for the VAP group called testvapgroup and places you in the context in which you can configure and activate that non-IP flow rule (called testnoniprule):
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#
Syntax
action drop
Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow-rule)#
The following command sets the action for the non-IP flow rule called testnoniprule to drop:
CBS(conf-system-non-ip-flow)# action drop
CBS(conf-system-non-ip-flow)#
The NPM drops all non-IP packets that arrive on a logical interface configured for the VAP group called testvapgroup and that match the conditions defined in the packet matching criteria for the non-IP flow rule called testnoniprule.
Syntax
action pass-to-master
Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command and then entering non-ip-flow-rule <non_ip_flow_rule_name>.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the non-ip-flow context in which you can configure the non-IP flow rule called testipflow:
CBS# configure vap-group vapgrp1
CBS(conf-vap-grp)# non-ip-flow-rule testipflow
CBS(non-ip-flow)#
The following command sets the action for the non-IP flow rule called testipflow to pass-to-master:
CBS(non-ip-flow)# action pass-to-master
CBS(non-ip-flow)#
When the NPM encounters a non-IP packet that meets the packet-matching criteria defined for the non-IP flow rule called testipflow, the NPM passes that non-IP packet to the master VAP in the associated VAP group.
Syntax
action broadcast
no action
Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#
The following command sets the action for the non-IP flow rule called testnoniprule to broadcast:
CBS(non-ip-flow)# action broadcast
CBS(non-ip-flow)#
When the NPM encounters a non-IP packet arriving on a logical interface configured for the VAP group called testvapgroup, if that non-IP packet matches the conditions defined in the packet matching criteria for the non-IP flow rule called testnoniprule, the NPM passes that non-IP packet to every VAP in the VAP group.
Syntax
encapsulation ethernet {any | type <Ethernet_protocol_number>}
Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the flow rule's destination Ethernet protocol matching criteria to any Ethernet protocol number. The NPM applies the non-IP flow rule's action to all Ethernet encapsulated packets arriving on the VAP group's logical interfaces. This is the default behavior for all VAP group non-IP flow rules configured with the link encapsulation type, ethernet.
Parameter: type <Ethernet_protocol_number>
Description: Configures the non-IP flow rule's destination Ethernet protocol matching criteria to include only the specified Ethernet protocol number. The NPM applies the non-IP flow rule's action only to Ethernet encapsulated packets whose destination Ethernet protocol number matches the specified Ethernet protocol number. Valid values are from 1519 to 65535, except for 2048 and 2054.
Restrictions
Default Privilege Level: 15
2048 and 2054 are not valid values for destination Ethernet protocol matching criteria for Ethernet encapsulation non-IP flow rules.
Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#
The following command sets the link encapsulation type for the non-IP flow rule called testnoniprule to ethernet and configures the flow rule's destination Ethernet protocol matching criteria to include only Ethernet protocol number 2000:
CBS(non-ip-flow)# encapsulation ethernet type 2000
CBS(non-ip-flow)#
The NPM applies the non-IP flow rule called testnoniprule only to Ethernet encapsulated packets that arrive on logical interfaces configured for the VAP group called testvapgroup and that have destination Ethernet protocol number 2000.
Syntax
encapsulation lsap {any | dsap <DSAP_number> ssap <SSAP_number>}
Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the non-IP flow rule's DSAP and SSAP matching criteria to any destination service access point number and any source service access point number. The NPM applies the non-IP flow rule's action to all LSAP encapsulated packets arriving on the VAP group's logical interfaces. This is the default behavior for all VAP group non-IP flow rules configured with the link encapsulation type, lsap.
Parameter: dsap <DSAP_number>
Description: Configures the flow rule's Destination Service Access Point (DSAP) matching criteria to include only the specified DSAP number. The NPM applies the non-IP flow rule's action only to LSAP encapsulated packets whose DSAP number matches the specified DSAP number. Valid values are from 0 to 255.
Parameter: ssap <SSAP_number>
Description: Configures the flow rule's Source Service Access Point (SSAP) matching criteria to include only the specified SSAP number. The NPM applies the non-IP flow rule's action only to LSAP encapsulated packets whose SSAP number matches the specified SSAP number. Valid values are from 0 to 255.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#
The following command sets the link encapsulation type for the non-IP flow rule called testnoniprule to lsap, configures the flow rule's DSAP matching criteria to include only DSAP number 10, and configures the flow rule's SSAP matching criteria to include only SSAP number 15:
CBS(non-ip-flow)# encapsulation lsap dsap 10 ssap 15
CBS(non-ip-flow)#
The NPM applies the non-IP flow rule called testnoniprule only to LSAP encapsulated packets that arrive on a logical interface configured for the VAP group called testvapgroup and that have Destination Service Access Point number 10 and Source Service Access Point number 15.
Syntax
encapsulation snap {any | type <Ethernet_protocol_number> [oui <OUI_number>]}
Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter: any
Description: Sets the non-IP flow rule's destination Ethernet protocol matching criteria to any Ethernet protocol number and sets the OUI matching criteria to 0. (No OUI matching criteria are used.) The NPM applies the non-IP flow rule's action to all SNAP encapsulated packets arriving on the VAP group's logical interfaces. This is the default behavior for all VAP group non-IP flow rules configured with the link encapsulation type, snap.
Parameter: type <Ethernet_protocol_number>
Description: Configures the flow rule's destination Ethernet protocol matching criteria to include only the specified Ethernet protocol number. The NPM applies the non-IP flow rule's action only to SNAP encapsulated packets whose destination Ethernet protocol number matches the specified Ethernet protocol number. Valid values are from 1519 to 65535.
Parameter: oui <OUI_number>
Description: Configures the flow rule's Organization Unique Identifier (OUI) matching criteria to include only the specified OUI number. The NPM applies the non-IP flow rule's action only to SNAP encapsulated packets whose OUI number matches the specified OUI number. Valid values are from 0-16777215. Default is 0. (Do not include OUI number matching criteria in the packet matching criteria definition.)
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#
The following command sets the link encapsulation type for the non-IP flow rule called testnoniprule to snap, configures the flow rule's destination Ethernet protocol matching criteria to include only Ethernet protocol number 2000, and configures the flow rule's OUI matching criteria to include only OUI number 10:
CBS(non-ip-flow)# encapsulation snap type 2000 oui 10
CBS(non-ip-flow)#
The NPM applies the non-IP flow rule called testnoniprule only to SNAP encapsulated packets that arrive on a logical interface configured for the VAP group called testvapgroup and that have destination Ethernet protocol number 2000 and Organization Unique Identifier 10.
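The packet matching criteria described for the encapsulation ethernet, encapsulation lsap and encapsulation snap commands can be modelled offline to check which frames a rule would select before it is activated. The following Python is an added example, not XOS code: NonIpRule, rule_errors, classify and matches are hypothetical names, the frames are constructed, and treating length/type values up to 1500 as LLC lengths (IEEE 802.3) and values from 1519 up as types (the guide's lower bound) is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional

TYPE_MIN, TYPE_MAX = 1519, 65535   # "type" range given in the guide
ETHERNET_EXCLUDED = (2048, 2054)   # not valid for ethernet rules (guide)
OUI_MAX = 16777215                 # upper OUI bound given in the guide
MAX_LENGTH_FIELD = 1500            # assumption: IEEE 802.3 length limit


@dataclass(frozen=True)
class NonIpRule:
    """Hypothetical model of one rule's packet matching criteria."""
    encapsulation: str               # "ethernet", "lsap" or "snap"
    eth_type: Optional[int] = None   # None models the "any" keyword
    dsap: Optional[int] = None
    ssap: Optional[int] = None
    oui: int = 0                     # 0 means no OUI matching (guide default)


def rule_errors(rule: NonIpRule) -> List[str]:
    """Return the guide's restrictions that the rule violates (empty if none)."""
    if rule.encapsulation not in ("ethernet", "lsap", "snap"):
        return ["encapsulation must be ethernet, lsap or snap"]
    errors = []
    if rule.encapsulation == "lsap":
        if rule.eth_type is not None or rule.oui:
            errors.append("lsap rules take dsap/ssap, not type/oui")
        if (rule.dsap is None) != (rule.ssap is None):
            errors.append("dsap and ssap must be given together")
        for name, sap in (("dsap", rule.dsap), ("ssap", rule.ssap)):
            if sap is not None and not 0 <= sap <= 255:
                errors.append(f"{name} must be 0-255")
        return errors
    if rule.dsap is not None or rule.ssap is not None:
        errors.append("dsap/ssap apply only to lsap rules")
    if rule.eth_type is not None and not TYPE_MIN <= rule.eth_type <= TYPE_MAX:
        errors.append("type must be 1519-65535")
    if rule.encapsulation == "ethernet":
        if rule.eth_type in ETHERNET_EXCLUDED:
            errors.append("2048 and 2054 are not valid for ethernet rules")
        if rule.oui:
            errors.append("oui applies only to snap rules")
    elif not 0 <= rule.oui <= OUI_MAX:
        errors.append("oui must be 0-16777215")
    elif rule.oui and rule.eth_type is None:
        errors.append("oui is only accepted after type")
    return errors


def classify(frame: bytes) -> dict:
    """Return the link encapsulation and match fields of one raw frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    field = int.from_bytes(frame[12:14], "big")
    if field >= TYPE_MIN:
        return {"encapsulation": "ethernet", "eth_type": field}
    if field > MAX_LENGTH_FIELD:
        raise ValueError("value is neither a length nor an accepted type")
    if len(frame) < 17:
        raise ValueError("truncated LLC header")
    dsap, ssap, control = frame[14], frame[15], frame[16]
    if (dsap, ssap, control) == (0xAA, 0xAA, 0x03):   # LLC header announcing SNAP
        if len(frame) < 22:
            raise ValueError("truncated SNAP header")
        return {"encapsulation": "snap",
                "oui": int.from_bytes(frame[17:20], "big"),
                "eth_type": int.from_bytes(frame[20:22], "big")}
    return {"encapsulation": "lsap", "dsap": dsap, "ssap": ssap}


def matches(rule: NonIpRule, frame: bytes) -> bool:
    """True if the frame meets the rule's encapsulation and match criteria."""
    errors = rule_errors(rule)
    if errors:
        raise ValueError("; ".join(errors))
    info = classify(frame)
    if info["encapsulation"] != rule.encapsulation:
        return False
    if rule.encapsulation == "lsap":
        wanted = (rule.dsap, rule.ssap)
        return rule.dsap is None or (info["dsap"], info["ssap"]) == wanted
    if rule.eth_type is not None and info["eth_type"] != rule.eth_type:
        return False
    return (rule.encapsulation == "ethernet" or rule.oui == 0
            or info["oui"] == rule.oui)


# Constructed sample frames (destination MAC, source MAC, then the header fields
# used in the guide's examples: type 2000, dsap 10 / ssap 15, OUI 10).
MACS = bytes.fromhex("020000000001" "020000000002")
ETH_2000 = MACS + (2000).to_bytes(2, "big") + b"payload"
LSAP_10_15 = MACS + (10).to_bytes(2, "big") + bytes([10, 15, 0x03]) + b"payload"
SNAP_2000_OUI10 = (MACS + (15).to_bytes(2, "big") + bytes([0xAA, 0xAA, 0x03])
                   + (10).to_bytes(3, "big") + (2000).to_bytes(2, "big")
                   + b"payload")
```

Running a proposed rule through rule_errors and matches against captured frames shows how much traffic an any rule with action broadcast or pass-to-master would cover compared with a rule narrowed by type, dsap/ssap or oui.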
Syntax
[no] core-assignment {random-single-core | multi-core-processing | multi-proc-processing}
Context
You access this command from the non-ip-flow-rule context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.
Parameters
The following table lists the parameters used with this command.
Parameter: random-single-core
Description: Directs all packets of a non-IP flow to a single core on the APM that has been selected for this flow.
Parameter: multi-core-processing
Description: Distributes packets of a non-IP flow across all cores on a single processor on the APM that has been selected for this flow.
Parameter: multi-proc-processing
Description: Distributes packets across all cores on all processors on the APM that has been selected for this flow.
Restrictions
Default Privilege Level: 15
Example
In this example, the X-Series Platform system administrator wants to configure flow provisioning for the VAP group called testvapgroup so that all cores on the APM processor selected for the flow are used.
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)# core-assignment multi-core-processing
CBS(non-ip-flow)# end
CBS#
Syntax
[no] activate
Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#
The following command activates the non-IP flow rule called testnoniprule for the VAP group called testvapgroup:
CBS(non-ip-flow)# activate
CBS(non-ip-flow)#
The NPM now applies this non-IP flow rule's action to all new non-IP flows that arrive on logical interfaces configured for the VAP group called testvapgroup, that use the flow rule's link encapsulation type, and that match the conditions defined in the flow rule's packet matching criteria.
Syntax
show
Context
You access this command from the non-ip-flow context. You access this context from the main CLI context by issuing the configure vap-group command to configure a specific VAP group and then issuing the non-ip-flow-rule (config-vap-grp context) command to configure a specific non-IP flow rule for the VAP group.
Output
This command displays information about a VAP group non-IP flow rule using one of the following formats:
Output for VAP group non-IP flow rules with a link encapsulation type, ethernet:
Non IP Flow Rule       : <non_IP_flow_rule_name>
VAP Group              : <VAP_group_name>
Encapsulation          : ethernet
Type                   : <destination_Ethernet_protocol_number>
Action                 : {drop | broadcast | pass-to-master}
Activate (true/false)  : {t | f}
Core Assignment        : <core_assignment_method>
(1 row)
Output for VAP group non-IP flow rules with a link encapsulation type, lsap:
Non IP Flow Rule       : <non_IP_flow_rule_name>
VAP Group              : <VAP_group_name>
Encapsulation          : lsap
Type                   : 10/15 (dsap/ssap)
Action                 : {drop | broadcast | pass-to-master}
Activate (true/false)  : {t | f}
Core Assignment        : <core_assignment_method>
(1 row)
Output for VAP group non-IP flow rules with a link encapsulation type, snap:
Non IP Flow Rule       : <non_IP_flow_rule_name>
VAP Group              : <VAP_group_name>
Encapsulation          : snap
Type                   : <destination_Ethernet_protocol_number>
OUI                    : <OUI_number>
Action                 : {drop | broadcast | pass-to-master}
Activate (true/false)  : {t | f}
Core Assignment        : <core_assignment_method>
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading: Non IP Flow Rule
Information Provided: Name assigned to the non-IP flow rule. See configure system-non-ip-flow-rule on page 287 for information on assigning a name to a new system-level non-IP flow rule.
Column/Row Heading: VAP Group
Information Provided: Name assigned to the VAP group for which the non-IP flow rule is configured. See configure vap-group on page 173 for information on assigning a name to a new VAP group.
Column/Row Heading: Encapsulation
Information Provided: Link encapsulation type (ethernet, lsap, or snap) defined for the non-IP flow rule. Default is ethernet. Refer to the following three sections for information about each link encapsulation type:
encapsulation ethernet (non-ip-flow context) on page 345
encapsulation lsap (non-ip-flow context) on page 346
encapsulation snap (non-ip-flow context) on page 348
Column/Row Heading: Type
Information Provided: Destination Ethernet protocol matching criteria defined for the VAP group non-IP flow rule. This row displays one of the following types of destination Ethernet protocol matching criteria:
any: Default setting. Destination Ethernet protocol matching criteria is set to any Ethernet protocol number. The NPM applies the non-IP flow rule's action to all Ethernet encapsulated packets or all SNAP encapsulated packets arriving on the VAP group's logical interfaces.
User-defined destination Ethernet protocol number: Destination Ethernet protocol matching criteria includes only the specified Ethernet protocol number. NPM applies the non-IP flow rule's action only to Ethernet or SNAP encapsulated packets with the specified destination Ethernet protocol number.
See encapsulation ethernet (non-ip-flow context) on page 345 for information on setting destination Ethernet protocol matching criteria for Ethernet encapsulation non-IP flow rules configured for a VAP group. See encapsulation snap (non-ip-flow context) on page 348 for information on setting destination Ethernet protocol matching criteria for SNAP encapsulation non-IP flow rules configured for a VAP group.
Column/Row Heading: Type
Information Provided: Destination Service Access Point (DSAP) and Source Service Access Point (SSAP) matching criteria defined for the VAP group non-IP flow rule. This row displays one of the following types of DSAP and SSAP matching criteria:
any: Default setting. DSAP matching criteria is set to any DSAP number, and SSAP matching criteria is set to any SSAP number. The NPM applies the non-IP flow rule's action to all LSAP encapsulated packets arriving on the VAP group's logical interfaces.
User-defined DSAP and SSAP numbers: DSAP and SSAP matching criteria include only the specified DSAP and SSAP numbers. NPM applies the non-IP flow rule's action only to LSAP encapsulated packets with the specified DSAP and SSAP numbers.
See encapsulation lsap (non-ip-flow context) on page 346 for information on setting DSAP and SSAP matching criteria for LSAP encapsulation non-IP flow rules configured for a VAP group.
Column/Row Heading: OUI
Information Provided: Organization Unique Identifier (OUI) matching criteria defined for the VAP group non-IP flow rule. NPM applies the non-IP flow rule's action only to SNAP encapsulated packets with the specified OUI number. NOTE: This row appears only if OUI matching criteria is defined for the non-IP flow rule. See encapsulation snap (non-ip-flow context) on page 348 for information on setting OUI matching criteria for SNAP encapsulation non-IP flow rules configured for a VAP group.
Column/Row Heading: Action
Information Provided: Specifies the action for the VAP group's non-IP flow rule (drop or broadcast). Default is drop. Refer to the following sections for information about these actions:
action drop (non-ip-flow context) on page 342
action broadcast (non-ip-flow context) on page 343
action pass-to-master (non-ip-flow context) on page 342
Column/Row Heading: Activate (true/false)
Information Provided: Specifies whether the VAP group non-IP flow rule is activated (t) or deactivated (f). Default is deactivated (f). See activate (non-ip-flow context) on page 351 for information on enabling and disabling non-IP flow rules configured for a VAP group.
Restrictions
Default Privilege Level: 15
Examples
The following commands place you in the non-ip-flow context from which you can configure an existing non-IP flow rule called testnoniprule for an existing VAP group called testvapgroup:
CBS# configure vap-group testvapgroup
CBS(config-vap-grp)# non-ip-flow-rule testnoniprule
CBS(non-ip-flow)#
The following command displays configuration settings for the non-IP flow rule called testnoniprule, with that flow rule configured for Ethernet link encapsulation:
CBS(non-ip-flow)# show
Non IP Flow Rule       : testnoniprule
VAP Group              : testvapgroup
Encapsulation          : ethernet
Type                   : 2000
Action                 : drop
Activate (true/false)  : t
(1 row)
The following command displays configuration settings for the non-IP flow rule called testnoniprule, with that flow rule configured for LSAP link encapsulation:
CBS(non-ip-flow)# show
Non IP Flow Rule       : testnoniprule
VAP Group              : testvapgroup
Encapsulation          : lsap
Type                   : 10/15 (dsap/ssap)
Action                 : drop
Activate (true/false)  : t
(1 row)
The following command displays configuration settings for the system-level non-IP flow rule called testnoniprule, with that flow rule configured for SNAP link encapsulation:
CBS(non-ip-flow)# show
Non IP Flow Rule       : testnoniprule
VAP Group              : testvapgroup
Encapsulation          : snap
Type                   : 2000
OUI                    : 10
Action                 : drop
Activate (true/false)  : t
(1 row)
By default, this command lists the active flows in the order in which they appear in the AFT. Use the sort parameter to sort the list of flows, as described in Parameters on page 358.
Syntax
show flow active [verbose] [poll <polling_interval>]
[source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
[destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
[source-port {<port_number> | <lowest_port_number> <highest_port_number>}]
[destination-port {<port_number> | <lowest_port_number> <highest_port_number>}]
[protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}]
[domain {<domain_ID> | <lowest_domain_ID> <highest_domain_ID>}]
[circuit-id {<cct_ID_number> | <lowest_cct_ID_number> <highest_cct_ID_number>}]
[module {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}]
[master-npm {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}]
[fast-path-only] [sort] [validated | validation-pending | no-validation]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: verbose
Description: Changes the format in which the CLI displays the output of the command and displays additional information about flows sent to a VAP in a VAP group. See Default Output on page 361 for more details.
Parameter: poll <polling_interval>
Description: Polls the NPMs continuously and displays updated information every <polling_interval> seconds. NOTE: Press Ctrl-y to stop polling the NPMs and return to the CLI prompt. Valid values for <polling_interval> are from 1-3600.
Parameter: source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}
Description: Filters the command output using the specified source IP address matching criteria. Specify a single IP address to display information only about active flows that have the specified source IP address. Specify a range of IP addresses to display information only about active flows whose source IP addresses are within the specified range.
Parameter: destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}
Description: Filters the command output using the specified destination IP address matching criteria. Specify a single IP address to display information only about active flows that have the specified destination IP address. Specify a range of IP addresses to display information only about active flows whose destination IP addresses are within the specified range.
Parameter: source-port {<port_number> | <lowest_port_number> <highest_port_number>}
Description: Filters the command output using the specified source port matching criteria. Specify a single port number to display information only about active flows that have the specified source port number. Specify a range of port numbers to display information only about active flows whose source port numbers are within the specified range.
Parameter: destination-port {<port_number> | <lowest_port_number> <highest_port_number>}
Description: Filters the command output using the specified destination port matching criteria. Specify a single port number to display information only about active flows that have the specified destination port number. Specify a range of port numbers to display information only about active flows whose destination port numbers are within the specified range.
Parameter: protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}
Description: Filters the command output using the specified protocol matching criteria. Specify a single protocol number to display information only about active flows that have the specified protocol number. Specify a range of protocol numbers to display information only about active flows whose protocol numbers are within the specified range.
Parameter: domain {<domain_ID> | <lowest_domain_ID> <highest_domain_ID>}
Description: Filters the command output using the specified domain matching criteria. Specify a single domain ID number to display information only about active flows received on circuits with the specified domain ID number. Specify a range of domain ID numbers to display information only about active flows received on circuits whose domain ID numbers are within the specified range. Use the show circuit command to display the domain ID numbers assigned to circuits configured on the X-Series Platform.
NOTE: By default, XOS assigns all new circuits to domain number 1. You can assign a circuit to a different domain by specifying the domain parameter with the configure circuit command. If you assign a single domain ID to all of the circuits configured for a VAP group, you can use the show flow active command to monitor the status of all of the flows that arrive on that VAP group. This is particularly useful when monitoring flows that pass through multiple, serialized VAP groups, since you can assign a unique domain ID to each VAP group's circuits.
Parameter: circuit-id {<cct_ID_number> | <lowest_cct_ID_number> <highest_cct_ID_number>}
Description: Filters the command output using the specified circuit ID matching criteria. Specify a single circuit ID number to display information only about active flows received on the circuit with the specified circuit ID number. Specify a range of circuit ID numbers to display information only about active flows received on the circuits whose circuit ID numbers are within the specified range. Use the show circuit command to display the circuit ID numbers assigned to circuits configured on the X-Series Platform.
NOTE: XOS assigns a default circuit ID number to every new circuit. You can assign a new circuit ID number to a circuit by specifying the circuit-id parameter with the configure circuit command.
Parameter: module {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}
Description: Filters the command output using the specified originating NPM matching criteria. Specify a single NPM slot number to display information only about active flows that originate on the NPM with the specified slot number. Specify a range of NPM slot numbers to display information only about active flows that originate on the NPMs whose slot numbers are within the specified range.
Parameter: master-npm {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}
Description: Filters the command output using the specified master NPM matching criteria. Specify a single NPM slot number to display information only about active flows whose master NPM has the specified slot number. Specify a range of NPM slot numbers to display information only about active flows whose master NPM has a slot number within the specified range.
Parameter: fast-path-only
Description: Filters the command output to display information only about active flows that originate on an NPM and are processed using the Fast Path. NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.
Parameter: sort
Description: Sorts the list of active flows that the command displays, using the following criteria, in the order shown. The CLI sorts the list of flows:
1. first by destination IP address
2. then by source IP address
3. then by protocol number
4. then by destination port
5. then by source port
Parameter: validated
Description: Displays flows that have been validated by the TCP flow setup validation scheme.
Parameter: validation-pending
Description: Displays flows that are subject to validation but have not yet been validated by the TCP flow setup validation scheme.
Parameter: no-validation
Description: Displays flows that are not subject to the TCP flow setup validation scheme. Included are non-TCP flows.
Default Output
By default, the show flow active command displays information in a table, using the following format:
Module               Source         Destination    Prot   Dom   TTI/MAX
<NPM_or_VAP_name1>   <IP>:<port>    <IP>:<port>    <#>
<NPM_or_VAP_name2>   <IP>:<port>    <IP>:<port>    <#>
The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing. The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.
The following table describes the information provided in each column/row/field in the command output.
Column/Row Heading or Field: Module <NPM_or_VAP_nameN>
Information Provided: Name of the NPM or VAP from which the flow originates.
An NPM name has the format: np<NPM_slot_number>
Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.
A VAP name has the format: <VAP_group_name>_<VAP_index_number>
Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
Column/Row Heading or Field: Source <IP>:<port>
Information Provided: Source IP address and source port number for the flow.
Column/Row Heading or Field: Destination <IP>:<port>
Information Provided: Destination IP address and destination port number for the flow.
Column/Row Heading or Field: Prot <#>
Information Provided: Numeric identifier for the protocol that the flow uses.
Column/Row Heading or Field: Dom <ID#>
Information Provided: Domain ID number assigned to the circuit on which the originating NPM or VAP receives the flow.
Column/Row Heading or Field: TTI/MAX <mm:ss>/<mm:ss>
Information Provided:
TTI: Time to idle: the amount of time that the flow can remain idle before the NPM deletes that flow from the AFT.
MAX: Maximum idle time: the maximum amount of time that the flow can be idle before the NPM deletes that flow from the AFT.
Both TTI and MAX are displayed in minutes and seconds, using the format, mm:ss. For example, 8 minutes and 7 seconds has the format, 08:07. TTI is equal to MAX when the flow is active. When the flow becomes idle, TTI begins to count down to 00:00. If TTI reaches 00:00 before the flow becomes active again, the NPM deletes the flow from the AFT.
Name(s) of the VAPs to which the originating NPM or VAP transfers the flow.
Column/Row Heading or Field: {Re-routing | Drop(<drop_reason_ID>)}
Information Provided: Indicates one of the following:
Re-routing: Originating NPM or VAP re-routes the flow to an external system.
Drop(<drop_reason_ID>): Originating NPM or VAP drops the flow for the reason specified by <drop_reason_ID>. Possible values for <drop_reason_ID> are:
No L2 policy match: There are no non-IP flow rules that apply to this layer 2 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
No L3 policy match: There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
L3 drop policy: This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
PS2Master failed: A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
PS2IDX failed: A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
Load-balance failed: A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
Broadcast failed: A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
No Reason: One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.
Information Provided: Circuit ID number assigned to the circuit on which the flow is received. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.
Information Provided: Master NPM assigned to the flow.
Column/Row Heading or Field: Fast Path Y
Information Provided: Indicates that the flow originates on an NPM and that the NPM processes the flow using the Fast Path. NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.
Column/Row Heading or Field: rx packets <#>
Information Provided: Number of packets that the originating NPM or VAP has received as part of this flow.
Verbose Output
The verbose output for this command has the following format:
<NPM_or_VAP_Name1> Source Addr <IP_address>, Destination Addr <IP_address> Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#> TTI <tti_mm:ss> out of <max_mm:ss> configured Modules <VAP_name1>, <VAP_name2> ... Rx Available Slots <VAP_name1>, <VAP_name2> ... Ageout <#_of_seconds> rx circuit <ID#> Master <NPM_name> Fast Path {Y|N} rx packets <#>
<NPM_or_VAP_Name2> Source Addr <IP_address>, Destination Addr <IP_address> Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#> TTI <tti_mm:ss> out of <max_mm:ss> configured {Re-routing | Drop(<drop_reason_ID>)} Rx Available Slots <VAP_name1>, <VAP_name2> ... Ageout <#_of_seconds> rx circuit <ID#> Master <NPM_name> Fast Path {Y|N} rx packets <#>
The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing. The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.
The following table describes the information provided in each column/row/field in the command output. Column/Row Heading or Field <NPM_or_VAP_nameN> Information Provided Name of the NPM or VAP from which the flow originates. An NPM name has the format: np<NPM_slot_number> Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform. A VAP name has the format: <VAP_group_name>_<VAP_index_number> Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform. Source Addr <IP_address> Destination Addr <IP_address> Protocol <prot_name> (<#>) Source IP address for the flow. Destination IP address for the flow. Name of the protocol that the flow uses and the numeric identifier for that protocol. For example, if the flow uses UDP, this field displays: Protocol udp (17) Dest Port {<#> | <port_prot>(<#>)} Destination port number for the flow or destination port protocol and port number for the flow. NOTE: Destination port protocol appears only if the destination port has a standard protocol. For example, if the destination port is 80, this field displays: Dest Port http (80) Source Port {<#> | <port_prot>(<#>)} Source port number for the flow or source port protocol and port number for the flow. NOTE: Source port protocol appears only if the source port has a standard protocol. For example, if the source port is 80, this field displays: Dest Port http (80) Domain <ID#> Domain ID number assigned to the circuit on which the originating NPM or VAP receives the flow.
TTI <tti_mm:ss> out of <max_mm:ss> configured
    <tti_mm:ss> Time to idle (TTI): the amount of time that the flow can remain idle before the NPM deletes that flow from the AFT.
    <max_mm:ss> Maximum idle time: the maximum amount of time that the flow can be idle before the NPM deletes that flow from the AFT.
    Both TTI and maximum idle time are displayed in minutes and seconds, using the format mm:ss. For example, 8 minutes and 7 seconds has the format 08:07.
    TTI is equal to maximum idle time when the flow is active. When the flow becomes idle, TTI begins to count down to 00:00. If TTI reaches 00:00 before the flow becomes active again, the NPM deletes the flow from the AFT.
Modules <VAP_name1>, <VAP_name2> ...
    Name(s) of the VAPs to which the originating NPM or VAP transfers the flow.
{Re-routing | Drop(<drop_reason_ID>)}
    Indicates one of the following:
    Re-routing
        Originating NPM or VAP re-routes the flow to an external system.
    Drop(<drop_reason_ID>)
        Originating NPM or VAP drops the flow for the reason specified by <drop_reason_ID>. Possible values for <drop_reason_ID> are:
        No L2 policy match
            There are no non-IP flow rules that apply to this layer 2 flow.
            NOTE: Circuit information is not displayed for flows with this drop reason ID.
        No L3 policy match
            There are no IP flow rules that apply to this layer 3 flow.
            NOTE: Circuit information is not displayed for flows with this drop reason ID.
        L3 drop policy
            This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
        PS2Master failed
            A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
        PS2IDX failed
            A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
        Load-balance failed
            A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
        Broadcast failed
            A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
        No Reason
            One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.
Rx Available Slots <VAP_name1>, <VAP_name2> ...
    VAPs that can be used to transmit packets.
Ageout <#_of_seconds>
    Number of seconds the flow will remain in the active flow table.
rx circuit <ID#>
    Circuit ID number assigned to the circuit on which the flow is received. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.
Master <NPM_name>
    Master NPM assigned to the flow.
Fast Path
    Y  Indicates that the flow originates on an NPM and that the NPM processes the flow using the Fast Path.
    NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.
rx packets <#>
    Number of packets that the originating NPM or VAP has received as part of this flow.
Restrictions
Default Privilege Level: 0
Examples
Example 1: Displaying all Active Flows Using the Default Command Output Format
The following command displays information about all active flows on an X-Series Platform on which a VAP group called testvapgroup is currently running a firewall application:

    CBS# show flow active
    This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
    Module          Source        Destination   Prot  Dom  TTI/MAX
    testvapgroup_1  0.0.0.0:8116  3.3.3.0:8116  17    1    01:00/01:00
      rx packets 732
                                                           00:25/00:30
      rx packets 0
    np3                                                    09:12/10:00
      rx packets 24
Example 2: Filtering the Default Command Output Format
The following command displays information only about the active flows using protocol 17:

    CBS# show flow active protocol 17
    This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
    Module          Source        Destination   Prot  Dom  TTI/MAX
    testvapgroup_1  0.0.0.0:8116  3.3.3.0:8116  17    1    01:00/01:00
      Modules testvapgroup_2, testvapgroup_3  rx circuit 1026  Master np1  Fast Path N  rx packets 732
    CBS#
Example 3: Displaying all Active Flows Using the Verbose Command Output Format
The following command displays information about all active flows on an X-Series Platform on which a VAP group called testvapgroup is currently running a firewall application:

    CBS# show flow active verbose
    This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
    testvapgroup_1
      Source Addr 0.0.0.0, Destination Addr 3.3.3.0
      Protocol udp (17), Dest Port 8116, Source Port 8116, Domain 1
      TTI 01:00 out of 01:00 configured
      Modules testvapgroup_2, testvapgroup_3
      Rx Available Slots testvapgroup_1
      Ageout 60
      rx circuit 1026
      Master np1
      Fast Path N
      rx packets 856
    testvapgroup_1
      Source Addr 3.3.3.6, Destination Addr 224.0.0.22
      Protocol tcp (6), Dest Port 0, Source Port 0, Domain 1
      TTI 00:15 out of 00:30 configured
      Drop(No reason)
      rx circuit 1026
      Master np1
      Fast Path N
      rx packets 0
    np3
      Source Addr 192.168.5.1, Destination Addr 192.168.5.4:397
      Protocol tcp (6), Dest Port 397, Source Port 257, Domain 1
      TTI 10:00 out of 10:00 configured
      Modules testvapgroup_1
      Rx Available Slots testvapgroup_2, testvapgroup_3
      Ageout 88
      rx circuit 1025
      Master np1
      Fast Path Y
      rx packets 934
    CBS#
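When the verbose output is captured for monitoring, the Drop(<drop_reason_ID>) field separates flows dropped by policy from flows dropped because the target VAPs were not in the Active state. The following Python code is an added example, not part of the XOS documentation: it parses captured verbose records and classifies each drop. The function names and class labels are hypothetical, the line breaks in the sample are an assumption (the parser does not depend on them), and the fourth sample record is constructed.

```python
import re
from collections import Counter

# Constructed sample: the three records of Example 3 plus one constructed
# record (the last) that carries a forwarding-failure drop reason.
SAMPLE = """\
testvapgroup_1
Source Addr 0.0.0.0, Destination Addr 3.3.3.0
Protocol udp (17), Dest Port 8116, Source Port 8116, Domain 1
TTI 01:00 out of 01:00 configured
Modules testvapgroup_2, testvapgroup_3
Rx Available Slots testvapgroup_1
Ageout 60 rx circuit 1026 Master np1 Fast Path N rx packets 856
testvapgroup_1
Source Addr 3.3.3.6, Destination Addr 224.0.0.22
Protocol tcp (6), Dest Port 0, Source Port 0, Domain 1
TTI 00:15 out of 00:30 configured
Drop(No reason)
rx circuit 1026 Master np1 Fast Path N rx packets 0
np3
Source Addr 192.168.5.1, Destination Addr 192.168.5.4:397
Protocol tcp (6), Dest Port 397, Source Port 257, Domain 1
TTI 10:00 out of 10:00 configured
Modules testvapgroup_1
Rx Available Slots testvapgroup_2, testvapgroup_3
Ageout 88 rx circuit 1025 Master np1 Fast Path Y rx packets 934
np3
Source Addr 192.168.5.9, Destination Addr 192.168.5.4
Protocol tcp (6), Dest Port http (80), Source Port 4021, Domain 1
TTI 00:20 out of 00:30 configured
Drop(PS2Master failed)
rx circuit 1025 Master np1 Fast Path N rx packets 3
"""

# One record runs from the originating module name to its "rx packets" counter.
RECORD = re.compile(
    r"(?P<origin>\S+)\s+"
    r"Source Addr (?P<src>[^,\s]+), Destination Addr (?P<dst>\S+)\s+"
    r"Protocol (?P<proto>\S+) \((?P<proto_num>\d+)\), "
    r"Dest Port (?P<dport>[^,]+), Source Port (?P<sport>[^,]+), "
    r"Domain (?P<domain>\d+)\s+"
    r"TTI (?P<tti>\d\d:\d\d) out of (?P<max>\d\d:\d\d) configured\s+"
    r"(?P<body>.*?)rx packets (?P<rx_packets>\d+)",
    re.DOTALL,
)

# Drop reasons as listed in the field table, grouped by what they indicate.
POLICY = {"no l2 policy match", "no l3 policy match", "l3 drop policy"}
VAP_UNAVAILABLE = {"ps2master failed", "ps2idx failed",
                   "load-balance failed", "broadcast failed"}


def mmss_to_seconds(value):
    """Convert the mm:ss notation used for TTI and maximum idle time."""
    minutes, seconds = value.split(":")
    return int(minutes) * 60 + int(seconds)


def parse_flows(text):
    """Return one dict per flow record found in verbose output."""
    flows = []
    for match in RECORD.finditer(text):
        flow = match.groupdict()
        body = flow.pop("body")
        drop = re.search(r"Drop\(([^)]*)\)", body)
        if drop:
            flow["disposition"], flow["drop_reason"] = "drop", drop.group(1).strip()
        elif "Re-routing" in body:
            flow["disposition"], flow["drop_reason"] = "re-route", None
        else:
            flow["disposition"], flow["drop_reason"] = "forward", None
        # TTI counts down from the maximum once the flow goes idle.
        flow["idle_seconds"] = mmss_to_seconds(flow.pop("max")) - mmss_to_seconds(flow["tti"])
        flow["rx_packets"] = int(flow["rx_packets"])
        flows.append(flow)
    return flows


def drop_class(flow):
    """Classify a dropped flow; returns None for flows that were not dropped."""
    if flow["disposition"] != "drop":
        return None
    reason = flow["drop_reason"].casefold()  # the example prints "No reason"
    if reason in VAP_UNAVAILABLE:
        return "vap-unavailable"
    if reason in POLICY:
        return "policy"
    return "no-reason" if reason == "no reason" else "unknown"


def drop_summary(flows):
    """Count dropped flows per class."""
    return Counter(c for c in map(drop_class, flows) if c is not None)


if __name__ == "__main__":
    for f in parse_flows(SAMPLE):
        print(f["origin"], f["src"], "->", f["dst"], f["disposition"], drop_class(f))
```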
By default, this command lists the active flows in the order in which they appear in the AFT. Use the sort parameter to sort the list of flows, as described in Parameters on page 371.
Syntax
show flow-path active [verbose] [poll <polling_interval>]
    [source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [source-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [destination-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}]
    [domain {<domain_ID> | <lowest_domain_ID> <highest_domain_ID>}]
    [circuit-id {<cct_ID_number> | <lowest_cct_ID_number> <highest_cct_ID_number>}]
    [module {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}]
    [master-npm {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}]
    [sort]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter    Description

verbose
    Changes the format in which the CLI displays the output of the command and displays information about the full path for each active flow, from ingress NPM interface to egress NPM interface. See Default Output on page 374 for more details.
poll <polling_interval>
    Polls the NPMs continuously and displays updated information every <polling_interval> seconds.
    NOTE: Press Ctrl-y to stop polling the NPMs and return to the CLI prompt.
    Valid values for <polling_interval> are from 1-3600.
source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}
    Filters the command output using the specified source IP address matching criteria.
    Specify a single IP address to display flow path information only for active flows that have the specified source IP address.
    Specify a range of IP addresses to display flow path information only for active flows whose source IP addresses are within the specified range.
destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}
    Filters the command output using the specified destination IP address matching criteria.
    Specify a single IP address to display flow path information only for active flows that have the specified destination IP address.
    Specify a range of IP addresses to display flow path information only for active flows whose destination IP addresses are within the specified range.
source-port {<port_number> | <lowest_port_number> <highest_port_number>}
    Filters the command output using the specified source port matching criteria.
    Specify a single port number to display flow path information only for active flows that have the specified source port number.
    Specify a range of port numbers to display flow path information only for active flows whose source port numbers are within the specified range.
destination-port {<port_number> | <lowest_port_number> <highest_port_number>}
    Filters the command output using the specified destination port matching criteria.
    Specify a single port number to display flow path information only for active flows that have the specified destination port number.
    Specify a range of port numbers to display flow path information only for active flows whose destination port numbers are within the specified range.
protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}
    Filters the command output using the specified protocol matching criteria.
    Specify a single protocol number to display flow path information only for active flows that have the specified protocol number.
    Specify a range of protocol numbers to display flow path information only for active flows whose protocol numbers are within the specified range.
domain {<domain_ID> | <lowest_domain_ID> <highest_domain_ID>}
    Filters the command output using the specified domain matching criteria.
    Specify a single domain ID number to display flow path information only for active flows received on circuits with the specified domain ID number.
    Specify a range of domain ID numbers to display flow path information only for active flows received on circuits whose domain ID numbers are within the specified range.
    Use the show circuit command to display the domain ID numbers assigned to circuits configured on the X-Series Platform.
    NOTE: By default, XOS assigns all new circuits to domain number 1. You can assign a circuit to a different domain by specifying the domain parameter with the configure circuit command.
    If you assign a single domain ID to all of the circuits configured for a VAP group, you can use the show flow-path active command to monitor the status of all of the flows that pass through that VAP group. This is particularly useful when monitoring flows that pass through multiple, serialized VAP groups, since you can assign a unique domain ID to each VAP group's circuits.
circuit-id {<cct_ID_number> | <lowest_cct_ID_number> <highest_cct_ID_number>}
    Filters the command output using the specified circuit ID matching criteria.
    Specify a single circuit ID number to display flow path information only for active flows received on the circuit with the specified circuit ID number.
    Specify a range of circuit ID numbers to display flow path information only for active flows received on the circuits whose circuit ID numbers are within the specified range.
    Use the show circuit command to display the circuit ID numbers assigned to circuits configured on the X-Series Platform.
    NOTE: XOS assigns a default circuit ID number to every new circuit. You can assign a new circuit ID number to a circuit by specifying the circuit-id parameter with the configure circuit command.
module {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}
    Filters the command output using the specified originating NPM matching criteria.
    Specify a single NPM slot number to display flow path information only for active flows that originate on the NPM with the specified slot number.
    Specify a range of NPM slot numbers to display information only about active flows that originate on the NPMs whose slot numbers are within the specified range.
master-npm {<np_slot_number> | <lowest_np_slot_number> <highest_np_slot_number>}
    Filters the command output using the specified master NPM matching criteria.
    Specify a single NPM slot number to display flow path information only for active flows whose master NPM has the specified slot number.
    Specify a range of NPM slot numbers to display flow path information only for active flows whose master NPM has a slot number within the specified range.
sort
    Sorts the list of active flow paths that the command displays, using the following criteria, in the order shown. The CLI sorts the list of flow paths:
    1. first by destination IP address
    2. then by source IP address
    3. then by protocol number
    4. then by destination port
    5. then by source port
Default Output
By default, the show flow-path active command displays information in a table, using the following format:

    Module        Source:port   Destination:port   Prot   Dom
    <NPM_name1>   <IP>:<port>   <IP>:<port>        <#>    <ID#>
      rx circuit <ID#>  rx active <VAP_name> [rx passive]  tx_port <slot>_<port>  master <NPM_name>
    <NPM_name2>   <IP>:<port>   <IP>:<port>        <#>    <ID#>
      Drop(<drop_reason>)

The output has the format shown in the entry for <NPM_name1> if the originating NPM transfers the flow to a VAP for processing.
The output has the format shown in the entry for <NPM_name2> if the originating NPM drops the flow.

The following table describes the information provided in each column/row/field in the command output.

Column/Row Heading or Field    Information Provided

Module <NPM_nameN>
    Name of the NPM from which the flow originates.
    An NPM name has the format: np<NPM_slot_number>
    Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.
Source:port <IP>:<port>
    Source IP address and source port number for the flow.
Destination:port <IP>:<port>
    Destination IP address and destination port number for the flow.
Prot <#>
    Numeric identifier for the protocol that the flow uses.
Dom <ID#>
    Domain ID number assigned to the first circuit on which the flow enters an active VAP group.
rx circuit <ID#>
    Circuit ID number assigned to the first circuit on which the flow enters an active VAP group. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.
rx active <VAP_name> [rx passive]
    Name of the first active VAP that receives the flow. If a Tap is configured on the circuit on which the flow enters the active VAP group, the name of the Tap appears in the rx_passive field. If no Tap is configured, this field is blank.
    NOTE: A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>
    Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
tx_port <slot>_<port>
    NPM slot number and port number for the NPM interface on which the flow exits the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to circuit IP addresses configured for an active VAP group.
Drop(<drop_reason>)
    Indicates that the originating NPM drops the flow for the reason specified by <drop_reason_ID>. Possible values for <drop_reason_ID> are:
    No L2 policy match
        There are no non-IP flow rules that apply to this layer 2 flow.
        NOTE: Circuit information is not displayed for flows with this drop reason ID.
    No L3 policy match
        There are no IP flow rules that apply to this layer 3 flow.
        NOTE: Circuit information is not displayed for flows with this drop reason ID.
    L3 drop policy
        This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
    PS2Master failed
        A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
    PS2IDX failed
        A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
    Load-balance failed
        A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
    Broadcast failed
        A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
    No Reason
        One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.
Master <NPM_name>
Verbose Output
The verbose output for this command has the following format:

    <NPM_Name1>
      Source Addr <IP_address>, Destination Addr <IP_address>
      Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
      rx circuit <ID#1> rx active <VAP_name1> [rx passive]
      rx circuit <ID#2> rx active <VAP_name2> [rx passive]
      ...
      rx circuit <ID#N> rx active <VAP_nameN> [rx passive]
      rx circuit <ID#NPM> rx active <NPM_name> [rx passive]
      tx_port <slot>_<port> master <NPM_name>
    <NPM_or_VAP_Name2>
      Source Addr <IP_address>, Destination Addr <IP_address>
      Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
      rx circuit <ID#1> Drop(<drop_reason>) master <NPM_name>

The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing.
The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.

The following table describes the information provided in each column/row/field in the command output.

Column/Row Heading or Field    Information Provided

<NPM_nameN>
    Name of the NPM from which the flow originates.
    An NPM name has the format: np<NPM_slot_number>
    Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.
Source Addr <IP_address>
    Source IP address for the flow.
Destination Addr <IP_address>
    Destination IP address for the flow.
Protocol <prot_name> (<#>)
    Name of the protocol that the flow uses and the numeric identifier for that protocol. For example, if the flow uses UDP, this field displays: Protocol udp (17)
Dest Port {<#> | <port_prot>(<#>)}
    Destination port number for the flow or destination port protocol and port number for the flow.
    NOTE: Destination port protocol appears only if the destination port has a standard protocol. For example, if the destination port is 80, this field displays: Dest Port http (80)
Source Port {<#> | <port_prot>(<#>)}
    Source port number for the flow or source port protocol and port number for the flow.
    NOTE: Source port protocol appears only if the source port has a standard protocol. For example, if the source port is 80, this field displays: Dest Port http (80)
Domain <ID#>
    Domain ID number assigned to the first circuit on which the flow enters an active VAP group.
rx circuit <ID#1> rx active <VAP_name1> [rx passive]
rx circuit <ID#2> rx active <VAP_name2> [rx passive]
...
rx circuit <ID#N> rx active <VAP_nameN> [rx passive]
    Sequence of paths that the flow uses to enter an active VAP group on the X-Series Platform and then pass through one or more additional active VAP groups. The paths are listed in the order in which the active VAP groups configured on the X-Series Platform receive and process the flow.
    The CLI displays the following information about each path that the flow uses to pass through an active VAP group before arriving at its final egress interface on the NPM:
    rx circuit <ID#N>
        Circuit ID number assigned to the circuit on which the flow enters the active VAP group.
        Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.
        Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.
    rx active <VAP_nameN>
        Name of the active VAP that receives the flow.
        A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>
        Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
    rx passive
        If a Tap is configured on the circuit on which the flow enters the active VAP group, the name of the Tap appears in the rx_passive field. If no Tap is configured, this field is blank.
rx circuit <ID#NPM> rx active <NPM_name> [rx passive]
    Path that the flow uses to arrive at its egress interface on the NPM. The egress interface is the physical interface that the flow uses to exit the X-Series Platform.
    The CLI displays the following information about this path:
    rx circuit <ID#NPM>
        Circuit ID number assigned to the circuit mapped to the egress interface on the NPM.
        NOTE: This circuit is mapped to the last VAP group that the flow passes through before exiting the X-Series Platform.
        Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.
        Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.
    rx active <NPM_name>
        Name of the NPM from which the flow exits the X-Series Platform.
        A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>
        Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
    rx passive
        This field contains the name of the Tap if one is configured on the circuit mapped to the flow's egress interface on the NPM. If no Tap is configured, this field is blank.
tx_port <slot>_<port>
NPM slot number and port number for the NPM interface on which the flow exits the X-Series Platform. NOTE: This interface is mapped to a circuit that is mapped to the last VAP group that the flow passes through before exiting the X-Series Platform. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.
Drop(<drop_reason>)
    Indicates that the originating NPM drops the flow for the reason specified by <drop_reason_ID>. Possible values for <drop_reason_ID> are:
    No L2 policy match
        There are no non-IP flow rules that apply to this layer 2 flow.
        NOTE: Circuit information is not displayed for flows with this drop reason ID.
    No L3 policy match
        There are no IP flow rules that apply to this layer 3 flow.
        NOTE: Circuit information is not displayed for flows with this drop reason ID.
    L3 drop policy
        This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
    PS2Master failed
        A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
    PS2IDX failed
        A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
    Load-balance failed
        A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
    Broadcast failed
        A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
    No Reason
        One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.
Master <NPM_name>
Restrictions
Default Privilege Level: 15
Examples
Example 1: Displaying all Active Flow Paths Using the Default Command Output Format
The following command displays the initial entry path and the egress NPM interface for every active flow that the X-Series Platform is currently processing. In this example, a VAP group called testvapgroup is currently configured on the X-Series Platform and is running a firewall application.

    CBS# show flow-path active
    This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
    Module  Source:port          Destination:port     Prot  Dom
    np2     172.16.10.100:2009   172.16.20.240:80     6     1
      rx circuit 1027  rx active testvapgroup_2  rx passive  tx_port 4_2  master np2
    np4     172.16.20.240:80     172.16.10.144:53814
      rx circuit 1028  rx active testvapgroup_1  rx passive  tx_port 2_2  master np2
    np2     172.16.10.207:31754  172.16.20.240:80
      rx circuit 1029  Drop(PS2IDX failed)  master np2
    CBS#
Example 2: Filtering the Default Command Output Format
The following command displays initial entry path and egress NPM interface information only for the active flows whose source port number is 80:

    CBS# show flow-path active source-port 80
    This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
    Module  Source:port        Destination:port     Prot  Dom
    np4     172.16.20.240:80   172.16.10.144:53814  6     1
      rx circuit 1028  rx active testvapgroup_1  rx passive  tx_port 2_2  master np2
    CBS#
Example 3: Displaying all Active Flow Paths Using the Verbose Command Output Format
The following command displays the complete flow path for every active flow that the X-Series Platform is currently processing. In this example, a VAP group called testvapgroup is currently configured on the X-Series Platform and is running a firewall application.

    CBS# show flow-path active verbose
    This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
    np4
      Source Addr 172.16.10.100, Destination Addr 172.16.20.240
      Protocol tcp (6), Dest Port http(80), Source Port 2009, Domain 1
      rx circuit 1027 rx active testvapgroup_2 rx passive
      rx circuit 1030 rx active np2 rx passive
      tx_port 2_2 master np2
    np2
      Source Addr 172.16.20.240, Destination Addr 172.16.10.144
      Protocol tcp (6), Dest Port 53814, Source Port http(80), Domain 1
      rx circuit 1028 rx active testvapgroup_1 rx passive
      rx circuit 1031 rx active np4 rx passive
      tx_port 4_2 master np2
    np2
      Source Addr 172.16.10.207, Destination Addr 172.16.20.240
      Protocol tcp (6), Dest Port http(80), Source Port 31754, Domain 1
      rx circuit 1029 Drop(PS2IDX failed) master np2
    CBS#
Syntax
show flow distribution [sort {vap-group | apm-slot}]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter    Description

sort {vap-group | apm-slot}
    Sorts the list of VAP flow assignments. Use one of the following keywords to specify the method used to sort the list:
    vap-group
        Sorts the list of VAP flow assignments first by VAP group name, then by VAP index number, and then by APM slot number.
    apm-slot
        Sorts the list of VAP flow assignments first by APM slot number, then by VAP group name, and then by VAP index number.
Output
This command displays information in a table, using the following format. The command output shows the number of flows that each NPM assigns to each VAP in each VAP group.
NOTE: Table entries appear only for the NPMs that are actually installed in the X-Series Platform.

    VAP       New Flows Rate   Aged Flows Rate   Flows
              =============    =============     =====
    <name1>   <Delta_#flows>   <Delta_#flows>    <#>
    <name1>   <Delta_#flows>   <Delta_#flows>    <#>
The following table describes the information provided in each column/row.

Column/Row Heading    Information Provided

NP
    Name of the NPM that assigns flows to a VAP. Use the show chassis command to display the NPM names assigned to the NPMs installed in your X-Series Platform.
Uptime
    Amount of time that the NPM has been in the UP state, in days, hours, and minutes. Hours and minutes are expressed in the format: mm:ss. For example, 9 hours and 7 minutes is 09:07.
Slot
    Slot number for the APM assigned to the VAP to which the NPM assigns flows.
VAP
    Name of the VAP to which the NPM assigns flows.
    A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>
    Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
New Flows Rate
    The change in the number of new flows that the NPM assigns to the VAP, since the past second. A negative value indicates that the number of new flows that the NPM currently assigns to the VAP is lower than the number of new flows that the NPM assigned to the VAP a second ago. For example, if an NPM assigns 10 new flows to the VAP now, but the NPM assigned 15 new flows to that VAP a second ago, the New Flows Rate is -5.
Aged Flows Rate
    The change in the number of existing flows that the NPM assigns to the VAP, since the past second. A negative value indicates that the number of existing flows that the NPM currently assigns to the VAP is lower than the number of existing flows that the NPM assigned to the VAP a second ago. For example, if an NPM assigns 10 existing flows to the VAP now, but the NPM assigned 15 existing flows to that VAP a second ago, the Aged Flows Rate is -5.
Flows
    Total number of flows that the NPM currently assigns to the VAP.
Restrictions
Default Privilege Level: 0
Examples
Example 1: Default Command Output
The following command displays the number of flows that each Network Processor Module (NPM) installed in the X-Series Platform has assigned to each VAP in each VAP group configured on the X-Series Platform, and displays the rates at which each NPM assigns new and existing flows to each VAP. There are two VAP groups configured on this X-Series Platform: one called testvapgroup, which has three VAPs, and one called ipsvapgroup, which has two VAPs.

    CBS# show flow distribution
    NP   Uptime         Slot  VAP             New Flows Rate  Aged Flows Rate  Flows
                                              ==========      ==========       =========
    np1  0 days, 00:00  7     testvapgroup_1  0               0                0
    np2  3 days, 19:17  7     testvapgroup_1  7344            5133             72043
    np3  0 days, 00:00  7     testvapgroup_1  0               0                0
    np4  3 days, 19:17  7     testvapgroup_1  6340            5538             79002
    np1  0 days, 00:00  8     testvapgroup_2  0               0                0
    np2  3 days, 19:17  8     testvapgroup_2  5733            5670             69182
    np3  0 days, 00:00  8     testvapgroup_2  0               0                0
    np4  3 days, 19:17  8     testvapgroup_2  5223            5041             68423
    np1  0 days, 00:00  9     testvapgroup_3  0               0                0
    np2  3 days, 19:17  9     testvapgroup_3  -5463           -4210            0
    np3  0 days, 00:00  9     testvapgroup_3  0               0                0
    np4  3 days, 19:17  9     testvapgroup_3  -4253           -3452            0
    np1  0 days, 00:00  5     ipsvapgroup_1   0               0                0
    np2  3 days, 19:17  5     ipsvapgroup_1   0               0                0
    np3  0 days, 00:00  5     ipsvapgroup_1   0               0                0
    np4  3 days, 19:17  5     ipsvapgroup_1   0               0                0
    np1  0 days, 00:00  6     ipsvapgroup_2   0               0                0
    np2  3 days, 19:17  6     ipsvapgroup_2   0               0                0
    np3  0 days, 00:00  6     ipsvapgroup_2   0               0                0
    np4  3 days, 19:17  6     ipsvapgroup_2   0               0                0
    CBS#
Example 2: Sorting the Command Output
Based on the default command output shown in Example 1, an X-Series Platform administrator can see that none of the NPMs are assigning flows to the VAPs in the VAP group called ipsvapgroup. The administrator expects this output because he has just reloaded that VAP group, and it has not yet come up.
However, the default output also reveals a major problem. The NPMs have suddenly stopped assigning new and existing flows to one of the VAPs in the VAP group called testvapgroup, and the NPMs are now assigning many more new and existing flows to the other two VAPs in the group.
To more clearly see this pattern, the X-Series Platform administrator executes the following command to sort the above list of NPM-to-VAP assignments first by APM slot number, then by VAP group name, and then by VAP index number.
384
CBS# show flow distribution apm-slot New Flows Rate ========== 0 0 0 0 0 0 0 0 0 5337 0 5340 0 4733 0 4733 0 -5463 0 -4253 Aged Flows Rate ========== 0 0 0 0 0 0 0 0 0 4212 0 3538 0 3670 0 3040 0 -4210 0 -3452 Flows ========= 0 0 0 0 0 0 0 0 0 49667 0 79002 0 43182 0 68423 0 0 0 0
NP np1 np2 np3 np4 np1 np2 np3 np4 np1 np2 np3 np4 np1 np2 np3 np4 np1 np2 np3 np4 CBS#
0 3 0 3 0 3 0 3 0 3 0 3 0 3 0 3 0 3 0 3
Uptime days, 00:00 days, 19:17 days, 00:00 days, 19:17 days, 00:00 days, 19:17 days, 00:00 days, 19:17 days, 00:00 days, 19:17 days, 00:00 days, 19:17 days, 00:00 days, 19:17 days, 00:00 days, 19:17 days, 00:00 days, 19:17 days, 00:00 days, 19:17
Slot 5 5 5 5 6 6 6 6 7 7 7 7 8 8 8 8 9 9 9 9
VAP ipsvapgroup_1 ipsvapgroup_1 ipsvapgroup_1 ipsvapgroup_1 ipsvapgroup_2 ipsvapgroup_2 ipsvapgroup_2 ipsvapgroup_2 testvapgroup_1 testvapgroup_1 testvapgroup_1 testvapgroup_1 testvapgroup_2 testvapgroup_2 testvapgroup_2 testvapgroup_2 testvapgroup_3 testvapgroup_3 testvapgroup_3 testvapgroup_3
The sorted command output clearly shows that there is a problem with the APM in slot 9. This APM is probably down. The change in the number of new and existing flows assigned to the other APMs assigned to testvapgroup suggests that the NPMs have moved all of the failed APM's flows onto the remaining two APMs assigned to the group. The administrator can confirm the above hypothesis by using the show chassis command to display the current state of all modules installed in the chassis.
show npm-originated-flow-stats
This command displays statistics for IP flows originated from the NPMs on an X-Series Platform. The command displays statistics for each NPM in the X-Series chassis. Flow counts represent a snapshot of changes. NOTE: Flow counts are uni-directional.
Syntax
show npm-originated-flow-stats
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Output
The output for the show npm-originated-flow-stats command has the following format:
CBS# show npm-originated-flow-stats
Originated flows from slot 1
Total flows count:
  TCP flows      : 0
  UDP flows      : 79525
  ICMP flows     : 13027
  Other-IP flows : 0
New flows rate (per second):
  TCP flows      : 0
  UDP flows      : 0
  ICMP flows     : 0
  Other-IP flows : 0
Aged flows rate (per second):
  TCP flows      : 0
  UDP flows      : 0
  ICMP flows     : 0
  Other-IP flows : 0
Originated flows from slot 2
Total flows count:
  TCP flows      : 0
  UDP flows      : 162723
  ICMP flows     : 12820
  Other-IP flows : 0
New flows rate (per second):
  TCP flows      : 0
  UDP flows      : 0
  ICMP flows     : 0
  Other-IP flows : 0
Aged flows rate (per second):
  TCP flows      : 0
  UDP flows      : 0
  ICMP flows     : 0
  Other-IP flows : 0
The following table describes the information provided in each column/row:
Column/Row Heading
    Information Provided
Originated flows from slot
    Number of the slot that contains an NPM.
Total flows count
    The number of flows in the flow table.
New flows rate (per second)
    The number of new flows entering the flow table.
Aged flows rate (per second)
    The number of existing flows removed from the flow table. NOTE: Flows are removed due to inactivity or flow termination.
TCP flows
    IP flows from TCP traffic.
UDP flows
    IP flows from UDP traffic.
ICMP flows
    IP flows from ICMP traffic.
Other-IP flows
    IP flows from any source other than TCP, UDP, or ICMP.
configure check-flow-rule
Enables or disables (using no) flow rule checking for the X-Series Platform. Flow rule checking is enabled by default.
NOTE: If flow rule checking has been disabled and is then enabled, all the activated flow rules are checked for conflicts.
The purpose of flow rule checking is to ensure that the NPM can successfully apply existing flow rules to every flow that arrives on a logical interface configured on the X-Series Platform. If the NPM is unable to successfully apply any flow rules to a flow that arrives on a logical interface, the NPM drops that flow.
The NPM can apply only one flow rule to a flow at any given time. If a single flow meets the matching criteria for multiple flow rules, the NPM uses the priority levels assigned to those flow rules to determine the order in which to apply them to the flow. If the flow rules have the same priority level, the NPM cannot determine the order in which to apply them, and the NPM drops the flow.
If flow rule checking is enabled, each time you issue the activate command to activate a flow rule, XOS checks for policy conflicts between the flow rule that you are attempting to activate and the flow rules that are currently activated on the X-Series Platform. If XOS detects a policy conflict, the activate operation fails and the CLI issues an error message.
Two flow rules have conflicting policies if all of the following conditions are true:
- Both flow rules apply to the same virtual application processor (VAP) group. NOTE: System-level flow rules apply to all VAP groups configured on the X-Series Platform. VAP group flow rules apply only to the VAP group for which they are configured.
- The two flow rules have overlapping matching criteria; both flow rules can apply to the same flow.
- Both flow rules have the same priority level.
Use the show check-flow-rule command to determine whether flow rule checking is enabled on your X-Series Platform.
Syntax
[no] configure check-flow-rule
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
The following command disables flow rule checking for the X-Series Platform:
CBS# configure no check-flow-rule
CBS#
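The three conflict conditions described for flow rule checking can be modelled offline to audit a planned rule set before activation. This is an added example, not XOS code: the FlowRule fields are a simplified, hypothetical model (addresses, port ranges and protocol ranges only), and activate() and recheck() are illustrative names.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations
from typing import List, Optional, Tuple

Range = Tuple[int, int]  # inclusive (lowest, highest)


@dataclass(frozen=True)
class FlowRule:
    """Simplified flow rule (hypothetical model, not the XOS schema)."""
    name: str
    priority: int
    vap_group: Optional[str] = None   # None models a system-level rule
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    src_ports: Range = (0, 65535)
    dst_ports: Range = (0, 65535)
    protocols: Range = (0, 255)


def ranges_overlap(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def same_scope(a: FlowRule, b: FlowRule) -> bool:
    # Condition 1: same VAP group. System-level rules apply to all VAP
    # groups, so they share scope with every other rule.
    return a.vap_group is None or b.vap_group is None or a.vap_group == b.vap_group


def criteria_overlap(a: FlowRule, b: FlowRule) -> bool:
    # Condition 2: at least one flow could match both rules, which requires
    # every matching field to overlap.
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and ranges_overlap(a.src_ports, b.src_ports)
            and ranges_overlap(a.dst_ports, b.dst_ports)
            and ranges_overlap(a.protocols, b.protocols))


def conflicts(a: FlowRule, b: FlowRule) -> bool:
    # Condition 3: equal priority, so no order of application can be chosen.
    return same_scope(a, b) and criteria_overlap(a, b) and a.priority == b.priority


def activate(active: List[FlowRule], candidate: FlowRule,
             checking: bool = True) -> List[str]:
    """Return the names of active rules that conflict with the candidate.

    The candidate joins the active set only when that list is empty, or
    when checking is off (the state after 'configure no check-flow-rule').
    """
    found = [r.name for r in active if conflicts(r, candidate)] if checking else []
    if not found:
        active.append(candidate)
    return found


def recheck(active: List[FlowRule]) -> List[Tuple[str, str]]:
    """All conflicting pairs, as when checking is enabled again after being disabled."""
    return [(a.name, b.name) for a, b in combinations(active, 2) if conflicts(a, b)]


if __name__ == "__main__":
    # Constructed sample rules using the VAP group names from this guide.
    rules: List[FlowRule] = []
    web = FlowRule("web", 20, "testvapgroup", dst="10.170.101.0/24",
                   dst_ports=(80, 80), protocols=(6, 6))
    wide = FlowRule("wide", 20, "testvapgroup", dst="10.170.0.0/16",
                    dst_ports=(1, 1024), protocols=(6, 6))
    print(activate(rules, web))    # activates cleanly
    print(activate(rules, wide))   # rejected: overlaps "web" at the same priority
```

Running recheck() over an exported rule set before re-enabling checking shows which pairs would be flagged, and therefore which flows the NPM may be dropping while checking is off.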
XOS Command Reference Guide 387
clear flow-active
Deletes connection and load-balancing information for all active flows that match the specified filtering criteria. You specify filtering criteria using the parameters listed below. If you do not specify filtering criteria, this command deletes all active flow connection and load-balancing information from all Network Processor Modules (NPMs) installed in the X-Series Platform.
Caution: If you do not specify filtering criteria, the clear flow-active command stops all traffic, and in most cases, it causes a complete service interruption that may last for several minutes. You should consider these risks carefully before issuing this command. Crossbeam Systems recommends that you use this command only after consulting with a Crossbeam Systems Customer Support or Professional Services representative.
Syntax
clear flow-active [source-address <IP_address>/<0-32>] [destination-address <IP_address>/<0-32>] [source-port <lowest_port_number> <highest_port_number>] [destination-port <lowest_port_number> <highest_port_number>] [protocol <lowest_protocol_number> <highest_protocol_number>] [domain <lowest_domain_ID> <highest_domain_ID>] [circuit-id <lowest_circuit_ID> <highest_circuit_ID>] [module <lowest_slot_number> <highest_slot_number>] [master-npm <lowest_slot_number> <highest_slot_number>] [fast-path-only]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
source-address <IP_address>/<0-32>
    Deletes active flow connection and load-balancing information only for flows whose source IP addresses belong to the specified IP network. You must specify the source IP network address and subnet mask using CIDR format. NOTE: When using the clear flow-active command, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.
destination-address <IP_address>/<0-32>
    Deletes active flow connection and load-balancing information only for flows whose destination IP addresses belong to the specified IP network. You must specify the destination IP network address and subnet mask using CIDR format. NOTE: When using the clear flow-active command, do not configure either the source or destination address as a.b.c.d/0 where a.b.c.d is not 0.0.0.0. This address format (for example, 5.5.5.5/0) is not valid.
source-port <lowest_port_number> <highest_port_number>
    Deletes active flow connection and load-balancing information only for flows whose source port numbers are within the specified range of port numbers.
destination-port <lowest_port_number> <highest_port_number>
    Deletes active flow connection and load-balancing information only for flows whose destination port numbers are within the specified range of port numbers.
protocol <lowest_protocol_number> <highest_protocol_number>
    Deletes active flow connection and load-balancing information only for flows whose protocol numbers are within the specified range of protocol numbers.
domain <lowest_domain_ID> <highest_domain_ID>
    Deletes active flow connection and load-balancing information only for flows assigned to circuits whose domain ID numbers are within the specified range of domain ID numbers.
circuit-id <lowest_circuit_ID> <highest_circuit_ID>
    Deletes active flow connection and load-balancing information only for flows assigned to circuits whose circuit ID numbers are within the specified range of circuit ID numbers.
module <lowest_slot_number> <highest_slot_number>
    Deletes active flow connection and load-balancing information only for flows whose originating modules are installed in the specified range of slots in the X-Series Platform.
master-npm <lowest_slot_number> <highest_slot_number>
    Deletes active flow connection and load-balancing information only for flows whose master NPMs have slot numbers within the specified range.
fast-path-only
    Deletes active flow connection and load-balancing information only for flows being processed using the Fast Path. See the XOS Configuration Guide for information about the Fast Path.
Restrictions
Default Privilege Level: 15
Example
The following command deletes all connection and load-balancing information for all active flows whose source IP addresses belong to the IP network 10.170.54.0/24 and whose destination IP addresses belong to the network 10.170.101.0/24:
CBS# clear flow-active source-address 10.170.54.0/24 destination-address 10.170.101.0/24
CBS#
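Because an unfiltered clear flow-active stops all traffic, change tooling that generates this command can refuse to emit it without narrowing criteria and can reject the invalid a.b.c.d/0 form. The following is an added example, not part of XOS or this guide's tooling. check_filters and build_clear_flow_active are hypothetical names, and the numeric bounds are assumptions: 16-bit ports, 8-bit protocol numbers, and the domain, circuit ID and slot ranges this guide gives for other commands.

```python
from ipaddress import IPv4Address

ADDRESS_OPTS = ("source-address", "destination-address")
# Listed in the order the Syntax section gives them.
# Bounds are assumptions of this example (see the lead-in).
RANGE_OPTS = {
    "source-port": (0, 65535),
    "destination-port": (0, 65535),
    "protocol": (0, 255),
    "domain": (1, 4095),
    "circuit-id": (1, 4095),
    "module": (1, 14),
    "master-npm": (1, 14),
}


def check_filters(filters: dict, fast_path_only: bool = False) -> list:
    """Return a list of problems; an empty list means the filter set is usable."""
    problems = []
    for key in sorted(set(filters) - set(ADDRESS_OPTS) - set(RANGE_OPTS)):
        problems.append(f"{key}: not a clear flow-active parameter")

    # 0.0.0.0/0 contains every IPv4 address, so a filter set made only of it
    # narrows nothing and is treated like the unfiltered, traffic-stopping form.
    narrowing = [k for k, v in filters.items() if v != "0.0.0.0/0"]
    if not narrowing and not fast_path_only:
        problems.append("no narrowing criteria: this would clear every active flow")

    for opt in ADDRESS_OPTS:
        if opt not in filters:
            continue
        value = str(filters[opt])
        addr, sep, plen = value.partition("/")
        try:
            parsed = IPv4Address(addr)
            well_formed = sep == "/" and plen.isdigit() and 0 <= int(plen) <= 32
        except ValueError:
            well_formed = False
        if not well_formed:
            problems.append(f"{opt} {value}: expected <IP_address>/<0-32>")
        elif int(plen) == 0 and parsed != IPv4Address("0.0.0.0"):
            # The guide's NOTE: a.b.c.d/0 with a non-zero address is not valid.
            problems.append(f"{opt} {value}: a.b.c.d/0 is valid only as 0.0.0.0/0")

    for opt, (lowest_allowed, highest_allowed) in RANGE_OPTS.items():
        if opt not in filters:
            continue
        value = filters[opt]
        valid = (isinstance(value, (tuple, list)) and len(value) == 2
                 and all(isinstance(n, int) for n in value)
                 and lowest_allowed <= value[0] <= value[1] <= highest_allowed)
        if not valid:
            problems.append(f"{opt} {value}: expected lowest <= highest within "
                            f"{lowest_allowed}-{highest_allowed}")
    return problems


def build_clear_flow_active(filters: dict, fast_path_only: bool = False) -> str:
    """Return the CLI line, or raise ValueError listing every problem found."""
    problems = check_filters(filters, fast_path_only)
    if problems:
        raise ValueError("; ".join(problems))
    parts = ["clear flow-active"]
    for opt in ADDRESS_OPTS:
        if opt in filters:
            parts.append(f"{opt} {filters[opt]}")
    for opt in RANGE_OPTS:
        if opt in filters:
            low, high = filters[opt]
            parts.append(f"{opt} {low} {high}")
    if fast_path_only:
        parts.append("fast-path-only")
    return " ".join(parts)


if __name__ == "__main__":
    # The filter set from the guide's own example.
    print(build_clear_flow_active({"source-address": "10.170.54.0/24",
                                   "destination-address": "10.170.101.0/24"}))
    print(check_filters({}))                              # refused: unfiltered
    print(check_filters({"source-address": "5.5.5.5/0"}))  # refused: invalid form
```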
clear interface
Clears the total, processed, and dropped packet counters for all interfaces configured on the X-Series Platform or for the specified interface. NOTE: This command clears packet counters only for the current CLI console session. Use the show interface command to display the date and time at which you last cleared an interface's packet counters during the current CLI console session.
Syntax
clear interface {all | gigabitethernet <slot>/<port> | 10gigabitethernet <slot>/<port> | high-availability}
Context
You access this command from the main CLI context.
Inline Commands
The following table lists the CLI commands used inline with the clear interface command.
Command
    Description
all
    Clears the total, processed, and dropped packet counters for all interfaces configured on the X-Series Platform.
gigabitethernet <slot>/<port>
    Clears the total, processed, and dropped packet counters only for the Gigabit Ethernet interface configured on the specified port on the NPM in the specified slot.
10gigabitethernet <slot>/<port>
    Clears the total, processed, and dropped packet counters only for the 10 Gigabit Ethernet interface configured on the specified port on the NPM in the specified slot.
high-availability
    Clears the total, processed, and dropped packet counters for the High Availability port on the primary CPM.
Restrictions
Default Privilege Level: 15
Example
In this example, the X-Series Platform administrator wants to determine the number of packets that an interface receives in one hour and calculate the percentage of packets that the interface drops during that time. The administrator first issues the following command to clear the total, processed, and dropped packet counters only for the interface for which he wants to calculate the percentage of packets dropped per hour: the Gigabit Ethernet interface configured on port 1 on the NPM in slot 1 in the X-Series Platform.
CBS# clear interface gigabitethernet 1/1
CBS#
The administrator issues the following command to ensure that the interface's packet counters have been cleared:
CBS# show interface gigabitethernet 1/1
Gigabitethernet 1/1 is up
Interface is in use
Hardware address is N/A
SFP info: phy_present|phy_good
Media Type: Copper, Vendor Name: Methode Elec.
MTU 1500 bytes, BW 1 Gigabit, full-duplex, auto-negotiation is enabled
Last clearing of "show interface" counters Fri Feb 12 20:33:34 2010
PHY stats: Statistics on physical line
Received:
  Total frames 0 (bytes 0)
  Broadcast frames 0
  Undersized frames 0
  Oversized frames 0
  Throttles 0
  Total errors 0
  Frame check sequence (FCS) errors 0
  Frame errors 0
  Overrun errors 0
  Ignored errors 0
Transmitted:
  Total frames 0 (bytes 0)
  Underrun errors 0
  Total errors 0
  Collisions 0
Next, the administrator waits one hour, and then issues the show interface command again:
CBS# show interface gigabitethernet 1/1
Gigabitethernet 1/1 is up
Interface is in use
Hardware address is N/A
SFP info: phy_present|phy_good
Media Type: Copper, Vendor Name: Methode Elec.
MTU 1500 bytes, BW 1 Gigabit, full-duplex, auto-negotiation is enabled
Last clearing of "show interface" counters Fri Feb 12 20:33:34 2010
PHY stats: Statistics on physical line
Received:
  Total frames 517305 (bytes 33877872)
  Broadcast frames 143
  Undersized frames 0
  Oversized frames 0
  Throttles 0
  Total errors 0
  Frame check sequence (FCS) errors 0
  Frame errors 0
  Overrun errors 0
  Ignored errors 0
Transmitted:
  Total frames 0 (bytes 0)
  Underrun errors 0
  Total errors 0
  Collisions 0
CBS#
clear netstat
Clears all network protocol statistics counters for the X-Series Platform. NOTE: This command clears network protocol statistics counters only for the current CLI console session. Use the show netstat command to display the date and time at which you last cleared the network protocol statistics counters during the current CLI console session.
Syntax
clear netstat
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
The following command clears all network protocol statistics for the current CLI console session:
CBS# clear netstat
CBS#
clear switch-data-path
Clears all switch data path (SDP) statistics counters for one or more Control Processor Modules (CPMs) and/or Application Processor Modules (APMs) installed in the X-Series Platform. NOTE: This command clears SDP statistics counters only for the current CLI console session. Use the show switch-data-path command to display the date and time at which you last cleared the SDP statistics counters during the current CLI console session.
Syntax
clear switch-data-path {all | module {<slot_number> | <lowest_slot_number> <highest_slot_number>}}
Context
You access this command from the main CLI context.
Inline Commands
The following table lists the CLI commands used inline with the clear switch-data-path command.
Command
    Description
all
    Clears all SDP statistics counters for all CPMs and APMs installed in the X-Series Platform.
module {<slot_number> | <lowest_slot_number> <highest_slot_number>}
    Clears all SDP statistics counters only for one or more specific APMs and/or CPMs. Specify a single CPM or APM slot number to clear all SDP statistics counters only for the CPM or APM installed in that slot. Specify a range of slot numbers to clear all SDP statistics counters only for the CPMs and/or APMs installed in the specified range of slots. Valid slot numbers are from 1-14.
Restrictions
Default Privilege Level: 15
Example
The following command clears all SDP statistics counters for the APMs installed in slots 7-9. In this example, these APMs are assigned to the VAP group called testvapgroup:
CBS# clear switch-data-path module 7 9
CBS#
clear vdf-status
This command clears the virtual defragmentation (VDF) statistics counters on NPMs and APMs.
By default, this command clears information about all NPMs, APMs, and VAP groups. You can use one of the following parameters to selectively clear information for specific modules or VAP groups.
- module
- vap-group-member
NOTE: The statistics are cleared for the current session only and are not cleared on the module.
Syntax
clear vdf-status [module <module_name>] [vap-group-member <VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
module
    (Optional) Clears VDF statistics for the specified modules. Specify a module (APM or NPM) or list of modules separated by spaces for which VDF statistics are to be cleared.
    An NPM name has the format: np<NPM_number>
    An APM name has the format: ap<APM_number>
    Use the show chassis command to display the module names assigned to the NPMs and APMs installed in the X-Series Platform.
vap-group-member
    (Optional) Clears VDF statistics for all member VAPs in the specified VAP group. Specify the name of a VAP group to clear the VDF status for all member VAPs.
Restrictions
Default Privilege Level: 15
Example
The following command clears the virtual defragmentation statistics counters for all modules:
CBS# clear vdf-status
The following command clears the virtual defragmentation statistics counters for an NPM and an APM:
CBS# clear vdf-status module np2 ap3
The following command clears the virtual defragmentation statistics counters for all VAPs in a VAP group:
CBS# clear vdf-status vap-group-member <VAP_group_name>
Chapter 7: Commands for Configuring Interfaces for a VAP Group
You must create and configure interfaces for a virtual application processor (VAP) group to enable the members of that VAP group to send and receive traffic. A VAP group interface has three parts:
- Circuit: A virtualized Ethernet connection configured for members of a VAP group. The primary purpose of a circuit is to provide a connection between the members of a VAP group and a physical interface on a Network Processor Module (NPM). However, you can also configure a circuit to provide an internal connection between members of one or more VAP groups configured on the same X-Series Platform. You create and configure a circuit, assign the circuit to one or more VAP groups, and configure each VAP group to process traffic passing through the circuit. When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces. NOTE: Some circuit configuration settings change VND configuration settings, thereby changing the configuration of the Linux networking device on each VAP in the VAP group.
- Physical interface: An Ethernet port on an NPM that you configure to pass traffic between the X-Series Platform and an external network.
- Logical interface: An interface that logically links a circuit's VNDs to a physical interface on an NPM. You configure a logical interface on a physical interface and then map the logical interface to a circuit that you have assigned to one or more VAP groups. An NPM uses logical interface mapping to identify the VNDs that send and receive traffic over each of its physical interfaces. NOTE: You can map only one circuit to each logical interface. However, you can map multiple logical interfaces to the same physical interface, allowing multiple circuits to pass traffic over a single physical interface. You can also use link aggregation to bond multiple physical interfaces to a single logical interface, allowing one circuit to pass traffic over multiple physical interfaces.
This chapter describes the CLI commands that you can use to create and configure circuits, physical interfaces, and logical interfaces for a VAP group. This chapter contains the following sections:
- Commands for Configuring Circuits
- Commands for Configuring IP Routes and Managing Destination MAC Address Resolution for VAP Groups
- Commands for Configuring Physical and Logical Interfaces for a VAP Group
- Commands for Configuring Interface Redundancy
configure circuit
Creates and configures a new circuit or configures the specified existing circuit. Places you in the conf-cct context in which you can configure the specified circuit and assign it to one or more virtual application processor (VAP) groups.
A circuit is a virtualized Ethernet connection configured for members of a VAP group. The primary purpose of a circuit is to provide a connection between the members of a VAP group and a physical interface on a Network Processor Module (NPM). However, you can also configure a circuit to provide an internal connection between members of one or more VAP groups configured on the same X-Series Platform.
When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces. NOTE: Some circuit configuration settings change VND configuration settings, thereby changing the configuration of a VAP group's Linux networking devices.
By default, when you create a new circuit, XOS assigns that circuit to domain 1. Optionally, you can use the domain parameter to assign a different domain to the circuit that you are configuring. An Active Flow Table (AFT) entry for an active flow includes six flow classification criteria: source and destination IP address, source and destination port, protocol, and circuit domain. A circuit domain serves as a unique identifier for the flows that the NPM assigns to a particular circuit. When a packet enters an NPM, the NPM uses the information in its AFT to determine which system-level and VAP group flow rules apply to the packet and to determine how to process the packet. NOTE: You should use the domain parameter to assign unique domains to circuits only if your network configuration allows a single flow to ingress the X-Series Platform twice, using two different circuits.
The X-Series Platform uses a circuit's ID number to identify that circuit and the flows that pass through it. By default, XOS automatically assigns a unique circuit ID number to each new circuit that you create. Optionally, you can use the circuit-id parameter to assign a different circuit ID number to a new circuit.
Use the configure no circuit <circuit_name> command to delete the specified circuit.
Syntax
configure circuit <circuit_name> [domain <domain_ID_number>] [circuit-id <circuit_ID_number>]
configure no circuit <circuit_name>
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
<circuit_name>
    Name assigned to the circuit that you wish to create or configure.
domain <domain_ID_number>
    Assigns the specified domain ID number to the circuit that you are configuring. Valid values are from 1 to 4095. Default is 1. NOTE: You should use the domain parameter to assign unique domains to circuits only if your network configuration allows a single flow to ingress the X-Series Platform twice, using two different circuits.
circuit-id <circuit_ID_number>
    Assigns the specified user-defined circuit ID number to the circuit that you are configuring. NOTE: You cannot use this parameter to change the ID number assigned to an existing circuit. Valid values for user-defined circuit ID numbers are from 1 to 4095. By default, XOS creates each new circuit with a unique circuit ID number between 1025 and 4095. NOTE: Crossbeam recommends configuring circuits with user-defined circuit ID numbers between 1 and 1024 to avoid duplicating default circuit ID numbers.
Restrictions
Default Privilege Level: 15
You cannot use the circuit-id parameter to change the ID number assigned to an existing circuit.
Example
The following command creates a new circuit named testcct with circuit ID number 1:
CBS# configure circuit testcct circuit-id 1
CBS(conf-cct)#
Syntax
device-name <device_name>
no device-name
Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
<device_name>
    Device name that you want to assign to the VNDs that XOS creates for the circuit that you are configuring. A circuit's default device name is vnd<ID#>, where <ID#> is the circuit ID number assigned to the circuit. NOTE: Do not use sit0 or gre0 as the name of the circuit. These are reserved names.
Restrictions
Default Privilege Level: 15
- After you prefix a circuit's device name with wrp, you cannot change that device name. Instead, you must delete the circuit and recreate it with a new device name.
- A circuit's device name cannot be lo, gre0, or sit0.
- A circuit's device name cannot begin with eth.
- A circuit's device name cannot be more than 12 characters in length.
Example
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)#
The following command changes the device name for the circuit called testcct from the default name, vnd<ID#>, to the user-defined name, testcct:
CBS(conf-cct)# device-name testcct
CBS(conf-cct)#
When you assign the circuit called testcct to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group, and assigns the user-defined device name, testcct, to each of these VNDs. The VAP operating system and the application running on the VAP group use these VNDs as Linux networking interfaces; each interface has the user-defined device name, testcct.
Syntax
[no] link-state-resistant
Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-cct context, from which you can configure the existing circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)#
The following command sets the default link state to Up for all VNDs that XOS creates for the circuit called testcct, and decouples the link state of the VNDs that XOS creates for the circuit called testcct from the link state of the physical interfaces whose logical interfaces are mapped to that circuit:
CBS(conf-cct)# link-state-resistant
CBS(conf-cct)#
If you map the circuit called testcct to a logical interface configured for a physical interface on an NPM and the link state of the physical interface is Down, the circuit stops processing traffic passing through that interface. However, the link state of the circuit's VNDs remains Up. This allows testcct to continue processing traffic passing between VAPs in a single VAP group and/or between multiple VAP groups configured on the X-Series Platform.
Syntax
[no] proxy-arp
Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)#
The following command enables Proxy ARP for the circuit called testcct:
CBS(conf-cct)# proxy-arp
CBS(conf-cct)#
A VAP group can use the circuit called testcct to reply to ARP requests for NATed IP addresses that are defined in Check Point but not in XOS. Thus, the VAP group acts as a proxy for the ARP requests for NATed IP addresses.
NOTE: Some applications require an additional circuit for RST injection. Refer to your application documentation for specific requirements.
Syntax
tcp-rst-injection [no] tcp-rst-injection
Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)#
The following command enables tcp-rst-injection on testcct:
CBS(conf-cct)# tcp-rst-injection
CBS(conf-cct)#
Syntax
incoming-circuit-group <ICG_number>
no incoming-circuit-group
Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
<ICG_number>
    Incoming circuit group number that you want to assign to the circuit that you are configuring. Valid values are from 1 to 255. Default is 1.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)#
The following command assigns the circuit called testcct to incoming circuit group number 5:
CBS(conf-cct)# incoming-circuit-group 5
CBS(conf-cct)#
configure incoming-circuit-group-name
Configures the name of a specified incoming circuit group. To display a list of incoming circuit groups along with any assigned names, use the show incoming-circuit-group-name command.
Syntax
configure incoming-circuit-group-name <ICG_number> <ICG_name>
configure no incoming-circuit-group-name <ICG_number> <ICG_name>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
<ICG_number>
    Specifies the number of the incoming circuit group (ICG) to which you want to apply a name. Range: 2-255
<ICG_name>
    Specifies the name that you want to apply to the incoming circuit group (ICG).
Restrictions
Default Privilege Level: 15
Warning messages are displayed in each of the following instances:
- Assigning a circuit to an unconfigured ICG
- Deleting an ICG-name that is currently in use
- Changing an existing ICG-name
In each of these cases, the command will successfully execute; however, a warning message will appear in the CLI. If the warning appears, check your configuration for potential conflicts in ICG naming.
Example
The following command assigns the name internal to incoming circuit group 3:
CBS# configure incoming-circuit-group-name 3 internal
Syntax
[no] vap-group <VAP_group_name>
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
<VAP_group_name>
    Specifies the name of the existing VAP group that you want to assign to the circuit that you are configuring, or specifies the name of the existing VAP group from which you want to remove the circuit that you are configuring.
Restrictions
Default Privilege Level: 15
You must use the configure vap-group command to create and configure a VAP group before assigning a circuit to that VAP group.
Example
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)#
The following command assigns the circuit called testcct to the VAP group called testvapgroup, and places you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)#
VAP index 2 IP address 2.2.2.36
VAP index 3 IP address 2.2.2.37
IMPORTANT: To assign a primary circuit IP address to every VAP in a group, the number of primary circuit IP addresses in the specified range must be equal to or greater than the number of VAPs in the group. If the number of primary circuit IP addresses in the specified range is greater than the number of VAPs in the group, XOS reserves the unused primary circuit IP addresses. Each time you add a new VAP to the VAP group, XOS assigns one of the unused primary circuit IP addresses to the new VAP.
You use the increment-per-vap parameter when configuring a circuit for application management traffic. Assigning a unique management IP address to each VAP lets you access and manage each VAP as a separate instance of an application. You can also use the increment-per-vap parameter when configuring a circuit to pass traffic between different VAPs in a VAP group. For example, you must use this parameter when configuring a synchronization circuit for a Check Point firewall application.
By default, XOS determines the primary broadcast IP address for a circuit by applying the subnet mask specified for the primary IP addresses. Optionally, you can specify a user-defined broadcast IP address.
Each time you assign one or more primary circuit IP addresses to a VAP group, XOS generates a default IP flow rule for that VAP group. XOS defines this default IP flow rule as follows:
- Flow matching criteria: Destination IP address matches at least one of the primary circuit IP addresses that are configured for the VAP group. Source IP address does not match the network or broadcast IP address.
- Action: load-balance. See action load-balance (ip-flow-rule context) on page 304 for more information on this action.
- Default IP flow rule priority level: 10. Use the ip-flow-rule-priority (conf-cct-vapgroup context) command to change this default priority level.
Use the no ip command to delete all primary IP address(es) currently assigned to the VNDs that XOS creates for the circuit on the VAP group that you are configuring.
Use the show (conf-cct context) command to display the primary IP addresses assigned to the VNDs that XOS creates for the circuit that you are configuring on each VAP group assigned to the circuit.
Syntax (IPv4)
ip {<IP_address> <netmask> | <IP_address>/<0-32>} [<broadcast_IP_address>] [increment-per-vap <IP_address>]
ip {<lowest_IP_address> <netmask> | <lowest_IP_address>/<0-32>} [<broadcast_IP_address>] [increment-per-vap <highest_IP_address>]
no ip
Syntax (IPv6)
ip {<IP_address>/<0-128>}
no ip
Parameters
The following table lists the parameters used with this command.

Parameter: {<IP_address> <netmask> | <IP_address>/<0-32>}
Description: Assigns the specified primary IP address to each VND that XOS creates for the circuit on the VAP group that you are configuring. You must specify the subnet mask for the primary IP address. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.

Parameter: {<lowest_IP_address> <netmask> | <lowest_IP_address>/<0-32>} increment-per-vap <highest_IP_address>
Description: Assigns the specified range of consecutive primary IP addresses to the VNDs that XOS creates for the circuit on the VAP group that you are configuring. When you specify this parameter, XOS assigns a unique primary IP address to each VND. XOS assigns consecutive primary circuit IP addresses to consecutive VAP index numbers, with the lowest primary circuit IP address number assigned to VAP index number 1. You must specify the subnet mask for the lowest primary IP address in the range. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.
Parameter: <broadcast_IP_address>
Description: Assigns the specified primary broadcast IP address to the circuit for the VAP group that you are currently configuring. By default, XOS determines the primary broadcast IP address for a circuit by applying the subnet mask specified for the primary IP address(es).
NOTE: The broadcast IP must match the primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group.
Restrictions
Default Privilege Level: 15
If you assign an IPv4 primary address to a circuit, you can assign either IPv4 or IPv6 alias addresses. If you assign an IPv6 primary address, you can assign only IPv6 alias addresses.
A primary IP address cannot have the subnet mask, 0.0.0.0. If you specify an IP network for a primary IP address using CIDR notation, you cannot use /0.
A primary circuit IP address cannot be in the same network as the X-Series Platform's configured and operational system internal network IP addresses. Use the show system-internal-network command to display the current configured and operational system internal network IP addresses for your X-Series Platform.
The broadcast IP, primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group must all belong to the same subnet.
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-vapgroup)#

The following command assigns a range of four primary IP addresses to the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup, assigning a unique primary IP address to each VND. This command also places you in the CLI context in which you can configure an alias IP address for each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup.

NOTE: Since the VAP group called testvapgroup consists of only three VAPs, this command assigns the first three primary circuit IP addresses in the range to VAP index numbers 1, 2, and 3 and reserves the fourth primary circuit IP address. If you add a fourth VAP to this group, XOS assigns the fourth primary circuit IP address to the new VAP.

    CBS(conf-cct-vapgroup)# ip 2.2.2.35/24 increment-per-vap 2.2.2.38
    CBS(conf-cct-vapgroup-ip)#

NOTE: To assign an IPv6 address, use this command:

    CBS(conf-cct-vapgroup)# ip fd00:1900:4545:3:200:f8ff:fe21:67ca

The increment-per-vap sub-command is not supported for IPv6. All VAPs in a VAP group must share one IP address.
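The allocation and restriction rules for ip with increment-per-vap can be checked offline before a range is entered on the platform. The following Python sketch is an added example, not XOS or vendor code; the function name, the internal_nets argument (standing in for the output of show system-internal-network) and the network/broadcast warning are assumptions.

```python
import ipaddress


def plan_increment_per_vap(lowest, highest, vap_count, internal_nets=()):
    """Model 'ip <lowest> increment-per-vap <highest>' for one VAP group.

    lowest is 'addr/prefix' or 'addr/netmask' (dotted quad after the slash).
    internal_nets is a hypothetical stand-in for the networks reported by
    'show system-internal-network'.
    """
    iface = ipaddress.ip_interface(lowest)
    if iface.version == 6:
        raise ValueError("increment-per-vap is not supported for IPv6")
    net = iface.network
    if net.prefixlen == 0:
        raise ValueError("subnet mask 0.0.0.0 (/0) is not allowed")

    low, high = iface.ip, ipaddress.IPv4Address(highest)
    if high < low:
        raise ValueError("highest address is below the lowest address")
    if high not in net:
        raise ValueError(f"{high} is outside {net}; addresses must share one subnet")

    # A primary circuit address may not sit in the system internal network.
    for other in map(ipaddress.ip_network, internal_nets):
        if net.overlaps(other):
            raise ValueError(f"{net} overlaps system internal network {other}")

    pool = [ipaddress.IPv4Address(i) for i in range(int(low), int(high) + 1)]
    if len(pool) < vap_count:
        raise ValueError(
            f"range holds {len(pool)} addresses but the group has {vap_count} VAPs"
        )

    # Added sanity check (an assumption, not a documented restriction):
    # flag ranges that include the subnet's network or broadcast address.
    warnings = [
        f"{ip} is the network or broadcast address of {net}"
        for ip in pool
        if ip in (net.network_address, net.broadcast_address)
    ]

    return {
        # Lowest address goes to VAP index 1, then consecutive indexes.
        "assigned": {i: str(ip) for i, ip in enumerate(pool[:vap_count], start=1)},
        # Unused addresses are held for VAPs added to the group later.
        "reserved": [str(ip) for ip in pool[vap_count:]],
        # Default broadcast address derived from the subnet mask.
        "broadcast": str(net.broadcast_address),
        "warnings": warnings,
    }


if __name__ == "__main__":
    # The range from the Example section, for a VAP group of three VAPs.
    plan = plan_increment_per_vap("2.2.2.35/24", "2.2.2.38", vap_count=3)
    for index, address in plan["assigned"].items():
        print(f"VAP index {index} IP address {address}")
    print("reserved:", ", ".join(plan["reserved"]))
    print("broadcast:", plan["broadcast"])
```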
Syntax (IPv4)
[no] alias {<IP_address> <netmask> | <IP_address>/<0-32>} [<broadcast_IP_address>] {[increment-per-vap <IP_address>] | [floating]}
Syntax (IPv6)
[no] alias <IP_address>/<0-128>
Context
You access this command from the conf-cct-vapgroup-ip context. You access this context from the main CLI context, as follows:
1. Issue the configure circuit command to configure a specific circuit.
2. Issue the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
3. Issue the ip (conf-cct-vapgroup context) (IPv6 and IPv4) command to assign a primary IP address to each of the VNDs that XOS creates for the circuit on the VAP group that you are configuring.
Parameters
The following table lists the parameters used with this command.

Parameter (IPv4): {<IP_address> <netmask> | <IP_address>/<0-32>}
Description: Assigns the specified alias IP address to each VND that XOS creates for the circuit on the VAP group that you are configuring. You must specify the subnet mask for the alias IP address. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.

Parameter (IPv4): {<lowest_IP_address> <netmask> | <lowest_IP_address>/<0-32>} increment-per-vap <highest_IP_address>
Description: Assigns the specified range of consecutive alias IP addresses to the VNDs that XOS creates for the circuit on the VAP group that you are configuring. When you specify this parameter, XOS assigns a unique alias IP address to each VND. XOS assigns consecutive alias circuit IP addresses to consecutive VAP index numbers, with the lowest alias circuit IP address number assigned to VAP index number 1. You must specify the subnet mask for the lowest alias IP address in the range. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.
Parameter (IPv4): <broadcast_IP_address>
Description: Assigns the specified alias broadcast IP address to the circuit for the VAP group that you are currently configuring. By default, XOS determines the alias broadcast IP address for a circuit by applying the subnet mask specified for the alias IP address(es).
NOTE: The broadcast IP must match the primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group.

Parameter (IPv4): floating
Description: Assigns the alias IP address to the master VAP, allowing traffic, cluster management, and synchronization communication to go directly to the master VAP. If a new master VAP is elected, the address floats to the new master.
NOTE: This parameter can be used only with an IPv4 address.
NOTE: This parameter cannot be used with increment-per-vap.
NOTE: Only one floating address can be used for any one circuit.

Parameter (IPv6): <IP_address>/<0-128>
Description: Assigns the specified alias IP address to each VND that XOS creates for the circuit on the VAP group that you are configuring. You must specify the subnet mask for the alias IP address. You can specify an IP network using CIDR notation (for example, fd00:1545:be72:e5af::cf33:54aa/64).
NOTE: If you specify an IP network using CIDR notation, you cannot use /0.
Restrictions
Default Privilege Level: 15
An alias IP address cannot have the subnet mask, 0.0.0.0. If you specify an IP network for an alias IP address using CIDR notation, you cannot use /0.
An alias circuit IP address cannot be in the same network as the X-Series Platform's configured and operational system internal network IP addresses. Use the show system-internal-network command to display the current configured and operational system internal network IP addresses for your X-Series Platform.
The broadcast IP, primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group must all belong to the same subnet.
Example (IPv4)
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-vapgroup)#

The following command assigns a range of four primary IP addresses to the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup, assigning a unique primary IP address to each VND. This command also places you in the CLI context in which you can configure an alias IP address for each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup.

NOTE: Since the VAP group called testvapgroup consists of only three VAPs, this command assigns the first three primary circuit IP addresses in the range to VAP index numbers 1, 2, and 3 and reserves the fourth primary circuit IP address. If you add a fourth VAP to this group, XOS assigns the fourth primary circuit IP address to the new VAP.

    CBS(conf-cct-vapgroup)# ip 2.2.2.35/24 increment-per-vap 2.2.2.38
    CBS(conf-cct-vapgroup-ip)#

The following command assigns a single alias IP address to each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:

    CBS(conf-cct-vapgroup-ip)# alias 6.6.6.35/24
    CBS(conf-cct-vapgroup-ip)#
Example (IPv6)
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-vapgroup)#

The following command assigns a single IPv6 address to the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup, assigning the same primary IP address to each VND. This command also places you in the CLI context in which you can configure an alias IP address for each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup.

NOTE: Since the VAP group called testvapgroup consists of only three VAPs, this command assigns the first three primary circuit IP addresses in the range to VAP index numbers 1, 2, and 3 and reserves the fourth primary circuit IP address. If you add a fourth VAP to this group, XOS assigns the fourth primary circuit IP address to the new VAP.

    CBS(conf-cct-vapgroup)# ip fd00:1545:be72:e5af::cf33:54aa/64
    CBS(conf-cct-vapgroup-ip)#

The following command assigns a single alias IPv6 address to each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:

    CBS(conf-cct-vapgroup-ip)# alias fd00:1545:be72:e5af::cf33:33ff/64
    CBS(conf-cct-vapgroup-ip)#
Syntax
ip-flow-rule-priority <priority_level>
no ip-flow-rule-priority
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Parameters
The following table lists the parameters used with this command.

Parameter: <priority_level>
Description: Priority level that you want to assign to the default VAP group IP flow rule that XOS creates when you assign a primary circuit IP address to the VAP group that you are configuring. Valid values are from 0 to 31. Default is 21.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-testvapgroup)#

The following command assigns priority level 15 to the default IP flow rule that XOS creates for the VAP group called testvapgroup when you assign a primary IP address to the VAP group for the circuit called testcct:

    CBS(conf-cct-testvapgroup)# ip-flow-rule-priority 15
    CBS(conf-cct-testvapgroup)#
Syntax
[no] verify-next-hop-ip <IP_address>
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Parameters
The following table lists the parameters used with this command.

Parameter: <IP_address>
Description: Specifies the next-hop IP address that you want to assign to the circuit for the VAP group that you are configuring. The X-Series Platform verifies connectivity to the next-hop IP address.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to verify connectivity to the next-hop IPv4 address, 10.10.10.5, through the circuit called testcct. This command also configures the X-Series Platform to treat a next-hop IP address health check failure as a redundant interface failover trigger for the physical interface logically linked to the circuit called testcct.

    CBS(conf-cct-testvapgroup)# verify-next-hop-ip 10.10.10.5
    CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to verify connectivity to the next-hop IPv6 address, 3000:AC10::3713, through the circuit called testcct. This command also configures the X-Series Platform to treat a next-hop IP address health check failure as a redundant interface failover trigger for the physical interface logically linked to the circuit called testcct.

    CBS(conf-cct-testvapgroup)# verify-next-hop-ip 3000:AC10::3713
    CBS(conf-cct-testvapgroup)#
The default-egress-vlan-tag command configures a VAP group to use the specified VLAN tag as the default VLAN tag for traffic egressing the VAP group through the circuit that you are configuring. The VAP group's circuit VNDs assign the specified default egress VLAN tag to all untagged packets egressing the VAP group through the circuit.

Optionally, you can specify the hide-vlan-header parameter to configure the VAP group to remove the VLAN tag from the header of every packet ingressing the VAP group through the circuit that you are configuring.

NOTE: Use the hide-vlan-header parameter for circuits mapped to VAP groups on which installed applications require the removal of VLAN tags from packet headers for proper operation.

By default, a VAP group does not apply a VLAN tag to a packet passing through a circuit; untagged packets always remain untagged after passing through a circuit. Use the no default-egress-vlan-tag command to restore this default behavior for a VAP group assigned to the circuit that you are configuring.

Use the show (conf-cct context) command to display the default egress VLAN tag configuration (if any) for each VAP group assigned to the circuit that you are configuring.
Syntax
default-egress-vlan-tag <VLAN_ID> [hide-vlan-header]
no default-egress-vlan-tag
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Parameters
The following table lists the parameters used with this command.

Parameter: <VLAN_ID>
Description: VLAN tag that you want to apply to untagged packets egressing the VAP group through the circuit that you are configuring. The VAP group's circuit VNDs assign the specified default egress VLAN tag to all untagged packets egressing the VAP group through the circuit. Valid values are from 0 to 4094.
Parameter: hide-vlan-header
Description: Configures the VAP group to remove the VLAN tag from the header of every packet ingressing the VAP group through the circuit that you are configuring.
NOTE: Use the hide-vlan-header parameter for circuits mapped to VAP groups on which installed applications require the removal of VLAN tags from packet headers for proper operation.
To delete this parameter from an existing circuit configuration for a VAP group, you must re-enter the default-egress-vlan-tag command without specifying this parameter.
Restrictions
Default Privilege Level: 15
Each egress VLAN tag that you configure must be unique. You cannot use the same default egress VLAN tag for multiple circuits configured on the X-Series Platform. Use the show (conf-cct context) command to display the default and replacement egress VLAN tag configuration (if any) for each VAP group assigned to the circuit that you are configuring.
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to use the default egress VLAN tag, 1660, for traffic passing through the circuit called testcct. The testcct VNDs assign VLAN tag 1660 to all untagged packets egressing the VAP group called testvapgroup through the circuit called testcct:

    CBS(conf-cct-testvapgroup)# default-egress-vlan-tag 1660
    CBS(conf-cct-testvapgroup)#
By default, a VAP group does not use a specific egress VLAN tag for traffic passing through a circuit; a packet's ingress and egress VLAN tags are the same, and untagged packets remain untagged after passing through a circuit. Use the no replace-vlan-tag command to restore this default behavior for a VAP group assigned to the circuit that you are configuring.
Syntax
replace-vlan-tag <VLAN_ID>
no replace-vlan-tag
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Parameters
The following table lists the parameters used with this command.

Parameter: <VLAN_ID>
Description: Specifies the egress VLAN tag with which you want to replace the ingress VLAN tag assigned to each packet that ingresses the VAP group through the circuit that you are configuring. Valid values are from 0 to 4094.
Restrictions
Default Privilege Level: 15
Each egress VLAN tag that you configure must be unique. You cannot use the same replacement egress VLAN tag for multiple circuits configured on the X-Series Platform. Use the show (conf-cct context) command to display the default and replacement egress VLAN tag configurations (if any) for each VAP group assigned to the circuit that you are configuring.
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-testvapgroup)#

The following command removes all ingress VLAN tags from packets ingressing on the VAP group called testvapgroup through the circuit called testcct, and replaces those ingress VLAN tags with the egress VLAN ID number 1670:

    CBS(conf-cct-testvapgroup)# replace-vlan-tag 1670
    CBS(conf-cct-testvapgroup)#
Syntax
[no] management-circuit
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to use the circuit called testcct for application management traffic:

    CBS(conf-cct-testvapgroup)# management-circuit
    CBS(conf-cct-testvapgroup)#
Syntax
[no] dhcp-relay
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to use the circuit called testcct to listen for DHCP broadcasts:

    CBS(conf-cct-testvapgroup)# dhcp-relay
    CBS(conf-cct-testvapgroup)#
Syntax
promiscuous-mode [active]
no promiscuous-mode
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Parameters
The following table lists the parameters used with this command.

Parameter: active
Description: Configures the VAP group to accept packets passing through the circuit and forward them to another interface. Use this parameter to configure a circuit to support a bridging application, such as an Intrusion Prevention System (IPS).
Restrictions
Default Privilege Level: 15
A circuit can be configured for a VAP group using only one of the following commands:
    promiscuous-mode
    promiscuous-mode active
    ip-forwarding
See ip-forwarding (conf-cct-vapgroup context) on page 428 for more information about the ip-forwarding command.
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to accept every packet received on the circuit called testcct, without considering the packet's destination MAC address. This command also configures the VAP group called testvapgroup to forward packets received on the circuit called testvapgroup to another interface configured for that VAP group.

    CBS(conf-cct-testvapgroup)# promiscuous-mode active
    CBS(conf-cct-testvapgroup)#
YY is the system identifier assigned to the X-Series Platform. Use the show system-identifier command to display the system ID assigned to your X-Series Platform. The show running-config command displays user-defined MAC addresses that are not part of the system-reserved pool. This command does not display the system-reserved MAC addresses for the X-Series Platform. By default, XOS assigns a single system-reserved MAC address to all of the VNDs that it creates for a circuit on a VAP group. Use the no mac-addr command to restore the default MAC address for the VNDs that XOS creates for the circuit on the VAP group that you are configuring. Use the show (conf-cct context) command to display the MAC addresses assigned to the VNDs that XOS creates for the circuit that you are configuring on each VAP group assigned to that circuit.
Syntax
mac-addr <MAC_address> [system-reserved]
no mac-addr
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Parameters
The following table lists the parameters used with this command.

Parameter: <MAC_address>
Description: User-defined MAC address that you want to assign to each of the VNDs that XOS creates for the circuit on the VAP group that you are configuring. You must specify the MAC address using standard hexadecimal MAC address format (aa:bb:cc:dd:ee:ff).
NOTE: The specified MAC address cannot contain all 0s (0:0:0:0:0:0) or all fs (ff:ff:ff:ff:ff:ff).

Parameter: system-reserved
Description: Enables the specified user-defined MAC address to be a system-reserved MAC address. Specify the all-series parameter with the show running-config command to display the system-reserved MAC addresses for your X-Series Platform.
Restrictions
Default Privilege Level: 15
A MAC address cannot contain only 0s (0:0:0:0:0:0) or only fs (ff:ff:ff:ff:ff:ff).
The VNDs that XOS creates for a specific circuit on a specific VAP group must have a unique MAC address. Use the show circuit command to display the MAC address assigned to the VNDs that XOS creates for each circuit on each VAP group configured on the X-Series Platform.
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-testvapgroup)#

The following command assigns the MAC address, aa:bb:cc:dd:ee:ff, to each of the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:

    CBS(conf-cct-testvapgroup)# mac-addr aa:bb:cc:dd:ee:ff
    CBS(conf-cct-testvapgroup)#
Syntax
mtu <size>
no mtu
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Parameters
The following table lists the parameters used with this command.

Parameter: <size>
Description: Maximum Transmission Unit (MTU) size, in bytes, that you want to apply to the VNDs that XOS creates for the circuit on the VAP group that you are configuring. Valid values are from 68 to 9000. Default is 1500.
NOTE: If IPv6 has been enabled for the VAP group, the minimum MTU size is 1280. If you attempt to configure a number smaller than 1280, an error message appears.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-testvapgroup)#

The following command sets the Maximum Transmission Unit (MTU) size to 4000 bytes for each VND that XOS creates for the circuit called testcct on the VAP group called testvapgroup:

    CBS(conf-cct-testvapgroup)# mtu 4000
    CBS(conf-cct-testvapgroup)#
Syntax
[no] ip-forwarding
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Restrictions
Default Privilege Level: 15
A circuit can be configured for a VAP group using only one of the following commands:
    promiscuous-mode
    promiscuous-mode active
    ip-forwarding
See promiscuous-mode (conf-cct-vapgroup context) on page 423 for more information about the promiscuous-mode and promiscuous-mode active command.
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to forward IP packets received on the circuit called testcct:

    CBS(conf-cct-testvapgroup)# ip-forwarding
    CBS(conf-cct-testvapgroup)#
icmp-redirect (conf-cct-vapgroup)
Configures a VAP group to accept ICMP redirect packets received on the circuit that you are configuring.

NOTE: ICMP redirect packets change information in a host's routing table. Therefore, configuring a host to accept ICMP redirect packets is often considered to be a security risk.

By default, a VAP group drops all ICMP redirect packets received on a circuit. Use the no parameter to restore this default circuit behavior for the VAP group that you are configuring.

Use the show (conf-cct context) command to determine whether any VAP groups are configured to accept ICMP redirect packets received on the circuit that you are configuring.
Syntax
[no] icmp-redirect
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:

    CBS# configure circuit testcct
    CBS(conf-cct)# vap-group testvapgroup
    CBS(conf-cct-testvapgroup)#

The following command configures the VAP group called testvapgroup to accept ICMP redirect packets received on the circuit called testcct:

    CBS(conf-cct-testvapgroup)# icmp-redirect
    CBS(conf-cct-testvapgroup)#
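The restrictions stated for the conf-cct-vapgroup commands (one forwarding mode per circuit and VAP group, unique egress VLAN tags across circuits, MTU and MAC address limits) and the non-default icmp-redirect setting lend themselves to an offline review of a planned change. The following Python sketch is an added example, not XOS or vendor code: the transcript is constructed, the circuit name othercct is hypothetical, and the handling of no forms and the use of an IPv6 ip address as the signal that IPv6 is enabled are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed command transcript (typed commands, not captured from a device).
SAMPLE = """\
configure circuit testcct
vap-group testvapgroup
ip fd00:1545:be72:e5af::cf33:54aa/64
mtu 1000
promiscuous-mode active
ip-forwarding
icmp-redirect
default-egress-vlan-tag 1660
configure circuit othercct
vap-group testvapgroup
default-egress-vlan-tag 1660
mac-addr ff:ff:ff:ff:ff:ff
mtu 4000
"""

# The Restrictions sections allow only one of these per circuit and VAP group.
MODE_CMDS = {"promiscuous-mode", "promiscuous-mode active", "ip-forwarding"}
VLAN_CMDS = ("default-egress-vlan-tag", "replace-vlan-tag")


def parse(transcript):
    """Return {(circuit, vap_group): [command, ...]} from typed commands."""
    groups, circuit, key = defaultdict(list), None, None
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("configure circuit "):
            circuit, key = line.split()[2], None
        elif line.startswith("vap-group ") and circuit:
            key = (circuit, line.split()[1])
            groups[key]  # create the entry even if no commands follow
        elif key and line.startswith("no "):
            # Assumption: "no <cmd>" cancels earlier <cmd> lines in this context.
            name = line.split()[1]
            groups[key] = [c for c in groups[key] if c.split()[0] != name]
        elif key:
            groups[key].append(line)
    return dict(groups)


def _has_ipv6(cmds):
    """Assumption: an IPv6 'ip' address means IPv6 is enabled for the group."""
    for cmd in cmds:
        tok = cmd.split()
        if tok[0] == "ip" and len(tok) > 1:
            try:
                if ipaddress.ip_interface(tok[1]).version == 6:
                    return True
            except ValueError:
                pass
    return False


def _bad_mac(text):
    """True for malformed, all-0s or all-fs addresses (0:0:0:0:0:0 form allowed)."""
    try:
        octets = [int(part, 16) for part in text.split(":")]
    except ValueError:
        return True
    if len(octets) != 6 or any(not 0 <= o <= 0xFF for o in octets):
        return True
    return all(o == 0 for o in octets) or all(o == 0xFF for o in octets)


def audit(transcript):
    """Return sorted (where, rule, detail) findings for the documented limits."""
    findings, vlan_users = [], defaultdict(set)
    for (cct, grp), cmds in parse(transcript).items():
        where = f"{cct}/{grp}"
        if "icmp-redirect" in cmds:
            findings.append((where, "icmp-redirect", "ICMP redirects accepted; default is drop"))
        modes = sorted(MODE_CMDS.intersection(cmds))
        if len(modes) > 1:
            findings.append((where, "mode-conflict", " + ".join(modes)))
        mtu_min = 1280 if _has_ipv6(cmds) else 68
        for cmd in cmds:
            tok = cmd.split()
            arg = tok[1] if len(tok) > 1 else ""
            if tok[0] == "mtu" and not (arg.isdigit() and mtu_min <= int(arg) <= 9000):
                findings.append((where, "mtu", f"{arg!r} outside {mtu_min}-9000"))
            elif tok[0] == "mac-addr" and _bad_mac(arg):
                findings.append((where, "mac-addr", f"{arg!r} is malformed, all 0s or all fs"))
            elif tok[0] in VLAN_CMDS:
                if arg.isdigit() and 0 <= int(arg) <= 4094:
                    vlan_users[(tok[0], int(arg))].add(cct)
                else:
                    findings.append((where, "vlan-id", f"{arg!r} outside 0-4094"))
    # The same default or replacement egress tag may not serve several circuits.
    for (cmd, vid), circuits in vlan_users.items():
        if len(circuits) > 1:
            findings.append((",".join(sorted(circuits)), "vlan-tag-reuse", f"{cmd} {vid}"))
    return sorted(findings)


if __name__ == "__main__":
    for where, rule, detail in audit(SAMPLE):
        print(f"{where:24} {rule:16} {detail}")
```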
enable (conf-cct-vapgroup)
When you assign a circuit to a VAP group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces. This command enables or disables (using no) all of the VNDs that XOS creates for the circuit on the VAP group that you are configuring. A circuit's VNDs are enabled by default.

This command is useful when changing an application's mode of operation requires changing the VAP group's interface configuration. You can configure circuits to support multiple modes of operation and then disable the circuits that are not required to support the application's current mode of operation. For example, you can use this technique to facilitate operating mode changes for an application that can run in either Intrusion Detection System (IDS) mode or Intrusion Prevention System (IPS) mode.

Use the show (conf-cct context) command to determine whether the VNDs that XOS creates for the circuit that you are configuring are enabled or disabled on each VAP group assigned to the circuit.
Syntax
[no] enable
Context
You access this command from the conf-cct-vapgroup context. You access this context from the main CLI context by issuing the configure circuit command to configure a specific circuit and then issuing the vap-group (conf-cct context) command to configure a specific VAP group to process traffic passing through the circuit.
Restrictions
Default Privilege Level: 15
Example
The following commands place you in the conf-cct-vapgroup context in which you can configure the VAP group called testvapgroup to process traffic passing through the circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-testvapgroup)#
The following command disables the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:
CBS(conf-cct-testvapgroup)# no enable
CBS(conf-cct-testvapgroup)#
Syntax
show
Context
You access this command from the conf-cct context. You access this context from the main CLI context by issuing the configure circuit command.
Output
This command displays the current circuit configuration settings for each VAP group assigned to the circuit that you are configuring, using the following format:
Circuit Name : <circuit_name>
Circuit-Id : <ID_number>
Device Name : <device_name>
Incoming Circuit Group : <ICG_number>
Link State Resistant (true/false) : {t | f}
Promiscuous Mode : {unknown | no promiscuous | promiscuous | promiscuous active}
Proxy ARP Enabled (true/false) : {t | f}
IP Forwarding (true/false) : [t | f]
ICMP Redirect (true/false) : [t | f]
Reclassify NAT Flows (true/false) : [t | f]
IP Flow Rule Priority : [<priority_level>]
IP Flow Rule No Failover (true/false) : [t | f]
VAP Group : [<VAP_group_name>]
Verify Next Hop IP : [<next_hop_IP_address>]
Aggregation Mode : {none | multi-link}
Domain : <domain_ID_number>
New Flow Control (true/false) : {t | f}
DHCP Relay (true/false) : [t | f]
Default Egress Vlan Tag : [N/A | <VLAN_ID>]
Hide VLAN Header (true/false) : {N/A | t | f}
Replace Egress Vlan Tag : [N/A | <VLAN_ID>]
MAC Address : [<MAC_address> [(system-reserved)]]
MTU : [<MTU_size>]
Management Circuit (true/false) : [t | f]
Enable (true/false) : [t | f]
Primary Type : [primary | ip-less]
IP Address : [<primary_IP_address>/<0-32>] (IPv4)
           : [<primary_IP_address>/<0-128>] (IPv6)
IP Broadcast Address : [<primary_broadcast_IP_address>]
Increment-per-vap Mode (true/false) : [t | f]
IP Address High : [<primary_IP_address>]
Alias Index : <alias_index_number>
IP Address : <alias_IP_address>/<0-32> (IPv4)
           : <alias_IP_address>/<0-128> (IPv6)
IP Broadcast Address : <alias_broadcast_IP_address>
Increment-per-vap Mode (true/false) : {t | f}
IP Address High : <alias_IP_address>
The following table describes the information provided in each column/row.
Circuit Name
Name of the circuit that you are configuring. See configure circuit on page 397 for instructions on assigning a name to a new circuit. NOTE: You cannot change the name of an existing circuit.
Circuit-Id
Circuit ID number assigned to the circuit. Default is a system-assigned number between 1025 and 4095. See configure circuit on page 397 for information about assigning a user-defined circuit ID to a new circuit. NOTE: You cannot change the ID number assigned to an existing circuit.
Device Name
Device name assigned to the VNDs that XOS creates for the circuit on each VAP group to which the circuit is assigned. Default device name is vnd<ID#>, where <ID#> is the circuit ID number assigned to the circuit. See device-name (conf-cct context) on page 399 for information about configuring a device name for a circuit.
Incoming Circuit Group
ID number for the incoming circuit group (ICG) to which the circuit is assigned. Default is 1. See incoming-circuit-group (conf-cct context) on page 403 for information about assigning a circuit to an ICG.
Link State Resistant (true/false)
Indicates whether the Virtual Network Devices (VNDs) that XOS creates for the circuit on a VAP group are configured as virtualized internal interfaces that function independently of the physical interfaces on the Network Processor Modules (NPMs). This row displays either f (false) or t (true):
f (false): Default setting. The VNDs that XOS creates for the circuit on a VAP group cannot function without a logical link to a physical interface. The VNDs have a default link state of Down, and the link state of the circuit's VNDs always matches the link state of the physical interface mapped to the circuit.
t (true): The VNDs that XOS creates for the circuit on a VAP group are configured as link-state-resistant interfaces that have a default link state of Up, and the link state of the VNDs is not dependent on the link state of any physical interface.
See link-state-resistant (conf-cct context) on page 400 for information about configuring a circuit to enable its VNDs to function as virtualized internal interfaces.
Promiscuous Mode
VAP group promiscuous mode setting for the circuit:
unknown: Circuit is not assigned to a VAP group.
no promiscuous: Default VAP group setting. Each VAP in the VAP group can accept a packet received on the circuit only if one of the following conditions is true:
- The packet's destination MAC address matches the MAC address assigned to the VND on which the VAP receives the packet.
- The packet's destination MAC address is a broadcast MAC address.
- The packet's destination MAC address is a multicast MAC address.
promiscuous: VAP group is configured to accept every packet received on the circuit, without considering the packet's destination MAC address. VAP group accepts packets passing through the circuit without forwarding them to any other interfaces.
promiscuous active: VAP group is configured to accept every packet received on the circuit, without considering the packet's destination MAC address. VAP group accepts packets passing through the circuit and forwards them to another interface configured for the VAP group.
See promiscuous-mode (conf-cct-vapgroup context) on page 423 for information about setting the promiscuous mode for a VAP group assigned to a circuit.
Proxy ARP Enabled (true/false)
Indicates whether Proxy ARP is enabled (t) or disabled (f) for the circuit. Default is disabled (f). See proxy-arp (conf-cct context) on page 402 for information about enabling and disabling Proxy ARP for a circuit.
IP Forwarding (true/false)
This row is blank if the circuit is not assigned to a VAP group. Indicates whether IP forwarding is enabled (t) or disabled (f) on the circuit for the VAP group. Default is disabled (f). See ip-forwarding (conf-cct-vapgroup context) on page 428 for information about configuring a VAP group to forward IP packets received on a circuit. NOTE: Enabling IP forwarding for a VAP group enables IP forwarding on all of the VAP group's circuits. Use the show vap-group command to determine whether IP forwarding is enabled for a VAP group. See ip-forwarding (config-vap-grp context) on page 192 for information about enabling and disabling IP forwarding for a VAP group.
ICMP Redirect (true/false)
This row is blank if the circuit is not assigned to a VAP group. Indicates whether acceptance of ICMP redirect packets is enabled (t) or disabled (f) on the circuit for the VAP group. Default is disabled (f). See icmp-redirect (conf-cct-vapgroup) on page 429 for information about configuring a VAP group to accept ICMP redirect packets received on a circuit.
Reclassify NAT Flows (true/false)
This row is blank if the circuit is not assigned to a VAP group. Indicates whether reclassification of NAT flows is enabled (t) or disabled (f) on the circuit for the VAP group. Default is disabled (f). NOTE: You can change this setting only if the X-Series Platform is running in Series-2 NPM mode. Therefore, you cannot change this setting on an X-Series Platform running XOS V8.5 or later.
IP Flow Rule Priority
This row is blank if the circuit is not assigned to a VAP group. Priority level assigned to the default IP flow rule that XOS creates for the VAP group when one or more primary IP addresses is assigned to the VAP group for this circuit. Default IP flow rule priority level for a new circuit is 10. Default setting for a user-configured IP flow rule priority level is 21. See ip-flow-rule-priority (conf-cct-vapgroup context) on page 415 for information about configuring the priority level for a default IP flow rule that XOS creates for a VAP group.
IP Flow Rule No Failover (true/false)
This row is blank if the circuit is not assigned to a VAP group. Indicates whether the circuit-level IP flow rule, no-failover, is enabled (t) or disabled (f) for the VAP group. Default is disabled (f). NOTE: You can change this setting only if the X-Series Platform is running in Series-2 NPM mode. Therefore, you cannot change this setting on an X-Series Platform running XOS V8.5 or later.
VAP Group
This row is blank if the circuit is not assigned to a VAP group. Name of the VAP group to which this circuit configuration applies. See vap-group (conf-cct context) on page 406 for information about assigning a VAP group to a circuit and configuring that VAP group to process traffic passing through a circuit.
Verify Next Hop IP
This row is blank if a next-hop IP address is not assigned to the circuit for this VAP group or if the circuit is not assigned to a VAP group. Next-hop IP address assigned to the circuit for the VAP group. NOTE: The system verifies connectivity to this IP address and triggers a redundant interface failover if the next-hop IP address health check fails. See verify-next-hop-ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 416 for information about assigning a next-hop IP address to a VAP group.
Aggregation Mode
Indicates whether the circuit is mapped to a group interface configured for the VAP group, and if so, displays the mode configured for that group interface. This row displays one of the following keywords: none Circuit is not mapped to a group interface configured for the VAP group. multi-link Circuit is mapped to a group interface configured for the VAP group, and the group interface is configured in multi-link mode. See mode (conf-group-intf context) on page 497 for information about configuring a group interface mode and mapping a circuit to a group interface.
Domain
ID number for the domain to which the circuit is assigned. Default is 1. See configure circuit on page 397 for information about assigning a circuit to a domain.
New Flow Control (true/false)
Indicates whether New Flow Control is enabled (t) or disabled (f) for the circuit. Default is enabled (t). NOTE: You can change this setting only if the X-Series Platform is running in Series-2 NPM mode. Therefore, you cannot change this setting on an X-Series Platform running XOS V8.5 or later.
DHCP Relay (true/false)
This row is blank if the circuit is not assigned to a VAP group. Indicates whether DHCP Relay is enabled (t) or disabled (f) on the circuit for the VAP group. Default is disabled (f). If DHCP Relay is enabled, the VAP group can use the circuit to listen for DHCP broadcasts and forward them to the servers in the VAP group's DHCP relay server list. See dhcp-relay (conf-cct-vapgroup context) on page 422 for information about enabling and disabling DHCP Relay on a circuit for a VAP group. See dhcp-relay-server-list (config-vap-grp context) on page 201 for instructions on configuring a DHCP relay server list for a VAP group.
Default Egress Vlan Tag
This row is blank if the circuit is not assigned to a VAP group. If the circuit is assigned to a VAP group, this row displays one of the following:
N/A: Default setting. Indicates that the VAP group does not apply a VLAN tag to untagged packets passing through the circuit.
VLAN ID number: Default egress VLAN tag configured for the VAP group for the circuit. The VAP group applies the specified VLAN tag to all untagged packets egressing the VAP group through the circuit.
See default-egress-vlan-tag (conf-cct-vapgroup context) on page 417 for information about configuring a VAP group with a default egress VLAN tag for a circuit.
Hide VLAN Header (true/false)
Displays one of the following Hide VLAN Header settings:
N/A: VAP group is not configured with a default egress VLAN tag for this circuit.
t: Hide VLAN Header is enabled. The VAP group is configured with a default egress VLAN tag for the circuit, and the VAP group removes the VLAN tag from the header of every packet ingressing the VAP group through the circuit. NOTE: This setting is also displayed when a circuit is not assigned to a VAP group.
f: Default setting. Hide VLAN Header is disabled. The VAP group is configured with a default egress VLAN tag for the circuit, but the VAP group does not remove VLAN tags from the headers of packets ingressing the VAP group through the circuit.
See default-egress-vlan-tag (conf-cct-vapgroup context) on page 417 for information on enabling and disabling Hide VLAN Header for a VAP group configured with a default egress VLAN tag for a circuit.
Replace Egress Vlan Tag
This row is blank if the circuit is not assigned to a VAP group. If the circuit is assigned to a VAP group, this row displays one of the following:
N/A: Default setting. Indicates that the VAP group does not use a specific egress VLAN tag for traffic passing through the circuit. A packet's ingress and egress VLAN tags are the same, and untagged packets remain untagged after passing through the circuit.
VLAN ID number: Replacement egress VLAN tag configured for the VAP group for the circuit. The VAP group applies the specified egress VLAN tag to all packets passing through the circuit. The VAP group removes all VLAN tags assigned to packets ingressing the VAP group through the circuit and replaces those VLAN tags with the specified egress VLAN tag.
See replace-vlan-tag (conf-cct-vapgroup context) on page 419 for information about configuring a VAP group with a replacement egress VLAN tag for a circuit.
MAC Address
This row is blank if the circuit is not assigned to a VAP group. <MAC_address> is the MAC address assigned to the Virtual Network Devices (VNDs) that XOS creates for the circuit on the VAP group. The system-reserved keyword indicates that the MAC address belongs to the X-Series Platform's pool of system-reserved MAC addresses. By default, XOS assigns a single system-reserved MAC address to all of the VNDs that it creates for a circuit on a VAP group. See mac-addr (conf-cct-vapgroup context) on page 424 for information about configuring a MAC address for the VNDs that XOS creates for a circuit on a VAP group.
MTU
This row is blank if the circuit is not assigned to a VAP group. Maximum Transfer Unit size, in bytes, for the VNDs that XOS creates for the circuit on the VAP group. Default is 1500. NOTE: If IPv6 has been enabled for the VAP group, the minimum MTU size is 1280. If you attempt to configure a number smaller than 1280, an error message appears. See mtu (conf-cct-vapgroup context) on page 427 for information about setting the MTU size for the VNDs that XOS creates for a circuit on a VAP group.
Management Circuit (true/false)
This row is blank if the circuit is not assigned to a VAP group. Indicates one of the following:
f: Default setting. Application installed on the VAP group inspects all traffic passing through the circuit.
t: VAP group circuit configuration includes the management-circuit command. The application installed on the VAP group treats all traffic passing through the circuit as management traffic, and does not inspect the traffic.
See management-circuit (conf-cct-vapgroup context) on page 421 for information about this VAP group circuit configuration setting.
Enable (true/false)
This row is blank if the circuit is not assigned to a VAP group. Indicates whether the Virtual Network Devices (VNDs) that XOS creates for the circuit on the VAP group are enabled (t) or disabled (f). Default is enabled (t). See enable (conf-cct-vapgroup) on page 430 for information about enabling and disabling a VAP group's VNDs for a circuit.
Primary Type
This row is blank if the circuit is not assigned to a VAP group. If the circuit is assigned to a VAP group, this row displays one of the following keywords: ip-less Default setting. The VNDs that XOS creates for the circuit on the VAP group do not have primary IP addresses assigned to them. primary A primary IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group. See ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 407 for information about assigning a primary IP address to each of the VNDs that XOS creates for a circuit on a VAP group.
IP Address
This row is blank if the circuit is not assigned to a VAP group. This row does not appear if the VNDs that XOS creates for the circuit on the VAP group do not have primary IP addresses assigned to them. If this row appears in a VAP group's circuit configuration, this row displays one of the following:
- The single primary IP address and subnet mask assigned to each of the VAP group's VNDs for the circuit.
- The lowest primary IP address in the range of consecutive primary IP addresses assigned to the VAP group's VNDs for the circuit and the subnet mask for those primary IP addresses.
NOTE: If a range of consecutive primary IP addresses is assigned to the VAP group's VNDs for a circuit, XOS assigns a unique primary circuit IP address to each VAP in the group. XOS assigns consecutive primary circuit IP addresses to consecutive VAP index numbers, with the lowest primary circuit IP address number assigned to VAP index number 1.
See ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 407 for information about assigning a primary IP address to each of the VNDs that XOS creates for a circuit on a VAP group.
IP Broadcast Address
This row does not appear if the IP address is IPv6. This row is blank if the circuit is not assigned to a VAP group. This row does not appear if the VNDs that XOS creates for the circuit on the VAP group do not have primary IP addresses assigned to them. If this row appears in a VAP group's circuit configuration, this row displays the primary broadcast IP address assigned to the circuit for the VAP group. By default, XOS determines the primary broadcast IP address for a circuit by applying the subnet mask specified for the primary IP addresses assigned to the VAP group's VNDs for the circuit. See ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 407 for information about assigning a user-defined primary broadcast IP address to a circuit for a VAP group.
Increment-per-vap Mode (true/false)
This row is blank if the circuit is not assigned to a VAP group. If the circuit is assigned to a VAP group, this row indicates whether increment-per-vap is enabled (t) or disabled (f) for the primary IP addresses assigned to the VNDs that XOS creates for the circuit on the VAP group. Default is disabled (f). If increment-per-vap is enabled, a range of consecutive primary IP addresses is assigned to the VNDs that XOS creates for the circuit on the VAP group. NOTE: XOS assigns a unique primary circuit IP address to each VAP in the group. XOS assigns consecutive primary circuit IP addresses to consecutive VAP index numbers, with the lowest primary circuit IP address number assigned to VAP index number 1. See ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 407 for information about assigning a unique primary IP address to each of the VNDs that XOS creates for a circuit on a VAP group.
IP Address High
This row is blank if the circuit is not assigned to a VAP group. This row does not appear if increment-per-vap is disabled (f) for the primary IP addresses assigned to the VNDs that XOS creates for the circuit on the VAP group. If this row appears in a VAP group's circuit configuration, this row displays the highest primary IP address in the range of consecutive primary IP addresses assigned to the VNDs that XOS creates for the circuit on the VAP group. NOTE: If a range of consecutive primary IP addresses is assigned to the VAP group's VNDs for a circuit, XOS assigns a unique primary circuit IP address to each VAP in the group. XOS assigns consecutive primary circuit IP addresses to consecutive VAP index numbers, with the lowest primary circuit IP address number assigned to VAP index number 1. See ip (conf-cct-vapgroup context) (IPv6 and IPv4) on page 407 for information about assigning a unique primary IP address to each of the VNDs that XOS creates for a circuit on a VAP group.
Alias Index
This row appears only if an alias IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group. This row displays the lowest VAP index number to which an alias circuit IP address is currently assigned. Default is 1. See alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411 for information about assigning an alias IP address to each of the VNDs that XOS creates for a circuit on a VAP group.
IP Address (Under the Alias Index field)
This row appears only if an alias IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group. This row displays one of the following:
- The single alias IP address and subnet mask assigned to each of the VAP group's VNDs for the circuit.
- The lowest alias IP address in the range of consecutive alias IP addresses assigned to the VAP group's VNDs for the circuit and the subnet mask for those alias IP addresses.
NOTE: If a range of consecutive alias IP addresses is assigned to the VAP group's VNDs for a circuit, XOS assigns a unique alias circuit IP address to each VAP in the group. XOS assigns consecutive alias circuit IP addresses to consecutive VAP index numbers, with the lowest alias circuit IP address number assigned to VAP index number 1.
See alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411 for information about assigning an alias IP address to each of the VNDs that XOS creates for a circuit on a VAP group.
IP Broadcast Address (Under the Alias Index field)
This row appears only if an alias IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group. This row displays the alias broadcast IP address assigned to the circuit for the VAP group. By default, XOS determines the alias broadcast IP address for a circuit by applying the subnet mask specified for the alias IP addresses assigned to the VAP group's VNDs for the circuit. See alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411 for information about assigning a user-defined alias broadcast IP address to a circuit for a VAP group.
Increment-per-vap Mode (true/false) (Under the Alias Index field)
This row appears only if an alias IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group. This row indicates whether increment-per-vap is enabled (t) or disabled (f) for the alias IP addresses assigned to the VNDs that XOS creates for the circuit on the VAP group. Default is disabled (f). If increment-per-vap is enabled, a range of consecutive alias IP addresses is assigned to the VNDs that XOS creates for the circuit on the VAP group. NOTE: XOS assigns a unique alias circuit IP address to each VAP in the group. XOS assigns consecutive alias circuit IP addresses to consecutive VAP index numbers, with the lowest alias circuit IP address number assigned to VAP index number 1. See alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411 for information about assigning a unique alias IP address to each of the VNDs that XOS creates for a circuit on a VAP group.
IP Address High (Under the Alias Index field)
This row appears only if an alias IP address is assigned to each of the VNDs that XOS creates for the circuit on the VAP group, and increment-per-vap is enabled (t) for those alias IP addresses. This row displays the highest alias IP address in the range of consecutive alias IP addresses assigned to the VNDs that XOS creates for the circuit on the VAP group. NOTE: If a range of consecutive alias IP addresses is assigned to the VAP group's VNDs for a circuit, XOS assigns a unique alias circuit IP address to each VAP in the group. XOS assigns consecutive alias circuit IP addresses to consecutive VAP index numbers, with the lowest alias circuit IP address number assigned to VAP index number 1. See alias (conf-cct-vapgroup-ip context) (IPv6 and IPv4) on page 411 for information about assigning a unique alias IP address to each of the VNDs that XOS creates for a circuit on a VAP group.
Restrictions
Default Privilege Level: 15
Example (IPv4)
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)#
The following command displays the current configuration settings for the circuit called testcct for the VAP group called testvapgroup (which is the only VAP group to which that circuit is assigned).
NOTE: This example output displays some (though not all) of the configuration settings that you would create if you issued the commands that we have provided throughout this section.
CBS(conf-cct)# show
Circuit Name : testcct
Circuit-Id : 1
Device Name : testcct
Incoming Circuit Group : 1
Promiscuous Mode : no promiscuous
Proxy ARP Enabled (true/false) : f
IP Forwarding (true/false) : f
ICMP Redirect (true/false) : f
Reclassify NAT Flows (true/false) : f
IP Flow Rule Priority : 15
IP Flow Rule No Failover (true/false) : f
VAP Group : testvapgroup
Verify Next Hop IP : 10.10.10.5
Aggregation Mode : none
Domain : 1
New Flow Control (true/false) : t
DHCP Relay (true/false) : f
Default Egress Vlan Tag : 1660
Hide VLAN Header (true/false) : f
Replace Egress Vlan Tag : N/A
MAC Address : 00:03:d2:e0:02:02 (system-reserved)
MTU : 4000
Management Circuit (true/false) : f
Enable (true/false) : t
Primary Type : primary
IP Address : 2.2.2.35/24
IP Broadcast Address : 2.2.2.255
Increment-per-vap Mode (true/false) : f
IP Address High : 2.2.2.38
Alias Index : 1
IP Address : 6.6.6.35/24
IP Broadcast Address : 6.6.6.255
Increment-per-vap Mode (true/false) : f
CBS(conf-cct)#
Example (IPv6)
The following command places you in the conf-cct context in which you can configure the existing circuit called testcct:
CBS# configure circuit testcct
CBS(conf-cct)#
The following command displays the current configuration settings for the circuit called testcct for the VAP group called testvapgroup (which is the only VAP group to which that circuit is assigned).
NOTE: This example output displays some (though not all) of the configuration settings that you would create if you issued the commands that we have provided throughout this section.
CBS(conf-cct)# show
Circuit Name : testcct
Circuit-Id : 1
Device Name : testcct
Incoming Circuit Group : 1
Promiscuous Mode : no promiscuous
Proxy ARP Enabled (true/false) : f
IP Forwarding (true/false) : f
ICMP Redirect (true/false) : f
Reclassify NAT Flows (true/false) : f
IP Flow Rule Priority : 15
IP Flow Rule No Failover (true/false) : f
VAP Group : testvapgroup
Verify Next Hop IP : 10.10.10.5
Aggregation Mode : none
Domain : 1
New Flow Control (true/false) : t
DHCP Relay (true/false) : f
Default Egress Vlan Tag : 1660
Hide VLAN Header (true/false) : f
Replace Egress Vlan Tag : N/A
MAC Address : 00:03:d2:e0:02:02 (system-reserved)
MTU : 4000
Management Circuit (true/false) : f
Enable (true/false) : t
Primary Type : primary
IP Address : fd00:1545:be72:e5af::cf33:54aa/64
Increment-per-vap Mode (true/false) : f
Alias Index : 1
IP Address : fd00:1545:be72:e5af::cf33:12/64
Increment-per-vap Mode (true/false) : f
CBS(conf-cct)#
configure bridge-mode
When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces. XOS supports bridging interfaces that connect members of a VAP group to different segments of the same LAN. To bridge interfaces on a VAP group, use the configure bridge-mode command to configure a template circuit as a virtualized network bridging device for a VAP group, and configure that device to bridge the VNDs that XOS creates for a pair of traffic circuits assigned to the VAP group. Then, configure logical interfaces for the physical interfaces that are connected to the LAN segments that you want to bridge, and map each traffic circuit to a logical interface.
NOTE: Either or both of the two bridged traffic circuits can be mapped to a logical interface configured for a link aggregation group (LAG), allowing each circuit to pass traffic over multiple physical interfaces.
The configure bridge-mode command configures the specified template circuit as a new virtualized network bridging device, or configures the existing device created using the specified template circuit. This command also places you in the conf-bridge-mode context in which you can map traffic circuits to the specified virtualized network bridging device. See circuit (conf-bridge-mode context) on page 447 for instructions on mapping traffic circuits to a virtualized network bridging device.
IMPORTANT: You must create and configure a template circuit before configuring it as a virtual network bridging device. To create and configure a template circuit, perform the following steps:
1. Use the configure circuit command to create the circuit.
2. Use the device-name (conf-cct context) command to assign a device name to each of the circuit's VNDs.
3. Use the vap-group (conf-cct context) command to assign the circuit to the VAP group for which you want to configure the virtualized network bridging device.
NOTE: For applications requiring an IP address on the virtual network bridging device, assign the IP address to the template circuit before creating the bridge. Refer to your application documentation for IP address requirements.
By default, the configure bridge-mode command configures a new virtualized network bridging device in bridge mode; in this mode, XOS creates the bridge between the VNDs for the two traffic circuits mapped to the bridging device. Use the transparent parameter to configure a virtualized network bridging device in transparent mode; in this mode the application installed on the VAP group creates the bridge between the VNDs for the two traffic circuits mapped to the bridging device.
NOTE: After you configure a virtualized network bridging device in transparent mode, you cannot reconfigure it in bridge mode. Instead, you must delete the device and recreate it in bridge mode.
Use the no parameter to delete the virtualized network bridging device created using the specified template circuit. Use the show (conf-bridge-mode context) command to display the current configuration settings for the virtualized network bridging device that you are configuring.
Syntax
configure [no] bridge-mode <template_circuit_name> [transparent]
Parameters
The following table lists the parameters used with this command.
Parameter: <template_circuit_name>
Description: Name of the template circuit used to create the virtualized network bridging device that you are configuring.
Parameter: transparent
Description: Configures the specified template circuit as a virtualized network bridging device in transparent mode; in this mode the application installed on the VAP group creates the bridge between the VNDs for the two traffic circuits mapped to the bridging device. NOTE: After you configure a virtualized network bridging device in transparent mode, you cannot reconfigure it in bridge mode. Instead, you must delete the device and recreate it in bridge mode.
Restrictions
Default Privilege Level: 15
You must create and configure a template circuit before using the configure bridge-mode command to configure that template circuit as a virtualized network bridging device.
After you configure a virtualized network bridging device in transparent mode, you cannot reconfigure it in bridge mode. Instead, you must delete the device and recreate it in bridge mode.
Example
The following commands create and configure a template circuit called testbridge and assign that circuit to the VAP group called testvapgroup:
CBS# configure circuit testbridge
CBS(conf-cct)# device-name testbridge
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# end
CBS#
The following command configures the template circuit called testbridge as a new virtualized network bridging device for the VAP group called testvapgroup, and configures the new device in transparent mode. This command also places you in the conf-bridge-mode context in which you can map two traffic circuits to the virtualized network bridging device created using the template circuit called testbridge.
CBS# configure bridge-mode testbridge transparent
CBS(conf-bridge-mode)#
446
For information about configuring bridged configurations for serialization, see the XOS Configuration Guide and the Serialization Cookbook: IPS and Firewall.
When you map two traffic circuits to the same virtualized network bridging device, the VAP group forwards packets received on each traffic circuit to the VNDs that XOS creates on the VAP group for the other traffic circuit. Thus, the device bridges the two LAN segments connected to the physical interfaces that are logically linked to the VNDs for the two traffic circuits.
NOTE: You can map only two traffic circuits to each virtualized network bridging device that you create and configure using the circuit (conf-bridge-mode context) command.
Use the no parameter to remove the specified traffic circuit from the configuration for the virtualized network bridging device that you are currently configuring.
Use the show (conf-bridge-mode context) command to display the current configuration settings for the virtualized network bridging device that you are configuring.
Syntax
[no] circuit <circuit_name>
Context
You access this command from the conf-bridge-mode context. You access this context from the main CLI context by issuing the configure bridge-mode command.
Parameters
The following table lists the parameters used with this command.
Parameter: <circuit_name>
Description: Name of the traffic circuit that you wish to map to or remove from the virtualized network bridging device that you are configuring.
Restrictions
Default Privilege Level: 15
You must create and configure each traffic circuit before mapping it to a virtualized network bridging device.
Each traffic circuit mapped to a virtualized network bridging device must be IP-less.
You must include the promiscuous-mode active command in the VAP group circuit configuration for each traffic circuit mapped to a virtualized network bridging device configured for that VAP group. Use the show circuit command to determine whether a VAP group circuit configuration includes the promiscuous-mode active command. See promiscuous-mode (conf-cct-vapgroup context) on page 423 for information about this command.
You can map only two traffic circuits to each virtualized network bridging device that you create using the circuit (conf-bridge-mode context) command. Use the show (conf-bridge-mode context) command to list the circuits currently mapped to the virtualized network bridging device that you are configuring.
Example
The following commands create two IP-less traffic circuits called testbridgecct1 and testbridgecct2, assign the circuits to the VAP group called testvapgroup, and configure the VAP group to use the two circuits to support a bridging application:
CBS# configure circuit testbridgecct1
CBS(conf-cct)# device-name testbrcct1
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# end
CBS# configure circuit testbridgecct2
CBS(conf-cct)# device-name testbrcct2
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# promiscuous-mode active
CBS(conf-cct-vapgroup)# end
The following command places you in the conf-bridge-mode context in which you can map traffic circuits to the existing virtualized network bridging device created using the template circuit called testbridge:
CBS# configure bridge-mode testbridge transparent
CBS(conf-bridge-mode)#
The following commands map the two traffic circuits called testbridgecct1 and testbridgecct2 to the virtualized network bridging device created using the template circuit called testbridge:
CBS(conf-bridge-mode)# circuit testbridgecct1
CBS(conf-bridge-mode)# circuit testbridgecct2
CBS(conf-bridge-mode)#
Syntax
show
Context
You access this command from the conf-bridge-mode context. You access this context from the main CLI context by issuing the configure bridge-mode command.
Output
The output for this command has the following format:
Bridge Mode Name : <template_circuit_name>
Mode : {bridge | transparent}
Member Circuit : <bridged_traffic_circuit_name1>
Member Circuit : <bridged_traffic_circuit_name2>
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading: Bridge Mode Name
Information Provided: Name of the template circuit used to create the virtualized network bridging device.
Column/Row Heading: Mode
Information Provided: Indicates the current operating mode configured for the virtualized network bridging device:
bridge: Default setting. The virtualized network bridging device is operating in bridge mode. In this mode, XOS creates the bridge between the VNDs for the two traffic circuits mapped to the bridging device.
transparent: The virtualized network bridging device is operating in transparent mode. In this mode the application installed on the VAP group creates the bridge between the VNDs for the two traffic circuits mapped to the bridging device.
Column/Row Heading: Member Circuit : <bridged_traffic_circuit_name1>
Information Provided: Name of the first (or only) traffic circuit mapped to the virtualized network bridging device. This row appears only if at least one traffic circuit is mapped to the virtualized network bridging device. See circuit (conf-bridge-mode context) on page 447 for information about mapping traffic circuits to a virtualized network bridging device.
Column/Row Heading: Member Circuit : <bridged_traffic_circuit_name2>
Information Provided: Name of the second traffic circuit mapped to the virtualized network bridging device. This row appears only if two traffic circuits are mapped to the virtualized network bridging device. See circuit (conf-bridge-mode context) on page 447 for information about mapping traffic circuits to a virtualized network bridging device.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-bridge-mode context in which you can map traffic circuits to the existing virtualized network bridging device created using the template circuit called testbridge:
CBS# configure bridge-mode testbridge transparent
CBS(conf-bridge-mode)#
The following command displays the current configuration for the virtualized network bridging device created using the template circuit called testbridge.
NOTE: This command displays the virtualized network bridging device configuration settings that you would create if you issued the example commands that we have provided under the circuit (conf-bridge-mode context) command.
CBS(conf-bridge-mode)# show
Bridge Mode Name : testbridge
Mode : transparent
Member Circuit : testbridgecct1
Member Circuit : testbridgecct2
(1 row)
Commands for Configuring IP Routes and Managing Destination MAC Address Resolution for VAP Groups
This section describes the CLI commands that you can use to configure IP routes and manage destination MAC address resolution for one or more VAP groups. This section contains the following command descriptions:
configure ip route (IPv6 and IPv4) on page 452
metric (config-ip-route context) on page 454
verify-next-hop (config-ip-route context) on page 455
configure ip default-network (IPv6 and IPv4) on page 456
metric (conf-ip-default-network context) on page 458
verify-next-hop (conf-ip-default-network context) on page 459
configure arp on page 460
configure neighbor-discovery (IPv6) on page 461
configure ipv6-tunnel (IPv6) on page 463
Syntax (IPv4)
configure ip route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address> [domain <domain_ID>] [circuit <circuit_name>] [vap-group <VAP_group_name>] [description <description>]
configure no ip route {<IP_address> <subnet_mask> | <IP_address>/<0-32>} <next_hop_IP_address>
Syntax (IPv6)
configure ip route <IP_address>/<0-128> <next_hop_IP_address> [domain <domain_ID>] [circuit <circuit_name>] [vap-group <VAP_group_name>] [description <description>]
configure no ip route <IP_address>/<0-128> <next_hop_IP_address>
Parameters
The following table lists the parameters used with this command.
Parameter: {<IP_address> <subnet_mask> | <IP_address>/<0-32>}
Description: Destination network for which you want to define a static IP route. You must specify the subnet mask for the primary IP address. You can specify the destination network with a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify the network using CIDR notation (for example, 10.15.0.0/16).
Parameter: (IPv6) <IP_address>/<0-128>
Description: Destination network for which you want to define a static IP route. You must specify the IPv6 address using CIDR notation. Entering an address and subnet mask is not acceptable. Example: fd00::200:f8ff:fe21:67cf/64
Parameter: <next_hop_IP_address>
Description: Next hop IP address that packets must use to reach the destination network.
Parameter: domain <domain_ID>
Description: Configures the static IP route to apply only to traffic passing through the circuits that belong to the specified domain. Valid values for <domain_ID> are from 1 to 4095. Default is 1. Use the show circuit command to display the domain ID assigned to each circuit configured on the X-Series Platform. By default, all circuits belong to domain 1. Use the configure circuit command to assign a circuit to a different domain.
Parameter: circuit <circuit_name>
Description: Configures the static IP route to apply only to traffic passing through the specified circuit.
Parameter: vap-group <VAP_group_name>
Description: Configures the static IP route to apply only to traffic passing through the specified VAP group.
Parameter: description <description>
Description: Creates a textual description and associates that description with the destination network that you have defined for the static IP route. You can use this description to help you identify the destination network in the list of static IP routes displayed when you issue the show ip route command.
Restrictions
Default Privilege Level: 15
An IP route is considered to be invalid if either of the following conditions is true:
The next-hop IP address belongs to the same network as the destination IP address.
The destination network IP address is the same as a primary circuit IP address or a virtual circuit IP address configured for a VAP group.
The destination IP address configured for an IP route cannot be the same as either the configured system internal network IP address or the operational system internal network IP address. Use the show system-internal-network command to display the configured and operational system internal network IP addresses assigned to your X-Series Platform.
Example (IPv4)
The following command creates a static IP route for packets passing through the Virtual Network Devices (VNDs) that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the config-ip-route context in which you can configure the specified static IP route:
CBS# configure ip route 2.2.2.0/24 192.213.212.111 vap-group testvapgroup circuit testcct
CBS(config-ip-route)#
Example (IPv6)
The following command creates a static IP route for packets passing through the Virtual Network Devices (VNDs) that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the config-ip-route context in which you can configure the specified static IP route:
CBS# configure ip route fd00::200:f8ff:fe21:67cf/64 fd00::192.213.212.111 vap-group testvapgroup circuit testcct
CBS(config-ip-route)#
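The Restrictions listed for configure ip route can be checked before a route is typed into the CLI. The following Python check is an added example, not part of the XOS guide or the product; the function names are hypothetical, the circuit and system internal network addresses are supplied by the caller, and it assumes that "the same as" means an exact match with the destination address as typed and that a description runs to the end of the line.

```python
import ipaddress

OPTION_KEYS = ("domain", "circuit", "vap-group", "description")


def parse_ip_route(command):
    """Parse one 'configure ip route' line, following the Syntax sections above.

    Returns (destination_interface, next_hop_address, options_dict).
    """
    words = command.split()
    if words[:3] != ["configure", "ip", "route"] or len(words) < 5:
        raise ValueError("expected: configure ip route <destination> <next_hop> ...")
    args = words[3:]
    if "/" in args[0]:
        # CIDR form, accepted for both IPv4 and IPv6.
        dest, rest = ipaddress.ip_interface(args[0]), args[1:]
    else:
        # Address followed by a dotted-quad mask: IPv4 only, per the parameter table.
        if ipaddress.ip_address(args[0]).version == 6:
            raise ValueError("IPv6 destination must use CIDR notation")
        if len(args) < 3:
            raise ValueError("missing next-hop IP address")
        dest, rest = ipaddress.ip_interface(f"{args[0]}/{args[1]}"), args[2:]
    next_hop, rest = ipaddress.ip_address(rest[0]), rest[1:]

    options = {}
    while rest:
        key = rest[0]
        if key not in OPTION_KEYS or len(rest) < 2:
            raise ValueError(f"unexpected token: {key}")
        if key == "description":
            # Assumption: the description is everything up to the end of the line.
            options[key] = " ".join(rest[1:])
            break
        options[key], rest = rest[1], rest[2:]
    return dest, next_hop, options


def check_ip_route(command, circuit_ips=(), internal_network_ips=()):
    """Return a list of Restrictions violated by the route; empty means none found."""
    dest, next_hop, options = parse_ip_route(command)
    problems = []
    # Restriction 1: next hop must not belong to the destination network.
    if next_hop in dest.network:
        problems.append("next hop is inside the destination network")
    # Restriction 2: destination must not equal a primary or virtual circuit IP.
    if dest.ip in {ipaddress.ip_address(a) for a in circuit_ips}:
        problems.append("destination equals a circuit IP address")
    # Restriction 3: destination must not equal a system internal network IP.
    if dest.ip in {ipaddress.ip_address(a) for a in internal_network_ips}:
        problems.append("destination equals a system internal network IP address")
    # Parameter table: valid domain IDs are 1 to 4095.
    domain = options.get("domain")
    if domain is not None and not (domain.isdigit() and 1 <= int(domain) <= 4095):
        problems.append("domain ID must be from 1 to 4095")
    return problems


if __name__ == "__main__":
    # First line is the IPv4 example from this page; the second is constructed.
    for line in (
        "configure ip route 2.2.2.0/24 192.213.212.111 vap-group testvapgroup circuit testcct",
        "configure ip route 10.15.3.5 255.255.0.0 10.15.200.1",
    ):
        print(line, "->", check_ip_route(line) or "ok")
```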
Syntax
metric <metric_value>
no metric
Context
You access this command from the config-ip-route context. You access this context from the main CLI context by issuing the configure ip route (IPv6 and IPv4) command.
Parameters
The following table lists the parameters used with this command.
Parameter: <metric_value>
Description: Metric value that you want to assign to the static IP route that you are configuring. Valid values are:
IPv4: 1 to 255, inclusive, with a default of 0 (zero)
IPv6: 257 to 511, inclusive, with a default value of 256
Restrictions
Default Privilege Level: 15
Example
The following command creates a static IP route for packets passing through the Virtual Network Devices (VNDs) that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the config-ip-route context in which you can configure the specified static IP route:
CBS# configure ip route 2.2.2.0/24 192.213.212.111 vap-group testvapgroup circuit testcct
CBS(config-ip-route)#
The following command assigns the metric value 10 to the above static IP route:
CBS(config-ip-route)# metric 10
CBS(config-ip-route)#
Syntax
[no] verify-next-hop
Context
You access this command from the config-ip-route context. You access this context from the main CLI context by issuing the configure ip route (IPv6 and IPv4) command.
Restrictions
Default Privilege Level: 15
Example
The following command creates a static IP route for packets passing through the Virtual Network Devices (VNDs) that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the config-ip-route context in which you can configure the specified static IP route:
CBS# configure ip route 2.2.2.0/24 192.213.212.111 vap-group testvapgroup circuit testcct
CBS(config-ip-route)#
The following command directs the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup to send an ARP request to 192.213.212.111 before sending a packet to that next-hop IP address. If an ARP request fails, XOS increases the metric value of the above IP route; if other IP routes are defined for the destination network, 2.2.2.0/24, the members of testvapgroup will use those alternate routes to send traffic to the destination network.
CBS(config-ip-route)# verify-next-hop
CBS(config-ip-route)#
Syntax
configure ip default-network <next_hop_IP_address> [circuit <circuit_name>] [vap-group <VAP_group_name>] [description <description>]
configure no ip default-network <next_hop_IP_address>
Parameters
The following table lists the parameters used with this command.
Parameter: <next_hop_IP_address>
Description: Next hop IP address that you want to use for the default IP route that you are configuring.
Parameter: circuit <circuit_name>
Description: Configures the default IP route to apply only to traffic passing through the specified circuit.
Parameter: vap-group <VAP_group_name>
Description: Configures the default IP route to apply only to traffic passing through the specified VAP group.
Parameter: description <description>
Description: Creates a textual description and associates that description with the next-hop IP address for the default IP route that you have defined. You can use this description to help you identify the next-hop IP address in the list of default IP routes displayed when you issue the show ip default-network command.
Restrictions
Default Privilege Level: 15
Example
The following command creates a default IP route for packets passing through the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the conf-ip-default-network context in which you can configure the specified default IP route:
IPv4
CBS# configure ip default-network 10.10.100.1 vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#
IPv6
CBS# configure ip default-network fd00:1230:4545:213:145:f800:ba21:25fa vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#
Syntax
metric <metric_value>
no metric
Context
You access this command from the conf-ip-default-network context. You access this context from the main CLI context by issuing the configure ip default-network (IPv6 and IPv4) command.
Parameters
The following table lists the parameters used with this command.
Parameter: <metric_value>
Description: Metric value that you want to assign to the static IP route that you are configuring. Valid values are:
IPv4: 1 to 255, inclusive, with a default of 0 (zero)
IPv6: 257 to 511, inclusive, with a default value of 256
Restrictions
Default Privilege Level: 15
Example
The following command creates a default IP route for packets passing through the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the conf-ip-default-network context in which you can configure the specified default IP route:
IPv4
CBS# configure ip default-network 10.10.100.1 vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#
IPv6
CBS# configure ip default-network fd00:1230:4545:213:145:f800:ba21:25fa vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#
The following command assigns the metric value 15 to the above default IP route:
CBS(conf-ip-default-network)# metric 15
CBS(conf-ip-default-network)#
Syntax
[no] verify-next-hop
Context
You access this command from the conf-ip-default-network context. You access this context from the main CLI context by issuing the configure ip default-network (IPv6 and IPv4) command.
Restrictions
Default Privilege Level: 15
Example
The following command creates a default IP route for packets passing through the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup and places you in the conf-ip-default-network context in which you can configure the specified default IP route:
IPv4
CBS# configure ip default-network 10.10.100.1 vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#
IPv6
CBS# configure ip default-network fd00:1230:4545:213:145:f800:ba21:25fa vap-group testvapgroup circuit testcct
CBS(conf-ip-default-network)#
The following command directs the VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup to send an ARP request to 10.10.100.1 before sending a packet to that next-hop IP address. If an ARP request fails, XOS increases the metric value of the above IP route; if other default IP routes are defined, the members of testvapgroup will use those alternate default IP routes.
CBS(conf-ip-default-network)# verify-next-hop
CBS(conf-ip-default-network)#
configure arp
When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.
The configure arp command adds a new static Address Resolution Protocol (ARP) entry or configures an existing static ARP entry in the ARP cache that the X-Series Platform uses to resolve MAC addresses for IP packets destined for the members of a VAP group.
By default, an NPM can apply a static ARP entry to any packet passing between the members of a VAP group and a physical interface on an NPM. You can use the following parameters to apply a static ARP entry only to packets destined for specific VAP group interfaces:
domain: Applies the static ARP entry only to packets destined for the VNDs that XOS creates for the circuits that belong to the specified domain. Use the show circuit command to display the domain ID assigned to each circuit configured on the X-Series Platform. By default, all circuits belong to domain 1. Use the configure circuit command to assign a circuit to a different domain.
circuit: Applies the static ARP entry only to packets destined for the VNDs that XOS creates for the specified circuit.
vap-group: Applies the static ARP entry only to packets destined for the circuit VNDs that XOS creates on the specified VAP group.
Use the configure no arp command to delete the specified static ARP entry from the ARP cache.
Use the show arp command to display the static ARP entries currently stored in the ARP cache on the X-Series Platform.
Syntax
configure arp <IP_address> <MAC_address> [domain <domain_ID>] [vap-group <VAP_group_name>] [circuit <circuit_name>]
configure no arp <IP_address> <MAC_address>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_address>
Description: Destination IP address for the static ARP entry that you are configuring.
Parameter: <MAC_address>
Description: Destination MAC address for the static ARP entry that you are configuring. The NPM assigns this destination MAC address to each packet whose destination IP address matches the one that you define in the ARP entry. NOTE: You cannot specify a MAC address that contains only 0s or only fs.
Parameter: domain <domain_ID>
Description: Configures the specified static ARP entry to apply only to packets destined for the VNDs that XOS creates for the circuits that belong to the specified domain. Valid values for <domain_ID> are from 1 to 4095. Default value is 1. Use the show circuit command to display the domain ID assigned to each circuit configured on the X-Series Platform. By default, all circuits belong to domain 1. Use the configure circuit command to assign a circuit to a different domain.
Parameter: circuit <circuit_name>
Description: Configures the specified static ARP entry to apply only to packets destined for the VNDs that XOS creates for the specified circuit.
Parameter: vap-group <VAP_group_name>
Description: Configures the specified static ARP entry to apply only to packets destined for the circuit VNDs that XOS creates on the specified VAP group.
Restrictions
Default Privilege Level: 15
An ARP entry cannot include a MAC address that contains only 0s (0:0:0:0:0:0) or only fs (ff:ff:ff:ff:ff:ff).
Example
The following command configures a new static ARP entry that maps the IP address 1.1.2.20 to the MAC address 00:03:d2:00:02:0d. This command also configures the new ARP entry to apply only to packets destined for VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:
CBS# configure arp 1.1.2.20 00:03:d2:00:02:0d vap-group testvapgroup circuit testcct
CBS#
Syntax
configure neighbor-discovery <IP_address> <MAC_address> [domain <domain_ID>] [vap-group <VAP_group_name>] [circuit <circuit_name>]
configure no neighbor-discovery <IP_address> <MAC_address>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_address>
Description: Destination IP address for the static neighbor-discovery entry that you are configuring.
Parameter: <MAC_address>
Description: Destination MAC address for the static neighbor-discovery entry that you are configuring. The NPM assigns this destination MAC address to each packet whose destination IP address matches the one that you define in the ARP entry. NOTE: You cannot specify a MAC address that contains only 0s or only fs.
Parameter: domain <domain_ID>
Description: Configures the specified static neighbor-discovery entry to apply only to packets destined for the VNDs that XOS creates for the circuits that belong to the specified domain. Valid values for <domain_ID> are from 1 to 4095. Default value is 1. Use the show circuit command to display the domain ID assigned to each circuit configured on the X-Series Platform. By default, all circuits belong to domain 1. Use the configure circuit command to assign a circuit to a different domain.
Parameter: vap-group <VAP_group_name>
Description: Configures the specified static neighbor-discovery entry to apply only to packets destined for the specified VAP group.
Parameter: circuit <circuit_name>
Description: Configures the specified static neighbor-discovery entry to apply only to packets destined for the specified circuit.
Restrictions
Default Privilege Level: 15
A neighbor entry cannot include a MAC address that contains only 0s (0:0:0:0:0:0) or only fs (ff:ff:ff:ff:ff:ff).
Example
The following command configures a new static neighbor entry that maps the IP address fd00::330:f3cb:fb31:56ab to the MAC address 00:03:d2:00:02:0d. This command also configures the new neighbor entry to apply only to packets destined for VNDs that XOS creates for the circuit called testcct on the VAP group called testvapgroup:
CBS# configure neighbor-discovery fd00::330:f3cb:fb31:56ab 00:03:d2:00:02:0d vap-group testvapgroup circuit testcct
CBS#
Syntax
configure ipv6-tunnel {6to4 | gre | ipv6ip | isatap} circuit <circuit_name> vap-group <VAP_group_name>
configure no ipv6-tunnel {6to4 | gre | ipv6ip | isatap} circuit <circuit_name> vap-group <VAP_group_name>
NOTE: Both 6to4 and isatap IPv6 tunnels provide automatic detection of next hop IPv6 addresses. When configuring these tunnels, you need to provide only the source address.
Parameters
The following table lists the parameters used with this command.
Parameter: 6to4 | gre | ipv6ip | isatap
Description:
6to4: Specifies IPv6 automatic tunneling.
gre: Uses Generic Route Encapsulation (GRE) protocol.
ipv6ip: Uses IPv6 over IPv4 encapsulation protocol.
isatap: Uses Intra-Site Automatic Tunneling Addressing Protocol (ISATAP). NOTE: An isatap tunnel can be configured in the CLI but the user must also configure the RSW software (NSM) to perform router advertisements.
Parameter: circuit <circuit_name>
Description: Associates the tunnel with the specified circuit.
Parameter: vap-group <VAP_group_name>
Description: Associates the tunnel with the specified VAP group.
Restrictions
Default Privilege Level: 15
Examples
This example creates an IPv6 6to4 tunnel and associates it with vap-group vg1.
CBS#
CBS# configure circuit tun1
CBS(conf-cct)# vap-group vg1
CBS(conf-cct-vapgroup)# ip 2002:c0a8:022a::1/48
%WARNING: IPv6 primary address was configured. No IPv4 aliases will be allowed for this circuit
CBS(conf-cct-vapgroup-ip)# end
CBS#
CBS# configure circuit tunb
CBS(conf-cct)# vap-group vg1
CBS(conf-cct-vapgroup)# ip 192.168.2.42/24
CBS(conf-cct-vapgroup-ip)# end
CBS# configure ipv6-tunnel 6to4 circuit tun1 vap-group vg1
CBS(conf-tunnel-6to4)# source-address 192.168.2.42
CBS(conf-tunnel-6to4)#
NOTE: There are two requirements for 6to4 tunnels:
The IPv6 address for circuit tun1 must begin with 2002:.
In the IP address of the tun1 circuit (2002:c0a8:022a::1/48), the second and third fields must be hexadecimal conversions of the IPv4 address of the tunb circuit (192.168.2.42/24). In this example:
c0 corresponds to 192
a8 corresponds to 168
02 corresponds to 2
2a corresponds to 42
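The two 6to4 requirements in the NOTE above can be verified against a captured CLI session before the tunnel carries traffic. The following Python check is an added example, not part of the XOS guide or the product; its function names are hypothetical, the embedded transcript is copied from the example above, and it reads only the commands shown there.

```python
import ipaddress
import re

# Matches "CBS# cmd" and "CBS(context)# cmd"; other lines (warnings) are ignored.
PROMPT = re.compile(r"^CBS(?:\([^)]*\))?#\s*(.*)$")

# Transcript copied from the example on this page.
PAGE_EXAMPLE = """\
CBS# configure circuit tun1
CBS(conf-cct)# vap-group vg1
CBS(conf-cct-vapgroup)# ip 2002:c0a8:022a::1/48
%WARNING: IPv6 primary address was configured. No IPv4 aliases will be allowed for this circuit
CBS(conf-cct-vapgroup-ip)# end
CBS# configure circuit tunb
CBS(conf-cct)# vap-group vg1
CBS(conf-cct-vapgroup)# ip 192.168.2.42/24
CBS(conf-cct-vapgroup-ip)# end
CBS# configure ipv6-tunnel 6to4 circuit tun1 vap-group vg1
CBS(conf-tunnel-6to4)# source-address 192.168.2.42
CBS(conf-tunnel-6to4)#
"""


def sixtofour_prefix(ipv4):
    """Return the 2002:WWXX:YYZZ::/48 prefix that embeds the given IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def parse_transcript(text):
    """Collect circuit IP addresses and ipv6-tunnel definitions from a session."""
    circuits, tunnels = {}, []
    circuit = tunnel = None
    for line in text.splitlines():
        match = PROMPT.match(line.strip())
        if not match or not match.group(1):
            continue
        words = match.group(1).split()
        if words[:2] == ["configure", "circuit"] and len(words) == 3:
            circuit, tunnel = words[2], None
            circuits.setdefault(circuit, [])
        elif words[0] == "ip" and circuit and len(words) == 2:
            circuits[circuit].append(ipaddress.ip_interface(words[1]))
        elif words[:2] == ["configure", "ipv6-tunnel"] and len(words) == 7:
            tunnel = {"type": words[2], "circuit": words[4],
                      "vap_group": words[6], "source": None}
            tunnels.append(tunnel)
            circuit = None
        elif words[0] == "source-address" and tunnel and len(words) >= 2:
            tunnel["source"] = ipaddress.ip_address(words[1])
        elif words[0] == "end":
            circuit = tunnel = None
    return circuits, tunnels


def check_6to4_tunnels(text):
    """Return (circuit_name, problem) pairs for every 6to4 tunnel in the session."""
    circuits, tunnels = parse_transcript(text)
    findings = []
    for tun in tunnels:
        if tun["type"] != "6to4":
            continue
        name, source = tun["circuit"], tun["source"]
        v6 = [i for i in circuits.get(name, []) if i.version == 6]
        if not v6:
            findings.append((name, "no IPv6 address configured on the tunnel circuit"))
            continue
        if source is None or source.version != 4:
            findings.append((name, "no IPv4 source-address configured for the tunnel"))
            continue
        for iface in v6:
            embedded = iface.ip.sixtofour  # None unless the address is in 2002::/16
            if embedded is None:
                findings.append((name, f"{iface} does not begin with 2002:"))
            elif embedded != source:
                findings.append((name, f"{iface} embeds {embedded}, expected prefix "
                                       f"{sixtofour_prefix(source)}"))
    return findings


if __name__ == "__main__":
    print(check_6to4_tunnels(PAGE_EXAMPLE) or "6to4 requirements met")
```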
Syntax
[no] path-mtu-discovery
Context
You access this command from the conf-tunnel-<tunnel_type> context. You access this context from the main CLI context by issuing the configure ipv6-tunnel (IPv6) command.
Restrictions
Default Privilege Level: 15
Syntax
[no] source-address <source_address> [destination-address <destination_address>]
Context
You access this command from the conf-tunnel-<tunnel_type> context. You access this context from the main CLI context by issuing the configure ipv6-tunnel (IPv6) command.
Parameters
The following table lists the parameters used with this command.
Parameter: destination-address <destination_address>
Description: Specifies the other end point address of the tunnel. NOTE: Does not apply to 6to4 or ISATAP tunnels.
Restrictions
Default Privilege Level: 15
Syntax
[no] time-to-live
Context
You access this command from the conf-tunnel-<tunnel_type> context. You access this context from the main CLI context by issuing the configure ipv6-tunnel (IPv6) command.
Restrictions
Default Privilege Level: 15
Commands for Configuring Physical and Logical Interfaces for a VAP Group
This section describes the CLI commands that you can use to create and configure logical and physical interfaces for a VAP group. This section contains the following command descriptions:
configure interface on page 467
logical (conf-intf-gig or conf-intf-10gig context) on page 469
circuit (intf-gig-logical or intf-10gig-logical context) on page 471
show (intf-gig-logical or intf-10gig-logical context) on page 473
logical-all (conf-intf-gig or conf-intf-10gig context) on page 475
circuit (intf-gig-logical-all or intf-10gig-logical-all context) on page 477
standby-only (conf-intf-gig or conf-intf-10gig context) on page 479
pause-frame (conf-intf-gig or conf-intf-10gig context) on page 480
auto-negotiate (conf-intf-gig context) on page 481
duplex-mode (conf-intf-gig context) on page 482
media-speed (conf-intf-gig context) on page 483
enable (conf-intf-gig or conf-intf-10gig context) on page 485
show (conf-intf-gig or conf-intf-10gig context) on page 485
configure interface-internal on page 488
logical (conf-intf-internal context) on page 490
logical-all (conf-intf-internal context) on page 492
circuit (conf-intf-internal-log or conf-intf-internal-log-all context) on page 494
configure group-interface on page 496
mode (conf-group-intf context) on page 497
interface-type (conf-group-intf context) on page 500
pause-frame (conf-grp-intf-gig or conf-grp-intf-10gig context) on page 502
auto-negotiate (conf-grp-intf-gig context) on page 503
duplex-mode (conf-grp-intf-gig context) on page 504
media-speed (conf-grp-intf-gig context) on page 506
interface (conf-group-intf context) on page 510
enable (conf-grp-intf-intf context) on page 512
logical (conf-group-intf context) on page 514
circuit (conf-group-intf-logical context) on page 516
show (conf-group-intf context) on page 519
configure acl-interface on page 524
direction (conf-acl-intf context) on page 526
vlan (conf-acl-intf context) on page 527
ether-type (conf-acl-intf context) on page 529
source-mac (conf-acl-intf context) on page 531
destination-mac (conf-acl-intf context) on page 533
configure redundancy-interface on page 541
failovermode (conf-intf-redun context) on page 545
configure interface
When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.
The configure interface command configures a single Ethernet port on a Network Processor Module (NPM) to pass traffic between the X-Series Platform and an external network. This command also places you in the CLI context in which you can configure settings for the specified Ethernet interface, and create and configure one or more logical interfaces for the specified Ethernet interface.
NOTE: An NPM uses logical interfaces to identify the circuit VNDs that send and receive traffic over a specific physical interface. See the following sections for more information about configuring a logical interface to create a logical link between a circuit's VNDs and a physical interface on an NPM:
logical (conf-intf-gig or conf-intf-10gig context) on page 469
logical-all (conf-intf-gig or conf-intf-10gig context) on page 475
Use the no parameter to delete the XOS configuration for the specified Ethernet interface.
Use the show (conf-intf-gig or conf-intf-10gig context) command to display the current configuration settings for the Ethernet interface that you are configuring.
Syntax
configure [no] interface {gigabitethernet | 10gigabitethernet} <slot>/<port>
Inline Commands
The following table lists the CLI commands used inline with the configure interface command.
Command: gigabitethernet
Description: Configures a Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
Command: 10gigabitethernet
Description: Configures a 10 Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
Parameters
The following table lists the parameters used with this command.
Parameter: <slot>
Description: Chassis slot number assigned to the NPM on which you want to configure an Ethernet port to pass traffic between the X-Series Platform and an external network.
Parameter: <port>
Description: NPM port number assigned to the Ethernet interface that you want to configure. NOTE: On an NPM-86x0, only ports 11 and 12 are 10 Gigabit Ethernet interfaces. All other NPM ports are Gigabit Ethernet ports.
Restrictions
Default Privilege Level: 15
Example
The following command configures 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#
Syntax
logical <logical_name> [ingress-vlan-tag {<VLAN_ID> | <lowest_VLAN_ID> <highest_VLAN_ID>}]
no logical <logical_name>
Parameters
The following table lists the parameters used with this command.
Parameter: <logical_name>
Description: Name assigned to the logical interface that you wish to create, configure, or delete.
Parameter: ingress-vlan-tag {<VLAN_ID> | <lowest_VLAN_ID> <highest_VLAN_ID>}
Description: Configures the logical interface to create a logical link between a circuit's VNDs and either a single VLAN or a range of VLANs. Specify a single VLAN tag, <VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets with the specified VLAN tag. Specify this parameter with a range of VLAN tags, <lowest_VLAN_ID> <highest_VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets whose VLAN tags are within the specified range. Valid values for <VLAN_ID>, <lowest_VLAN_ID>, and <highest_VLAN_ID> are from 0 to 4094. NOTE: A single physical interface cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.
Restrictions
Default Privilege Level: 15
A single physical interface cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.
An interface redundancy configuration consists of one backup interface and one or more master interfaces that use the backup interface. Multiple interfaces participating in the same interface redundancy configuration cannot be configured to pass traffic in the same broadcast domain. Therefore, in an interface redundancy configuration:
Only one interface can have logical interfaces configured to enable circuits to accept untagged packets.
Multiple interfaces cannot have logical interfaces configured with the same VLAN tag or with overlapping VLAN tag ranges.
NOTE: Logical interfaces that are not configured with the ingress-vlan-tag parameter are assigned to the VLAN tag range, 0-0.
Example
The following command configures 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#
The following command configures a logical interface for the above physical interface, and configures that logical interface to create a link between a circuit's VNDs and the VLAN with the ID number 1660, which is connected to the physical interface. This command also places you in the intf-10gig-logical context in which you can map a circuit to the new logical interface (called testlogical).
CBS(conf-intf-10gig)# logical testlogical ingress-vlan-tag 1660
CBS(intf-10gig-logical)#
A circuit mapped to the logical interface called testlogical can accept packets arriving on 10 Gigabit Ethernet interface 1/12 only if those packets have the VLAN tag, 1660.
Use the no parameter to remove the specified circuit from the logical interface that you are configuring.
Syntax
[no] circuit <circuit_name>
Contexts
You access this command from either the intf-gig-logical context or the intf-10gig-logical context.
You access the intf-gig-logical context from the main CLI context, as follows:
1. Issue the gigabitethernet command inline with the configure interface command to configure a Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified Gigabit Ethernet interface.
You access the intf-10gig-logical context from the main CLI context, as follows:
1. Issue the 10gigabitethernet command inline with the configure interface command to configure a 10 Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified 10 Gigabit Ethernet interface.
Parameters
The following table lists the parameters used with this command.
Parameter: <circuit_name>
Description: Name of the circuit that you wish to map to the logical interface that you are configuring. Use the show circuit command to display all current circuit configurations.
Restrictions
Default Privilege Level: 15
A circuit can be assigned to only one logical interface.
NOTE: You can map multiple logical interfaces to the same physical interface, allowing multiple circuits to pass traffic over a single physical interface. You can also use link aggregation to bond multiple physical interfaces to a single logical interface, allowing one circuit to pass traffic over multiple physical interfaces.
Example
The following command configures 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#
The following command configures a logical interface for the above physical interface, and configures that logical interface to create a link between a circuit's VNDs and the VLAN with the ID number 1660, which is connected to the physical interface. This command also places you in the intf-10gig-logical context in which you can map a circuit to the new logical interface (called testlogical).
CBS(conf-intf-10gig)# logical testlogical ingress-vlan-tag 1660
CBS(intf-10gig-logical)#
The following command maps the circuit called testvlan1660 to the logical interface called testlogical on 10 Gigabit Ethernet interface 1/12:
CBS(intf-10gig-logical)# circuit testvlan1660
CBS(intf-10gig-logical)#
The circuit called testvlan1660 is mapped to the VAP group called testvapgroup. The VNDs that XOS creates for the circuit called testvlan1660 on the VAP group called testvapgroup will process traffic arriving on 10 Gigabit Ethernet interface 1/12 from VLAN 1660.
Syntax
show
Contexts
You access this command from either the intf-gig-logical context or the intf-10gig-logical context.
You access the intf-gig-logical context from the main CLI context, as follows:
1. Issue the gigabitethernet command inline with the configure interface command to configure a Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified Gigabit Ethernet interface.
You access the intf-10gig-logical context from the main CLI context, as follows:
1. Issue the 10gigabitethernet command inline with the configure interface command to configure a 10 Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified 10 Gigabit Ethernet interface.
Output
The output for this command has the following format:
Logical Line           : <logical_name>
Interface              : {gigabitethernet | 10gigabitethernet} <slot>/<port>
Ingress VLAN Tag Range : {none | <lowest_VLAN_ID> : <highest_VLAN_ID>}
Circuit Name           : [<circuit_name>]
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading: Logical Line
Information Provided: Name assigned to the logical interface. See logical (conf-intf-gig or conf-intf-10gig context) on page 469 for information on assigning a name to a new logical interface.
Column/Row Heading: Interface
Information Provided: Displays the following information about the physical interface for which the logical interface is configured:
Interface type (Gigabit Ethernet or 10 Gigabit Ethernet)
NPM slot number
Ethernet port number
See configure interface on page 467 for information about configuring an Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
Column/Row Heading: Ingress VLAN Tag Range
Information Provided: Indicates the range of VLANs (if any) from which a circuit mapped to this logical interface can accept traffic. This row displays one of the following:
none: Indicates that a circuit mapped to this logical interface accepts only untagged traffic arriving on the physical interface for which the logical interface is configured.
<lowest_VLAN_ID> : <highest_VLAN_ID>: The range of VLANs from which a circuit mapped to this logical interface can accept traffic arriving on the physical interface for which the logical interface is configured. NOTE: If both VLAN ID numbers are the same, the circuit accepts traffic only from the specified VLAN.
See logical (conf-intf-gig or conf-intf-10gig context) on page 469 for information about configuring a logical interface to enable a circuit's VNDs to accept packets from a single VLAN or a range of VLANs connected to a physical interface.
Column/Row Heading: Circuit Name
Information Provided: Name of the circuit mapped to the logical interface. This row is blank if the logical interface is not mapped to a circuit. See circuit (intf-gig-logical or intf-10gig-logical context) on page 471 for information about mapping a circuit to a physical interface configured with the logical command.
Restrictions
Default Privilege Level: 15
Example
The following command configures 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#
The following command configures a logical interface for the above physical interface, and configures that logical interface to create a link between a circuit's VNDs and the VLAN with the ID number 1660, which is connected to the physical interface. This command also places you in the intf-10gig-logical context in which you can map a circuit to the new logical interface (called testlogical).
CBS(conf-intf-10gig)# logical testlogical ingress-vlan-tag 1660
CBS(intf-10gig-logical)#
The following command displays the current configuration settings and circuit mapping for the logical interface called testlogical.
NOTE: This example output displays the configuration settings that you would create if you issued the example commands that we have provided for the configure interface, logical (conf-intf-gig or conf-intf-10gig context), and circuit (intf-gig-logical or intf-10gig-logical context) commands.
CBS(intf-10gig-logical)# show
Logical Line           : testlogical
Interface              : 10gigabitethernet 1/12
Ingress VLAN Tag Range : 1660 : 1660
Circuit Name           : testvlan1660
(1 row)
CBS(intf-10gig-logical)#
You use the logical (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface to enable a circuit's VNDs to accept untagged packets or to enable a circuit's VNDs to accept VLAN-tagged packets from one or more specific VLANs (instead of accepting all tagged and untagged packets).
NOTE: While you can configure multiple logical interfaces for the same physical interface, each physical interface can have only one logical interface configured with the logical-all command.
After you configure a logical interface, you cannot change its VLAN tag configuration. Instead, you must delete the existing logical interface and recreate it with the desired configuration.
Use the no parameter to delete the specified logical interface from the physical interface that you are configuring.
Syntax
[no] logical-all <logical_name>
Parameters
The following table lists the parameters used with this command.
Parameter: <logical_name>
Description: Name assigned to the logical interface that you want to create, configure, or delete.
Restrictions
Default Privilege Level: 15
A physical interface can have only one logical interface configured with the logical-all command.
If a physical interface has a logical interface configured with the logical-all command, that physical interface cannot be configured as a redundant interface.
Example
The following command configures 10 Gigabit Ethernet port number 11 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface 10gigabitethernet 1/11
CBS(conf-intf-10gig)#
The following command configures a logical interface for the above physical interface, and configures that logical interface to create a link between a circuit's VNDs and all VLANs connected to the physical interface. This command also places you in the intf-10gig-logical-all context in which you can map a circuit to the new logical interface (called testlogicalall).
CBS(conf-intf-10gig)# logical-all testlogicalall
CBS(intf-10gig-logical-all)#
A circuit mapped to the logical interface called testlogicalall can accept all VLAN-tagged packets arriving on 10 Gigabit Ethernet interface 1/11.
Syntax
[no] circuit <circuit_name>
Contexts
You access this command from either the intf-gig-logical-all context or the intf-10gig-logical-all context.
You access the intf-gig-logical-all context from the main CLI context, as follows:
1. Issue the gigabitethernet command inline with the configure interface command to configure a Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical-all (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified Gigabit Ethernet interface.
You access the intf-10gig-logical-all context from the main CLI context, as follows:
1. Issue the 10gigabitethernet command inline with the configure interface command to configure a 10 Gigabit Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
2. Issue the logical-all (conf-intf-gig or conf-intf-10gig context) command to configure a logical interface for the specified 10 Gigabit Ethernet interface.
Parameters
The following table lists the parameters used with this command.
Parameter: <circuit_name>
Description: Name of the circuit that you wish to map to the logical interface that you have just configured with the logical-all command. Use the show circuit command to display all current circuit configurations.
Restrictions
Default Privilege Level: 15
A circuit can be assigned to only one logical interface.
NOTE: You can map multiple logical interfaces to the same physical interface, allowing multiple circuits to pass traffic over a single physical interface. However, a physical interface can have only one logical interface configured with the logical-all command. All other logical interfaces must be configured with the logical (conf-intf-gig or conf-intf-10gig context) command. Whether you configure a logical interface with the logical or logical-all command, you can always use link aggregation to bond multiple physical interfaces to a single logical interface, allowing one circuit to pass traffic over multiple physical interfaces.
Example
The following command configures 10 Gigabit Ethernet port number 11 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface 10gigabitethernet 1/11
CBS(conf-intf-10gig)#
The following command configures a logical interface for the above physical interface, and configures that logical interface to create a link between a circuit's VNDs and all VLANs connected to the physical interface. This command also places you in the intf-10gig-logical-all context in which you can map a circuit to the new logical interface (called testlogicalall).
CBS(conf-intf-10gig)# logical-all testlogicalall
CBS(intf-10gig-logical-all)#
The following command maps the circuit called testallvlans to the logical interface called testlogicalall on 10 Gigabit Ethernet interface 1/11:
CBS(intf-10gig-logical-all)# circuit testallvlans
CBS(intf-10gig-logical-all)#
The circuit called testallvlans is mapped to the VAP group called testvapgroup. The VNDs that XOS creates for the circuit called testallvlans on the VAP group called testvapgroup will process all tagged and untagged traffic arriving on 10 Gigabit Ethernet interface 1/11.
Syntax
[no] standby-only
Context
You access this command from the conf-intf-gig or conf-intf-10gig context. You can access either of these contexts by issuing the configure interface command.
Restrictions
Default Privilege Level: 15
A master interface cannot be configured with the standby-only command.
Members of a group interface cannot be configured as backup interfaces. However, members of a group interface can be configured as master interfaces.
A redundant interface cannot have a logical interface configured with the logical-all (conf-intf-gig or conf-intf-10gig context) command.
Multiple interfaces participating in the same interface redundancy configuration cannot be configured to pass traffic in the same broadcast domain. Therefore, in an interface redundancy configuration:
Only one interface can have logical interfaces configured to enable circuits to accept untagged packets.
Multiple interfaces cannot have logical interfaces configured with the same VLAN tag or with overlapping VLAN tag ranges.
NOTE: Logical interfaces that are not configured with the ingress-vlan-tag parameter are assigned to the VLAN tag range, 0-0.
Example
The following command configures 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 2 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-10gig context in which you can configure settings for the 10 Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface 10gigabitethernet 2/12
CBS(conf-intf-10gig)#
The following command configures the X-Series Platform to use the above interface as a backup interface in an interface redundancy configuration.
NOTE: The master interface in this configuration will be 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1. See the example under configure redundancy-interface on page 541 for more information about this interface redundancy configuration.
CBS(conf-intf-10gig)# standby-only
CBS(conf-intf-10gig)#
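The restrictions listed for the logical, logical-all, circuit and standby-only commands can be checked against a planned command list before it is typed into the CLI. The following is an added example, not part of the XOS documentation: the audit function, its finding codes and the sample names are assumptions, and it models only the create forms of the commands (no "no" forms, no cross-interface redundancy check).

```python
import re
from itertools import combinations

# Constructed sample plan: interface numbers, logical names and circuit names
# are invented; only the command keywords come from this command reference.
SAMPLE = """\
configure interface 10gigabitethernet 1/12
logical web ingress-vlan-tag 100 199
circuit c_web
logical dmz ingress-vlan-tag 150
circuit c_dmz
logical plain
circuit c_web
configure interface 10gigabitethernet 2/12
standby-only
logical-all everything
logical bad ingress-vlan-tag 5000
"""

PROMPT = re.compile(r"^CBS(\([\w-]+\))?#\s*")  # strip a pasted CLI prompt, if any
IFACE = re.compile(r"configure interface ((?:10)?gigabitethernet) (\d+)/(\d+)$")
LOGICAL = re.compile(r"logical (\S+)(?: ingress-vlan-tag (\d+)(?: (\d+))?)?$")
LOGICAL_ALL = re.compile(r"logical-all (\S+)$")
CIRCUIT = re.compile(r"circuit (\S+)$")
MAX_VLAN = 4094  # valid VLAN IDs are 0 to 4094 per the logical command


def audit(text):
    """Return a list of (code, interface, detail) findings for a command list."""
    findings, ifaces, circuits = [], {}, {}
    cur = logical = None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        m = IFACE.match(line)
        if m:
            cur, logical = f"{m[1]} {m[2]}/{m[3]}", None
            ifaces.setdefault(cur, {"standby": False, "all": [], "ranges": []})
            continue
        if cur is None:
            continue  # no interface selected yet, nothing to attach to
        st = ifaces[cur]
        if line == "standby-only":
            st["standby"] = True
        elif (m := LOGICAL_ALL.match(line)):
            logical = m[1]
            st["all"].append(logical)
        elif (m := LOGICAL.match(line)):
            logical = m[1]
            # Without ingress-vlan-tag the logical interface gets range 0-0
            # (NOTE in the Restrictions above).
            lo = int(m[2]) if m[2] else 0
            hi = int(m[3]) if m[3] else lo
            if lo > hi or hi > MAX_VLAN:
                findings.append(("BAD_VLAN", cur, f"{logical} {lo}-{hi}"))
            else:
                st["ranges"].append((logical, lo, hi))
        elif (m := CIRCUIT.match(line)) and logical:
            here = f"{cur} {logical}"
            first = circuits.setdefault(m[1], here)
            if first != here:  # a circuit can be assigned to only one logical
                findings.append(("CIRCUIT_REUSE", cur, f"{m[1]} already on {first}"))
    for name, st in ifaces.items():
        for (a, alo, ahi), (b, blo, bhi) in combinations(st["ranges"], 2):
            if alo <= bhi and blo <= ahi:
                findings.append(
                    ("OVERLAP", name, f"{a} {alo}-{ahi} overlaps {b} {blo}-{bhi}"))
        if len(st["all"]) > 1:
            findings.append(("MULTIPLE_LOGICAL_ALL", name, ", ".join(st["all"])))
        if st["standby"] and st["all"]:
            # standby-only marks a backup (redundant) interface
            findings.append(("LOGICAL_ALL_ON_STANDBY", name, st["all"][0]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```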
Syntax
[no] pause-frame
Context
You access this command from the conf-intf-gig or conf-intf-10gig context. You can access either of these contexts from the main CLI context by issuing the configure interface command.
Restrictions
Default Privilege Level: 15
Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#
The following command disables PAUSE frame support on Gigabit Ethernet interface 1/1:
CBS(conf-intf-gig)# no pause-frame
CBS(conf-intf-gig)#
Syntax
[no] auto-negotiate
Context
You access this command from the conf-intf-gig context. You access this context from the main CLI context by issuing the gigabitethernet command inline with the configure interface command.
Restrictions
Default Privilege Level: 15
This setting is not configurable on 10 Gigabit Ethernet interfaces.
Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#
The following command disables auto-negotiation on Gigabit Ethernet interface 1/1:
CBS(conf-intf-gig)# no auto-negotiate
CBS(conf-intf-gig)#
Syntax
duplex-mode {full | half}
no duplex-mode
Context
You access this command from the conf-intf-gig context. You access this context from the main CLI context by issuing the gigabitethernet command inline with the configure interface command.
Parameters
The following table lists the parameters used with this command.
Parameter: full
Description: Configures the Gigabit Ethernet interface to operate in full-duplex mode. This is the default setting.
Parameter: half
Description: Configures the Gigabit Ethernet interface to operate in half-duplex mode.
Restrictions
Default Privilege Level: 15
This setting applies only to Gigabit Ethernet interfaces with copper connectors.
This setting is not configurable for 10 Gigabit Ethernet interfaces.
This setting has no effect if auto-negotiation is enabled on the interface that you are configuring. Use the show (conf-intf-gig or conf-intf-10gig context) command to determine whether auto-negotiation is enabled or disabled on the interface that you are configuring. See auto-negotiate (conf-intf-gig context) on page 481 for information about enabling and disabling auto-negotiation on an interface.
Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#
The following command configures Gigabit Ethernet interface 1/1 to operate in half-duplex mode:
CBS(conf-intf-gig)# duplex-mode half
CBS(conf-intf-gig)#
Use the show (conf-intf-gig or conf-intf-10gig context) command to display the media speed setting for the interface that you are configuring.
Syntax
media-speed {10 | 100 | 1000}
no media-speed
Context
You access this command from the conf-intf-gig context. You access this context from the main CLI context by issuing the gigabitethernet command inline with the configure interface command.
Parameters
The following table lists the parameters used with this command.
Parameter: 10
Description: Sets the media speed to 10 Mbps for the Gigabit Ethernet interface that you are configuring.
Parameter: 100
Description: Sets the media speed to 100 Mbps for the Gigabit Ethernet interface that you are configuring.
Parameter: 1000
Description: Sets the media speed to 1 Gbps for the Gigabit Ethernet interface that you are configuring. This is the default setting.
Restrictions
Default Privilege Level: 15
This setting applies only to Gigabit Ethernet interfaces with copper connectors.
This setting is not configurable for 10 Gigabit Ethernet interfaces.
This setting has no effect if auto-negotiation is enabled on the interface that you are configuring. Use the show (conf-intf-gig or conf-intf-10gig context) command to determine whether auto-negotiation is enabled or disabled on the interface that you are configuring. See auto-negotiate (conf-intf-gig context) on page 481 for information about enabling and disabling auto-negotiation on an interface.
Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#
The following command sets the media speed to 10 Mbps for Gigabit Ethernet interface 1/1:
CBS(conf-intf-gig)# media-speed 10
CBS(conf-intf-gig)#
Syntax
[no] enable
Context
You access this command from the conf-intf-gig or conf-intf-10gig context. You can access either of these contexts from the main CLI context by issuing the configure interface command.
Restrictions
Default Privilege Level: 15
Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#
The following command temporarily disables Gigabit Ethernet interface 1/1:
CBS(conf-intf-gig)# no enable
CBS(conf-intf-gig)#
The NPM will not allow traffic to pass through Gigabit Ethernet interface 1/1 until you issue the following commands:
CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)#
Syntax
show
Context
You access this command from the conf-intf-gig or conf-intf-10gig context. You can access either of these contexts from the main CLI context by issuing the configure interface command.
Output
The output for this command has the following format for a gigabitethernet interface:
Interface                           : {gigabitethernet} <slot>/<port>
Enable (true/false)                 : {t | f}
Auto Negotiate Enabled (true/false) : {t | f}
Media Speed (Mbits)                 : {auto | 100 | 10}
Duplex Mode                         : {auto | full | half}
Pause Frame (true/false)            : {t | f}
Standby Only (true/false)           : {t | f}
(1 row)
The output for this command has the following format for a 10gigabitethernet interface:
Interface                 : {10gigabitethernet} <slot>/<port>
Enable (true/false)       : {t | f}
Pause Frame (true/false)  : {t | f}
Standby Only (true/false) : {t | f}
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading: Interface
Information Provided: Ethernet interface type, NPM slot number, and port number assigned to the interface that you are configuring. This row displays information in the following format:
{gigabitethernet | 10gigabitethernet} <slot>/<port>
where:
{gigabitethernet | 10gigabitethernet} indicates whether this is a Gigabit Ethernet interface or a 10 Gigabit Ethernet interface.
<slot> is the chassis slot number assigned to the NPM on which you are configuring the interface.
<port> is the NPM port number assigned to the interface.
See configure interface on page 467 for information about configuring an Ethernet port on an NPM to pass traffic between the X-Series Platform and an external network.
Column/Row Heading: Auto Negotiate Enabled (true/false)
Information Provided: Indicates whether auto-negotiation is enabled (t) or disabled (f) on the interface that you are configuring. Default is enabled (t). See auto-negotiate (conf-intf-gig context) on page 481 for information about enabling and disabling auto-negotiation on an interface.
Column/Row Heading: Media Speed (Mbits)
Information Provided: Media speed setting for the interface that you are configuring. This row displays one of the following keywords:
auto: Indicates that auto-negotiation is enabled on the interface. When an external system establishes a connection with the X-Series Platform using this interface, the X-Series Platform works with the external system to choose the optimal media speed for that connection.
100: Media speed is 100 Mbps. This is the default setting when auto-negotiation is disabled.
10: Media speed is 10 Mbps.
See media-speed (conf-intf-gig context) on page 483 for information about setting the media speed for an interface.
Column/Row Heading: Duplex Mode
Information Provided: Duplex mode setting for the interface that you are configuring. This row displays one of the following keywords:
auto: Indicates that auto-negotiation is enabled on the interface. When an external system establishes a connection with the X-Series Platform using this interface, the X-Series Platform works with the external system to choose the optimal duplex mode for that connection.
full: Interface is operating in full-duplex mode. This is the default setting when auto-negotiation is disabled.
half: Interface is operating in half-duplex mode.
See duplex-mode (conf-intf-gig context) on page 482 for information about setting the duplex mode for an interface.
Column/Row Heading: Pause Frame (true/false)
Information Provided: Indicates whether PAUSE frame support is enabled (t) or disabled (f) for the interface that you are configuring. Default is enabled (t). See pause-frame (conf-intf-gig or conf-intf-10gig context) on page 480 for information about enabling and disabling PAUSE frame support for an interface.
Column/Row Heading: Standby Only (true/false)
Information Provided: Indicates whether Standby Only is enabled (t) or disabled (f) for the interface that you are configuring. Default is disabled (f). If Standby Only is enabled for an interface, the interface can be used as a backup interface in an interface redundancy configuration. See standby-only (conf-intf-gig or conf-intf-10gig context) on page 479 for information about enabling and disabling Standby Only for an interface.
Restrictions
Default Privilege Level: 15
Example
The following command configures Gigabit Ethernet port number 1 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network. This command also places you in the conf-intf-gig context in which you can configure settings for the Gigabit Ethernet interface, and create and configure logical interfaces for that interface.
CBS# configure interface gigabitethernet 1/1
CBS(conf-intf-gig)#
The following command displays the current configuration settings for Gigabit Ethernet interface 1/1.
NOTE: This command displays the interface configuration settings that you would create if you issued the example commands that we have provided throughout this section.
CBS(conf-intf-gig)# show
Interface                           : gigabitethernet 1/1
Enable (true/false)                 : t
Auto Negotiate Enabled (true/false) : f
Media Speed (Mbits)                 : 10
Duplex Mode                         : half
Pause Frame (true/false)            : f
Standby Only (true/false)           : t
(1 row)
CBS(conf-intf-gig)#
configure interface-internal
An interface-internal defines an interface that can be used for internal connectivity between VAPs. Like an external interface, an interface-internal can be segmented into separate logical interfaces. Each logical interface can be configured to handle a range of VLAN traffic, non-VLAN traffic, or all traffic, tagged or untagged.
You can use interface-internal to configure a synchronization circuit to connect member VAPs within a VAP group. For example, you use this type of circuit for Check Point cluster synchronization.
You can also use an interface-internal to configure serialization. Serialization refers to the flow of data traffic from one application to a second application installed on the same X-Series Platform. You install and configure each application on a separate virtual application processor (VAP) group and connect the two VAP groups internally, in series. Traffic passes from one application to the next, allowing multi-layered, in-depth inspection, consistent with a user-defined security policy. In serialization, an interface-internal is a virtualized interface used to pass traffic from an application installed on one VAP group to another application installed on another VAP group configured on the same X-Series Platform.
To create and configure an interface-internal, you perform the following steps:
1. Make sure you have created the circuits required by your configuration.
For a synchronization circuit, create the circuit and assign it to the VAP group (for example, the VAP group associated with a Check Point firewall application).
For serialization, create a bridge circuit if required (e.g. for Layer 2 to Layer 3 serialization), and two traffic circuits, and assign one of the traffic circuits to both VAP groups for which you want to configure serialization.
2. Configure an interface-internal.
3. Configure one or more logical or logical-all interfaces for the interface-internal, and segment VLAN and non-VLAN traffic among the logical interfaces as required.
4. Assign the appropriate circuits to the logical interfaces.
5. Configure options to override the flow-table-limit, fragment-handling-options, and packet-validation settings for each circuit on this interface (optional).
The interface-internal command creates and configures an internal interface and maps the specified logical lines to the internal interface. Circuits are then assigned to these logical lines.
You can create multiple logical interfaces for the interface-internal. A logical interface can be configured to handle a range of VLAN traffic, non-VLAN traffic, or both VLAN and non-VLAN traffic:
A logical interface configured with an ingress-vlan-tag accepts VLAN traffic for the specified VLAN tag or range.
A logical interface configured without an ingress-vlan-tag accepts only non-VLAN traffic.
A logical interface configured with the logical-all command accepts VLAN and non-VLAN traffic not handled by other logical lines.
When you create and configure an interface-internal, XOS creates the interface on the application's VAP group that is assigned to a circuit mapped through a logical interface to the internal interface. XOS creates an internal interface for a VAP group by creating a Virtual Network Device (VND) on each VAP in the group. The VAP operating system and the application running on the VAP group use the internal interface VNDs as Linux networking interfaces.
Use the no interface-internal command to delete the internal interface.
Syntax
configure interface-internal <internal_interface_name>
configure no interface-internal <internal_interface_name>
Parameters
The following table lists the parameters used with this command.

Parameter                    Description
<internal_interface_name>    Specifies a unique name for the internal interface.
Restrictions
Default Privilege Level: 15

A circuit mapped to an interface-internal must meet the following configuration requirements:

- The circuit must be assigned to both VAP groups for which you want to configure serialization, or the circuit must be assigned to a single VAP group for internal communication among the member VAPs.
- The circuit configuration for a bridging application's VAP group must include the promiscuous-mode active command. (See promiscuous-mode (conf-cct-vapgroup context) on page 423 for more information about this command.)
Example
In this example, we are configuring an interface-internal to configure synchronization for a firewall application.

The following commands create a circuit sync1 and assign it to the VAP group fw1:

CBS# configure circuit sync1
CBS(conf-cct)# device-name sync1
CBS(conf-cct)# vap-group fw1
CBS(conf-cct-vapgroup)# end
CBS#

The following commands create an interface-internal if_sync, assign it to the logical-all interface log_if_sync, and map it to the circuit sync1.

CBS# configure interface-internal if_sync
CBS(conf-intf-internal)# logical-all log_if_sync
CBS(conf-intf-internal-log-all)# circuit sync1
CBS(conf-intf-int-log-all-cct)# end
CBS#

For information about configuring an interface-internal for serialization or bridged configurations, see the XOS Configuration Guide and the Serialization Cookbook: IPS and Firewall.
You can configure multiple logical interfaces with the ingress-vlan-tag parameter to provide a VAP group with a separate virtualized Ethernet connection for each VLAN connected to the interface-internal. To do this, you configure a separate logical interface for each VLAN, and then map one of the VAP group's circuits to each VLAN-tagged logical interface.

NOTE: A single interface-internal cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.

You can use the logical-all command to configure a logical interface to enable a circuit's VNDs to accept all tagged and untagged packets. (See logical-all (conf-intf-internal context) on page 492 for more information about this command.)

After you configure a logical interface, you cannot change its VLAN tag configuration. Instead, you must delete the existing logical interface and recreate it with the desired VLAN tag configuration.

Use the no logical command to delete the specified logical interface from the physical interface that you are configuring.
Syntax
logical <logical_name> [ingress-vlan-tag {<VLAN_ID> | <lowest_VLAN_ID> <highest_VLAN_ID>}]
no logical <logical_name>
Parameters
The following table lists the parameters used with this command.

Parameter                                                            Description
<logical_name>                                                       Name assigned to the logical interface that you wish to create, configure, or delete.
ingress-vlan-tag {<VLAN_ID> | <lowest_VLAN_ID> <highest_VLAN_ID>}    Configures the logical interface to create a logical link between a circuit's VNDs and either a single VLAN or a range of VLANs. Specify a single VLAN tag, <VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets with the specified VLAN tag. Specify this parameter with a range of VLAN tags, <lowest_VLAN_ID> <highest_VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets whose VLAN tags are within the specified range. Valid values for <VLAN_ID>, <lowest_VLAN_ID>, and <highest_VLAN_ID> are from 0 to 4094.
                                                                     NOTE: A single physical interface cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.
Restrictions
Default Privilege Level: 15

A single interface-internal cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.
Example
The following command creates an interface-internal named if_test. This command also places you in the conf-intf-internal context in which you can create and configure logical interfaces for that interface.

CBS# configure interface-internal if_test
CBS(conf-intf-internal)#

The following command configures a logical interface called testlogical for the above interface-internal, and configures that logical interface to create a link between a circuit's VNDs and the VLAN with the ID number 1660, which is connected to the interface-internal. This command also places you in the conf-intf-internal-log context in which you can map a circuit to the new logical interface.

CBS(conf-intf-internal)# logical testlogical ingress-vlan-tag 1660
CBS(conf-intf-internal-log)#

A circuit mapped to the logical interface called testlogical can accept packets arriving on the interface-internal if_test only if those packets have the VLAN tag 1660.
The logical-all command creates and configures a new logical interface or configures the specified existing logical interface for the interface-internal that you are configuring. This command also places you in the conf-intf-internal-log-all context in which you can map a circuit to the specified logical interface.

When you map a circuit to a logical interface, you create a logical link between that circuit's VNDs and the interface-internal that you are configuring. When you use the logical-all command to configure a logical interface for an interface-internal, the VNDs that XOS creates for a circuit mapped to that logical interface can accept all tagged and untagged packets arriving on the interface-internal.

NOTE: You can map only one circuit to each logical interface.

See circuit (conf-intf-internal-log or conf-intf-internal-log-all context) on page 494 for more information about mapping a circuit to a logical interface configured with the logical-all command.

You use the logical (conf-intf-internal context) command to configure a logical interface to enable a circuit's VNDs to accept untagged packets or to enable a circuit's VNDs to accept VLAN-tagged packets from one or more specific VLANs (instead of accepting all tagged and untagged packets).

NOTE: While you can configure multiple logical interfaces for the same physical interface, each physical interface can have only one logical interface configured with the logical-all command.

After you configure a logical interface, you cannot change its VLAN tag configuration. Instead, you must delete the existing logical interface and recreate it with the desired configuration.

Use the no parameter to delete the specified logical interface from the physical interface that you are configuring.
Syntax
[no] logical-all <logical_name>
Parameters
The following table lists the parameters used with this command.

Parameter         Description
<logical_name>    Name assigned to the logical interface that you want to create, configure, or delete.
Restrictions
Default Privilege Level: 15

- A physical interface can have only one logical interface configured with the logical-all command.
- If a physical interface has a logical interface configured with the logical-all command, that physical interface cannot be configured as a redundant interface.
Example
The following command creates an interface-internal named if_test. This command also places you in the conf-intf-internal context in which you can create and configure logical interfaces for that interface.

CBS# configure interface-internal if_test
CBS(conf-intf-internal)#

The following command configures a logical interface called testlogicalall for the above interface-internal. This command also places you in the conf-intf-internal-log-all context in which you can map a circuit to the new logical interface.

CBS(conf-intf-internal)# logical-all testlogicalall
CBS(conf-intf-internal-log-all)#

A circuit mapped to the logical interface called testlogicalall can accept all tagged and untagged packets arriving on the interface-internal if_test.
Syntax
[no] circuit <circuit_name> [[no] flow-table-limit] [[no] fragment-handling-options] [[no] packet-validation]
Contexts
You access this command from either the conf-intf-internal-log context or the conf-intf-internal-log-all context.

You access the conf-intf-internal-log context from the main CLI context, as follows:

1. Issue the configure interface-internal command to create or specify an interface-internal.
2. Issue the logical (conf-intf-internal context) command to configure a logical interface for the specified interface-internal.

You access the conf-intf-internal-log-all context from the main CLI context, as follows:

1. Issue the configure interface-internal command to create or specify an interface-internal.
2. Issue the logical-all (conf-intf-internal context) command to configure a logical interface for the specified interface-internal.
Parameters
The following table lists the parameters used with this command.

Parameter                         Description
<circuit_name>                    Name of the circuit that you wish to map to the logical interface that you are configuring. Use the show circuit command to display all current circuit configurations.
[no] flow-table-limit             Overrides the global action when the flow table limit has been reached. Has this additional parameter:
                                    alternative-action pass     Specifies that traffic should be passed after the flow table limit has been exceeded.
[no] fragment-handling-options    Enables or disables (using no) fragment handling protection, which overwrites the global settings.
[no] packet-validation            Enables or disables (using no) packet validation, which overwrites the global settings. Has these additional parameters:
                                    [no] validate-ip-packet     Overrides the global action for invalid IP packets.
                                    [no] validate-tcp-packet    Overrides the global action for invalid TCP packets.
                                    [no] validate-tcp-xsum      Overrides the global action for invalid TCP packets with respect to checksum.
Restrictions
Default Privilege Level: 15

A circuit can be assigned to only one logical interface.

NOTE: You can map multiple logical interfaces to the same interface-internal, allowing multiple circuits to pass traffic over a single interface-internal.
Example
The following command creates an interface-internal named if_test. This command also places you in the conf-intf-internal context in which you can create and configure logical interfaces for that interface.

CBS# configure interface-internal if_test
CBS(conf-intf-internal)#

The following command configures a logical interface called testlogicalall for the above interface-internal. This command also places you in the conf-intf-internal-log-all context in which you can map a circuit to the new logical interface.

CBS(conf-intf-internal)# logical-all testlogicalall
CBS(conf-intf-internal-log-all)#
The following command maps the circuit testall_cct to the logical interface testlogicalall that is mapped to the interface-internal if_test. This command also places you in the conf-intf-int-log-cct context, in which you can

CBS(conf-intf-internal-log)# circuit testall_cct
CBS(conf-intf-int-log-cct)#

A circuit mapped to the logical interface called testlogicalall can accept all tagged and untagged packets arriving on the interface-internal if_test.
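
The restrictions stated above for the logical, logical-all and circuit commands, and the rule for which logical interface accepts a given packet, can be checked against a planned layout before any command is issued. The following Python code is an added example, not part of the XOS documentation or software; the Logical record, the function names and the sample plan are hypothetical, and it assumes that <lowest_VLAN_ID> must not exceed <highest_VLAN_ID>.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VLAN_MIN, VLAN_MAX = 0, 4094  # valid <VLAN_ID> values per the logical command


@dataclass(frozen=True)
class Logical:
    """One planned logical interface on a single interface-internal (hypothetical model)."""
    name: str
    circuit: str                            # the one circuit mapped to it
    kind: str = "logical"                   # "logical" or "logical-all"
    vlan: Optional[Tuple[int, int]] = None  # (lowest, highest); None = no ingress-vlan-tag


def validate(plan: List[Logical]) -> List[str]:
    """Return every violation of the restrictions listed on the page ([] = none)."""
    errors: List[str] = []
    circuit_owner: Dict[str, str] = {}
    tagged: List[Tuple[int, int, str]] = []
    first_all: Optional[str] = None

    for lg in plan:
        if lg.kind not in ("logical", "logical-all"):
            errors.append(f"{lg.name}: unknown kind {lg.kind!r}")
            continue
        # A circuit can be assigned to only one logical interface.
        if lg.circuit in circuit_owner:
            errors.append(f"{lg.name}: circuit {lg.circuit} is already mapped to "
                          f"{circuit_owner[lg.circuit]}")
        else:
            circuit_owner[lg.circuit] = lg.name

        if lg.kind == "logical-all":
            # logical-all has no ingress-vlan-tag, and only one is allowed.
            if lg.vlan is not None:
                errors.append(f"{lg.name}: logical-all takes no ingress-vlan-tag")
            if first_all is not None:
                errors.append(f"{lg.name}: second logical-all (first is {first_all})")
            else:
                first_all = lg.name
        elif lg.vlan is not None:
            low, high = lg.vlan
            # Assumption: lowest must not exceed highest.
            if not (VLAN_MIN <= low <= high <= VLAN_MAX):
                errors.append(f"{lg.name}: invalid VLAN range {low}-{high}")
            else:
                tagged.append((low, high, lg.name))

    # Overlap check: walk the ranges in order of lowest tag and compare each
    # one with the range that reaches furthest so far.
    widest: Optional[Tuple[int, int, str]] = None
    for low, high, name in sorted(tagged):
        if widest is not None and low <= widest[1]:
            errors.append(f"{name} ({low}-{high}) overlaps {widest[2]} "
                          f"({widest[0]}-{widest[1]})")
        if widest is None or high > widest[1]:
            widest = (low, high, name)
    return errors


def receiving_logical(plan: List[Logical], vlan_tag: Optional[int]) -> Optional[Logical]:
    """Return the logical interface that accepts a packet (vlan_tag=None means untagged).

    A tagged logical takes packets in its range, an untagged logical takes
    non-VLAN packets, and logical-all takes whatever the others do not handle.
    None means no logical interface in the plan accepts the packet.
    """
    fallback: Optional[Logical] = None
    for lg in plan:
        if lg.kind == "logical-all":
            fallback = fallback or lg
        elif vlan_tag is None and lg.vlan is None:
            return lg
        elif vlan_tag is not None and lg.vlan is not None \
                and lg.vlan[0] <= vlan_tag <= lg.vlan[1]:
            return lg
    return fallback


if __name__ == "__main__":
    # Constructed sample plan; interface and circuit names are made up.
    plan = [
        Logical("log_v100", "cct_a", vlan=(100, 199)),
        Logical("log_v1660", "cct_b", vlan=(1660, 1660)),
        Logical("log_rest", "cct_c", kind="logical-all"),
    ]
    print(validate(plan) or "plan is consistent")
    for tag in (150, 1660, 300, None):
        hit = receiving_logical(plan, tag)
        print(tag, "->", hit.name if hit else "no logical interface")
```

Running validate on a plan before a change window shows, for example, that a new VLAN range would collide with an existing logical interface, which XOS would otherwise only allow you to correct by deleting and recreating that logical interface.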
configure group-interface
Creates and configures a new group interface or configures the specified existing group interface. Places you in the conf-group-intf context in which you can configure the specified group interface.

A group interface is a set of interfaces that are logically linked to one another, and are collectively used to pass traffic between an external network and the members of one or more virtual application processor (VAP) groups. You can configure a group interface to perform the following function:

- Link Aggregation: You configure the group interface to link two or more physical interfaces to create a link aggregation group (LAG). XOS bonds all interfaces in a LAG to a single logical interface, allowing one circuit to pass traffic over all interfaces in the LAG. See mode (conf-group-intf context) on page 497 for information about configuring a group interface to create a LAG.

Use the configure bridge-mode command to add a LAG to a bridged configuration.

Use the show (conf-group-intf context) command to display the current configuration for the group interface that you are configuring.

Use the no parameter to delete the specified group interface.
Syntax
configure [no] group-interface <group_interface_name>
This command places you in the conf-group-intf context in which you can configure the specified group interface. You can access the following commands from this context:

- mode (conf-group-intf context) on page 497
- interface-type (conf-group-intf context) on page 500
- interface (conf-group-intf context) on page 510
- logical (conf-group-intf context) on page 514
- show (conf-group-intf context) on page 519
Parameters
The following table lists the parameters used with this command.

Parameter                 Description
<group_interface_name>    Name assigned to the group interface that you want to create, configure, or delete.
Restrictions
Default Privilege Level: 15
Example
The following command creates a new group interface named testgrpint, and places you in the conf-group-intf context in which you can configure the new group interface:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

XOS creates a logical link between the template circuit VND and the group interface member VNDs on each VAP in each VAP group to which the template circuit is assigned. Each VAP uses its template circuit VND as a link aggregation device that links the group interface member VNDs to create a virtualized link aggregation group (LAG).

XOS creates and configures a single logical interface for each group interface, and maps all group interface member VNDs to that logical interface. The logical interface provides a logical link between the physical interfaces that belong to the group and the VNDs that XOS creates for all members of the group.

NOTE: The logical interface also provides a logical link between all group interface member VNDs and all VLANs connected to the physical interfaces that belong to the group. This enables group interface member VNDs to accept all tagged and untagged packets received on the physical interfaces that belong to the group. To use separate circuits for specific VLANs connected to the physical interfaces that belong to a group interface, you must configure additional logical interfaces for the group interface and map each logical interface to a single circuit. You can configure each additional logical interface to provide a link between its circuit's VNDs and one or more VLANs. See logical (conf-group-intf context) on page 514 for more information about configuring a logical interface for a group interface.

You configure a group interface to operate in Multi-link Mode.

Use the show (conf-group-intf context) command to display the current operating mode for the group interface that you are configuring.
Multi-link Mode
In multi-link mode, a group interface links two or more physical interfaces to create a link aggregation group (LAG). XOS bonds all interfaces in a LAG to a single logical interface, allowing one circuit to pass traffic over all interfaces in the LAG.

Before configuring a group interface to operate in multi-link mode, you create and configure a template circuit, assign it to one or more VAP groups, and configure each VAP group to process traffic passing through the circuit. XOS creates a Virtual Network Device (VND) for the template circuit on each VAP in each VAP group to which you assign the circuit.

NOTE: See Commands for Configuring Circuits for information about creating a circuit, assigning it to a VAP group, and configuring the VAP group to process traffic passing through the circuit.

When you configure a group interface to operate in multi-link mode, XOS configures the template circuit as a virtualized link aggregation device for each VAP group to which the template circuit is assigned. XOS uses the template circuit configuration to create and configure a VND for each group interface member on each VAP in each VAP group to which the template circuit is assigned. The VAP operating system and the application running on a VAP use group interface member VNDs as Linux networking interfaces.

On each VAP, XOS links the group interface template circuit VND with all of the group interface member VNDs. The template circuit VND functions as a link aggregation device that links the group interface member VNDs to create a virtual link aggregation group (LAG) on the VAP.

XOS creates and configures a single logical interface for each multi-link mode group interface, and maps all group interface member VNDs to that logical interface. The logical interface provides a logical link between the physical interfaces configured as members of the LAG and the VNDs that XOS creates for those physical interfaces.

Thus, the physical interfaces in a multi-link mode group interface are configured as members of a LAG. This LAG passes traffic between an external network and the members of the VAP groups to which the template circuit is assigned.

NOTE: The logical interface for a multi-link mode group interface also provides a logical link between the group interface member VNDs and all VLANs connected to the physical interfaces in the LAG. This enables the group interface member VNDs to accept all tagged and untagged packets received on the physical interfaces in the LAG. If you wish to break up a VLAN trunk into multiple VLAN circuits, you must configure the group interface with a separate logical interface for each VLAN circuit, and configure each logical interface to create a logical link between its circuit's VNDs and one or more VLANs. See logical (conf-group-intf context) on page 514 for information about configuring a logical interface for a group interface.

A VAP group treats a LAG as if it were a single interface. Therefore, if you configure a group interface to operate in multi-link mode, you can configure that group interface (LAG) as a member of a bridge-mode configuration.
Syntax
mode multi-link circuit <template_circuit_name>
Context
You access this command from the conf-group-intf context. You access this context from the main CLI context by issuing the configure group-interface command.
Parameters
The following table lists the parameters used with this command.

Parameter                           Description
multi-link                          Configures the group interface to operate in multi-link mode. See Multi-link Mode on page 498 for more information about this mode.
circuit <template_circuit_name>     Maps the specified template circuit to the group interface. XOS configures the template circuit as a virtualized link aggregation device for each VAP group to which the circuit is assigned. See Multi-link Mode on page 498 for more information.
Restrictions
Default Privilege Level: 15

- You must set the operating mode for a group interface and map a template circuit to that group interface before adding members to that group interface.
- You must assign a template circuit to at least one VAP group before mapping the template circuit to a group interface.
- Each template circuit can be mapped to only one group interface.

The following restrictions apply to group interfaces configured to operate in Multi-link Mode:

- The group interface can include a maximum of eight physical interfaces.
- The group interface cannot include any internal interfaces.
- Group interface members cannot be used in interface redundancy configurations. See configure redundancy-interface on page 541 for more information about interface redundancy.
Example
The following commands create and configure a template circuit called testgrp and assign that circuit to the VAP group called testvapgroup:

CBS# configure circuit testgrp
CBS(conf-cct)# device-name testgrp
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# end
CBS#

The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command configures the group interface called testgrpint to operate in Multi-link Mode, and assigns the template circuit called testgrp to that group interface:

CBS(conf-group-intf)# mode multi-link circuit testgrp
CBS(conf-group-intf)#

The following commands configure physical ports as members of the LAG and enable the interfaces for this group interface.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# exit
CBS(conf-group-intf)# interface 1/2
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)# interface 1/3
CBS(conf-grp-intf-intf)# end
CBS#

XOS configures the template circuit called testgrp as a virtualized link aggregation device for the VAP group called testvapgroup.
XOS applies the specified Ethernet interface type setting to all members of the group interface that you are configuring. All Network Processor Module (NPM) interfaces that you configure as members of this group interface must be of the specified interface type. The default Ethernet interface type setting is Gigabit Ethernet. Use the interface-type gigabitethernet command to restore this default setting. NOTE: After you configure an interface as a member of a group interface, you cannot change the Ethernet interface type setting for that group interface. Use the show (conf-group-intf context) command to display the current Ethernet interface type setting for the group interface that you are configuring.
Syntax
interface-type {gigabitethernet | 10gigabitethernet}
Inline Commands
The following table lists the CLI commands used inline with the interface-type command.

Command              Description
gigabitethernet      Sets the Ethernet interface type to Gigabit Ethernet for the group interface that you are configuring.
10gigabitethernet    Sets the Ethernet interface type to 10 Gigabit Ethernet for the group interface that you are configuring.
Restrictions
Default Privilege Level: 15
After you configure an interface as a member of a group interface, you cannot change the Ethernet interface type setting for that group interface.
Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#

XOS applies the above Ethernet interface configuration setting to all members of the group interface called testgrpint. All NPM interfaces that you configure as members of this group interface must be Gigabit Ethernet interfaces.
Syntax
[no] pause-frame
Contexts
You access this command from the conf-grp-intf-gig or conf-grp-intf-10gig context.

To access the conf-grp-intf-gig context from the main CLI context, you perform the following steps:

1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the Gigabit Ethernet interfaces that belong to the specified group interface.

To access the conf-grp-intf-10gig context from the main CLI context, you perform the following steps:

1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the 10gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the 10 Gigabit Ethernet interfaces that belong to the specified group interface.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#

The following command disables PAUSE frame support on all Gigabit Ethernet interfaces that belong to the group interface called testgrpint:

CBS(conf-grp-intf-gig)# no pause-frame
CBS(conf-grp-intf-gig)#
Syntax
[no] auto-negotiate
Context
You access this command from the conf-grp-intf-gig context. To access this context from the main CLI context, you perform the following steps:

1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the Gigabit Ethernet interfaces that belong to the specified group interface.
Restrictions
Default Privilege Level: 15

This setting is not configurable for members of a group interface whose Ethernet interface type is set to 10 Gigabit Ethernet.
Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#

The following command disables auto-negotiation on all Gigabit Ethernet interfaces that belong to the group interface called testgrpint:

CBS(conf-grp-intf-gig)# no auto-negotiate
CBS(conf-grp-intf-gig)#
Syntax
duplex-mode {full | half}
no duplex-mode
Context
You access this command from the conf-grp-intf-gig context. To access this context from the main CLI context, you perform the following steps:

1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the Gigabit Ethernet interfaces that belong to the specified group interface.
Parameters
The following table lists the parameters used with this command.

Parameter    Description
full         Configures group interface members to operate in full-duplex mode. This is the default setting.
half         Configures group interface members to operate in half-duplex mode.
Restrictions
Default Privilege Level: 15

- This setting applies only to Gigabit Ethernet interfaces with copper connectors.
- This setting is not configurable for members of a group interface whose Ethernet interface type is set to 10 Gigabit Ethernet.
- This setting has no effect if auto-negotiation is enabled on the interfaces that belong to the group interface that you are configuring. Use the show (conf-group-intf context) command to determine whether auto-negotiation is enabled or disabled on the Gigabit Ethernet interfaces that belong to the group interface that you are configuring. See auto-negotiate (conf-grp-intf-gig context) on page 503 for information about enabling and disabling auto-negotiation on the Gigabit Ethernet interfaces configured as members of a group interface.
- Members of a Multi-link Mode group interface cannot be configured to operate in half-duplex mode. If you attempt to issue the duplex-mode half command when configuring a multi-link mode group interface, the CLI displays an error message and reconfigures the group interface members to operate in full-duplex mode.
Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces configured as members of the group interface called testgrpint.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#

The following command configures the Gigabit Ethernet interfaces that belong to the group interface called testgrpint to operate in half-duplex mode:

CBS(conf-grp-intf-gig)# duplex-mode half
CBS(conf-grp-intf-gig)#
Syntax
media-speed {10 | 100 | 1000}
no media-speed
Context
You access this command from the conf-grp-intf-gig context. To access this context from the main CLI context, you perform the following steps:

1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the Gigabit Ethernet interfaces that belong to the specified group interface.
Parameters
The following table lists the parameters used with this command.

Parameter    Description
10           Sets the media speed to 10 Mbps for all Gigabit Ethernet interfaces that belong to the group interface that you are configuring.
100          Sets the media speed to 100 Mbps for all Gigabit Ethernet interfaces that belong to the group interface that you are configuring.
1000         Sets the media speed to 1 Gbps for all Gigabit Ethernet interfaces that belong to the group interface that you are configuring. This is the default setting.
Restrictions
Default Privilege Level: 15

- This setting applies only to Gigabit Ethernet interfaces with copper connectors.
- This setting is not configurable for members of a group interface whose Ethernet interface type is set to 10 Gigabit Ethernet.
- This setting has no effect if auto-negotiation is enabled on the interfaces that belong to the group interface that you are configuring. Use the show (conf-group-intf context) command to determine whether auto-negotiation is enabled or disabled on the Gigabit Ethernet interfaces that belong to the group interface that you are configuring. See auto-negotiate (conf-grp-intf-gig context) on page 503 for information about enabling and disabling auto-negotiation on the Gigabit Ethernet interfaces configured as members of a group interface.
Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:

CBS# configure group-interface testgrpint
CBS(conf-group-intf)#

The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint.

CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#

The following command sets the media speed to 10 Mbps for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint:

CBS(conf-grp-intf-gig)# media-speed 10
CBS(conf-grp-intf-gig)#
Syntax
[no] enable
Contexts
You access this command from the conf-grp-intf-gig or conf-grp-intf-10gig context. To access the conf-grp-intf-gig context from the main CLI context, you perform the following steps: 1. 2. Issue the configure group-interface command to configure a specific group interface. Issue the gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the Gigabit Ethernet interfaces that belong to the specified group interface.
To access the conf-grp-intf-10gig context from the main CLI context, you perform the following steps:
1. Issue the configure group-interface command to configure a specific group interface.
2. Issue the 10gigabitethernet command inline with the interface-type (conf-group-intf context) command to configure settings for the 10 Gigabit Ethernet interfaces that belong to the specified group interface.
Restrictions
Default Privilege Level: 15
You can disable individual physical interfaces that belong to an enabled group interface. However, you cannot enable individual physical interfaces that belong to a disabled group interface. See enable (conf-grp-intf-intf context) on page 512 for instructions on enabling and disabling individual interfaces within a group.
Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint:
CBS# configure group-interface testgrpint
CBS(conf-group-intf)#
The following command sets the Ethernet interface type to Gigabit Ethernet for the group interface called testgrpint. This command also places you in the conf-grp-intf-gig context, in which you can configure additional settings for the Gigabit Ethernet interfaces that belong to the group interface called testgrpint.
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)#
The following command temporarily disables the group interface called testgrpint:
CBS(conf-grp-intf-gig)# no enable
CBS(conf-grp-intf-gig)#
NPMs will not allow traffic to pass through the Gigabit Ethernet interfaces that belong to the group interface called testgrpint until you issue the following commands:
CBS# configure group-interface testgrpint
CBS(conf-group-intf)# interface-type gigabitethernet
CBS(conf-grp-intf-gig)# enable
CBS(conf-grp-intf-gig)#
Syntax
[no] interface <slot>/<port>
Parameters
The following table lists the parameters used with this command.
Parameter / Description
<slot>
Chassis slot number assigned to the NPM on which you want to configure an Ethernet interface as a member of the group interface that you are configuring.
<port>
NPM port number assigned to the Ethernet interface that you want to configure as a member of the group interface that you are configuring.
NOTE: The specified NPM port must be the interface type that you configured for the group interface using the interface-type (conf-group-intf context) command. On an NPM-86x0, only ports 11 and 12 are 10 Gigabit Ethernet interfaces. All other NPM ports are Gigabit Ethernet ports.
Restrictions
Default Privilege Level: 15
You must set the operating mode for a group interface and map a circuit to that group interface before adding members to that group interface.
After a physical interface has been configured as a standalone interface using the configure interface command, that physical interface cannot be configured as a member of a group interface.
After you configure an interface as a member of a group interface, you cannot change the Ethernet interface type setting for that group interface.
The following restrictions apply only to group interfaces configured to operate in Multi-link Mode:
The group interface can include a maximum of eight physical interfaces.
Group interface members cannot be used in interface redundancy configurations. See configure redundancy-interface on page 541 for more information about interface redundancy configurations.
Example
In this example, we will configure a physical interface as a member of a Multi-link Mode group interface called testgrpint.
NOTE: The group interface template circuit is called testgrp.
The following command places you in the conf-group-intf context in which you can configure the existing multi-link mode group interface called testgrpint:
CBS# configure group-interface testgrpint
CBS(conf-group-intf)#
The following command configures Gigabit Ethernet port number 2 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network, and configures this interface as a member of the group interface called testgrpint. This command also places you in the conf-grp-intf-intf context in which you can enable or disable Gigabit Ethernet interface 1/2.
CBS(conf-group-intf)# interface 1/2
CBS(conf-grp-intf-intf)# exit
CBS(conf-group-intf)#
To complete the LAG, use the interface command to configure additional ports for the interface.
Syntax
[no] enable
Context
You access this command from the conf-grp-intf-intf context. You access this context by issuing the configure group-interface command to configure a specific group interface and then issuing the interface (conf-group-intf context) command to configure a physical interface as a member of that group interface.
Restrictions
Default Privilege Level: 15
You can disable individual physical interfaces that belong to an enabled group interface. However, you cannot enable individual physical interfaces that belong to a disabled group interface. Use the show (conf-group-intf context) command to determine whether the group interface that you are configuring is enabled or disabled. See enable (conf-grp-intf-gig or conf-grp-intf-10gig context) on page 508 for instructions on enabling and disabling a group interface.
Example
The following command places you in the conf-group-intf context in which you can configure the existing group interface called testgrpint.
CBS# configure group-interface testgrpint
CBS(conf-group-intf)#
The following command places you in the conf-grp-intf-intf context in which you can configure Gigabit Ethernet interface 1/2, which has been configured as a member of the group interface called testgrpint:
CBS(conf-group-intf)# interface 1/2
CBS(conf-grp-intf-intf)#
The following command disables Gigabit Ethernet interface 1/2:
CBS(conf-grp-intf-intf)# no enable
CBS(conf-grp-intf-intf)#
The NPM will not allow traffic to pass through Gigabit Ethernet interface 1/2 until you issue the following commands:
CBS# configure group-interface testgrpint
CBS(conf-group-intf)# interface 1/2
CBS(conf-grp-intf-intf)# enable
CBS(conf-grp-intf-intf)#
Syntax
logical <logical_name> ingress-vlan-tag {<VLAN_tag> | <lowest_VLAN_tag> <highest_VLAN_tag>}
no logical <logical_name>
Parameters
The following table lists the parameters used with this command.
Parameter / Description
<logical_name>
Name assigned to the logical interface that you wish to create, configure, or delete.
ingress-vlan-tag {<VLAN_tag> | <lowest_VLAN_tag> <highest_VLAN_tag>}
Configures the logical interface to create a logical link between a circuit's VNDs and either a single VLAN or a range of VLANs. Specify a single VLAN tag, <VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets with the specified VLAN tag. Specify this parameter with a range of VLAN tags, <lowest_VLAN_ID> <highest_VLAN_ID>, to enable the circuit mapped to the logical interface to accept only packets whose VLAN tags are within the specified range. Valid values for <VLAN_ID>, <lowest_VLAN_ID>, and <highest_VLAN_ID> are from 0 to 4094.
NOTE: A single group interface or internal interface cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.
Restrictions
Default Privilege Level: 15
Each VLAN circuit mapped to a logical interface must be assigned to at least one of the VAP groups that is connected to the group interface, and each VAP group's circuit configuration must include the default-egress-vlan-tag (conf-cct-vapgroup context) command.
Each VLAN circuit mapped to a logical interface configured for an internal interface must be assigned only to the VAP group on which the VLAN connection terminates.
A single group interface or internal interface cannot have multiple logical interfaces configured with overlapping VLAN tag ranges.
Multi-link mode group interface members cannot be used in interface redundancy configurations.
Example
In this example, we have configured a group interface called testgrpint to operate in Multi-link Mode. This group interface is mapped to the VAP group testvapgroup. We have configured the following interfaces as members of the group interface called testgrpint:
Gigabit Ethernet interface 1/2
Gigabit Ethernet interface 1/3
The group interface called testgrpint bonds Gigabit Ethernet interfaces 1/2 and 1/3 into a single logical interface and uses the circuit testgrp to pass traffic between this interface and the VAP group called testvapgroup. We wish to create separate connections for VLANs 101 and 102 with the members of the VAP group called testvapgroup. To do this, we need to create circuits for the VLANs for the VAP group testvapgroup and then create logical interfaces for the group interface called testgrpint for each VLAN circuit.
NOTE: In the conf-group-intf context, the logical command creates a logical interface and maps an existing circuit to the logical interface. However, for reference, the following example includes the circuit configuration steps as well.
The following commands create two circuits called vlan101 and vlan102. The VAP group called testvapgroup will use the circuit called vlan101 to connect to VLAN 101, and will use the circuit called vlan102 to connect to VLAN 102.
CBS# configure circuit vlan101
CBS(conf-cct)# device-name vlan101
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# default-egress-vlan-tag 101
CBS(conf-cct-vapgroup)# ip 10.0.101.8/24 10.0.101.255
CBS(conf-cct-vapgroup-ip)# end
CBS# configure circuit vlan102
CBS(conf-cct)# device-name vlan102
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# default-egress-vlan-tag 102
CBS(conf-cct-vapgroup)# ip 10.0.102.8/24 10.0.102.255
CBS(conf-cct-vapgroup-ip)# end
CBS#
The following command places you in the conf-group-intf context in which you can configure the existing multi-link mode group interface called testgrpint:
CBS# configure group-interface testgrpint
CBS(conf-group-intf)#
The following commands create and configure a logical interface for the internal interface that belongs to the group interface called testgrpint for each VLAN circuit configured on the VAP group called testvapgroup, and map each VLAN circuit to a logical interface.
NOTE: See circuit (conf-group-intf-logical context) on page 516 for more information about the command used to create each circuit that you want to map to a logical interface.
CBS(conf-group-intf)# logical vlan101 ingress-vlan-tag 101
CBS(conf-group-intf-logical)# circuit vlan101
CBS(conf-group-intf-logical)# exit
CBS(conf-group-intf)# logical vlan102 ingress-vlan-tag 102
CBS(conf-group-intf-logical)# circuit vlan102
CBS(conf-group-intf-logical)# end
CBS#
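The restrictions above (VLAN tags from 0 to 4094, and no overlapping VLAN tag ranges among the logical interfaces of a single group interface) can be checked offline before a change is applied. The following Python script is an added example, not part of the XOS documentation: it parses a constructed command listing written in the syntax shown above and reports overlapping ranges. The names dmzgrpint, users, voice and mgmt are invented for illustration, and resetting the context on end is a simplifying assumption.

```python
import re
from itertools import combinations

VLAN_TAG_MAX = 4094  # the guide gives 0 to 4094 as the valid ingress-vlan-tag range

PROMPT_RE = re.compile(r"^CBS(?:\([^)]*\))?#\s*")
GROUP_RE = re.compile(r"^configure\s+group-interface\s+(\S+)$")
LOGICAL_RE = re.compile(r"^logical\s+(\S+)\s+ingress-vlan-tag\s+(\d+)(?:\s+(\d+))?$")
NO_LOGICAL_RE = re.compile(r"^no\s+logical\s+(\S+)$")

# Constructed sample listing; dmzgrpint, users, voice and mgmt are invented names.
SAMPLE_LISTING = """\
CBS# configure group-interface testgrpint
CBS(conf-group-intf)# logical vlan101 ingress-vlan-tag 101
CBS(conf-group-intf-logical)# circuit vlan101
CBS(conf-group-intf-logical)# exit
CBS(conf-group-intf)# logical vlan102 ingress-vlan-tag 102
CBS(conf-group-intf-logical)# circuit vlan102
CBS(conf-group-intf-logical)# end
CBS# configure group-interface dmzgrpint
CBS(conf-group-intf)# logical users ingress-vlan-tag 200 299
CBS(conf-group-intf-logical)# exit
CBS(conf-group-intf)# logical voice ingress-vlan-tag 250 260
CBS(conf-group-intf-logical)# exit
CBS(conf-group-intf)# logical mgmt ingress-vlan-tag 101
CBS(conf-group-intf-logical)# end
"""


def parse_logical_interfaces(listing):
    """Return {group_interface: {logical_name: (low, high)}} from a command listing."""
    groups = {}
    current = None  # group interface whose context the listing is currently in
    for number, raw in enumerate(listing.splitlines(), start=1):
        line = PROMPT_RE.sub("", raw.strip())
        if line == "end":
            current = None  # assumption: end returns to the main CLI context
            continue
        match = GROUP_RE.match(line)
        if match:
            current = match.group(1)
            groups.setdefault(current, {})
            continue
        match = NO_LOGICAL_RE.match(line)
        if match and current is not None:
            groups[current].pop(match.group(1), None)  # "no logical" deletes it
            continue
        match = LOGICAL_RE.match(line)
        if not match:
            continue  # bare prompts, circuit, exit and other commands are ignored
        if current is None:
            raise ValueError(f"line {number}: logical command outside a group interface")
        name, low = match.group(1), int(match.group(2))
        high = int(match.group(3)) if match.group(3) else low  # single tag = 1-wide range
        if not 0 <= low <= high <= VLAN_TAG_MAX:
            raise ValueError(
                f"line {number}: VLAN tag range {low}-{high} is not within 0-{VLAN_TAG_MAX}"
            )
        groups[current][name] = (low, high)
    return groups


def find_overlaps(groups):
    """List (group, name_a, name_b, (low, high)) for each overlapping pair in one group."""
    findings = []
    for group, logicals in groups.items():
        for (name_a, (low_a, high_a)), (name_b, (low_b, high_b)) in combinations(
            logicals.items(), 2
        ):
            low, high = max(low_a, low_b), min(high_a, high_b)
            if low <= high:  # the two ranges share at least one VLAN tag
                findings.append((group, name_a, name_b, (low, high)))
    return findings


if __name__ == "__main__":
    for group, a, b, (low, high) in find_overlaps(parse_logical_interfaces(SAMPLE_LISTING)):
        print(f"{group}: {a} and {b} overlap on VLAN tags {low}-{high}")
```

The same tag on two different group interfaces (vlan101 on testgrpint and mgmt on dmzgrpint here) is not reported, because the restriction is stated per group interface.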
Syntax
[no] circuit <circuit_name> [[no] flow-table-limit] [[no] fragment-handling-options] [[no] packet-validation]
Context
You access this command from the conf-group-intf-logical context. You access this context from the main CLI context by issuing the configure group-interface command to configure a specific group interface and then issuing the logical (conf-group-intf context) command to configure a logical interface for the specified group interface.
Parameters
The following table lists the parameters used with this command.
Parameter / Description
<circuit_name>
Name of the circuit that you wish to map to the logical interface that you are configuring. Use the show circuit command to display all current circuit configurations.
[no] flow-table-limit
Overrides the global action when the flow table limit has been reached. Has this additional parameter:
alternative-action pass: Specifies that traffic should be passed after the flow table limit has been exceeded.
[no] fragment-handling-options
Enables or disables (using no) fragment handling protection, which overwrites the global settings.
[no] packet-validation
Enables or disables (using no) packet validation, which overwrites the global settings. Has these additional parameters:
[no] validate-ip-packet: Overrides the global action for invalid IP packets.
[no] validate-tcp-packet: Overrides the global action for invalid TCP packets.
[no] validate-tcp-xsum: Overrides the global action for invalid TCP packets with respect to checksum.
Restrictions
Default Privilege Level: 15
Each VLAN circuit mapped to a logical interface must be assigned to at least one of the VAP groups that is connected to the group interface, and each VAP group's circuit configuration must include the default-egress-vlan-tag (conf-cct-vapgroup context) command.
Each VLAN circuit mapped to a logical interface configured for an internal interface must be assigned only to the VAP group on which the VLAN connection terminates.
Example
In this example, we have configured a group interface called testgrpint to operate in Multi-link Mode. This group interface is mapped to the VAP group testvapgroup. We have configured the following interfaces as members of the group interface called testgrpint:
Gigabit Ethernet interface 1/2
Gigabit Ethernet interface 1/3
The group interface called testgrpint bonds Gigabit Ethernet interfaces 1/2 and 1/3 into a single logical interface and uses the circuit testgrp to pass traffic between this interface and the VAP group called testvapgroup. We wish to create separate connections for VLANs 101 and 102 with the members of the VAP group called testvapgroup. To do this, we need to create circuits for the VLANs for the VAP group testvapgroup and then create logical interfaces for the group interface called testgrpint for each VLAN circuit.
NOTE: In the conf-group-intf-logical context, the circuit command maps an existing circuit to the logical interface. However, for reference, the following example includes the circuit configuration steps as well.
The following commands create two circuits called vlan101 and vlan102. The VAP group called testvapgroup will use the circuit called vlan101 to connect to VLAN 101, and will use the circuit called vlan102 to connect to VLAN 102.
CBS# configure circuit vlan101
CBS(conf-cct)# device-name vlan101
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# default-egress-vlan-tag 101
CBS(conf-cct-vapgroup)# ip 10.0.101.8/24 10.0.101.255
CBS(conf-cct-vapgroup-ip)# end
CBS# configure circuit vlan102
CBS(conf-cct)# device-name vlan102
CBS(conf-cct)# vap-group testvapgroup
CBS(conf-cct-vapgroup)# default-egress-vlan-tag 102
CBS(conf-cct-vapgroup)# ip 10.0.102.8/24 10.0.102.255
CBS(conf-cct-vapgroup-ip)# end
CBS#
The following command places you in the conf-group-intf context in which you can configure the existing multi-link mode group interface called testgrpint:
CBS# configure group-interface testgrpint
CBS(conf-group-intf)#
The following commands create and configure a logical interface for the internal interface that belongs to the group interface called testgrpint for each VLAN circuit configured on the VAP group called testvapgroup, and map each VLAN circuit to a logical interface.
NOTE: See logical (conf-group-intf context) on page 514 for more information about the command used to map each circuit to its logical interface.
CBS(conf-group-intf)# logical vlan101 ingress-vlan-tag 101
CBS(conf-group-intf-logical)# circuit vlan101
CBS(conf-group-intf-logical)# exit
CBS(conf-group-intf)# logical vlan102 ingress-vlan-tag 102
CBS(conf-group-intf-logical)# circuit vlan102
CBS(conf-group-intf-logical)# end
CBS#
Syntax
show
Context
You access this command from the conf-group-intf context. You access this context from the main CLI context by issuing the configure group-interface command.
Output
The output for this command has the following format:
Group Name : <group_interface_name>
Mode : [multi-link]
Mode Circuit : [<template_circuit_name>]
Traffic Cleaning Validation:
Interface Type : {gigabitethernet | 10gigabitethernet}
Enable (true/false) : {t | f}
Auto Negotiate Enabled (true/false) : {t | f}
Media Speed (Mbits) : {auto | 100 | 10}
Duplex Mode : {auto | full | half}
Pause Frame (true/false) : {t | f}
Included Group : <group_interface_name>
Physical Interface (Device) [en/disable] : {gigabitethernet | 10gigabitethernet} <slot>/<port> (<device_name>) [{enable | disable}]
: <logical_interface_name> <lowest_VLAN_tag> <highest_VLAN_tag> (<VLAN_circuit_name>)
The following table describes the information provided in each column/row.
Column/Row Heading / Information Provided
Group Name
Name of the group interface that you are configuring. See configure group-interface on page 496 for information about assigning a name to a new group interface.
Mode
This row appears blank if the operating mode is not set for the group interface that you are configuring. Indicates the operating mode setting for the group interface that you are configuring:
multi-link: Group interface is configured to operate in Multi-link Mode. Group interface members are configured as members of a link aggregation group (LAG).
See mode (conf-group-intf context) on page 497 for information about setting the operating mode for a group interface.
Mode Circuit
This row appears blank if the operating mode is not set for the group interface that you are configuring. Name of the template circuit mapped to this group interface. See mode (conf-group-intf context) on page 497 for information about setting the operating mode for a group interface and mapping a template circuit to that group interface.
Interface Type
Indicates the Ethernet interface type setting for the group interface that you are configuring:
gigabitethernet: Default setting. Ethernet interface type is set to Gigabit Ethernet.
10gigabitethernet: Ethernet interface type is set to 10 Gigabit Ethernet.
XOS applies the specified Ethernet interface type setting to all members of the group interface that you are configuring. All Network Processor Module (NPM) interfaces that you configure as members of this group interface must be of the specified interface type. See interface-type (conf-group-intf context) on page 500 for information about setting the interface type for a group interface.
Enable (true/false)
Indicates whether the group interface is enabled (t) or disabled (f). Default is enabled (t). If a group interface is disabled, NPMs do not allow traffic to pass through any of the physical interfaces that belong to the group interface. See enable (conf-grp-intf-intf context) on page 512 for information about enabling and disabling a group interface.
Auto Negotiate Enabled (true/false)
Indicates whether auto-negotiation is enabled (t) or disabled (f) on the physical interfaces that belong to the group interface that you are configuring. Default is enabled (t).
NOTE: This setting applies to all physical interfaces that belong to this group interface.
See auto-negotiate (conf-grp-intf-gig context) on page 503 for information about enabling and disabling auto-negotiation on the physical interfaces that belong to a group interface.
Media Speed (Mbits)
Media speed setting for the physical interfaces that belong to the group interface that you are configuring. This row displays one of the following keywords:
auto: Indicates that auto-negotiation is enabled on the interface. When an external system establishes a connection with the X-Series Platform using this interface, the X-Series Platform works with the external system to choose the optimal media speed for that connection.
100: Media speed is 100 Mbps. This is the default setting when auto-negotiation is disabled.
10: Media speed is 10 Mbps.
NOTE: This setting applies to all physical interfaces that belong to this group interface.
See media-speed (conf-grp-intf-gig context) on page 506 for information about setting the media speed for the physical interfaces that belong to a group interface.
Duplex Mode
Duplex mode setting for the physical interfaces that belong to the group interface that you are configuring. This row displays one of the following keywords:
auto: Indicates that auto-negotiation is enabled on the interface. When an external system establishes a connection with the X-Series Platform using this interface, the X-Series Platform works with the external system to choose the optimal duplex mode for that connection.
full: Interface is operating in full-duplex mode. This is the default setting when auto-negotiation is disabled.
half: Interface is operating in half-duplex mode.
NOTE: This setting applies to all physical interfaces that belong to this group interface.
See duplex-mode (conf-grp-intf-gig context) on page 504 for information about setting the duplex mode for the physical interfaces that belong to a group interface.
Pause Frame (true/false)
Indicates whether PAUSE frame support is enabled (t) or disabled (f) for the physical interfaces that belong to the group interface that you are configuring. Default is enabled (t).
NOTE: This setting applies to all physical interfaces that belong to this group interface.
See pause-frame (conf-grp-intf-gig or conf-grp-intf-10gig context) on page 502 for information about enabling and disabling PAUSE frame support for the physical interfaces that belong to a group interface.
Physical Interface (Device) [en/disable]
This row appears only if you have configured a physical interface as a member of the group interface that you are configuring. The output for the show command includes one Physical Interface row for each physical interface that belongs to the group interface that you are configuring. Each row displays information in the following format:
{gigabitethernet | 10gigabitethernet} <slot>/<port> (<device_name>) [{enable | disable}]
where:
{gigabitethernet | 10gigabitethernet} indicates whether the physical interface is a Gigabit Ethernet interface or a 10 Gigabit Ethernet interface.
NOTE: Each physical interface must be of the Ethernet interface type configured for the group interface.
<slot> is the chassis slot number assigned to the NPM on which you have configured the physical interface.
<port> is the NPM port number assigned to the physical interface.
{enable | disable} indicates whether the physical interface is enabled or disabled. Default is enabled. If an interface is disabled, the NPM does not allow traffic to pass through that interface, even if the group interface is enabled.
NOTE: See enable (conf-grp-intf-intf context) on page 512 for information about enabling and disabling individual physical interfaces that belong to a group interface.
See interface (conf-group-intf context) on page 510 for information about configuring a physical interface as a member of a group interface.
Logical Interface (Circuit)
This row appears only if you have configured a logical interface for the group interface that you are configuring or for the internal interface that belongs to that group interface. The output for the show command includes one Logical Interface row for each logical interface that you have configured. Each row displays information in the following format:
<logical_interface_name> ingress-vlan-tag <lowest_VLAN_tag> <highest_VLAN_tag> (<VLAN_circuit_name>)
where:
<logical_interface_name> is the name assigned to the logical interface.
<lowest_VLAN_tag> <highest_VLAN_tag> indicates the range of VLANs from which the VLAN circuit mapped to this logical interface can accept traffic.
NOTE: If both VLAN ID numbers are the same, the circuit accepts traffic only from the specified VLAN.
<VLAN_circuit_name> is the name of the VLAN circuit mapped to this logical interface.
See logical (conf-group-intf context) on page 514 for information about configuring a logical interface for a group interface or for an internal interface configured as a member of a group interface.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-group-intf context in which you can configure the existing transparent mode group interface called testgrpint.
CBS# configure group-interface testgrpint
CBS(conf-group-intf)#
The following command displays the current configuration settings for the group interface called testgrpint and for the members of that group interface.
NOTE: This command displays some of the configuration settings that you would create if you issued the example commands that we have provided throughout this section.
CBS(conf-group-intf)# show
Group Name : testgrpint
Mode : transparent
Mode Circuit : testgrp
Interface Type : gigabitethernet
Enable (true/false) : t
Auto Negotiate Enabled (true/false) : f
Media Speed (Mbits) : 10
Duplex Mode : half
Pause Frame (true/false) : f
Physical Interface (Device) [en/disable] : gigabitethernet 1/2 (testdev12) [enable]
Logical Interface (Circuit) (vlan101)
Logical Interface (Circuit) (vlan102)
(1 row)
CBS(conf-group-intf)#
configure acl-interface
When you configure an individual physical interface on a Network Processor Module (NPM) to pass traffic between the X-Series Platform and an external network, or when you configure a group interface that includes one or more physical interfaces, you can define an access control list (ACL) for that individual interface or group interface. An ACL consists of a filter and an action. When you define an ACL for an interface, the NPMs inspect all packets arriving on that interface and perform the ACL's action on all packets that match the criteria defined in the filter.
NOTE: When you define an ACL for a group interface, the NPMs apply the ACL to all physical interfaces in the group.
The configure acl-interface command creates and configures a new ACL filter or configures the specified existing ACL filter. This command also places you in the conf-acl-intf context in which you can configure the specified ACL filter. After you have created and configured an ACL filter, you can use that filter for ACLs that you define for one or more individual physical interfaces and/or group interfaces. Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.
Use the no parameter to delete the specified ACL filter.
NOTE: Before deleting an ACL filter, you must delete all interface ACL definitions that include that filter. Use the show acl-interface-mapping command to display a list of the ACLs defined for each physical interface and group interface configured on the X-Series Platform.
Syntax
configure [no] acl-interface <ACL_filter_name>
Parameters
The following table lists the parameters used with this command.
Parameter / Description
<ACL_filter_name>
Name assigned to the ACL filter that you want to create, configure, or delete.
Restrictions
Default Privilege Level: 15
ACL mirroring can be done to more than one other interface provided that the target interfaces are on the same NPM.
Multiple ACL filters can be configured for the same interface. When a packet arrives on an interface, the NPM applies the filters to the packet one at a time, in the order that the filters were configured.
Remote mirroring (the mirrored port is on a different NPM than the source port) is not supported.
Remote pass-through (the destination port is on a different NPM than the source port) is not supported.
Before deleting an ACL filter, you must delete all interface ACL definitions that include that filter. Use the show acl-interface-mapping command to display a list of the ACLs defined for each physical interface and group interface configured on the X-Series Platform.
Example
The following command creates a new ACL filter called testmirroracl and places you in the conf-acl-intf context in which you can configure this ACL filter:
CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#
Syntax
direction {ingress-only | egress-only | bidirectional}
Context
You access this command from the conf-acl-intf context. You access this context from the main CLI context by issuing the configure acl-interface command.
Parameters
The following table lists the parameters used with this command.
Parameter / Description
ingress-only
Defines flow direction filtering criteria to match only ingress traffic. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action only to packets ingressing the X-Series Platform over the interface for which the ACL is defined. This is the default flow direction filtering criteria defined when you create a new ACL filter.
egress-only
Defines flow direction filtering criteria to match only egress traffic. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action only to packets egressing the X-Series Platform over the interface for which the ACL is defined.
bidirectional
Defines flow direction filtering criteria as all traffic flowing into and out of the X-Series Platform. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to all packets passing through the interface for which the ACL is defined.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-acl-intf context in which you can configure the ACL filter called testmirroracl:
CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#
The following command defines flow direction filtering criteria for the ACL filter called testmirroracl, such that the filtering criteria match only ingress traffic:
CBS(conf-acl-intf)# direction ingress-only
CBS(conf-acl-intf)#
When an interface ACL includes the filter called testmirroracl, the NPM applies the ACL's action only to packets ingressing the X-Series Platform over the interface for which the ACL is defined.
Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.
Syntax
vlan {<VLAN_tag> | <VLAN_tag> <mask>}
Context
You access this command from the conf-acl-intf context. You access this context from the main CLI context by issuing the configure acl-interface command.
Parameters
The following table lists the parameters used with this command.
Parameter / Description
<VLAN_tag>
Defines VLAN tag filtering criteria, using the specified VLAN tag. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's VLAN tag matches the specified VLAN tag. You can specify a VLAN tag in decimal or hexadecimal format. Valid decimal values are from 0 to 4095. Valid hexadecimal values are from 0x000 to 0x0fff.
<VLAN_tag> <mask>
Defines VLAN tag filtering criteria, using the specified VLAN tag and the specified mask. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's VLAN tag matches the specified VLAN tag when the specified mask is applied. You can specify the VLAN tag and mask in decimal or hexadecimal format. Valid decimal values for <VLAN_tag> are from 0 to 4095. Valid hexadecimal values are from 0x000 to 0x0FFF. Valid decimal values for <mask> are from 0 to 4095. Valid hexadecimal values are from 0x000 to 0x0FFF.
NOTE: The X-Series Platform applies the mask in binary format, where 0s indicate wildcard bits. A packet's VLAN tag matches the specified VLAN tag if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified VLAN tag, use a mask of 0x0FFF. To apply the ACL's action without considering a packet's VLAN tag, use a mask of 0x0000.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-acl-intf context in which you can configure the ACL filter called testmirroracl:
CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#
The following command defines VLAN tag filtering criteria for the ACL filter called testmirroracl, using the VLAN tag, 2000:
CBS(conf-acl-intf)# vlan 2000
CBS(conf-acl-intf)#
When an interface ACL includes the filter called testmirroracl, the NPM applies the ACL's action to a packet passing through the interface only if the packet's VLAN ID number is 2000.
Syntax
ether-type {<Ethernet_type_code> | <Ethernet_type_code> <mask>}
Context
You access this command from the conf-acl-intf context. You access this context from the main CLI context by issuing the configure acl-interface command.
Parameters
The following table lists the parameters used with this command.
Parameter: <Ethernet_type_code>
Description: Defines Ethernet type filtering criteria, using the specified Ethernet type code. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's Ethernet type code matches the specified Ethernet type code. You must specify the Ethernet type code in hexadecimal format. Valid values are from 0x0000 to 0xFFFF.
Parameter: <Ethernet_type_code> <mask>
Description: Defines Ethernet type filtering criteria, using the specified Ethernet type code and the specified mask. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's Ethernet type code matches the specified Ethernet type code when the specified mask is applied. You must specify the Ethernet type code and mask in hexadecimal format. Valid values for <Ethernet_type_code> are from 0x0000 to 0xFFFF. Valid values for <mask> are from 0x0000 to 0xFFFF.
NOTE: The X-Series Platform applies the mask in binary format, where 0s indicate wildcard bits. A packet's Ethernet type code matches the specified Ethernet type code if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified Ethernet type code, use a mask of 0xFFFF. To apply the ACL's action without considering a packet's Ethernet type code, use a mask of 0x0000.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-acl-intf context in which you can configure the ACL filter called testmirroracl:
CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#
The following command defines Ethernet code filtering criteria for the ACL filter called testmirroracl, using the Ethernet code, 0x0002:
CBS(conf-acl-intf)# ether-type 0x0002
CBS(conf-acl-intf)#
When an interface ACL includes the filter called testmirroracl, the NPM applies the ACL's action to a packet passing through the interface only if the packet's Ethernet type code is 0x0002.
Syntax
source-mac {<source_MAC_address> | <source_MAC_address> <mask>}
Context
You access this command from the conf-acl-intf context. You access this context from the main CLI context by issuing the configure acl-interface command.
Parameters
The following table lists the parameters used with this command.
Parameter: <source_MAC_address>
Description: Defines source MAC address filtering criteria, using the specified source MAC address. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's source MAC address matches the specified source MAC address. You must specify the source MAC address using the standard hexadecimal address format (aa:bb:cc:dd:ee:ff).
Parameter: <source_MAC_address> <mask>
Description: Defines source MAC address filtering criteria, using the specified source MAC address and the specified mask. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's source MAC address matches the specified source MAC address when the specified mask is applied. You must specify the source MAC address and mask using the standard hexadecimal address format (aa:bb:cc:dd:ee:ff).
NOTE: The X-Series Platform applies the mask in binary format, where 0s indicate wildcard bits. A packet's source MAC address matches the specified source MAC address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified source MAC address, use a mask of ff:ff:ff:ff:ff:ff. To apply the ACL's action without considering a packet's source MAC address, use a mask of 00:00:00:00:00:00.
Restrictions
Default Privilege Level: 15
If you configure an ACL filter with source MAC address filtering criteria, you must also configure that filter with traffic flow direction filtering criteria that matches only ingress traffic. See direction (conf-acl-intf context) on page 526 for information about defining traffic flow direction filtering criteria for an ACL filter.
Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.
Example
The following command places you in the conf-acl-intf context in which you can configure the ACL filter called testmirroracl:
CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#
The following command defines source MAC address filtering criteria for the ACL filter called testmirroracl, using the source MAC address, 3f:03:d2:e0:01:02:
CBS(conf-acl-intf)# source-mac 3f:03:d2:e0:01:02
CBS(conf-acl-intf)#
When an interface ACL includes the filter called testmirroracl, the NPM applies the ACL's action to a packet passing through the interface only if the packet's source MAC address is 3f:03:d2:e0:01:02.
Syntax
destination-mac {<destination_MAC_address> | <destination_MAC_address> <mask>}
Context
You access this command from the conf-acl-intf context. You access this context from the main CLI context by issuing the configure acl-interface command.
Parameters
The following table lists the parameters used with this command.
Parameter: <destination_MAC_address>
Description: Defines destination MAC address filtering criteria, using the specified destination MAC address. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's destination MAC address matches the specified destination MAC address. You must specify the destination MAC address using the standard hexadecimal address format (aa:bb:cc:dd:ee:ff).
Parameter: <destination_MAC_address> <wildcard_mask>
Description: Defines destination MAC address filtering criteria, using the specified destination MAC address and the specified mask. When an interface ACL includes the filter that you are configuring, the NPM applies the ACL's action to a packet passing through the interface only if the packet's destination MAC address matches the specified destination MAC address when the specified mask is applied. You must specify the destination MAC address and mask using the standard hexadecimal address format (aa:bb:cc:dd:ee:ff).
NOTE: The X-Series Platform applies the mask in binary format, where 0s indicate wildcard bits. A packet's destination MAC address matches the specified destination MAC address if all their non-wildcard bits match. To apply the ACL's action only to packets with the specified destination MAC address, use a mask of ff:ff:ff:ff:ff:ff. To apply the ACL's action without considering a packet's destination MAC address, use a mask of 00:00:00:00:00:00.
Restrictions
Default Privilege Level: 15
If you configure an ACL filter with destination MAC address filtering criteria, you must also configure that filter with traffic flow direction filtering criteria that matches only ingress traffic. See direction (conf-acl-intf context) on page 526 for information about defining traffic flow direction filtering criteria for an ACL filter.
Use the show acl-interface command to display the filtering criteria defined for each ACL filter that is currently configured on the X-Series Platform.
Example
The following command places you in the conf-acl-intf context in which you can configure the ACL filter called testmirroracl:
CBS# configure acl-interface testmirroracl
CBS(conf-acl-intf)#
The following command defines destination MAC address filtering criteria for the ACL filter called testmirroracl, using the destination MAC address, 00:03:d2:e0:01:02:
CBS(conf-acl-intf)# destination-mac 00:03:d2:e0:01:02
CBS(conf-acl-intf)#
When an interface ACL includes the filter called testmirroracl, the NPM applies the ACL's action to a packet passing through the interface only if the packet's destination MAC address is 00:03:d2:e0:01:02.
configure interface-status-group
This command ties the status of interfaces or group interfaces together. If all interfaces and group interfaces in an interface-status-group are UP, then the state of the interface-status-group is UP. If any interface in the group is DOWN, then the group state is DOWN.
Syntax
configure interface-status-group <group_name> [[10gigabitethernet <slot/port>] | [gigabitethernet <slot/port>] | [group-interface <group_interface_name>]]
Context
You enter this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: 10gigabitethernet <slot/port>
Description: The 10 Gigabit Ethernet port on an NPM to be included in the interface-status-group.
Parameter: gigabitethernet <slot/port>
Description: The Gigabit Ethernet port on an NPM to be included in the interface-status-group.
Parameter: group_interface_name
Description: The name of an existing group interface to be included in the interface-status-group.
Restrictions
Default Privilege Level: 15
Before an interface or group interface can be included in an interface-status-group, the interface or group interface must be configured.
Each interface in an interface-status-group cannot be included in any other interface-status-group.
Including a group interface in an interface-status-group is equivalent to including each individual member of the group interface in the interface-status-group. This means that:
- Neither the group interface nor any member of the group interface can be included in any other interface-status-group.
- You cannot include a group interface and a member of that group interface in the same interface-status-group. Doing so is equivalent to specifying the same interface twice.
configure acl-interface-mapping
This command maps a configured acl-interface to an interface or a group-interface.
Syntax
configure acl-interface-mapping [no] interface {gigabitethernet | 10gigabitethernet} <slot>/<port> [no] acl-interface <acl_interface_name> {capture | drop}
configure acl-interface-mapping [no] interface {gigabitethernet | 10gigabitethernet} <slot>/<port> [no] acl-interface <acl_interface_name> {mirror | pass-through} [no] {gigabitethernet | 10gigabitethernet} <slot>/<port>
configure acl-interface-mapping [no] group-interface <group_interface_name> [no] acl-interface <acl_interface_name> {capture | drop}
configure acl-interface-mapping [no] group-interface <group_interface_name> [no] acl-interface <acl_interface_name> {mirror | pass-through} [no] {gigabitethernet | 10gigabitethernet} <slot>/<port>
Context
You enter this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: gigabitethernet <slot>/<port>
Description: The Gigabit Ethernet port on an NPM to be mapped to an acl-interface.
Parameter: 10gigabitethernet <slot>/<port>
Description: The 10 Gigabit Ethernet port on an NPM to be mapped to an acl-interface.
Parameter: group-interface <group_interface_name>
Description: The name of the group-interface to be mapped to an acl-interface.
Parameter: acl-interface <acl_interface_name>
Description: The name of the acl-interface to be mapped to the specified interface.
Parameter: <action>
Description:
capture: Captures matched acl-interface and dumps to local eth2 interface on NPM.
drop: Drops packets on this interface on matched acl-interface.
mirror: Mirrors packets on matched acl-interface.
pass-through: Allows packets to pass-through on matched acl-interface.
NOTE: When you specify either the mirror or pass-through parameter, you must specify the type of interface and the slot and port numbers for the interface that will be either mirrored to or that will be the pass-through destination for the first interface that you specified in the command. You can specify multiple destination interfaces for both mirror and pass-through, but they must all be on the same NPM as the source interface.
Restrictions
Default Privilege Level: 15
- Remote mirroring (the mirrored port is on a different NPM than the source port) is not supported.
- Remote pass-through (the destination port is on a different NPM than the source port) is not supported.
- An interface or group-interface must be configured before it is used as a target to pass-through or mirror traffic.
- You can define multiple ACLs for the same interface. When a packet arrives on that interface, the NPM applies the ACLs to the packet one at a time, in the order in which the ACLs are configured.
- To reconfigure the precedence of acl-interface-mappings, you must delete mappings and then recreate them in the order you want.
- You cannot configure an interface as a mirror or pass-through target for itself.
- You cannot configure a single interface that is part of a group-interface to mirror traffic to a target interface. Instead, you must configure the entire group-interface to mirror the traffic to the target interface.
- Multiple ACL filters with the same function (for example, bi-directional) but different names cannot be configured in the same one-to-many mirroring mapping. In this configuration, none of the mirrored interfaces pass traffic.
Example 1
This example shows:
- The configuration of an interface
- The configuration of an acl-interface
- The mapping of the acl-interface to the interface
- The setting of the action to mirror with two different mirror interfaces specified
CBS# configure interface gigabitethernet 1/5
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/6
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/7
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure acl-interface testacl direction egress-only
CBS#
CBS# configure acl-interface-mapping
CBS(conf-acl-intf-map)# interface gigabitethernet 1/5
CBS(conf-acl-map-intf-gig)# acl-interface testacl mirror
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/6
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/7
CBS(conf-acl-map-intf-gig-mirror)# end
CBS#
Example 2
This example shows:
- The configuration of an interface
- The configuration of an acl-interface
- The mapping of the acl-interface to the interface
- The setting of the action to pass-through with two different pass-through interfaces specified
CBS# configure interface gigabitethernet 1/5
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/6
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/7
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure acl-interface acla direction ingress-only
CBS#
CBS# configure acl-interface-mapping
CBS(conf-acl-intf-map)# interface gigabitethernet 1/5
CBS(conf-acl-map-intf-gig)# acl-interface acla pass-through
CBS(conf-acl-map-intf-gig-pass-thru)# gigabitethernet 1/6
CBS(conf-acl-map-intf-gig-pass-thru)# gigabitethernet 1/7
CBS(conf-acl-map-intf-gig-pass-thru)# end
CBS#
Example 3
This example shows:
- The configuration of two interfaces
- The configuration of two acl-interfaces
- The mapping of the two acl-interfaces, each to one of the interfaces
- The setting of the action to mirror with two different mirror interfaces specified and with overlap (one or more of the mirror interfaces that are specified for the two acl-interfaces are the same)
CBS# configure interface gigabitethernet 1/4
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/5
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/6
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/7
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure interface gigabitethernet 1/8
CBS(conf-intf-gig)# auto-negotiate
CBS(conf-intf-gig)# enable
CBS(conf-intf-gig)# end
CBS#
CBS# configure acl-interface acla vlan 1000
CBS#
CBS# configure acl-interface aclb vlan 1000 0xffe
CBS#
CBS# configure acl-interface-mapping
CBS(conf-acl-intf-map)# interface gigabitethernet 1/4
CBS(conf-acl-map-intf-gig)# acl-interface acla mirror
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/6
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/7
CBS(conf-acl-map-intf-gig-mirror)# end
CBS#
CBS# configure acl-interface-mapping
CBS(conf-acl-intf-map)# interface gigabitethernet 1/5
CBS(conf-acl-map-intf-gig)# acl-interface aclb mirror
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/6
CBS(conf-acl-map-intf-gig-mirror)# gigabitethernet 1/8
CBS(conf-acl-map-intf-gig-mirror)# end
CBS#
NOTE: The mapping of acl-interface acla overlaps the mapping of acl-interface aclb. They both are applied to interface gigabitethernet 1/6 and acla takes precedence because it was configured first.
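The mask rule described for the vlan, ether-type, source-mac and destination-mac commands (0 bits are wildcards) decides how much traffic a mirror, capture or drop mapping actually covers. The following Python model is an added example, not XOS code or part of the original guide; the names Criterion, matching_vlans and audit are hypothetical, and the OUI-style MAC mask and all-zero ether-type mask are constructed inputs.

```python
# Added example: models the mask rule described in the manual; not XOS code.
FIELD_BITS = {"vlan": 12, "ether-type": 16, "source-mac": 48, "destination-mac": 48}


def parse_number(text, hex_only=False):
    """Parse a decimal or 0x-prefixed hexadecimal CLI value."""
    text = text.strip().lower()
    if text.startswith("0x"):
        return int(text, 16)
    if hex_only:
        raise ValueError(f"{text!r}: must be hexadecimal (0x...)")
    return int(text, 10)


def parse_mac(text):
    """Parse aa:bb:cc:dd:ee:ff into a 48-bit integer."""
    octets = text.strip().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"{text!r}: expected aa:bb:cc:dd:ee:ff")
    return int("".join(octets), 16)


class Criterion:
    """One filtering criterion: a field, a value and an optional mask."""

    def __init__(self, field, value, mask=None):
        self.field = field
        self.bits = FIELD_BITS[field]
        full = (1 << self.bits) - 1
        self.value = self._parse(value)
        # No mask on the command line means every bit is compared.
        self.mask = full if mask is None else self._parse(mask)
        for number in (self.value, self.mask):
            if not 0 <= number <= full:
                raise ValueError(f"{field}: {number:#x} exceeds {self.bits} bits")

    def _parse(self, text):
        if self.field.endswith("-mac"):
            return parse_mac(text)
        # The guide requires hexadecimal for ether-type; vlan accepts both.
        return parse_number(text, hex_only=(self.field == "ether-type"))

    def matches(self, observed):
        """0 bits in the mask are wildcards; only 1 bits are compared."""
        return (observed & self.mask) == (self.value & self.mask)

    def match_count(self):
        """Number of distinct field values that satisfy this criterion."""
        wildcard_bits = self.bits - bin(self.mask).count("1")
        return 1 << wildcard_bits

    def ignored_value_bits(self):
        """Bits set in the value that the mask never compares."""
        return self.value & ~self.mask


def matching_vlans(criterion):
    """Enumerate every 12-bit VLAN tag the criterion accepts."""
    return [tag for tag in range(1 << 12) if criterion.matches(tag)]


def audit(name, criterion):
    """Report filters that are broader than an exact match."""
    findings = []
    if criterion.mask == 0:
        findings.append(f"{name}: {criterion.field} mask is all zeros, field is not considered")
    elif criterion.match_count() > 1:
        findings.append(f"{name}: {criterion.field} matches {criterion.match_count()} values")
    if criterion.ignored_value_bits():
        findings.append(f"{name}: value bits {criterion.ignored_value_bits():#x} fall under wildcard bits")
    return findings


if __name__ == "__main__":
    filters = {
        "acla": Criterion("vlan", "1000"),             # from Example 3
        "aclb": Criterion("vlan", "1000", "0xffe"),    # from Example 3
        "oui": Criterion("source-mac", "00:03:d2:e0:01:02", "ff:ff:ff:00:00:00"),  # constructed
        "anytype": Criterion("ether-type", "0x0002", "0x0000"),                    # constructed
    }
    print("acla VLANs:", matching_vlans(filters["acla"]))
    print("aclb VLANs:", matching_vlans(filters["aclb"]))
    for name, criterion in filters.items():
        for finding in audit(name, criterion):
            print(finding)
```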
configure redundancy-interface
When you assign a circuit to a virtual application processor (VAP) group, XOS creates a Virtual Network Device (VND) for that circuit on each VAP in the group. The VAP operating system and the application running on a VAP use VNDs as Linux networking interfaces.
A logical interface creates a logical link between a circuit's VNDs and a physical interface on a Network Processor Module (NPM). You configure a logical interface on a physical interface and then map the logical interface to a circuit that you have assigned to one or more VAP groups. An NPM uses logical interface mapping to identify the VNDs that send and receive traffic over each of its physical interfaces.
One advantage of using logical interfaces to map circuit VNDs to physical interfaces is that you can easily configure interface redundancy for a VAP group. When one physical interface fails, its logical interfaces can be moved over to another functional physical interface.
An interface redundancy configuration consists of one backup interface and one or more master interfaces that use the backup interface. In the event that a master interface fails, the logical interfaces move over to the backup interface, and the circuits mapped to those logical interfaces start sending and receiving traffic over the backup interface.
The configure redundancy-interface command configures a pair of interfaces to participate in an interface redundancy configuration. This command also places you in the conf-intf-redun context in which you can set the failover mode for the specified master/backup redundant interface pair.
NOTE: If you have more than one NPM in your chassis, you should configure master and backup interfaces on different NPMs. This way, if one NPM fails, the master interfaces configured on that NPM can failover to backup interfaces on a functional NPM.
NOTE: The configure redundancy-interface command allows you to configure only one master/backup redundant interface pair at a time. However, you can create multiple master/backup redundant interface pairs that include the same backup interface. Master interfaces that share the same backup interface are considered to be part of the same redundancy interface configuration.
Use the configure no redundancy-interface command to delete the specified master/backup interface redundancy pair. If the specified master interface is the only master interface in the redundancy interface configuration, the no redundancy-interface command also deletes the redundancy interface configuration.
Use the show redundancy-interface command to display all redundant interface pairs configured on the X-Series Platform.
Syntax
configure redundancy-interface master {gigabitethernet | 10gigabitethernet} <slot>/<port> backup {gigabitethernet | 10gigabitethernet} <slot>/<port> mac-usage {master | active}
configure no redundancy-interface master {gigabitethernet | 10gigabitethernet} <slot>/<port> backup {gigabitethernet | 10gigabitethernet} <slot>/<port>
Inline Commands
The following table lists the CLI commands used inline with the configure interface-redundancy command.
Command: master {gigabitethernet | 10gigabitethernet} <slot>/<port>
Description: Configures the specified Network Processor Module (NPM) Ethernet interface as the master interface in the master/backup redundant interface pair that you are configuring. You specify an NPM Ethernet interface using its interface type (Gigabit Ethernet or 10 Gigabit Ethernet), its NPM slot number, and its NPM port number. For example, you specify the Gigabit Ethernet interface configured on port number 1 on the NPM installed in slot number 2 in the X-Series Platform, as follows: gigabitethernet 2/1
NOTE: The specified interface must be configured to pass traffic between the X-Series Platform and an external network. Use the show interface command to display the interfaces that are currently configured to pass traffic. See configure interface on page 467 for information about configuring an NPM interface to pass traffic.
Command: backup {gigabitethernet | 10gigabitethernet} <slot>/<port>
Description: Configures the specified Network Processor Module (NPM) Ethernet interface as the backup interface in the master/backup redundant interface pair that you are configuring. You specify an NPM Ethernet interface using its interface type (Gigabit Ethernet or 10 Gigabit Ethernet), its NPM slot number, and its NPM port number. For example, you specify the Gigabit Ethernet interface configured on port number 1 on the NPM installed in slot number 2 in the X-Series Platform, as follows: gigabitethernet 1/3
NOTE: The specified interface must be configured to pass traffic between the X-Series Platform and an external network. In addition, the specified interface must be configured with the standby-only (conf-intf-gig or conf-intf-10gig context) command. Use the configure interface command to configure an NPM interface to pass traffic. Use the show (conf-intf-gig or conf-intf-10gig context) command to determine whether an interface is configured with the standby-only command.
Parameters
The following table lists the parameters used with this command.
Parameter: mac-usage {master | active}
Description: Sets the MAC usage mode for the master/backup redundant interface pair that you are configuring. In the event of a redundant interface failover, the MAC usage mode determines whether the backup interface uses its own MAC address or the master interface's MAC address. You must specify one of the following MAC usage modes:
master: In the event of a failover, the system assigns the master interface's MAC address to the backup interface. This is the recommended setting.
active: In the event of a failover, the active interface uses its own MAC address. Therefore, the backup interface always uses its own MAC address rather than the master interface's MAC address.
Restrictions
Default Privilege Level: 15
- A master interface cannot be configured with the standby-only (conf-intf-gig or conf-intf-10gig context) command.
- A member of a group interface operating in Multi-link Mode cannot be configured as a backup interface.
- A member of a group interface operating in Multi-link Mode cannot be configured as a redundant interface.
Example
In this example, we will create a master/backup redundant interface pair in which the master interface is 10 Gigabit Ethernet interface 1/12 and the backup interface is 10 Gigabit Ethernet interface 2/12.
The following commands configure 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 1 to pass traffic between the X-Series Platform and an external network:
CBS# configure interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)# end
CBS#
The following commands configure 10 Gigabit Ethernet port number 12 on the NPM installed in slot number 2 to pass traffic between the X-Series Platform and an external network, and configure the X-Series Platform to use this interface as a backup interface in an interface redundancy configuration:
CBS# configure interface 10gigabitethernet 2/12
CBS(conf-intf-10gig)# standby-only
CBS(conf-intf-10gig)# end
CBS#
The following command configures 10 Gigabit Ethernet interface 1/12 and 10 Gigabit Ethernet interface 2/12 as a master/backup redundant interface pair and places you in the conf-intf-redun context in which you can set the failover mode for this master/backup redundant interface pair.
CBS# configure redundancy-interface master 10gigabitethernet 1/12 backup 10gigabitethernet 2/12 mac-usage master
CBS(conf-intf-redun)#
Syntax
failovermode {preemption-on | preemption-off | manual-swback | manual-failover | no-failover}
Context
You access this command from the conf-intf-redun context. You access this context from the main CLI context by issuing the configure redundancy-interface command.
Parameters
The following table lists the parameters used with this command.
Parameter: preemption-on
Description: Sets the failover mode for the master/backup redundant interface pair that you are configuring to preemption-on. If the failover mode is set to preemption-on, when the master interface fails, the backup interface services traffic until the master interface recovers. When the master interface recovers, it automatically resumes service. Traffic flow switches from master to backup and then back to master.
NOTE: This is the default failover mode setting for a new master/backup redundant interface pair.
Parameter: preemption-off
Description: Sets the failover mode for the master/backup redundant interface pair that you are configuring to preemption-off. If the failover mode is set to preemption-off, when the master interface fails, the backup physical interface services traffic. However, when the master interface recovers, it does not resume service.
Parameter: manual-swback
Description: Sets the failover mode for the master/backup redundant interface pair that you are configuring to manual-swback. If the failover mode is set to manual-swback, when the master interface fails, the backup physical interface services traffic. However, when the master interface recovers, you must manually switch over the traffic from the backup interface to the master interface. To manually switch over the traffic from the backup interface to the master interface, use the failovermode no-failover command.
Parameter: manual-failover
Description: Performs a manual failover operation. When you issue the failovermode command with the manual-failover parameter, traffic immediately switches from the active interface to the redundant interface.
Parameter: no-failover
Description: Sets the failover mode for the master/backup redundant interface pair that you are configuring to no-failover. Usage Cases:
1. If the failover mode is set to no-failover at a time when neither the master or backup interface has failed, then later, when the master interface fails, the X-Series Platform takes no action. A master interface failure does not result in a failover event.
2. Under the following conditions, the no-failover command can be used to force a failback to the master:
- The backup interface has become the active interface because of a master interface failure.
- No automatic failback to the master interface (for example, preemption-off) has been configured.
- The master interface recovers.
NOTE: After you use the no-failover command to force a failback to the master interface, you must then configure the failovermode that you want.
Restrictions
Default Privilege Level: 15
Example
The following command configures 10 Gigabit Ethernet interface 1/12 and 10 Gigabit Ethernet interface 2/12 as a master/backup redundant interface pair and places you in the conf-intf-redun context in which you can set the failover mode for this master/backup redundant interface pair.
CBS# configure redundancy-interface master 10gigabitethernet 1/12 backup 10gigabitethernet 2/12 mac-usage master
CBS(conf-intf-redun)#
The following command sets the failover mode for the above master/backup redundant interface pair to preemption-off:
CBS(conf-intf-redun)# failovermode preemption-off
CBS(conf-intf-redun)#
When 10 Gigabit Ethernet interface 1/12 fails, 10 Gigabit Ethernet interface 2/12 services traffic. However, when 10 Gigabit Ethernet interface 1/12 recovers, it does not resume service.
After 10 Gigabit Ethernet interface 1/12 recovers, the following command forces a failback to the master interface (Gigabit Ethernet 1/12).
CBS(conf-intf-redun)# failovermode no-failover
After 10 Gigabit Ethernet interface 1/12 becomes master, you must then configure the failovermode that you want. For example:
CBS# configure redundancy-interface master 10gigabitethernet 1/12 backup 10gigabitethernet 2/12 mac-usage master failovermode preemption-off
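The failover modes and the mac-usage setting described above interact in a way that is easy to get wrong: a pair left in no-failover after a forced failback will not fail over on the next master failure. The following Python model is an added example, not XOS code or part of the original guide; the class and function names are hypothetical, the MAC addresses are constructed, and it assumes the backup interface stays up and that manual-failover leaves the stored mode unchanged.

```python
# Added example: a model of the failover behaviour the guide describes; not XOS code.
MODES = {"preemption-on", "preemption-off", "manual-swback", "no-failover"}


class RedundantPair:
    """One master/backup redundant interface pair."""

    def __init__(self, master_mac, backup_mac, mac_usage="master", mode="preemption-on"):
        if mac_usage not in ("master", "active") or mode not in MODES:
            raise ValueError("unknown mac-usage or failovermode")
        self.master_mac, self.backup_mac = master_mac, backup_mac
        self.mac_usage, self.mode = mac_usage, mode
        self.active = "master"      # which interface currently services traffic
        self.master_up = True       # assumption: the backup interface never fails

    def failovermode(self, keyword):
        if keyword == "manual-failover":
            # An action, not a stored mode (assumption): swap the active interface.
            self.active = "backup" if self.active == "master" else "master"
            return
        if keyword not in MODES:
            raise ValueError(f"unknown failovermode {keyword!r}")
        if keyword == "no-failover" and self.active == "backup" and self.master_up:
            self.active = "master"  # usage case 2: forced failback to the master
        self.mode = keyword

    def master_fails(self):
        self.master_up = False
        # Usage case 1: in no-failover the platform takes no action.
        if self.mode != "no-failover" and self.active == "master":
            self.active = "backup"

    def master_recovers(self):
        self.master_up = True
        if self.mode == "preemption-on":
            self.active = "master"  # only preemption-on fails back automatically

    def passing_traffic(self):
        return self.active == "backup" or self.master_up

    def mac_on_wire(self):
        """MAC address the active interface uses, per the mac-usage setting."""
        if self.active == "backup" and self.mac_usage == "active":
            return self.backup_mac
        return self.master_mac


def replay(pair, events):
    """Apply events in order; return (event, active, mode, passing_traffic) rows."""
    trace = []
    for event in events:
        if event == "master-fails":
            pair.master_fails()
        elif event == "master-recovers":
            pair.master_recovers()
        elif event.startswith("failovermode "):
            pair.failovermode(event.split(" ", 1)[1])
        else:
            raise ValueError(f"unknown event {event!r}")
        trace.append((event, pair.active, pair.mode, pair.passing_traffic()))
    return trace


if __name__ == "__main__":
    # Constructed MAC addresses; the event sequence follows the example above,
    # then adds a second master failure while the pair is still in no-failover.
    pair = RedundantPair("02:00:00:00:01:0c", "02:00:00:00:02:0c", mode="preemption-off")
    for row in replay(pair, ["master-fails", "master-recovers",
                             "failovermode no-failover", "master-fails"]):
        print(row)
```

The last row of the trace shows the master still selected and no traffic passing, which is why the guide tells you to set the failover mode you want immediately after a forced failback.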
Chapter 8: Commands for Configuring and Managing Multi-System High-Availability
This chapter contains XOS commands related to configuring virtual router redundancy protocol (VRRP) for multi-system high-availability on the X-Series Platform. This section contains the following command descriptions:
- configure management high-availability
- auto-negotiate (conf-mgmt-ha context)
- duplex-mode (conf-mgmt-ha context)
- speed (conf-mgmt-ha context)
- configure remote-box
- configure vrrp failover-group
- priority (conf-vrrp-group context)
- preemption (conf-vrrp-group context)
- advertise-interval (conf-vrrp-group context)
- monitor-circuit (conf-vrrp-group context)
- priority-delta (conf-vrrp-failover-cct context)
- monitor-interface (conf-vrrp-group context)
- priority-delta (conf-intf-gig or conf-intf-10gig context)
- monitor-group-interface (conf-vrrp-group context)
- priority-delta (conf-vrrp-failover-grpintf)
- ospf-cost-increment (conf-vrrp-group context)
- virtual-router (conf-vrrp-group context)
- backup-stay-up (conf-vrrp-failover-vr context)
- dist-port-threshold (conf-vrrp-failover-vr context)
- mac-usage (conf-vrrp-failover-vr context)
- priority-delta (conf-vrrp-failover-vr context)
- vap-group (conf-vrrp-failover-vr context)
- ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
- verify-next-hop-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
- priority-delta (conf-vrrp-vr-verify-next-hop context)
- virtual-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
- enable (conf-vrrp-group context)
- configure vrrp vap-group
- active-vap-threshold (conf-vrrp-vap-group context)
- enable (conf-vrrp-vap-group context)
- failover-group-list (conf-vrrp-vap-group context)
- hold-down-timer (conf-vrrp-vap-group context)
- priority-delta (conf-vrrp-vap-group context)
- vrrp-relinquish-master
Syntax
configure management high-availability {cp1|cp2}
Parameters
The following table lists the parameters used with this command.
Parameter: cp1 | cp2
Description: Configures the primary (cp1) or secondary (cp2) CPM in your X-Series Platform.
Restrictions
Default privilege level: 15
Example
The following command configures the management high availability (HA) interface on the primary CPM designated as cp1 as the high-availability link to the management interface on the backup X-Series Platform.
CBS# configure management high-availability cp1
CBS(conf-mgmt-ha)#
Syntax
[no] auto-negotiate
Context
You access this command from the conf-mgmt-ha context. You access this context from the main CLI context by issuing the configure management high-availability command.
Restrictions
Default privilege level: 15
Example
The following commands enable auto negotiation on the high-availability interface on the cp1 CPM.
CBS# configure management high-availability cp1
CBS(conf-mgmt-ha)# auto-negotiate
CBS(conf-mgmt-ha)#
Syntax
[no] duplex-mode {half | full}
Context
You access this command from the conf-mgmt-ha context. You access this context from the main CLI context by issuing the configure management high-availability command.
Parameters
The following table lists the parameters used with this command.
Parameter: half
Description: Sets the duplex mode to half-duplex for the high-availability interface that you are configuring.
Parameter: full
Description: Sets the duplex mode to full-duplex for the high-availability interface that you are configuring. This is the default value.
Restrictions
Default privilege level: 15
Example
The following commands configure the high-availability interface on the cp1 CPM to half duplex.
CBS# configure management high-availability cp1
CBS(conf-mgmt-ha)# duplex-mode half
CBS(conf-mgmt-ha)#
Syntax
[no] speed {10 | 100 | 1000}
Context
You access this command from the conf-mgmt-ha context. You access this context from the main CLI context by issuing the configure management high-availability command.
Parameters
The following table lists the parameters used with this command.
Parameter: 10
Description: Sets the interface speed to 10 Mb/s.
Parameter: 100
Description: Sets the interface speed to 100 Mb/s.
Parameter: 1000
Description: Sets the interface speed to 1000 Mb/s. This is the default value.
Restrictions
Default privilege level: 15
Example
The following commands set the transmission speed to 100 Mb/s for the high-availability interface on the CPM designated as cp1.
CBS# configure management high-availability cp1
CBS(conf-mgmt-ha)# speed 100
CBS(conf-mgmt-ha)#
configure remote-box
Configures the local X-Series Platform to use the Control Processor Module(s) on another X-Series Platform as backup CPMs in the event that the CPMs installed in the local X-Series Platform fail. A remote CPM is one that is installed in another X-Series Platform. You specify a remote CPM using one or more of these five addresses:
Internal IP address of remote Primary CPM (for example, 1.1.<System ID>.20)
Management Interface 1 IP address of remote CP1
Management Interface 2 IP address of remote CP1
Management Interface 1 IP address of remote CP2
Management Interface 2 IP address of remote CP2
NOTE: By default, Management Interfaces 1 and 2 are disabled on a CPM. To enable either management interface, you must first assign an IP address to it.
NOTE: Issue the show internal-ip command on the remote X-Series Platform to display the internal IP address assigned to the current primary CPM. To obtain the IP addresses of the management interfaces on the primary and secondary CPMs, use the configure management command, specifying the interface that you want. When you are in the conf-mgmt-gig context, enter the show command.
NOTE: You can use the remote-box command to specify additional backup CPMs (one command for each remote chassis).
Use the no parameter to delete the specified IP addresses from the remote-box configuration for your X-Series Platform.
Syntax
configure [no] remote-box <system_id> <ipAddr1> [<ipAddr2>] [<ipAddr3>] [<ipAddr4>] [<ipAddr5>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <system_id>
Description: Identifier for the X-Series Platform that you want to use as a backup. Each X-Series Platform must have a unique ID. Values are 1 to 255.
Parameter: <ipAddr1> through <ipAddr5>
Description: IP address of the interfaces listed earlier in this section.
Restrictions
Default privilege level: 15
You can configure a maximum of five addresses for any one X-Series Platform.
Example
The command at the end of this example specifies all five possible interfaces on a remote chassis with these characteristics:
System ID: 35
Remote Primary CPM HA Port (internal) IP address: 1.1.35.20
Remote CP1
  Management Port 1 (eth2) IP address: 192.168.64.146
  Management Port 2 (eth3) IP address: 192.168.64.137
Remote CP2
  Management Port 1 (eth2) IP address: 192.168.64.147
  Management Port 2 (eth3) IP address: 192.168.64.138
CBS# configure remote-box 35 1.1.35.20 192.168.64.137 192.168.64.138 192.168.64.146 192.168.64.147
CBS#
Syntax
configure vrrp failover-group <name> failover-group-id <id_number>
configure vrrp no failover-group <name>
priority-delta (conf-vrrp-failover-cct context)
monitor-interface (conf-vrrp-group context)
priority-delta (conf-intf-gig or conf-intf-10gig context)
monitor-group-interface (conf-vrrp-group context)
priority-delta (conf-vrrp-failover-grpintf)
ospf-cost-increment (conf-vrrp-group context)
virtual-router (conf-vrrp-group context)
enable (conf-vrrp-group context)
Parameters
The following table lists the parameters used with this command.
Parameter: failover-group <name>
Description: Alphanumeric name for the group. This can be a new name to create a group, or the name of an existing group to modify its configuration. Use no to delete an existing group. The name must be 80 characters or fewer.
Parameter: failover-group-id <id_number>
Description: Identifier for the failover group. Values can be 1 to 255. The identifier must be unique on the X-Series Platform, but the counterpart failover group on another X-Series Platform must have the same ID.
Restrictions
There is no hard limit on the number of VRRP MAC addresses you can assign; however, be aware that MAC addresses affect the APM VND driver performance.
A virtual router can have only one VAP group per circuit.
Default privilege level: 15
Example
The following command creates a VRRP failover group named vrrp_fw with a failover-group-id of 200 for a firewall application.
CBS# configure vrrp failover-group vrrp_fw failover-group-id 200
CBS(conf-vrrp-group)#
Syntax
[no] priority <priority_value>
Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <priority_value>
Description: Sets the priority to a value from 1 to 255. The failover group with the highest priority becomes the master failover group. The default value is 100.
Restrictions
Default Privilege Level: 15
Example
The following commands configure a VRRP failover group called vrrp_fw with a failover-group-id of 200 and then assign it a priority of 200.
CBS# configure vrrp failover-group vrrp_fw failover-group-id 200
CBS(conf-vrrp-group)# priority 200
CBS(conf-vrrp-group)#
Syntax
[no] preemption
Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command.
Restrictions
Default Privilege Level: 15
Example
The following commands configure preemption on a vrrp_fw failover group with a failover group id of 200.
CBS# configure vrrp failover-group vrrp_fw failover-group-id 200
CBS(conf-vrrp-group)# preemption
CBS#
Syntax
[no] advertise-interval <number_of_seconds>
Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <number_of_seconds>
Description: Time in seconds between advertisements, from 1 to 255 seconds. The default time is 2 seconds. Use the no command to restore the value to the default.
Restrictions
Default privilege level: 15
Example
These commands set the advertise interval to 5 seconds on a vrrp_fw failover group with a failover group id of 200.
CBS# configure vrrp failover-group vrrp_fw failover-group-id 200
CBS(conf-vrrp-group)# advertise-interval 5
IMPORTANT: This command does not configure a circuit as a member of a VRRP failover group. A circuit can participate in a VRRP failover only if a Virtual Router is configured for the circuit. Use the no parameter to delete the specified circuit VRRP health monitoring configuration.
Syntax
[no] monitor-circuit <circuit_name> <priority-delta>
[no] monitor-circuit <circuit_name>
Parameters
The following table lists the parameters used with this command.
Parameter: <circuit_name>
Description: Name of the circuit for which you want to configure VRRP health monitoring.
NOTE: The specified circuit does not participate in a VRRP failover unless one or more Virtual Routers are configured for the circuit.
Restrictions
Default privilege level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the monitoring interfaces for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw failover-group-id 200
The following command configures the vrrp_fw failover group with the lan circuit.
CBS(conf-vrrp-group)# monitor-circuit lan
CBS(conf-vrrp-failover-cct)#
Syntax
priority-delta <delta_value>
Context
You access this command from the conf-vrrp-failover-cct context. You enter that context from the conf-vrrp-group context by issuing the configure vrrp failover-group command and then the monitor-circuit (conf-vrrp-group context) command.
Parameters
The following table lists the parameters used with this command.
Parameter: <delta_value>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the interface is Down. The default value is 1. A value of 0 (zero) turns off priority-delta.
Restrictions
Default privilege level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the interfaces and priority delta for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
The following command assigns the lan circuit to the VRRP failover group:
CBS(conf-vrrp-group)# monitor-circuit lan
CBS(conf-vrrp-failover-cct)#
The following command assigns a priority-delta value of 105 to the lan circuit. VRRP uses this priority-delta value when the link state of the circuit is Down:
CBS(conf-vrrp-failover-cct)# priority-delta 105
CBS(conf-vrrp-failover-cct)#
Syntax
[no] monitor-interface {gigabitethernet | 10gigabitethernet} <slot>/<port>
Inline Commands
The following table lists the CLI commands used inline with the monitor-interface command.
Command: gigabitethernet <slot>/<port>
Description: Configures VRRP health monitoring for the specified Gigabit Ethernet interface, and places you in the conf-intf-gig context in which you can configure a priority-delta value for that interface. You specify an interface using its NPM slot number and port number, separated by a forward slash (/) character.
Command: 10gigabitethernet <slot>/<port>
Description: Specifies the use of the 10 Gigabit Ethernet interface on the CPM. Configures VRRP health monitoring for the specified 10 Gigabit Ethernet interface, and places you in the conf-intf-10gig context in which you can configure a priority-delta value for that interface. You specify an interface using its NPM slot number and port number.
Restrictions
Default privilege level: 15
Example
The following command places you in the conf-vrrp-group context in which you can configure the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw failover-group-id 200
The following command configures VRRP health monitoring for the 10 Gigabit Ethernet interface on port number 12 on the NPM installed in slot 1:
Syntax
priority-delta <delta_value>
Context
You access this command from either the conf-intf-gig or conf-intf-10gig context. You access this context from the main CLI context by issuing the configure vrrp failover-group command to configure a specific VRRP failover group and then issuing the monitor-interface (conf-vrrp-group context) command to configure VRRP health monitoring for a specific interface.
Parameters
The following table lists the parameters used with this command.
Parameter: <delta_value>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the interface is Down. The default value is 1. A value of 0 (zero) turns off priority-delta.
Restrictions
Default privilege level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the interfaces and priority delta for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
The following command configures monitoring of a 10 Gigabit Ethernet interface (port 12) on the NPM in slot 1 for the VRRP failover group:
CBS(conf-vrrp-group)# monitor-interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#
The following command assigns a priority-delta value of 105 to the failover group's 10 Gigabit Ethernet interface that VRRP uses when the interface fails:
CBS(conf-intf-10gig)# priority-delta 105
CBS(conf-intf-10gig)#
Syntax
monitor-group-interface <group_interface_name> <priority_delta> <dist-port-threshold>
no monitor-group-interface <group_interface_name>
Context
You access this command from the conf-vrrp-group context. You access this context by issuing the configure vrrp failover-group command to configure a specific VRRP failover group.
Parameters
The following table lists the parameters used with this command.
Parameter: <priority_delta>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the group interface is Down or if the number of ports in the active distributing state falls below the value of the dist_port_threshold parameter. The default value is 1. A value of 0 (zero) turns off priority-delta.
Parameter: <dist_port_threshold>
Description: Sets the minimum number of ports that must be in the active, distributing state. If the number of ports in that state falls below this threshold, the priority delta value is subtracted from failover group priority. Values range from 1 to 8.
Restrictions
Default privilege level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the interfaces and priority delta for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
The following command configures monitoring of group interface (gig15_35) for the VRRP failover group:
CBS(conf-vrrp-group)# monitor-group-interface gig15_35
CBS(conf-vrrp-failover-grpinf)#
The following command assigns a priority-delta value of 205 to the group interface that VRRP uses when the interface fails:
CBS(conf-vrrp-failover-grpinf)# priority-delta 205
CBS(conf-vrrp-failover-grpinf)#
The following command configures the minimum number of active, distributing ports to 5. When the number of ports falls below this value, the VRRP priority delta value is subtracted from the failover group priority.
CBS(conf-vrrp-failover-grpinf)# dist-port-threshold 5
CBS(conf-vrrp-failover-grpinf)#
priority-delta (conf-vrrp-failover-grpintf)
VRRP reduces the VRRP priority by this value when the link state of the associated group-interface is Down or if the number of ports in the active distributing state falls below the value of the dist-port-threshold parameter.
Syntax
priority-delta <delta_value>
Context
You access this command from the conf-vrrp-failover-grpintf context. You access this context from the main CLI context by issuing the configure vrrp failover-group command to configure a specific VRRP failover group and then issuing the monitor-group-interface (conf-vrrp-group context) command to configure VRRP health monitoring for a specific group-interface.
Parameters
The following table lists the parameters used with this command.
Parameter: <delta_value>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the group-interface is Down or if the number of ports in the active distributing state falls below the value of the dist-port-threshold parameter. The default value is 1. A value of 0 (zero) turns off priority-delta.
Restrictions
Default privilege level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the interfaces and priority delta for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
The following command configures monitoring of a 10 Gigabit Ethernet interface (port 12) on the NPM in slot 1 for the VRRP failover group:
CBS(conf-vrrp-group)# monitor-interface 10gigabitethernet 1/12
CBS(conf-intf-10gig)#
The following command assigns a priority-delta value of 105 to the failover group's 10 Gigabit Ethernet interface that VRRP uses when the interface fails:
CBS(conf-intf-10gig)# priority-delta 105
CBS(conf-intf-10gig)#
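The priority and priority-delta settings described in the preceding sections interact: a monitored object only moves mastership if its delta pulls the group's priority below the peer's. The following Python sketch is an added example, not XOS code or part of the original guide. It applies the documented ranges and defaults to the vrrp_fw values used in the examples above and reports monitors whose failure alone would not change the master. The class and function names, the "wan" monitor, the peer priority of 100, additive deltas, and takeover only on a strictly higher peer priority are all assumptions.

```python
"""Added example: priority-delta arithmetic for an XOS VRRP failover group."""
from dataclasses import dataclass
from typing import Optional

DEFAULT_PRIORITY = 100   # guide: priority is 1 to 255, default 100
DEFAULT_DELTA = 1        # guide: priority-delta is 0 to 255, default 1


@dataclass(frozen=True)
class Monitor:
    """One monitored circuit, interface or group interface (hypothetical model)."""
    name: str
    delta: int = DEFAULT_DELTA
    dist_port_threshold: Optional[int] = None   # group interfaces only, 1 to 8


@dataclass(frozen=True)
class FailoverGroup:
    name: str
    priority: int = DEFAULT_PRIORITY
    monitors: tuple = ()


def validate(group):
    """Return range violations against the limits stated in the command reference."""
    errors = []
    if not 1 <= group.priority <= 255:
        errors.append(f"{group.name}: priority {group.priority} outside 1-255")
    for m in group.monitors:
        if not 0 <= m.delta <= 255:
            errors.append(f"{m.name}: priority-delta {m.delta} outside 0-255")
        t = m.dist_port_threshold
        if t is not None and not 1 <= t <= 8:
            errors.append(f"{m.name}: dist-port-threshold {t} outside 1-8")
    return errors


def is_failed(monitor, state):
    """state is a constructed dict: {'link': 'up'|'down', 'distributing_ports': int}."""
    if state.get("link", "up") == "down":
        return True
    t = monitor.dist_port_threshold
    # A group interface also counts as failed when too few ports are distributing.
    return t is not None and state.get("distributing_ports", t) < t


def effective_priority(group, states):
    """Configured priority minus the delta of every failed monitor.

    Assumption: deltas of several failed monitors add up. The raw result is
    returned; the guide does not say how XOS treats results below 1.
    """
    lost = sum(m.delta for m in group.monitors
               if is_failed(m, states.get(m.name, {})))
    return group.priority - lost


def silent_failures(group, peer_priority):
    """Monitors whose failure alone leaves this group at or above the peer.

    Assumption: the peer becomes master only when its priority is strictly higher.
    """
    return [m.name for m in group.monitors
            if group.priority - m.delta >= peer_priority]


# Values from the guide's vrrp_fw examples, plus one constructed monitor ("wan")
# left at the default delta to show the failure mode.
VRRP_FW = FailoverGroup("vrrp_fw", priority=200, monitors=(
    Monitor("lan", delta=105),
    Monitor("10gigabitethernet 1/12", delta=105),
    Monitor("gig15_35", delta=205, dist_port_threshold=5),
    Monitor("wan"),
))
PEER_PRIORITY = 100      # constructed: peer chassis left at the default priority

if __name__ == "__main__":
    print("range errors:", validate(VRRP_FW))
    print("lan down ->", effective_priority(VRRP_FW, {"lan": {"link": "down"}}))
    print("no failover on:", silent_failures(VRRP_FW, PEER_PRIORITY))
```

With a group priority of 200 against a peer at 100, the delta of 105 used in the guide's examples yields 95 and hands over mastership, while a monitor left at the default delta of 1 yields 199 and does not.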
Syntax
ospf-cost-increment circuit <circuit_name> <increment_cost>
Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <circuit_name>
Description: The circuit mapped to the OSPF interfaces whose link costs you want to increase when the VRRP failover group that you are configuring enters the backup state.
Parameter: <increment_cost>
Description: The amount by which the X-Series Platform increases or decreases the OSPF link cost of the interfaces mapped to the specified circuit when a VRRP failover takes place.
Restrictions
Default Privilege Level: 15
Example
Configures the circuit called ospf_circuit as a member of the VRRP failover group called vrrp_vap (failover group ID 2), and directs the X-Series Platform to increase or decrease the OSPF link costs for the interfaces mapped to the circuit called ospf_circuit each time the VRRP failover group called vrrp_vap changes state. Any VRRP state transition from master to backup causes the OSPF link costs to increase by 5. Any VRRP state transition from backup to master causes the OSPF link costs to decrease by 5. This ensures that the Crossbeam Routing Software (RSW) always updates OSPF routes to include only the interfaces configured on the master VAP group.
CBS# configure vrrp failover-group vrrp_vap1 failover-group-id 2
CBS(conf-vrrp-group)# ospf-cost-increment circuit ospf_circuit 5
Syntax
[no] virtual-router vrrp-id <router_identifier> circuit <circuit_name>
Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command. This command places you in the conf-vrrp-failover-vr context. You can access the following commands from this context:
backup-stay-up (conf-vrrp-failover-vr context)
dist-port-threshold (conf-vrrp-failover-vr context)
mac-usage (conf-vrrp-failover-vr context)
priority-delta (conf-vrrp-failover-vr context)
vap-group (conf-vrrp-failover-vr context)
Parameters
The following table lists the parameters used with this command.
Parameter: vrrp-id <router_identifier>
Description: Sets a virtual router identifier that must be the same on the related virtual router on the backup X-Series Platform. Values range from 1 through 4096.
Parameter: circuit <circuit_name>
Description: Assigns an existing circuit to the virtual router.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.
CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#
Syntax
backup-stay-up
Context
You access this command from the conf-vrrp-failover-vr context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.
CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#
This command configures backup-stay-up for the virtual router.
CBS(conf-vrrp-failover-vr)# backup-stay-up
CBS(conf-vrrp-failover-vr)#
Syntax
dist-port-threshold <minimum_number_of_ports>
Context
You access this command from the conf-vrrp-failover-vr context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI.
Parameters
The following table lists the parameters used with this command.
Parameter: <minimum_number_of_ports>
Description: The minimum number of ports that must be in the active distributing state. Range: 1 to 8
Restrictions
Default Privilege Level: 15
Syntax
[no] mac-usage {vrrp-mac | interface}
Context
You access this command from the conf-vrrp-failover-vr context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI.
Parameters
The following table lists the parameters used with this command.
Parameter: vrrp-mac
Description: Generates a VRRP MAC address based on the vrrp-id value assigned to the virtual router. For example, on a chassis with a System ID of 141, a generated MAC address would be: 00:32:D2:EX.XX.141 OR 00:32:D2:FX.XX.141 where X.XX are digits that are generated by XOS.
Parameter: interface
Description: Uses the physical interface MAC address. This is the default value.
Restrictions
There is no hard limit on the number of VRRP MAC addresses you can assign.
If the virtual router that you are configuring has an IPv6 address, only the vrrp-mac parameter is allowed.
Default Privilege Level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.
CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#
This command configures mac-usage for the virtual router to use a generated VRRP MAC address based on the vrrp-id value. See vrrp-mac in the previous table.
CBS(conf-vrrp-failover-vr)# mac-usage vrrp-mac
CBS(conf-vrrp-failover-vr)#
Syntax
priority-delta <delta_value>
Context
You access this command from the conf-vrrp-failover-vr context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI.
Parameters
The following table lists the parameters used with this command.
Parameter: priority-delta <delta_value>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the interface is Down. The default value is 1. A value of 0 (zero) turns off priority-delta.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.
CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#
This command configures the priority-delta for the virtual router to 105.
CBS(conf-vrrp-failover-vr)# priority-delta 105
CBS(conf-vrrp-failover-vr)#
Syntax
vap-group <VAP_group_name>
Context
You access this command from the conf-vrrp-failover-vr context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI and then the virtual-router (conf-vrrp-group context) command. After using the vap-group command on a virtual router, you can configure the following:
ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
verify-next-hop-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
virtual-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
Parameters
The following table lists the parameters used with this command:
Parameter: <VAP_group_name>
Description: Existing VAP group associated with the circuit.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.
CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#
This command assigns the fwvpn VAP group to the virtual router.
CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)#
Syntax (IPv4)
ip {<IP_address> <netmask> | <IP_address>/<1-32>} [<broadcast_IP_address>] [increment-per-vap <IP_address>]
ip {<lowest_IP_address> <netmask> | <lowest_IP_address>/<1-32>} [<broadcast_IP_address>] [increment-per-vap <highest_IP_address>]
no ip
Syntax (IPv6)
ip <IP_address>/<1-128>
no ip
Context
You access this command from the conf-vrrp-vr-vapgroup context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI and then the virtual-router (conf-vrrp-group context) command and vap-group (conf-vrrp-failover-vr context) commands.
Parameters
The following table lists the parameters used with this command.
Parameter (IPv4): {<IP_address> <netmask> | <IP_address>/<1-32>}
Description: Assigns the specified primary IP address to the virtual router that you are configuring. You must specify the subnet mask for the primary IP address. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16).
NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.
Parameter (IPv4): <broadcast_IP_address>
Description: Assigns the specified primary broadcast IP address to the circuit for the VAP group that you are currently configuring. By default, XOS determines the primary broadcast IP address for a circuit by applying the subnet mask specified for the primary IP address(es).
NOTE: The broadcast IP must match the primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group.
Description Assigns the specified range of consecutive primary IP addresses to the VNDs that XOS creates for the circuit on the VAP group that you are configuring. When you specify this parameter, XOS assigns a unique primary IP address to each VND. XOS assigns consecutive primary circuit IP addresses to consecutive VAP index numbers, with the lowest primary circuit IP address number assigned to VAP index number 1. You must specify the subnet mask for the lowest primary IP address in the range. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16). NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.
Description Assigns the specified primary IP address to the virtual router that you are configuring. You must specify the subnet mask for the primary IP address. You can specify a subnet mask in CIDR notation only (for example, fd00:1900:4545::f8ff:fe21:67ca/64). NOTE: When using CIDR notation, you cannot use /0.
Restrictions
Default Privilege Level: 15
A primary, alias, VRRP, or virtual IPv4 address assigned to a circuit cannot have the subnet mask, 0.0.0.0.
If you specify an IPv4 or IPv6 address using CIDR notation, you cannot use /0.
The host portion of a primary, alias, VRRP, or virtual IP address cannot contain 0s.
Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.
CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#
This command assigns the fwvpn VAP group to the virtual router and an IP address of 192.168.2.103 with a mask of 24 in CIDR format.
CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# ip 192.168.2.104/24
CBS(conf-vrrp-vr-vapgroup)#
This command assigns the fwvpn VAP group to the virtual router and an IP address of fd00:1900:4545::f8ff:fe21:67ca with a mask of 64 in CIDR format.
CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# ip fd00:1900:4545::f8ff:fe21:67ca/64
CBS(conf-vrrp-vr-vapgroup)#
Syntax
[no] verify-next-hop-ip <IP_address>
Context
You access this command from the conf-vrrp-vr-vapgroup context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI and then the virtual-router (conf-vrrp-group context) command and vap-group (conf-vrrp-failover-vr context) commands. From this context, you can issue the following command:
priority-delta (conf-vrrp-vr-verify-next-hop context)
Use the priority-delta setting to help determine the failover action to take if the next-hop IP address cannot be reached.
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_address>
Description: Specifies the next-hop IP address that the X-Series Platform must verify before using it.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.
CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#
IPv4
This command assigns the fwvpn VAP group to the virtual router and an IP address of 192.168.2.103 with a mask of 24 in CIDR format.
CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# ip 192.168.2.104/24
CBS(conf-vrrp-vr-vapgroup)
This command adds a verify-next-hop-IP value of 192.168.2.1 to the VAP group assigned to the vrrp_fw failover group.
CBS(conf-vrrp-vr-vapgroup)# verify-next-hop-ip 192.168.2.1
CBS(conf-vrrp-vr-verify-next-hop)#
IPv6
This command assigns the fwvpn VAP group to the virtual router and an IP address of fd00:1545:be72:e5af::cf33:54aa with a mask of 64 in CIDR format.
CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# ip fd00:1545:be72:e5af::cf33:54aa/64
CBS(conf-vrrp-vr-vapgroup)
This command adds a verify-next-hop-IP value of fd00:1545:be72:e5af::cf33:1 to the VAP group assigned to the vrrp_fw failover group.
CBS(conf-vrrp-vr-vapgroup)# verify-next-hop-ip fd00:1545:be72:e5af::cf33:1
CBS(conf-vrrp-vr-verify-next-hop)#
Syntax
priority-delta <delta_value>
Context
You access this command from the conf-vrrp-vr-verify-next-hop context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI and then the virtual-router (conf-vrrp-group context), vap-group (conf-vrrp-failover-vr context), and verify-next-hop-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4) commands.
Parameters
The following table lists the parameters used with this command.
Parameter: priority-delta <delta_value>
Description: Sets a priority-delta value from 0 to 255 that will be subtracted from the failover group priority when the link state of the interface is Down. The default value is 1. A value of 0 (zero) turns off priority-delta.
Restrictions
Default Privilege Level: 15
Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the virtual router with the lan circuit.
CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#
This command assigns the fwvpn VAP group to the virtual router and an IP address of 192.168.2.103 with a mask of 24 in CIDR format.
CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# ip 192.168.2.104/24
CBS(conf-vrrp-vr-vapgroup)
This command adds a verify-next-hop-IP value of 192.168.2.1 and a priority-delta value of 105 to the VAP group assigned to the vrrp_fw failover group.
CBS(conf-vrrp-vr-vapgroup)# verify-next-hop-ip 192.168.2.1
CBS(conf-vrrp-vr-verify-next-hop)# priority-delta 105
Syntax (IPv4)
[no] virtual-ip {<IP_address> <netmask> | <IP_address>/<1-32>} [<broadcast_IP_address>] [increment-per-vap <IP_address>] [[no] floating]
Syntax (IPv6)
[no] virtual-ip <IP_address>/<1-128> [no] virtual-ip
Context
You access this command from the conf-vrrp-vr-vapgroup context. You access this context from the conf-vrrp-group context that you enter by issuing the configure vrrp failover-group command from the main CLI and then the virtual-router (conf-vrrp-group context) command and vap-group (conf-vrrp-failover-vr context) commands.
Parameters
The following table lists the parameters used with this command.
Parameter (IPv4): <IP_address> <netmask> | <IP_address>/<1-32>
Description: Assigns the specified virtual IP address to the virtual router that you are configuring. You must specify the subnet mask for the alias IP address. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16). NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.
Parameter (IPv4): <broadcast_IP_address>
Description: Assigns the specified virtual IP broadcast IP address to the virtual router for the VAP group that you are currently configuring. By default, XOS determines the virtual IP broadcast IP address for a circuit by applying the subnet mask specified for the virtual IP address(es). NOTE: The broadcast IP must match the primary IP, VRRP IP, Virtual IP, and alias IP addresses assigned to a circuit for a VAP group.
Parameter (IPv4): increment-per-vap <IP_address>
Description: Assigns the specified range of consecutive alias IP addresses to the VNDs that XOS creates for the virtual IP on the VAP group that you are configuring. When you specify this parameter, XOS assigns a unique virtual IP address to each VND. XOS assigns consecutive virtual IP addresses to consecutive VAP index numbers, with the lowest virtual IP address number assigned to VAP index number 1. You must specify the subnet mask for the lowest virtual IP address in the range. You can specify a subnet mask in dotted-quad format (for example, 10.15.3.5 255.255.0.0), or you can specify an IP network using CIDR notation (for example, 10.15.0.0/16). NOTE: You cannot specify the subnet mask, 0.0.0.0. If you specify an IP network using CIDR notation, you cannot use /0.
Parameter (IPv4): [no] floating
Description: Assigns the virtual IP address to the master VAP, allowing traffic, cluster management, and synchronization communication to go directly to the master VAP. If a new master VAP is elected, the address floats (is assigned) to the new master. In a VRRP configuration, the floating parameter assigns the virtual IP address to the master VAP on the new master chassis in the event of a failover. NOTE: This parameter can be used only with an IPv4 address. NOTE: This parameter cannot be used with increment-per-vap. NOTE: Only one floating address can be used with any one circuit.
Parameter (IPv6): <IP_address>/<1-128>
Description: Assigns the specified virtual IP address to the virtual router that you are configuring. You must specify the subnet mask for the alias IP address using CIDR notation (for example, fd00:1545:be72:e5af::cf33:54aa/64). NOTE: When using CIDR notation, you cannot use /0.
Restrictions
Default Privilege Level: 15
A primary, alias, VRRP, or virtual IP address assigned to a circuit cannot have the subnet mask, 0.0.0.0.
If you specify an IP network for an IP address using CIDR notation, you cannot use /0.
The host portion of a primary, alias, VRRP, or virtual IP address cannot contain 0s.
The maximum number of virtual-ip addresses that can be configured on a given IP address is 99.
Example
The following command places you in the conf-vrrp-group context in which you configure the virtual router for the VRRP failover group called vrrp_fw:
CBS# configure vrrp failover-group vrrp_fw
CBS(conf-vrrp-group)#
This command configures a virtual router for the vrrp_fw failover group with a vrrp-id of 200 and associates the lan circuit with the virtual router.
CBS(conf-vrrp-group)# virtual-router vrrp-id 200 circuit lan
CBS(conf-vrrp-failover-vr)#
This command assigns the fwvpn VAP group to the virtual router and an IP address of 192.168.2.104 with a mask of 24 in CIDR format.
CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# virtual-ip 192.168.2.104/24
CBS(conf-vrrp-vr-vapgroup)
This command assigns the fwvpn VAP group to the virtual router and an IP address of fd00:1545:be72:e5af::cf33:54aa with a mask of 64 in CIDR format.
CBS(conf-vrrp-failover-vr)# vap-group fwvpn
CBS(conf-vrrp-vr-vapgroup)# virtual-ip fd00:1545:be72:e5af::cf33:54aa/64
CBS(conf-vrrp-vr-vapgroup)
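
The virtual-ip restrictions above can be checked before a change window. This is an added example, not code from the guide or from XOS; the function names are hypothetical, and reading "cannot contain 0s" as "host bits must not all be zero" is an assumption.

```python
import ipaddress


def check_virtual_ip(spec, floating=False, increment_per_vap=False):
    """Check virtual-ip arguments against the restrictions in this section.

    spec is typed as on the CLI: '<IP> <netmask>' (IPv4) or '<IP>/<prefix>'.
    Returns (interface or None, list of problem strings).
    """
    parts = spec.split()
    dotted = len(parts) == 2 and "/" not in spec
    if dotted:
        text = f"{parts[0]}/{parts[1]}"
    elif len(parts) == 1 and "/" in spec:
        text = spec
    else:
        return None, ["expected '<IP> <netmask>' or '<IP>/<prefix>'"]
    try:
        iface = ipaddress.ip_interface(text)
    except ValueError as exc:
        return None, [f"invalid address or mask: {exc}"]

    net, problems = iface.network, []
    # ipaddress also accepts host masks (0.0.255.255) and bare prefix lengths
    # in the mask position; only a true dotted-quad netmask counts here.
    if dotted and parts[1] != str(net.netmask):
        problems.append("second field is not a dotted-quad subnet mask")
    if net.prefixlen == 0:
        problems.append("subnet mask 0.0.0.0 or /0 is not allowed")
    # Assumption: "cannot contain 0s" means the host bits must not all be zero.
    host_bits = int(iface.ip) & int(net.hostmask)
    if net.prefixlen < net.max_prefixlen and host_bits == 0:
        problems.append("host portion of the address is all zeros")
    if floating and iface.version == 6:
        problems.append("floating can be used only with an IPv4 address")
    if floating and increment_per_vap:
        problems.append("floating cannot be used with increment-per-vap")
    return iface, problems


def per_vap_addresses(iface, vap_count):
    """Map VAP index numbers to consecutive addresses, lowest address to index 1."""
    plan = {}
    for index in range(1, vap_count + 1):
        addr = iface.ip + (index - 1)
        if addr not in iface.network:
            raise ValueError(f"VAP index {index} would get {addr}, outside {iface.network}")
        plan[index] = str(addr)
    return plan


if __name__ == "__main__":
    # Inputs are the guide's own example addresses plus constructed bad cases.
    for spec in ("192.168.2.104/24", "10.15.3.5 255.255.0.0",
                 "10.15.3.5 0.0.0.0", "192.168.2.0/24"):
        print(spec, "->", check_virtual_ip(spec)[1] or "ok")
    print(per_vap_addresses(check_virtual_ip("192.168.2.104/24")[0], 3))
```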
Syntax
[no] enable
Context
You access this command from the conf-vrrp-group context. You access this context from the main CLI context by issuing the configure vrrp failover-group command.
Restrictions
Default privilege level: 15
Syntax
[no] configure vrrp vap-group <VAP_group_name>
Context
You access this command from the main CLI.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Specifies the VAP group to participate in high-availability.
Restrictions
Default privilege level: 15
Example
The following command enables the VAP group called vap_fw1 to participate in VRRP failovers and places you in the conf-vrrp-vap-group context in which you can configure VRRP parameters (for example, failover-group-list, hold-down-timer, and priority-delta) for that VAP group.
CBS# configure vrrp vap-group vap_fw1
CBS(conf-vrrp-vap-group)#
Syntax
[no] active-vap-threshold <number_of_active_VAPs>
Context
You access this command from the conf-vrrp-vap-group context. You access this context from the main CLI context by issuing the configure vrrp vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <number_of_active_VAPs>
Description: This value sets the minimum number of required active VAPs from 1 to 10. The default value is 1.
Restrictions
Default privilege level: 15
Example
CBS(conf-vrrp-vap-group)# active-vap-threshold 2
CBS(conf-vrrp-vap-group)#
Syntax
[no] enable
Context
You access this command from the conf-vrrp-vap-group context. You access this context from the main CLI context by issuing the configure vrrp vap-group command.
Restrictions
Default privilege level: 15
Example
The following command enables the VAP group to be used in the VRRP configuration.
CBS(conf-vrrp-vap-group)# enable
CBS(conf-vrrp-vap-group)#
Syntax
[no] failover-group-list <VRRP_failover_group_name> [<VRRP_failover_group_name>] [<VRRP_failover_group_name>]
Context
You access this command from the conf-vrrp-vap-group context. You access this context from the main CLI context by issuing the configure vrrp vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <VRRP_failover_group_name>
Description: The name of the first failover group to be affected by this VAP group.
Parameter: [<VRRP_failover_group_name>] [<VRRP_failover_group_name>]
Description: The names of additional failover groups to be affected by this VAP group.
Restrictions
Default privilege level: 15
Example
The following command assigns 3 failover groups to the failover-group-list for this VAP group.
CBS(conf-vrrp-vap-group)# failover-group-list vap_fw1 vap_fw2 vap_fw3
CBS(conf-vrrp-vap-group)#
Syntax
[no] hold-down-timer <number_of_seconds>
Context
You access this command from the conf-vrrp-vap-group context. You access this context from the main CLI context by issuing the configure vrrp vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: <number_of_seconds>
Description: Specifies the time, in seconds, to wait to become the VRRP master. Values range from 1 to 3600 seconds.
Restrictions
Default privilege level: 15
Example
The following command sets the hold-down-timer to 10 seconds for the transition to becoming the VRRP master.
CBS(conf-vrrp-vap-group)# hold-down-timer 10
CBS(conf-vrrp-vap-group)#
Syntax
priority-delta <delta_value>
Context
You access this command from the conf-vrrp-vap-group context. You access this context from the main CLI context by issuing the configure vrrp vap-group command.
Parameters
The following table lists the parameters used with this command.
Parameter: priority-delta <delta_value>
Description: Sets a priority-delta value between 0 and 255 that is subtracted from the failover group priority when the number of active VAPs in the group falls below the value configured in active-vap-threshold. The default value is 1. A value of 0 (zero) turns off priority-delta.
Restrictions
Default privilege level: 15
Example
The following command sets a priority-delta value of 105 for the associated VAP group.
CBS(conf-vrrp-vap-group)# priority-delta 105
CBS(conf-vrrp-vap-group)#
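
Both priority-delta commands (verify-next-hop and VAP group) subtract a value from the failover group priority, so a delta that is too small leaves mastership where it is. The following audit is an added example, not code from the guide; it assumes the higher priority holds master status as in standard VRRP, that the result floors at 0, and uses constructed priorities of 200 and 100.

```python
DEFAULT_DELTA = 1  # the guide gives 1 as the default priority-delta


def priority_after(group_priority, delta=DEFAULT_DELTA):
    """Failover group priority once a single monitored condition has fired."""
    if not 0 <= delta <= 255:
        raise ValueError("priority-delta must be from 0 to 255")
    # Assumption: the adjusted priority is not allowed to go below 0.
    return max(group_priority - delta, 0)


def audit_deltas(local_priority, peer_priority, deltas):
    """Return {monitor: finding} for deltas that cannot hand mastership to the peer.

    Assumption (standard VRRP behaviour): the chassis with the higher
    priority is master, so a failure only moves mastership if the adjusted
    local priority ends up strictly below the peer's priority.
    """
    findings = {}
    for monitor, delta in deltas.items():
        adjusted = priority_after(local_priority, delta)
        if delta == 0:
            findings[monitor] = "priority-delta 0: adjustment is turned off"
        elif adjusted >= peer_priority:
            findings[monitor] = (
                f"priority only drops to {adjusted}, peer is at {peer_priority}"
            )
    return findings


# Constructed sample: the monitor labels and the 200/100 priorities are
# illustrative. The delta of 105 is the value used in the guide's examples.
SAMPLE_DELTAS = {
    "verify-next-hop-ip 192.168.2.1": 105,
    "vap-group fwvpn active-vap-threshold": DEFAULT_DELTA,
    "vap-group vap_fw1 active-vap-threshold": 0,
}

if __name__ == "__main__":
    for monitor, finding in audit_deltas(200, 100, SAMPLE_DELTAS).items():
        print(f"{monitor}: {finding}")
```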
vrrp-relinquish-master
The name of the failover group that you want to relinquish master status.
Syntax
vrrp-relinquish-master <VRRP_failover_group>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <VRRP_failover_group>
Description: The name of the failover group that you want to relinquish master status.
Restrictions
Default privilege level: 15
Example
The following command transfers the master status from the primary firewall failover group to the backup firewall failover group so that a technician can update the firewall policies on the VAP group in the primary failover group.
CBS# vrrp-relinquish-master vrrp_fw1_primary
CBS#
After performing the firewall policy update on the VAP group in the primary failover group, the following command returns the master status to the primary failover group.
CBS# vrrp-relinquish-master vrrp_fw2_backup
CBS#
Chapter 9: Commands for Managing X-Series Platform Hardware and Software Upgrades and Maintenance
This chapter contains commands necessary to manage X-Series Platform hardware and software upgrades and maintenance. This chapter contains the following commands:
automated-workflow-menu
automated-workflows
cp-disk-scheme
show cp-disk-scheme
configure cp-action disk-error (config context)
configure module
reload all
reload module
reload offline-cp
reset-cp-serial
reload vap-group
reset-configuration
sleep
upgrade
in-service (upgrade context)
batch-<n> (in-service-upgrade context)
batch-default (in-service-upgrade context)
clear-batches (in-service-upgrade context)
install (in-service-upgrade context)
show (in-service-upgrade context)
install (upgrade context)
remove (upgrade context)
show current-running-release (upgrade context)
show new-release (upgrade context)
show release (upgrade context)
verify-system (upgrade context)
automated-workflow-menu
The automated workflow menu provides access to an infrastructure in which scripts automate various processes. In XOS V9.5, these functional areas have been included in the menus:
Upgrading XOS software and installing recommended firmware
Preparing the system for a possible rollback
Installing XOS firmware only
Rolling back XOS software and firmware
Verifying XOS software and firmware compatibility
When you enter the automated-workflow-menu command, this menu appears on the screen:
Welcome to the X-Series Platform Automated Workflow System!
Version: 1.w.x-yz
1. Configure XOS...
2. Upgrade XOS software and firmware...
3. View system configuration and status...
4. Applications...
5. Custom...
Select a submenu to view available automated workflows.
Enter x to exit or ? for help.
Please Enter Selection:
At any point during the process, you can enter a ? to obtain additional information.
automated-workflows
This command enables you to set parameters associated with the automated-workflow-menu infrastructure.
Syntax
automated-workflows purge-log-files
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: purge-log-files
Description: Purges the automated-workflow log files. A new AWS log file that contains the purge event is created.
Restrictions
Default Privilege Level: 15
Example
This command removes the AWS log files.
CBS# automated-workflows purge-log-files
show automated-workflow-progress
This command displays the progress of the current automated-workflow.
Syntax
show automated-workflow-progress
cp-disk-scheme
This command is used to select a different disk partitioning scheme than the current one. When you execute this command, you set the value of the configured scheme. After the next CPM reboot, the value that you configured is used to reconfigure the disk partitioning scheme. Use the show cp-disk-scheme command to view the current and configured scheme. Use the no parameter to set the value to the current scheme (cancels any setting).
Syntax
[no] cp-disk-scheme {80 | 120 | 250 | 500}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: 80 | 120 | 250 | 500
Description: Selects the specific partitioning scheme that you want.
Restrictions
Default Privilege Level: 15
The partitioning scheme that you select must be equal to or smaller than your CPM disk size.
NOTE: Setting the scheme equal to the current scheme cancels any previous settings.
The partitioning scheme that you select must be larger than the current partitioning scheme.
After executing this command, a reboot is required.
Example
This command sets the configured partitioning scheme to 250 Gigabytes.
CBS# cp-disk-scheme 250
show cp-disk-scheme
This command shows the current disk partitioning scheme and the configured partitioning scheme. To configure a disk partitioning scheme on the CPM-9600, use the cp-disk-scheme command.
Syntax
show cp-disk-scheme
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
CBS# show cp-disk-scheme
Current scheme: 250GB
Configured scheme: 500GB
Syntax
configure cp-action {cp1|cp2} disk-error {offline|none}
Context
You access this command from the configure context that you access from the main CLI context with the configure command.
Parameters
The following table lists the parameters used with this command.
Parameter: cp1 | cp2
Description: Selects the specific CPM.
Parameter: offline
Description: CPM will go offline when a critical disk error occurs.
Parameter: none
Description: CPM will take no action when a critical disk error occurs.
Restrictions
Default Privilege Level: 15
This command is not available on the X20 or X30 chassis.
Example
The following example forces CP1 to go offline when there is a critical disk-error.
CBS(config)# cp-action cp1 disk-error offline
configure module
This command configures the administrative state of one or more modules (APMs, CPMs, and NPMs). NOTE: A CPM cannot be configured to disable or maintenance state.
Syntax
configure module <low> [<high>] {enable|disable|maintenance}
Context
You access this command from the configure context that you access from the main CLI context with the configure command.
Parameters
The following table lists the parameters used with this command.
Parameter: Module <low>
Description: Slot of the module to configure. Valid values are from 1 to 14. If the high parameter is not specified, this is the only module to be configured.
Parameter: Module <high>
Description: Allows you to configure multiple modules. The low parameter specifies the first module (lowest number) and the high parameter specifies the last module (highest number). All modules in the range are configured. Valid values are from 1 to 14.
Parameter: enable
Description: Enables modules.
Parameter: disable
Description: Disables modules (APMs or NPMs only).
Parameter: maintenance
Description: Places modules in the maintenance state (APMs or NPMs only).
Restrictions
Default Privilege Level: 15
reload all
This command allows you to reload all modules in the X-Series Platform immediately or at a specified time. If the at or in parameters are not specified, the reload command acts immediately. IMPORTANT: If any modules are in the maintenance state and you do not supply the maintenance parameter, the reload all command asks you to verify that you want to reload the modules that are in the maintenance state. When you schedule a reload all, a warning message appears when any modules are in the maintenance state.
Syntax
reload all [[maintenance] [[at <hh:mm> <month> <day>] | [in <hh:mm>] [<reason>]]] | [cancel]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: all
Description: Loads all modules.
Parameter: maintenance
Description: Includes maintenance state modules when reloading.
Parameter: at <hh:mm> <month> <day>
Description: Schedules a reload for up to 24 days in the future. For example, if today is Nov. 13 then reload at 10:00 dec 5 will succeed, but reload at 10:00 dec 20 will fail.
Parameter: in <hh:mm>
Description: Schedules a reload in the specified number of hours and minutes.
Parameter: <reason>
Description: Text string explaining the reason for the reload. Spaces are not allowed.
Parameter: cancel
Description: Cancels an existing scheduled reload.
Restrictions
Default Privilege Level: 15
Example
The following example reloads all modules in 2 hours and 30 minutes:
CBS# reload all in 02:30
The following example cancels the reload of all modules.
CBS# reload all cancel
reload module
This command allows you to reload specific modules or a range of modules in the X-Series Platform immediately or at a specified time. If the at or in parameters are not specified, the reload module command acts immediately. IMPORTANT: If any modules are in the maintenance state and you do not supply the maintenance parameter, the reload module command displays a message to verify that you want to reload the modules that are in the maintenance state.
Syntax
reload module <low> [<high>] [[maintenance] [[at <hh:mm> <month> <day>] | [in <hh:mm>] [<reason>]]] | [cancel]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: module <low>
Description: Slot of the module to reload. Valid values are from 1 to 14. If the high parameter is not specified, this is the only module to be reloaded.
Parameter: module <high>
Description: Allows you to reload multiple modules. The low parameter specifies the first module (lowest number) and high specifies the last module (highest number). All modules in between are also reloaded. Valid values are from 1 to 14.
Parameter: maintenance
Description: Includes maintenance state modules when reloading.
Parameter: at <hh:mm> <month> <day>
Description: Schedules a reload for up to 24 days in the future. For example, if today is Nov. 13 then reload at 10:00 dec 5 will succeed, but reload at 10:00 dec 20 will fail.
Parameter: in <hh:mm>
Description: Schedules a reload in the specified number of hours and minutes.
Parameter: <reason>
Description: Text string explaining the reason for the reload. Spaces are not allowed.
Parameter: cancel
Description: Cancels an existing scheduled reload.
Restrictions
Default Privilege Level: 15
Example
The following example reloads modules 2 through 6 in 2 hours and 30 minutes:
CBS# reload module 2 6 in 02:30
reload offline-cp
This command allows you to reload an offline CPM in the X-Series Platform.
Syntax
reload offline-cp
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
The following example reloads an offline CPM.
CBS# reload offline-cp
reset-cp-serial
This command allows you to update the chassis serial number in the CPM flash if the CPM is inserted into a different chassis.
Syntax
reset-cp-serial
Context
You access this command from the main CLI context. This command is only available when a CPM goes offline after being inserted into a different chassis. You must reload the CPM after executing this command.
Restrictions
Default Privilege Level: 15
Applies to an offline CPM only
Example
The following example resets the serial number on an offline CPM.
CBS# reset-cp-serial
reload vap-group
This command allows you to reload a VAP group in the X-Series Platform. IMPORTANT: If any modules in the VAP group are in the maintenance state and you do not supply the maintenance parameter, the reload vap-group command displays a warning message.
Syntax
reload vap-group <VAP_group_name> [<1-63>][maintenance]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Reloads a specific VAP group. VAP groups are reloaded immediately.
Parameter: <1-63>
Description: Specifies the VAP in the VAP group.
Parameter: maintenance
Description: Includes maintenance state modules when reloading.
Restrictions
Default Privilege Level: 15
Example
The following example reloads VAP group group1.
CBS# reload vap-group group1
reset-configuration
This command resets the configuration to the initial installation base, which includes deleting all VAPs. This is an interactive command and asks you if you are sure about re-booting the system. If the shutdown option is specified, the system shuts down after erasing the configuration, otherwise it reboots the system.
Syntax
reset-configuration [shutdown]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: shutdown
Description: Specifies to shut down the system rather than reboot after erasing the configuration.
Restrictions
Default Privilege Level: 15
sleep
This command pauses the X-Series Platform for a given number of seconds.
Syntax
sleep [<number_of_seconds>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <number_of_seconds>
Description: Number of seconds to pause the system. The range is 0 to 65535.
Restrictions
Default Privilege Level: 0
upgrade
This command installs, removes, or displays available XOS software upgrade packages on the CPM. There are five major upgrade commands:
in-service: Installs XOS software upgrades in a manner that minimizes system disruption. Refer to in-service (upgrade context) on page 596 for details.
install: Installs a specified XOS software release package, which is located on the local system.
remove: Removes a specified XOS software release package from the local system.
show: Displays all the current releases located on the local system.
verify-system: Verifies whether the system can be upgraded to a specific release.
NOTE: All upgrade operations are performed on the local system. Remote server upgrades are not supported.
Syntax
upgrade
Inline Commands
The following table lists the CLI commands used inline with the upgrade command.
Command: in-service
Description: Upgrade XOS from the local system with minimal service disruption.
Command: install
Description: Installs an XOS release from the local system or Install Server.
Command: remove
Description: Removes a release from the local system.
Command: show
Description: Displays all of the available releases on the local system.
Command: verify-system <release_number>
Description: Verifies whether the system can be upgraded to the specified release. Specify the <release_number> in the format 9.x.x-yy.
Restrictions
Default Privilege Level: 15
Syntax
in-service
Restrictions
Default Privilege Level: 15
Syntax
batch-<n> [<slot_number>] [<module_number>] [<VAP_name>_<index_number>]
Context
You access this command from the upgrade context and the command places you in the in-service-upgrade context. Access the upgrade context from the main CLI with the upgrade command.
Parameters
The following table lists the parameters used with this command.
Parameter: batch-<n>
Description: The variable <n> specifies the batch number from 1 through 10.
Parameter: <slot_number>
Description: Specifies the slot number to include in the batch.
Parameter: <module_number>
Description: Specifies the module number to include in the batch.
Parameter: <VAP_name>_<index_number>
Description: Specifies the VAP name and VAP name index number to include in the batch.
Restrictions
Default Privilege Level: 15
Example
This example assigns the VAP group fenway_1 and np2 to batch-1:
CBS(in-service-upgrade)# batch-1 fenway_1 np2
Batch1: fenway_1(3) np2(2)
Syntax
batch-default
Context
You access this command from the upgrade context and the command places you in the in-service-upgrade context. Access the upgrade context from the main CLI with the upgrade command.
Restrictions
Default Privilege Level: 15
Example
This example assigns the system calculated default batches to the in-service upgrade:
CBS(in-service-upgrade)# batch-default
Syntax
clear-batches
Context
You access this command from the upgrade context and the command places you in the in-service-upgrade context. Access the upgrade context from the main CLI with the upgrade command.
Restrictions
Default Privilege Level: 15
Example
This example clears all user-defined batches:
CBS(in-service-upgrade)# clear-batches
Syntax
install <release_number> [non-interactive]
Context
You access this command from the upgrade context and the command places you in the in-service-upgrade context. Access the upgrade context from the main CLI with the upgrade command.
Parameters
The following table lists the parameters used with this command.
Parameter: <release_number>
Description: Specifies the XOS release to be installed.
Parameter: non-interactive
Description: Starts the upgrade process to use default values without interaction by the user.
Restrictions
Default Privilege Level: 15
Example
Here is an example of the command for starting a non-interactive XOS V9.5.1 installation:
CBS(in-service-upgrade)# install 9.5.1 non-interactive
Syntax
show [batches | default-batches | new-releases | progress | standby-modules]
Context
You access this command from the upgrade context and the command places you in the in-service-upgrade context. Access the upgrade context from the main CLI with the upgrade command.
Parameters
The following table lists the parameters used with this command.
Parameter: batches
Description: Displays user-defined batches.
Parameter: default-batches
Description: Displays the default in-service batches that are configured by the system.
Parameter: new-releases
Description: Displays all new releases on the local system or the install server. This parameter also displays the software version on offline CPMs.
Parameter: progress
Description: Displays the upgrade progress.
Parameter: standby-modules
Description: Displays the standby and down modules that the system placed into default batches. These modules are moved first during the in-service upgrade. These modules cannot be reassigned to user-defined batches.
Restrictions
Default Privilege Level: 15
Example
Example of default batches as determined automatically by the XOS system. The show default-batches command shows the names and slot numbers of the modules and VAP groups the system has assigned to each batch:
CBS(in-service-upgrade)# show default-batches
Batch1: fw_1(5) tmp_2(7)
Batch2: np4(4)
Batch3: np1(1)
Batch4: bridge_1(10) fw_2(8) fw_3(9) tmp_3(11) tmp_1(6)
In the above example, fw, bridge, and tmp are VAP group names. fw_1 is the first VAP in the fw VAP group. The values in parentheses are slot numbers.
This example shows the standby-modules, those modules that are moved first during the upgrade:
CBS# upgrade in-service
CBS(in-service-upgrade)# show standby-modules
Standby Modules: ap4(6) ap5(7) ap6(8) ap8(10) ap9(11) ap10(12)
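
Before starting an in-service upgrade, the batch listing can be parsed and checked for slots named twice and for VAP groups whose listed VAPs all sit in one batch. This is an added example, not code from the guide; the function names are hypothetical, and treating a group confined to one batch as a service interruption risk is an assumption about how batches are applied.

```python
import re
from collections import defaultdict

# Output copied from the guide's show default-batches example.
PAGE_SAMPLE = """\
Batch1: fw_1(5) tmp_2(7)
Batch2: np4(4)
Batch3: np1(1)
Batch4: bridge_1(10) fw_2(8) fw_3(9) tmp_3(11) tmp_1(6)
"""

# Constructed user-defined batches with two deliberate mistakes.
CONSTRUCTED_SAMPLE = """\
Batch1: fw_1(5) fw_2(8) fw_3(9)
Batch2: np1(1) tmp_1(5)
"""

BATCH = re.compile(r"^Batch(?P<n>\d+):\s*(?P<rest>.*)$")
ENTRY = re.compile(r"(?P<name>[^\s()]+)\((?P<slot>\d+)\)")
VAP = re.compile(r"^(?P<group>.+)_(?P<index>\d+)$")  # <VAP_name>_<index_number>


def parse_batches(text):
    """Return {batch number: [(member name, slot number), ...]}."""
    batches = {}
    for line in text.splitlines():
        match = BATCH.match(line.strip())
        if match:
            batches[int(match["n"])] = [
                (entry["name"], int(entry["slot"]))
                for entry in ENTRY.finditer(match["rest"])
            ]
    return batches


def audit_batches(batches):
    """Return (duplicate_slots, single_batch_groups).

    duplicate_slots: [(slot, first batch, later batch)] for slots listed twice.
    single_batch_groups: {VAP group: (batch, VAP count)} for groups whose
    listed VAPs are all in the same batch.
    """
    first_seen, duplicates = {}, []
    spread, members = defaultdict(set), defaultdict(int)
    for number, entries in sorted(batches.items()):
        for name, slot in entries:
            if slot in first_seen:
                duplicates.append((slot, first_seen[slot], number))
            first_seen.setdefault(slot, number)
            vap = VAP.match(name)
            if vap:  # names without _<index>, such as np4, are modules
                spread[vap["group"]].add(number)
                members[vap["group"]] += 1
    single = {
        group: (min(found), members[group])
        for group, found in spread.items()
        if len(found) == 1
    }
    return duplicates, single


if __name__ == "__main__":
    for label, text in (("guide", PAGE_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        print(label, audit_batches(parse_batches(text)))
```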
Syntax
install <release_number>
Context
You access this command from the upgrade CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <release_number>
Description: The release number for the XOS software package that you want to install from the local system.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command that installs an XOS release:
CBS(upgrade)# install 9.5.1-xx
Syntax
remove <release_number>
Context
You access this command from the upgrade CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <release_number>
Description: This parameter specifies the release number for the XOS software package that you want to remove. This does not remove the currently installed XOS version.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command that removes a down-level XOS release:
CBS(upgrade)# remove 9.5.1-xx
Syntax
show current-running-release
Context
You access this command from the upgrade CLI context.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:
CBS(upgrade)# show current-running-release
Crossbeam: 9.5.1-xx (current)
Syntax
show new-release
Context
You access this command from the upgrade CLI context.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:
CBS(upgrade)# show new-release
Crossbeam: 9.5.1-xx
Format
show release
Context
You access this command from the upgrade CLI context.
Restrictions
Default Privilege Level: 15
Example
CBS(upgrade)# show release
Crossbeam: 9.5.1-xx
Crossbeam: 9.5.1-yy (current)
Format
verify-system <release_number>
Context
You access this command from the upgrade CLI context.
Restrictions
Default Privilege Level: 15
Example
In this example, the specified shar file was not found in the /usr/os/rpm/ directory on the system.
CBS(upgrade)# verify-system 9.5.1-xx
Wed Feb 23 14:23:52 2011 ERROR: Neither /usr/os/rpm/xos-upgradepack-A000-9.5.1-xx.shar nor /usr/os/rpm/xos-upgradepack-A000-9.5.1-xx.shar.gz exists
%MISC-ERR: System is NOT ready for upgrade
Detail: Release 9.5.1-xx
CBS(upgrade)#
Chapter 10: Commands for Managing XOS Configuration Files
This chapter contains commands for managing XOS configuration files. Commands for Managing Startup and Running Configuration Files on page 606 Commands for Displaying Startup and Running Configurations on page 611
copy running-config
This command copies the running configuration to the startup configuration or to a file.
Syntax
copy running-config startup-config
copy running-config {<path_file>} [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [interface] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>]
If you do not specify all-series, only the configuration parameters applicable to the current NPM Series-6 Mode will be copied to the file.
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                                             Description
startup-config                                        Saves the running configuration as the startup configuration.
<path_file>                                           Copies the configuration to a file. You must specify a full path and file name.
-flat                                                 Copies CLI commands with complete context.
-sort                                                 Sorts the output by VAP group and circuit name.
echo-password                                         Includes user-encrypted passwords.
include-default                                       Includes configuration parameters that are still set to their default values.
all-series                                            Includes the configuration components applicable to all NPM Modes.
series-2                                              Includes the configuration components applicable to NPM Series-2 Mode.
series-6                                              Includes the configuration components applicable to NPM Series-6 Mode.
circuit <circuit_name>                                Copies the configuration settings for the specified circuit.
group-interface <group_interface_name>                Copies the configuration settings for the specified group interface.
vrrp-failovergroup <vrrp_failover_group_name>         Copies the configuration settings for the specified VRRP failover group.
interface                                             Copies the configuration settings for single interfaces.
ip-route                                              Copies the IP route configuration details.
system-ip-flow-rule                                   Copies all configured system IP flow rules.
system-non-ip-flow-rule                               Copies all configured system non-IP flow rules.
exclude-wrp                                           Excludes all wrp circuits and references to them.
interface-internal <interface-internal-name>          Copies configuration entries for the specified interface-internal.
interface-status-group <interface-status-group-name>  Copies configuration entries for the specified interface-status-group.
bridge-mode <circuit_name>                            Copies configuration entries for the specified bridge-mode circuit.
Restrictions
Default Privilege Level: 15
copy startup-config
This command copies the startup configuration to a file.
Syntax
copy startup-config <path_file> [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>] [interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]]
If you do not specify all-series, only the configuration parameters applicable to the current NPM Series-6 Mode will be copied to the file.
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                                             Description
startup-config                                        Saves the running configuration as the startup configuration.
<path_file>                                           Copies the configuration to a file. You must specify a full path and file name.
-flat                                                 Copies CLI commands with complete context.
-sort                                                 Sorts the output by VAP group and circuit name.
echo-password                                         Includes user crypted passwords.
include-default                                       Includes configuration parameters that are still set to their default values.
all-series                                            Includes the configuration components applicable to all NPM Modes.
series-2                                              Includes the configuration components applicable to NPM Series-2 Mode.
series-6                                              Includes the configuration components applicable to NPM Series-6 Mode.
circuit <circuit_name>                                Copies the configuration settings for the specified circuit.
group-interface <group_interface_name>                Copies the configuration settings for the specified group interface.
vrrp-failovergroup <vrrp_failover_group_name>         Copies the configuration settings for the specified VRRP failover group.
interface                                             Copies the configuration settings for single interfaces.
ip-route                                              Copies the IP route configuration details.
system-ip-flow-rule                                   Copies all configured system IP flow rules.
system-non-ip-flow-rule                               Copies all configured system non-IP flow rules.
exclude-wrp                                           Excludes all wrp circuits and references to them.
interface-internal <interface-internal-name>          Copies configuration entries for the specified interface-internal.
interface-status-group <interface-status-group-name>  Copies configuration entries for the specified interface-status-group.
bridge-mode <circuit_name>                            Copies configuration entries for the specified bridge-mode circuit.
interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]
                                                      Copies configuration entries for all interfaces. If you specify either gigabitethernet or 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.
Restrictions
Default Privilege Level: 15
logout
This command logs the user out of the current CLI session from any context. As an option to log out of the root level, use the exit command.
Syntax
logout [save-config] [no-confirm]
Context
You access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter    Description
save-config  Copies the running configuration to the startup configuration, saving your configuration changes as part of the logout process.
no-confirm   Allows the save and logout process to proceed without user confirmations being presented by using the default confirmation answers.
Restrictions
Default Privilege Level: 0
Default Privilege Level: logout save-config 15
reset-configuration
This command resets the configuration to the initial installation base, which includes deleting all VAPs. This is an interactive command and asks you if you are sure about re-booting the system. If the shutdown option is specified, the system shuts down after erasing the configuration, otherwise it reboots the system.
Syntax
reset-configuration [shutdown]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter  Description
shutdown   Specifies to shut down the system rather than reboot after erasing the configuration.
Restrictions
Default Privilege Level: 15
grep
This command provides grep functionality for any show command executed from the root context. Use double quotes around the search term and the show command. Specify any grep options by using the -options parameter and enclose multiple grep options in either single quotes or double quotes.
Syntax
grep [-options <opt1> <optx>] <search_term> [<show_command>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                       Description
-options <opt1> through <optx>  Use this parameter to invoke grep options. Specify one or more grep options. When specifying more than one option, use double quotes around the options.
<search_term>                   Specify the search term and use double quotes if using more than one term.
<show_command>                  Specify the related CLI show command and use double quotes when the command contains more than one word.
Restrictions
Default Privilege Level: 15
Example
Here is an example of the grep command that filters all case-insensitive references to system in the running-config file:
CBS# grep -options -i system 'show running-config'
system-identifier 2
system-internal-network 1.1.0.0/16
system-ip-flow-rule external
CBS#
search
The search command provides a simple method to search for single terms within show command output. The show command can include multiple terms bounded by single or double quotes. Two options are available: -exclude, to list only the lines that do not match the term, and -case-sensitive, to perform a case-sensitive search.
Syntax
search [-exclude] [-case-sensitive] <single_search_term> <show_command>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter        Description
-exclude         Only lists non-matching search expression lines.
-case-sensitive  Performs a case-sensitive search. By default, the search command does not consider case.
<search_term>    This must be a single word search term. Valid characters are alphanumeric, underscore, period, exclamation point, tilde, open parenthesis, close parenthesis, forward slash, backward slash, plus sign, colon, and dash (with limitations).
                 NOTE: The dash "-" character cannot be used as a prefix in the search term; for example, "-group" is not a valid search term, but "vap-" and "vap-group" are valid.
<show_command>   Any valid CLI show command can be searched and multiple term show commands must be bounded by single or double-quotes.
Restrictions
Default Privilege Level: 0
Example
The following is an example of a simple search for the VAP operating systems for each configured VAP group.
CBS# search xslinux show running-config
vap-group fw_1 xslinux_v5
vap-group fw_2 xslinux_v5
vap-group fw_3 xslinux_v3
show running-config
This command displays the configuration settings for the current Series-6 NPM Mode. The configuration is listed in the form of CLI commands and their parameter values. By default, this command displays only a subset of the configuration settings (modified settings and certain default settings). To display default settings, use the include-default parameter.
XOS V8.5 or greater maintains configuration information specific to both Series-2 and Series-6 operating modes for upgrade purposes only because Series-2 hardware is not supported in XOS V8.5 or greater. The Series-2 information is important to identify and reconfigure or remove any previously configured components.
The series-2, series-6, and all-series flags can be used to filter the available information.
- The series-2 option displays aspects of the configuration that are valid and applicable in NPM Series-2 mode.
- The series-6 option displays aspects of the configuration that are valid and applicable in NPM Series-6 mode.
- The all-series option displays aspects of the configuration valid for both Series-2 and Series-6 modes.
NOTE: In order to view the values of some parameters, such as mac-addr that has a system-reserved value, you must use the all-series flag. If you do not use one of the series flags, the current running NPM Mode series is assumed.
NOTE: If you use show running-config with the series-2 or the series-6 option, and key criteria (listed below) do not apply to the selected NPM mode, the flow rules will not be displayed. Key criteria include the following items:
- Destination addresses
- Source addresses
- Destination ports
- Source ports
- Protocols
- Primary-action
Series-6 mode does not support rate-limiter or hide-slot-originator. Flow rules with these settings are shown in a Series-6 display, but these parameters are hidden.
NOTE: If you use configure no username admin to remove the default username, you will see this action as a configuration line when you show the running configuration.
Syntax
show running-config [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>] [interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                                             Description
-flat                                                 Displays CLI commands with complete context.
echo-password                                         Includes user crypted passwords.
-sort                                                 Sorts the output by VAP group and circuit name.
include-default                                       Includes configuration parameters that are still set to their default values.
series-2                                              Displays configuration components applicable to series-2 NPM Mode.
series-6                                              Displays configuration components applicable to series-6 NPM Mode.
all-series                                            Displays configuration components for all NPM Modes.
vap-group <VAP_group_name>                            Displays configuration entries for the specified VAP group.
circuit <circuit_name>                                Displays configuration entries for the specified circuit.
group-interface <group_interface_name>                Displays configuration entries for the specified group interface.
vrrp-failovergroup <vrrp_failover_group_name>         Displays configuration entries for the specified VRRP failover group.
ip-route                                              Displays configured IP routes.
system-ip-flow-rule                                   Displays configured system IP flow rules.
system-non-ip-flow-rule                               Displays configured system non IP flow rules.
exclude-wrp                                           Excludes wrp circuits and all references to them.
interface-internal <interface-internal-name>          Displays configuration entries for the specified interface-internal.
interface-status-group <interface-status-group-name>  Displays configuration entries for the specified interface-status-group.
bridge-mode <circuit_name>                            Displays configuration entries for the specified bridge-mode circuit.
interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]
                                                      Displays configuration entries for all interfaces. If you specify either gigabitethernet or 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.
Restrictions
Default Privilege Level: 15
Example
The following abbreviated examples show differences in the output when using the series-2 and series-6 options. Refer to Example XOS Running Configuration File on page 901 for a complete example running-config file.
The following output for show running-config series-6 contains information about the non-ip-flow-rule, which is valid in series-6 NPM Mode only:
CBS# show running-config series-6
vap-group fw xslinux_v3
  raid 0
  vap-count 3
  max-load-count 3
  ap-list ap8 ap9 ap10
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule fw_lb
    action load-balance
    activate
  non-ip-flow-rule a45C
    action drop
#
vap-group fw1 xslinux_v3
  vap-count 3
  max-load-count 3
  ap-list ap5 ap6 ap7
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule fw1_lb
    action load-balance
    activate
  non-ip-flow-rule 33_RA
    action drop
The following abbreviated example shows the output of show running-config using the -flat option:
CBS# show running-config -flat
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
# CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
# Kit Number: xx
#Do not remove above this line
#
configure
#
configure hostname docs-x45 cp1
configure ip domainname crossbeam
configure ip telnet
configure ip ftp
configure system-identifier 2
configure system-internal-network 1.1.0.0/16
configure operating-mode single-np series-2
#
configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
configure access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
#
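The following Python script is an added example, not part of the XOS documentation. It reads a configuration saved with the -flat option (for example with copy running-config <path_file> -flat) and flags the telnet and FTP lines and any access-list entry that permits every source to every destination. It assumes that configure ip telnet and configure ip ftp enable those services and that 255.255.255.255 is a wildcard mask matching any address; the rule names and the access-list 1003 line are constructed for illustration.

```python
import re
from typing import NamedTuple

HEADER_START = "#Do not remove after this line"
HEADER_END = "#Do not remove above this line"
# Assumption: the value after each address is a wildcard mask, so
# 255.255.255.255 matches every address.
ANY_MASK = "255.255.255.255"
# Assumption: these commands enable the cleartext management services.
# The rule names are hypothetical labels, not XOS identifiers.
CLEARTEXT_SERVICES = {("ip", "telnet"): "telnet-enabled",
                      ("ip", "ftp"): "ftp-enabled"}
ACL_RE = re.compile(
    r"^access-list \d+ permit ip source-ip \S+ (?P<src_mask>\S+) "
    r"destination-ip \S+ (?P<dst_mask>\S+)$")

# Lines 1-20 come from the show running-config -flat example in this guide;
# the access-list 1003 line is constructed to show a rule that is not flagged.
SAMPLE_FLAT_CONFIG = """\
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
# CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
# Kit Number: xx
#Do not remove above this line
#
configure
#
configure hostname docs-x45 cp1
configure ip domainname crossbeam
configure ip telnet
configure ip ftp
configure system-identifier 2
configure system-internal-network 1.1.0.0/16
configure operating-mode single-np series-2
#
configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
configure access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
#
configure access-list 1003 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 192.168.1.0 0.0.255.255
"""


class Finding(NamedTuple):
    lineno: int
    rule: str
    line: str


def parse_flat(text):
    """Return (header, commands, unscoped) for a -flat configuration export."""
    header, commands, unscoped = {}, [], []
    in_header = False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = " ".join(raw.split())  # normalise whitespace
        if line == HEADER_START:
            in_header = True
        elif line == HEADER_END:
            in_header = False
        elif line.startswith("#"):
            version = re.match(r"# CLI Version (\S+)", line)
            if in_header and version:
                header["cli_version"] = version.group(1)
        elif line in ("", "configure", "end"):
            continue  # blank line or context marker
        elif line.startswith("configure "):
            commands.append((lineno, line[len("configure "):]))
        else:
            # Without -flat, nested commands lose their context prefix and
            # cannot be judged one line at a time.
            unscoped.append((lineno, line))
    return header, commands, unscoped


def audit(text):
    """Return findings for cleartext services and permit-any access lists."""
    _, commands, unscoped = parse_flat(text)
    findings = [Finding(n, "not-flat", line) for n, line in unscoped]
    for lineno, cmd in commands:
        tokens = cmd.split()
        if tokens[0] == "no":  # "configure no ..." removes a setting
            continue
        rule = CLEARTEXT_SERVICES.get(tuple(tokens[:2]))
        if rule:
            findings.append(Finding(lineno, rule, cmd))
            continue
        m = ACL_RE.match(cmd)
        if m and m["src_mask"] == ANY_MASK and m["dst_mask"] == ANY_MASK:
            findings.append(Finding(lineno, "acl-permit-any-any", cmd))
    return sorted(findings)


if __name__ == "__main__":
    for f in audit(SAMPLE_FLAT_CONFIG):
        print(f"line {f.lineno}: {f.rule}: {f.line}")
```

A not-flat finding means the file was saved without -flat, so the remaining results cannot be relied on until the configuration is exported again with that option.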
show startup-config
This command displays the startup configuration. The startup configuration is used the next time the system starts. The configuration is displayed in the form of CLI commands. By default, this command displays only user-modified settings. To display all settings, including unmodified default settings, use the include-default parameter.
XOS V8.5 or greater maintains configuration information specific to both Series-2 and Series-6 operating modes for upgrade purposes only because Series-2 hardware is not supported in XOS V8.5 or greater. The Series-2 information is important to identify and reconfigure or remove any previously configured components.
The series-2, series-6, and all-series flags can be used to filter the available information.
- The series-2 option displays aspects of the configuration that are valid and applicable in NPM Series-2 mode.
- The series-6 option displays aspects of the configuration that are valid and applicable in NPM Series-6 mode.
- The all-series option displays aspects of the configuration valid for both Series-2 and Series-6 modes.
NOTE: In order to view the values of some parameters, such as mac-addr that has a system-reserved value, you must use the all-series flag. If you do not use one of the series flags, the current running NPM Mode series is assumed.
NOTE: If you use show startup-config with the series-2 or the series-6 option, and key criteria (listed below) do not apply to the selected NPM mode, the flow rules will not be displayed. For example, if you enter show startup-config series-6, and the flow rule contains a domain range, the flow rule will not be displayed because NPM Series-6 mode does not support domain ranges.
Key criteria include the following items:
- Destination addresses
- Source addresses
- Destination ports
- Source ports
- Protocols
- Primary-action
In the case of the following minor criteria, when they do not apply to a flow rule (based on the NPM mode you designated with the show startup-config command), only the non-applicable parameters are hidden, not the entire rule:
- Hide-slot-originator
Syntax
show startup-config [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>] [interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                                             Description
-flat                                                 Displays CLI commands with complete context.
echo-password                                         Includes user crypted passwords.
-sort                                                 Sorts the output by VAP group and circuit name.
include-default                                       Includes configuration parameters that are still set to their default values.
series-2                                              Displays configuration components applicable to series-2 NPM Mode.
series-6                                              Displays configuration components applicable to series-6 NPM Mode.
all-series                                            Displays configuration components for all NPM Modes.
vap-group <VAP_group_name>                            Displays configuration entries for the specified VAP group.
circuit <circuit_name>                                Displays configuration entries for the specified circuit.
group-interface <group_interface_name>                Displays configuration entries for the specified group interface.
vrrp-failovergroup <vrrp_failover_group_name>         Displays configuration entries for the specified VRRP failover group.
ip-route                                              Displays configured IP routes.
system-ip-flow-rule                                   Displays configured system IP flow rules.
system-non-ip-flow-rule                               Displays configured system non IP flow rules.
exclude-wrp                                           Excludes wrp circuits and all references to them.
interface-internal <interface-internal-name>          Displays configuration entries for the specified interface-internal.
interface-status-group <interface-status-group-name>  Displays configuration entries for the specified interface-status-group.
bridge-mode <circuit_name>                            Displays configuration entries for the specified bridge-mode circuit.
interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]
                                                      Displays configuration entries for all interfaces. If you specify either gigabitethernet or 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.
Restrictions
Default Privilege Level: 15
Example
Refer to Example XOS Running Configuration File on page 901. The following is an example of this command:
CBS# show startup-config -flat
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
# CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
# Kit Number: xx
#Do not remove above this line
#
configure
#
configure hostname docs-x45 cp1
configure ip domainname crossbeam
configure ip telnet
configure ip ftp
configure system-identifier 2
configure system-internal-network 1.1.0.0/16
configure operating-mode single-np series-2
#
configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
configure access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
#
ntp server 192.168.1.101
#
module 12 disable
#
username admin privilege 15 gui-level administrator
#
no timeout web-server web-timeout 65535
#
alias wr 'copy running-config startup-config'
#
vap-group L3 xslinux_v3
  vap-count 3
  ap-list ap7 ap8 ap9
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule LB
    action load-balance
    activate
vap-group IDS xslinux_v3
  vap-count 3
  ap-list ap7 ap8 ap9
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule IDS
    action load-balance
    activate
vap-group FW xslinux_v3
  vap-count 3
  max-load-count 1
  ap-list ap3 ap4 ap5
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-forwarding
  ip-flow-rule Slb
    action load-balance
    activate
#
dns server 192.168.1.102
dns server 192.168.1.102 vap-group IDS
#
dns search-name crossbeam.com
dns search-name crossbeam.com vap-group IDS
dns search-name lab.crossbeam.com vap-group IDS
0.0.0.0 255.255.255.255 destination-ip 192.168.1.0 0.0.255.255
.
.
#
redundancy-interface master gigabitethernet 1/2 backup gigabitethernet 2/2
  mac-usage master
  failovermode preemption-on
#
vrrp failover-group one failover-group-id 1
  preemption
  priority 200
  virtual-router vrrp-id 1 circuit intr320
    vap-group FW
    virtual-ip 100.3.20.251/24 100.3.20.255
  virtual-router vrrp-id 2 circuit intr420
    vap-group FW
    virtual-ip 100.4.20.251/24 100.4.20.255
vrrp failover-group two failover-group-id 2
  preemption
  priority 250
  virtual-router vrrp-id 3 circuit mltvlan110
    vap-group FW
    virtual-ip 100.1.10.251/24 100.1.10.255
  virtual-router vrrp-id 4 circuit mltvlan210
    vap-group FW
    virtual-ip 100.2.10.251/24 100.2.10.255
#
ip route 79.0.0.0/24 78.0.0.100 vap-group FW circuit 78net
ip route 80.0.0.0/24 78.0.0.100 vap-group FW circuit 78net
ip route 192.168.66.0/24 192.168.74.1 vap-group FW circuit fwman
ip route 100.10.10.0/24 100.1.10.100 vap-group FW circuit mltvlan110
ip route 100.20.10.0/24 100.2.10.100 vap-group FW circuit mltvlan210
ip route 100.30.20.0/24 100.3.20.100 vap-group FW circuit intr320
ip route 100.40.20.0/24 100.4.20.100 vap-group FW circuit intr420.
end
CBS#
Chapter 11: Advanced XOS Configuration Commands
This chapter contains XOS commands for advanced configuration tasks. This chapter contains the following commands:
- alias
- configure alias
- auto-promote
- echo
- exec
- script
- unix
alias
This command creates an alias text string for an existing command. This only applies for the current user and session. The alias supersedes the command. The no version of the command deletes the alias.
Syntax
[no] alias <alias_name> <alias_command_line>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter             Description
<alias_name>          Specify a unique alias name.
<alias_command_line>  Specify the command to which the alias string is associated. Single strings containing a space must be placed inside quotation marks.
Restrictions
Default Privilege Level: 0
Example
This example uses the string protect to execute the configure vap-group firewall command.
CBS# alias protect configure vap-group firewall
configure alias
This command creates an alias. The alias supersedes the command and applies to all CLI users. The no parameter deletes the alias.
Syntax
configure [no] alias <alias_name> <alias_command_line>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter             Description
<alias_name>          Specify a unique name for the alias.
<alias_command_line>  Specify the command to which the alias string is associated. Single strings containing a space must be placed inside quotation marks.
Restrictions
Default Privilege Level: 15
auto-promote
This command is useful (for example) to copy and paste configuration commands from a source, such as the show running-config output, into a CLI session. If a command fails because the current CLI context is incorrect for the command's format, the auto-promote feature allows the failed command to be retried at the parent mode. This retrying process continues until the command is successfully executed or the command fails at the root mode. The context changes to the context of the command associated with the alias. If the command fails at the root, the context does not change.
Disabled by default, this command should be disabled again immediately after you are finished using it. To do so, use the no version of the command. The no version of the command does not allow commands to be executed from other than their designated context (normal CLI operation).
NOTE: This command is valid only for the current CLI session.
Caution: Using the auto-promote command automatically selects all command defaults, and disables auto confirm functions of commands. The auto-promote command disables the enable more command, thus disabling the Press any key to continue prompts for each screen of output. Even more importantly, it automatically uses defaults to answer dangerous commands like reload vap-group and reset-configuration. Use this command with extreme caution, and be sure to disable it (no auto-promote) when it is not needed.
Syntax
[no] auto-promote
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
This example allows the show circuit command to be executed even though the CLI is in the config-vap-grp context. In this case, the CLI is returned to the Main context and the command is successfully executed. After the command is executed, the CLI returns to the current context.
CBS# auto-promote
CBS# configure vap-group fw
CBS(config-vap-grp)# show circuit admin-status test
Circuit Name : test
Circuit-Id : 1026
Device Name : sideA
Incoming Circuit Group : 1
Promiscuous Mode : no promiscuous
Proxy ARP Enabled (true/false) : f
IP Forwarding (true/false) : t
ICMP Redirect (true/false) : f
Hide VLAN Header (true/false) : f
Reclassify NAT Flows (true/false) : f
IP Flow Rule Priority : 21
IP Flow Rule No Failover (true/false) : f
VAP Group : fw
Verify Next Hop IP :
Aggregation Mode : none
Primary/Alias Index : primary
Domain : 1
IP Address : 192.168.10.1/24
IP Broadcast Address : 192.168.10.255
Increment-per-vap Mode (true/false) : f
New Flow Control (true/false) : t
DHCP Relay (true/false) : f
Default Egress Vlan Tag : N/A
Replace Egress Vlan Tag : N/A
MAC Address : 00:03:d2:e0:02:65 (system-reserved)
MTU : 1500
Management Circuit (true/false) : f
CBS(config-vap-grp)#
echo
This command echoes the text identified by <string> to your monitor.
Syntax
echo [<string>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter  Description
<string>   String that is displayed on the screen.
Restrictions
Default Privilege Level: 0
exec
This command executes a CLI script file.
Syntax
exec [-echo] [prompt-on-error|continue-on-error|stop-on-error] [no-confirm] <file_name>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter          Description
-echo              Displays the commands in the script file back to the terminal.
prompt-on-error    Prompts you to continue after an error is encountered.
continue-on-error  The XOS CLI does not stop executing the script when an error is encountered.
stop-on-error      The XOS CLI stops executing the script when an error is encountered. This is the default.
no-confirm         Executes the script without user input by using default values as necessary.
<file-name>        Name of the CLI script to execute.
Restrictions
Default Privilege Level: 0
script
In addition to displaying output to the screen, this command saves CLI output to a file. After entering the script command, all commands you enter are saved to the file. Be aware that the commands you enter while in a script session also affect your running configuration. The no script command ends this session.
Syntax
[no] script <path_and_file>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter        Description
<path_and_file>  Saves CLI output to a file.
Restrictions
Default Privilege Level: 0
unix
This command executes a UNIX command and returns to the CLI prompt or starts a UNIX session.
Syntax
unix [<command>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter  Description
<command>  Specifies the UNIX command to execute. If a command is not entered, the CLI prompt changes to a Linux shell prompt. Return to the CLI prompt by entering exit.
Restrictions
Default Privilege Level: 15
Chapter 12: Commands for Displaying XOS Configuration Settings
This chapter contains commands that display XOS configuration settings.
- Commands for Displaying All Configuration Settings
- Commands for Displaying X-Series Platform Hardware and XOS Software Version Information
- Commands for Displaying X-Series Platform Management Configuration Settings
- Commands for Displaying X-Series Platform Management Interface Configuration Settings
- Commands for Displaying User Account and User Access Configuration Settings
- Commands for Displaying System Alarm and Logging Configuration Settings
- Commands for Displaying CPM Redundancy Configuration Settings
- Commands for Displaying VAP Group Configuration Settings
- Commands for Displaying Flow Provisioning Configuration Settings
- Commands for Displaying Circuits and Interface Configuration Settings
- Commands for Displaying Multi-System High-Availability Configuration Settings
- Commands for Displaying Hardware and Software Maintenance Configuration Settings
- Commands for Displaying Advanced Configuration Settings
- Commands for Displaying Console Display Configuration Settings
grep
This command provides grep functionality for any show command executed from the root context. Use double quotes around the search term and the show command. Use any grep options with the -options parameter and use double quotes around multiple grep options.
Syntax
grep [-options <opt1> <optx>] <search_term> [<show_command>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                       Description
-options <opt1> through <optx>  Use this parameter to invoke grep options. Specify one or more grep options. When specifying more than one option, use double quotes around the options.
<search_term>                   Specify the search term and use double quotes if using more than one term.
<show_command>                  Specify the related CLI show command and use double quotes when the command contains more than one word.
Restrictions
Default Privilege Level: 15
Example
Here is an example of the grep command that filters all case-insensitive references to system in the running-config file:
    CBS# grep -options -i system 'show running-config'
    system-identifier 2
    system-internal-network 1.1.0.0/16
    system-ip-flow-rule external
search
The search command provides a simple method to search for single terms within show command output. The show command can include multiple terms bounded by single or double quotes. Two options are available: -exclude, which lists only the lines that do not match, and -case-sensitive, which performs a case-sensitive search.
Syntax
search [-exclude] [-case-sensitive] <single_search_term> <show_command>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
-exclude
    Only lists non-matching search expression lines.
-case-sensitive
    Performs a case-sensitive search. By default, the search command does not consider case.
<search_term>
    This must be a single word search term. Valid characters are alphanumeric, dash, underscore, period, exclamation point, tilde, open parenthesis, close parenthesis, forward slash, backward slash, plus sign, and colon.
<show_command>
    Any valid CLI show command can be searched and multiple term show commands must be bounded by single or double-quotes.
Restrictions
Default Privilege Level: 0
Example
The following is an example of a simple search for the VAP operating systems for each configured VAP group.
    CBS# search xslinux show running-config
    vap-group fw_1 xslinux_v5
    vap-group fw_2 xslinux_v5_64
    vap-group fw_3 xslinux_v3
show audit-trail
This command displays the entries in the audit-trail log file that match the specified filter criteria. If no filter criteria are specified, the command displays all entries in the audit-trail log file.
The audit-trail process records an entry in the audit-trail log file each time a user issues a CLI command and each time the CLI starts one of the following processes:
    routing-protocol
    routing-protocol-service
    application
    application-remove
    application-update
    archive-vap-group
NOTE: The audit-trail process does not record entries for CLI show commands.
Audit-trail log file entries also include detailed information about the CLI warning and error messages (if any) that result from each CLI command entry.
Syntax
show audit-trail [<username>] [type {cli | web | both}] [chronological-order] [date [<month>] [<date>] [<year>] [<hh:mm:ss>]]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
<username>
    Specifies the username to match. The match is case-insensitive.
type {cli | web | both}
    Specifies commands issued by either CLI users, or Web interface users, or both.
    cli - Displays only commands issued by CLI users.
    web - Displays only commands issued by Web interface users.
    both - Displays commands issued by users of both interfaces.
chronological-order
    Displays the log with the most recent entries first. Default displays the oldest entries first.
date
    The date parameter takes the following arguments:
    <jan-dec> - Three letter month name (lower-case). Default is jan.
    <1-31> - Date of month. Default is 1.
    <2000-3000> - Four digit year. Default is 2000.
    <hh:mm:ss> - Time in hh:mm:ss 24-hour format. Default is 00:00:00.
    This parameter filters the output to display commands issued since the date specified. If an argument is omitted, the default is used. For best results, specify a month, date, and year.
Restrictions
Default Privilege Level: 0
Example
The following audit-trail output shows audit trail entries at the start and completion of the application command run.
For the command:
    CBS# application fw1 vap-group ipf install
Entries in the audit trail:
    Apr 5 18:10:16 omaha cli: USER: admin, COMMAND: CBS# application > application fw1 vap-group ipf install #STARTED
    Apr 5 18:12:25 omaha cli: USER: admin, COMMAND: CBS# application > application fw1 vap-group ipf install
If a command fails, the audit trail provides an error message and details about the error. In the following example, the configure circuit vap-group ip alias command failed. In addition to the Invalid value output, the console and audit trail outputs provide the following detail information:
    Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip.
CLI console:
    CBS# configure circuit cct
    CBS(conf-cct)# vap-group jack
    CBS(conf-cct-vapgroup)# ip 5.5.5.5/24
    CBS(conf-cct-vapgroup-ip)# alias 5.5.5.5/24
    %CONF-ERR: Invalid value
    Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip
    CBS(conf-cct-vapgroup-ip)#
    CBS# show audit-trail
    /var/log/audit-trail
    Aug 29 18:22:14 earth cli: USER: admin, COMMAND: CBS# configure circuit > configure circuit cct
    Aug 29 18:22:17 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group > vap-group jack
    Aug 29 18:22:23 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip > ip 5.5.5.5/24
    Aug 29 18:22:56 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip alias > alias 5.5.5.5/24 #Failure: CONF-ERR: Invalid value, Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip
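The entry layout shown in these examples can be parsed to pull failed commands, with the nested commands that led to them, out of an audit-trail capture. The following is an added example, not part of the XOS documentation or software. It assumes every entry follows the layout of the samples above; rebuilding the command path from the nested contexts is a heuristic inferred from those samples, and all function and field names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample, reusing the layout of the audit-trail entries shown above.
SAMPLE_LOG = """\
Aug 29 18:22:14 earth cli: USER: admin, COMMAND: CBS# configure circuit > configure circuit cct
Aug 29 18:22:17 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group > vap-group jack
Aug 29 18:22:23 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip > ip 5.5.5.5/24
Aug 29 18:22:56 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip alias > alias 5.5.5.5/24 #Failure: CONF-ERR: Invalid value, Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip
"""

# <timestamp> <host> <interface>: USER: <user>, COMMAND: <prompt># <context> > <command> [#<status>[: <message>]]
ENTRY_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<interface>\w+):\s+USER:\s*(?P<user>[^,]+),\s*COMMAND:\s*\S+#\s*"
    r"(?P<context>.*?)\s*>\s*(?P<command>.*?)"
    r"(?:\s+#(?P<status>[A-Za-z]+)(?::\s*(?P<message>.*))?)?\s*$"
)


@dataclass
class AuditEntry:
    timestamp: str          # the log line carries no year, so it is kept as text
    host: str
    interface: str          # "cli" in the samples on this page
    user: str
    context: str            # CLI context the command was issued in
    command: str
    status: Optional[str]   # None, "STARTED", "Failure", ...
    error: Optional[str]    # e.g. "CONF-ERR: Invalid value"
    detail: Optional[str]   # text after "Detail:", if any


def parse_entry(line: str) -> Optional[AuditEntry]:
    """Parse one audit-trail line; return None if it does not fit the layout."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    error = detail = None
    if m["message"]:
        error, _, detail = m["message"].partition(", Detail: ")
        detail = detail or None
    return AuditEntry(m["timestamp"], m["host"], m["interface"], m["user"].strip(),
                      m["context"], m["command"], m["status"], error, detail)


def parse_log(text: str) -> Tuple[List[AuditEntry], List[str]]:
    """Return (parsed entries, lines that did not parse) so nothing is silently lost."""
    entries: List[AuditEntry] = []
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            unparsed.append(line)
        else:
            entries.append(entry)
    return entries, unparsed


def failures_with_path(entries: List[AuditEntry]) -> List[Tuple[AuditEntry, List[str]]]:
    """Pair each failed entry with the chain of commands that opened its context.

    Heuristic: an entry is nested under the previous entry of the same host and
    user when its context extends that entry's context by at least one word.
    """
    stacks: Dict[Tuple[str, str], List[AuditEntry]] = {}
    failures = []
    for entry in entries:
        stack = stacks.setdefault((entry.host, entry.user), [])
        while stack and not entry.context.startswith(stack[-1].context + " "):
            stack.pop()
        stack.append(entry)
        if entry.status and entry.status.lower() == "failure":
            failures.append((entry, [e.command for e in stack]))
    return failures


if __name__ == "__main__":
    parsed, skipped = parse_log(SAMPLE_LOG)
    for failed, path in failures_with_path(parsed):
        print(f"{failed.timestamp} {failed.host} user={failed.user}")
        print("  path  : " + " / ".join(path))
        print(f"  error : {failed.error}")
        print(f"  detail: {failed.detail}")
    if skipped:
        print(f"{len(skipped)} line(s) did not match the expected layout")
```
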
show history
This command displays the past several commands in the configurable history buffer that you entered during this session. The default history buffer includes 70 commands.
Syntax
show history
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show running-config
This command displays the configuration settings for the current Series-6 NPM Mode. The configuration is listed in the form of CLI commands and their parameter values. By default, this command displays only a subset of the configuration settings (modified settings and certain default settings). To display default settings, use the include-default parameter.
XOS V8.5 or greater maintains configuration information specific to both Series-2 and Series-6 operating modes for upgrade purposes only because Series-2 hardware is not supported in XOS V8.5 or greater. The Series-2 information is important to identify and reconfigure or remove any previously configured components. The series-2, series-6, and all-series flags can be used to filter the available information.
The series-2 option displays aspects of the configuration that are valid and applicable in NPM Series-2 mode. The series-6 option displays aspects of the configuration that are valid and applicable in NPM Series-6 mode. The all-series option displays aspects of the configuration valid for both Series-2 and Series-6 modes.
NOTE: In order to view the values of some parameters, such as mac-addr that has a system-reserved value, you must use the all-series flag. If you do not use one of the series flags, the current running NPM Mode series is assumed.
NOTE: Certain flow rules may not be displayed when using the series-2 or series-6 option. This occurs if a flow rule has a setting not applicable to that NPM mode. For example, if you enter show startup-config series-6, and the flow rule contains a domain range, the flow rule will not be displayed because NPM Series-6 mode does not support domain ranges.
Key criteria include the following items:
    Destination addresses
    Source addresses
    Destination ports
    Source ports
    Protocols
    Domain
    Primary-action
Series-6 mode does not support rate-limiter or hide-slot-originator. Flow rules with these settings are shown in a Series-6 display, but these parameters are hidden.
NOTE: If you use configure no username admin to remove the default username, you will see this action as a configuration line when you show the running configuration.
Syntax
show running-config [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>] [interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
-flat
    Displays CLI commands with complete context.
echo-password
    Includes user-encrypted passwords.
-sort
    Sorts the output by VAP group and circuit name.
include-default
    Includes configuration parameters that are still set to their default values.
series-2
    Displays configuration components applicable to series-2 NPM Mode.
series-6
    Displays configuration components applicable to series-6 NPM Mode.
all-series
    Displays configuration components for all NPM Modes.
vap-group <VAP_group_name>
    Displays configuration entries for the specified VAP group.
circuit <circuit_name>
    Displays configuration entries for the specified circuit.
group-interface <group_interface_name>
    Displays configuration entries for the specified group interface.
vrrp-failovergroup <vrrp_failover_group_name>
    Displays configuration entries for the specified VRRP failover group.
ip-route
    Displays configured IP routes.
system-ip-flow-rule
    Displays configured system IP flow rules.
system-non-ip-flow-rule
    Displays configured system non IP flow rules.
exclude-wrp
    Excludes wrp circuits and all references to them.
interface-internal <interface_internal_name>
    Displays configuration entries for the specified interface-internal.
interface-status-group <interface_status_group_name>
    Displays configuration entries for the specified interface-status-group.
bridge-mode <circuit_name>
    Displays configuration entries for the specified bridge-mode circuit.
interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]
    Displays configuration entries for all interfaces. If you specify either gigabitethernet or 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.
Restrictions
Default Privilege Level: 0
Example
The following abbreviated examples show differences in the output when using the series-2 and series-6 options. Refer to Example XOS Running Configuration File on page 901 for a complete example running-config file.
The following output for show running-config series-6 contains information about the non-ip-flow-rule, which is valid in series-6 NPM Mode only:
    CBS# show running-config series-6
    vap-group fw xslinux_v3
      raid 0
      vap-count 3
      max-load-count 3
      ap-list ap8 ap9 ap10
      load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
      ip-flow-rule fw_lb
        action load-balance
        activate
      non-ip-flow-rule a45C
        action drop
    #
    vap-group fw1 xslinux_v3
      vap-count 3
      max-load-count 3
      ap-list ap5 ap6 ap7
      load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
      ip-flow-rule fw1_lb
        action load-balance
        activate
      non-ip-flow-rule 33_RA
        action drop
The following abbreviated example shows the output of show running-config using the -flat option:
    CBS# show running-config -flat
    #Do not remove after this line
    # Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
    # Configuration generated by CLI on Wed Feb 23 14:23:52 2011
    # CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
    # Kit Number: xx
    #Do not remove above this line
    #
    configure
    #
    configure hostname docs-x45 cp1
    configure ip domainname crossbeam
    configure ip telnet
    configure ip ftp
    configure system-identifier 2
    configure system-internal-network 1.1.0.0/16
    configure operating-mode single-np series-2
    #
    configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
    configure access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
    #
show startup-config
This command displays the startup configuration. The startup configuration is used the next time the system starts. The configuration is displayed in the form of CLI commands. By default, this command displays only user-modified settings. To display all settings, including unmodified default settings, use the include-default parameter.
XOS V8.5 or greater maintains configuration information specific to both Series-2 and Series-6 operating modes for upgrade purposes only because Series-2 hardware is not supported in XOS V8.5 or greater. The Series-2 information is important to identify and reconfigure or remove any previously configured components. The series-2, series-6, and all-series flags can be used to filter the available information.
The series-2 option displays aspects of the configuration that are valid and applicable in NPM Series-2 mode. The series-6 option displays aspects of the configuration that are valid and applicable in NPM Series-6 mode. The all-series option displays aspects of the configuration valid for both Series-2 and Series-6 modes.
NOTE: In order to view the values of some parameters, such as mac-addr that has a system-reserved value, you must use the all-series flag. If you do not use one of the series flags, the current running NPM Mode series is assumed.
NOTE: If you use show startup-config with the series-2 or the series-6 option, and key criteria (listed below) do not apply to the selected NPM mode, the flow rules will not be displayed. For example, if you enter show startup-config series-6, and the flow rule contains a domain range, the flow rule will not be displayed because NPM Series-6 mode does not support domain ranges.
Key criteria include the following items:
    Destination addresses
    Source addresses
    Destination ports
    Source ports
    Protocols
    Primary-action
In the case of the following minor criteria, when they do not apply to a flow rule (based on the NPM mode you designated with the show startup-config command), only the non-applicable parameters are hidden, not the entire rule:
    Hide-slot-originator
Syntax
show startup-config [-flat] [echo-password] [-sort] [include-default] [series-2 | series-6 | all-series] [vap-group <VAP_group_name>] [circuit <circuit_name>] [group-interface <group_interface_name>] [vrrp-failovergroup <vrrp_failover_group_name>] [ip-route] [system-ip-flow-rule] [system-non-ip-flow-rule] [exclude-wrp] [interface-internal <interface_internal_name>] [interface-status-group <interface_status_group_name>] [bridge-mode <circuit_name>] [interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
-flat
    Displays CLI commands with complete context.
echo-password
    Includes user-encrypted passwords.
-sort
    Sorts the output by VAP group and circuit name.
include-default
    Includes configuration parameters that are still set to their default values.
series-2
    Displays configuration components applicable to series-2 NPM Mode.
series-6
    Displays configuration components applicable to series-6 NPM Mode.
all-series
    Displays configuration components for all NPM Modes.
vap-group <VAP_group_name>
    Displays configuration entries for the specified VAP group.
circuit <circuit_name>
    Displays configuration entries for the specified circuit.
group-interface <group_interface_name>
    Displays configuration entries for the specified group interface.
vrrp-failovergroup <vrrp_failover_group_name>
    Displays configuration entries for the specified VRRP failover group.
ip-route
    Displays configured IP routes.
system-ip-flow-rule
    Displays configured system IP flow rules.
system-non-ip-flow-rule
    Displays configured system non IP flow rules.
exclude-wrp
    Excludes wrp circuits and all references to them.
interface-internal <interface_internal_name>
    Displays configuration entries for the specified interface-internal.
interface-status-group <interface_status_group_name>
    Displays configuration entries for the specified interface-status-group.
bridge-mode <circuit_name>
    Displays configuration entries for the specified bridge-mode circuit.
interface [10gigabitethernet <slot/port> | gigabitethernet <slot/port>]
    Displays configuration entries for all interfaces. If you specify either gigabitethernet or 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.
Restrictions
Default Privilege Level: 15
Example
Refer to Example XOS Running Configuration File on page 901. The following is an example of this command:
    CBS# show startup-config -flat
    #Do not remove after this line
    # Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
    # Configuration generated by CLI on Wed Feb 23 14:23:52 2011
    # CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
    # Kit Number: xx
    #Do not remove above this line
    #
    configure
    #
    configure hostname docs-x45 cp1
    configure ip domainname crossbeam
    configure ip telnet
    configure ip ftp
    configure system-identifier 2
    configure system-internal-network 1.1.0.0/16
    configure operating-mode single-np series-2
    #
    configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
    configure access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
    #
    ntp server 192.168.1.101
    #
    module 12 disable
    #
    username admin privilege 15 gui-level administrator
    #
    no timeout web-server web-timeout 65535
    #
    alias wr 'copy running-config startup-config'
    #
    vap-group L3 xslinux_v3
      vap-count 3
      ap-list ap7 ap8 ap9
      load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
      ip-flow-rule LB
        action load-balance
        activate
    vap-group IDS xslinux_v3
      vap-count 3
      ap-list ap7 ap8 ap9
      load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
      ip-flow-rule IDS
        action load-balance
        activate
    vap-group FW xslinux_v3
      vap-count 3
      max-load-count 1
      ap-list ap3 ap4 ap5
      load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
      ip-forwarding
      ip-flow-rule Slb
        action load-balance
        activate
    #
    dns server 192.168.1.102
    dns server 192.168.1.102 vap-group IDS
    #
    dns search-name crossbeam.com
    dns search-name crossbeam.com vap-group IDS
    dns search-name lab.crossbeam.com vap-group IDS
    0.0.0.0 255.255.255.255 destination-ip 192.168.1.0 0.0.255.255
    .
    .
    #
    redundancy-interface master gigabitethernet 1/2 backup gigabitethernet 2/2
      mac-usage master
      failovermode preemption-on
    #
    vrrp failover-group one failover-group-id 1
      preemption
      priority 200
      virtual-router vrrp-id 1 circuit intr320
        vap-group FW
        virtual-ip 100.3.20.251/24 100.3.20.255
      virtual-router vrrp-id 2 circuit intr420
        vap-group FW
        virtual-ip 100.4.20.251/24 100.4.20.255
    vrrp failover-group two failover-group-id 2
      preemption
      priority 250
      virtual-router vrrp-id 3 circuit mltvlan110
        vap-group FW
        virtual-ip 100.1.10.251/24 100.1.10.255
      virtual-router vrrp-id 4 circuit mltvlan210
        vap-group FW
        virtual-ip 100.2.10.251/24 100.2.10.255
    #
    ip route 79.0.0.0/24 78.0.0.100 vap-group FW circuit 78net
    ip route 80.0.0.0/24 78.0.0.100 vap-group FW circuit 78net
    ip route 192.168.66.0/24 192.168.74.1 vap-group FW circuit fwman
    ip route 100.10.10.0/24 100.1.10.100 vap-group FW circuit mltvlan110
    ip route 100.20.10.0/24 100.2.10.100 vap-group FW circuit mltvlan210
    ip route 100.30.20.0/24 100.3.20.100 vap-group FW circuit intr320
    ip route 100.40.20.0/24 100.4.20.100 vap-group FW circuit intr420
    .
    end
    CBS#
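Because -flat prints every command with its complete context, a show running-config -flat capture and a show startup-config -flat capture can be compared line by line to find changes that were never saved, or saved settings that are no longer running. The following is an added example, not part of the XOS documentation or software: the two captures are constructed in the layout of the -flat examples above, and the function names and the watch-list of prefixes are assumptions of the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed captures in the layout of the -flat examples above. The running copy
# has telnet and an access list that are not in the startup copy; the startup copy
# has an NTP server that is not in the running copy.
RUNNING_FLAT = """\
CBS# show running-config -flat
#Do not remove after this line
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
#Do not remove above this line
#
configure hostname docs-x45 cp1
configure ip domainname crossbeam
configure ip telnet
configure ip ftp
configure system-identifier 2
configure access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
#
"""

STARTUP_FLAT = """\
CBS# show startup-config -flat
#Do not remove after this line
# Configuration generated by CLI on Tue Feb 22 09:10:03 2011
#Do not remove above this line
#
configure hostname docs-x45 cp1
configure ip domainname crossbeam
configure ip ftp
configure system-identifier 2
configure ntp server 192.168.1.101
#
"""

# Assumption of this example: differences under these prefixes get flagged for review.
WATCH_PREFIXES = ("configure ip telnet", "configure ip ftp", "configure access-list")


def flat_commands(text: str) -> List[str]:
    """Return the configure commands of a -flat capture, in order.

    Only lines that begin with "configure " are kept, so the "#Do not remove ..."
    header with its timestamps, the "#" separators and the CLI prompt never show
    up as differences.
    """
    commands = []
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse runs of whitespace
        if line.startswith("configure "):
            commands.append(line)
    return commands


def _only_in(first: List[str], second: List[str]) -> List[str]:
    """Commands of `first` with no counterpart in `second` (duplicates counted)."""
    remaining = Counter(second)
    missing = []
    for command in first:
        if remaining[command] > 0:
            remaining[command] -= 1
        else:
            missing.append(command)
    return missing


def config_drift(running: str, startup: str) -> Dict[str, List[str]]:
    """Compare two -flat captures and list the commands unique to each side."""
    run, start = flat_commands(running), flat_commands(startup)
    return {"running_only": _only_in(run, start), "startup_only": _only_in(start, run)}


def review_items(drift: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Pick out the differing commands that fall under WATCH_PREFIXES."""
    return [(side, command)
            for side in ("running_only", "startup_only")
            for command in drift[side]
            if command.startswith(WATCH_PREFIXES)]


if __name__ == "__main__":
    drift = config_drift(RUNNING_FLAT, STARTUP_FLAT)
    for side, commands in drift.items():
        for command in commands:
            print(f"{side}: {command}")
    for side, command in review_items(drift):
        print(f"REVIEW ({side}): {command}")
```
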
show vsx-configuration
This command displays configuration settings modified by the Check Point VSX application, such as system IP flow rules, IP flow rules, circuits, and logical interfaces.
Syntax
show vsx-configuration [<vsx_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
<vsx_name>
    Portion of VSX names to match.
Restrictions
Default Privilege Level: 15
Example
The following information shows an excerpt of the show vsx-configuration output:
    CBS# show vsx-configuration
    Displaying VSX Configuration of System IP Flow Rules
    Displaying VSX Configuration of IP Flow Rules
    ip-flow-rule vsx_dst_vs1_77_77_77_77_vsxb1
      action load-balance
      priority 15
      destination-addr 77.77.77.77 77.77.77.77
      activate
    ip-flow-rule vsx_dst_vs2_10_10_2_1_vsxb1
      action load-balance
      priority 15
      destination-addr 10.10.2.1 10.10.2.1
      activate
    Displaying VSX Configuration of Circuits
    circuit vsx_ckt_vsxb1_1_4_4001 circuit-id 1027 domain 501
      device-name out.4001
      vap-group vsxb1
        ip-forwarding
        default-egress-vlan-tag 4001
    circuit vsx_ckt_vsxb1_internal_l2l3_3001 circuit-id 1032 domain 502
      internal
      device-name l2l3.3001
      vap-group vsxb1
        ip-forwarding
        default-egress-vlan-tag 3001
    Displaying VSX Configuration of Logical Interfaces
    interface gigabitethernet 1/4
      logical outside
        circuit outside
      logical vsx_log_vsxb1_1_4_4001 ingress-vlan-tag 4001 4001
        circuit vsx_ckt_vsxb1_1_4_4001
      logical vsx_log_vsxb1_1_4_4002 ingress-vlan-tag 4002 4002
        circuit vsx_ckt_vsxb1_1_4_4002
show resource-statistics
This command displays chassis-wide flow table utilization statistics in these categories:
    UDP flow entries
    TCP flow entries
    ICMP flow entries
    Other-IP flow entries
    Skip-port-protocol entries
Syntax
show resource-statistics [verbose] ([flow-table-limit] | [flow-table-usage]) [<np_module_name_list>]
Use the clear resource-statistics command to clear the flow table utilization counters.
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
verbose
    (Optional) Shows all active flow information
flow-table-limit
    Displays statistics on flow-table-limit
flow-table-usage
    Displays statistics on flow-table-usage
<np_module_name_list>
    Specifies any subset of the list of NPMs. Separate the list items with a space. Example: np1 np3 np4
Restrictions
Default Privilege Level: 0
Default Privilege Level for show resource-statistics flow-table-limit: 15
Examples
    CBS# show resource-statistics verbose flow-table-limit
    Slot 1 Uni-directional flows exceeding configured flow table limits:
                 Excess flows since     Dropped flows since
                 last clear             last clear
                 ====================   ====================
    UDP      :   0                      0
    TCP      :   0                      0
    ICMP     :   0                      0
    Other-IP :   0                      0
    Last cleared: Never
    CBS#
    CBS# show resource-statistics verbose flow-table-usage np1 np3
    Slot 1 Bi-directional flow entry usage:
                           Active flows         Total since last         Available
                           (% of flow table)    clear                    entries
                           ==================   ======================   =========
    UDP                :   0 ( 0%)              0                        60%
    TCP                :   0 ( 0%)              0                        75%
    ICMP               :   0 ( 0%)              0                        60%
    Other-IP           :   0 ( 0%)              0                        55%
    Skip-port-protocol :   0 ( 0%)              0
    Flow table size: 7134208
    Last cleared: Never
    CBS#
clear resource-statistics
This command clears the cumulative counters of the chassis-wide flow table utilization statistics. You must be an administrator (privilege level 15) to use this command.
Syntax
clear resource-statistics
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
    CBS# clear resource-statistics
    CBS#
Commands for Displaying X-Series Platform Hardware and XOS Software Version Information
This section contains the following commands:
    show system
    show version
show system
This command displays information about the system, such as: system name, location, contact info, hardware revision, software version, and so on.
Syntax
show system
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command that includes configured SNMP data for System-Name, System-Contact, System-Location, and System-Engine-ID:
    CBS# show system
    Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
    Version: CLI 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
    gcc: gcc version 2.96 20000731 (Linux 7.3 2.96-112)
    CVS_Label: XOS-9_5_1_0-20110226_1
    System-Name System-Contact System-Location System-Engine-ID : : : : mail@crossbeam.com Rogers IT lab engine45
    Chassis information:
    Part number: 003717, Serial Number: F6240016, Hardware Revision: E
    Slot  Board Type  Ports  Part Num  Serial Num  Hw Revision  Status
    1     NP8600      12     003927    G7150499    8            Up
    2     NP8600      12     003927    G7150508    8            Up
    5     AP8650      0      004911    L845H046    8            Active
    6     AP9600      0      005682    P104N013    AA           Active
    9     AP9600      0      005682    P104N034    AA           Active
    13    CP9600      5      005962    N023J519    AA           Up
show version
This command displays the XOS software version, creation date, system image name, and kit number running on the primary CPM and displays basic hardware configuration information for the primary CPM. If you specify the detail parameter, the show version command also displays hardware and firmware information for each module installed in the X-Series Platform.
Syntax
show version [detail]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
detail
    Displays the hardware and firmware version information for each module installed in the X-Series Platform.
Restrictions
Default Privilege Level: 0
Example
The following is an example of the show version command.
    CBS# show version
    Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
    Version: XOS 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
    CVS_Label: XOS-9_5_1_0-20110226_1
    Kit_Number: xx
    CPU at 2327 Mhz processor with 16410064K bytes of memory
    6755944K bytes of memory in use
    Uptime is 3 day(s) 17 hour(s) 43 min(s) 56 sec(s)
    Hard disk is 500(GB)
    Second Hard disk is 500(GB)
    Flash is not present
The following is an example of the show version detail command.
    CBS# show version detail
    Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
    Version: XOS 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
    gcc: gcc version 2.96 20000731 (Linux 7.3 2.96-112)
    CVS_Label: XOS-9_5_1_0-20110226_1
    Kit_Number: 37
    CPU at 2327 Mhz processor with 16410064K bytes of memory
    6757472K bytes of memory in use
    Uptime is 3 day(s) 17 hour(s) 44 min(s) 57 sec(s)
    Hard disk is 500(GB)
    Second Hard disk is 500(GB)
    Flash is not present
    Details per slot:
    Revision for slot 1
    Boot Strap version   : 2.0.0.10
    Bootloader version   : 2.0.0.10
    Diagnostics version  : 2.1.0.3
    SysCtl FPGA version  : 0x4
    Focus FPGA version   : 0xf
    CPLD version         : 0x4
    Board version        : 8
    Board serial number  : G7150499
    Board type           : NP8600
    Board part number    : 003927
    Revision for slot 2
    Boot Strap version   : 2.0.0.10
    Bootloader version   : 2.0.0.10
    Diagnostics version  : 2.1.0.3
    SysCtl FPGA version  : 0x4
    Focus FPGA version   : 0xf
    CPLD version         : 0x4
    Board version        : 8
    Board serial number  : G7150508
    Board type           : NP8600
    Board part number    : 003927
    Revision for slot 5
    Boot Strap version   : 1.7.0.1
    Bootloader version   : 1.7.0.2
    Diagnostics version  : 1.1.0.4
    SysCtl FPGA version  : 0x600
    Focus FPGA version   : 0x600
    CPLD version         : 0x15
    Board version        : 8
    Board serial number  : L845H046
    Board type           : AP8650
    Board part number    : 004911
    Revision for slot 6
    Boot Strap version   : 1.8.0.0
    Bootloader version   : 1.8.0.2
    Diagnostics version  : 0.4.0.14
    SysCtl FPGA version  : 0x10c
    Focus FPGA version   : 0x10c
    CPLD version         : 0xc
    Board version        : AA
    Board serial number  : P104N013
    Board type           : AP9600
    Board part number    : 005682
    Revision for slot 9
    Boot Strap version   :
    Bootloader version   :
    Diagnostics version  :
    SysCtl FPGA version  :
    Focus FPGA version   :
    CPLD version         :
    Board version        :
    Board serial number  :
    Board type           :
    Board part number    :
    Revision for slot 13
    Boot Strap version   :
    Bootloader version   :
    Diagnostics version  :
    SysCtl FPGA version  :
    Focus FPGA version   :
    CPLD version         :
    Board version        :
    Board serial number  :
    Board type           :
    Board part number    :
show arp
This command displays entries in the ARP cache. You may provide a range of IP addresses to be displayed by specifying the low and high range. If one IP address is specified, only the entries in the ARP cache matching that IP address are displayed. You can also specify to only display dynamic entries. By default, all IP addresses in the ARP cache are displayed.
Syntax
show arp [<IP_addr_low> [<IP_addr_high>]] [dynamic]
Context
You access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter
    Description
<IP_addr_low>
    Display entries in the ARP cache for this IP address.
<IP_addr_high>
    Display entries in the ARP cache for all IP addresses between <IP_addr_low> and this IP address.
dynamic
    Display dynamic ARP entries only.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
    CBS# show arp
    Module      Address         Hardware Addr      Type     Interface
    vsx_1       1.1.200.20      00:03:d2:00:c8:0d  dynamic  eth0
    vsx_1       192.168.71.211  00:03:d2:e0:02:c8  static   mgt
    vsx_1       7.7.7.2         00:03:d2:e0:07:c8  static   sync
    vsx_1       192.168.71.161  00:0c:29:78:a9:ab  dynamic  mgt
    flo_1       192.168.71.186  00:0c:29:bd:4d:2d  dynamic  mgt
    flo_1       9.9.9.2         00:03:d2:e0:06:c8  static   sync
    flo_1       192.168.71.202  00:03:d2:e0:01:c8  static   mgt
    flo_1       172.16.10.10    00:0e:0c:4e:1f:84  dynamic  bint
    flo_1       1.1.200.102     00:03:d2:00:c8:09  dynamic  eth0
    flo_1       1.1.200.20      00:03:d2:00:c8:0d  dynamic  eth0
    flo_1       192.168.71.161  00:0c:29:78:a9:ab  dynamic  mgt
    flo_2       1.1.200.101     00:03:d2:00:c8:08  dynamic  eth0
    flo_2       172.16.10.10    00:0e:0c:4e:1f:84  dynamic  bint
    flo_2       192.168.71.186  00:0c:29:bd:4d:2d  dynamic  mgt
    flo_2       1.1.200.20      00:03:d2:00:c8:0d  dynamic  eth0
    flo_2       192.168.71.161  00:0c:29:78:a9:ab  dynamic  mgt
    flo_2       9.9.9.1         00:03:d2:e0:06:c8  static   sync
    flo_2       192.168.71.201  00:03:d2:e0:01:c8  static   mgt
    primarycpm  192.168.71.40   00:03:d2:2f:54:1c  dynamic  eth2
    primarycpm  192.168.71.1    00:00:5e:00:00:47  dynamic  eth2
    primarycpm  1.1.200.104     00:03:d2:00:c8:06  dynamic  eth0
    primarycpm  1.1.200.4       00:03:d2:00:c8:04  dynamic  eth0
Syntax
show neighbor-discovery
Context
You access this command from the main CLI context.
Output
The following table describes the information provided in each row of the output. Row Heading Domain IP address Information Provided Displays the domain number associated with this neighbor entry. Displays the IP address of this neighbor entry.
648
Information Provided
Displays the most recent state recorded in the neighbor discovery table. Possible values are:
DELAY - The neighbor is no longer known to be reachable, and traffic has recently been sent to the neighbor. Rather than probe the neighbor immediately, however, delay sending probes for a short while in order to give upper layer protocols a chance to provide reachability confirmation.
INCOMPLETE - Address resolution is in progress and the link-layer address of the neighbor has not yet been determined.
PROBE - The neighbor is no longer known to be reachable, and unicast Neighbor Solicitation probes are being sent to verify reachability.
REACHABLE - Roughly speaking, the neighbor is known to have been reachable recently (within tens of seconds ago).
STALE - The neighbor is no longer known to be reachable but until traffic is sent to the neighbor, no attempt should be made to verify its reachability.
FAILED - The neighbor has been declared unreachable. The system seeks an alternate path.
Information Provided
Displays the type of link associated with this neighbor discovery table entry. Possible values are:
asymmetric reachability - A link where non-reflexive and/or non-transitive reachability is part of normal operation. (Non-reflexive reachability means packets from A reach B but packets from B don't reach A. Non-transitive reachability means packets from A reach B, and packets from B reach C, but packets from A don't reach C.) Many radio links exhibit these properties.
multicast - A link that supports a native mechanism at the link layer for sending packets to all (i.e., broadcast) or a subset of all neighbors.
non-broadcast multi-access (NBMA) - A link to which more than two interfaces can attach, but that does not support a native form of multicast or broadcast (e.g., X.25, ATM, frame relay, etc.).
point-to-point - A link that connects exactly two interfaces. A point-to-point link is assumed to have multicast capability and have a link-local address.
shared media - A link that allows direct communication among a number of nodes, but attached nodes are configured in such a way that they do not have complete prefix information for all on-link destinations. That is, at the IP level, nodes on the same link may not know that they are neighbors; by default, they communicate through a router. Examples are large (switched) public data networks such as SMDS and B-ISDN. Also known as "large clouds". See [SH-MEDIA].
unicast - One of these unicast address types:
    Global unicast address - A conventional, publicly routable address, just like conventional IPv4 publicly routable addresses.
    Link-local address - Similar to the private, non-routable addresses in IPv4 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). They are not meant to be routed, but confined to a single network segment. Link-local addresses mean you can easily throw together a temporary LAN, such as for conferences or meetings, or set up a permanent small LAN the easy way.
    Unique local address - Meant for private addressing, with the addition of being unique, so that joining two subnets does not cause address collisions.
    Special addresses are loopback addresses, IPv4-address mapped spaces, and 6-to-4 addresses for crossing from an IPv4 network to an IPv6 network.
variable MTU - A link that does not have a well-defined MTU (e.g., IEEE 802.5 token rings). Many links (e.g., Ethernet) have a standard MTU defined by the link-layer protocol or by the specific document describing how to run IP over the link layer.
Flags
If one or more flags are set, they indicate the type of neighbor. Possible values are: A dash or hyphen indicates that no flags are set. The type of neighbor is not specified. The word PROXY indicates that the neighbor is a proxy ARP device. The word ROUTER indicates that the neighbor is an IPv6 router.
HW Address
The MAC address associated with this neighbor discovery table entry.
Device
The device name associated with this neighbor table entry.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show neighbor-discovery
Neighbor Entry
Module      one_2
Domain      0
IP address  2002:1::3
State       REACHABLE
Type        UNICAST
Flags
HW Address  00:03:d2:20:0c:69
Device      enter
Neighbor Entry
Module      one_2
Domain      0
IP address  2002:2::1
State       REACHABLE
Type        UNICAST
Flags
HW Address  00:03:d2:1f:fb:b9
Device      thru
Neighbor Entry
Module      one_2
Domain      0
IP address  fe80::203:d2ff:fe1f:fbb9
State       STALE
Type        UNICAST
Flags
HW Address  00:03:d2:1f:fb:b9
Device      thru
show dns-search-name
This command displays the configured DNS search name.
Syntax
show dns-search-name
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show dns-search-name
DNS Search Name    VAP Group
crossbeam.com
show dns-server
This command displays the configured DNS server.
Syntax
show dns-server
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show dns-server
DNS Server Address    VAP Group
10.1.2.89
show hostname
This command displays the hostname of the X-Series Platform.
Syntax
show hostname
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show hostname
CP1 Hostname : mars
CP2 Hostname : mars
show ip addresses
This command displays IP addresses.
Syntax
show ip addresses
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show ip default-network
This command displays the IP default network configuration.
Syntax
show ip default-network
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show ip domainname
This command displays the domain name.
Syntax
show ip domainname
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show ip forwarding
This command displays whether IP forwarding is enabled or disabled.
Syntax
show ip forwarding
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show ip ftp
This command displays whether the FTP server is enabled or disabled.
Syntax
show ip ftp
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show ip route
By default, this command displays all entries in the IP route table. If you specify a single destination IP address, this command queries all the VAP groups to find a matching route. The output displays three IP route table entries whose destination IP addresses best match the specified destination IP address as well as the management route. IP route table entry matches are ranked first by exact IP address matching, then by subnet mask matching, and then by metric matching. If you specify a range of destination IP addresses, this command displays all IP route table entries with destination IP addresses that match those in the specified range.
Syntax
show ip route [<destination_IP> | <first_destination_IP> <last_destination_IP>] [sort_by_destination_address]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
<destination_IP> - Displays the three IP route table entries whose destination IP addresses are on the same subnet as the specified destination IP address and most closely match it. IP route table entry matches are ranked first by exact IP address matching, then by subnet mask matching, and then by metric matching.
<first_destination_IP> <last_destination_IP> - Displays all IP route table entries with destination IP addresses that match those in the specified range.
sort_by_destination_address - Sorts the display by domain and destination address.
Restrictions
Default Privilege Level: 0
Example
NOTE: All example commands in this section display entries from the same system's IP route table.
The following command lists all of the system's IP route table entries:
CBS(config)# show ip route
Module      Destination      Gateway       Metric  Device
fw_1        192.168.74.0/24  0.0.0.0       0       mgmt
fw_1        1.1.0.0/16       0.0.0.0       0       eth0
ips_1       192.168.74.0/24  0.0.0.0       0       mgmt
ips_1       1.1.0.0/16       0.0.0.0       0       eth0
primarycpm  192.168.74.0/24  0.0.0.0       0       eth2
primarycpm  1.1.0.0/16       0.0.0.0       0       eth0
primarycpm  127.0.0.0/8      0.0.0.0       0       lo
primarycpm  0.0.0.0/0        192.168.74.1  0       eth2
The following command displays each of the three IP route table entries that have the specified destination IP address, 192.168.74.0:
CBS# show ip route 192.168.74.0
Module      Destination      Gateway  Metric  Device
fw_1        192.168.74.0/24  0.0.0.0  0       mgmt
ips_1       192.168.74.0/24  0.0.0.0  0       mgmt
primarycpm  192.168.74.0/24  0.0.0.0  0       eth2
The following command displays each of the three IP route table entries that have a destination IP address that is on the same subnet as the specified IP address, 192.168.74.4:
CBS# show ip route 192.168.74.4
Module      Destination      Gateway  Metric  Device
fw_1        192.168.74.0/24  0.0.0.0  0       mgmt
ips_1       192.168.74.0/24  0.0.0.0  0       mgmt
primarycpm  192.168.74.0/24  0.0.0.0  0       eth2
NOTE: The above two commands have the same output because when you specify a single destination IP address with the show ip route command, the CLI displays the IP route table entries whose destination IP addresses best match the specified destination IP address. In the second example, there are no IP route table entries that match the specified destination IP address exactly, so the CLI displays the three best matches instead; these IP route table entries have destination IP addresses that are on the same subnet as the specified destination IP address.
show ip ssh
This command displays SSH server configuration information including the inactivity timeout setting (in minutes), and the number of authentication retries a user is allowed to make before being denied access to the system.
Syntax
show ip ssh
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is a sample display.
CBS# show ip ssh
SSH Server Enabled (true/false) : t
Login Timeout (seconds)         : 120
Authentication Retry            : 3
(1 row)
show ip telnet
This command displays whether the Telnet server is enabled or disabled.
Syntax
show ip telnet
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show ldap-parameters
This command displays the Lightweight Directory Access Protocol (LDAP) server parameters.
Syntax
show ldap-parameters
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command.
CBS# show ldap-parameters
LDAP Version    LDAP Distinguished Names
3               1
show ldap-server
This command displays the Lightweight Directory Access Protocol (LDAP) server configuration.
Syntax
show ldap-server [<hostname> | <IP_address>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
<hostname> | <IP_address> - LDAP server DNS name or IP address. The default is to show all LDAP servers.
Restrictions
Default Privilege Level: 15
show cp-next-boot
This command displays the current and the next CPM boot distribution for each CPM.
Syntax
show cp-next-boot
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show cp-next-boot
CP1: Current boot is D1 (9.5.1)
CP1: Next boot is D1 (9.5.1)
CP2: Slot 14 is inaccessible
CP2: Slot 14 is inaccessible
show np-reload-timeout
This command displays the time interval, measured in seconds, that the system waits for an NPM to reload. If an NPM reload is not completed within the specified time interval, the system declares the NPM inaccessible and resets the slot. The default time interval is 300 seconds.
Syntax
show np-reload-timeout
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following example shows the output of this command for a system configured with the default np-reload-timeout setting of 300 seconds:
CBS# show np-reload-timeout
NP Reload Timeout (seconds)
300
(1 row)
show np-reset-wait-time
Displays the time interval, measured in seconds, that the system waits for a heartbeat signal from an NPM before resetting it. The default time interval is 5 seconds. Use the configure np-reset-wait-time command to display the NPM reset timeout interval configured for the X-Series Platform.
Syntax
show np-reset-wait-time
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
show ntp-server
This command displays Network Time Protocol (NTP) server addresses, if configured.
Syntax
show ntp-server
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show operating-mode
This command displays the X-Series Platform configured and operational mode.
Syntax
show operating-mode
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:
CBS# show operating-mode
Chassis Type              : X80
Configured Operating Mode : dual-np
Operational Mode          : dual-np
Configured NPM Mode       : series-6
Operational NPM Mode      : series-6
show radius-server
This command displays the RADIUS host configuration on the X-Series Platform.
Syntax
show radius-server [<hostname>|<IP_address>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
<hostname> - Host name of RADIUS server host.
<IP_address> - IP address of RADIUS server host.
Restrictions
Default Privilege Level: 15
show system-identifier
This command displays the identifier configured with the configure system-identifier command. If the system identifier has been changed, but the chassis has not yet been reloaded, there will be a difference in the display of the Operating System Identifier and the Configured System Identifier as shown below.
Syntax
show system-identifier
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
CBS# configure system-identifier 5
CBS# show system-identifier
Operating System Identifier    Configured System Identifier
1                              5
show system-internal-network
This command displays the configured and operational IP addresses and subnet masks for the control network.
Syntax
show system-internal-network
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
The following example displays the output of this command.
CBS# show system-internal-network
Configured System Internal Network  : 1.1.0.0/16
Operational System Internal Network : 1.1.0.0
Operational System Internal Netmask : 255.255.0.0
(1 row)
show timeout
This command displays the current CLI session idle timeout.
Syntax
show timeout
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show timezone
This command displays the system time zone configured for the X-Series Platform.
Syntax
show timezone
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show timezone
Time Zone
America/New_York
show web-server
This command displays whether the Web server is enabled or disabled.
Syntax
show web-server
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show web-server
Web Server Enabled (true/false) : t
show web-session
This command displays web user sessions.
Syntax
show web-session
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show web-session
User              : admin
GUI Access Level  : Administrator
Start Access Time : 2010-03-08 10:09:39.339501-04
Last Access Time  : 2010-03-08 10:10:59.796468-04
User IP Addr      : 10.2.1.126
show web-timeout
This command displays the XOS Web Session timeout value.
Syntax
show web-timeout
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
This command is not available on the X20, X30, or X60 chassis.
Example
The following shows an example of this command.
CBS# show web-timeout
Web Session Timeout (minutes) : 20
(1 row)
show web-wizard
This command displays the XOS GUI's wizard setting.
Syntax
show web-wizard
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
This command is not available on the X20, X30, or X60 chassis.
Example
The following shows an example of this command.
CBS# show web-wizard
Login Web Wizard View (true/false) : f
(1 row)
show management
This command displays the management interface configuration of a specific port. Only the CPM ports are configured for management interfaces.
Syntax
show management {gigabitethernet <slot/port> | high-availability}
Context
You access this command from the main CLI context.
Inline Commands
The following table lists the CLI commands used inline with the show management command.
Command - Description
gigabitethernet <slot/port> - Displays the Gigabit Ethernet interface and the slot and port of the interface.
high-availability - Displays the configurations for the high-availability management port on each CPM.
Restrictions
Default Privilege Level: 0
Example
The following is a sample display:
CBS# show management gigabitethernet 14/1
Gigabitethernet 14/1 is up
Hardware address is 00:03:d2:10:09:08
MTU 1500 bytes, BW 1000 Mbits, half-duplex, auto-negotiation is enabled
Last clearing of "show interface" counters never
1108362 packets input, 140561899 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
1 input errors, 0 CRC, 2 frame, 0 overrun, 0 ignored
1201989 packets output, 818440146 bytes, 2 underruns
2 output errors, 0 collisions
CBS# show management high-availability
CP Module  Auto Negotiate Enabled (true/false)  Media Speed (Mbits)  Duplex Mode
cp1        t                                    N/A                  N/A
cp2        t                                    N/A                  N/A
(2 rows)
High-availability port on slot 14 is up
BW 1 Gigabit, full-duplex, auto-negotiation is disabled
Last clearing of "show interface" counters Fri Sep 3 04:49:04 2010
PHY stats: Statistics on physical line
Received: Total frames 0 (bytes 0) Total errors 0
Transmitted: Total frames 58 (bytes 3712) Total errors 0
show management-ip-alias
This command displays management IP aliases.
Syntax
show management-ip-alias
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show management-ip-nat
This command displays the NAT inside and outside configurations.
Syntax
show management-ip-nat
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show access-list
This command displays configured access lists.
Syntax
show access-list [<list_number>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
<list_number> - Access list number. Valid values are 0 to 65535. Default is all.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:
CBS# show access-list
Access List                 : 1001
Access                      : permit
Protocol                    : ip
Source IP and Wildcard      : 192.168.0.0 0.0.255.255
Destination IP and Wildcard : 0.0.0.0 255.255.255.255
Log Enable (true/false)     : f
Access List                 : 1002
Access                      : permit
Protocol                    : ip
Source IP and Wildcard      : 0.0.0.0 255.255.255.255
Destination IP and Wildcard : 192.168.0.0 0.0.255.255
Log Enable (true/false)     : f
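The following added example (not part of the original guide or of XOS) parses captured show access-list output and reports which entries cover a given source/destination pair and which permit entries deserve review. It assumes the wildcard is an inverse mask, where a set bit means "ignore this bit", as the 0.0.0.0 255.255.255.255 entries above suggest; the sample text, entry 1003 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the "Field : value" layout of `show access-list`.
# Entries 1001 and 1002 mirror the guide's example; 1003 is made up.
SAMPLE_OUTPUT = """\
CBS# show access-list
Access List                 : 1001
Access                      : permit
Protocol                    : ip
Source IP and Wildcard      : 192.168.0.0 0.0.255.255
Destination IP and Wildcard : 0.0.0.0 255.255.255.255
Log Enable (true/false)     : f
Access List                 : 1002
Access                      : permit
Protocol                    : ip
Source IP and Wildcard      : 0.0.0.0 255.255.255.255
Destination IP and Wildcard : 192.168.0.0 0.0.255.255
Log Enable (true/false)     : f
Access List                 : 1003
Access                      : deny
Protocol                    : ip
Source IP and Wildcard      : 10.9.0.0 0.0.0.255
Destination IP and Wildcard : 0.0.0.0 255.255.255.255
Log Enable (true/false)     : t
"""

ENTRY_RE = re.compile(
    r"Access List\s*:\s*(?P<number>\d+)\s+"
    r"Access\s*:\s*(?P<action>\S+)\s+"
    r"Protocol\s*:\s*(?P<protocol>\S+)\s+"
    r"Source IP and Wildcard\s*:\s*(?P<src>\S+)\s+(?P<src_wc>\S+)\s+"
    r"Destination IP and Wildcard\s*:\s*(?P<dst>\S+)\s+(?P<dst_wc>\S+)\s+"
    r"Log Enable \(true/false\)\s*:\s*(?P<log>[tf])\b"
)
ANY_WILDCARD = "255.255.255.255"


def parse_access_lists(text):
    """Return one dict per access-list entry found in the captured output."""
    entries = []
    for match in ENTRY_RE.finditer(text):
        entry = match.groupdict()
        entry["number"] = int(entry["number"])
        entry["log"] = entry["log"] == "t"
        entries.append(entry)
    return entries


def wildcard_match(address, base, wildcard):
    """Inverse-mask comparison: only bits that are 0 in the wildcard count."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    diff = int(ipaddress.IPv4Address(address)) ^ int(ipaddress.IPv4Address(base))
    return (diff & care) == 0


def matching_entries(entries, src, dst):
    """Numbers of all entries whose source and destination both cover the pair."""
    return [
        e["number"]
        for e in entries
        if wildcard_match(src, e["src"], e["src_wc"])
        and wildcard_match(dst, e["dst"], e["dst_wc"])
    ]


def audit(entries):
    """Map entry number -> review notes for permit entries only."""
    findings = {}
    for e in entries:
        if e["action"] != "permit":
            continue
        notes = []
        if not e["log"]:
            notes.append("permit without logging")
        if ANY_WILDCARD in (e["src_wc"], e["dst_wc"]):
            notes.append("one side matches any address")
        if notes:
            findings[e["number"]] = notes
    return findings


if __name__ == "__main__":
    acl = parse_access_lists(SAMPLE_OUTPUT)
    print(matching_entries(acl, "192.168.5.9", "8.8.8.8"))
    for number, notes in audit(acl).items():
        print(number, "; ".join(notes))
```

The script reports every entry that covers the pair; it does not model the order in which XOS evaluates entries, which this section does not describe.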
Commands for Displaying User Account and User Access Configuration Settings
This section contains the following commands:
show lock-config
show snmp-user
show username
show usernames
show autocommand
show privilege
show tree include-privilege
show lock-config
This command displays information about the user who issued a lock-config command.
Syntax
show lock-config
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is a sample display:
CBS# show lock-config
Configuration is locked by : admin
User type                  : CLI
(1 row)
show snmp-user
This command displays all SNMPv3 users or a specific user.
Syntax
show snmp-user [<username>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
<username> - Name of an SNMPv3 user.
Restrictions
Default Privilege Level: 0
Example
This example displays the configuration for an SNMP user with the username of bob. The settings are all the default settings.
CBS# show snmp-user
Username            : bob
Authentication Type : none
Privacy Type        : none
OID                 : .iso
(1 row)
show username
This command displays information (username, CLI privilege level and GUI level) about the specified user. If no username is specified, the command displays information for the current user.
Syntax
show username [<username>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command. Parameter <username> Description User for whom the information is displayed.
Restrictions
Default Privilege Level: 0
Output
This command displays username information in the following format:
CBS# show username
Username                     : admin
Assigned CLI Privilege Level : 15
Current CLI Privilege Level  : 15
GUI Access Level             : Administrator
Maxdays                      : 30
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading - Information Provided
Username - User name assigned to the user account.
Assigned CLI Privilege Level - The CLI privilege level assigned to the user account. To execute a CLI command, a user's CLI privilege level must be greater than or equal to the command's privilege level. Valid values are from 0-15. The default CLI privilege level for a new user account is 0.
Current CLI Privilege Level - The CLI privilege level in effect for the current (logged on) user. This information is displayed only for the current user.
GUI Access Level - The GUI privilege level assigned to the user account.
    unauthorized - User cannot access the GUI at all.
    guest - User has read-only access to the GUI. User can view current X-Series Platform configuration settings, but cannot change any settings using the GUI.
    network-operator - User can view current X-Series Platform configuration settings and can change network connectivity configuration settings such as NPM interface configuration settings.
    service-operator - User can view current X-Series Platform configuration settings and can change service provisioning configuration settings such as VAP group configuration settings.
    administrator - User can view and change all current X-Series Platform configuration settings.
Maxdays - The maximum number of days that a user account password can remain valid before it expires. When a password expires, the user must change the password upon his/her next login. The default maxdays parameter value is 30 days. The valid range is 0 - 65355.
show usernames
This command displays information (username, privilege level, GUI access level, and maximum number of days before the password expires) about all users.
Syntax
show usernames
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:
CBS# show usernames
Username                     : admin
Assigned CLI Privilege Level : 15
GUI Access Level             : Administrator
Maxdays                      : 30
Username                     : guest
Assigned CLI Privilege Level : 15
GUI Access Level             : Guest
Maxdays                      : 30
(3 rows)
For a description of the information provided, see show username.
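The following added example (not part of the original guide or of XOS) turns captured show usernames output into a per-account review list: accounts whose CLI privilege level is 15 while their GUI access level is not administrator, and accounts whose Maxdays exceeds a policy limit. The sample text, the third account, the finding labels and the 30-day policy limit (taken from the documented default) are assumptions made for illustration.

```python
# Constructed sample in the layout of `show usernames`; the "backup"
# account and its values are made up for this example.
SAMPLE_OUTPUT = """\
CBS# show usernames
Username                     : admin
Assigned CLI Privilege Level : 15
GUI Access Level             : Administrator
Maxdays                      : 30
Username                     : guest
Assigned CLI Privilege Level : 15
GUI Access Level             : Guest
Maxdays                      : 30
Username                     : backup
Assigned CLI Privilege Level : 0
GUI Access Level             : Unauthorized
Maxdays                      : 365
(3 rows)
"""

TOP_CLI_LEVEL = 15          # highest CLI privilege level per the guide (0-15)
POLICY_MAXDAYS = 30         # assumed site policy; 30 is the documented default


def parse_usernames(text):
    """Split the output into one dict per account, keyed by field name."""
    accounts, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # prompt line, "(N rows)" footer, blank lines
        key, value = key.strip(), value.strip()
        if key == "Username":
            current = {"Username": value}
            accounts.append(current)
        elif current is not None:
            current[key] = value
    return accounts


def audit_accounts(accounts, policy_maxdays=POLICY_MAXDAYS):
    """Map username -> list of finding labels; accounts with none are omitted."""
    findings = {}
    for account in accounts:
        notes = []
        cli_level = int(account["Assigned CLI Privilege Level"])
        gui_level = account["GUI Access Level"].lower()
        maxdays = int(account["Maxdays"])
        # Full CLI rights paired with a restricted GUI role usually means the
        # two settings were assigned independently and one of them is wrong.
        if cli_level == TOP_CLI_LEVEL and gui_level != "administrator":
            notes.append("cli-15-without-gui-administrator")
        if maxdays > policy_maxdays:
            notes.append("maxdays-above-policy")
        if notes:
            findings[account["Username"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit_accounts(parse_usernames(SAMPLE_OUTPUT)).items():
        print(user, ", ".join(notes))
```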
show autocommand
This command displays the configured autocommand, which is a group of CLI commands to execute when the user logs in.
Syntax
show autocommand [<username>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
<username> - Username whose autocommand(s) will be displayed. Default is current user.
Restrictions
Default Privilege Level: 0
show privilege
This command displays privilege levels of a command and sub-command (up to 10 levels).
Syntax
show privilege <command> [<sub_command> ...]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
<command> - Command for which the privilege level is displayed.
<sub_command> - Sub-command for which privilege level is displayed.
Restrictions
Default Privilege Level: 0
Example
The following example shows a privilege level for the show ip route command.
CBS# show privilege show ip route
Command 'show ip route' at privilege level 0
Syntax
show tree [include-privilege]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
include-privilege - Displays the privilege level required to execute each command after the command's name.
Restrictions
Default Privilege Level: 0
Example
The following shows partial output from the show tree include-privilege command:
CBS# show tree include-privilege
|
+---alias (privilege 0)
|
+---application (privilege 15)
|
+---application-remove (privilege 15)
|   |
|   +---version (privilege 15)
|   |
|   +---release (privilege 15)
|
+--
show alarm-enabled
This command displays whether alarms are turned on or off.
Syntax
show alarm-enabled
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:
CBS# show alarm-enabled
Alarm Name      Enabled (true/false)
power-supply    t
power-feed      t
(2 rows)
show facility-alarm
This command displays facility alarm settings.
Syntax
show facility-alarm
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show facility-alarm
Facility Name  : cpu
Lower Critical : 0 Percent
Upper Critical : 99 Percent
Lower Major    : 0 Percent
Upper Major    : 90 Percent
Lower Minor    : 0 Percent
Upper Minor    : 80 Percent
Facility Name  : cpu-core
Lower Critical : 0 Percent
Upper Critical : 99 Percent
Lower Major    : 0 Percent
Upper Major    : 90 Percent
Lower Minor    : 0 Percent
Upper Minor    : 80 Percent
Facility Name  : disk-usage-boot
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Percent
Upper Minor    : 70 Percent
Facility Name  : disk-usage-cbconfig
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Percent
Upper Minor    : 70 Percent
Facility Name  : disk-usage-mgmt
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Percent
Upper Minor    : 70 Percent
Facility Name  : disk-usage-root
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Percent
Upper Minor    : 70 Percent
Facility Name  : disk-usage-tftpboot
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Percent
Upper Minor    : 70 Percent
Facility Name  : disk-usage-var
Lower Critical : 0 Percent
Upper Critical : 97 Percent
Lower Major    : 0 Percent
Upper Major    : 80 Percent
Lower Minor    : 0 Celsius
Upper Minor    : 70 Percent
Facility Name  : free-memory
Lower Critical : N/A
Upper Critical : N/A
Lower Major    : 2 - threshold multiplier
Upper Major    : N/A
Lower Minor    : 4 - threshold multiplier
Upper Minor    : N/A
(9 rows)
CBS#
show snmp
This command displays the existing system location, contact information, and SNMP hosts or SNMP communities. If no parameter is specified, system information is displayed.
Syntax
show snmp [contact|engine-id|location|community|hosts|system]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
contact - SNMP contact information.
engine-id - Engine Identifier for this copy of SNMP.
location - SNMP server location information.
community - Community strings, IP address, and network mask.
hosts - IP address, traps/inform configuration, security level, community string, and port number of the configured hosts for SNMP traps.
system - SNMP system information, such as system name, contact, and location.
Restrictions
Default Privilege Level: 0
Syntax
show logging console [level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}] [component <component_name>] [hostname <hostname>] [chronological-order] [<month>] [<date>] [<year>] [<time>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
level <level_number> - Displays all event messages stored in the console log that have a severity level number equal to or lower than the log level, <level_number>. See parameter descriptions below for a list of severity level descriptions. Valid values are 0-7. Default is 4.
level emerg - Displays messages stored in the console log with severity level 0. Severity level 0 is Emergency, which indicates that the system is unstable.
level alert - Displays messages stored in the console log with severity levels 0 and 1. Severity level 1 is Alert, which indicates that immediate action is needed.
level crit - Displays messages stored in the console log with severity levels 0-2. Severity level 2 is Critical, which indicates a critical condition.
level error - Displays messages stored in the console log with severity levels 0-3. Severity level 3 is Error, which indicates an error condition.
level warning - Displays messages stored in the console log with severity levels 0-4. Severity level 4 is Warning, which indicates a warning condition.
level notice - Displays messages stored in the console log with severity levels 0-5. Severity level 5 is Notification, which indicates that a significant event has occurred, but conditions remain normal.
level info - Displays messages stored in the console log with severity levels 0-6. Severity level 6 is Informational. Use these messages for information only.
level debug - Displays messages stored in the console log with severity levels 0-7. Severity level 7 is Debugging. Use these messages for debugging only.
component <component_name> - Filters the output of the show logging console command. Displays only the event messages whose component names match one of the following <component_name> values:
    cbsalarmmond - CBS RMON Monitor
    cbscfgmgrd - CBS Configuration Manager
    cbsd - CBS Daemon
    cbsflowagentd - CBS Flow Agent
    cbsflowcalcd - CBS Flow Calculator
    cbshmonitord - CBS Health Monitor
    cbsinitd - CBS Initializer
    cbsstatsd - CBS Statistic Collector
    cbssysctrld - CBS System Controller
    cbsvfpcfgd - CBS VAP Config Agent
    cli - Command Line Interface
    init_cli - CLI Initializer
    WEB - CBS Graphic User Interface (GUI)
hostname <hostname> - Filters the output of the show logging console command. Displays only the event messages that originate from the module with the specified host name.
chronological-order - Displays event messages in reverse chronological order.
<month> - Filters the output of the show logging console command. Displays messages only for events that occurred during the specified month. You must specify the month as a three-letter abbreviation. Default value is the current month if the <date>, <year>, or <time> parameter is specified.
<date> - Filters the output of the show logging console command. Displays messages only for events that occurred on the specified day of the month. Valid values are from 1 to 31. Default value is the current date if the <mon>, <year>, or <time> parameter is specified.
Restrictions
Default Privilege Level: 0
Syntax
show logging settings
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
Monitor Logging Level 4 (1 row) Logging Level 4 Logging Level Name warning Log Facility
Syntax
show logging server <IP_address> <hostname>
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
<IP_address> - IP address of logging (syslog) server.
<hostname> - Hostname of logging (syslog) server.
Restrictions
Default Privilege Level: 0
show cp-redundancy
This command displays the configured action for each CPM in a CP redundancy configuration. NOTE: This command issues a warning message if an in-service upgrade (ISU) is in progress. If you get this message, please be aware that there will be a period of time during the ISU when both CPMs are listed as the primary CPM. This condition will be resolved when the upgrade is complete.
Syntax
show cp-redundancy
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command's output during normal operation.
CBS# show cp-redundancy
Administrative State:
CP1 (this cp) is ELECTION
CP2 (other cp) is ELECTION
CP Redundancy is ENABLED
Operational State:
CP1 (this cp) is PRIMARY
CP2 (other cp) is OFFLINE CP
CP Redundancy is ENABLED
The following is an example of this command's output during an ISU.
CBS# show cp-redundancy
WARNING: In-Service Upgrade Is in Progress
Administrative State:
CP1 (this cp) is ELECTION
CP2 (other cp) is ELECTION
CP Redundancy is ENABLED
Operational State:
CP1 (this cp) is PRIMARY
CP2 (other cp) is OFFLINE
CP Redundancy is ENABLED
Synchronization Status:
Disk synchronization is 0% completed
show cp-disk-error
This command displays the currently configured CPM actions.
Syntax
show cp-disk-error
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
This command is not available on the X20 or X30 chassis.
show cp-unknown-state
This command displays the configured CPM actions.
Syntax
show cp-unknown-state
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
This command is not available on the X20 or X30 chassis.
Example
The following is an example of this command.
CBS# show cp-unknown-state
CP1: slot 13 is inaccessible
CP2: Unknown CP setting is MONITOR
show management-vip
This command displays the virtual IP addresses.
Syntax
show management-vip
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
The following is a sample display:
CBS# show management-vip
Management Virtual IP
192.168.75.193
(1 row)
show archive-vap-group
Displays information about VAP group archives. An archive is a backup copy of all the filesystems used by a particular VAP group at a particular time. By default, this command displays information about all archives created for VAP groups configured on the X-Series Platform. Use the vap-group parameter to display information only about archives created for the specified VAP group. Use the vap-group parameter with the archive parameter to display information only about the specified archive of the specified VAP group.
Syntax
show archive-vap-group [vap-group <VAP_group_name> [archive <archive_number>]]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: vap-group <VAP_group_name>
Description: Displays information only about the archives created for the specified VAP group. If you do not specify this parameter, the show archive-vap-group command displays information about all archives created for all VAP groups configured on the X-Series Platform.
Parameter: archive <archive_number>
Description: Displays information only about the specified archive created for the specified VAP group. You specify an archive using its archive number. NOTE: A VAP group's archives are numbered from 1 to n, where n is the number of archives created for a VAP group. The first archive that you create for a VAP group is archive number 1, the second is 2, etc. If you do not specify the archive parameter with the vap-group parameter, the show archive-vap-group command displays information about all archives created for the specified VAP group.
Output
This command displays archive information in the following format:
VAP Group : <VAP_group_name>
Archive Number : <archive_number>
VAP Count : <VAP_count>
VAP OS version : {xslinux_v3 | xslinux_v5 | xslinux_v5_64}
XOS version : <XOS_version>
Application : <application_name>
Application Version : <application_version_identifier>
Application Release : <application_release_number>
Date : <archive_creation_date>
Archive Location : {<archive_directory_on_CPM> | <URL_for_archive_directory_on_external_server>}
Archive Size : <number_of_bytes>
The following table describes the information provided in each column/row.
Column/Row Heading: VAP Group
Information Provided: Name of the VAP group that was backed up to create the archive.
Column/Row Heading: Archive Number
Information Provided: Archive number that XOS assigned to the archive. XOS assigns the number 1 to the first archive that you create for a VAP group. XOS then increments the archive number by 1 for each subsequent archive that you create for the VAP group. For example, the second archive you create for a VAP group is archive number 2, and the third is archive number 3.
Column/Row Heading: VAP Count
Information Provided: Number of VAPs in the archived VAP group at the time when the archive was created.
Column/Row Heading: VAP OS version
Information Provided: VAP OS version running on the archived VAP group at the time when the archive was created.
Column/Row Heading: XOS version
Information Provided: XOS version running on the X-Series Platform at the time when the archive was created.
Column/Row Heading: Application
Information Provided: Name of the application running on the VAP group at the time when the archive was created.
Column/Row Heading: Application Version
Information Provided: Version of the application running on the VAP group at the time when the archive was created.
Column/Row Heading: Application Release
Information Provided: Release of the application running on the VAP group at the time when the archive was created.
Column/Row Heading: Date
Information Provided: Day, date, and time at which the archive was created.
Column/Row Heading: Archive Location
Information Provided: If the archive is stored on the CPM, this field displays the full path to the directory in which the archive files are stored. If the archive is stored on an external server, this field displays the URL that can be used to access the archive files on the external server. NOTE: The show archive-vap-group command displays the location where the archive files were placed when the archive was created. If the archive files have been moved to another location, the show archive-vap-group command does not display the new location.
Column/Row Heading: Archive Size
Restrictions
Default Privilege Level: 0
Examples
Example 1: Displaying Information About an Archive Stored on the CPM
The following command displays information about the first archive (archive number 1) that was created for the VAP group called testvapgroup; archive number 1 is stored on the CPM.
CBS# show archive-vap-group vap-group testvapgroup archive 1
VAP Group : testvapgroup
Archive Number : 1
VAP Count : 3
VAP OS version : xslinux_v3
XOS version : 9.5.1-xx
Application : VPN-1 Power
Application Version : NGXR65
Application Release : 1.0.2.0-5
Date : Wed Feb 23 14:23:52 EST 2011
Archive Location : /tftpboot/archives/testvapgroup/1
Archive Size : 419624
CBS#
show host
This command displays hosts.
Syntax
show host
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show kernel
This command displays the current kernel version for a specified VAP group or all VAP groups.
Syntax
show kernel [vap-group <VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <VAP_group_name>
Description: Name of a VAP group.
Restrictions
Default Privilege Level: 0
Example
The following is a sample display.
CBS# show kernel
vAP Group : firewall
kernel : 2.6.18-53.el5
show routing-protocol
This command displays routing protocol configurations.
Syntax
show routing-protocol [rip | ospf | pim | bgp | ospf6 | ripng | nsm] [vap-group <VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: rip
Description: Displays the Routing Information Protocol (RIP) configuration.
Parameter: ospf
Description: Displays the Open Shortest Path First (OSPF) configuration.
Parameter: pim
Description: Displays the Protocol Independent Multicast configuration.
Parameter: bgp
Description: Displays the Border Gateway Protocol configuration.
Parameter: ospf6
Description: Displays the Open Shortest Path First (OSPF) for IPv6 configuration.
Parameter: ripng
Description: Displays the Routing Information Protocol (RIP) for IPv6 configuration.
Parameter: nsm
Description: Displays the Network Services Module configuration.
Parameter: vap-group <VAP_group_name>
Description: Displays the routing configuration for a specific VAP group.
Restrictions
Default Privilege Level: 0
show vap-group
This command displays configuration information for the specified VAP group. If you do not specify a VAP group, this command displays configuration information for all VAP groups.
Syntax
show vap-group [<VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <VAP_group_name>
Description: Name of a VAP group.
Restrictions
Default Privilege Level: 0
Example
This is an example configuration of a VAP group named ips. CBS# show vap-group ips VAP Group Operating System Load Priority Preemption Priority AP List VAP Count Max Load Count Max Reload Count Load Balance VAP List IP Forwarding (true/false) Delay Flow (seconds) Backup Mode Reload Timeout (seconds) RP Filter (true/false) Log Martians (true/false) DHCP Relay Server List RAID Jumbo Frame (true/false) Scatter Gather (true/false) Master HoldDown Timer (in seconds) Application Monitoring (true/false) IPv6 Enabled (true/false) IPv6 IP Forwarding (true/false) Fail to Host (true/false) Flow Proxy (true/false) Reset Wait Time (seconds) (1 row) : : : : : : : : : : : : : : : : : : : : : : : : : : ips xslinux_v5 0 0 ap6 ap7 ap8 2 2 3 1 2 f 0 none 300 f f none f f 0 t t f t t 5
show check-flow-rule
This command displays whether IP flow rules will be checked for conflicts. The display consists of t for true or f for false.
Syntax
show check-flow-rule
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
show default-ip-flow-rule
This command displays the default IP flow rule settings. NOTE: In Series-6 NPM mode, the Rate Limiter and Hide Slot Originator fields will be designated N/A, since the rate-limiter and hide-slot-originator parameters apply only to systems running in Series-2 NPM mode.
Syntax
show default-ip-flow-rule
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command when operating in Series-6 NPM mode:
CBS# show default-ip-flow-rule
Default IP Flow Rule:
Source Addresses : 0.0.0.0 - 255.255.255.255
Source Ports : 0 - 65535
Destination Addresses : 192.168.0.10 - 192.168.0.11
Destination Ports : 0 - 65535
Protocols : 0 - 255
Domains : 1 - 1
Incoming Circuit Group (ICG) : 1
Priority : 21
Primary Action : dest-ip-based-load-balance
VAP Group : ips
Index In Group : N/A
Rate Limiter : N/A
Skip Protocol (t/f) : t
Skip Port (t/f) : t
Hide Slot Originator (t/f) : N/A
Timeout : none
Trace (t/f) : f
Sync (t/f) : N/A
show default-non-ip-flow-rule
This command displays the default non-IP flow rule settings.
Syntax
show default-non-ip-flow-rule
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
In the following example, MLT is used; a rule for LACP packets is initialized for the system:
CBS# show running-config
...
circuit mlt circuit-id 1025
  vap-group VLAN
#
group-interface mlt
  mode multi-link circuit mlt
  gigabitethernet 1/1
  gigabitethernet 2/1
CBS# show default-non-ip-flow-rule
System Non IP Flow Rule : system generated multi-link flow (LACP)
Encapsulation : ethernet
Type : 34825
Action : broadcast
Activate (true/false) : t
(example shows 1 row)
show ip-flow-rule
This command displays the current parameter settings for all IP flow rules or displays the current parameter settings for the specified IP flow rule. This command displays only the IP flow rules that have valid settings for the destination-port, source-port, destination-ip, source-ip, protocol, domain, and primary-action parameters. IP flow rules with invalid settings for these parameters are not displayed.
Syntax
show ip-flow-rule [<IP_flow_rule>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_flow_rule>
Description: Displays the current parameter settings only for the specified IP flow rule. By default, the show ip-flow-rule command displays the current parameter settings for all IP flow rules.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command run on a system operating in Series-6 NPM mode:
CBS# show ip-flow-rule
IP Flow Rule : allthings
VAP Group : TAP
Destination Address : 0.0.0.0
Destination Address High : 255.255.255.255
Destination Port : 0
Destination Port High : 65535
Source Address : 0.0.0.0
Source Address High : 255.255.255.255
Source Port :
Source Port High :
Incoming Circuit Group :
Protocol :
Protocol High :
Domain :
Domain High :
Action :
Activate (true/false) :
Priority :
Skip Protocol (true/false) :
Skip Port (true/false) :
Skip Port Protocol (true/false) :
Timeout :
Trace (true/false) :
show non-ip-flow
This command displays any VAP non-ip-flow rules configured.
Syntax
show non-ip-flow [<flow_rule_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: [<flow_rule_name>]
Description: The name of the flow rule. If you do not specify the name of a non-IP flow rule, the command displays all non-IP flow rules.
Restrictions
Default Privilege Level: 15
Example
The following is an example using the show non-ip-flow command to display defined non-ip-flow rules.
CBS# show non-ip-flow
Non IP Flow Rule : test
VAP Group : TAP
Encapsulation : ethernet
Type : 1600
Action : broadcast
Activate (true/false) : t
Core Assignment : random-single-core
(1 row)
show system-ip-flow-rule
This command displays the current parameter settings for all system IP flow rules or displays the current parameter settings for the specified system IP flow rule. This command displays only the system IP flow rules that have valid settings for the destination-port, source-port, destination-ip, source-ip, protocol, domain, and primary-action parameters. System IP flow rules with invalid settings for these parameters are not displayed.
Syntax
show system-ip-flow-rule [<IP_flow_rule_id>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <IP_flow_rule_id>
Description: Displays the current parameter settings only for the specified system IP flow rule. By default, the show system-ip-flow-rule command displays the current parameter settings for all system IP flow rules.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command run on a system operating in Series-6 NPM mode:
CBS# show system-ip-flow-rule
System IP Flow Rule : myrule
Destination Address : 0.0.0.0
Destination Address High : 255.255.255.255
Destination Port : 0
Destination Port High : 65535
Source Address : 0.0.0.0
Source Address High : 255.255.255.255
Source Port : 0
Source Port High : 65535
Incoming Circuit Group : 1
Protocol : 1
Protocol High : 255
Domain : 1
Domain High : 4095
Action : drop
Activate (true/false) : f
Priority : 10
Skip Protocol (true/false) : t
Skip Port (true/false) : t
Skip Port Protocol (true/false) : t
Timeout : auto
show system-non-ip-flow-rule
This command displays the system non-IP flow rules.
Syntax
show system-non-ip-flow-rule [<non_IP_flow_rule_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <non_IP_flow_rule_name>
Description: Specifies the flow rule to display.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:
CBS# show system-non-ip-flow-rule
System Non IP Flow Rule : myrule
Encapsulation : snap
Type : any
Action : drop
Activate (true/false) : f
(1 row)
show bridge-mode
This command displays a bridge-mode circuit and its members.
Syntax
show bridge-mode [<circuit_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <circuit_name>
Description: Name of a circuit configured for bridge mode. Default is all circuits configured for bridge mode.
Restrictions
Default Privilege Level: 0
Example
CBS# show bridge-mode
Bridge Mode Name : bridge66mode
Mode : bridge
Member Circuit : int66
Bridge Mode Name : vlan66bridge
Mode : bridge
show circuit
This command displays circuit information for one or all circuits. The command includes a parameter that shows the status of the circuit. The Aggregation Mode field displays whether the circuit is a part of a multi-link, bridge, or transparent group interface. If not a member of a group interface, none is displayed.
Syntax
show circuit <circuit-name>[admin-status | status]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command. Parameter <circuit_name> status admin-status Description Name of a specific circuit. Default is all circuits. Displays statistical information relating to a circuit. Default. Displays circuit configuration information.
Restrictions
Default Privilege Level: 0
Example
The following example shows the output of the status parameter.
CBS# show circuit outside status
Module  Circuit  IP Address  In Packets  In Errors  In Drops  Out Packets  Out Errors  Out Drops
ips_1   outside  10.37.0.1   28401561    0          0         28422779     0           0
ips_2   outside  10.37.0.1   28401543    0          0         28422559     0           0
The following example shows the output of the admin-status parameter.
CBS# show circuit outside admin-status
Circuit Name : bint
Circuit-Id : 1027
Device Name : bint
Incoming Circuit Group : 1
Promiscuous Mode : no promiscuous
Proxy ARP Enabled (true/false) : f
IP Forwarding (true/false) : f
ICMP Redirect (true/false) : f
Reclassify NAT Flows (true/false) : f
IP Flow Rule Priority : 21
IP Flow Rule No Failover (true/false) : f
VAP Group Verify Next Hop IP Aggregation Mode Domain New Flow Control (true/false) DHCP Relay (true/false) Default Egress Vlan Tag Hide VLAN Header (true/false) Replace Egress Vlan Tag MAC Address MTU Management Circuit (true/false) Enable (true/false) Primary Type IP Address IP Broadcast Address Increment-per-vap Mode (true/false) Alias Index IP Address IP Broadcast Address Increment-per-vap Mode (true/false) Floating (true/false)
: : : : : : : : : : : : : : : : : : : : : :
flo none 1 t f N/A N/A N/A 00:03:d2:e0:0c:c8 (system-reserved) 1500 f t primary 192.168.10.1/24 192.168.10.255 f 1 100.100.100.44/24 100.100.100.255 f t
show incoming-circuit-group-name
This command displays all incoming circuit groups, giving the number and name of each one. To configure a name for an incoming circuit group, use the configure incoming-circuit-group-name command.
Syntax
show incoming-circuit-group-name
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
CBS# show incoming-circuit-group-name
ICG Number  ICG Name
3           icg3
4           icg4
5           icg5
(3 rows)
show group-interface
This command displays the configurations of all group interfaces, or displays only the configuration of the specified group interface. This command displays only the parameter settings that are applicable to each group interface's physical interface type. IMPORTANT: This command shows how the group interface was configured, not the current state of the group interface. To view the current state, use the show interface command for each interface in the group.
Syntax
show group-interface [<group_name>] [stats | status]
Context
You access this command from the main CLI context.
Inline Commands
The following table lists the CLI commands used inline with the show group-interface command.
Command: stats
Description: Displays the operational group interface status.
Command: status
Description: Displays the group interface status.
Parameters
The following table lists the parameters used with this command.
Parameter: <group_name>
Description: Displays only the configuration of the specified group interface. By default, the show group-interface command displays the configurations of all group interfaces.
Restrictions
Default Privilege Level: 15
Example
The following is an example display of group interface firewall1. No parameters have been set for this group interface. CBS# show group-interface firewall1 Group Name Mode Mode Circuit Interface Internal Circuit Status Grouping (true/false) Interface Type : : : : : : firewall1 none
f gigabitethernet
Enable (true/false) : t
Auto Negotiate Enabled (true/false) : t
Media Speed (Mbits) : auto
Duplex Mode : auto
Pause Frame (true/false) : t
(2 rows)
NOTE: If Mode is None, the group interface is not yet fully configured or functional. You still need to select a mode.
The following is an example display of group interface firewall3. This group interface type is Gigabit Ethernet. There are three individual interfaces assigned to this group, and one of those individual interfaces is disabled.
CBS# show group-interface firewall3
Group Name : firewall3
Mode : multi-link
Mode Circuit : cct2
Interface Type : gigabitethernet
Enable (true/false) : t
MAC Address : 00:05:d2:10:0a:7e
Auto Negotiate Enabled (true/false) : f
Media Speed (Mbits) : 100
Duplex Mode : full
Pause Frame (true/false) : t
Included Group :
Physical Interface (Device) [en/disable] : gigabitethernet 2/1 [enable]
Physical Interface (Device) [en/disable] : gigabitethernet 2/2 [enable]
Physical Interface (Device) [en/disable] : gigabitethernet 2/3 [disable]
Example of show group-interface status:
Group Name (Status)  Interface (Status)          Auto-Neg.  Speed  Duplex
gi1 (down)           gigabitethernet 1/1 (down)  enabled    auto   auto
(1 row)
show interface
This command displays the current state for a physical interface. If no interface is specified, status is displayed for all physical interfaces. The detail parameter displays verbose information, and allows you to specify additional parameters to filter the verbose output to display only data for the physical line, IPv4, IPv6, or non-IPv4 frame types, interface type, or to display data for a specific interface. The IP frame type parameters apply only to NPM interfaces. With the exception of management interfaces, the MTU setting is defined at the circuit level. Use show circuit to display the MTU.
Syntax
show interface [detail [phy] [ipv4] [ipv6] [non-ipv4] [gigabitethernet <slot/port> | 10gigabitethernet <slot/port>]]
show interface [gigabitethernet <slot/port> | 10gigabitethernet <slot/port>] [high-availability]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command. Parameter detail Description Displays verbose information, including a reason for dropped packets. The detail parameter is ignored for management interfaces. The detail parameter supports the following parameters as filters. (Used only following the detail parameter) Displays the verbose status of all physical interfaces. This is the default. (Used only following the detail parameter) Displays the verbose status of all physical lines. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>. (Used only following the detail parameter) Displays the verbose status for IPv4 frames on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>. (Used only following the detail parameter) Displays the verbose status for IPv6 frames on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>. (Used only following the detail parameter) Displays the verbose status for non-IPv4 frames, including IPv6 frames, on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>. Displays the status of 10 Gigabit Ethernet interfaces only. Displays the verbose status when used following the detail parameter. If you specify 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed. 
[detail] gigabitethernet <slot/port> Displays the status of Gigabit Ethernet interfaces only. Displays the verbose status when used following the detail parameter. If you specify gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed. high-availability Displays the status of the High Availability port on the primary CPM.
detail ipv4
detail ipv6
detail non-ipv4
Output
The output for the show interface detail command has the following format:
show interface detail gigabitethernet 2/1
Gigabitethernet 2/1 is up
Interface is in use
Hardware address is N/A
SFP info: phy_present|phy_good
Media Type: Copper, Vendor Name: Methode Elec.
MTU N/A, BW 100 Mbits, full-duplex, auto-negotiation is enabled
Last clearing of "show interface" counters never
PHY stats: Statistics on physical line
  Received:
    Total frames 2069898 (bytes 200033630)
    Broadcast frames 1546455
    Undersized frames 0
    Oversized frames 0
    Throttles 0
    Total errors 0
    Frame check sequence (FCS) errors 0
    Frame errors 0
    Overrun errors 0
    Ignored errors 0
  Transmitted:
    Total frames 381705 (bytes 345098116)
    Underrun errors 0
    Total errors 0
    Collisions 0
IPv4 stats: Statistics for IPv4 frames
  Received frames 1304125 (rate 0 fps)
  Transmitted frames 381705 (rate 0 fps)
  Dropped frames (and rate per minute):
    Bad V4 header 41 (rate 0 fpm)
    Un-configured circuit 23 (rate 0 fpm)
    Provision table full 0 (rate 0 fpm)
    Table configuration error 0 (rate 0 fpm)
    Packet processing capacity 0 (rate 0 fpm)
    Interface down 19 (rate 0 fpm)
    Invalid internal route 0 (rate 0 fpm)
    Mismatched L2 entry 218 (rate 0 fpm)
    Mismatched L3 entry 0 (rate 0 fpm)
    Early NFI reinjection 0 (rate 0 epm)
    Mismatched L2 route 0 (rate 0 fpm)
    L3 policy action 6 (rate 0 fpm)
    Mismatched L3 route 0 (rate 0 fpm)
    Unavailable master 0 (rate 0 fpm)
    Mismatched index for action pass-to-vap 1304 (rate 0 fpm)
    Unavailable lb-vector 0 (rate 0 fpm)
    Empty vap-group 365 (rate 0 fpm)
  NFI (New Flow Initiation) Events (and rate):
    New flow 7514 (rate 0 eps)
    Internal route change 3534 (rate 0 eps)
    External route change 4 (rate 0 eps)
  Frame Validation Failure Stats (and rate per minute)
    Invalid IP/TCP frame 0 (rate 0 fpm)
    Invalid IP/TCP frame dropped 0 (rate 0 fpm)
IPv6 stats: Statistics for IPv6 frames
  Received frames
  Transmitted frames
Non-IPv4 (incl. IPv6) stats: Statistics for Non-IPv4 Frames
  Received frames 765501 (rate 1 fps)
  Transmitted frames 10726 (rate 0 fps)
  Dropped frames (and rate per minute):
    Un-configured circuit 0 (rate 0 fpm)
    Mismatched L2 policy 3706 (rate 0 fpm)
    Policy action 0 (rate 0 fpm)
    Interface down 8 (rate 0 fpm)
    Empty vap-group 0 (rate 0 fpm)
The following table describes the information provided in each column and or row.
Column/Row Heading: SFP Info
Information Provided: Provides hardware and configuration information for the SFP.
Column/Row Heading: MTU and Phy stats
Information Provided: This information is the same information produced by the command ifconfig.
Column/Row Heading: IP Stats: Statistics for IP Frames
Column/Row Heading: Received Frames
Information Provided: The number of IP data packets received at the network processing unit (NPU) from the external interfaces.
Column/Row Heading: Transmitted Frames
Information Provided: Number of IP data packets transmitted from the NPU to the external interfaces.
Column/Row Heading: Reasons for Dropped IP Frames
Column/Row Heading: Bad V4 Header
Information Provided: The IPv4 header type or the header length is wrong.
Column/Row Heading: Un-configured circuit
Information Provided: The circuit is not configured for the incoming VLAN and port to process the packet.
Column/Row Heading: Provision table full
Information Provided: Packets for new flows are dropped because the provision table was full. The provision table holds new flows during flow setup.
Column/Row Heading: Table configuration error
Information Provided: Internal NPU configuration error
Column/Row Heading: Packet processing capacity
Information Provided: Traffic exceeded the packet processing capacity of the NPU.
Column/Row Heading: Interface down
Information Provided: The state of the interface was down.
Column/Row Heading: Invalid internal route
Information Provided: Unexpected route information in the NPU.
Column/Row Heading: Mismatched L2 entry
Information Provided: The L2 policy did not match the incoming packet.
Column/Row Heading: Mismatched L3 entry
Information Provided: The L3 policy did not match the incoming packet.
Column/Row Heading: Early NFI Reinjection
Information Provided: When new flow initiation (NFI) packets are injected before the flow is established in the NPU.
Column/Row Heading: Mismatched L2 route
Information Provided: The NPM was unable to establish an L2 flow to the APM.
Column/Row Heading: L3 policy action
Information Provided: A Layer-3 policy is programmed to drop the packet.
Column/Row Heading: Mismatched L3 route
Information Provided: The NPM was unable to establish an L3 flow to the APM.
Column/Row Heading: Unavailable master
Information Provided: When a policy is programmed to pass-to-master and a master VAP is not available, the packet is dropped.
Column/Row Heading: Mismatched index for action pass-to-vap
Information Provided: When a policy is programmed to pass to index and the VAP with the specified index is not available, the packet is dropped.
Column/Row Heading: Unavailable lb-vector
Information Provided: When a policy is programmed to load balance and the VAP member for the load balanced flow is unavailable, the packet is dropped.
Column/Row Heading: Empty vap-group
Information Provided: When a policy is set to broadcast and there are no VAP members available.
Column/Row Heading: New flow
Information Provided: The number of packets that resulted in new flow processing on the NPU. The flow can exist in the control processor, but the 5-tuple entry does not exist in the NPU.
Column/Row Heading: Internal route change
Information Provided: When a VAP member or application goes down, the processor flow software initiates the internal route change.
Column/Row Heading: External route change
Information Provided: When an external route changes, the packet fails the ingress point validation and the result is that a new flow is initiated.
Column/Row Heading: Non-IP Stats: Statistics for Non-IP Frames
Column/Row Heading: Received frames
Information Provided: Number of non-IP data packets received at the NPU from the external interfaces.
Column/Row Heading: Transmitted frames
Information Provided: Number of non-IP data packets transmitted from the NPU to the external interfaces.
Column/Row Heading: Reasons for Dropped Non-IP Frames
Column/Row Heading: Un-configured circuit
Information Provided: The circuit is not configured for the incoming VLAN and port to process the packet.
Column/Row Heading: Mismatched L2 policy
Information Provided: The L2 policy did not match the incoming non-IP packet.
Column/Row Heading: Policy action
Information Provided: The L2 policy is programmed to drop the packet.
Column/Row Heading: Interface down
Information Provided: The state of the interface was down.
Column/Row Heading: Empty vap-group
Information Provided: When a policy is set to broadcast and there are no VAP members available.
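The following Python example is added here and is not part of the original guide or of XOS. It parses captured show interface detail output and lists the non-zero dropped-frame counters together with the reasons from the table above. It assumes the CLI prints one counter per line; the function names and the sample capture (built from the values in the guide's example) are constructed for illustration.

```python
import re

# Drop reasons paraphrased from the guide's table, keyed by lower-cased counter label.
DROP_REASONS = {
    "bad v4 header": "IPv4 header type or header length is wrong",
    "un-configured circuit": "circuit not configured for the incoming VLAN and port",
    "provision table full": "provision table (new flows during setup) was full",
    "table configuration error": "internal NPU configuration error",
    "packet processing capacity": "traffic exceeded NPU packet processing capacity",
    "interface down": "state of the interface was down",
    "invalid internal route": "unexpected route information in the NPU",
    "mismatched l2 entry": "L2 policy did not match the incoming packet",
    "mismatched l3 entry": "L3 policy did not match the incoming packet",
    "early nfi reinjection": "NFI packets injected before the flow is established",
    "mismatched l2 route": "NPM unable to establish an L2 flow to the APM",
    "l3 policy action": "Layer-3 policy is programmed to drop the packet",
    "mismatched l3 route": "NPM unable to establish an L3 flow to the APM",
    "unavailable master": "policy is pass-to-master and no master VAP is available",
    "mismatched index for action pass-to-vap": "VAP with the specified index is not available",
    "unavailable lb-vector": "VAP member for the load-balanced flow is unavailable",
    "empty vap-group": "policy is broadcast and no VAP members are available",
    "mismatched l2 policy": "L2 policy did not match the incoming non-IP packet",
    "policy action": "L2 policy is programmed to drop the packet",
}

# Constructed sample capture (assumed layout: one counter per line).
SAMPLE = """\
Gigabitethernet 2/1 is up
IPv4 stats: Statistics for IPv4 frames
  Received frames 1304125 (rate 0 fps)
  Transmitted frames 381705 (rate 0 fps)
  Dropped frames (and rate per minute):
    Bad V4 header 41 (rate 0 fpm)
    Un-configured circuit 23 (rate 0 fpm)
    Provision table full 0 (rate 0 fpm)
    Interface down 19 (rate 0 fpm)
    Mismatched L2 entry 218 (rate 0 fpm)
    Early NFI reinjection 0 (rate 0 epm)
    L3 policy action 6 (rate 0 fpm)
    Mismatched index for action pass-to-vap 1304 (rate 0 fpm)
    Empty vap-group 365 (rate 0 fpm)
  NFI (New Flow Initiation) Events (and rate):
    New flow 7514 (rate 0 eps)
Non-IPv4 (incl. IPv6) stats: Statistics for Non-IPv4 Frames
  Received frames 765501 (rate 1 fps)
  Dropped frames (and rate per minute):
    Un-configured circuit 0 (rate 0 fpm)
    Mismatched L2 policy 3706 (rate 0 fpm)
    Policy action 0 (rate 0 fpm)
    Interface down 8 (rate 0 fpm)
    Empty vap-group 0 (rate 0 fpm)
"""

SECTION_RE = re.compile(r"^(.+?) stats:")
COUNTER_RE = re.compile(
    r"^(?P<label>.+?)\s+(?P<count>\d+)\s+\(rate\s+(?P<rate>\d+)\s+\w+\)$")


def parse_drop_counters(text):
    """Return {section: {label: (count, rate)}} for the 'Dropped frames' blocks only."""
    result, section, in_drops = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:  # e.g. "IPv4 stats: ..." starts a new statistics section
            section, in_drops = sec.group(1), False
            continue
        if line.startswith("Dropped frames"):
            in_drops = True
            continue
        counter = COUNTER_RE.match(line)
        if counter is None:  # any other heading (e.g. NFI events) ends the block
            in_drops = False
            continue
        if in_drops and section:
            result.setdefault(section, {})[counter.group("label")] = (
                int(counter.group("count")), int(counter.group("rate")))
    return result


def nonzero_drops(text):
    """List (section, label, count, reason) for non-zero drop counters, largest first."""
    findings = []
    for section, counters in parse_drop_counters(text).items():
        for label, (count, _rate) in counters.items():
            if count:
                reason = DROP_REASONS.get(label.lower(), "not described in the table")
                findings.append((section, label, count, reason))
    return sorted(findings, key=lambda f: -f[2])


if __name__ == "__main__":
    for section, label, count, reason in nonzero_drops(SAMPLE):
        print(f"{section:22} {label:40} {count:>6}  {reason}")
```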
The output of the show interface high-availability command has the following format:
CBS# show interface high-availability
CP Module  Auto Negotiate Enabled (true/false)  Media Speed (Mbits)  Duplex Mode
cp1        t                                    auto                 auto
cp2        t                                    auto                 auto
(2 rows)
High-availability port on slot 14 is up
BW 1 Gigabit, full-duplex, auto-negotiation is disabled
Last clearing of "show interface" counters Fri Sep 3 04:54:25 2010
PHY stats: Statistics on physical line
  Received:
    Total frames 0 (bytes 0)
    Total errors 0
  Transmitted:
    Total frames 367 (bytes 28146)
    Total errors 0
Restrictions
Default Privilege Level: 0
show interface-status-group
This command displays the status of all interface-status-groups or of the interface-status-group that you specify.
Syntax
show interface-status-group [<interface_status_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: <interface_status_group_name>
Description: Displays only the configuration of the specified interface-status-group. By default, the show interface-status-group command displays a list of all interface-status-groups.
Restrictions
Default Privilege Level: 15
Example
The following is an example output of the show interface-status-group command.
CBS# show interface-status-group
Interface Status Group : isg1
Group Interface : my_grp
Interface Status Group : isg2
Group Interface : group1
Individual Interface : gigabitethernet 1/1
(2 rows)
show ip-mapping
This command displays interfaces and their associated IP address mapping.
Syntax
show ip-mapping [record-format] [verbose]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter: record-format
Description: Displays data in record (name : value) format.
Parameter: verbose
Description: Displays data that includes VAP group information.
Restrictions
Default Privilege Level: 0
Example
The following is a sample display. CBS# show ip-mapping Interface Name prefix: (p) Physical Interface. (g) Group Interface. (i) Interface Internal. Logical Type: logical-all handles all traffic. non-vlan handles non-vlan traffic. Range indicates high/low vlan tag Interface Name alias) Logical Logical Type Circuit isatap_cct mgt mgt rswtrf sn test_group trf new_isatap Domain Address (* denotes 1 1 1 1 1 1 1 1 2002::3 - 2002::3 1.10.1.10 - 1.10.1.15 2.2.2.30 - 2.2.2.33 2.2.20.10 - 2.2.20.10 10.30.3.1 - 10.30.3.5 0.0.0.0 - 0.0.0.0 10.20.2.1 - 10.20.2.1 0.0.0.0 - 0.0.0.0
trflog gig28
non-vlan non-vlan
show redundancy-interface
This command displays the backup/master pairs for interface redundancy. This command also displays status.
Syntax
show redundancy-interface
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
CBS# show redundancy-interface
Master Intf  Backup Intf  Active Intf  MacUsage  FailOverMode
-----------  -----------  -----------  --------  ------------
gig 1/10     gig 4/10     Master       master    preemption-on
show status-grouping
This command displays the status and physical interfaces that comprise a group interface configured with the configure group-interface command.
Syntax
show status-grouping [<group_interface_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                Description
<group_interface_name>   Displays the status of the specific group interface. Default is to display all group interfaces.
Restrictions
Default Privilege Level: 0
Example
The following shows that there are three physical interfaces in a group interface named ipsonly.
CBS# show status-grouping ipsonly
Group Interface : ipsonly
Interface       : gigabitethernet 2/1
Status          : Up
Group Interface : ipsonly
Interface       : gigabitethernet 2/2
Status          : Up
Group Interface : ipsonly
Interface       : gigabitethernet 2/4
Status          : Up
(3 rows)
show vlan
This command displays VLAN information.
Syntax
show vlan
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show vlan
Interface gigabitethernet gigabitethernet gigabitethernet gigabitethernet (4 rows) Logical Line mlt1 all 1 mlt2 all 3 mlt1 all 2 mlt2 all 4 Ingress Range all all all all Circuit c1 1027 c2 1029 c1 1028 c2 1030 Def. Egress Tag 0 0 0 0
show acl-interface
Displays the packet filtering criteria defined for all access control list (ACL) filters configured on the X-Series Platform, or displays only the packet filtering criteria defined for the specified ACL filter. See configure acl-interface on page 524 for information about configuring an ACL filter.
Syntax
show acl-interface [<ACL_interface_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter              Description
<ACL_interface_name>   Displays only the packet filtering criteria defined for the specified ACL filter.
Output
The output for this command has the following format:
ACL Interface          : testacl2
VLAN/Mask (in decimal) : 0x000 / 0x000 (0 / 0)
Source MAC/Mask        : 00:00:00:00:00:00 / 00:00:00:00:00:00
Destination MAC/Mask   : 00:00:00:00:00:00 / 00:00:00:00:00:00
Ethernet Type/Mask     : 0x0000 / 0x0000
Direction              : ingess-only
The following table describes the information provided in each column/row.
Column/Row Heading       Information Provided
ACL Interface            Displays the name of the ACL Interface.
VLAN/Mask (in decimal)   Displays the source VLAN and mask in hex and decimal for the ACL Interface.
Source MAC/Mask          Displays the source MAC address and mask for the ACL Interface. This applies to the ingress direction only.
Destination MAC/Mask     Displays the destination MAC address and mask for the ACL Interface. This applies to the ingress direction only.
Ethernet Type/Mask       Displays the Ethernet type and mask for the ACL Interface.
Direction                Displays the direction for the ACL Interface as ingress-only or egress-only.
Restrictions
Default Privilege Level: 15
Example
The following example shows an ACL interface testmirroracl configured with a source-mac address and mask of 01:02:03:00:00:00 / ff:ff:ff:ff:ff:ff and a destination-mac address of 00:00:00:01:02:03 / ff:ff:ff:ff:ff:ff.
CBS# show acl-interface testmirroracl
ACL Interface          : testmirroracl
VLAN/Mask (in decimal) : 0x000 / 0x000 (0 / 0)
Source MAC/Mask        : 01:02:03:00:00:00 / ff:ff:ff:ff:ff:ff
Destination MAC/Mask   : 00:00:00:01:02:03 / ff:ff:ff:ff:ff:ff
Ethernet Type/Mask     : 0x0000 / 0x0000
Direction              : ingress-only
(1 row)
show acl-interface-mapping
Displays a list of the access control lists (ACLs) assigned to each individual interface and each group interface configured on the X-Series Platform, and displays the action configured for each ACL on each interface. For each ACL interface configuration, this command displays the individual or group interface name, the ACL filter name, and the action defined for the ACL on the individual or group interface. See configure acl-interface on page 524 for information about configuring an ACL for an individual physical interface or a group interface.
Syntax
show acl-interface-mapping
Context
You access this command from the main CLI context.
Output
The output for this command has the following format:
Primary (interface/group)  ACL Interface  action  Destination interface
10gigabitethernet 1/12     testacl        drop
gigabitethernet 1/5        test2          mirror  gigabitethernet 1/6
gigabitethernet 1/2        testacl        drop
gigabitethernet 1/2        testacl2       drop
(3 rows)
The following table describes the information provided in each column/row.
Column/Row Heading          Information Provided
Primary (interface/group)   Displays the physical interface and port on which the ACL interface is configured.
ACL Interface               Displays the name of the ACL filter configured for the primary interface.
action                      Displays the configured action: capture, drop, mirror, or pass-through. NOTE: The capture action directs the matching traffic to the eth2 interface on the NPM.
Destination interface
Restrictions
Default Privilege Level: 15
Example
The following example displays show acl-interface-mapping output for a single ACL interface on the gigabitethernet 1/1 port named testmirroracl with an action to drop traffic that matches the ACL filter criteria:
CBS# show acl-interface-mapping
Primary (interface/group)  ACL Interface  action  Destination interface
gigabitethernet 1/1        testmirroracl  drop
(1 row)
show remote-box
This command displays the system ID and addresses of any remote systems configured with this system in a VRRP configuration. Optionally, you can specify the system-identifier of a remote system. Use the ? option to see a list of currently configured remote systems.
Syntax
show remote-box [<remote_box_ID>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter         Description
<remote_box_ID>   A number from 1 through 255, representing the system-identifier of the remote-box.
Output
The following table explains the information provided in the output from the show remote-box command.
Column Heading   Description
Remote IP        The IP address of the interface on the remote-box.
Local Intf       The local interface that is used to access the remote IP address.
Local IP         The IP address of the local interface that is used to access the remote IP address.
Status           The status of the connection to the remote box (Active or Standby).
Description The amount of time that the current Status (Active or Standby) has been true. The quality of the link between the local and remote boxes. If the link has been connected for some time, the value of link quality is 100. If the link is disconnected for some time, the value is reset to 0. When the link is reconnected, the value increases over time to the maximum value of 100. If a link connection is intermittent, the value that appears will be somewhere between 0 and 100.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:
CBS# show remote-box 22
Local System ID: 85
Remote System ID: 22
Remote IP        Local Intf  Local IP
192.168.211.89   14/1        192.168.211.85
1.1.89.20        HA port     1.1.85.20
(2 rows)
show vrrp
This command displays basic configuration and status information for each VRRP failover group configured on the system. This command also displays VRRP status.
Syntax
show vrrp
Context
You access this command from the main CLI context.
Output
The output for this command has the following format:
Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      100/100   Master  on       1              100
2      150/150   Master  off      1              150
3      150/150   Master  on       1              150
(3 rows)
The following table describes the information provided in each column/row.
Column/Row Heading   Information Provided
FG-ID                Failover group ID number.
Priority             Failover group priority (actual/configured).
Status               Failover group status. Possible values are:
                     master - Failover group is in master mode.
                     backup - Failover group is in backup mode.
                     down - Failover group is not functioning.
                     init - Failover group is initializing.
Preempt              Indicates whether preemption is enabled (on) or disabled (off) for each failover group.
Master Sys ID        System ID assigned to the master system.
Master Priority      Current priority of the failover group on the master system.
Restrictions
Default Privilege Level: 0
Example
The following example shows the output of this command:
CBS# show vrrp
Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      200/200   Master  on       62             200
2      250/250   Master  on       62             250
(2 rows)
Syntax
show vrrp circuit-ip [<failover_group_name>] [vrrp-id <virtual_router_ID_number>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                          Description
<failover_group_name>              Displays the VRRP configurations for all circuits in the specified failover group.
vrrp-id <virtual_router_ID_number> Displays the VRRP configuration for the circuit assigned to the specified virtual router.
Output
The output for this command has the following format:
Failover Group          : chetire
Failover Group ID       : 4
VRRP State              : Backup
VRRP ID                 : 112
Circuit Name            : gig15
VAP Group               : fw
IP Address              : 192.203.10.100/24 192.203.10.255 (Virtual)
Interface (State)       : gigabitethernet 1/5 (Up), gigabitethernet 1/6 (Up)
Group Interface (State) : gig15_16 (Up)
The following table describes the information provided in each column/row.
Column/Row Heading        Information Provided
Failover Group            Failover group name.
Failover Group ID         Failover group ID number.
VRRP State                Current state of the failover group:
                          backup - Failover group is in backup mode.
                          down - Failover group is not functioning.
                          init - Failover group is initializing.
                          master - Failover group is in master mode.
                          unknown - System cannot determine the state of the failover group.
VRRP ID                   Virtual router ID number.
Circuit Name              Name of the circuit mapped to the virtual router.
VAP Group                 Name of the VAP group mapped to the virtual router.
IP Address                Displays the IP address assigned to the circuit for the VAP group mapped to the Virtual Router, and indicates whether this IP address is the Primary Address for the circuit. If there is no IP address assigned to the circuit for the VAP group mapped to the virtual router, the IP Address field displays the text, IP-less.
Interface (State)         Displays the interface type, slot/port, and state of the physical interface to which the circuit is assigned. If the circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
                          Up - The interface is functioning normally.
                          Down - The interface is not functioning.
                          Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
                          Unknown - System cannot determine the state of the interface.
Group Interface (State)   Displays the name and state of the group interface to which the circuit is assigned. The group interface can be in one of the following states:
                          Up - The group interface is functioning normally.
                          Down - The group interface is not functioning.
                          Admin. Down - The administrator has used the CLI to manually disable the group interface.
                          Unknown - System cannot determine the state of the group interface.
Restrictions
Default Privilege Level: 15
Example
The following example shows four circuits mapped to VAP group vsxb1, which is part of failover group vrrp_vsx.
CBS# show vrrp circuit-ip vrrp_vsx
VAP Group               : vsxb1
IP Address              : 10.10.2.1 255.255.255.0 10.10.2.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1000
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3003
VAP Group               : vsxb1
IP Address              : 10.10.3.1 255.255.255.0 10.10.3.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1008
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3004
VAP Group               : vsxb1
IP Address              : 10.10.4.1 255.255.255.0 10.10.4.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1003
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3005
VAP Group               : vsxb1
IP Address              : 10.10.5.1 255.255.255.0 10.10.5.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1004
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3006
VAP Group               : vsxb1
IP Address              : IP-less (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
(5 rows)
Syntax
show vrrp detail-status [<failover_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter               Description
<failover_group_name>   Displays information only for the components of the specified failover group.
Output
The output for this command has the following format:
FG_ID  Status  Priority  Delta  Type  Component
1      Backup  99/101    2      vr    gig14/101
1      Backup  99/101    2      vr    gig13/100
1      Backup  99/101    1      mc    dummy
1      Backup  99/101    -2     vg    fw
The following table describes the information provided in each column/row.
Column/Row Heading   Information Provided
FG_ID                Failover group ID number.
Status               Failover group status. Possible values are:
                     master - Failover group is in master mode.
                     backup - Failover group is in backup mode.
                     down - Failover group is not functioning.
                     init - Failover group is initializing.
Priority             Failover group priority (actual/configured).
Delta                The number shown in this column is the VRRP component's configured priority-delta value. The number is displayed differently depending on the status of the priority-delta:
                     Number is positive - Component's priority-delta is not in effect, as the component is functioning normally.
                     Number is negative - Component's priority-delta is in effect, as the component has failed. The failover group's priority has been decremented by the component's priority-delta value.
                     Star symbol (*) appears after the number - Next hop status is unknown. (See the XOS Configuration Guide for more details on this status.)
Type                 VRRP component type. Possible values are:
                     vr - virtual router
                     mi - Monitored interface
                     mg - Monitored group interface
                     mc - Monitored circuit
                     vg - VAP group
                     nh - Next hop
Component            Detailed information about the VRRP component. The contents of this field depend on the VRRP component type:
                     virtual router - Field displays circuit name/ID number for the virtual router.
                     Monitored interface - Field displays the monitored interface name.
                     Monitored group interface - Field displays the monitored group interface name.
                     Monitored circuit - Field displays the monitored circuit name.
                     VAP group - Field displays the VAP group name.
                     Next hop - Field displays verify-next-hop IP address/ID number for the Virtual Router.
Restrictions
Default Privilege Level: 15
Example
The following example shows the output of the show vrrp detail-status command run on an X-Series Platform configured as the backup system for VRRP failover group 200.
CBS# show vrrp detail-status
FG_ID  Status  Priority  Delta  Type  Component
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp448/33
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3006/32
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp384/31
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3005/30
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp320/29
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3004/28
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp256/27
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3003/26
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp192/25
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3002/24
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp128/23
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3001/22
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_outside_4001/21
200    Backup  198/198   1      vr    l2l3/20
200    Backup  198/198   1      vr    outside/10
200    Backup  198/198   1*     nh    10.10.1.10/22
200    Backup  198/198   50     vg    vsxb2
(21 rows)
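The Delta column rules for show vrrp detail-status (a negative number means the priority-delta is in effect and has been subtracted from the configured priority; a trailing * means the next hop status is unknown) can be checked automatically on captured output. The following Python script is an added example, not part of the XOS documentation; the sample text is constructed in the column layout shown for this command, and the class and function names are hypothetical.

```python
"""Flag VRRP components whose priority-delta is in effect in
`show vrrp detail-status` output, and cross-check the actual priority."""
import re
from dataclasses import dataclass, field

# Constructed sample. Group 1 repeats the values of the output-format sample
# for this command; group 2 is invented to show the '*' marker.
SAMPLE = """\
FG_ID  Status  Priority  Delta  Type  Component
1      Backup  99/101    2      vr    gig14/101
1      Backup  99/101    2      vr    gig13/100
1      Backup  99/101    1      mc    dummy
1      Backup  99/101    -2     vg    fw
2      Master  200/200   1      vr    ckt_a/21
2      Master  200/200   1*     nh    10.0.0.1/21
(6 rows)
"""

# One data row: FG_ID, Status, actual/configured priority, delta with an
# optional '*', component type (the six documented types), component name.
ROW = re.compile(
    r"^\s*(?P<fg>\d+)\s+(?P<status>\S+)\s+(?P<actual>\d+)/(?P<configured>\d+)"
    r"\s+(?P<delta>-?\d+)(?P<star>\*?)\s+(?P<kind>vr|mi|mg|mc|vg|nh)"
    r"\s+(?P<name>\S+)\s*$"
)


@dataclass
class Component:
    kind: str      # vr, mi, mg, mc, vg or nh
    name: str
    delta: int     # configured priority-delta, stored as a positive number
    failed: bool   # shown as a negative number: the delta is in effect
    unknown: bool  # '*' after the number: next hop status is unknown


@dataclass
class GroupHealth:
    fg_id: int
    status: str
    actual: int
    configured: int
    components: list = field(default_factory=list)

    @property
    def failed(self):
        return [c for c in self.components if c.failed]

    @property
    def unknown_next_hops(self):
        return [c for c in self.components if c.unknown]

    @property
    def consistent(self):
        # Actual priority should equal the configured priority minus every
        # delta that is in effect; anything else deserves a closer look.
        return self.configured - sum(c.delta for c in self.failed) == self.actual


def parse_detail_status(text):
    """Return {fg_id: GroupHealth}; header, footer and blank lines are skipped."""
    groups = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        fg = int(m["fg"])
        group = groups.setdefault(
            fg, GroupHealth(fg, m["status"], int(m["actual"]), int(m["configured"]))
        )
        raw = int(m["delta"])
        group.components.append(
            Component(m["kind"], m["name"], abs(raw), raw < 0, m["star"] == "*")
        )
    return groups


def findings(groups):
    """Return one human-readable line per condition an operator should review."""
    out = []
    for g in groups.values():
        for c in g.failed:
            out.append(f"FG {g.fg_id}: {c.kind} {c.name} failed, priority reduced by {c.delta}")
        for c in g.unknown_next_hops:
            out.append(f"FG {g.fg_id}: next hop {c.name} status unknown")
        if not g.consistent:
            out.append(
                f"FG {g.fg_id}: priority {g.actual}/{g.configured} "
                "does not match the deltas in effect"
            )
    return out


if __name__ == "__main__":
    for line in findings(parse_detail_status(SAMPLE)):
        print(line)
```

A group whose actual priority does not equal the configured priority minus the deltas marked as in effect is reported as a mismatch rather than explained away, since the captured output alone does not say why.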
Syntax
show vrrp failover-group [<failover_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter               Description
<failover_group_name>   Displays the configuration for the specified failover group. Default is to display the configuration for all failover groups.
Output
The output for this command has the following format:
Failover Group                    : odin
Failover Group ID                 : 1
Advertisement Interval (seconds)  : 1
Preemption (true/false)           : t
Enabled (true/false)              : t
Configured Priority               : 101
Actual Priority                   : 101
Virtual Router IDs                : 100, 101
Monitored Circuits                : dummy
Monitored Group Interfaces        : gig15_55
OSPF Cost Increment (Circuits)    :
VAP Groups (failover-group)       : fw
VAP Groups (failover-group-list)  : fw
State                             : Master
Time of Last State Change:        : Fri Sep 3 04:47:53 2010
Reason for Last State change:     : Timed out waiting for master
The following table describes the information provided in each column/row.
Column/Row Heading                 Information Provided
Failover Group                     Displays the failover group name.
Failover Group ID                  Displays the failover group ID.
Advertisement Interval (seconds)   Displays the number of seconds between VRRP advertisements.
Preemption (true/false)            Displays the preemption status.
Enabled (true/false)               Displays the configuration status (enabled or disabled) for the failover group.
Configured Priority                The configured priority is the VRRP priority that you set for the failover group. If the configured priority is not the same as the actual priority, a failure caused a priority-delta to decrement the priority.
Actual Priority                    The actual priority is the current VRRP priority value. If the actual priority is not the same as the configured priority, a failure caused a priority-delta to decrement the priority.
Virtual Router IDs                 Displays the virtual router ID.
Monitored Circuits                 Displays the circuits that VRRP monitors in the configured virtual routers.
Monitored Group Interfaces         Displays the group interfaces that VRRP monitors in the configured virtual routers.
OSPF Cost Increment (Circuits)     Displays the OSPF cost increment associated for the configured circuits.
VAP Groups (failover-group)        Displays the VAP groups associated with the failover group.
VAP Groups (failover-group-list)   Displays the VAP groups associated with the failover group list.
State                              The State is the state of the failover group, which can be one of the following:
                                   backup - Failover group is in backup mode.
                                   down - Failover group is not functioning.
                                   init - Failover group is initializing.
                                   master - Failover group is in master mode.
                                   unknown - System cannot determine the state of the failover group.
Time of Last State Change          The date and time of the most recent change in the State parameter.
Reason for Last State change       The reason for the most recent change in the State parameter. Possible reasons include:
                                   Initializing
                                   Priority is 255
                                   Priority is 0
                                   Priority higher than remote box <remote_box_id>
                                   Remote box <remote_box_id> has higher priority
                                   Timed out waiting for master
                                   Master <remote_box_id> has lower priority, but preemption is disabled
                                   Preempted by remote box <remote_box_id>
                                   Relinquished by user
                                   VRRP failover group is disabled
                                   No valid virtual routers configured
Restrictions
Default Privilege Level: 0
Syntax
show vrrp monitor-circuit [<failover_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter               Description
<failover_group_name>   Displays only the monitored circuits for the specified failover group.
Output
The output for this command has the following format:
Failover Group    : odin
Failover Group ID : 1
Circuit           : dummy
Interface (State) : gigabitethernet 1/2 (Up)
Priority Delta    : 1
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading        Information Provided
Failover Group            Displays the monitored circuit's failover group name.
Failover Group ID         Displays the monitored circuit's failover group ID number.
Circuit                   Displays the name of the monitored circuit.
Interface (State)         Displays the interface type, slot/port, and state of the physical interface to which the monitored circuit is assigned. If the monitored circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
                          Up - The interface is functioning normally.
                          Down - The interface is not functioning.
                          Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
                          Unknown - System cannot determine the state of the interface.
Group Interface (State)   Displays the name and state of the group interface to which the monitored circuit is assigned, along with these parameters:
                          Distributing Ports Threshold - The number of ports that must be in the active distributing state to prevent the subtraction of the priority-delta value from virtual router.
                          Distributing Ports Number - The number of ports that are currently in the active distributing state.
                          The group interface can be in one of the following states:
                          Up - The group interface is functioning normally.
                          Down - The group interface is not functioning.
                          Admin. Down - The administrator has used the CLI to manually disable the group interface.
                          Unknown - System cannot determine the state of the group interface.
Priority Delta            Displays the monitored circuit's configured priority-delta value. If the Interface (State) or Group Interface (State) is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command.
CBS# show vrrp monitor-circuit
Failover Group          : vrrp_vsx
Failover Group ID       : 200
Circuit                 : vsx_ckt_vsxb2_l2l3_3005
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 2/2 (Up), gigabitethernet 2/3 (Up)
Group Interface (State) : l2l3 (Up)
Priority Delta          : 25
(1 row)
Syntax
show vrrp monitor-interfaces [<failover_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter               Description
<failover_group_name>   Displays only the monitored interfaces for the specified failover group.
Output
The output for this command has the following format:
Failover Group    : vosem
Failover Group ID : 8
Interface         : gigabitethernet 2/2
Interface State   : Up
Priority Delta    : 2
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading   Information Provided
Failover Group       Failover group name.
Failover Group ID    Failover group ID number.
Interface            Interface being monitored.
Interface State      Current state of the monitored interface. Possible values are:
                     Up - Interface is functioning.
                     Down - Interface is not functioning.
                     Unknown - Interface may or may not be functioning.
                     Admin. Down - The administrator has used the CLI to manually disable the interface.
Priority Delta       Monitored interface's configured priority-delta value. If the Interface State is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command.
CBS# show vrrp monitor-interfaces
Failover Group    : vrrp_vsx
Failover Group ID : 200
Interface         : gigabitethernet 1/2
Interface State   : Up
Priority Delta    : 1
Failover Group    : vrrp_vsx
Failover Group ID : 200
Interface         : gigabitethernet 1/3
Interface State   : Up
Priority Delta    : 1
Failover Group    : vrrp_vsx
Failover Group ID : 200
Interface         : gigabitethernet 4/2
Interface State   : Up
Priority Delta    : 1
Failover Group    : vrrp_vsx
Failover Group ID : 200
Interface         : gigabitethernet 4/3
Interface State   : Up
Priority Delta    : 1
(4 rows)
Syntax
show vrrp monitor-group-interfaces [<failover_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter               Description
<failover_group_name>   Displays only the monitored group-interfaces for the specified failover group.
Output
The output for this command has the following format:
CBS# show vrrp monitor-group-interfaces
Failover Group              : tri
Failover Group ID           : 3
Group Interface (State)     : gig15_16 (Up)
Interface (State)           : gigabitethernet 1/5 (Up), gigabitethernet 1/6 (Up)
Priority Delta              : 5
Distributing Port Threshold : 2
Distributing Interfaces     : 2
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading            Information Provided
Failover Group                Failover group name.
Failover Group ID             Failover group ID number.
Group Interface (State)       Group interface being monitored with the current state of the group interface in parentheses.
Interface (State)             Current state of each of the interfaces that are included in the monitored-group-interface. Possible values are:
                              Up - Interface is functioning.
                              Down - Interface is not functioning.
                              Unknown - Interface may or may not be functioning.
                              Admin. Down - The administrator has used the CLI to manually disable the interface.
Priority Delta                VRRP reduces the VRRP priority of the failover-group by this value whenever the number of active distributing ports for the group interface falls below the configured Distributing Port Threshold value.
Distributing Port Threshold   The minimum number of ports in the active distributing state required for the group interface. When the number of active distributing ports is less than this value, VRRP decrements the failover group VRRP priority by the priority-delta value.
Distributing Interfaces       The number of interfaces that are currently in the active distributing state in the group interface. Whenever this number falls below the Distributing Port Threshold value, the Priority Delta value is subtracted from the failover group VRRP priority.
Syntax
show vrrp status [<failover_group_id>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter               Description
<failover_group_name>   Displays only the monitored circuits for the specified failover group.
Output
The output for this command has the following format:
Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      100/100   Backup  on       0              0
2      150/150   Backup  off      0              0
3      150/150   Backup  on       0              0
(3 rows)
The following table describes the information provided in each column/row.
Column/Row Heading   Information Provided
FG-ID                Failover group ID number.
Priority             Failover group priority (actual/configured).
Status               Failover group status. Possible values are:
                     master - Failover group is in master mode.
                     backup - Failover group is in backup mode.
                     down - Failover group is not functioning.
                     init - Failover group is initializing.
Preempt              Indicates whether preemption is enabled (on) or disabled (off) for each failover group.
Master Sys ID        System ID assigned to the master system.
Master Priority      Current priority of the failover group on the master system.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:
CBS# show vrrp status
Priority is Actual/Configured
Group ID  Priority   VR ID  Device Name  Status
1         101 / 101  100    gig21        Master
1         101 / 101  100    gig21        Master
1         101 / 101  101    gig22        Master
1         101 / 101  101    gig22        Master
2         0 / 100    200    gig21        Backup
2         0 / 100    200    gig21        Backup
2         0 / 100    201    gig22        Backup
2         0 / 100    201    gig22        Backup
(8 rows)
Syntax
show vrrp vap-group [<VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter          Description
<VAP_group_name>   Existing VAP group.
Output
The output for this command has the following format:
VAP Group             : L2
Enable (true/false)   : t
Hold Down Timer       : 120
Priority Delta        : 51
Active Slot Threshold : 2
Active VAPs           : 2
Failover Group List   : fg1 fg2
The following table describes the information provided in each column/row.
Column/Row Heading      Information Provided
VAP Group               Displays the name of the VAP group assigned to the virtual router.
Enable (true/false)     Displays the status of the VAP group in the virtual-router.
Hold Down Timer         Number of seconds to wait before becoming VRRP master.
Priority Delta          The value that the priority will be decremented if the VAP group does not meet the minimum criteria for the VRRP configuration.
Active Slot Threshold   The minimum number of slots required for the VAP group. When the number of active VAPs is less than this value, VRRP decrements the failover group's VRRP priority by the priority-delta value.
Active VAPs             The Active VAPs field shows the number of VAPs that are currently active in the VAP group. If this number is less than the Active Slot Threshold value, then the Priority Delta value has been subtracted from the failover group's VRRP priority.
Failover Group List     Displays the failover groups that are participating in the VRRP configuration.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command.
CBS# show vrrp vap-group
VAP Group             : cb1ids
Enable (true/false)   : t
Hold Down Timer       : 100
Priority Delta        : 2
Active Slot Threshold : 3
Active VAPs           : 4
Failover Group List   : failoverfw
Syntax
show vrrp verify-next-hop [<failover_group_name>] [vrrp-id <virtual_router_id>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                     Description
<failover_group_name>         Displays only the configuration for the specified failover group. If not specified, all virtual routers are displayed.
vrrp-id <virtual_router_id>   Existing virtual router Identifier. Values are 1-4096.
Output
The output for this command has the following format:
Failover Group     : 3
VRRP ID            : 6
Circuit Name       : c12Bottom
VAP Group          : fwv5
Verify Next Hop IP : 192.168.1.156
Priority Delta     : 77
State              : Reachable
The following table describes the information provided in each column/row.
Column/Row Heading   Information Provided
Failover Group       Displays the virtual router's failover group name.
VRRP ID              Displays the virtual router ID number.
Circuit Name         Displays the name of the circuit mapped to the virtual router.
VAP Group            Displays the name of the VAP group assigned to the virtual router.
Verify Next Hop IP   Displays the specified IP address for the next hop check.
Priority Delta       If the next hop IP address is unreachable, the failover group's priority will be decremented by the Priority Delta.
State                The State can be Reachable, Unreachable, or Unknown. If the State is Unreachable or Unknown, the Priority Delta value has been subtracted from the failover group's VRRP priority.
Restrictions
Default Privilege Level: 15
Example
The following is an example.
CBS# show vrrp verify-next-hop
Failover Group     : failoverfw
VRRP ID            : 62
Circuit Name       : vlan602
VAP Group          : cb1fw
Verify Next Hop IP : 192.168.19.71
Priority Delta     : 2
State              : Reachable
Syntax
show vrrp virtual-router [<failover_group_name>] [vrrp-id <virtual_router_ID>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                     Description
<failover_group_name>         Displays the VRRP configurations only for the virtual routers that belong to the specified failover group.
vrrp-id <virtual_router_ID>   Displays the VRRP configuration only for the specified virtual router.
Output
The output for this command has the following format:
Failover Group               : fg2
Failover Group ID            : 2
VRRP State                   : Backup
Virtual Router ID            : 4
Circuit Name                 : WanOut
Priority Delta               : 10
Backup Stay Up (true/false)  : t
MAC Usage                    : vrrp-mac
VAP Group                    : fwv5
Interface (State)            : 10gigabitethernet 1/10 (Up)
Group Interface (State)      : group1 (Up)
The following table describes the information provided in each column/row.
Column/Row Heading - Information Provided
Failover Group - Displays the virtual router's failover group name.
Failover Group ID - Displays the virtual router's failover group ID number.
VRRP State - Current state of the failover group:
  backup - Failover group is in backup mode.
  down - Failover group is not functioning.
  init - Failover group is initializing.
  master - Failover group is in master mode.
  unknown - System cannot determine the state of the failover group.
Virtual Router ID - Displays the virtual router ID number.
Circuit Name - Displays the name of the circuit mapped to the virtual router.
Priority Delta - Displays the virtual router's configured priority-delta value. If the Interface (State) or Group Interface (State) is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.
Backup Stay Up (true/false) - Indicates whether the backup-stay-up parameter is enabled (t) or disabled (f) for the virtual router.
MAC Usage - Displays the mac-usage parameter setting for the virtual router.
VAP Group - Displays the name of the VAP group assigned to the virtual router.
Interface (State) - Displays the interface type, slot/port, and state of the physical interface to which the virtual router's circuit is assigned. If the virtual router's circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
  Up - The interface is functioning normally.
  Down - The interface is not functioning.
  Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
  Unknown - System cannot determine the state of the interface.
Group Interface (State) - Displays the name and state of the group interface to which the monitored circuit is assigned. The group interface can be in one of the following states:
  Up - The group interface is functioning normally.
  Down - The group interface is not functioning.
  Admin. Down - The administrator has used the CLI to manually disable the group interface.
  Unknown - System cannot determine the state of the group interface.
Restrictions
Default Privilege Level: 15
Example
The following is an example.
CBS# show vrrp virtual-router vrrp-id 1014
Failover Group               : vrrp_vsx
Failover Group ID            : 200
VRRP State                   : Backup
Virtual Router ID            : 1014
Circuit Name                 : vsx_ckt_vsxb2_l2l3_3333
Priority Delta               : 1
Backup Stay Up (true/false)  : t
MAC Usage                    : vrrp-mac
VAP Group                    : vsxb2
Interface (State)            : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 2/2 (Up), gigabitethernet 2/3 (Up)
Group Interface (State)      : l2l3 (Up)
(1 row)
Syntax
show module admin-state
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
admin-state - Displays administrative status (enabled, disabled, or maintenance) for each module.
Restrictions
Default Privilege Level: 0
Example
The following is an example using show module admin-state to see the status for all modules in an X80.
CBS# show module admin-state
Slot Number  Administrative Status
1            Enable
2            Enable
3            Enable
4            Disable
5            Enable
6            Enable
7            Enable
8            Enable
9            Enable
10           Enable
11           Enable
12           Enable
13           Enable
14           Enable
(14 rows)
Syntax
show module status [np1|np2|np3|np4|cp1|cp2|ap1|ap2|ap3|ap4|ap5|ap6|ap7|ap8|ap9|ap10] [voltage|temperature|type|revision|serial|link|memory|leds|disk|duart|reachability|acceleration-card|eth-daughter-card]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
np1 - np4 - Displays specific NPMs in the X-Series Platform.
cp1 or cp2 - Displays specific CPMs in the X-Series Platform.
ap1 - ap10 - Displays specific APMs in the X-Series Platform.
voltage - Displays the voltage measured on each module in volts.
temperature - Displays the temperatures measured on each module in degrees Celsius.
type - Displays the module type.
revision - Displays the module hardware revision.
serial - Displays the module serial number.
link - Displays the status of links attached to the module specified (UP/DOWN).
memory - Displays the status of memory devices on the specified module in KB.
leds - Displays whether the LEDs on the modules are ON or OFF.
disk - Displays slot, number, size, errors, and RAID status information about disk drives installed on the CPMs and APMs. NOTE: Use this parameter to check for dual drives before configuring RAID.
duart - Displays the status of the DUAL UART (serial ports) if connected to the specified module (UP/DOWN).
reachability - Displays the modules reachable from the specified slot through the control and data plane.
acceleration-card - Displays the presence of an Accelerated Crypto Engine (ACE) card, used for VPN acceleration, on an APM.
eth-daughter-card - Displays the presence of an Ethernet daughter card on an APM.
Output
The output for this command has the following format:
NA = Not Available, DP = Data Plane, CP = Control Plane
cp = Control Processor, ap = Application Processor, np = Network Processor
Slot 1:
Board Type                    NP8620
Board Part Number             005331
Board Serial Number           G834L008
Board Revision                2
Control FPGA Revision         0x3
Focus FPGA Revision           0xDB1C
Board OCODE                   A000
Dual-CPU Capacity             Not Available
CPU Presence                  Present
CPU2 Presence                 Not Present
CPU Voltage                   1.10(V)
3.3v Supply                   3.32(V)
2.5v Supply                   2.50(V)
1.8v Supply                   1.79(V)
1.8v NP6 Octeon DDR           1.79(V)
1.2v NP6 EZChip Core          1.18(V)
1.8v NP6 EZChip DDR           1.79(V)
1.5v NP6 EZChip XGMII/RGMII   1.47(V)
1.2v NP6 XBPRC                1.19(V)
Ethernet Switch Voltage       1.24(V)
CPU Temperature               42(C)
Intake Air Temperature        28(C)
FPGA Temperature              43(C)
Exhaust Air Temperature       32(C)
SDRAM 1 Size                  1048576(KB)
SDRAM 2 Size                  0(KB)
SDRAM 3 Size                  1048576(KB)
SDRAM 4 Size                  0(KB)
Total Memory                  2097152(KB)
Used Memory                   1772372(KB)
Free Memory                   324780(KB)
Active LED                    On
Standby LED                   Off
Failure LED                   Off
Control Bus A                 Up
Control Bus B                 Up
np1/np1 Link                  Up
np1/np2 Link                  Up
np1/ap1 Link                  Down
np1/ap2 Link                  Down
np1/ap3 Link                  Down
np1/ap4 Link                  Down
np1/ap5 Link                  Down
np1/ap6 Link                  Down
np1/ap7 Link                  Down
np1/ap8 Link                  Down
np1/ap9 Link                  Down
np1/ap10 Link                 Down
np1/cp2 Link                  Up
gigabitethernet 1/1           Down
gigabitethernet 1/2           Down
gigabitethernet 1/3           Down
gigabitethernet 1/4           Down
gigabitethernet 1/5           Down
gigabitethernet 1/6           Down
gigabitethernet 1/7           Down
gigabitethernet 1/8           Down
gigabitethernet 1/9           Down
gigabitethernet 1/10          Down
Restrictions
Default Privilege Level: 0
Example
The following command displays the voltage levels for np1 in an X-Series Platform:
CBS# show module status np1 voltage
NA = Not Available, DP = Data Plane, CP = Control Plane
cp = Control Processor, ap = Application Processor, np = Network Processor
Slot 1:
CPU Voltage        1.10(V)
3.3v Supply        3.32(V)
2.5v Supply        2.50(V)
1.8v Supply        1.79(V)
1.8v NP6 Octeon    1.79(V)
1.2v NP6 EZChip    1.18(V)
1.8v NP6 EZChip    1.78(V)
1.5v NP6 EZChip    1.47(V)
1.2v NP6 XBPRC     1.19(V)
Ethernet Switch    1.25(V)
show reload
This command displays scheduled reload information.
Syntax
show reload
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
show auto-promote
This command displays the auto promote state.
Syntax
show auto-promote
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show auto-promote
auto-promote enabled
show alias
This command displays all configured alias commands.
Syntax
show alias
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show alias
wr copy running-config startup-config
Syntax
show terminal history
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Chapter 13: Using swatch Scripts for System Monitoring
The XOS Swatch Dynamic Display Tool (Swatch) is a Linux tool designed to display dynamically-changing data on a terminal screen in a customized display format. The Swatch tool runs from the UNIX prompt and the XOS CLI.
This chapter contains the following sections:
  Introducing swatch Scripts
  Using swatch Scripts
Syntax
swatch
Context
You access this command from the main CLI context.
From the swatch menu, you can access the following swatch scripts:
  APM Switched Data Path Statistics (apmdevstats.swc)
  APM Interface Statistics (apmdevstats_slot.swc)
  APM Firewall Statistics (apmfwstats.swc)
  APM Firewall Statistics by Slot (apmfwstats_slot.swc)
  APM IP, ICMP, TCP, and UDP Statistics (apmsnmpstats.swc)
  Crossbeam Daemon Status Script (cbsinitdstats.swc)
  NPM Fabric Packet Statistics (fabricstats.swc)
  NPM Flow Calculation Statistics (flowcalcstats.swc)
  Flow Assignment and Scheduling Statistics (flowsched.swc)
  Group Interface Statistics (groupintstats.swc)
  CPU Activity for the APM and CPM (health_cpubsy.swc)
  CPU Load, Utilization, and Memory Information (health_cpumem.swc)
  CPU and Board Temperature (health_temp.swc)
  Module Uptime Statistics (moduleuptime.swc)
  Local Network Interface Statistics (netifstats.swc)
  NPM Interface Statistics (npmdevstats.swc)
  NPM VDF Status (npmfragstats.swc)
Restrictions
Default Privilege Level: 15
Example
Here is an example of the swatch menu:
CBS# swatch
1. apmdevstats.swc
2. apmdevstats_slot.swc
3. apmfwstats.swc
4. apmfwstats_slot.swc
5. apmsnmpstats.swc
6. cbsinitdstats.swc
7. fabricstats.swc
8. flowcalcstats.swc
9. flowsched.swc
10. groupintstats.swc
11. health_cpubsy.swc
12. health_cpumem.swc
13. health_temp.swc
14. moduleuptime.swc
15. netifstats.swc
16. npmdevstats.swc
17. npmfragstats.swc
X. Exit
<1 - 17> [X]:
4: NPM Fabric Byte Count Statistics
5: NPM Fabric Byte Rates Statistics
6: NPM Fabric Byte Rates Peaks
Interface    Stat
-----------  ----
GigaEth1/1   up
GigaEth1/2   up
GigaEth1/3   down
GigaEth1/4   down
GigaEth1/5   down
GigaEth1/6   down
GigaEth1/7   down
GigaEth1/8   up
GigaEth1/9   down
GigaEth1/10  down
10GEth1/11   down
10GEth1/12   down
GigaEth2/1   down
GigaEth2/2   down
GigaEth2/3   down
GigaEth2/4   down
GigaEth2/5   down
GigaEth2/6   down
GigaEth2/7   down
GigaEth2/8   down
GigaEth2/9   down
GigaEth2/10  down
Chapter 14: Commands for Troubleshooting
This chapter contains commands that display troubleshooting information for data collection and diagnostics.
  Commands for Troubleshooting XOS Configuration Settings
  Commands for Troubleshooting X-Series Platform Hardware and Software
  Commands for Troubleshooting X-Series Platform Network Connectivity
  Commands for Troubleshooting VAPs, VAP Groups, and Applications
  Commands for Troubleshooting Multi-System High-Availability Issues
  Commands for Providing Troubleshooting Information to Crossbeam Customer Support
  Commands for Crossbeam Customer Support Use
audit-trail
This command sends a text message to the audit-trail log file. If the message contains spaces, you must enclose the string in quotes (" ").
Syntax
audit-trail <text-message>
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
This example sends the text "this is a test" to the audit-trail log.
CBS# audit-trail "this is a test"
show audit-trail
This command displays the entries in the audit-trail log file that match the specified filter criteria. If no filter criteria are specified, the command displays all entries in the audit-trail log file.
The audit-trail process records an entry in the audit-trail log file each time a user issues a CLI command that affects the system configuration and each time the CLI starts one of the following processes:
  routing-protocol
  routing-protocol-service
  application
  application-remove
  application-update
  archive-vap-group
NOTE: The audit-trail process does not record entries for CLI show commands.
Audit-trail log file entries also include detailed information about the CLI warning and error messages (if any) that result from each CLI command entry.
Syntax
show audit-trail [<username>] [type {cli | web | both}] [chronological-order] [date [<month>] [<date>] [<year>] [<hh:mm:ss>]]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
<username> - Specifies the username to match.
type {cli | web | both} - Specifies commands issued by either CLI users, or Web interface users, or both.
  cli - Displays only commands issued by CLI users.
  web - Displays only commands issued by Web interface users.
  both - Displays commands issued by users of both interfaces.
chronological-order - Displays the log with the most recent entries first. Default displays the oldest entries first.
date - The date parameter takes the following arguments:
  <jan-dec> - Three letter month name (lower-case). Default is jan.
  <1-31> - Date of month. Default is 1.
  <2000-3000> - Four digit year. Default is 2000.
  <hh:mm:ss> - Time in hh:mm:ss 24-hour format. Default is 00:00:00.
  This parameter filters the output to display commands issued since the date specified. If an argument is omitted, the default is used. For best results, specify a month, date, and year.
Restrictions
Default Privilege Level: 0
Example
The following audit-trail output shows audit trail entries at the start and completion of the application command run.
For the command:
CBS# application fw1 vap-group ipf install
Entries in the audit trail:
Apr 5 18:10:16 omaha cli: USER: admin, COMMAND: CBS# application > application fw1 vap-group ipf install #STARTED
Apr 5 18:12:25 omaha cli: USER: admin, COMMAND: CBS# application > application fw1 vap-group ipf install
If a command fails, the audit trail provides an error message and details about the error. In the following example, the configure circuit vap-group ip alias command failed. In addition to the Invalid value output, the console and audit trail outputs provide the following detail information:
Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip.
CLI console:
CBS# configure circuit cct
CBS(conf-cct)# vap-group jack
CBS(conf-cct-vapgroup)# ip 5.5.5.5/24
CBS(conf-cct-vapgroup-ip)# alias 5.5.5.5/24
%CONF-ERR: Invalid value
Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip
CBS(conf-cct-vapgroup-ip)#
CBS# show audit-trail
/var/log/audit-trail
Aug 29 18:22:14 earth cli: USER: admin, COMMAND: CBS# configure circuit > configure circuit cct
Aug 29 18:22:17 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group > vap-group jack
Aug 29 18:22:23 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip > ip 5.5.5.5/24
Aug 29 18:22:56 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip alias > alias 5.5.5.5/24 #Failure: CONF-ERR: Invalid value, Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip
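The entry layout shown in the examples above can be parsed for review or alerting. The following Python sketch is an added example, not part of the XOS documentation or tooling: it splits each entry into timestamp, host, user, CLI context, and entered command, and pulls the error and detail out of #Failure entries. The function names, the last two sample lines, and the assumption that the first " #Word" in the entered text begins the status marker are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entries 1-6 follow the audit-trail examples on this page. Entries 7-8 are
# constructed for this example: a second user, and a line that is not an
# audit-trail entry at all.
SAMPLE_LOG = """\
Aug 29 18:22:14 earth cli: USER: admin, COMMAND: CBS# configure circuit > configure circuit cct
Aug 29 18:22:17 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group > vap-group jack
Aug 29 18:22:23 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip > ip 5.5.5.5/24
Aug 29 18:22:56 earth cli: USER: admin, COMMAND: CBS# configure circuit vap-group ip alias > alias 5.5.5.5/24 #Failure: CONF-ERR: Invalid value, Detail: Conflict found with existing circuit cct, vap-group jack, primary-ip
Apr 5 18:10:16 omaha cli: USER: admin, COMMAND: CBS# application > application fw1 vap-group ipf install #STARTED
Apr 5 18:12:25 omaha cli: USER: admin, COMMAND: CBS# application > application fw1 vap-group ipf install
Aug 29 18:40:02 earth cli: USER: operator1, COMMAND: CBS# clear alarms > clear alarms id 95
Aug 29 18:41:10 earth kernel: eth0 link up
"""

# <timestamp> <host> <source>: USER: <user>, COMMAND: <prompt> <context> > <entered>
# The timestamp carries no year, so it is kept as text rather than converted.
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<source>\w+):\s+"
    r"USER:\s*(?P<user>[^,]+),\s*COMMAND:\s*(?P<prompt>\S+)\s+"
    r"(?P<context>.*?)\s+>\s+(?P<entered>.*)$"
)
# Trailing status marker such as "#STARTED" or "#Failure: ...".
# Assumption: the first " #Word" in the entered text starts the marker.
MARKER_RE = re.compile(r"\s#(?P<marker>[A-Za-z]+):?\s*(?P<rest>.*)$")


@dataclass
class AuditEntry:
    timestamp: str
    host: str
    source: str
    user: str
    context: str
    command: str
    marker: Optional[str] = None
    error: Optional[str] = None
    detail: Optional[str] = None


def parse_line(line: str) -> Optional[AuditEntry]:
    """Parse one audit-trail line; return None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    entered = m.group("entered")
    marker = error = detail = None
    tag = MARKER_RE.search(entered)
    if tag:
        marker = tag.group("marker")
        rest = tag.group("rest").strip()
        entered = entered[:tag.start()]
        if marker.lower() == "failure":
            # "#Failure: <error>, Detail: <detail>"
            error, _, detail = rest.partition(", Detail: ")
            error, detail = error or None, detail or None
    return AuditEntry(m.group("ts"), m.group("host"), m.group("source"),
                      m.group("user").strip(), m.group("context"),
                      entered.strip(), marker, error, detail)


def parse_log(text: str) -> Tuple[List[AuditEntry], List[str]]:
    """Return (parsed entries, lines that did not match the entry layout)."""
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            rejected.append(line)
        else:
            entries.append(entry)
    return entries, rejected


def failed_commands(entries: List[AuditEntry]) -> List[AuditEntry]:
    """Entries whose status marker is #Failure."""
    return [e for e in entries if e.marker and e.marker.lower() == "failure"]


def failures_by_user(entries: List[AuditEntry]) -> Counter:
    """Count failed configuration commands per user."""
    return Counter(e.user for e in failed_commands(entries))


if __name__ == "__main__":
    parsed, unparsed = parse_log(SAMPLE_LOG)
    for e in failed_commands(parsed):
        print(f"{e.timestamp} {e.host} {e.user}: [{e.context}] {e.command}")
        print(f"  error={e.error!r} detail={e.detail!r}")
    print("failures by user:", dict(failures_by_user(parsed)))
    print("unparsed lines:", unparsed)
```

Lines that do not match the layout are returned separately rather than dropped, so a format change or an unexpected line in the collected log shows up in review.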
show history
This command displays the past several commands in the configurable history buffer that you entered during this session. The default history buffer includes 70 commands.
Syntax
show history
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
validate-configuration
This command validates the completeness of the CLI configuration and displays any incomplete configuration.
Syntax
validate-configuration
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 15
Example
For example:
CBS# validate-configuration
#Start Configuration Validation
#
# No access-list configured
# No management interface configured
# No vap-group configured
# No circuit configured
# No interface configured
#
#End Configuration Validation
show alarms
Use this command to display currently active alarms or an alarm history that includes both active and past alarms. Use the active parameter to display currently active alarms. Use the history parameter to display all alarms.
If you use the active parameter, this command displays an active alarm status summary. If you specify one or more of the minor, major, or critical filters, this command displays the active alarm status summary, followed by a list of the conditions that triggered active alarms of each specified severity.
If you use the history parameter, this command displays a list of the conditions that triggered both active and past alarms, with the most recent alarms appearing first. The alarm history includes up to 1000 alarms.
The show alarms command supports a number of additional parameters to filter the output, and a verbose parameter to display additional detail, including suggested repair actions.
NOTE: Some alarms can be configured by setting threshold values to determine when it is a minor, major, or critical alarm. Other alarms use a non-configurable system value to determine whether or not the chassis is operating normally. For information on configuring alarm values, see Commands for Configuring System Alarms and Logs on page 124.
You can also use the model parameter to display the XOS alarms model. The alarms model provides detailed information about every alarm that can be raised on an X-Series platform.
Syntax
show alarms {active | history | model}
The following parameters are used to filter the output of the active and history parameters:
show alarms active [critical] [major] [minor] [source <module_or_component>] [verbose] [id {<id#> | <lowest_id#> <highest_id#>} | date mmm dd yyyy [hh:mm:ss]]
show alarms history [critical] [major] [minor] [info] [clear] [source <module_or_component>] [verbose] [id {<id#> | <lowest_id#> <highest_id#>} | date mmm dd yyyy [hh:mm:ss]]
The following parameter displays the alarms model:
show alarms model
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter - Description
active - Displays a summary table of the active alarms. When used without other parameters, the active parameter displays only the summary table.
history - Displays a list of the active and past alarms. The alarm history includes the most recent 1000 alarms.
model - Displays the alarm model, which provides information about all alarms supported by XOS.
critical - Optional. Filters the output of the show alarms active or show alarms history command to display the items that caused critical alarms.
major - Optional. Filters the output of the show alarms active or show alarms history command to display the items that caused major alarms.
minor - Optional. Filters the output of the show alarms active or show alarms history command to display the items that caused minor alarms.
info - Optional. Filters the output of the show alarms history command to display the informational alarms.
clear - Optional. Filters the output of the show alarms history command to display the Clear alarms. A severity of Clear indicates that the alarm has been cleared. Alarms are automatically cleared by the system if the condition that generated the alarm no longer exists, or if the alarm has been superseded by a later alarm. Some alarms can be cleared by an administrator, using the clear alarms command.
source <module_or_component> - Optional. Filters the output of the show alarms active or show alarms history command to display the alarms that originated from the specified module or component. Valid module and component names are:
  apN - an APM, where N is any number from 1 to 10
  cpN - a CPM, where N is 1 or 2
  npN - an NPM, where N is any number from 1 to 4
  uprfan - upper fan tray
  lwrfan - lower fan tray
  feedA, feedB - power feeds
  pwrN - a power supply, where N is any number from 1 to 4
  pwrA, pwrB - a power supply
  bayN - a power supply bay, where N is any number from 1 to 4
verbose - Optional. Changes the format in which the CLI displays the output to display all available information for the specified alarm or alarms.
id {<id#> | <lowest_id#> <highest_id#>} - Optional. Filters the output of the show alarms active or show alarms history command to display the items specified by the ID matching criteria. Specify a single ID to display a single alarm. Specify a beginning ID (lowest number) and an ending ID (highest number) to display alarms within the range of IDs.
  NOTE: Do not use the id parameter in a command that also includes the date parameter. If the date parameter is used, it overrides the id parameter.
date mmm dd yyyy [hh:mm:ss] - Optional. Filters the output of the show alarms active or show alarms history command to display the alarms that occurred since the specified date. To further filter the output, you can specify a time. Specify the date in the format mmm dd yyyy. For example, entering nov 30 2010 retrieves alarms that occurred on or after that date.
  NOTE: The mmm part of the date parameter must be entered in lower-case.
  Optionally, specify a time in the format hh:mm:ss. For example, entering aug 31 2010 10:48:00 retrieves alarms that occurred on or after 10:48:00 AM of that date.
  NOTE: The date parameter must be the last parameter used in the show alarms command. Do not use the id parameter in a command that also includes the date parameter. The date parameter overrides the id parameter.
Restrictions
Default Privilege Level: 0
Output
The output of the show alarms active command has the following format when used without additional parameters:
CBS# show alarms active
Active Alarms Summary:
Source  Critical  Major  Minor
------  --------  -----  -----
cp1     0         0      1
uprfan  0         1      0
lwrfan  0         1      0
Total   0         2      1
You can filter the output of the show alarms active command by using one or more additional parameters. The following example displays active alarms that have severities of critical, major, or minor:
CBS# show alarms active critical major minor
Active Alarms Summary:
Source  Critical  Major  Minor
------  --------  -----  -----
cp2     1         3      0
np1     0         0      2
uprfan  0         1      0
Total   1         4      2
* indicates an alarm that can be cleared with the 'clear alarms' CLI command
Critical:
ID   Date             Source  Description
--   ----             ------  -----------
43   Nov 4 07:01:03   cp2     APM Memory mismatch slot: 3
Major:
ID   Date             Source  Description
--   ----             ------  -----------
96   Nov 11           cp2     Failover group xyz priority 49
*95  Nov 11           cp2     Failover group xyz status master
94   Nov 11           cp2     No remote box configured
69   Nov 10           uprfan  Fan tray mismatch
Minor:
ID   Date             Source  Description
--   ----             ------  -----------
83   Nov 11 09:28:00  np1     Link down 1/5
82   Nov 11 09:27:50  np1     Link down 1/4
CBS#
The output of the show alarms history command has the following format when used without additional parameters:
CBS# show alarms history
ID   Date   Severity  Source  Description
--   ----   --------  ------  -----------
425  Oct 7  Minor     bay1    Power supply missing
424  Oct 7  Clear     pwrA    Power supply failure
423  Oct 7  Minor     cp1     Firmware mismatch slot: 1,5,13
422  Oct 7  Info      system  New system alarm level (major)
421  Oct 7  Major     lwrfan  Fan tray mismatch
420  Oct 7  Minor     np1     Flow table median threshold(tcp)
You can filter the output of the show alarms history command by using one or more additional parameters. The following example displays all alarms that have severities of critical, major, or minor, and occurred on cp1:
CBS# show alarms history critical major minor source cp1
ID  Date    Severity  Source  Description
--  ----    --------  ------  -----------
11  Jun 22  Major     cp1     CPU core utilization
9   Jun 22  Critical  cp1     Memory misconfiguration
8   Jun 22  Minor     cp1     Hard disk error Disk 1
7   Jun 22  Critical  cp1     Disk utilization (98%) /boot
4   Jun 22  Minor     cp1     Firmware mismatch slot: 1,5
The following table describes the information provided in each column or row.
Column/Row Heading - Information Provided
ID - The unique ID number of the alarm.
Date - The date and time at which the alarm occurred.
Severity - The severity status of the alarm. Values are:
  Critical - Represents an imminent impact to system stability or performance. Attend to critical alarms immediately.
  Major - Represents a potentially serious impact to system stability or performance. Investigate major alarms immediately.
  Minor - Represents a minor impact to system stability or performance. Although less serious, conditions causing minor alarms should be corrected or monitored.
  Info - (History) Presents information about a change in the system, for example, a state change in a module. No action is required.
  Clear - (History) Indicates that the alarm has been cleared. Alarms are automatically cleared by the system if the condition that generated the alarm no longer exists, or if the alarm has been superseded by a later alarm. Some alarms can be cleared by an administrator, using the clear alarms command.
Source - The source of the alarm. Possible alarm sources are:
  apN - an APM, where N is any number from 1 to 10
  cpN - a CPM, where N is 1 or 2
  npN - an NPM, where N is any number from 1 to 4
  uprfan - upper fan tray
  lwrfan - lower fan tray
  feedA, feedB - power feeds
  pwrN - a power supply, where N is any number from 1 to 4
  pwrA, pwrB - a power supply
  bayN - a power supply bay, where N is any number from 1 to 4
Description - A brief description of the alarm. Use the verbose parameter to see a more detailed description and suggested repair actions.
Verbose output
The output of the show alarms command with the verbose parameter has the following format:
CBS# show alarms history id 150 verbose
================================================================================
Alarm Id             : 150
Brief Description    : Disk utilization (91%) /tftpboot
Date                 : Tue Oct 5 13:09:03 2010
Severity             : Major
Alarm Name           : diskUtilizationTftpBootExceeded
Alarm Source         : cp1
Slot                 : slot 13
Module               : cp1
Disk                 : disk 1
Partition            : partition /tftpboot
Parameters           :
Percent              : 91%
Information          :
Probable Cause       : Storage Capacity Problem
Event Type           : Equipment Alarm
User Clearable       : false
Extended Description : Disk utilization on the /tftpboot partition is
                     : above the configured limit.
Repair Action        : From the Unix prompt, change directory to the
                     : partition, and run the "du" (disk usage) command.
                     : Look for large files that can be safely removed,
                     : for example, obsolete VAP images or obsolete files
                     : in the user home directories. Contact customer
                     : support if you need help identifying unused files.
--------------------------------------------------------------------------------
================================================================================
The following table describes the information provided in each column or row.
Column/Row Heading - Information Provided
Alarm Id - The unique ID number of the alarm.
Brief Description - A summary description of the alarm.
Date - The date and time at which the alarm occurred.
Severity - The severity status of the alarm. Values are:
  Critical - Represents an imminent impact to system stability or performance. Attend to critical alarms immediately.
  Major - Represents a potentially serious impact to system stability or performance. Investigate major alarms immediately.
  Minor - Represents a potential impact to system stability or performance. Although less serious, conditions causing minor alarms should be corrected or monitored.
  Info - (History) Presents information about the system, for example, a state change in a module. No action required.
  Clear - (History) Indicates that the alarm has been cleared. Alarms are automatically cleared by the system if the condition that generated the alarm no longer exists, or if the alarm has been superseded by a later alarm. Some alarms can be cleared by an administrator, using the clear alarms command.
Correlation Id - Refers to an alarm that was cleared or replaced by the current alarm. Indicates the ID of the original alarm. (Appears in alarms with a severity of Clear.)
Clearing Agent - Clearing Agent displays one of the following values for a Clear alarm:
  System - indicates the alarm was cleared automatically by the system. If the alarm was cleared by a subsequent alarm, XOS displays the alarm ID.
  Login name - indicates the administrator who cleared the alarm.
Alarm Name - The name of the alarm in the XOS alarms model.
Alarm Source - One or more items that indicate the source of the alarm. Alarm Source describes the physical and logical hierarchy of the module or component that generated the alarm.
Parameters - One or more values that provide information about the alarm, for example a temperature, percentage, or threshold value.
Information - Additional information about the alarm:
  Probable Cause - Description of the probable cause of the alarm; for example, Storage Capacity Problem or Temperature Unacceptable (ITU-T compliant)
  Event Type - The type of alarm; for example Equipment Alarm or Environmental Alarm (ITU-T compliant)
  User Clearable - Indicates whether an administrator can clear the alarm by using the clear alarms command.
  Extended Description - A detailed description of the condition that caused the alarm
  Repair Action - Suggestions for verifying and correcting the condition that caused the alarm
Model Output
The output of the show alarms model command has the following format:
CBS# show alarms model
Alarm Name           : applicationDown
Managed Objects      : Slot
                     : Module
Parameters           : APP CPM Host Name
                     : APP CPM IP Address
                     : APP Name
                     : APP New State
                     : APP Old State
                     : APP Release
                     : APP VAP Group Name
                     : APP VAP Index
                     : APP Version
Information          :
Default Severity     : minor
Probable Cause       : Out Of Service
Event Type           : Processing Error Alarm
User Clearable       : false
Brief Format         : Application down
Extended Description : The application running on the specified
                     : APM is down.
Repair Action        : Verify the state of the application on the
                     : APM (use GEM System view). Restart the
                     : application if necessary.
Targets              : GEM
                     : LOG
                     : SNMP
The following table describes the information provided in each column or row.
Column/Row Heading - Information Provided
Alarm Name - The name of the alarm in the XOS alarms model.
Managed Objects - The hierarchy of modules or components that indicate the source of the alarm.
Parameters - One or more values that provide information about the alarm, for example a temperature, percentage, or threshold value.
Information - Additional information about the alarm:
  Default Severity - The severity status of the alarm. Values are:
    Critical - Represents an imminent impact to system stability or performance. Attend to critical alarms immediately.
    Major - Represents a potentially serious impact to system stability or performance. Investigate major alarms immediately.
    Minor - Represents a potential impact to system stability or performance. Although less serious, conditions causing minor alarms should be corrected or monitored.
    Info - (History) Presents information about the system, for example, a state change in a module. No action required.
    Clear - (History) Indicates that the alarm has been cleared. Alarms are automatically cleared by the system if the condition that generated the alarm no longer exists, or if the alarm has been superseded by a later alarm. Some alarms can be cleared by an administrator, using the clear alarms command.
  Probable Cause - An ITU-T compliant description of the probable cause of the alarm; for example, Storage Capacity Problem or Temperature Unacceptable.
  Event Type - The type of alarm; for example Equipment Alarm or Environmental Alarm (ITU-T compliant).
  User Clearable - Indicates whether an administrator can clear the alarm by using the clear alarms command.
  Brief Format - A brief description of the alarm that may include the parameters used to display values that triggered the alarm.
  Extended Description - A detailed description of the condition that caused the alarm.
  Repair Action - Suggestions for verifying and correcting the condition that caused the alarm.
Targets - The interfaces to which the alarm data is sent. Alarms are sent to the XOS GEM user interface, to the XOS syslog files, and as SNMP traps.
clear alarms
This command clears user-clearable alarms from the active alarms table. You must be an administrator (privilege level 15) to use this command.

Active alarms that can be cleared by using the clear alarms command are indicated by an asterisk in the ID column of the output of the show alarms active command when used with one or more parameters.

NOTE: You must use at least one parameter with the show alarms active command to see this output. Otherwise the show alarms active command displays only the summary table.

In this example, alarm with ID 95 is user-clearable.

ID   Date    Source  Description
--   ----    ------  -----------
96   Nov 11  cp2     Failover group xyz priority 49
*95  Nov 11  cp2     Failover group xyz status master
94   Nov 11  cp2     No remote box configured
69   Nov 10  uprfan  Fan tray mismatch
Cleared alarms remain in the alarms history, and can be viewed by executing the show alarms history CLI command. NOTE: The system also clears alarms automatically, either because the condition that generated the alarm no longer exists, or because the alarm has been superseded by a later alarm.
Syntax
clear alarms {id {<id#> | <lowest_id#> <highest_id#>} | all}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter                                      Description
id {<id#> | <lowest_id#> <highest_id#>}        Clears the items specified by the ID matching criteria. Specify a single ID to clear a single alarm. Specify a beginning ID (lowest number) and an ending ID (highest number) to clear alarms within the range of IDs.
all                                            Clears all user-clearable alarms.
Restrictions
Default Privilege Level: 15
Example
The following command clears the user-clearable alarm with ID 95.
CBS# clear alarms id 95
CBS#

A new alarm (ID 97) appears in the alarms history with a severity of Clear. The cleared alarm (ID 95) remains in the alarm history.

CBS# show alarms history
ID  Date             Severity  Source  Description
--  ----             --------  ------  -----------
97  Nov 12 18:38:48  Clear     cp2     Failover group xyz status master
96  Nov 11 16:02:43  Major     cp2     Failover group xyz priority 49
95  Nov 11 15:34:16  Major     cp2     Failover group xyz status master
In the new alarm, the Correlation ID references the original alarm (ID 95), and the Clearing Agent is admin, the user who cleared the original alarm.

CBS# show alarms history id 97 verbose
================================================================================
Alarm Id               : 97
Brief Description      : Failover group xyz status master
Date                   : Fri Nov 12 18:38:48 2010
Severity               : Clear
Correlation ID         : 95
Clearing Agent         : admin
Alarm Name             : vrrpFailGroupStatusChange
Alarm Source           : cp2
  Slot                 : slot 7
  Module               : cp2
  VRRP Failover Group  : Vrrp Failover Group 44
Parameters             :
  Group Name           : xyz
  Group Old Status     : down
  Group New Status     : master
  Group Change Reason  : Timed out waiting for master
Information            :
  Probable Cause       : Failover Occurred
  Event Type           : Environmental Alarm
  User Clearable       : true
  Extended Description : The VRRP status of the failover group has changed,
                       : which may indicate that a VRRP failover has
                       : occurred.
  Repair Action        : Use the CLI commands "show vrrp failover-group" and
                       : "show vrrp detail-status" to view the status of the
                       : failover group. Investigate the reason for the
                       : status change and correct any issues.
--------------------------------------------------------------------------------
================================================================================
CBS#
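The clear alarms example above shows that a manual clear leaves its own history record carrying the Correlation ID and the Clearing Agent. The following Python script is an added example, not part of the Crossbeam documentation: it parses verbose alarm history records and lists who cleared which alarm. The one-field-per-line layout, the approved-agent list, and the records for IDs 95 and 101 are constructed assumptions.

```python
import re

RULE = re.compile(r"^\s*[=-]{20,}\s*$")              # ===== / ----- record separators
FIELD = re.compile(r"^\s*([^:]*?)\s*:\s*(.*?)\s*$")  # "Label : value" or ": continuation"

# Constructed capture. Record 97 follows the example on this page; records 95
# and 101 are made up for the demonstration, in the same assumed layout.
SAMPLE = """\
================================================================================
Alarm Id               : 95
Brief Description      : Failover group xyz status master
Date                   : Thu Nov 11 15:34:16 2010
Severity               : Major
Alarm Name             : vrrpFailGroupStatusChange
Alarm Source           : cp2
--------------------------------------------------------------------------------
================================================================================
Alarm Id               : 97
Brief Description      : Failover group xyz status master
Date                   : Fri Nov 12 18:38:48 2010
Severity               : Clear
Correlation ID         : 95
Clearing Agent         : admin
Alarm Name             : vrrpFailGroupStatusChange
Alarm Source           : cp2
Information            :
  User Clearable       : true
  Extended Description : The VRRP status of the failover group has changed,
                       : which may indicate that a VRRP failover has
                       : occurred.
--------------------------------------------------------------------------------
================================================================================
Alarm Id               : 101
Brief Description      : No remote box configured
Date                   : Sat Nov 13 02:11:05 2010
Severity               : Clear
Correlation ID         : 99
Clearing Agent         : jsmith
Alarm Name             : constructedAlarmName
Alarm Source           : cp2
--------------------------------------------------------------------------------
================================================================================
"""

# Assumption: accounts expected to clear alarms on this chassis. How the system
# labels its own automatic clears is not shown on the page; add that value here
# if automatic clears should not be reported.
APPROVED_AGENTS = {"admin"}


def parse_records(text):
    """Split verbose alarm output into one dict of fields per alarm record."""
    records, current, last = [], {}, None
    for line in text.splitlines():
        if RULE.match(line):            # a ruler line closes the current record
            if current:
                records.append(current)
            current, last = {}, None
            continue
        m = FIELD.match(line)
        if not m:                       # prompts and other lines without a colon
            continue
        label, value = m.group(1), m.group(2)
        if label:
            current[label] = value
            last = label
        elif last:                      # ": text" continues the previous field
            current[last] = (current[last] + " " + value).strip()
    if current:
        records.append(current)
    return records


def audit_clears(records, approved_agents):
    """Link every Clear record to the alarm it cleared and to the clearing user."""
    by_id = {r["Alarm Id"]: r for r in records if "Alarm Id" in r}
    findings = []
    for r in records:
        if r.get("Severity") != "Clear":
            continue
        original = by_id.get(r.get("Correlation ID", ""))
        agent = r.get("Clearing Agent", "")
        findings.append({
            "clear_id": r.get("Alarm Id"),
            "cleared_id": r.get("Correlation ID"),
            "agent": agent,
            "when": r.get("Date"),
            "alarm_name": r.get("Alarm Name"),
            # None means the cleared alarm is missing from the capture
            "original_severity": original.get("Severity") if original else None,
            "approved_agent": agent in approved_agents,
        })
    return findings


if __name__ == "__main__":
    for f in audit_clears(parse_records(SAMPLE), APPROVED_AGENTS):
        flag = "ok" if f["approved_agent"] else "REVIEW"
        print(f"[{flag}] alarm {f['cleared_id']} ({f['original_severity']}) "
              f"cleared by {f['agent']} at {f['when']} (record {f['clear_id']})")
```

A clear whose original alarm is absent from the capture, or whose agent is outside the approved set, is worth checking against the full history.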
show calendar
This command displays the system calendar.
Syntax
show calendar
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:

CBS# show calendar
Tue Apr 06 08:52:31 2010
show chassis
This command displays the current status of the chassis and all modules present in the chassis.

NOTE: Each VAP group can contain only APM-8650s or only APM-8600s. Use the show chassis command to obtain each module's name and model. Then, use the configure vap-group <VAP_group_name> ap-list command to add only APM-8650s or only APM-8600s to the VAP group.
Syntax
show chassis
Context
You access this command from the main CLI context.
Parameters
The following table describes the information provided in each column/row.

Column/Row Heading    Information Provided
Slot                  Chassis slot number.
Present               Indicates whether or not a module is present in the slot.
Module Name           Name of module or n/a if a module is not present in the slot.
Module Type           Type (model) of module or n/a if a module is not present in the slot.
Status                Operational status of the module. Status can be one of the following:
                          Active - Applies only to APMs. Indicates that the APM is UP and is ready to receive traffic.
                          Standby - Applies only to APMs. Indicates that the APM is functioning as a Standby VAP.
                          Up - Module is functioning normally. For APMs, the Up status indicates that the module is functioning, but it is not yet ready to receive traffic.
                          Initializing - Module is initializing.
                          Booting - Module is booting up.
                          AwaitingBoot - Module is getting ready to boot up.
                          Diagnostic - Module is running hardware diagnostics.
                          Maintenance - Module is running in maintenance mode.
                          Offline - Applies only to CPMs. Indicates that the CPM is offline.
                          CrashDumping - Module is crashing and is sending information to a log file that you can use to debug the crash.
                          Down - Module is not functioning.
                          Unavailable - Module is unavailable.
                          Unknown - System is unable to determine the status of the module.
                          n/a - Module is not present in the slot.
Uptime
Restrictions
Default Privilege Level: 0
Example
The following example is output for this command:
CBS# show chassis
Chassis Status for X80:
Power Type: AC-3
1G Backplane Support: Yes
1G Backplane Capability for Slots 3 and 4: Yes
Chassis Revision: C2
Chassis Serial Number: G808F008
Chassis Part Number: 004360
Chassis OCODE: A000
Slot  Present  Module Name  Module Type  Status
1     No       n/a          n/a          n/a
2     Yes      np2          NP8600       Up
3     No       n/a          n/a          n/a
4     No       n/a          n/a          n/a
5     Yes      ap3          AP9600       Active
6     No       n/a          n/a          n/a
7     Yes      ap5          AP8600       Standby
8     Yes      ap6          AP8600       Standby
9     No       n/a          n/a          n/a
10    No       n/a          n/a          n/a
11    No       n/a          n/a          n/a
12    No       n/a          n/a          n/a
13    Yes      cp1          CP8600       Up
14    No       n/a          n/a          n/a
13 days, 04:14
show cpu
This command displays the CPU load and utilization average information for the last 1, 5, and 15 minutes on all modules in the system, and displays other statistics for each CPU. Use parameters to display only the specified types of information.
Syntax
show cpu [utilization-average] [load-average] [statistics]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter              Description
utilization-average    Displays CPU utilization averages.
load-average           Displays CPU load average.
statistics             Displays additional CPU statistics.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:

CBS# show cpu
CPU utilization average for np1:
    for last 1 minute: 0.59
    for last 5 minutes: 0.57
    for last 15 minutes: 0.59
CPU utilization average for np2:
    for last 1 minute: 0.66
    for last 5 minutes: 0.62
    for last 15 minutes: 0.63
CPU utilization average for ap1:
    for last 1 minute: 0.03
    for last 5 minutes: 0.33
    for last 15 minutes: 0.12
CPU utilization average for ap2:
    for last 1 minute: 0.00
    for last 5 minutes: 0.08
    for last 15 minutes: 0.07
CPU utilization average for cp1:
    for last 1 minute: 100.00
    for last 5 minutes: 100.00
    for last 15 minutes: 100.00

CPU load average for np1:
    for last 1 minute: 15.00
    for last 5 minutes: 15.00
    for last 15 minutes: 15.00
CPU load average for np2:
    for last 1 minute: 15.00
    for last 5 minutes: 15.00
    for last 15 minutes: 15.00
CPU load average for ap1:
    for last 1 minute: 0.00
    for last 5 minutes: 0.00
    for last 15 minutes: 0.00
CPU load average for ap2:
    for last 1 minute: 0.00
    for last 5 minutes: 0.00
    for last 15 minutes: 0.00
CPU load average for cp1:
    for last 1 minute: 42.99
    for last 5 minutes: 42.97
    for last 15 minutes: 42.85

Slot Module CPU   User  Nice  Syst  Idle  Irq   SfIrq Iowt
---- ------ ----- ----- ----- ----- ----- ----- ----- ----
3    ap1    CPU   0.0   0.0   0.0   100.0 0.0   0.0   0.0
3    ap1    CPU0  0.0   0.0   0.0   100.0 0.1   0.1   0.0
3    ap1    CPU1  0.0   0.0   0.0   100.0 0.0   0.0   0.0

Slot Module CPU   User  Nice  Syst  Idle  Irq   SfIrq Iowt
---- ------ ----- ----- ----- ----- ----- ----- ----- ----
4    ap2    CPU   0.0   0.0   0.0   100.0 0.0   0.0   0.0
4    ap2    CPU0  0.0   0.0   0.0   100.0 0.0   0.0   0.0
4    ap2    CPU1  0.0   0.0   0.0   100.0 0.0   0.0   0.0

Slot Module CPU   User  Nice  Syst  Idle  Irq   SfIrq Iowt
---- ------ ----- ----- ----- ----- ----- ----- ----- ----
13   cp1    CPU   0.1   0.0   0.0   0.0   0.0   0.1   98.4
show current-release
This command displays the currently loaded XOS software release version. This command displays the software version for off-line CPMs.
Syntax
show current-release [verify-rpm]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter     Description
verify-rpm    Verifies the consistency of installed rpms.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:

CBS# show current-release
Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
Version: XOS 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
gcc: gcc version 2.96 20000731 (Linux 7.3 2.96-112)
CVS_Label: XOS-9_5_1_0-20110226_1
Kit_Number: xx
Syntax
show current-running-release
Context
You access this command from the upgrade CLI context.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:

CBS(upgrade)# show current-running-release
Crossbeam: 9.5.1-xx (current)
show disk-usage
This command displays disk usage statistics for the root partition and for the /, /boot, /cbconfig, /tftpboot, and /mgmt partitions on the CPM. The system collects disk usage information from the four CPM disk usage facility alarm sensors (one alarm sensor for each partition) once a day.
Syntax
show disk-usage [history]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter    Description
history      Displays disk usage statistics for the past several days.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:

CBS# show disk-usage
======================================================================
Top Disk Users Report for Thu Mar 17 17:25:18 EDT 2011
======================================================================
Filesystem   1K-blocks  Used     Available  Use%  Mounted on
/dev/md5     7882448    4129128  3352908    56%   /
/dev/md1     102672     7804     89652      9%    /boot
/dev/drbd0   1971472    233560   1637768    13%   /cbconfig
/dev/drbd1   210121168  8318236  191129372  5%    /tftpboot
/dev/drbd2   2011792    162060   1747540    9%    /mgmt
show environment
This command displays the current chassis status for temperatures, power supplies, LEDs, fans, and power feeds. If no parameters are specified, all parameters measured on the chassis are displayed.
Syntax
show environment [temperatures|power-supply|leds|fans|feeds]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter       Description
temperatures    Displays the temperature measured by the sensor on the fan tray.
power-supply    Displays whether power-supplies are present or not.
leds            Displays whether the LEDs on the chassis are on or off.
fans            Displays the status of fan-trays (present/not-present) and individual fans (on/off).
feeds           Displays whether the power feeds are present or not.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:

CBS# show environment
Environmental Statistics:
Temperature readings:
    Chassis temperature measured at 17(C)
LED status:
    Critical LED is OFF
    Major LED is OFF
    Minor LED is ON
Power Type:
    Power Type is AC
Power Supply status:
    Power Supply has Failed
    Power supply Bay 1 Present
    Power supply Bay 1 is Operational
    Power supply Bay 2 Not Present
    Power supply Bay 3 Not Present
    Power supply Bay 4 Present
    Power supply Bay 4 has Failed
Power Feed status:
    Power Feed is Operational

Upper Fan Tray Status:
    Upper Fan Tray Revision Is C
    Upper Fan Tray Serial Number Is B24700200
    Upper Fan Tray Part Number Is 000350
    Upper Fan Tray Present
    Upper Fan Tray is Compatible
    Fan 1 Is OK
    Fan 2 Is OK
    Fan 3 Is OK
    Fan 4 Is OK
    Fan 5 Is OK
    Fan 6 Is OK
    Fan 7 Is OK
    Fan 8 Is OK
    Fan 9 Is OK
Lower Fan Tray Status:
    Lower Fan Tray Revision Is C
    Lower Fan Tray Serial Number Is B31600442
    Lower Fan Tray Part Number Is 001911
    Lower Fan Tray Present
    Lower Fan Tray is Compatible
    Fan 1 Is OK
    Fan 2 Is OK
    Fan 3 Is OK
    Fan 4 Is OK
    Fan 5 Is OK
    Fan 6 Is OK
show heartbeat
This command displays the link quality between all modules or to specified modules. Each active module in an X-Series chassis sends out four heartbeat signals every second.
Syntax
show heartbeat [cp1] [cp2] [ap1] [ap2] [ap3] [ap4] [ap5] [ap6] [ap7] [ap8] [ap9] [ap10] [np1] [np2] [np3] [np4]
Context
You access this command from the main CLI context.
Output
In the output from this command, the first column contains these items:

X-Series Chassis       Control Buses    Data Planes
X45                    CB A, CB B       DP A, DP B
X20, X30, and X60      CB A, CB B       DP A1, DP A2, DP B1, DP B2
X40, X80, and X80-S    CB A, CB B       DP A, DP B, DP C, DP D

The data are presented as follows:

Percent - On a given bus or data plane, 100% indicates that all heartbeats were received during the most recent time period. Lower percentages indicate that some heartbeats were not received.
NA - Indicates that the link is unconnected or that no heartbeats have been received. An unconnected link means that the slot is empty or that the module in the slot is not in the Active or Up state.
Parameters
The following table lists the parameters used with this command.

Parameter    Description
cp1          Heartbeats received by CP1
cp2          Heartbeats received by CP2
ap1          Heartbeats received by AP1
ap2          Heartbeats received by AP2
ap3          Heartbeats received by AP3
ap4          Heartbeats received by AP4
ap5          Heartbeats received by AP5
ap6          Heartbeats received by AP6
ap7          Heartbeats received by AP7
ap8          Heartbeats received by AP8
ap9          Heartbeats received by AP9
ap10         Heartbeats received by AP10
np1          Heartbeats received by NP1
np2          Heartbeats received by NP2
np3          Heartbeats received by NP3
np4          Heartbeats received by NP4
Restrictions
Default Privilege Level: 0
Example
The following example shows the output of show heartbeat for cp2 on an X80 system.

CBS# show heartbeat
Link Quality TO: 14 cp2
FROM      1     2     3     4     5     6     7     8     9     10    11    12    13    14
ON ports
CB A:     NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA
CB B:     NA    100%  NA    NA    100%  NA    100%  NA    NA    NA    NA    NA    NA    NA
DP A:     NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA
DP B:     NA    100%  NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA
DP C:     NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA
DP D:     NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA
The following example shows the output of the show heartbeat command on an X60 with no module specified. CBS# show heartbeat Link Quality TO: 1 FROM 1 2 ON ports CB A: NA NA CB B: NA 100% DP A1: 100% 100% DP A2: NA NA DP B1: NA NA DP B2: NA NA Link Quality TO: 2 FROM 1 2 ON ports CB A: NA NA CB B: 100% NA DP A1: NA NA DP A2: NA NA DP B1: 100% 100% DP B2: NA NA Link Quality TO: 3 FROM 1 2 ON ports CB A: NA NA CB B: 100% 100% DP A1: NA NA DP A2: NA NA DP B1: NA NA DP B2: NA NA Link Quality TO: 4 FROM 1 2 ON ports CB A: NA NA CB B: 100% 100% DP A1: 100% NA DP A2: 100% NA DP B1: NA 100% DP B2: NA 100% Link Quality TO: 5 FROM 1 2 ON ports CB A: NA NA CB B: 100% 100% DP A1: 100% NA DP A2: 100% NA DP B1: NA 100% DP B2: NA 100%
3 NA 100% NA NA NA NA
7 NA 100% 100% NA NA NA
3 NA 100% NA NA NA NA
7 NA 100% NA NA 100% NA
3 NA NA NA NA NA NA
4 NA 100% NA NA NA NA
5 NA 100% NA NA NA NA
6 NA 100% NA NA NA NA
7 NA 100% NA NA NA NA
3 NA 100% NA NA NA NA
4 NA NA NA NA NA NA
3 NA 100% NA NA NA NA
5 NA NA NA NA NA NA
Link Quality TO: 6 FROM 1 2 ON ports CB A: NA NA CB B: 100% 100% DP A1: 100% NA DP A2: 100% NA DP B1: NA 100% DP B2: NA 100% Link Quality TO: 7 FROM 1 2 ON ports CB A: NA NA CB B: 100% 100% DP A1: 100% NA DP A2: NA NA DP B1: NA 100% DP B2: NA NA CBS#
3 NA 100% NA NA NA NA
6 NA NA NA NA NA NA
3 NA 100% NA NA NA NA
7 NA NA NA NA NA NA
Syntax
show logging console [level {<level_number> | emerg | alert | crit | error | warning | notice | info | debug}] [component <component_name>] [hostname <hostname>] [chronological-order] [<month>] [<date>] [<year>] [<time>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter                     Description
level <level_number>          Displays all event messages stored in the console log that have a severity level number equal to or lower than the log level, <level_number>. See parameter descriptions below for a list of severity level descriptions. Valid values are 0-7. Default is 4.
level emerg                   Displays messages stored in the console log with severity level 0. Severity level 0 is Emergency, which indicates that the system is unstable.
level alert                   Displays messages stored in the console log with severity levels 0 and 1. Severity level 1 is Alert, which indicates that immediate action is needed.
level crit                    Displays messages stored in the console log with severity levels 0-2. Severity level 2 is Critical, which indicates a critical condition.
level error                   Displays messages stored in the console log with severity levels 0-3. Severity level 3 is Error, which indicates an error condition.
warning                       Displays messages stored in the console log with severity levels 0-4. Severity level 4 is Warning, which indicates a warning condition.
level notice                  Displays messages stored in the console log with severity levels 0-5. Severity level 5 is Notification, which indicates that a significant event has occurred, but conditions remain normal.
level info                    Displays messages stored in the console log with severity levels 0-6. Severity level 6 is Informational. Use these messages for information only.
level debug                   Displays messages stored in the console log with severity levels 0-7. Severity level 7 is Debugging. Use these messages for debugging only.
component <component_name>    Filters the output of the show logging console command. Displays only the event messages whose component names match one of the following <component_name> values:
                                  cbsalarmmond - CBS RMON Monitor
                                  cbscfgmgrd - CBS Configuration Manager
                                  cbsd - CBS Daemon
                                  cbsflowagentd - CBS Flow Agent
                                  cbsflowcalcd - CBS Flow Calculator
                                  cbshmonitord - CBS Health Monitor
                                  cbsinitd - CBS Initializer
                                  cbsstatsd - CBS Statistic Collector
                                  cbssysctrld - CBS System Controller
                                  cbsvfpcfgd - CBS VAP Config Agent
                                  cli - Command Line Interface
                                  init_cli - CLI Initializer
                                  WEB - CBS Graphic User Interface (GUI)
hostname <hostname>           Filters the output of the show logging console command. Displays only the event messages that originate from the module with the specified host name.
chronological-order           Displays event messages in reverse chronological order.
<month>                       Filters the output of the show logging console command. Displays messages only for events that occurred during the specified month. You must specify the month as a three-letter abbreviation. Default value is the current month if the <date>, <year>, or <time> parameter is specified.
<date>                        Filters the output of the show logging console command. Displays messages only for events that occurred on the specified day of the month. Valid values are from 1 to 31. Default value is the current date if the <month>, <year>, or <time> parameter is specified.
Syntax
show module admin-state
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter      Description
admin-state    Displays administrative status (enabled, disabled, or maintenance) for each module.
Restrictions
Default Privilege Level: 0
Example
The following is an example using show module admin-state to see the status for all modules in an X80.

CBS# show module admin-state
Slot Number    Administrative Status
1              Enable
2              Enable
3              Enable
4              Disable
5              Enable
6              Enable
7              Enable
8              Enable
9              Enable
10             Enable
11             Enable
12             Enable
13             Enable
14             Enable
(14 rows)
Syntax
show module status [np1|np2|np3|np4|cp1|cp2|ap1|ap2|ap3|ap4|ap5|ap6|ap7|ap8|ap9|ap10] [voltage|temperature|type|revision|serial|link|memory|leds|disk|duart| reachability|acceleration-card|eth-daughter-card]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter            Description
np1 - np4            Displays specific NPMs in the X-Series Platform.
cp1 or cp2           Displays specific CPMs in the X-Series Platform.
ap1 - ap10           Displays specific APMs in the X-Series Platform.
voltage              Displays the voltage measured on each module in volts.
temperature          Displays the temperatures measured on each module in degrees celsius.
type                 Displays the module type.
revision             Displays the module hardware revision.
serial               Displays the module serial number.
link                 Displays the status of links attached to the module specified (UP/DOWN).
memory               Displays the status of memory devices on the specified module in KB.
leds                 Displays whether the LEDs on the modules are ON or OFF.
disk                 Displays slot, number, size, errors, and RAID status information about disk drives installed on the CPMs and APMs. NOTE: Use this parameter to check for dual drives before configuring RAID.
duart                Displays the status of the DUAL UART (serial ports) if connected to the specified module (UP/DOWN).
reachability         Displays the modules reachable from the specified slot through the control and data plane.
acceleration-card    Displays the presence of an Accelerated Crypto Engine (ACE) card, used for VPN acceleration, on an APM.
eth-daughter-card    Displays the presence of an Ethernet daughter card on an APM.
Output
The output for this command has the following format:

NA = Not Available, DP = Data Plane, CP = Control Plane
cp = Control Processor, ap = Application Processor, np = Network Processor
Slot 1:
Board Type                     NP8620
Board Part Number              005331
Board Serial Number            G834L008
Board Revision                 2
Control FPGA Revision          0x3
Focus FPGA Revision            0xDB1C
Board OCODE                    A000
Dual-CPU Capacity              Not Available
CPU Presence                   Present
CPU2 Presence                  Not Present
CPU Voltage                    1.10(V)
3.3v Supply                    3.32(V)
2.5v Supply                    2.50(V)
1.8v Supply                    1.79(V)
1.8v NP6 Octeon DDR            1.79(V)
1.2v NP6 EZChip Core           1.18(V)
1.8v NP6 EZChip DDR            1.79(V)
1.5v NP6 EZChip XGMII/RGMII    1.47(V)
1.2v NP6 XBPRC                 1.19(V)
Ethernet Switch Voltage        1.24(V)
CPU Temperature                42(C)
Intake Air Temperature         28(C)
FPGA Temperature               43(C)
Exhaust Air Temperature        32(C)
SDRAM 1 Size                   1048576(KB)
SDRAM 2 Size                   0(KB)
SDRAM 3 Size                   1048576(KB)
SDRAM 4 Size                   0(KB)
Total Memory                   2097152(KB)
Used Memory                    1772372(KB)
Free Memory                    324780(KB)
Shared Memory                  0(KB)
Buffers Memory                 0(KB)
Cached Memory                  79068(KB)
Memory Utilization             81.09%
Total High Memory              0(KB)
Free High Memory               0(KB)
Total Low Memory               0(KB)
Free Low Memory                0(KB)
Active LED                     On
Standby LED                    Off
Failure LED                    Off
Control Bus A                  Up
Control Bus B                  Up
np1/ Link                      Up
np1/np2 Link                   Up
np1/ap1 Link                   Down
np1/ap2 Link                   Down
np1/ap3 Link                   Down
np1/ap4 Link                   Down
np1/ap5 Link                   Down
np1/ap6 Link                   Down
np1/ap7 Link                   Down
np1/ap8 Link                   Down
np1/ap9 Link                   Down
np1/ap10 Link                  Down
np1/cp2 Link                   Up
gigabitethernet 1/1            Down
gigabitethernet 1/2            Down
gigabitethernet 1/3            Down
gigabitethernet 1/4            Down
gigabitethernet 1/5            Down
gigabitethernet 1/6            Down
gigabitethernet 1/7            Down
gigabitethernet 1/8            Down
gigabitethernet 1/9            Down
gigabitethernet 1/10           Down
CPU Speed                      550 MHz
CPU Up Time                    76389 secs
Threshold
Restrictions
Default Privilege Level: 0
Example
The following command displays the voltage levels for np1 in an X-Series Platform:

CBS# show module status np1 voltage
NA = Not Available, DP = Data Plane, CP = Control Plane
cp = Control Processor, ap = Application Processor, np = Network Processor
Slot 1:
CPU Voltage        1.10(V)
3.3v Supply        3.32(V)
2.5v Supply        2.50(V)
1.8v Supply        1.79(V)
1.8v NP6 Octeon    1.79(V)
1.2v NP6 EZChip    1.18(V)
1.8v NP6 EZChip    1.78(V)
1.5v NP6 EZChip    1.47(V)
1.2v NP6 XBPRC     1.19(V)
Ethernet Switch    1.25(V)
Syntax
show release
Context
You access this command from the upgrade CLI context.
Restrictions
Default Privilege Level: 15
Example
CBS# upgrade show release
Crossbeam: 9.5.1-xx
Crossbeam: 9.5.1-yy (current)
show rmon
This command displays the current RMON agent status.
Syntax
show rmon [alarms | events | log]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter    Description
alarms       Displays the RMON alarm table (default).
events       Displays the RMON event table.
log          Displays list of RMON events that have been logged.
Restrictions
Default Privilege Level: 0
Example
The following is an example of the RMON events display:

CBS# show rmon events
Event Number   : 65000
Event Type     : Log_n_trap
Community      : public
Last Time Sent : 00:00
Owner          : system
Description    : Disk Usage Crossed Upper Threshold
show snmp
This command displays the existing system location, contact information, and SNMP hosts or SNMP communities. If no parameter is specified, system information is displayed.
Syntax
show snmp [contact | engine-id | location | community | hosts | system]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter    Description
contact      SNMP contact information.
engine-id    Engine Identifier for this copy of SNMP.
location     SNMP server location information.
community    Community strings, IP address, and network mask.
hosts        IP address, traps/inform configuration, security level, community string, and port number of the configured hosts for SNMP traps.
system       SNMP system information, such as system name, contact, and location.
Restrictions
Default Privilege Level: 0
show ssh-session
Lists all ssh sessions established to the X-Series Platform.
Syntax
show ssh-session
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is example output of the show ssh-session command:

Session Identifier    Remote Address    Username
19275                 192.168.1.160     admin
19392                 192.168.1.160     admin
24260                 192.168.1.160     admin
24272                 192.168.1.160     admin
7422                  192.168.1.160     admin
(5 rows)
show switch-data-path
This command displays switch data path statistics for each APM and CPM.
Syntax
show switch-data-path
Context
You access this command from the main CLI context.

The following table describes the information provided in each column/row.

Column/Row Heading    Information Provided
Slot                  Physical slot number
Mod                   Module type
SDPx                  Switch data path number (sdp0 - sdp7)
In Packets            Number of packets received
In Errors             Number of packets received with errors
In Drops              Number of packets dropped during reception
Out Packets           Number of packets transmitted
Out Errors            Number of errors occurring during transmission
Out Drops             Number of packets dropped during transmission
NOTE: The output for each module includes a total line that adds all of the statistics across all SDPs for that module. The total line appears after the individual SDP lines for that module. See the example for details.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:

CBS# show switch-data-path
                  In          In      In     Out         Out     Out
Slot  Mod  SDPx   Packets     Errors  Drops  Packets     Errors  Drops
5     VAP  0      68924632    0       0      15335954    0       0
5     VAP  1      8141        0       0      15196503    0       0
5     VAP  2      4918        0       0      15202006    0       0
5     VAP  3      3494        0       0      15203418    0       0
5     VAP  total  68941185    0       0      60937881    0       0
6     VAP  0      69175814    0       0      60920931    0       0
6     VAP  1      19376       0       0      2929        0       0
6     VAP  2      0           0       0      12          0       0
6     VAP  3      0           0       0      0           0       0
6     VAP  total  69195190    0       0      60923872    0       0
8     VAP  0      157042359   0       0      36700424    0       0
8     VAP  1      102288199   0       0      26237621    0       0
8     VAP  2      95230406    0       0      52243981    0       0
8     VAP  3      95359152    0       0      55730905    0       0
8     VAP  4      107456912   0       0      55798419    0       0
8     VAP  5      104381580   0       0      57114440    0       0
8     VAP  6      89192465    0       0      62689669    0       0
8     VAP  7      104532946   0       0      55764149    0       0
8     VAP  total  855484019   0       0      402279608   0       0
9     VAP  0      64451065    0       0      49283608    0       0
9     VAP  1      5043        0       0      12496123    0       0
9     VAP  2      3581        0       0      17892       0       0
9     VAP  3      3098        0       0      30967       0       0
9     VAP  4      9291201     0       0      75174       0       0
9     VAP  5      3524        0       0      20795       0       0
9     VAP  6      2949        0       0      4266019     0       0
9     VAP  7      3105        0       0      38905       0       0
9     VAP  total  73763566    0       0      66229483    0       0
13    CP   0      6631094     0       0      13467209    0       0
13    CP   1      0           0       0      0           0       0
13    CP   2      0           0       0      0           0       0
13    CP   3      0           0       0      0           0       0
13    CP   total  6631094     0       0      13467209    0       0
show system
This command displays information about the system, such as: system name, location, contact info, hardware revision, software version, and so on.
Syntax
show system
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
CBS# show system
Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
Version: CLI 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
gcc: gcc version 2.96 20000731 (Linux 7.3 2.96-112)
CVS_Label: XOS-9_5_1_0-20110226_1
Chassis information:
Part number: 003717, Serial Number: F6240016, Hardware Revision: E
Slot  Board Type  Ports  Part Num  Serial Num  Hw Revision  Status
1     NP8600      12     003927    G7150499    8            Up
2     NP8600      12     003927    G7150508    8            Up
5     AP8650      0      004911    L845H046    8            Active
6     AP9600      0      005682    P104N013    AA           Active
9     AP9600      0      005682    P104N034    AA           Active
13    CP9600      5      005962    N023J519    AA           Up
CBS#
show traplog
This command displays the log of the last 100 SNMP traps.
Syntax
show traplog
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is a partial example of this command:

CBS# show traplog
Trap Description : cbsHwModuleStatusChanged
Trap OID         : .1.3.6.1.4.1.6848.4.1.14
sysUpTime        : 00:01:05
Time & Date      : 2010-06-21 10:12:39.51
Num of variables : 1
Variable 1       : cbsHwModuleStatus.5 = standby(5)
Variable 2       :
Other Variables  :

Trap Description :
Trap OID         :
sysUpTime        :
Time & Date      :
Num of variables :
Variable 1       :
Variable 2       :
Other Variables  :

Trap Description :
Trap OID         :
sysUpTime        :
Time & Date      :
Num of variables :
Variable 1       :
Variable 2       :
Other Variables  :
show web-session
This command displays Web user sessions.
Syntax
show web-session
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:

CBS# show web-session
User              : admin
GUI Access Level  : Administrator
Start Access Time : 2010-03-09 10:09:39.339501-04
Last Access Time  : 2010-03-09 10:10:59.796468-04
User IP Addr      : 192.168.1.126
who
This command displays the users currently logged on to the X-Series Platform.
Syntax
who
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
ping
This command tests network connectivity from this system to the specified IP address. This command originates from the CPM if the VAP group is not specified.
Syntax
ping [vap-group <vap-group> [<vap-index>]] {<ip-address>|<hostname>} [-c][-i][-s][-t]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.

Parameter       Description
<vap-group>     VAP group for the VAP that the ping is originated from.
<vap-index>     Specific VAP in the VAP group.
<ip-address>    IP address of the host to ping.
<hostname>      Name of the host to ping.
-c              Number of packets sent. Default value is 5, with a range of 1 to 100.
-i              Number of seconds to wait between sending packets. Default is 1 with a range of 1 to 100.
-s              Packet size in bytes. Default is 56, with a range of 56 to 1024.
-t              Time-To-Live in hop (router) count. Default is 2, with a range of 1 to 100.
Restrictions
Default Privilege Level: 0
show arp
This command displays entries in the ARP cache. You may provide a range of IP addresses to be displayed by specifying the low and high range. If one IP address is specified, only the entries in the ARP cache matching that IP address are displayed. You can also specify to only display dynamic entries. By default, all IP addresses in the ARP cache are displayed.
Syntax
show arp [<IP_addr_low> [<IP_addr_high>]] [dynamic]
Context
You access this command from any CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter / Description
<IP_addr_low>
    Display entries in the ARP cache for this IP address.
<IP_addr_high>
    Display entries in the ARP cache for all IP addresses between <IP_addr_low> and this IP address.
dynamic
    Display dynamic ARP entries only.
Restrictions
Default Privilege Level: 0
Example
CBS# show arp
Module      Address       Hardware Addr      Type     Interface
primarycpm  1.1.2.32      00:03:d2:00:02:02  dynamic  eth0
primarycpm  192.168.64.1  00:00:5e:00:00:40  dynamic  eth2
Syntax
show neighbor-discovery
Context
You access this command from the main CLI context.
Output
The following table describes the information provided in each row of the output.
Row Heading / Information Provided
Domain
    Displays the domain number associated with this neighbor entry.
IP address
    Displays the IP address of this neighbor entry.
State
    Displays the most recent state recorded in the neighbor discovery table. Possible values are:
    DELAY - The neighbor is no longer known to be reachable, and traffic has recently been sent to the neighbor. Rather than probe the neighbor immediately, however, delay sending probes for a short while in order to give upper layer protocols a chance to provide reachability confirmation.
    INCOMPLETE - Address resolution is in progress and the link-layer address of the neighbor has not yet been determined.
    PROBE - The neighbor is no longer known to be reachable, and unicast Neighbor Solicitation probes are being sent to verify reachability.
    REACHABLE - Roughly speaking, the neighbor is known to have been reachable recently (within tens of seconds ago).
    STALE - The neighbor is no longer known to be reachable but until traffic is sent to the neighbor, no attempt should be made to verify its reachability.
    FAILED - The neighbor has been declared unreachable. The system seeks an alternate path.
Type
    Displays the type of link associated with this neighbor discovery table entry. Possible values are:
    asymmetric reachability - A link where non-reflexive and/or non-transitive reachability is part of normal operation. (Non-reflexive reachability means packets from A reach B but packets from B don't reach A. Non-transitive reachability means packets from A reach B, and packets from B reach C, but packets from A don't reach C.) Many radio links exhibit these properties.
    multicast - A link that supports a native mechanism at the link layer for sending packets to all (i.e., broadcast) or a subset of all neighbors.
    non-broadcast multi-access (NBMA) - A link to which more than two interfaces can attach, but that does not support a native form of multicast or broadcast (e.g., X.25, ATM, frame relay, etc.).
    point-to-point - A link that connects exactly two interfaces. A point-to-point link is assumed to have multicast capability and have a link-local address.
    shared media - A link that allows direct communication among a number of nodes, but attached nodes are configured in such a way that they do not have complete prefix information for all on-link destinations. That is, at the IP level, nodes on the same link may not know that they are neighbors; by default, they communicate through a router. Examples are large (switched) public data networks such as SMDS and B-ISDN. Also known as "large clouds". See [SH-MEDIA].
    unicast - One of these unicast address types:
        Global unicast address - A conventional, publicly routable address, just like conventional IPv4 publicly routable addresses.
        Link-local address - Similar to the private, non-routable addresses in IPv4 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). They are not meant to be routed, but confined to a single network segment. Link-local addresses mean you can easily throw together a temporary LAN, such as for conferences or meetings, or set up a permanent small LAN the easy way.
        Unique local address - Meant for private addressing, with the addition of being unique, so that joining two subnets does not cause address collisions.
        Special addresses are loopback addresses, IPv4-address mapped spaces, and 6to4 addresses for crossing from an IPv4 network to an IPv6 network.
    variable MTU - A link that does not have a well-defined MTU (e.g., IEEE 802.5 token rings). Many links (e.g., Ethernet) have a standard MTU defined by the link-layer protocol or by the specific document describing how to run IP over the link layer.
Flags
    If one or more flags are set, they indicate the type of neighbor. Possible values are:
    A dash or hyphen indicates that no flags are set. The type of neighbor is not specified.
    The word PROXY indicates that the neighbor is a proxy ARP device.
    The word ROUTER indicates that the neighbor is an IPv6 router.
HW Address
    The MAC address associated with this neighbor discovery table entry.
Device
    The device name associated with this neighbor table entry.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command.
CBS# show neighbor-discovery
Neighbor Entry
Module one_2
Domain 0
IP address 2002:1::3
State REACHABLE
Type UNICAST
Flags
HW Address 00:03:d2:20:0c:69
Device enter
Neighbor Entry
Module one_2
Domain 0
IP address 2002:2::1
State REACHABLE
Type UNICAST
Flags
HW Address 00:03:d2:1f:fb:b9
Device thru
Neighbor Entry
Module one_2
Domain 0
IP address fe80::203:d2ff:fe1f:fbb9
State STALE
Type UNICAST
Flags
HW Address 00:03:d2:1f:fb:b9
Device thru
show circuit
This command displays circuit information for one or all circuits. The Aggregation Mode field displays whether the circuit is a part of a multi-link, bridge, or transparent group interface. If not a member of a group interface, none is displayed.
Syntax
show circuit <circuit_name> [admin-status | status]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter / Description
<circuit_name>
    Name of a specific circuit. Default is all circuits.
status
    Displays statistical information relating to a circuit. Default.
admin-status
    Displays circuit configuration information.
Restrictions
Default Privilege Level: 0
Example
The following example shows the output of the status parameter.
CBS# show circuit outside status
                             In        In      In     Out       Out     Out
Module  Circuit  IP Address  Packets   Errors  Drops  Packets   Errors  Drops
ips_1   outside  10.37.0.1   28401561  0       0      28422779  0       0
ips_2   outside  10.37.0.1   28401543  0       0      28422559  0       0
The following example shows the output of the admin-status parameter.
CBS# show circuit outside admin-status
Circuit Name : Circuit-Id : Device Name : Incoming Circuit Group : Promiscuous Mode : Proxy ARP Enabled (true/false) : IP Forwarding (true/false) : ICMP Redirect (true/false) : Reclassify NAT Flows (true/false) : IP Flow Rule Priority : IP Flow Rule No Failover (true/false) : VAP Group : Verify Next Hop IP : Aggregation Mode : Domain : New Flow Control (true/false) : DHCP Relay (true/false) : Default Egress Vlan Tag : Hide VLAN Header (true/false) : Replace Egress Vlan Tag : MAC Address : MTU : Management Circuit (true/false) : Enable (true/false) : Primary Type : IP Address : IP Broadcast Address : Increment-per-vap Mode (true/false) : bint 1027 bint 1 no promiscuous f f f f 21 f flo none 1 t f N/A N/A N/A 00:03:d2:e0:0c:c8 (system-reserved) 1500 f t primary 192.168.10.1/24 192.168.10.255 f
By default, this command lists the active flows in the order in which they appear in the AFT. Use the sort parameter to sort the list of flows, as described in Parameters on page 811.
Syntax
show flow active
    [source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [source-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [destination-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}]
    [domain {<domain_ID_number> | <lowest_domain_ID_number> <highest_domain_ID_number>}]
    [circuit-id {<circuit_ID_number> | <lowest_circuit_ID_number> <highest_circuit_ID_number>}]
    [module {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}]
    [master-npm {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}]
    [fast-path-only] [verbose] [poll <polling_interval>] [sort]
    [validated] [validation-pending] [no-validation]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter / Description
source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}
    Filters the command output using the specified source IP address matching criteria. Specify a single IP address to display information only about active flows that have the specified source IP address. Specify a range of IP addresses to display information only about active flows whose source IP addresses are within the specified range.
destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}
    Filters the command output using the specified destination IP address matching criteria. Specify a single IP address to display information only about active flows that have the specified destination IP address. Specify a range of IP addresses to display information only about active flows whose destination IP addresses are within the specified range.
source-port {<port_number> | <lowest_port_number> <highest_port_number>}
    Filters the command output using the specified source port matching criteria. Specify a single port number to display information only about active flows that have the specified source port number. Specify a range of port numbers to display information only about active flows whose source port numbers are within the specified range.
destination-port {<port_number> | <lowest_port_number> <highest_port_number>}
    Filters the command output using the specified destination port matching criteria. Specify a single port number to display information only about active flows that have the specified destination port number. Specify a range of port numbers to display information only about active flows whose destination port numbers are within the specified range.
protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}
    Filters the command output using the specified protocol matching criteria. Specify a single protocol number to display information only about active flows that have the specified protocol number. Specify a range of protocol numbers to display information only about active flows whose protocol numbers are within the specified range.
domain {<domain_ID_number> | <lowest_domain_ID_number> <highest_domain_ID_number>}
    Filters the command output using the specified domain matching criteria. Specify a single domain ID number to display information only about active flows received on circuits with the specified domain ID number. Specify a range of domain ID numbers to display information only about active flows received on circuits whose domain ID numbers are within the specified range. Use the show circuit command to display the domain ID numbers assigned to circuits configured on the X-Series Platform.
    NOTE: By default, XOS assigns all new circuits to domain number 1. You can assign a circuit to a different domain by specifying the domain parameter with the configure circuit command. If you assign a single domain ID to all of the circuits configured for a VAP group, you can use the show flow active command to monitor the status of all of the flows that arrive on that VAP group. This is particularly useful when monitoring flows that pass through multiple, serialized VAP groups, since you can assign a unique domain ID to each VAP group's circuits.
circuit-id {<circuit_ID_number> | <lowest_circuit_ID_number> <highest_circuit_ID_number>}
    Filters the command output using the specified circuit ID matching criteria. Specify a single circuit ID number to display information only about active flows received on the circuit with the specified circuit ID number. Specify a range of circuit ID numbers to display information only about active flows received on the circuits whose circuit ID numbers are within the specified range. Use the show circuit command to display the circuit ID numbers assigned to circuits configured on the X-Series Platform.
    NOTE: XOS assigns a default circuit ID number to every new circuit. You can assign a new circuit ID number to a circuit by specifying the circuit-id parameter with the configure circuit command.
module {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}
    Filters the command output using the specified originating NPM matching criteria. Specify a single NPM slot number to display information only about active flows that originate on the NPM with the specified slot number. Specify a range of NPM slot numbers to display information only about active flows that originate on the NPMs whose slot numbers are within the specified range.
master-npm {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}
    Filters the command output using the specified master NPM matching criteria. Specify a single NPM slot number to display information only about active flows whose master NPM has the specified slot number. Specify a range of NPM slot numbers to display information only about active flows whose master NPM has a slot number within the specified range.
fast-path-only
    Filters the command output to display information only about active flows that originate on an NPM and are processed using the Fast Path.
    NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.
verbose
    Changes the format in which the CLI displays the output of the command and displays additional information about flows sent to a VAP in a VAP group. See Default Output on page 814 for more details.
poll <polling_interval>
    Polls the NPMs continuously and displays updated information every <polling_interval> seconds.
    NOTE: Press Ctrl-y to stop polling the NPMs and return to the CLI prompt.
    Valid values for <polling_interval> are from 1-3600.
sort
    Sorts the list of active flows that the command displays, using the following criteria, in the order shown. The CLI sorts the list of flows:
    1. first by destination IP address
    2. then by source IP address
    3. then by protocol number
    4. then by destination port
    5. then by source port
validated
    Displays flows that have been validated by the TCP flow setup validation scheme.
validation-pending
    Displays flows that are subject to validation but have not yet been validated by the TCP flow setup validation scheme.
no-validation
    Displays flows that are not subject to the TCP flow setup validation scheme. This includes non-TCP flows.
Default Output
By default, the show flow active command displays information in a table, using the following format:
Module              Source       Destination  Prot  Dom  TTI/MAX
<NPM_or_VAP_name1>  <IP>:<port>  <IP>:<port>  <#>
    Modules <VAP_name1>, <VAP_name2> ...
    rx circuit <ID#>  Master <NPM_name>
<NPM_or_VAP_name2>  <IP>:<port>  <IP>:<port>  <#>
    {Re-routing | Drop(<drop_reason_ID>)}
    rx circuit <ID#>  Master <NPM_name>
The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing. The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.
The following table describes the information provided in each column/row/field in the command output.
Column/Row Heading or Field / Information Provided
Module <NPM_or_VAP_nameN>
    Name of the NPM or VAP from which the flow originates.
    An NPM name has the format: np<NPM_slot_number>
    Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.
    A VAP name has the format: <VAP_group_name>_<VAP_index_number>
    Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
Source <IP>:<port>
    Source IP address and source port number for the flow.
Destination <IP>:<port>
    Destination IP address and destination port number for the flow.
Prot <#>
    Numeric identifier for the protocol that the flow uses.
Dom <ID#>
    Domain ID number assigned to the circuit on which the originating NPM or VAP receives the flow.
TTI/MAX <mm:ss>/<mm:ss>
    TTI - Time to idle: the amount of time that the flow can remain idle before the NPM deletes that flow from the AFT.
    MAX - Maximum idle time: the maximum amount of time that the flow can be idle before the NPM deletes that flow from the AFT.
    Both TTI and MAX are displayed in minutes and seconds, using the format, mm:ss. For example, 8 minutes and 7 seconds has the format, 08:07.
    TTI is equal to MAX when the flow is active. When the flow becomes idle, TTI begins to count down to 00:00. If TTI reaches 00:00 before the flow becomes active again, the NPM deletes the flow from the AFT.
Modules <VAP_name1>, <VAP_name2> ...
    Name(s) of the VAPs to which the originating NPM or VAP transfers the flow.
{Re-routing | Drop(<drop_reason_ID>)}
    Indicates one of the following:
    Re-routing - Originating NPM or VAP re-routes the flow to an external system.
    Drop(<drop_reason_ID>) - Originating NPM or VAP drops the flow for the reason specified by <drop_reason_ID>.
    Possible values for <drop_reason_ID> are:
    No L2 policy match - The destination MAC address in the packet did not match the MAC address of any VND on the circuit on which the packet entered the system. NOTE: Circuit information is not displayed for flows with this drop reason ID.
    No L3 policy match - There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
    L3 drop policy - This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
    PS2Master failed - A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
    PS2IDX failed - A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
    Load-balance failed - A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
    Broadcast failed - A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
    No Reason - One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.
rx circuit <ID#>
    Circuit ID number assigned to the circuit on which the flow is received. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.
Master <NPM_name>
    Master NPM assigned to the flow.
Fast Path
    Y - Indicates that the flow originates on an NPM and that the NPM processes the flow using the Fast Path.
    NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.
rx packets <#>
    Number of packets that the originating NPM or VAP has received as part of this flow.
Verbose Output
The verbose output for this command has the following format:
<NPM_or_VAP_Name1>
Source Addr <IP_address>, Destination Addr <IP_address>
Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
TTI <tti_mm:ss> out of <max_mm:ss> configured
Modules <VAP_name1>, <VAP_name2> ...
Rx Available Slots <VAP_name1>, <VAP_name2> ... Ageout <#_of_seconds>
rx circuit <ID#> Master <NPM_name> Fast Path {Y|N} rx packets <#>
<NPM_or_VAP_Name2>
Source Addr <IP_address>, Destination Addr <IP_address>
Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
TTI <tti_mm:ss> out of <max_mm:ss> configured
{Re-routing | Drop(<drop_reason_ID>)}
Rx Available Slots <VAP_name1>, <VAP_name2> ... Ageout <#_of_seconds>
rx circuit <ID#> Master <NPM_name> Fast Path {Y|N} rx packets <#>
The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing. The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.
The following table describes the information provided in each column/row/field in the command output.
Column/Row Heading or Field / Information Provided
<NPM_or_VAP_nameN>
    Name of the NPM or VAP from which the flow originates.
    An NPM name has the format: np<NPM_slot_number>
    Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.
    A VAP name has the format: <VAP_group_name>_<VAP_index_number>
    Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
Source Addr <IP_address>
    Source IP address for the flow.
Destination Addr <IP_address>
    Destination IP address for the flow.
Protocol <prot_name> (<#>)
    Name of the protocol that the flow uses and the numeric identifier for that protocol. For example, if the flow uses UDP, this field displays: Protocol udp (17)
Dest Port {<#> | <port_prot>(<#>)}
    Destination port number for the flow or destination port protocol and port number for the flow.
    NOTE: Destination port protocol appears only if the destination port has a standard protocol. For example, if the destination port is 80, this field displays: Dest Port http (80)
Source Port {<#> | <port_prot>(<#>)}
    Source port number for the flow or source port protocol and port number for the flow.
    NOTE: Source port protocol appears only if the source port has a standard protocol. For example, if the source port is 80, this field displays: Dest Port http (80)
Domain <ID#>
    Domain ID number assigned to the circuit on which the originating NPM or VAP receives the flow.
TTI <tti_mm:ss> out of <max_mm:ss> configured
    <tti_mm:ss> - Time to idle (TTI): the amount of time that the flow can remain idle before the NPM deletes that flow from the AFT.
    <max_mm:ss> - Maximum idle time: the maximum amount of time that the flow can be idle before the NPM deletes that flow from the AFT.
    Both TTI and maximum idle time are displayed in minutes and seconds, using the format, mm:ss. For example, 8 minutes and 7 seconds has the format, 08:07.
    TTI is equal to maximum idle time when the flow is active. When the flow becomes idle, TTI begins to count down to 00:00. If TTI reaches 00:00 before the flow becomes active again, the NPM deletes the flow from the AFT.
Modules <VAP_name1>, <VAP_name2> ...
    Name(s) of the VAPs to which the originating NPM or VAP transfers the flow.
{Re-routing | Drop(<drop_reason_ID>)}
    Indicates one of the following:
    Re-routing - Originating NPM or VAP re-routes the flow to an external system.
    Drop(<drop_reason_ID>) - Originating NPM or VAP drops the flow for the reason specified by <drop_reason_ID>.
    Possible values for <drop_reason_ID> are:
    No L2 policy match - The destination MAC address in the packet did not match the MAC address of any VND on the circuit on which the packet entered the system. NOTE: Circuit information is not displayed for flows with this drop reason ID.
    No L3 policy match - There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
    L3 drop policy - This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
    PS2Master failed - A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
    PS2IDX failed - A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
    Load-balance failed - A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
    Broadcast failed - A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
    No Reason - One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.
Rx Available Slots <VAP_name1>, <VAP_name2> ...
    VAPs available to receive packets.
Ageout <#_of_seconds>
    Number of seconds the flow will remain in the active flow table.
rx circuit <ID#>
    Circuit ID number assigned to the circuit on which the flow is received. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.
Master <NPM_name>
    Master NPM assigned to the flow.
Fast Path {Y|N}
    Y - Indicates that the flow originates on an NPM and that the NPM processes the flow using the Fast Path.
    NOTE: Refer to the XOS Configuration Guide for more information about Fast Path flow processing.
rx packets <#>
    Number of packets that the originating NPM or VAP has received as part of this flow.
Restrictions
Default Privilege Level: 0
Examples
Example 1: Displaying all Active Flows Using the Default Command Output Format
The following command displays information about all active flows on an X-Series Platform on which a VAP group called testvapgroup is currently running a firewall application:
CBS# show flow active
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
Module          Source        Destination   Prot  Dom  TTI/MAX
testvapgroup_1  0.0.0.0:8116  3.3.3.0:8116  17    1    01:00/01:00
Modules testvapgroup_2, testvapgroup_3 rx circuit 1026 Master np1 Fast Path N testvapgroup_2 Drop(No reason) rx circuit 1026 np3 3.3.3.6:0 Master np1 224.0.0.22:0 Fast Path N
rx packets 0 1 09:12/10:00
rx packets 24
Example 2: Filtering the Default Command Output Format
The following command displays information only about the active flows using protocol 17:
CBS# show flow active protocol 17
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
Module          Source        Destination   Prot  Dom  TTI/MAX
testvapgroup_1  0.0.0.0:8116  3.3.3.0:8116  17    1    01:00/01:00
    Modules testvapgroup_2, testvapgroup_3
    rx circuit 1026  Master np1  Fast Path N  rx packets 732
CBS#
Example 3: Displaying all Active Flows Using the Verbose Command Output Format
The following command displays information about all active flows on an X-Series Platform on which a VAP group called testvapgroup is currently running a firewall application:
CBS# show flow active verbose
This command may take a few minutes. Do you want to continue? <Y or N> [Y]: Y
testvapgroup_1
Source Addr 0.0.0.0, Destination Addr 3.3.3.0
Protocol udp (17), Dest Port 8116, Source Port 8116, Domain 1
TTI 01:00 out of 01:00 configured
Modules testvapgroup_2, testvapgroup_3
Rx Available Slots testvapgroup_1 Ageout 60
rx circuit 1026 Master np1 Fast Path N rx packets 856
testvapgroup_1
Source Addr 3.3.3.6, Destination Addr 224.0.0.22
Protocol tcp (6), Dest Port 0, Source Port 0, Domain 1
TTI 00:15 out of 00:30 configured
Drop(No reason)
rx circuit 1026 Master np1 Fast Path N rx packets 0
np3
Source Addr 192.168.5.1, Destination Addr 192.168.5.4:397
Protocol tcp (6), Dest Port 397, Source Port 257, Domain 1
TTI 10:00 out of 10:00 configured
Modules testvapgroup_1
Rx Available Slots testvapgroup_2, testvapgroup_3 Ageout 88
rx circuit 1025 Master np1 Fast Path Y rx packets 934
CBS#
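The verbose format above is regular enough to parse, which is useful when captured sessions are reviewed for dropped flows or for flows counting down toward deletion from the AFT. The following Python is an added example, not part of the XOS documentation: the sample text is constructed (its first three records are modelled on Example 3), the function names are hypothetical, and it assumes that a record whose drop reason suppresses circuit information still prints its Master field.

```python
import re
from collections import Counter

# Constructed sample. Records 1-3 follow the layout of the page's verbose
# example; record 4 is invented to exercise a drop reason for which the
# page says circuit information is not displayed.
SAMPLE = """
CBS# show flow active verbose
testvapgroup_1
Source Addr 0.0.0.0, Destination Addr 3.3.3.0
Protocol udp (17), Dest Port 8116, Source Port 8116, Domain 1
TTI 01:00 out of 01:00 configured
Modules testvapgroup_2, testvapgroup_3
Rx Available Slots testvapgroup_1 Ageout 60
rx circuit 1026 Master np1 Fast Path N rx packets 856
testvapgroup_1
Source Addr 3.3.3.6, Destination Addr 224.0.0.22
Protocol tcp (6), Dest Port 0, Source Port 0, Domain 1
TTI 00:15 out of 00:30 configured
Drop(No reason)
rx circuit 1026 Master np1 Fast Path N rx packets 0
np3
Source Addr 192.168.5.1, Destination Addr 192.168.5.4
Protocol tcp (6), Dest Port 397, Source Port 257, Domain 1
TTI 10:00 out of 10:00 configured
Modules testvapgroup_1
Rx Available Slots testvapgroup_2, testvapgroup_3 Ageout 88
rx circuit 1025 Master np1 Fast Path Y rx packets 934
np3
Source Addr 192.0.2.5, Destination Addr 192.0.2.9
Protocol tcp (6), Dest Port http (80), Source Port 40000, Domain 2
TTI 00:05 out of 00:30 configured
Drop(No L3 policy match)
Master np1 Fast Path N rx packets 3
CBS#
"""

# One verbose record, matched on whitespace-normalised text so that line
# wrapping in a captured session does not matter. "rx circuit" is optional.
FLOW_RE = re.compile(
    r"(?<!\S)(?P<module>\S+) Source Addr (?P<src>\S+), "
    r"Destination Addr (?P<dst>\S+) "
    r"Protocol (?P<proto>\S+) \((?P<proto_num>\d+)\), "
    r"Dest Port (?P<dport>[^,]+), Source Port (?P<sport>[^,]+), "
    r"Domain (?P<domain>\d+) "
    r"TTI (?P<tti>\d+:\d\d) out of (?P<max>\d+:\d\d) configured "
    r"(?P<disposition>.*?) ?(?:rx circuit (?P<circuit>\d+) )?"
    r"Master (?P<master>\S+) Fast Path (?P<fast>[YN]) rx packets (?P<rx>\d+)"
)


def _seconds(mmss):
    """Convert the mm:ss form used for TTI and maximum idle time to seconds."""
    minutes, seconds = mmss.split(":")
    return int(minutes) * 60 + int(seconds)


def parse_flows(text):
    """Return one dict per flow record found in verbose output."""
    flows = []
    for match in FLOW_RE.finditer(" ".join(text.split())):
        flow = match.groupdict()
        disposition = flow.pop("disposition")
        drop = re.match(r"Drop\((.+?)\)", disposition)
        vaps = re.match(r"Modules (.+?)(?: Rx Available Slots|$)", disposition)
        flow["drop_reason"] = drop.group(1) if drop else None
        flow["vaps"] = vaps.group(1).split(", ") if vaps else []
        if drop:
            flow["action"] = "drop"
        elif disposition.startswith("Re-routing"):
            flow["action"] = "re-route"
        elif vaps:
            flow["action"] = "forward"
        else:
            flow["action"] = "unknown"
        # TTI equals the maximum while the flow is active and counts down once
        # it goes idle, so the difference is how long the flow has been idle.
        flow["idle_seconds"] = _seconds(flow["max"]) - _seconds(flow["tti"])
        flow["rx"] = int(flow["rx"])
        flows.append(flow)
    return flows


def drop_summary(flows):
    """Count dropped flows per drop reason."""
    return Counter(f["drop_reason"] for f in flows if f["action"] == "drop")


def idle_flows(flows):
    """Flows whose TTI has started counting down toward deletion."""
    return [f for f in flows if f["idle_seconds"] > 0]


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE)
    for reason, count in drop_summary(parsed).items():
        print(f"{count} flow(s) dropped: {reason}")
    for f in idle_flows(parsed):
        print(f"{f['module']} {f['src']} -> {f['dst']} idle {f['idle_seconds']}s")
```
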
By default, this command lists the active flows in the order in which they appear in the AFT. Use the sort parameter to sort the list of flows, as described in Parameters on page 824.
Syntax
show flow-path active [verbose] [poll <polling_interval>]
    [source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [destination-address {<IP_address> | <lowest_IP_address> <highest_IP_address>}]
    [source-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [destination-port {<port_number> | <lowest_port_number> <highest_port_number>}]
    [protocol {<protocol_number> | <lowest_protocol_number> <highest_protocol_number>}]
    [domain {<domain_ID_number> | <lowest_domain_ID_number> <highest_domain_ID_number>}]
    [circuit-id {<circuit_ID_number> | <lowest_circuit_ID_number> <highest_circuit_ID_number>}]
    [module {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}]
    [master-npm {<npm_slot_number> | <lowest_npm_slot_number> <highest_npm_slot_number>}]
    [sort]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command. Parameter verbose Description Changes the format in which the CLI displays the output of the command and displays information about the full path for each active flow, from ingress NPM interface to egress NPM interface. See Default Output on page 827 for more details. poll <polling_interval> Polls the NPMs continuously and displays updated information every <polling_interval> seconds. NOTE: Press Ctrl-y to stop polling the NPMs and return to the CLI prompt. Valid values for <polling_interval> are from 1-3600. source-address {<IP_address> | <lowest_IP_address> <highest_IP_address>} Filters the command output using the specified source IP address matching criteria. Specify a single IP address to display flow path information only for active flows that have the specified source IP address. Specify a range of IP addresses to display flow path information only for active flows whose source IP addresses are within the specified range.
824
Description Filters the command output using the specified destination IP address matching criteria. Specify a single IP address to display flow path information only for active flows that have the specified destination IP address. Specify a range of IP addresses to display flow path information only for active flows whose destination IP addresses are within the specified range.
Filters the command output using the specified source port matching criteria. Specify a single port number to display flow path information only for active flows that have the specified source port number. Specify a range of port numbers to display flow path information only for active flows whose source port numbers are within the specified range.
Filters the command output using the specified destination port matching criteria. Specify a single port number to display flow path information only for active flows that have the specified destination port number. Specify a range of port numbers to display flow path information only for active flows whose destination port numbers are within the specified range.
Filters the command output using the specified protocol matching criteria. Specify a single protocol number to display flow path information only for active flows that have the specified protocol number. Specify a range of protocol numbers to display flow path information only for active flows whose protocol numbers are within the specified range.
825
Description Filters the command output using the specified domain matching criteria. Specify a single domain ID number to display flow path information only for active flows received on circuits with the specified domain ID number. Specify a range of domain ID numbers to display flow path information only for active flows received on circuits whose domain ID numbers are within the specified range. Use the show circuit command to display the domain ID numbers assigned to circuits configured on the X-Series Platform NOTE: By default, XOS assigns all new circuits to domain number 1. You can assign a circuit to a different domain by specifying the domain parameter with the configure circuit command. If you assign a single domain ID to all of the circuits configured for a VAP group, you can use the show flow-path active command to monitor the status of all of the flows that pass through that VAP group. This is particularly useful when monitoring flows that pass through multiple, serialized VAP groups, since you can assign a unique domain ID to each VAP groups circuits.
Filters the command output using the specified circuit ID matching criteria. Specify a single circuit ID number to display flow path information only for active flows received on the circuit with the specified circuit ID number. Specify a range of circuit ID numbers to display flow path information only for active flows received on the circuits whose circuit ID numbers are within the specified range. Use the show circuit command to display the circuit ID numbers assigned to circuits configured on the X-Series Platform.
NOTE: XOS assigns a default circuit ID number to every new circuit. You can assign a new circuit ID number to a circuit by specifying the circuit-id parameter with the configure circuit command.
Filters the command output using the specified originating NPM matching criteria. Specify a single NPM slot number to display flow path information only for active flows that originate on the NPM with the specified slot number. Specify a range of NPM slot numbers to display information only about active flows that originate on the NPMs whose slot numbers are within the specified range.
Filters the command output using the specified master NPM matching criteria. Specify a single NPM slot number to display flow path information only for active flows whose master NPM has the specified slot number. Specify a range of NPM slot numbers to display flow path information only for active flows whose master NPM has a slot number within the specified range.
sort
Sorts the list of active flow paths that the command displays, using the following criteria, in the order shown. The CLI sorts the list of flow paths:
1. first by destination IP address
2. then by source IP address
3. then by protocol number
4. then by destination port
5. then by source port
Default Output
By default, the show flow-path active command displays information in a table, using the following format:
Module       Source:port   Destination:port   Prot   Dom
<NPM_name1>  <IP>:<port>   <IP>:<port>        <#>    <ID#>
    rx circuit <ID#> rx active <VAP_name> [rx passive] tx_port <slot>_<port> master <NPM_name>
<NPM_name2>  <IP>:<port>   <IP>:<port>        <#>    <ID#>
    Drop(<drop_reason>)
The output has the format shown in the entry for <NPM_name1> if the originating NPM transfers the flow to a VAP for processing. The output has the format shown in the entry for <NPM_name2> if the originating NPM drops the flow.
The following table describes the information provided in each column/row/field in the command output.
Column/Row Heading or Field, followed by Information Provided:
Module <NPM_nameN>
    Name of the NPM from which the flow originates. An NPM name has the format: np<NPM_slot_number>
    Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.
Source:port <IP>:<port>
    Source IP address and source port number for the flow.
Destination:port <IP>:<port>
    Destination IP address and destination port number for the flow.
Prot <#>
    Numeric identifier for the protocol that the flow uses.
Dom <ID#>
    Domain ID number assigned to the first circuit on which the flow enters an active VAP group.
rx circuit <ID#>
    Circuit ID number assigned to the first circuit on which the flow enters an active VAP group. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform.
rx active <VAP_name> [rx passive]
    Name of the first active VAP that receives the flow. If a Tap is configured on the circuit on which the flow enters the active VAP group, the name of the Tap appears in the rx_passive field. If no Tap is configured, this field is blank.
    NOTE: A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>
    Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
tx_port <slot>_<port>
    NPM slot number and port number for the NPM interface on which the flow exits the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to circuit IP addresses configured for an active VAP group.
Drop(<drop_reason>)
    Indicates that the originating NPM drops the flow for the reason specified by <drop_reason_ID>. Possible values for <drop_reason_ID> are:
    No L2 policy match
        There are no non-IP flow rules that apply to this layer 2 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
    No L3 policy match
        There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
    L3 drop policy
        This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
    PS2Master failed
        A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
    PS2IDX failed
        A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
    Load-balance failed
        A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
    Broadcast failed
        A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
    No Reason
        One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.
Master <NPM_name>
Verbose Output
The verbose output for this command has the following format:
<NPM_Name1>
    Source Addr <IP_address>, Destination Addr <IP_address>
    Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
    rx circuit <ID#1> rx active <VAP_name1> [rx passive]
    rx circuit <ID#2> rx active <VAP_name2> [rx passive]
    ...
    rx circuit <ID#N> rx active <VAP_nameN> [rx passive]
    rx circuit <ID#NPM> rx active <NPM_name> [rx passive]
    tx_port <slot>_<port> master <NPM_name>
<NPM_or_VAP_Name2>
    Source Addr <IP_address>, Destination Addr <IP_address>
    Protocol <prot_name> (<#>), Dest Port {<#> | <port_prot>(<#>)}, Source Port {<#> | <port_prot>(<#>)}, Domain <ID#>
    rx circuit <ID#1> Drop(<drop_reason>) master <NPM_name>
The format shown in the entry for <NPM_or_VAP_name1> is used if the flow is received by an NPM or VAP and then transferred to a VAP for processing. The format shown in the entry for <NPM_or_VAP_name2> is used if the flow is received by an NPM or VAP and then rerouted to an external system or dropped.
The following table describes the information provided in each column/row/field in the command output.
Column/Row Heading or Field, followed by Information Provided:
<NPM_nameN>
    Name of the NPM from which the flow originates. An NPM name has the format: np<NPM_slot_number>
    Use the show chassis command to display the module names assigned to the NPMs installed in the X-Series Platform.
Source Addr <IP_address>
    Source IP address for the flow.
Destination Addr <IP_address>
    Destination IP address for the flow.
Protocol <prot_name> (<#>)
    Name of the protocol that the flow uses and the numeric identifier for that protocol. For example, if the flow uses UDP, this field displays: Protocol udp (17)
Dest Port {<#> | <port_prot>(<#>)}
    Destination port number for the flow or destination port protocol and port number for the flow.
    NOTE: Destination port protocol appears only if the destination port has a standard protocol. For example, if the destination port is 80, this field displays: Dest Port http (80)
Source Port {<#> | <port_prot>(<#>)}
    Source port number for the flow or source port protocol and port number for the flow.
    NOTE: Source port protocol appears only if the source port has a standard protocol. For example, if the source port is 80, this field displays: Dest Port http (80)
Domain <ID#>
    Domain ID number assigned to the first circuit on which the flow enters an active VAP group.
rx circuit <ID#1> rx active <VAP_name1> [rx passive]
rx circuit <ID#2> rx active <VAP_name2> [rx passive]
...
rx circuit <ID#N> rx active <VAP_nameN> [rx passive]
    Sequence of paths that the flow uses to enter an active VAP group on the X-Series Platform and then pass through one or more additional active VAP groups. The paths are listed in the order in which the active VAP groups configured on the X-Series Platform receive and process the flow. The CLI displays the following information about each path that the flow uses to pass through an active VAP group before arriving at its final egress interface on the NPM:
    rx circuit <ID#N>
        Circuit ID number assigned to the circuit on which the flow enters the active VAP group. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.
    rx active <VAP_nameN>
        Name of the active VAP that receives the flow. A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>
        Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
    rx passive
        If a Tap is configured on the circuit on which the flow enters the active VAP group, the name of the Tap appears in the rx_passive field. If no Tap is configured, this field is blank.
rx circuit <ID#NPM> rx active <NPM_name> [rx passive]
    Path that the flow uses to arrive at its egress interface on the NPM. The egress interface is the physical interface that the flow uses to exit the X-Series Platform. The CLI displays the following information about this path:
    rx circuit <ID#NPM>
        Circuit ID number assigned to the circuit mapped to the egress interface on the NPM.
        NOTE: This circuit is mapped to the last VAP group that the flow passes through before exiting the X-Series Platform. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.
    rx active <NPM_name>
        Name of the NPM from which the flow exits the X-Series Platform. A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>
        Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
    rx passive
        This field contains the name of a Tap if one is configured on the circuit mapped to the flow's egress interface on the NPM. If no Tap is configured, this field is blank.
tx_port <slot>_<port>
    NPM slot number and port number for the NPM interface on which the flow exits the X-Series Platform.
    NOTE: This interface is mapped to a circuit that is mapped to the last VAP group that the flow passes through before exiting the X-Series Platform. Use the show circuit command to display the circuit ID numbers assigned to the circuits configured on the X-Series Platform. Use the verbose parameter with the show ip-mapping command to determine which NPM interfaces are mapped to the circuit IP addresses configured for a VAP group.
Drop(<drop_reason>)
    Indicates that the originating NPM drops the flow for the reason specified by <drop_reason_ID>. Possible values for <drop_reason_ID> are:
    No L2 policy match
        There are no non-IP flow rules that apply to this layer 2 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
    No L3 policy match
        There are no IP flow rules that apply to this layer 3 flow. NOTE: Circuit information is not displayed for flows with this drop reason ID.
    L3 drop policy
        This layer 3 flow matches the conditions defined in the packet matching criteria for an IP flow rule configured with the action, drop.
    PS2Master failed
        A VAP group IP flow rule configured with the action, pass-to-master, or a system-level IP flow rule with the action, pass-to-masters, applies to this flow. The NPM attempted to send this flow to one or more master VAPs, but the operation failed because none of the master VAPs were in the Active state.
    PS2IDX failed
        A VAP group IP flow rule configured with the action, pass-to-vap, applies to this flow. The NPM attempted to send this flow to the appropriate VAP, but the operation failed because the VAP was not in the Active state.
    Load-balance failed
        A VAP group IP flow rule configured with the action, load-balance, applies to this flow. The NPM attempted to load balance this flow across the VAPs in the appropriate VAP group, but the operation failed because there were no active VAPs in the group or because there were no VAPs in the VAP group's load-balance VAP list.
    Broadcast failed
        A flow rule configured with the action, broadcast, applies to this flow. The NPM attempted to broadcast this flow to all VAPs in one VAP group or to all VAPs in all VAP groups, but the operation failed because none of the VAPs to which the NPM sent the flow were in the Active state.
    No Reason
        One or more flow rules were successfully applied to this flow, and none of those IP flow rules are configured with the action, drop.
Master <NPM_name>
Restrictions
Default Privilege Level: 15
Examples
Example 1: Displaying all Active Flow Paths Using the Default Command Output Format
The following command displays the initial entry path and the egress NPM interface for every active flow that the X-Series Platform is currently processing. In this example, a VAP group called testvapgroup is currently configured on the X-Series Platform and is running a firewall application.
CBS# show flow-path active
This command may take a few minutes.
Do you want to continue? <Y or N> [Y]: Y
Module  Source:port          Destination:port     Prot  Dom
np2     172.16.10.100:2009   172.16.20.240:80     6     1
    rx circuit 1027 rx active testvapgroup_2 rx passive tx_port 4_2 master np2
np4     172.16.20.240:80     172.16.10.144:53814
    rx circuit 1028 rx active testvapgroup_1 rx passive tx_port 2_2 master np2
np2     172.16.10.207:31754  172.16.20.240:80
    rx circuit 1029 Drop(PS2IDX failed) master np2
CBS#
Example 2: Filtering the Default Command Output Format
The following command displays initial entry path and egress NPM interface information only for the active flows whose source port number is 80:
CBS# show flow-path active source-port 80
This command may take a few minutes.
Do you want to continue? <Y or N> [Y]: Y
Module  Source:port       Destination:port     Prot  Dom
np4     172.16.20.240:80  172.16.10.144:53814  6     1
    rx passive
Example 3: Displaying all Active Flow Paths Using the Verbose Command Output Format
The following command displays the complete flow path for every active flow that the X-Series Platform is currently processing. In this example, a VAP group called testvapgroup is currently configured on the X-Series Platform and is running a firewall application.
CBS# show flow-path active verbose
This command may take a few minutes.
Do you want to continue? <Y or N> [Y]: Y
np4
    Source Addr 172.16.10.100, Destination Addr 172.16.20.240
    Protocol tcp (6), Dest Port http(80), Source Port 2009, Domain 1
    rx circuit 1027 rx active testvapgroup_2 rx passive
    rx circuit 1030 rx active np2 rx passive
    tx_port 2_2 master np2
np2
    Source Addr 172.16.20.240, Destination Addr 172.16.10.144
    Protocol tcp (6), Dest Port 53814, Source Port http(80), Domain 1
    rx circuit 1028 rx active testvapgroup_1 rx passive
    rx circuit 1031 rx active np4 rx passive
    tx_port 4_2 master np2
np2
    Source Addr 172.16.10.207, Destination Addr 172.16.20.240
    Protocol tcp (6), Dest Port http(80), Source Port 31754, Domain 1
    rx circuit 1029 Drop(PS2IDX failed) master np2
CBS#
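The verbose output of show flow-path active can be checked mechanically when a firewall VAP group sits in the path. The following Python is an added example, not part of the vendor guide: it parses the verbose text, groups dropped flows by the drop reasons listed in the table above, and lists forwarded flows that never entered a given VAP group. The sample text reuses the values of Example 3 with assumed line breaks; the class labels policy and delivery-failed and all function names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Drop reasons from the reference, grouped by what they tell an operator:
#   policy          - no flow rule matched, or a rule with the action drop matched
#   delivery-failed - a rule matched, but no target VAP could take the flow
DROP_CLASSES = {
    "No L2 policy match": "policy", "No L3 policy match": "policy",
    "L3 drop policy": "policy",
    "PS2Master failed": "delivery-failed", "PS2IDX failed": "delivery-failed",
    "Load-balance failed": "delivery-failed", "Broadcast failed": "delivery-failed",
}

# Constructed sample: values from Example 3; the line breaks are an assumption.
SAMPLE_OUTPUT = """\
np4
Source Addr 172.16.10.100, Destination Addr 172.16.20.240
Protocol tcp (6), Dest Port http(80), Source Port 2009, Domain 1
rx circuit 1027 rx active testvapgroup_2 rx passive
rx circuit 1030 rx active np2 rx passive
tx_port 2_2 master np2
np2
Source Addr 172.16.20.240, Destination Addr 172.16.10.144
Protocol tcp (6), Dest Port 53814, Source Port http(80), Domain 1
rx circuit 1028 rx active testvapgroup_1 rx passive
rx circuit 1031 rx active np4 rx passive
tx_port 4_2 master np2
np2
Source Addr 172.16.10.207, Destination Addr 172.16.20.240
Protocol tcp (6), Dest Port http(80), Source Port 31754, Domain 1
rx circuit 1029 Drop(PS2IDX failed) master np2
"""

@dataclass
class Flow:
    module: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    domain: int
    master: str
    hops: List[Tuple[int, str, Optional[str]]] = field(default_factory=list)
    tx_port: Optional[str] = None
    drop_reason: Optional[str] = None

    @property
    def drop_class(self) -> Optional[str]:
        if self.drop_reason is None:
            return None
        return DROP_CLASSES.get(self.drop_reason, "other")

# One entry: module name, the two header lines, then everything up to "master <NPM>".
ENTRY_RE = re.compile(
    r"(?P<module>\S+)\s+Source Addr (?P<src>[^,\s]+),\s*Destination Addr (?P<dst>\S+)\s+"
    r"Protocol \S+\s*\((?P<proto>\d+)\),\s*Dest Port (?P<dport>[^,]+),\s*"
    r"Source Port (?P<sport>[^,]+),\s*Domain (?P<domain>\d+)"
    r"(?P<body>.*?)\bmaster (?P<master>\S+)", re.S)
# A hop is (circuit ID, receiving VAP or NPM, Tap name if one follows "rx passive").
HOP_RE = re.compile(r"rx circuit (\d+)\s+rx active (\S+)"
                    r"(?:\s+rx passive(?:[ \t]+(?!rx circuit|tx_port|Drop)(\S+))?)?")
TX_RE = re.compile(r"tx_port (\S+)")
DROP_RE = re.compile(r"Drop\(([^)]*)\)")

def port_number(text: str) -> int:
    """Accept both '2009' and 'http(80)' and return the numeric port."""
    return int(re.search(r"(\d+)\)?\s*$", text).group(1))

def parse_flow_paths(text: str) -> List[Flow]:
    flows = []
    for m in ENTRY_RE.finditer(text):
        body = m.group("body")
        tx, drop = TX_RE.search(body), DROP_RE.search(body)
        flows.append(Flow(
            module=m.group("module"), src=m.group("src"),
            sport=port_number(m.group("sport")), dst=m.group("dst"),
            dport=port_number(m.group("dport")), proto=int(m.group("proto")),
            domain=int(m.group("domain")), master=m.group("master"),
            hops=[(int(c), rx, tap or None) for c, rx, tap in HOP_RE.findall(body)],
            tx_port=tx.group(1) if tx else None,
            drop_reason=drop.group(1) if drop else None))
    return flows

def triage(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Group dropped flows by drop class so delivery failures stand out."""
    out: Dict[str, List[Flow]] = {}
    for f in flows:
        if f.drop_reason is not None:
            out.setdefault(f.drop_class, []).append(f)
    return out

def flows_missing_group(flows: List[Flow], group: str) -> List[Flow]:
    """Forwarded flows (tx_port set) that never entered a VAP named <group>_<index>."""
    member = re.compile(re.escape(group) + r"_\d+")
    return [f for f in flows
            if f.tx_port and not any(member.fullmatch(rx) for _, rx, _ in f.hops)]

if __name__ == "__main__":
    parsed = parse_flow_paths(SAMPLE_OUTPUT)
    for cls, items in triage(parsed).items():
        for f in items:
            print(cls, f.src, f.sport, "->", f.dst, f.dport, f.drop_reason)
```

On the sample, the only dropped flow is reported as delivery-failed (PS2IDX failed), which points at a VAP that was not in the Active state rather than at a drop rule.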
Syntax
show flow distribution [sort {vap-group | apm-slot}]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter, followed by Description:
sort {vap-group | apm-slot}
    Sorts the list of VAP flow assignments. Use one of the following keywords to specify the method used to sort the list:
    vap-group
        Sorts the list of VAP flow assignments first by VAP group name, then by VAP index number, and then by APM slot number.
    apm-slot
        Sorts the list of VAP flow assignments first by APM slot number, then by VAP group name, and then by VAP index number.
Output
This command displays information in a table, using the following format. The command output shows the number of flows that each NPM assigns to each VAP in each VAP group.
NOTE: Table entries appear only for the NPMs that are actually installed in the X-Series Platform.
New Flows Rate ============= <Delta_#flows> <Delta_#flows> <Delta_#flows> <Delta_#flows> <Delta_#flows> <Delta_#flows> <Delta_#flows> <Delta_#flows> Aged Flows Rate ============= <Delta_#flows> <Delta_#flows> <Delta_#flows> <Delta_#flows> <Delta_#flows> <Delta_#flows> <Delta_#flows> <Delta_#flows> Flows ===== <#> <#> <#> <#> <#> <#> <#> <#>
Uptime <#> days, <#> days, <#> days, <#> days, <#> days, <#> days, <#> days, <#> days,
The following table describes the information provided in each column/row.
Column/Row Heading, followed by Information Provided:
NP
    Name of the NPM that assigns flows to a VAP. Use the show chassis command to display the NPM names assigned to the NPMs installed in your X-Series Platform.
Uptime
    Amount of time that the NPM has been in the UP state, in days, hours, and minutes. Hours and minutes are expressed in the format: mm:ss. For example, 9 hours and 7 minutes is 09:07.
Slot
    Slot number for the APM assigned to the VAP to which the NPM assigns flows.
VAP
    Name of the VAP to which the NPM assigns flows. A VAP name has the format: <VAP_group_name>_<VAP_Index_Number>
    Use the show ap-vap-mapping command to display the index numbers assigned to the VAPs in each VAP group configured on the X-Series Platform.
New Flows Rate
    The change in the number of new flows that the NPM assigns to the VAP, since the past second.
Aged Flows Rate
    The change in the number of existing flows that the NPM assigns to the VAP, since the past second.
Flows
    Total number of flows that the NPM currently assigns to the VAP.
Restrictions
Default Privilege Level: 0
Examples
Example 1: Default Command Output
The following command displays the number of flows that each Network Processor Module (NPM) installed in the X-Series Platform has assigned to each VAP in each VAP group configured on the X-Series Platform, and displays the rates at which each NPM assigns new and existing flows to each VAP. There are two VAP groups configured on this X-Series Platform: one called cp, which has three VAPs, and one called iss, which has two VAPs.
CBS# sho flow distribution
Rate calculation is enabled
                                  New Flows   Aged Flows
NP    Uptime         Slot  VAP    Rate        Rate        Flows
                                  ==========  ==========  =========
np1   1 days, 19:22  6     cp_1   1465        521         8939
np4   1 days, 19:22  6     cp_1   505         183         3100
np1   1 days, 19:22  7     cp_2   1358        524         8744
np4   1 days, 19:22  7     cp_2   447         192         3040
np1   1 days, 19:22  10    iss_1  2122        766         13201
np4   1 days, 19:22  10    iss_1  702         288         4526
np1   1 days, 19:22  11    cp_3   1380        532         8734
np4   1 days, 19:22  11    cp_3   466         184         2983
np1   1 days, 19:22  12    iss_2  2081        811         13194
np4   1 days, 19:22  12    iss_2  716         271         4575
CBS#
show group-interface
This command displays the configurations of all group interfaces, or displays only the configuration of the specified group interface. This command displays only the parameter settings that are applicable to each group interface's physical interface type. This command shows how the group interface was configured, not the current state of the group interface. To view the current state, use the show interface command (page 838) for each interface in the group.
Syntax
show group-interface [<group_name>][stats][status]
Context
You access this command from the main CLI context.
Inline Commands
The following table lists the CLI commands used inline with the show group-interface command.
Command, followed by Description:
stats
    Displays the operational group interface status.
status
    Displays the group interface status.
Parameters
The following table lists the parameters used with this command.
Parameter, followed by Description:
<group_name>
    Displays only the configuration of the specified group interface. By default, the show group-interface command displays the configurations of all group interfaces.
Restrictions
Default Privilege Level: 15
Example
The following is an example display of group interface testgrpint.
CBS# show group-interface testgrpint
Group Name Mode Mode Circuit Traffic Cleaning Validation: Interface Type Enable (true/false) Auto Negotiate Enabled (true/false) Media Speed (Mbits) Duplex Mode Pause Frame (true/false) Physical Interface (Device) [en/disable] Physical Interface (Device) [en/disable] Logical Interface (Circuit) (v101) (1 row) : : : : : : : : : : : : : testgrpint multi-link new_cct2 gigabitethernet t t auto auto t gigabitethernet 1/2 [enable] gigabitethernet 1/3 [enable] log2 ingress-vlan-tag 101 101
NOTE: If Mode is None, the group interface is not yet fully configured or functional. You still need to select a mode.
show interface
This command displays the current state for a physical interface. If no interface is specified, status is displayed for all physical interfaces. The detail parameter displays verbose information, and allows you to specify additional parameters to filter the verbose output to display only data for the physical line, IPv4, IPv6, or non-IPv4 frame types, interface type, or to display data for a specific interface. The IP frame type parameters apply only to NPM interfaces. With the exception of management interfaces, the MTU setting is defined at the circuit level. Use show circuit to display the MTU.
Syntax
show interface [detail [phy] [ipv4] [ipv6] [non-ipv4] [gigabitethernet <slot/port> | 10gigabitethernet <slot/port>]]
show interface [gigabitethernet <slot/port> | 10gigabitethernet <slot/port>] [high-availability]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter, followed by Description:
detail
    Displays verbose information, including a reason for dropped packets. The detail parameter is ignored for management interfaces. The detail parameter supports the following parameters as filters.
    (Used only following the detail parameter) Displays the verbose status of all physical interfaces. This is the default.
detail phy
    (Used only following the detail parameter) Displays the verbose status of all physical lines. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
detail ipv4
    (Used only following the detail parameter) Displays the verbose status for IPv4 frames on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
detail ipv6
    (Used only following the detail parameter) Displays the verbose status for IPv6 frames on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
detail non-ipv4
    (Used only following the detail parameter) Displays the verbose status for non-IPv4 frames, including IPv6 frames, on all NPM interfaces. When this parameter is followed by the 10gigabitethernet or gigabitethernet parameter, it displays the status for only the specified interface type, or for the interface specified by <slot/port>.
Displays the status of 10 Gigabit Ethernet interfaces only. Displays the verbose status when used following the detail parameter. If you specify 10gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.
Displays the status of Gigabit Ethernet interfaces only. Displays the verbose status when used following the detail parameter. If you specify gigabitethernet, all interfaces of that type are displayed. If you specify the slot and port number, only that specific interface is displayed.
high-availability
Displays the status of the High Availability port on the primary CPM.
Output
The output for the show interface detail command has the following format:
show interface detail gigabitethernet 2/1
Gigabitethernet 2/1 is up
Interface is in use
Hardware address is N/A
SFP info: phy_present|phy_good Media Type: Copper, Vendor Name: Methode Elec.
MTU N/A, BW 100 Mbits, full-duplex, auto-negotiation is enabled
Last clearing of "show interface" counters never
PHY stats: Statistics on physical line
  Received:
    Total frames                                  2069898 (bytes 200033630)
    Broadcast frames                              1546455
    Undersized frames                             0
    Oversized frames                              0
    Throttles                                     0
    Total errors                                  0
    Frame check sequence (FCS) errors             0
    Frame errors                                  0
    Overrun errors                                0
    Ignored errors                                0
  Transmitted:
    Total frames                                  381705 (bytes 345098116)
    Underrun errors                               0
    Total errors                                  0
    Collisions                                    0
IPv4 stats: Statistics for IPv4 frames
  Received frames                                 1304125 (rate 0 fps)
  Transmitted frames                              381705 (rate 0 fps)
  Dropped frames (and rate per minute):
    Bad V4 header                                 41 (rate 0 fpm)
    Un-configured circuit                         23 (rate 0 fpm)
    Provision table full                          0 (rate 0 fpm)
    Table configuration error                     0 (rate 0 fpm)
    Packet processing capacity                    0 (rate 0 fpm)
    Interface down                                19 (rate 0 fpm)
    Invalid internal route                        0 (rate 0 fpm)
    Mismatched L2 entry                           218 (rate 0 fpm)
    Mismatched L3 entry                           0 (rate 0 fpm)
    Early NFI reinjection                         0 (rate 0 epm)
    Mismatched L2 route                           0 (rate 0 fpm)
    L3 policy action                              6 (rate 0 fpm)
    Mismatched L3 route                           0 (rate 0 fpm)
    Unavailable master                            0 (rate 0 fpm)
    Mismatched index for action pass-to-vap       1304 (rate 0 fpm)
    Unavailable lb-vector                         0 (rate 0 fpm)
    Empty vap-group                               365 (rate 0 fpm)
  NFI (New Flow Initiation) Events (and rate):
    New flow                                      7514 (rate 0 eps)
    Internal route change                         3534 (rate 0 eps)
    External route change                         4 (rate 0 eps)
  Frame Validation Failure Stats (and rate per minute)
    Invalid IP/TCP frame                          0 (rate 0 fpm)
    Invalid IP/TCP frame dropped                  0 (rate 0 fpm)
IPv6 stats: Statistics for IPv6 frames
  Received frames
  Transmitted frames
Non-IPv4 (incl. IPv6) stats: Statistics for Non-IPv4 Frames
  Received frames                                 765501 (rate 1 fps)
  Transmitted frames                              10726 (rate 0 fps)
  Dropped frames (and rate per minute):
    Un-configured circuit                         0 (rate 0 fpm)
    Mismatched L2 policy                          3706 (rate 0 fpm)
    Policy action                                 0 (rate 0 fpm)
    Interface down                                8 (rate 0 fpm)
    Empty vap-group                               0 (rate 0 fpm)
The following table describes the information provided in each column and/or row.
Column/Row Heading, followed by Information Provided:
SFP Info
    Provides hardware and configuration information for the SFP.
MTU and Phy stats
    This information is the same information produced by the command ifconfig.
IP Stats: Statistics for IP Frames
Received Frames
    The number of IP data packets received at the network processing unit (NPU) from the external interfaces.
Transmitted Frames
    Number of IP data packets transmitted from the NPU to the external interfaces.
Reasons for Dropped IP Frames
Bad V4 Header
    The IPv4 header type or the header length is wrong.
Un-configured circuit
    The circuit is not configured for the incoming VLAN and port to process the packet.
Provision table full
    Packets for new flows are dropped because the provision table was full. The provision table holds new flows during flow setup.
Table configuration error
    Internal NPU configuration error.
Packet processing capacity
    Traffic exceeded the packet processing capacity of the NPU.
Interface down
    The state of the interface was down.
Invalid internal route
    Unexpected route information in the NPU.
Mismatched L2 entry
    The L2 policy did not match the incoming packet.
Mismatched L3 entry
    The L3 policy did not match the incoming packet.
Early NFI Reinjection
    When new flow initiation (NFI) packets are injected before the flow is established in the NPU.
Mismatched L2 route
    The NPM was unable to establish an L2 flow to the APM.
L3 policy action
    A Layer-3 policy is programmed to drop the packet.
Mismatched L3 route
    The NPM was unable to establish an L3 flow to the APM.
Unavailable master
    When a policy is programmed to pass-to-master and a master VAP is not available, the packet is dropped.
Mismatched index for action pass-to-vap
    When a policy is programmed to pass to index and the VAP with the specified index is not available, the packet is dropped.
Unavailable lb-vector
    When a policy is programmed to load balance and the VAP member for the load balanced flow is unavailable, the packet is dropped.
Empty vap-group
    When a policy is set to broadcast and there are no VAP members available.
New flow
    The number of packets that resulted in new flow processing on the NPU. The flow can exist in the control processor, but the 5-tuple entry does not exist in the NPU.
Internal route change
    When a VAP member or application goes down, the processor flow software initiates the internal route change.
External route change
    When an external route changes, the packet fails the ingress point validation and the result is that a new flow is initiated.
Non-IP Stats: Statistics for Non-IP Frames
Received frames
    Number of non-IP data packets received at the NPU from the external interfaces.
Transmitted frames
    Number of non-IP data packets transmitted from the NPU to the external interfaces.
Reasons for Dropped Non-IP Frames
Un-configured circuit
    The circuit is not configured for the incoming VLAN and port to process the packet.
Mismatched L2 policy
    The L2 policy did not match the incoming non-IP packet.
Policy action
    The L2 policy is programmed to drop the packet.
Interface down
    The state of the interface was down.
Empty vap-group
    When a policy is set to broadcast and there are no VAP members available.
The output of the show interface high-availability command has the following format:
CBS# show interface high-availability
CP Module  Auto Negotiate Enabled (true/false)  Media Speed (Mbits)  Duplex Mode
cp1        t                                    auto                 auto
cp2        t                                    auto                 auto
(2 rows)
High-availability port on slot 14 is up
BW 1 Gigabit, full-duplex, auto-negotiation is disabled
Last clearing of "show interface" counters Fri Sep 3 04:54:25 2010
PHY stats: Statistics on physical line
  Received:
    Total frames   0 (bytes 0)
    Total errors   0
  Transmitted:
    Total frames   367 (bytes 28146)
    Total errors   0
Restrictions
Default Privilege Level: 0
show internal-ip
This command displays the module name, operational state, and internal IP address of each CPM and VAP installed in the X-Series Platform.
Syntax
show internal-ip
Context
You access this command from the main CLI context.
Output
The output for this command has the following format:
Module Name  State       Internal IP Address
CP2          PRIMARY CP  1.1.2.20
npm1         Down        1.1.2.1
(2 rows)
The following table describes the information provided in each column/row.
Column/Row Heading, followed by Information Provided:
Module Name
    Name of module or n/a if a module is not present in the slot.
State
    Operational state of the module. State can be one of the following:
    Active: Applies only to APMs. Indicates that the APM is UP and is ready to receive traffic.
    AwaitingBoot: Module is getting ready to boot up.
    Booting: Module is booting up.
    CrashDumping: Module is crashing and is sending information to a log file that you can use to debug the crash.
    Diagnostic: Module is running hardware diagnostics.
    Down: Module is not functioning.
    Initializing: Module is initializing.
    Maintenance: Module is running in maintenance mode.
    Offline: Applies only to CPMs. Indicates that a secondary CPM is present in the chassis, but that CPM is currently offline.
    Standby: Applies only to APMs. Indicates that the APM is functioning as a Standby VAP.
    Unavailable: Module is unavailable.
    Unknown: System is unable to determine the status of the module.
    Up: Module is functioning normally. For APMs, the Up status indicates that the module is functioning, but it is not yet ready to receive traffic.
    n/a: Module is not present in the slot.
Internal IP Address
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:
CBS# show internal-ip
Module Name  State       Internal IP Address
CP1          PRIMARY CP  1.1.200.20
flo_1        Active      1.1.200.101
flo_2        Active      1.1.200.102
npm1         Down        1.1.200.1
npm2         Up          1.1.200.2
npm3         Down        1.1.200.3
npm4         Up          1.1.200.4
fwa_1        Active      1.1.200.103
fwa_2        Active      1.1.200.104
show netstat
This command displays the currently active network connections and lists statistics for various TCP/IP protocols for the specified domains or range of VAPs. By default, the statistics for TCP, UDP, IP, and ICMP protocols for all domains and VAPs are displayed.
Syntax
show netstat [tcp | udp | ip | icmp | stats | arp | interface | management | process | route]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter               Description
tcp, udp, ip, and icmp  Specify which protocol statistics are displayed.
arp                     Displays the ARP cache.
stats                   Displays statistics for TCP, UDP, IP, and ICMP protocols. This is the default.
interface               Displays the interface statistics.
management              Displays statistics for the management interface.
process                 Displays statistics for current processes.
route                   Displays IP routing information.
Restrictions
Default Privilege Level: 0
show redundancy-interface
This command displays the backup/master pairs for interface redundancy.
Syntax
show redundancy-interface
Context
You access this command from the main CLI context.
Restrictions
Default Privilege Level: 0
Example
CBS# show redundancy-interface
Master Intf  Backup Intf  Active Intf  MacUsage  FailOverMode
-----------  -----------  -----------  --------  -------------
gig 1/10     gig 4/10     Master       master    preemption-on
show vdf-status
This command displays the virtual defragmentation (VDF) statistics reported by NPM-8600s, NPM-8620s, NPM-8650s, APM-8600s, and APM-8650s. By default, this command displays information about all NPMs, APMs, and VAP groups. You can use one of the following parameters to filter the command output to display information about specific modules or VAP groups.
    module
    VAP-group
    VAP-group-member
NOTE: If you have used the clear vdf-statistics command during the current session, the Last cleared field in the output from show vdf-status has a time stamp. Otherwise, it shows Never.
Syntax
show vdf-status [verbose] [[module <module_name>] | [vap-group <VAP_group_name>] | [vap-group-member <VAP_group_name>]]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter          Description
verbose            (Optional) Displays detailed virtual defragmentation (VDF) statistics about the modules and VAP groups.
module             (Optional) Displays VDF statistics for the specified modules. For APMs, displays VDF statistics for the VAP that runs on each of the specified APMs. Specify a module (APM or NPM) or list of modules separated by spaces for which VDF statistics are to be displayed.
    An NPM name has the format: np<NPM_number>
    An APM name has the format: ap<APM_number>
    Use the show chassis command to display the module names assigned to the NPMs and APMs installed in the X-Series Platform.
vap-group          (Optional) Displays the aggregate statistics for all members of the VAP group. Specify the name of a VAP group for which the VDF status is to be displayed.
vap-group-member   (Optional) Displays statistics for the member VAPs in the VAP group separately. Specify the name of a VAP group for whose members the VDF status is to be displayed.
Restrictions
Default Privilege Level: 0
Default Output
By default, the show vdf-status command displays VDF statistics in the following format:
CBS# show vdf-status
Virtual DeFragmentation (VDF) statistics reported by np1:
Fragment statistics
  Fragments received                         : 0
  Fragments processed                        : 0
  Fragments dropped                          : 0
  Fragment queue limit                       : 0
  Fragment overlap check                     : 0
  Overlap protection on Head of Packet (HOP) : 0
  Fragment pool depletion                    : 0
  Packet pool depletion                      : 0
  Invalid fragment                           : 0
Packet statistics
  Packets processed                          : 0
  Packets dropped                            : 0
Last cleared: Never
Virtual DeFragmentation (VDF) statistics reported by vsx_1:
Fragment statistics
  Fragments received                         : 0
  Fragments processed                        : 0
  Fragments dropped                          : 0
Packet statistics
  Packets dropped                            : 0
Last cleared: Never
Virtual DeFragmentation (VDF) statistics reported by fw1_1:
Fragment statistics
  Fragments received                         : 0
  Fragments processed                        : 0
  Fragments dropped                          : 0
Packet statistics
  Packets dropped                            : 0
Last cleared: Never
Verbose Output
The following example shows the verbose output of the show vdf-status command:
CBS# show vdf-status verbose
Virtual DeFragmentation (VDF) statistics reported by np1:
Fragment statistics
  Fragments received                            : 0
  Fragments processed                           : 0
  Fragments dropped                             : 0
  Fragment queue limit                          : 0
  Fragment overlap check                        : 0
  Overlap protection on Head of Packet (HOP)    : 0
  Fragment pool depletion                       : 0
  Packet pool depletion                         : 0
  Invalid fragment                              : 0
  In-flight fragments                           : 0
  Maximum in-flight fragments                   : 0
  Duplicate End of Packet (EOP)                 : 0
  EOP last byte below last byte seen            : 0
  Multiple HOP fragments                        : 0
  Fragments pruned by overlap protection on HOP : 0
Packet statistics
  Packets processed                             : 0
  Packets dropped                               : 0
  In-flight packets                             : 0
  Maximum in-flight packets                     : 0
  Packets with fragment-offset overlapping      : 0
  Packet tracking restarts by IP-ID validation  : 0
  Packet reassembly timeouts                    : 0
Last cleared: Never
Virtual DeFragmentation (VDF) statistics reported by vsx_1:
Fragment statistics
  Fragments received                            : 0
  Fragments processed                           : 0
  Fragments dropped                             : 0
  In-flight fragments                           : 0
  Maximum in-flight fragments                   : 0
Packet statistics
  Packets dropped                               : 0
  In-flight packets                             : 0
  Maximum in-flight packets                     : 0
Last cleared: Never
Virtual DeFragmentation (VDF) statistics reported by fw1_1:
Fragment statistics
  Fragments received                            : 0
  Fragments processed                           : 0
  Fragments dropped                             : 0
  In-flight fragments                           : 0
  Maximum in-flight fragments                   : 0
Packet statistics
  Packets dropped                               : 0
  In-flight packets                             : 0
  Maximum in-flight packets                     : 0
Last cleared: Never
clear vdf-status
This command clears the virtual defragmentation (VDF) statistics counters on NPMs and APMs. By default, this command clears information about all NPMs, APMs, and VAP groups. You can use one of the following parameters to selectively clear information for specific modules or VAP groups.
    module
    VAP-group-member
NOTE: The statistics are cleared for the current session only and are not cleared on the module.
Syntax
clear vdf-status [module <module_name>] [vap-group-member <VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter          Description
module             (Optional) Clears VDF statistics for the specified modules. Specify a module (APM or NPM) or list of modules separated by spaces for which VDF statistics are to be cleared.
    An NPM name has the format: np<NPM_number>
    An APM name has the format: ap<APM_number>
    Use the show chassis command to display the module names assigned to the NPMs and APMs installed in the X-Series Platform.
vap-group-member   (Optional) Clears VDF statistics for all member VAPs in the specified VAP group. Specify the name of a VAP group to clear the VDF status for all member VAPs.
Restrictions
Default Privilege Level: 15
Example
The following command clears the virtual defragmentation statistics counters for all modules:
CBS# clear vdf-status
The following command clears the virtual defragmentation statistics counters for an NPM and an APM:
CBS# clear vdf-status module np2 ap3
The following command clears the virtual defragmentation statistics counters for all member VAPs in a VAP group:
CBS# clear vdf-status vap-group-member <VAP_group_name>
show veth-stats
This command displays virtual interface (VETH) statistics, used in group interfaces.
Syntax
show veth-stats
Context
You access this command from the main CLI context.
Output
The output for this command has the following format:
Reporting Module       fw_1
Load Balance State     Selected
Slot/Port              1/5
Circuit Name           testcct
Local Key              0x0b00
Partner Key            0x001a
Partner Sys. Priority  1
Partner ID             00:13:72:ee:0e:04
TX State               Distributing
RX State               Current
Check Frequency        Slow Periodic
Local Oper. State      LACP Activity, Aggregation, Synchronization, Collecting, Distributing
Partner Oper. State    LACP Activity, Aggregation, Synchronization, Collecting, Distributing
The following table describes the information provided in each column/row.
Column/Row Heading     Information Provided
Reporting Module       Displays the VAP group member.
Load Balance State     Displays the status of the port. An unselected state indicates a down port.
Slot/Port              Displays the NPM module and port.
Circuit Name           Displays the circuit that the LACP link is associated with.
Local Key              The LACP key for the local circuit.
Partner Key            The LACP key for the remote interface.
Partner Sys. Priority  The priority assigned to the partner system. The value is determined by management or administration policy. The range is 1-65535.
Partner ID             The ID of the remote interface.
TX State               The transmit status of the LACP link.
RX State               The receive status of the LACP link.
Check Frequency        Displays the frequency of the LACP link check.
Local Oper. State      Displays the local operating state for LACP activity.
Partner Oper. State    Displays the partner's operating state for LACP activity.
Partner Priority       Displays a value assigned by the management or administration policy on a partner system used for establishing LACP connections.
Restrictions
Default Privilege Level: 0
show ap-vap-mapping
This command displays the X-Series Platform's APM-to-VAP mapping information. This command also displays each VAP's APM operational status, IP address, VAP group name, index number, and master VAP status.
Syntax
show ap-vap-mapping
Context
You access this command from the main CLI context.
Output
The output for this command has the following format:
Module  Slot  Status  VAP IP Address  VAP Group  Index  Master (true/false)
AP7     9     Active  1.1.246.103     fw         1      false
AP8     10    Active  1.1.246.104     fw         2      true
AP9     11    Active  1.1.246.105     fw         3      false
(5 rows)
The following table describes the information provided in each column/row.
Column/Row Heading   Information Provided
Module               APM module name.
Slot                 APM slot number.
Status               Operational status of the APM. Status can be one of the following:
    Active - APM is functioning and is ready to receive traffic.
    AwaitingBoot - APM is getting ready to boot up.
    Booting - APM is booting up.
    CrashDumping - APM is crashing and is sending information to a log file that you can use to debug the crash.
    Diagnostic - APM is running hardware diagnostics.
    Initializing - APM is initializing.
    Maintenance - APM is running in maintenance mode.
    Standby - APM is UP and is being used as a standby VAP.
    Unavailable - APM is unavailable.
    Unknown - System is unable to determine the status of the module.
    Up - APM is functioning, but is not yet ready to receive traffic.
    NOTE: If a VAP is DOWN, it does not appear in the list displayed by the show ap-vap-mapping command.
VAP IP Address       IP address assigned to the VAP.
VAP Group            Name of the VAP group to which the VAP belongs.
Index                VAP index number.
Master (true/false)  Current Master status of the VAP:
    true - VAP is the Master VAP for the VAP group.
    false - VAP is not the Master VAP for the VAP group.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:
CBS# show ap-vap-mapping
Module  Slot  Status  VAP IP Address  VAP Group  Index  Master (true/false)
AP3     5     Active  1.1.0.101       l2         1      true
AP4     6     Active  1.1.0.102       fw         1      true
AP7     9     Active  1.1.0.103       fw         2      false
(3 rows)
show application
Displays information about the applications loaded onto the CPM on the X-Series Platform.
Syntax
show application
Context
You access this command from the main CLI context.
Output
This command displays information about each application loaded on the X-Series Platform, using the following format:
App ID      : <application_identifier>
Name        : <application_name>
Version     : <application_version>
Release     : <application_release_number>
CBI Version : <CBI_version_number>
The following table describes the information provided in each column/row.
Column/Row Heading   Information Provided
App ID               Application identifier that Crossbeam has assigned to the application. When you use a CLI command to perform an operation on a specific application, you specify the application identifier as an argument to the CLI command. For example, to install Check Point VPN-1 Power NGX R65 on a VAP group, you specify the application identifier, vpn1, with the following command:
    CBS# application vpn1 version NGXR65 vap-group <VAP_group_name> install
Name                 Application name.
Version              Application version.
Release              Application release number.
    NOTE: This row does not appear for applications that are installed using Application Development Framework (ADF) RPMs.
CBI Version          Version number assigned to the Crossbeam Installer (CBI) package used to install the application on a VAP group.
    NOTE: This row does not appear for applications that are installed using RPMs.
Restrictions
Default Privilege Level: 0
Example
The following command shows information about the two applications that are currently loaded on the CPM in an X-Series Platform:
CBS# show application
App ID      : issprovg
Name        : IBM Proventia Network IPS
Version     : 2.0
Release     : 1
CBI Version : 1.1.0.0
App ID      : vpn1
Name        : VPN-1 Power
Version     : NGXR65
Release     : 1.0.2.0-5
CBI Version : 1.0.2.0
Syntax
show application vap-group [<VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter          Description
<VAP_group_name>   Displays information about the application installed on the VAP group with the specified VAP group name. If you do not specify this parameter, the show application vap-group command displays information about all applications installed on VAP groups configured on the X-Series Platform.
Output
This command displays information about the application installed on a VAP group using the following format:
VAP Group                       : <VAP_group_name>
App ID                          : <application_identifier>
Name                            : {<application_name> | N/A}
Version                         : <application_version>
Release                         : {<application_release_number> | N/A}
Start on Boot                   : {yes | no}
App Monitor                     : {on | off}
App State (<VAP_group_name>_1)  : {Up | Down | Initializing | Not Monitored}
App State (<VAP_group_name>_2)  : {Up | Down | Initializing | Not Monitored}
....
App State (<VAP_group_name>_n)  : {Up | Down | Initializing | Not Monitored}
The following table describes the information provided in each column/row.
Column/Row Heading              Information Provided
VAP Group                       Name of the VAP group on which the application is installed.
App ID                          Application identifier that Crossbeam has assigned to the application. When you use a CLI command to perform an operation on a specific application, you specify the application identifier as an argument to the CLI command. For example, to install Check Point VPN-1 Power NGX R65 on a VAP group, you specify the application identifier, vpn1, with the following command:
    CBS# application vpn1 version NGXR65 vap-group <VAP_group_name> install
Name                            Application name.
    NOTE: N/A indicates that the application is installed using an RPM.
Version                         Application version.
Release                         Application release number.
    NOTE: N/A indicates that the application is installed using an RPM.
Start on Boot                   Indicates whether the application automatically starts running when you boot up the VAP group:
    on - Application automatically starts up when you boot up the VAP group.
    off - You must manually start up the application each time you boot up the VAP group.
App Monitor                     Indicates whether application monitoring is enabled (on) or disabled (off) on the VAP group on which the application is installed. By default, application monitoring is enabled (on). See application-monitor (config-vap-group context) on page 198 for more information about application monitoring and for instructions on enabling and disabling application monitoring on a VAP group.
App State (<VAP_group_name>_n)  Indicates the current state of the application on the VAP with the VAP index number n. The show application vap-group command displays the current state of the application on each VAP on which an application is installed. Possible application states are:
    Up - Application is running on the VAP.
    Down - Application is not running on the VAP, but the APM on which the VAP is loaded is functional.
    Initializing - The APM on which the VAP will load is rebooting.
    Not Monitored - Application monitoring is disabled on the VAP group on which the application is installed. Therefore, XOS is unable to determine the current state of the application on any VAP.
    NOTE: These rows appear only for VAPs that are currently loaded onto APMs.
    NOTE: For applications that are installed using RPMs, this row has the format: <VAP_group_name>_n
Restrictions
Default Privilege Level: 0
Example
The following command shows information about the firewall application running on the VAP group called testvapgroup:
CBS# show application vap-group testvapgroup
VAP Group                  : testvapgroup
App ID                     : vpn1
Name                       : VPN-1 Power
Version                    : NGXR65
Release                    : 1.0.2.0-5
Start on Boot              : yes
App Monitor                : on
App State (testvapgroup_1) : Up
App State (testvapgroup_2) : Up
App State (testvapgroup_3) : Up
CBS#
show remote-box
This command displays the system ID and addresses of any remote systems configured with this system in a VRRP configuration. Optionally, you can specify the system-identifier of a remote system. Use the ? option to see a list of currently configured remote systems.
Syntax
show remote-box [<remote_box_ID>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter         Description
<remote_box_ID>   A number from 1 through 255, representing the system-identifier of the remote-box.
Output
The following table explains the information provided in the output from the show remote-box command.
Column Heading   Description
Remote IP        The IP address of the interface on the remote-box.
Local Intf       The local interface that is used to access the remote IP address.
Local IP         The IP address of the local interface that is used to access the remote IP address.
Status           The status of the connection to the remote box (Active or Standby).
                 The amount of time that the current Status (Active or Standby) has been true.
                 The quality of the link between the local and remote boxes. If the link has been connected for some time, the value of link quality is 100. If the link is disconnected for some time, the value is reset to 0. When the link is reconnected, the value increases over time to the maximum value of 100. If a link connection is intermittent, the value that appears will be somewhere between 0 and 100.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:
CBS# show remote-box 22
Local System ID: 85
Remote System ID: 22
Remote IP       Local Intf  Local IP
192.168.211.89  14/1        192.168.211.85
1.1.89.20       HA port     1.1.85.20
(2 rows)
show vrrp
This command displays basic configuration and status information for each VRRP failover group configured on the system.
Syntax
show vrrp
Context
You access this command from the main CLI context.
Output
The output for this command has the following format:
Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      100/100   Master  on       1              100
2      150/150   Master  off      1              150
3      150/150   Master  on       1              150
(3 rows)
The following table describes the information provided in each column/row.
Column/Row Heading   Information Provided
FG-ID                Failover group ID number.
Priority             Failover group priority (actual/configured).
Status               Failover group status. Possible values are:
    master - Failover group is in master mode.
    backup - Failover group is in backup mode.
    down - Failover group is not functioning.
    init - Failover group is initializing.
Preempt              Indicates whether preemption is enabled (on) or disabled (off) for each failover group.
Master Sys ID        System ID assigned to the master system.
Master Priority      Current priority of the failover group on the master system.
Restrictions
Default Privilege Level: 0
Example
The following example shows the output of this command:
CBS# show vrrp
Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      200/200   Master  on       62             200
2      250/250   Master  on       62             250
(2 rows)
Syntax
show vrrp circuit-ip [<failover_group_name>] [vrrp-id <virtual_router_ID>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                     Description
<failover-group-name>         Displays the VRRP configurations for all circuits in the specified failover group.
vrrp-id <virtual_router_ID>   Displays the VRRP configuration for the circuit assigned to the specified virtual router.
Output
The output for this command has the following format:
Failover Group          : chetire
Failover Group ID       : 4
VRRP State              : Backup
VRRP ID                 : 112
Circuit Name            : gig15
VAP Group               : fw
IP Address              : 192.203.10.100/24 192.203.10.255 (Virtual)
Interface (State)       : gigabitethernet 1/5 (Up), gigabitethernet 1/6 (Up)
Group Interface (State) : gig15_16 (Up)
The following table describes the information provided in each column/row.
Column/Row Heading        Information Provided
Failover Group            Failover group name.
Failover Group ID         Failover group ID number.
VRRP State                Current state of the failover group:
    backup - Failover group is in backup mode.
    down - Failover group is not functioning.
    init - Failover group is initializing.
    master - Failover group is in master mode.
    unknown - System cannot determine the state of the failover group.
VRRP ID                   Virtual router ID number.
Circuit Name              Name of the circuit mapped to the virtual router.
VAP Group                 Name of the VAP group mapped to the virtual router.
IP Address                Displays the IP address assigned to the circuit for the VAP group mapped to the virtual router, and indicates whether this IP address is the Primary Address for the circuit. If there is no IP address assigned to the circuit for the VAP group mapped to the virtual router, the IP Address field displays the text, IP-less.
Interface (State)         Displays the interface type, slot/port, and state of the physical interface to which the circuit is assigned. If the circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
    Up - The interface is functioning normally.
    Down - The interface is not functioning.
    Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
    Unknown - System cannot determine the state of the interface.
Group Interface (State)   Displays the name and state of the group interface to which the circuit is assigned. The group interface can be in one of the following states:
    Up - The group interface is functioning normally.
    Down - The group interface is not functioning.
    Admin. Down - The administrator has used the CLI to manually disable the group interface.
    Unknown - System cannot determine the state of the group interface.
Restrictions
Default Privilege Level: 15
Example
The following example shows four circuits mapped to VAP group vsxb1, which is part of failover group vrrp_vsx.
CBS# show vrrp circuit-ip vrrp_vsx
VAP Group               : vsxb1
IP Address              : 10.10.2.1 255.255.255.0 10.10.2.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1000
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3003
VAP Group               : vsxb1
IP Address              : 10.10.3.1 255.255.255.0 10.10.3.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1008
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3004
VAP Group               : vsxb1
IP Address              : 10.10.4.1 255.255.255.0 10.10.4.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1003
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3005
VAP Group               : vsxb1
IP Address              : 10.10.5.1 255.255.255.0 10.10.5.255 (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
Failover Group          : vrrp_vsx
Failover Group ID       : 200
VRRP State              : Master
VRRP ID                 : 1004
Circuit Name            : vsx_ckt_vsxb1_internal_l2l3_3006
VAP Group               : vsxb1
IP Address              : IP-less (Primary)
Interface (State)       : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 4/2 (Up), gigabitethernet 4/3 (Up)
Group Interface (State) : inside (Up)
(5 rows)
Syntax
show vrrp detail-status [<failover_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter               Description
<failover_group_name>   Displays information only for the components of the specified failover group.
Output
The output for this command has the following format:
FG_ID  Status  Priority  Delta  Type  Component
1      Backup  99/101    2      vr    gig14/101
1      Backup  99/101    2      vr    gig13/100
1      Backup  99/101    1      mc    dummy
1      Backup  99/101    -2     vg    fw
The following table describes the information provided in each column/row.
Column/Row Heading   Information Provided
FG_ID                Failover group ID number.
Status               Failover group status. Possible values are:
    master - Failover group is in master mode.
    backup - Failover group is in backup mode.
    down - Failover group is not functioning.
    init - Failover group is initializing.
Priority             Failover group priority (actual/configured).
Delta                The number shown in this column is the VRRP component's configured priority-delta value. The number is displayed differently depending on the status of the priority-delta:
    Number is positive - Component's priority-delta is not in effect, as the component is functioning normally.
    Number is negative - Component's priority-delta is in effect, as the component has failed. The failover group's priority has been decremented by the component's priority-delta value.
    Star symbol (*) appears after the number - Next hop status is unknown. (See the XOS Configuration Guide for more details on this status.)
Type                 VRRP component type. Possible values are:
    vr - virtual router
    mi - Monitored interface
    mc - Monitored circuit
    vg - VAP group
    nh - Next hop
Component            Detailed information about the VRRP component. The contents of this field depend on the VRRP component type:
    virtual router - Field displays circuit name/ID number for the virtual router.
    Monitored interface - Field displays the monitored interface name.
    Monitored circuit - Field displays the monitored circuit name.
    VAP group - Field displays the VAP group name. If the VAP group's active-vap-threshold value is configured, the Component field displays that value in parentheses after the VAP group name.
    Next hop - Field displays verify-next-hop IP address/ID number for the virtual router.
Restrictions
Default Privilege Level: 15
Example
The following example shows the output of the show vrrp detail-status command run on an X-Series Platform configured as the backup system for VRRP failover group 200.
CBS# show vrrp detail-status
FG_ID  Status  Priority  Delta  Type  Component
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp448/33
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3006/32
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp384/31
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3005/30
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp320/29
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3004/28
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp256/27
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3003/26
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp192/25
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3002/24
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_wrp128/23
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_internal_l2l3_3001/22
200    Backup  198/198   1      vr    vsx_ckt_vsxb2_outside_4001/21
200    Backup  198/198   1      vr    l2l3/20
200    Backup  198/198   1      vr    outside/10
200    Backup  198/198   1*     nh    10.10.1.10/22
200    Backup  198/198   50     vg    vsxb2
(21 rows)
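A health check built on the Delta rules described above, as an added example that is not part of the Crossbeam guide: it parses show vrrp detail-status text, lists the components whose priority-delta is in effect and the next hops with unknown status, and checks that the configured priority minus the in-effect deltas equals the actual priority. The sample rows are constructed from the output format shown in this section, and summing the deltas of several failed components is an assumption.

```python
import re

# One data row: FG_ID, Status, actual/configured priority, Delta (optional '*'),
# Type (vr, mi, mc, vg, nh) and Component, as described in the table above.
ROW = re.compile(
    r"^\s*(?P<fg>\d+)\s+(?P<status>\S+)\s+(?P<actual>\d+)/(?P<configured>\d+)"
    r"\s+(?P<delta>-?\d+)(?P<star>\*?)\s+(?P<type>vr|mi|mc|vg|nh)\s+(?P<component>.+?)\s*$"
)

# Constructed sample: the four rows from the output format above, one per line,
# plus one constructed next-hop row for failover group 2 to exercise the '*' marker.
SAMPLE = """\
CBS# show vrrp detail-status
FG_ID  Status  Priority  Delta  Type  Component
1      Backup  99/101    2      vr    gig14/101
1      Backup  99/101    2      vr    gig13/100
1      Backup  99/101    1      mc    dummy
1      Backup  99/101    -2     vg    fw
2      Master  150/150   1*     nh    10.10.1.10/22
(5 rows)
"""


def parse_detail_status(text):
    """Return one dict per component row; headers, prompts and footers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        rows.append({
            "fg_id": int(m["fg"]),
            "status": m["status"],
            "actual": int(m["actual"]),
            "configured": int(m["configured"]),
            "delta": int(m["delta"]),
            "next_hop_unknown": m["star"] == "*",
            "type": m["type"],
            "component": m["component"],
        })
    return rows


def audit(rows):
    """Group rows by failover group and reconcile actual against configured priority."""
    report = {}
    for r in rows:
        fg = report.setdefault(r["fg_id"], {
            "status": r["status"],
            "actual": r["actual"],
            "configured": r["configured"],
            "failed": [],            # (type, component, delta) with delta in effect
            "next_hop_unknown": [],  # components whose Delta carries a '*'
        })
        if r["delta"] < 0:           # negative Delta: the component has failed
            fg["failed"].append((r["type"], r["component"], -r["delta"]))
        if r["next_hop_unknown"]:
            fg["next_hop_unknown"].append(r["component"])
    for fg in report.values():
        # Assumption: every in-effect delta is subtracted from the configured priority.
        fg["expected_actual"] = fg["configured"] - sum(d for _, _, d in fg["failed"])
        fg["consistent"] = fg["expected_actual"] == fg["actual"]
    return report


if __name__ == "__main__":
    for fg_id, fg in sorted(audit(parse_detail_status(SAMPLE)).items()):
        print(f"FG {fg_id} ({fg['status']}): priority {fg['actual']}/{fg['configured']}, "
              f"expected {fg['expected_actual']}, consistent={fg['consistent']}")
        for ctype, name, delta in fg["failed"]:
            print(f"  failed {ctype} {name}: priority decremented by {delta}")
        for name in fg["next_hop_unknown"]:
            print(f"  next hop {name}: status unknown")
```

A group reported as not consistent has an actual priority that the listed component failures do not explain, which is worth checking against show vrrp failover-group.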
Syntax
show vrrp failover-group [<failover_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter               Description
<failover_group_name>   Displays the configuration for the specified failover group. Default is to display the configuration for all failover groups.
Output
The output for this command has the following format:
Failover Group                     : odin
Failover Group ID                  : 1
Advertisement Interval (seconds)   : 1
Preemption (true/false)            : t
Enabled (true/false)               : t
Configured Priority                : 101
Actual Priority                    : 101
Virtual Router IDs                 : 100, 101
Monitored Circuits                 : dummy
Monitored Group Interfaces         : gig15_55
OSPF Cost Increment (Circuits)     :
VAP Groups (failover-group)        : fw
VAP Groups (failover-group-list)   : fw
State                              : Master
Time of Last State Change:         : Fri Sep 3 04:47:53 2010
Reason for Last State change:      : Timed out waiting for master
The following table describes the information provided in each column/row.
Column/Row Heading                 Information Provided
Failover Group                     Displays the failover group name.
Failover Group ID                  Displays the failover group ID.
Advertisement Interval (seconds)   Displays the number of seconds between VRRP advertisements.
Preemption (true/false)            Displays the preemption status.
Enabled (true/false)               Displays the configuration status (enabled or disabled) for the failover group.
Configured Priority                The configured priority is the VRRP priority that you set for the failover group. If the configured priority is not the same as the actual priority, a failure caused a priority-delta to decrement the priority.
Actual Priority                    The actual priority is the current VRRP priority value. If the actual priority is not the same as the configured priority, a failure caused a priority-delta to decrement the priority.
Virtual Router IDs                 Displays the virtual router ID.
Monitored Circuits                 Displays the circuits that VRRP monitors in the configured virtual routers.
Monitored Group Interfaces         Displays the group interfaces that VRRP monitors in the configured virtual routers.
OSPF Cost Increment (Circuits)     Displays the OSPF cost increment associated for the configured circuits.
VAP Groups (failover-group)        Displays the VAP groups associated with the failover group.
VAP Groups (failover-group-list)   Displays the VAP groups associated with the failover group list.
State                              The State is the state of the failover group, which can be one of the following:
    backup - Failover group is in backup mode.
    down - Failover group is not functioning.
    init - Failover group is initializing.
    master - Failover group is in master mode.
    unknown - System cannot determine the state of the failover group.
Time of Last State Change          The date and time of the most recent change in the State parameter.
Reason for Last State Change       The reason for the most recent change in the State parameter. Possible reasons include:
    Initializing
    Priority is 255
    Priority is 0
    Priority higher than remote box <remote_box_id>
    Remote box <remote_box_id> has higher priority
    Timed out waiting for master
    Master <remote_box_id> has lower priority, but preemption is disabled
    Preempted by remote box <remote_box_id>
    Relinquished by user
    VRRP failover group is disabled
    No valid virtual routers configured
Restrictions
Default Privilege Level: 0
Syntax
show vrrp monitor-circuit [<failover_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                 Description
<failover_group_name>     Displays only the monitored circuits for the specified failover group.
Output
The output for this command has the following format:
Failover Group : odin
Failover Group ID : 1
Circuit : dummy
Interface (State) : gigabitethernet 1/2 (Up)
Priority Delta : 1
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading         Information Provided
Failover Group             Displays the monitored circuit's failover group name.
Failover Group ID          Displays the monitored circuit's failover group ID number.
Circuit                    Displays the name of the monitored circuit.
Interface (State)          Displays the interface type, slot/port, and state of the physical interface to which the monitored circuit is assigned. If the monitored circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
                             Up - The interface is functioning normally.
                             Down - The interface is not functioning.
                             Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
                             Unknown - System cannot determine the state of the interface.
Group Interface (State)    Displays the name and state of the group interface to which the monitored circuit is assigned. The group interface can be in one of the following states:
                             Up - The group interface is functioning normally.
                             Down - The group interface is not functioning.
                             Admin. Down - The administrator has used the CLI to manually disable the group interface.
                             Unknown - System cannot determine the state of the group interface.
Priority Delta             Displays the monitored circuit's configured priority-delta value. If the Interface (State) or Group Interface (State) is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:
CBS# show vrrp monitor-circuit
Failover Group : vrrp_vsx
Failover Group ID : 200
Circuit : vsx_ckt_vsxb2_l2l3_3005
Interface (State) : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 2/2 (Up), gigabitethernet 2/3 (Up)
Group Interface (State) : l2l3 (Up)
Priority Delta : 25
(1 row)
Syntax
show vrrp monitor-interfaces [<failover_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                 Description
<failover_group_name>     Displays only the monitored interfaces for the specified failover group.
Output
The output for this command has the following format:
Failover Group : vosem
Failover Group ID : 8
Interface : gigabitethernet 2/2
Interface State : Up
Priority Delta : 2
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading     Information Provided
Failover Group         Failover group name.
Failover Group ID      Failover group ID number.
Interface              Interface being monitored.
Interface State        Current state of the monitored interface. Possible values are:
                         Up - Interface is functioning.
                         Down - Interface is not functioning.
                         Unknown - Interface may or may not be functioning.
                         Admin. Down - The administrator has used the CLI to manually disable the interface.
Priority Delta         Monitored interface's configured priority-delta value. If the Interface State is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:
CBS# show vrrp monitor-interfaces
Failover Group : vrrp_vsx
Failover Group ID : 200
Interface : gigabitethernet 1/2
Interface State : Up
Priority Delta : 1
Failover Group : vrrp_vsx
Failover Group ID : 200
Interface : gigabitethernet 1/3
Interface State : Up
Priority Delta : 1
Failover Group : vrrp_vsx
Failover Group ID : 200
Interface : gigabitethernet 4/2
Interface State : Up
Priority Delta : 1
Failover Group : vrrp_vsx
Failover Group ID : 200
Interface : gigabitethernet 4/3
Interface State : Up
Priority Delta : 1
(4 rows)
Syntax
show vrrp monitor-group-interfaces [<failover_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                 Description
<failover_group_name>     Displays only the monitored group-interfaces for the specified failover group.
Output
The output for this command has the following format:
CBS# show vrrp monitor-group-interfaces
Failover Group : tri
Failover Group ID : 3
Group Interface (State) : gig15_16 (Up)
Interface (State) : gigabitethernet 1/5 (Up), gigabitethernet 1/6 (Up)
Priority Delta : 5
Distributing Port Threshold : 2
Distributing Interfaces : 2
(1 row)
The following table describes the information provided in each column/row.
Column/Row Heading             Information Provided
Failover Group                 Failover group name.
Failover Group ID              Failover group ID number.
Group Interface (State)        Group interface being monitored with the current state of the group interface in parentheses.
Interface (State)              Current state of each of the interfaces that are included in the monitored-group-interface. Possible values are:
                                 Up - Interface is functioning.
                                 Down - Interface is not functioning.
                                 Unknown - Interface may or may not be functioning.
                                 Admin. Down - The administrator has used the CLI to manually disable the interface.
Priority Delta                 VRRP reduces the VRRP priority of the failover-group by this value whenever the number of active distributing ports for the group interface falls below the configured Distributing Port Threshold value.
Distributing Port Threshold    The minimum number of ports in the active distributing state required for the group interface. When the number of active distributing ports is less than this value, VRRP decrements the failover group VRRP priority by the priority-delta value.
Distributing Interfaces        The number of interfaces that are currently in the active distributing state in the group interface. Whenever this number falls below the Distributing Port Threshold value, the Priority Delta value is subtracted from the failover group VRRP priority.
Syntax
show vrrp status [<failover_group_id>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                 Description
<failover_group_name>     Displays only the monitored circuits for the specified failover group.
Output
The output for this command has the following format:
Priority is Actual/Configured
FG-ID  Priority  Status  Preempt  Master Sys ID  Master Priority
1      100/100   Backup  on       0              0
2      150/150   Backup  off      0              0
3      150/150   Backup  on       0              0
(3 rows)
The following table describes the information provided in each column/row.
Column/Row Heading     Information Provided
FG-ID                  Failover group ID number.
Priority               Failover group priority (actual/configured).
Status                 Failover group status. Possible values are:
                         master - Failover group is in master mode.
                         backup - Failover group is in backup mode.
                         down - Failover group is not functioning.
                         init - Failover group is initializing.
Preempt                Indicates whether preemption is enabled (on) or disabled (off) for each failover group.
Master Sys ID          System ID assigned to the master system.
Master Priority        Current priority of the failover group on the master system.
Restrictions
Default Privilege Level: 0
Example
The following is an example of this command:
CBS# show vrrp status
Group ID  Priority   VR ID  Device Name  Status
1         101 / 101  100    gig21        Master
1         101 / 101  100    gig21        Master
1         101 / 101  101    gig22        Master
1         101 / 101  101    gig22        Master
2         0 / 100    200    gig21        Backup
2         0 / 100    200    gig21        Backup
2         0 / 100    201    gig22        Backup
2         0 / 100    201    gig22        Backup
(8 rows)
Priority is Actual/Configured
Syntax
show vrrp vap-group [<VAP_group_name>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter            Description
<VAP_group_name>     Existing VAP group.
Output
The output for this command has the following format:
VAP Group : L2
Enable (true/false) : t
Hold Down Timer : 120
Priority Delta : 51
Active Slot Threshold : 2
Active VAPs : 2
Failover Group List : fg1 fg2
The following table describes the information provided in each column/row.
Column/Row Heading        Information Provided
VAP Group                 Displays the name of the VAP group assigned to the virtual router.
Enable (true/false)       Displays the status of the VAP group in the virtual-router.
Hold Down Timer
Priority Delta            The value by which the priority will be decremented if the VAP group does not meet the minimum criteria for the VRRP configuration.
Active Slot Threshold     The minimum number of slots required for the VAP group. When the number of active VAPs is less than this value, VRRP decrements the failover group's VRRP priority by the priority-delta value.
Active VAPs               The Active VAPs field shows the number of VAPs that are currently active in the VAP group. If this number is less than the Active Slot Threshold value, then the Priority Delta value has been subtracted from the failover group's VRRP priority.
Failover Group List       Displays the failover groups that are participating in the VRRP configuration.
Restrictions
Default Privilege Level: 15
Example
The following is an example of this command:
CBS# show vrrp vap-group
VAP Group : cb1ids
Enable (true/false) : t
Hold Down Timer : 1
Priority Delta : 2
Active Slot Threshold : 3
Active VAPs : 4
Failover Group List : failoverfw
Syntax
show vrrp verify-next-hop [<failover_group_name>] [vrrp-id <virtual_router_id>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                       Description
<failover-group-name>           Displays only the configuration for the specified failover group. If not specified, all virtual routers are displayed.
vrrp-id <virtual_router_id>     Existing virtual router Identifier. Values are 1-4096.
Output
The output for this command has the following format:
Failover Group : 3
VRRP ID : 6
Circuit Name : c12Bottom
VAP Group : fwv5
Verify Next Hop IP : 103.1.1.1
Priority Delta : 77
State : Reachable
The following table describes the information provided in each column/row.
Column/Row Heading     Information Provided
Failover Group         Displays the virtual router's failover group name.
VRRP ID                Displays the virtual router ID number.
Circuit Name           Displays the name of the circuit mapped to the virtual router.
VAP Group              Displays the name of the VAP group assigned to the virtual router.
Verify Next Hop IP     Displays the specified IP address for the next hop check.
Priority Delta         If the next hop IP address is unreachable, the failover group's priority will be decremented by the Priority Delta.
State                  The State can be Reachable, Unreachable, or Unknown. If the State is Unreachable or Unknown, the Priority Delta value has been subtracted from the failover group's VRRP priority.
Restrictions
Default Privilege Level: 15
Example
The following is an example.
CBS# show vrrp verify-next-hop
Failover Group : failoverfw
VRRP ID : 62
Circuit Name : vlan602
VAP Group : cb1fw
Verify Next Hop IP : 192.168.1.106
Priority Delta : 2
State : Reachable
Syntax
show vrrp virtual-router [<failover_group_name>] [vrrp-id <virtual_router_id>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter                       Description
<failover-group-name>           Displays the VRRP configurations only for the virtual routers that belong to the specified failover group.
vrrp-id <virtual_router_ID>     Displays the VRRP configuration only for the specified virtual router.
Output
The output for this command has the following format:
Failover Group : fg2
Failover Group ID : 2
VRRP State : Backup
Virtual Router ID : 4
Circuit Name : MltOut
Priority Delta : 10
Backup Stay Up (true/false) : t
MAC Usage : vrrp-mac
VAP Group : fwv5
MAC Address : 00:00:5E:00:00:04
The following table describes the information provided in each column/row.
Column/Row Heading             Information Provided
Failover Group                 Displays the virtual router's failover group name.
Failover Group ID              Displays the virtual router's failover group ID number.
VRRP State                     Current state of the failover group:
                                 backup - Failover group is in backup mode.
                                 down - Failover group is not functioning.
                                 init - Failover group is initializing.
                                 master - Failover group is in master mode.
                                 unknown - System cannot determine the state of the failover group.
Virtual Router ID              Displays the virtual router ID number.
Circuit Name                   Displays the name of the circuit mapped to the virtual router.
Priority Delta                 Displays the virtual router's configured priority-delta value. If the Interface (State) or Group Interface (State) is Down, Admin. Down, or Unknown, the failover group's priority has been decremented by the Priority Delta.
Backup Stay Up (true/false)    Indicates whether the backup-stay-up parameter is enabled (t) or disabled (f) for the virtual router.
MAC Usage                      Displays the mac-usage parameter setting for the virtual router.
VAP Group                      Displays the name of the VAP group assigned to the virtual router.
Interface (State)              Displays the interface type, slot/port, and state of the physical interface to which the virtual router's circuit is assigned. If the virtual router's circuit is assigned to a group interface, Interface (State) displays the interface type, slot/port, and state of each physical interface that belongs to the group interface. Each physical interface can be in one of the following states:
                                 Up - The interface is functioning normally.
                                 Down - The interface is not functioning.
                                 Admin. Down - The administrator has used the CLI to manually disable the individual interface or the group interface.
                                 Unknown - System cannot determine the state of the interface.
Group Interface (State)        Displays the name and state of the group interface to which the monitored circuit is assigned. The group interface can be in one of the following states:
                                 Up - The group interface is functioning normally.
                                 Down - The group interface is not functioning.
                                 Admin. Down - The administrator has used the CLI to manually disable the group interface.
                                 Unknown - System cannot determine the state of the group interface.
MAC Address
Restrictions
Default Privilege Level: 15
Example
The following is an example.
CBS# show vrrp virtual-router vrrp-id 1014
Failover Group : vrrp_vsx
Failover Group ID : 200
VRRP State : Backup
Virtual Router ID : 1014
Circuit Name : vsx_ckt_vsxb2_l2l3_3333
Priority Delta : 1
Backup Stay Up (true/false) : t
MAC Usage : vrrp-mac
VAP Group : vsxb2
Interface (State) : gigabitethernet 1/2 (Up), gigabitethernet 1/3 (Up), gigabitethernet 2/2 (Up), gigabitethernet 2/3 (Up)
Group Interface (State) : l2l3 (Up)
MAC Address : 00:00:5E:00:03:F6
(1 row)
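The conditions under which the tables above say a Priority Delta has been subtracted (a monitored state that is not Up or Reachable, or a count below its threshold) can be checked mechanically from captured output of the show vrrp monitor-interfaces, monitor-circuit, monitor-group-interfaces, vap-group and verify-next-hop commands. The following Python script is an added example, not part of the XOS documentation or software; its function names are hypothetical and the sample output is constructed from the examples above with some states and counts changed. It flags a record when any listed interface is degraded, which is one reading of the Interface (State) rule.

```python
import re

# States that, per the tables above, mean the Priority Delta is in effect.
DEGRADED = {"down", "admin. down", "unknown", "unreachable"}
THRESHOLDS = (("Distributing Interfaces", "Distributing Port Threshold"),
              ("Active VAPs", "Active Slot Threshold"))  # (count, required minimum)
KEY_VALUE = re.compile(r"^(.+?)\s+:\s*(.*)$")

# Constructed sample modelled on the guide's examples; states and counts changed.
SAMPLE = """\
CBS# show vrrp monitor-interfaces
Failover Group : vrrp_vsx
Failover Group ID : 200
Interface : gigabitethernet 1/2
Interface State : Up
Priority Delta : 1
Failover Group : vrrp_vsx
Failover Group ID : 200
Interface : gigabitethernet 1/3
Interface State : Admin. Down
Priority Delta : 1
(2 rows)
CBS# show vrrp verify-next-hop
Failover Group : failoverfw
VRRP ID : 62
Circuit Name : vlan602
VAP Group : cb1fw
Verify Next Hop IP : 192.168.1.106
Priority Delta : 2
State : Unreachable
CBS# show vrrp monitor-group-interfaces
Failover Group : tri
Failover Group ID : 3
Group Interface (State) : gig15_16 (Up)
Interface (State) : gigabitethernet 1/5 (Up),
    gigabitethernet 1/6 (Down)
Priority Delta : 5
Distributing Port Threshold : 2
Distributing Interfaces : 1
(1 row)
"""


def parse_records(text):
    """Split 'Key : value' CLI output into one dict per record."""
    records, current, last_key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("CBS#") or re.fullmatch(r"\(\d+ rows?\)", line):
            if current:                  # blank line, prompt or row count ends a record
                records.append(current)
            current, last_key = {}, None
            continue
        match = KEY_VALUE.match(line)
        if match is None:                # wrapped value, e.g. a long interface list
            if last_key is not None:
                current[last_key] += " " + line
            continue
        key, value = match.groups()
        if key in current:               # a repeated key starts the next record
            records.append(current)
            current = {}
        current[key], last_key = value, key
    if current:
        records.append(current)
    return records


def _number(record, key):
    value = record.get(key, "")
    return int(value) if value.isdigit() else None


def delta_reasons(record):
    """Return why this record's Priority Delta is in effect (empty list if not)."""
    for count_key, min_key in THRESHOLDS:
        count, minimum = _number(record, count_key), _number(record, min_key)
        if count is not None and minimum is not None:   # the count decides, not the states
            return [f"{count_key} {count} < {min_key} {minimum}"] if count < minimum else []
    reasons = []
    for key, value in record.items():
        if key in ("State", "Interface State"):
            items = [(key, value)]
        elif key.endswith("(State)"):
            # One (name, state) pair per listed interface or group interface.
            items = re.findall(r"\s*([^,(]+?)\s*\(([^)]*)\)", value)
        else:
            continue
        reasons += [f"{n}: {s}" for n, s in items if s.strip().lower() in DEGRADED]
    return reasons


def audit(text):
    """Return (owner, priority_delta, reasons) for each degraded record."""
    findings = []
    for record in parse_records(text):
        delta, reasons = _number(record, "Priority Delta"), delta_reasons(record)
        if delta is not None and reasons:
            owner = record.get("Failover Group") or record.get("VAP Group", "?")
            findings.append((owner, delta, reasons))
    return findings
```

Run audit() over output saved from the commands above; each tuple names the failover group (or VAP group), the Priority Delta in effect, and the field that triggered it.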
show npm-tech
This command provides information needed to troubleshoot an NPM. The NPM heartbeat, interface information, status, revision information, slot/numbering mapping information, build information, flow table count statistics, and crash information are provided.
Syntax
show npm-tech [np1] [np2] [np3] [np4] [all] [-file <filename>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter            Description
np1                  Information regarding the NPM in slot #1
np2                  Information regarding the NPM in slot #2
np3                  Information regarding the NPM in slot #3
np4                  Information regarding the NPM in slot #4
all                  General information on all NPMs configured in the current system. This is the default.
-file <filename>     Specifies the name of a file to be used to capture the output of this command.
Restrictions
Default Privilege Level: 15
Example
The following is an abbreviated example of this command:
CBS# show npm-tech np1
-------------------- begin: show calendar -------------------
Tue Mar 16 10:50:21 2010
--------- slot 1: show logging console hostname np1 ---------
Sep 4 04:02:04 np1 cbs_np6_flowd[639]: [W] COD_PRINT COD: Jan 30 2010 activated connection to slot 6 0
Sep 4 04:02:13 np1 cbs_np6_flowd[639]: [W] COD_PRINT COD: Jan 30 2010 activated connection to slot 7 0
Sep 4 04:46:20 np1 cbs_np6_flowd[639]: [W] COD_PRINT COD: deactivated slot 5 0
Sep 4 04:46:21 np1 cbs_np6_flowd[639]: [W] COD_PRINT COD: deactivated slot 8 0
...
------------------- slot 1: show heartbeat ------------------
Link Quality TO: 1
FROM       1     2     3     4     5     6     7     8     9     10    11    12
ON ports
CB A:      NA    100%  NA    100%  100%  100%  NA    NA    100%  NA    NA    NA
CB B:      NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA
DP A:      100%  100%  NA    100%  100%  100%  NA    NA    100%  NA    NA    NA
DP B:      NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA    NA
...
----------------------- show interface ----------------------
...
10Gigabitethernet 1/12 is up
Hardware address is N/A
MTU N/A, BW 10 Gigabit, full-duplex, auto-negotiation is disabled
13
14 100% NA 100% NA NA NA NA NA
Last clearing of "show interface" counters never
17 packets input, 1088 bytes
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions
...
--------- slot 1: show module status revision serial --------
NA = Not Available, DP = Data Plane, CP = Control Plane
cp = Control Processor, ap = Application Processor, np = Network Processor
Slot 1:
Board Part Number 003927
Board Serial Number G7150512
Board Revision 8
FPGA Revision 0x2
...
-------------- slot 1: show module status link --------------
NA = Not Available, DP = Data Plane, CP = Control Plane
cp = Control Processor, ap = Application Processor, np = Network Processor
Slot 1:
Control Bus A Up
Control Bus B Up
np1/ap3 Link Up
...
------------------ show flow table counters -----------------
Statistics Counts reported by np1:
fp_up_slots: 0xfffffffffff
simplexFlowCount: 2
ezFlowsRemaining: 2437119
All Total sent to EZ: 216
All Total rcvd from EZ: 232
...
--------------- show NPM86xx version and build --------------
NPM86xx version and build information reported by np2:
Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
Version: NPM Software Version ==> 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
gcc: 4.1.2
label: XOS-9_5_0_0-20101205_2
------------------ show tech-crash for NPM ------------------
NPs crash information on slot 3
===================================
Found NP crash information in the following directory:
total 480
-rw-r----- 1 root root 105 Mar 31 00:06 cbsoops.txt
-rwxr-x--- 1 root root 402372 Mar 31 00:06 kallsyms
-rw-r----- 1 root root 38869 Mar 31 00:06 ksymoops.txt
-rwxr-x--- 1 root root 638 Mar 31 00:06 modules
-rwxr-x--- 1 root root 32760 Mar 31 00:06 nvdata.raw
Detail crash information:
Crash information from /tftpboot/npm6_3/logs/cbsoops/crash.1/ksymoops.txt:
Crash occured on 2011.02.23 at 00:06:08
Kernel release 2.6.16.26-Octeon.
-- Watchdog Interrupt, core 0
Hardware Information (bootinfo):
cores present: 0xffff
cores active: 0xffff
DRAM size, MB: 2048
CPU clock MHz: 750
DRAM clock MHz: 266
SPI clock MHz: 350
board type, rev: 27, 1.0
chip type, rev: 2, 1.0
serial number:
mac_addr_base: 00:03:d2:00:01:01
Cpu 0 - Process 'swapper'
-- Watchdog Interrupt, core 0
$ 0 : 0000000000000000 ffffffff8110b024 a80000002aecff58 a80000002afd48b0
$ 4 : a80000002afd4880 0000000000000001 0000000000000000 0000000000000000
$ 8 : a80000002aecc000 0000000000020000 0000000000040000 ffffffff82bf0000
<output example abbreviated>
----------- show ezchip and XBPRC data collection -----------
NPM/EZ-chip RFD state
=====================
NPM2 : OK
rfd
RFD rx_port_budget = 000000c0
RFD status rx =
RFD status tx =
RFD status rx/tx =
RFD status high =
show tech-crash
This command displays crash information to help technical support with any problems you may experience.
Syntax
show tech-crash [<n>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter     Description
<n>           Specify a number to view a specific crash. Values are 0 to 20. Use 0 (default) to display all crashes.
Restrictions
Default Privilege Level: 15
NOTE: This command is not available on an offline CPM.
Example
The following shows output from this command.
CBS# show tech-crash
CPs crash information
=====================
Found CP crash information in the following directory:
/crossbeam/logs/cbsoops/crash.1:
total 4376
-rwxr-x--- 1 root root 1219612 Mar 15 12:14 System.map
-rw-r----- 1 root root 305 Mar 15 12:14 cbsoops.txt
-rw-r----- 1 root root 78 Mar 15 12:37 cinfo
-rw-r----- 1 root root 575 Mar 15 12:14 ksymoops.txt
-rwxr-x--- 1 root root 3232837 Mar 15 12:56 ksyms
-rwxr-x--- 1 root root 1804 Mar 15 12:56 modules
Detail crash information:
Crash information from /crossbeam/logs/cbsoops/crash.1/ksymoops.txt:
Kernel rlease 2.6.18-53.el5_64smp.
Crash occured on 01/07/2011 at 18:21:12.180912
CPU: 0
RIP: [<ffffffff88ee7837>]
RSP: [<ffff8100d0329dd8>]
EFLAGS: 0000000000000002
Call Trace: [<ffffffff8000be53>] [<ffffffff88ee7837>] [<ffffffff800356ff>] [<ffffffff8000c2e3>] [<ffffffff802be76d>]
Code:
>>RIP; <ffffffff88ee7837 [cbnvram]CbNvramRead+50>
Trace; <ffffffff8000be53 cbs_dump_crash+958>
Trace; <ffffffff88ee7837 [cbnvram]CbNvramRead+50>
Trace; <ffffffff800356ff [x_tables]printk+67>
Trace; <ffffffff8000c2e3 show_registers+3b>
Trace; <ffffffff802be76d __die+af>
APs crash information
=====================
No crash information found
NPs crash information
=====================
Found NP crash information in the following directory:
total 480
-rw-r----- 1 root root 105 Mar 31 00:06 cbsoops.txt
-rwxr-x--- 1 root root 402372 Mar 31 00:06 kallsyms
-rw-r----- 1 root root 38869 Mar 31 00:06 ksymoops.txt
-rwxr-x--- 1 root root 638 Mar 31 00:06 modules
-rwxr-x--- 1 root root 32760 Mar 31 00:06 nvdata.raw
Detail crash information:
Crash information from /tftpboot/npm6_3/logs/cbsoops/crash.1/ksymoops.txt:
Crash occured on 2010.03.31 at 00:06:08
Kernel release 2.6.16.26-Octeon.
-- Watchdog Interrupt, core 0
Hardware Information (bootinfo):
cores present: 0xffff
cores active: 0xffff
DRAM size, MB: 2048
CPU clock MHz: 750
DRAM clock MHz: 266
SPI clock MHz: 350
board type, rev: 27, 1.0
chip type, rev: 2, 1.0
serial number:
mac_addr_base: 00:03:d2:00:01:01
Cpu 0 - Process 'swapper'
-- Watchdog Interrupt, core 0
$ 0 : 0000000000000000 ffffffff8110b024 a80000002aecff58 a80000002afd48b0
$ 4 : a80000002afd4880 0000000000000001 0000000000000000 0000000000000000
$ 8 : a80000002aecc000 0000000000020000 0000000000040000 ffffffff82bf0000
Code: 0000010f ac800000 0000010f 0000010f <03e00008> 00000000 0000010f 0000010f ac800000
Call Trace:
[<c000000000038434>] rgmii_eth + 0x2434
Cpu 1 - Process 'cbs_flowd'
<output example abbreviated>
CBS#
show tech-support
This command runs several show commands to display extensive and detailed information to help Crossbeam Systems technical support diagnose any problems that your X-Series Platform may experience. Use the -paging parameter to enable paging of the output of the show tech-support command to the screen. By default, all of the show tech-support command output is printed to the screen. This output is typically 5000 or more lines, so make sure the scrollback buffer of your command shell is set to a sufficient size. Use the -file parameter to send the output to a file instead of the screen. Use the -bundle parameter to send the output file and additional diagnostic data to a .tar.gz archive. NOTE: If you use the -file or -bundle parameter, you will need to wait for up to several minutes for the command to complete its various operations and send all the information to the designated file or archive.
Syntax
show tech-support [-paging | -file <filenameWithCompletePath> | -bundle <filenameWithCompletePath>]
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter              Description
-bundle <filename>     Use the -bundle parameter to capture the show tech-support command's output and bundle it with additional diagnostic information in tar.gz format. The <filename> should include the complete path desired for the tar.gz archive.
-file <filename>       Use the optional -file parameter to send the show tech-support command's output to a file. The <filename> should include the complete path desired for the output file.
-paging                Use the -paging parameter to enable paging of the output of the show tech-support command to the screen. Press Q to quit the output. Press any other key to view the next page of output. If you do not use the -paging parameter, the command prints all of the output to the screen.
Output
The output of the show tech-support command consists of the aggregate output of a number of CLI show commands. The following table lists the commands that are executed when you run the show tech-support command.
Command                                         See
show calendar                                   See show calendar on page 779
show version detail                             See show version on page 644
show tech-crash                                 See show tech-crash on page 883
show startup-config                             See show startup-config on page 636
show running-config                             See show running-config on page 632
show chassis                                    See show chassis on page 780
show environment                                See show environment on page 786
show system                                     See show system on page 801
show interface detail                           See show interface on page 838
show application vap-group                      See show application vap-group on page 855
show alarms active minor/major/critical         See show alarms on page 769
show operating-mode                             See show operating-mode on page 660
show module status                              See show module status on page 794
show ap-vap-mapping                             See show ap-vap-mapping on page 852
show firmware Revision Checking                 See revs_check in the XOS Configuration Guide
show Release History                            Displays XOS installation and upgrade history
show cp-redundancy                              See show cp-redundancy on page 681
show cp-unknown-state                           See show cp-unknown-state on page 682
show ip-mapping                                 See show ip-mapping on page 706
show ip addresses                               See show ip addresses on page 653
show kernel                                     See show kernel on page 687
show module admin-state                         See show module admin-state on page 793
show redundancy-interface                       See show redundancy-interface on page 845
show veth-stats                                 See show veth-stats on page 850
show group-interface status                     See show group-interface on page 837
show bridge-mode                                See show bridge-mode on page 696
show cpu utilization-average                    See show cpu on page 782
show cpu load-average                           See show cpu on page 782
show cpu statistic                              See show cpu on page 782
show vrrp                                       See show vrrp on page 859
show NFIq and VDF                               See show vdf-status on page 846
show disk-usage history                         See show disk-usage on page 785
show current disk-usage                         See show disk-usage on page 785
show flow distribution                          show flow distribution on page 835
show vdf-stats                                  See show vdf-status on page 846
show resource-statistics                        See show resource-statistics on page 641
show audit-trail                                See show audit-trail on page 630
show npm-tech                                   See show npm-tech on page 880
show heartbeat                                  See show heartbeat on page 788
show NPM interface detail                       See show interface on page 838
show flow table counters                        See show npm-tech on page 880
show NPM86xx version and build                  See show npm-tech on page 880
show tech-crash for NPM                         See show tech-crash on page 883
show ezchip and XBPRC data collection           See show npm-tech on page 880
show current-release verify-rpm                 See show current-release on page 784
show calendar                                   See show calendar on page 779
Restrictions
Default Privilege Level: 15
Example
The following shows a partial output from this command.
NOTE: Information for some parameters such as mac-addr is only available for NPM Series-2 mode.
----------------------- show calendar -----------------------
Thu Nov 18 14:18:40 2010
-------------------- show version detail --------------------
Copyright (c) 2000-2011 by Crossbeam Systems, Inc. All rights reserved.
Version: XOS 9.5.1 [Feb 26 2011 02:12:22] (bldmgr)
gcc: gcc version 2.96 20000731 (Linux 7.3 2.96-112)
CVS_Label: XOS-9_5_1_0-20110226_1
Kit_Number: 37
CPU at 2327 Mhz processor with 16410064K bytes of memory
8165904K bytes of memory in use
Uptime is 3 day(s) 17 hour(s) 58 min(s) 17 sec(s)
Hard disk is 500(GB)
Second Hard disk is 500(GB)
Flash is not present
Details per slot:
Revision for slot 1
Boot Strap version : 2.0.0.10
Bootloader version : 2.0.0.10
Diagnostics version : 2.1.0.3
SysCtl FPGA version : 0x4
Focus FPGA version : 0xf
CPLD version : 0x4
Board version : 8
Board serial number : G7150508
Board type : NP8600
Board part number : 003927
Revision for slot 2
Boot Strap version : 2.0.0.10
Bootloader version : 2.0.0.10
Diagnostics version : 2.1.0.3
SysCtl FPGA version : 0x4
Focus FPGA version : 0xf
CPLD version : 0x4
Board version : 8
Board serial number : G7150499
Board type : NP8600
Board part number : 003927
Revision for slot 5
Boot Strap version : 1.7.0.1
Bootloader version : 1.7.0.2
Diagnostics version : 1.1.0.4
SysCtl FPGA version :
Focus FPGA version :
CPLD version :
Board version :
Board serial number :
Board type :
Board part number :
debug
This command is used for troubleshooting. It should only be used when advised by Customer Support.
Syntax
debug {dump-database <table_name>|dump-psql <query>|tree-syntax}
Context
You access this command from the main CLI context.
Parameters
The following table lists the parameters used with this command.
Parameter         Description
dump-database     Displays database for a given table (internal debug only).
dump-psql         Displays table according to PSQL query (internal debug only).
tree-syntax       Displays command tree with syntax (internal debug only).
Restrictions
Default Privilege Level: 15
15
Using Unix Commands
This chapter describes the UNIX commands used on all VAPs within a VAP group.
NOTE: /usr/os/bin/cbs_rsh is a tool that can be used to execute any interactive UNIX command on all available VAPs in a VAP group or on a particular VAP within a VAP group.
Executing Unix Commands on a Designated VAP on page 892
Executing Unix Commands on All VAPs on page 892
[root@vgSync_2 /root]#
[root@vgSync_2 /root]# exit
rlogin: connection closed.
[root@xxxx bin]#
PID   TTY  TIME
1175  ?    00:00:00
1177  ?    00:00:00
1178  ?    00:00:00
1229  ?    00:00:00
1234  ?    00:00:00
1235  ?    00:00:00
1685  ?    00:00:00
1686  ?    00:00:00
1687  ?    00:00:00
16
Understanding CLI Error Messages
This chapter describes the system error and warning messages. These messages are specified by the following categories:
General Error Messages on page 896
Subsystem Errors on page 897
Threshold (RMON) Agent Errors on page 898
SNMP Errors on page 899
WEB Access Control Related Error Messages on page 899
Warning Messages on page 899
                                   Database has reached the maximum number of entries for a controlled entity such as the number of circuits allowed.
Entry is being used                Database entry specified is currently in use.
Entry not found                    Database entry specified does not exist.
Unavailable logical interface      The logical interface specified is unavailable.
Paired interface is unavailable    The paired-logical interface specified is unavailable.
Application conflict detected      An application conflict has been detected.
File not found                     The file specified was not found.
File not accessible                File specified is not currently accessible.
Conflict with existing entry       Entry specified has generated a conflict.
Unable to execute command          The command specified could not be executed.
Could not allocate memory          System could not allocate memory for this action.
Missing parameter                  Parameter missing from entered command.
IP Address confliction found       A conflict in IP addresses has occurred.
Network portion is empty           The network portion specified is empty.
Message: Multicast, broadcast network

Message: Loopback network

Message: Invalid Host Portion
Description: The host portion specified is not valid.
Action: Check the specified host portion and re-enter the command.

Message: Vlan tag ranges overlaps with other logical interfaces on this physical interface
Description: Physical interface has VLAN tag ranges that overlap logical interfaces configured on this physical interface.
Action: Check VLAN range for the logical interface and reconfigure them with a different VLAN range.

Message: Invalid Backup Interface. Interface type should not be the same as the primary
Description: The backup interface is configured the same as the primary interface.
Action: Reconfigure the backup interface to be different from the primary interface.

Message: Un-recognized type
Description: The type specified is not valid.
Action: Check the specified type and re-enter the command.

Message: Input too short
Description: The input specified is too short.
Action: Check the specified input and re-enter the command.

Message: Input too long
Description: The input specified is too long.
Action: Check the specified input and re-enter the command.

Message: Error converting Network mask format
Description: An error occurred during the network mask conversion process.
Action: Check the network mask and re-enter the command.

Message: Error retrieving IP address and Mask from CIDR format
Description: An error occurred while retrieving the IP address and network mask from CIDR format.
Action: Check the CIDR format and re-enter the command.
Subsystem Errors
Message: Error connecting to the database
Description: An error occurred while the system-to-database connection was in progress.
Action: Check syslog and contact Customer Support.

Message: Bad data found during execution
Description: Corrupt data found during the execution of the current process.
Action: Check syslog and contact Customer Support.

Message: Bad input arguments found
Description: Incorrect input parameters found in command.
Action: Check syslog and contact Customer Support.

Message: Bad output method specified
Description: Incorrect output method specified.
Action: Check syslog and contact Customer Support.

Message: Unable to obtain RPC Handle
Description: Unable to obtain RPC handle.
Action: Check syslog and contact Customer Support.

Message: RPC call failed
Description: Error occurred during RPC call.
Action: Check syslog and contact Customer Support.

Message: Unable to obtain Exec Handle
Description: Unable to obtain Exec handle.
Action: Check syslog and contact Customer Support.
SNMP Errors
Message: Invalid Alarm variable: SNMP NoSuchName
Description: Specified Alarm parameter is not valid.
Action: Check parameter and re-enter command.

Message: Invalid Alarm variable: SNMP General Error
Description: Specified Alarm parameter is not valid.
Action: Check parameter and re-enter command.

Message: SNMP Error
Description: SNMP error has occurred.

Message: SNMP agent not responding
Description: SNMP agent not responding.
Action: Restart SNMP agent.

Message: Community string internal not allowed
Description: Specified string not allowed.
Action: Check string and re-enter command.
Warning Messages
Message: WARNING: Command takes effect next system reboot (reload)
Description: Specified command does not activate dynamically.
Action: Re-boot system.

Message: WARNING: Operation Pending
Description: Specified operation is in progress.
Action: No action required.
Appendix A: Example XOS Running Configuration File
#Do not remove after this line
# Last time the configuration was saved on Wed Feb 23 14:08:10.831535 2011 EST
# Configuration generated by CLI on Wed Feb 23 14:23:52 2011
# CLI Version 9.5.1 [Feb 19 2011 02:15:42] (bldmgr)
# Kit Number: xx
#Do not remove above this line
#
configure
#
hostname x80 cp1
hostname x80 cp2
ip domainname crossbeam
ip telnet
ip ftp
system-identifier 40
system-internal-network 1.1.0.0/16
operating-mode quad-np series-6
#
#
access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
#
ntp server 192.168.66.10
#
#
#
#
username admin privilege 15 gui-level administrator
#
prompt x80
no timeout
web-server
#
alias wr 'copy running-config startup-config'
#
#
#
vap-group iss xslinux_v3
  vap-count 2
  max-load-count 2
  ap-list ap3 ap5
  load-balance-vap-list 1 2 3 4 5 6 7 8 9 10
  ip-flow-rule iss_lb
    action load-balance
    incoming-circuit-group any
    activate
vap-group vsx xslinux_v5
  vap-count 3
  max-load-count 2
  ap-list ap8 ap9
  load-balance-vap-list 3 4 5 6 7 8 9 10 1 2
  ip-forwarding
  no rp-filter
  ip-flow-rule ikesync
    action broadcast
    domain 500
    priority 15
    destination-port 500 500
    activate
vap-group mca xsve
  vap-count 2
  max-load-count 2
  ap-list ap4 ap10 ap7
  load-balance-vap-list 1 2
  ip-forwarding
  fail-to-host
  flow-proxy
  ip-flow-rule mca_lb
    action load-balance
    incoming-circuit-group any
    activate
  ip-flow-rule mca_sync
    action broadcast
    priority 30
    incoming-circuit-group 3
    destination-addr 239.255.0.0 239.255.0.255
    activate
vap-group ft xslinux_v5
  vap-count 2
  ap-list ap6 ap7
  load-balance-vap-list 1 2
  ip-flow-rule ft
    action load-balance
    activate
#
system-non-ip-flow-rule stp
  encapsulation lsap any
  action pass-to-masters
  activate
system-non-ip-flow-rule snap
  encapsulation snap any
  action pass-to-masters
  activate
#
dns server 192.168.66.10 vap-group mca
dns server 192.168.66.10 vap-group ft
#
dns search-name lab.crossbeamsys.com vap-group ft
#
incoming-circuit-group-name 2 internal
incoming-circuit-group-name 3 sync
incoming-circuit-group-name 4 ser
incoming-circuit-group-name 5 ymlt
incoming-circuit-group-name 6 mgmt
#
circuit sync
  device-name sync
  incoming-circuit-group 3
  link-state-resistant
  vap-group mca
    ip-forwarding
    ip 5.5.5.1 255.255.255.0 5.5.5.255 increment-per-vap 5.5.5.4
      alias 5.5.5.5/24 5.5.5.255 floating
circuit sync2 domain 500
  device-name sync
  link-state-resistant
  vap-group vsx
    ip-forwarding
    ip 7.7.7.1 255.255.255.0 7.7.7.255 increment-per-vap 7.7.7.4
circuit ser
  device-name ser
  incoming-circuit-group 4
  vap-group iss
    promiscuous-mode active
  vap-group vsx
  vap-group mca
circuit ser_3001 domain 501
  device-name ser.3001
  incoming-circuit-group 4
  vap-group mca
    ip-forwarding
    default-egress-vlan-tag 3001
    ip 30.30.1.1/24 30.30.1.255
circuit mgt
  device-name mgt
  incoming-circuit-group 6
  vap-group iss
    management-circuit
    ip 172.16.1.94 255.255.255.0 172.16.1.255 increment-per-vap 172.16.1.95
  vap-group vsx
    ip-forwarding
    ip 172.16.1.35/24 172.16.1.255 increment-per-vap 172.16.1.37
  vap-group mca
    ip-forwarding
    ip 172.16.1.41/24 172.16.1.255 increment-per-vap 172.16.1.44
      alias 192.168.71.45/24 192.168.71.255 floating
  vap-group ft
    management-circuit
    ip 172.16.1.60/24 172.16.1.255 increment-per-vap 172.16.1.62
circuit vpn circuit-id
  device-name vpn
  vap-group vsx
circuit snif
  device-name snif
  vap-group ft
    promiscuous-mode
circuit ct72
  device-name ct72
  vap-group ft
    ip 172.16.2.55/24 172.16.2.255
circuit l2br
  device-name l2br
  vap-group iss
circuit inside
  device-name inside
  vap-group iss
    promiscuous-mode active
circuit ymlt
  device-name ymlt
  incoming-circuit-group 5
  vap-group vsx
  vap-group mca
  vap-group ft
circuit ymlt_4001 domain 502
  device-name ymlt.4001
  incoming-circuit-group 5
  vap-group mca
    ip-forwarding
    default-egress-vlan-tag 4001
    ip 40.40.0.1/24 40.40.0.255
circuit ymlt_4003
  device-name ymlt.4003ft
  vap-group ft
circuit vsx_ckt_vsx_internal_ser_3002 domain 501
  device-name ser.3002
  vap-group vsx
    ip-forwarding
    default-egress-vlan-tag 3002
    ip 30.30.2.1 255.255.255.0 30.30.2.255
circuit vsx_ckt_vsx_ymlt_4002 domain 505
  device-name ymlt.4002
  vap-group vsx
    ip-forwarding
    default-egress-vlan-tag 4002
    ip 40.40.2.1 255.255.255.0 40.40.2.255
#
bridge-mode l2br transparent
  circuit inside
  circuit ser
#
interface gigabitethernet 1/10
  logical-all snif
    circuit snif
interface gigabitethernet 2/1
  logical mgt
    circuit mgt
interface gigabitethernet 2/10
  logical vpn
    circuit vpn
interface gigabitethernet 4/7
  logical ct72
    circuit ct72
#
group-interface inside
  interface-type gigabitethernet
  mode multi-link circuit inside
  interface 2/4
  interface 4/4
group-interface ymlt
  interface-type gigabitethernet
  mode multi-link circuit ymlt
  interface 2/6
  interface 4/6
  logical ymlt_4001 ingress-vlan-tag 4001 4001
    circuit ymlt_4001
  logical ymlt_4003 ingress-vlan-tag 4003 4003
    circuit ymlt_4003
#
interface-internal l2br
  logical-all log_ser
    circuit ser
  logical ser_3001 ingress-vlan-tag 3001 3001
    circuit ser_3001
  logical vsx_log_vsxe40_l2br_3002 ingress-vlan-tag 3002 3002
    circuit vsx_ckt_vsxe40_internal_ser_3002
#
interface-internal sync
  logical-all sync
    circuit sync
#
interface-internal sync2
  logical-all sync2
    circuit sync2
#
ip route 0.0.0.0 0.0.0.0 172.16.1.1 vap-group mca circuit mgt
ip route 0.0.0.0 0.0.0.0 172.16.1.1 vap-group iss circuit mgt
ip route 0.0.0.0 0.0.0.0 172.16.2.1 vap-group ft circuit ct72
ip route 10.0.0.0/8 172.16.1.1 vap-group ft circuit mgt
#
management gigabitethernet 13/1
  ip-addr 192.168.71.200 255.255.255.0 192.168.71.255
  enable
  access-list 1001 input
  access-list 1002 output
#
management high-availability cp1
management high-availability cp2
#
management default-gateway 192.168.71.1
#
cp-action cp1 disk-error offline
cp-action cp2 disk-error offline
#
end
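The example configuration above enables ip telnet and ip ftp and binds access lists 1001 and 1002 to the management interface. The following Python script is an added example, not part of the XOS documentation: it audits a running configuration (one command per line) for those settings. It assumes that an address/mask pair of 0.0.0.0 255.255.255.255 matches any address, that source-any and destination-any rules use the same access-list layout, and that "#" lines separate configuration blocks; the finding names are hypothetical.

```python
import re

# Constructed sample: an excerpt of the example configuration above, one
# command per line (indentation is ignored by the parser).
SAMPLE_CONFIG = """\
configure
#
hostname x80 cp1
ip domainname crossbeam
ip telnet
ip ftp
#
access-list 1001 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
access-list 1002 permit ip source-ip 0.0.0.0 255.255.255.255 destination-ip 0.0.0.0 255.255.255.255
#
management gigabitethernet 13/1
  ip-addr 192.168.71.200 255.255.255.0 192.168.71.255
  enable
  access-list 1001 input
  access-list 1002 output
#
end
"""

# Management services that send credentials in cleartext.
CLEARTEXT_SERVICES = {"ip telnet": "Telnet", "ip ftp": "FTP"}

# Assumption: "0.0.0.0 255.255.255.255" matches every address, and the
# source-any / destination-any keywords appear in the same positions.
ANY_SRC = r"(?:source-any|source-ip 0\.0\.0\.0 255\.255\.255\.255)"
ANY_DST = r"(?:destination-any|destination-ip 0\.0\.0\.0 255\.255\.255\.255)"
PERMIT_ALL = re.compile(rf"^access-list (\d+) permit ip {ANY_SRC} {ANY_DST}$")
MGMT_HEADER = re.compile(r"^management gigabitethernet (\S+)$")
ACL_BINDING = re.compile(r"^access-list (\d+) (input|output)$")


def audit(config_text):
    """Return a list of (finding, detail) tuples for a running configuration."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    findings = [("cleartext-service", CLEARTEXT_SERVICES[ln])
                for ln in lines if ln in CLEARTEXT_SERVICES]

    # First pass: ACL numbers that contain a match-all permit rule.
    permit_all = {m.group(1) for m in map(PERMIT_ALL.match, lines) if m}

    # Second pass: ACLs bound inside each "management gigabitethernet" block.
    # A "#" separator line or the next block header closes the open block.
    iface, has_input_acl = None, False
    for ln in lines + ["#"]:
        header = MGMT_HEADER.match(ln)
        if ln.startswith("#") or header:
            if iface and not has_input_acl:
                findings.append(("mgmt-no-input-acl", iface))
            iface = header.group(1) if header else None
            has_input_acl = False
            continue
        binding = ACL_BINDING.match(ln)
        if iface and binding:
            acl, direction = binding.groups()
            has_input_acl = has_input_acl or direction == "input"
            if acl in permit_all:
                findings.append(("mgmt-acl-permits-all",
                                 f"{iface} {direction} access-list {acl}"))
    return findings


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_CONFIG):
        print(f"{finding}: {detail}")
```

On the excerpt, the script reports both cleartext services and both management access lists; a configuration with restricted source addresses and no telnet or ftp lines produces no findings.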
Appendix B: Legal Single Line Command Groupings
This appendix lists all XOS CLI commands that you can enter from the main context:

alias
application
application-remove
application-remove version
application-remove version release
application-update
application-upgrade
archive-vap-group
archive-vap-group backup
archive-vap-group delete
archive-vap-group restore
archive-vap-group show
audit-trail
auto-promote
automated-workflow-menu
automated-workflows
automated-workflows purge-log-files
broadcast
calendar
cd
clear
clear alarms
clear alarms all
clear alarms id
clear flow-active
clear interface
clear interface 10gigabitethernet
clear interface all
clear interface gigabitethernet
clear interface gigabitethernet default1
clear interface high-availability
clear netstat
clear resource-statistics
clear switch-data-path
clear switch-data-path all
clear switch-data-path module
clear vdf-status
clear vdf-status module
clear vdf-status vap-group-member
clear-screen
configure
configure access-list
configure access-list icmp
configure access-list icmp source-any
configure access-list icmp source-any destination-any
configure access-list icmp source-any destination-any icmp-message
configure access-list icmp source-any destination-any icmp-type
configure access-list icmp source-any destination-ip
configure access-list icmp source-any destination-ip icmp-message
configure access-list icmp source-any destination-ip icmp-type
configure access-list icmp source-ip
configure access-list icmp source-ip destination-any
configure access-list icmp source-ip destination-any icmp-message
configure access-list icmp source-ip destination-any icmp-type
configure access-list icmp source-ip destination-ip
configure access-list icmp source-ip destination-ip icmp-message
configure access-list icmp source-ip destination-ip icmp-type
configure access-list ip
configure access-list ip source-any
configure access-list ip source-any destination-any
configure access-list ip source-any destination-ip
configure access-list ip source-ip
configure access-list ip source-ip destination-any
configure access-list ip source-ip destination-ip
configure access-list protocol-number
configure access-list protocol-number source-any
configure access-list protocol-number source-any destination-any
configure access-list protocol-number source-any destination-ip
configure access-list protocol-number source-ip
configure access-list protocol-number source-ip destination-any
configure access-list protocol-number source-ip destination-ip
configure access-list tcp
configure access-list tcp source-any
configure access-list tcp source-any source-port
configure access-list tcp source-any source-port destination-any
configure access-list tcp source-any source-port destination-any destination-port
configure access-list tcp source-any source-port destination-any destination-port-any
configure access-list tcp source-any source-port destination-any destination-port-name
configure access-list tcp source-any source-port destination-ip
configure access-list tcp source-any source-port destination-ip destination-port
configure access-list tcp source-any source-port destination-ip destination-port-any
configure access-list tcp source-any source-port destination-ip destination-port-name
configure access-list tcp source-any source-port-any
configure access-list tcp source-any source-port-any destination-any
configure access-list tcp source-any source-port-any destination-any destination-port
configure access-list tcp source-any source-port-any destination-any destination-port-any
configure access-list tcp source-any source-port-any destination-any destination-port-name
configure access-list tcp source-any source-port-any destination-ip
configure access-list tcp source-any source-port-any destination-ip destination-port
configure access-list tcp source-any source-port-any destination-ip destination-port-any
configure access-list tcp source-any source-port-any destination-ip destination-port-name
configure access-list tcp source-any source-port-name
configure access-list tcp source-any source-port-name destination-any
configure access-list tcp source-any source-port-name destination-any destination-port
configure access-list tcp source-any source-port-name destination-any destination-port-any
configure access-list tcp source-any source-port-name destination-any destination-port-name
configure access-list tcp source-any source-port-name destination-ip
configure access-list tcp source-any source-port-name destination-ip destination-port
configure access-list tcp source-any source-port-name destination-ip destination-port-any
configure access-list tcp source-any source-port-name destination-ip destination-port-name
configure access-list tcp source-ip
configure access-list tcp source-ip source-port
configure access-list tcp source-ip source-port destination-any
configure access-list tcp source-ip source-port destination-any destination-port
configure access-list tcp source-ip source-port destination-any destination-port-any
configure access-list tcp source-ip source-port destination-any destination-port-name
configure access-list tcp source-ip source-port destination-ip
configure access-list tcp source-ip source-port destination-ip destination-port
configure access-list tcp source-ip source-port destination-ip destination-port-any
configure access-list tcp source-ip source-port destination-ip destination-port-name
configure access-list tcp source-ip source-port-any
configure access-list tcp source-ip source-port-any destination-any
configure access-list tcp source-ip source-port-any destination-any destination-port
configure access-list tcp source-ip source-port-any destination-any destination-port-any
configure access-list tcp source-ip source-port-any destination-any destination-port-name
configure access-list tcp source-ip source-port-any destination-ip
configure access-list tcp source-ip source-port-any destination-ip destination-port
configure access-list tcp source-ip source-port-any destination-ip destination-port-any
configure access-list tcp source-ip source-port-any destination-ip destination-port-name
configure access-list tcp source-ip source-port-name
configure access-list tcp source-ip source-port-name destination-any
configure access-list tcp source-ip source-port-name destination-any destination-port
configure access-list tcp source-ip source-port-name destination-any destination-port-any
configure access-list tcp source-ip source-port-name destination-any destination-port-name
configure access-list tcp source-ip source-port-name destination-ip
configure access-list tcp source-ip source-port-name destination-ip destination-port
configure access-list tcp source-ip source-port-name destination-ip destination-port-any
configure access-list tcp source-ip source-port-name destination-ip destination-port-name
configure access-list udp
configure access-list udp source-any
configure access-list udp source-any source-port
configure access-list udp source-any source-port destination-any
configure access-list udp source-any source-port destination-any destination-port
configure access-list udp source-any source-port destination-any destination-port-any
configure access-list udp source-any source-port destination-any destination-port-name
configure access-list udp source-any source-port destination-ip
configure access-list udp source-any source-port destination-ip destination-port
configure access-list udp source-any source-port destination-ip destination-port-any
configure access-list udp source-any source-port destination-ip destination-port-name
configure access-list udp source-any source-port-any
configure access-list udp source-any source-port-any destination-any
configure access-list udp source-any source-port-any destination-any destination-port
configure access-list udp source-any source-port-any destination-any destination-port-any
configure access-list udp source-any source-port-any destination-any destination-port-name
configure access-list udp source-any source-port-any destination-ip
configure access-list udp source-any source-port-any destination-ip destination-port
configure access-list udp source-any source-port-any destination-ip destination-port-any
configure access-list udp source-any source-port-any destination-ip destination-port-name
configure access-list udp source-any source-port-name
configure access-list udp source-any source-port-name destination-any
configure access-list udp source-any source-port-name destination-any destination-port
configure access-list udp source-any source-port-name destination-any destination-port-any
configure access-list udp source-any source-port-name destination-any destination-port-name
configure access-list udp source-any source-port-name destination-ip
configure access-list udp source-any source-port-name destination-ip destination-port
configure access-list udp source-any source-port-name destination-ip destination-port-any
configure access-list udp source-any source-port-name destination-ip destination-port-name
configure access-list udp source-ip
configure access-list udp source-ip source-port
configure access-list udp source-ip source-port destination-any
configure access-list udp source-ip source-port destination-any destination-port
configure access-list udp source-ip source-port destination-any destination-port-any
configure access-list udp source-ip source-port destination-any destination-port-name
configure access-list udp source-ip source-port destination-ip
configure access-list udp source-ip source-port destination-ip destination-port
configure access-list udp source-ip source-port destination-ip destination-port-any
configure access-list udp source-ip source-port destination-ip destination-port-name
configure access-list udp source-ip source-port-any
configure access-list udp source-ip source-port-any destination-any
configure access-list udp source-ip source-port-any destination-any destination-port
configure access-list udp source-ip source-port-any destination-any destination-port-any
configure access-list udp source-ip source-port-any destination-any destination-port-name
configure access-list udp source-ip source-port-any destination-ip
configure access-list udp source-ip source-port-any destination-ip destination-port
configure access-list udp source-ip source-port-any destination-ip destination-port-any
configure access-list udp source-ip source-port-any destination-ip destination-port-name
configure access-list udp source-ip source-port-name
configure access-list udp source-ip source-port-name destination-any
configure access-list udp source-ip source-port-name destination-any destination-port
configure access-list udp source-ip source-port-name destination-any destination-port-any
configure access-list udp source-ip source-port-name destination-any destination-port-name
configure access-list udp source-ip source-port-name destination-ip
configure access-list udp source-ip source-port-name destination-ip destination-port
configure access-list udp source-ip source-port-name destination-ip destination-port-any
configure access-list udp source-ip source-port-name destination-ip destination-port-name
configure acl-interface
configure acl-interface destination-mac
configure acl-interface direction
configure acl-interface ether-type
configure acl-interface source-mac
configure acl-interface vlan
configure acl-interface-mapping
configure acl-interface-mapping group-interface
configure acl-interface-mapping group-interface acl-interface
configure acl-interface-mapping group-interface acl-interface capture
configure acl-interface-mapping group-interface acl-interface drop
configure acl-interface-mapping group-interface acl-interface mirror
configure acl-interface-mapping group-interface acl-interface mirror 10gigabitethernet
configure acl-interface-mapping group-interface acl-interface mirror gigabitethernet
configure acl-interface-mapping group-interface acl-interface pass-through
configure acl-interface-mapping group-interface acl-interface pass-through 10gigabitethernet
configure acl-interface-mapping group-interface acl-interface pass-through gigabitethernet
configure acl-interface-mapping interface
configure acl-interface-mapping interface 10gigabitethernet
configure acl-interface-mapping interface 10gigabitethernet acl-interface
configure acl-interface-mapping interface 10gigabitethernet acl-interface capture
configure acl-interface-mapping interface 10gigabitethernet acl-interface drop
configure acl-interface-mapping interface 10gigabitethernet acl-interface mirror
configure acl-interface-mapping interface 10gigabitethernet acl-interface mirror 10gigabitethernet
configure acl-interface-mapping interface 10gigabitethernet acl-interface mirror gigabitethernet
configure acl-interface-mapping interface 10gigabitethernet acl-interface pass-through
configure acl-interface-mapping interface 10gigabitethernet acl-interface pass-through 10gigabitethernet
configure acl-interface-mapping interface 10gigabitethernet acl-interface pass-through gigabitethernet
configure acl-interface-mapping interface gigabitethernet
configure acl-interface-mapping interface gigabitethernet acl-interface
configure acl-interface-mapping interface gigabitethernet acl-interface capture
configure acl-interface-mapping interface gigabitethernet acl-interface drop
configure acl-interface-mapping interface gigabitethernet acl-interface mirror
configure acl-interface-mapping interface gigabitethernet acl-interface mirror 10gigabitethernet
configure acl-interface-mapping interface gigabitethernet acl-interface mirror gigabitethernet
configure acl-interface-mapping interface gigabitethernet acl-interface pass-through
configure acl-interface-mapping interface gigabitethernet acl-interface pass-through 10gigabitethernet
configure acl-interface-mapping interface gigabitethernet acl-interface pass-through gigabitethernet
configure alias
configure arp
configure bridge-mode
configure bridge-mode circuit
configure bridge-mode show
configure chassis-resource-protection
configure chassis-resource-protection enable
configure chassis-resource-protection flow-table-partition
configure chassis-resource-protection flow-table-partition flow-table-profile
configure chassis-resource-protection flow-table-partition flow-table-profile backup-flow-info
configure chassis-resource-protection flow-table-partition flow-table-profile table-limit
configure chassis-resource-protection fragment-handling-options
configure chassis-resource-protection fragment-handling-options ip-id-validation
configure chassis-resource-protection fragment-handling-options selective-drop
configure chassis-resource-protection fragment-handling-options selective-drop allow-fragment-overlap
configure chassis-resource-protection fragment-handling-options selective-drop limit-fragment-queue
configure chassis-resource-protection fragment-handling-options tcp-overlap-protection
configure chassis-resource-protection tcp-flow-validation
configure chassis-resource-protection tcp-flow-validation bypass-tcp-flow-setup-validation
configure check-flow-rule
configure circuit
configure circuit device-name
configure circuit incoming-circuit-group
configure circuit link-state-resistant
configure circuit new-flow-control
configure circuit proxy-arp
configure circuit show
configure circuit tcp-rst-injection
configure circuit vap-group
configure circuit vap-group default-egress-vlan-tag
configure circuit vap-group dhcp-relay
configure circuit vap-group enable
configure circuit vap-group icmp-redirect
configure circuit vap-group ip
configure circuit vap-group ip alias
configure circuit vap-group ip alias floating
configure circuit vap-group ip-flow-rule-no-failover
configure circuit vap-group ip-flow-rule-priority
configure circuit vap-group ip-forwarding
configure circuit vap-group mac-addr
configure circuit vap-group management-circuit
configure circuit vap-group mtu
configure circuit vap-group promiscuous-mode
configure circuit vap-group reclassify-nat-flows
configure circuit vap-group replace-vlan-tag
configure circuit vap-group verify-next-hop-ip
configure cp-action
configure cp-action disk-error
configure cp-redundancy
configure cp-redundancy set
configure dns
configure dns search-name
configure dns server
configure enable
configure enable alarm
configure enable password
configure facility-alarm
configure facility-alarm cpu
configure facility-alarm cpu-core
configure facility-alarm disk-usage-boot
configure facility-alarm disk-usage-cbconfig
configure facility-alarm disk-usage-mgmt
configure facility-alarm disk-usage-root
configure facility-alarm disk-usage-tftpboot
configure facility-alarm disk-usage-var
configure facility-alarm free-memory
configure group-interface
configure group-interface flow-table-limit
configure group-interface fragment-handling-options
configure group-interface interface
configure group-interface interface enable
configure group-interface interface-type
configure group-interface interface-type 10gigabitethernet
configure group-interface interface-type 10gigabitethernet enable
configure group-interface interface-type 10gigabitethernet mac-addr
configure group-interface interface-type 10gigabitethernet pause-frame
configure group-interface interface-type gigabitethernet
configure group-interface interface-type gigabitethernet auto-negotiate
configure group-interface interface-type gigabitethernet duplex-mode
configure group-interface interface-type gigabitethernet enable
configure group-interface interface-type gigabitethernet mac-addr
configure group-interface interface-type gigabitethernet media-speed
configure group-interface interface-type gigabitethernet pause-frame
configure group-interface logical
configure group-interface logical circuit
configure group-interface logical circuit flow-table-limit
configure group-interface logical circuit fragment-handling-options
configure group-interface logical circuit packet-validation
configure group-interface logical circuit packet-validation validate-ip-packet
configure group-interface logical circuit packet-validation validate-tcp-packet
configure group-interface logical circuit packet-validation validate-tcp-xsum
configure group-interface mode
configure group-interface packet-validation
configure group-interface packet-validation validate-ip-packet
configure group-interface packet-validation validate-tcp-packet
configure group-interface packet-validation validate-tcp-xsum
configure group-interface show
configure host
configure hostname
configure incoming-circuit-group-name
configure interface
configure interface 10gigabitethernet
configure interface 10gigabitethernet enable
configure interface 10gigabitethernet logical
configure interface 10gigabitethernet logical circuit
configure interface 10gigabitethernet logical circuit flow-table-limit
configure interface 10gigabitethernet logical circuit fragment-handling-options
configure interface 10gigabitethernet logical circuit packet-validation
configure interface 10gigabitethernet logical circuit packet-validation validate-ip-packet
configure interface 10gigabitethernet logical circuit packet-validation validate-tcp-packet
configure interface 10gigabitethernet logical circuit packet-validation validate-tcp-xsum
configure interface 10gigabitethernet logical show
configure interface 10gigabitethernet logical-all
configure interface 10gigabitethernet logical-all circuit
configure interface 10gigabitethernet logical-all circuit flow-table-limit
configure interface 10gigabitethernet logical-all circuit fragment-handling-options
configure interface 10gigabitethernet logical-all circuit packet-validation
configure interface 10gigabitethernet logical-all circuit packet-validation validate-ip-packet
configure interface 10gigabitethernet logical-all circuit packet-validation validate-tcp-packet
configure interface 10gigabitethernet logical-all circuit packet-validation validate-tcp-xsum
configure interface 10gigabitethernet pause-frame
configure interface 10gigabitethernet show
configure interface 10gigabitethernet standby-only
configure interface gigabitethernet
configure interface gigabitethernet auto-negotiate
configure interface gigabitethernet duplex-mode
configure interface gigabitethernet enable
configure interface gigabitethernet logical
configure interface gigabitethernet logical circuit
configure interface gigabitethernet logical circuit flow-table-limit
configure interface gigabitethernet logical circuit fragment-handling-options
configure interface gigabitethernet logical circuit packet-validation
configure interface gigabitethernet logical circuit packet-validation validate-ip-packet
configure interface gigabitethernet logical circuit packet-validation validate-tcp-packet
configure interface gigabitethernet logical circuit packet-validation validate-tcp-xsum
configure interface gigabitethernet logical show
configure interface gigabitethernet logical-all
configure interface gigabitethernet logical-all circuit
configure interface gigabitethernet logical-all circuit flow-table-limit
configure interface gigabitethernet logical-all circuit fragment-handling-options
configure interface gigabitethernet logical-all circuit packet-validation
configure interface gigabitethernet logical-all circuit packet-validation validate-ip-packet
configure interface gigabitethernet logical-all circuit packet-validation validate-tcp-packet
configure interface gigabitethernet logical-all circuit packet-validation validate-tcp-xsum
configure interface gigabitethernet mac-addr
configure interface gigabitethernet media-speed
configure interface gigabitethernet pause-frame
configure interface gigabitethernet show
configure interface gigabitethernet standby-only
configure interface-internal
configure interface-internal logical
configure interface-internal logical circuit
configure interface-internal logical circuit flow-table-limit
configure interface-internal logical circuit fragment-handling-options
configure interface-internal logical circuit packet-validation
configure interface-internal logical circuit packet-validation validate-ip-packet
configure interface-internal logical circuit packet-validation validate-tcp-packet
configure interface-internal logical circuit packet-validation validate-tcp-xsum
configure interface-internal logical-all
configure interface-internal logical-all circuit
configure interface-internal logical-all circuit flow-table-limit
configure interface-internal logical-all circuit fragment-handling-options
configure interface-internal logical-all circuit packet-validation
configure interface-internal logical-all circuit packet-validation validate-ip-packet
configure interface-internal logical-all circuit packet-validation validate-tcp-packet
configure interface-internal logical-all circuit packet-validation validate-tcp-xsum
configure interface-status-group
configure interface-status-group 10gigabitethernet
configure interface-status-group gigabitethernet
configure interface-status-group group-interface configure ip configure ip default-network configure ip default-network metric configure ip default-network verify-next-hop configure ip domainname configure ip forwarding configure ip ftp configure ip route configure ip route metric configure ip route verify-next-hop configure ip ssh configure ip ssh authentication-retries configure ip ssh authentication-timeout configure ip telnet configure ipv6-tunnel configure ipv6-tunnel 6to4 configure ipv6-tunnel 6to4 path-mtu-discovery configure ipv6-tunnel 6to4 source-address configure ipv6-tunnel 6to4 time-to-live configure ipv6-tunnel gre configure ipv6-tunnel gre path-mtu-discovery configure ipv6-tunnel gre source-address configure ipv6-tunnel gre time-to-live configure ipv6-tunnel ipv6ip configure ipv6-tunnel ipv6ip path-mtu-discovery configure ipv6-tunnel ipv6ip source-address configure ipv6-tunnel ipv6ip time-to-live configure ipv6-tunnel isatap configure ipv6-tunnel isatap path-mtu-discovery configure ipv6-tunnel isatap source-address configure ipv6-tunnel isatap time-to-live configure ldap-parameter configure ldap-server configure logging configure logging console configure logging monitor configure logging server configure management configure management arp
configure management default-gateway configure management gigabitethernet configure management gigabitethernet access-list configure management gigabitethernet enable configure management gigabitethernet ip-addr configure management gigabitethernet ip-alias configure management gigabitethernet ip-nat configure management gigabitethernet ip-nat inside configure management gigabitethernet ip-nat outside configure management gigabitethernet mac-addr configure management gigabitethernet mtu configure management gigabitethernet show configure management gigabitethernet speed configure management high-availability configure management high-availability auto-negotiate configure management high-availability duplex-mode configure management high-availability speed configure management ip-route configure management ip-route metric configure management vip-addr configure module configure neighbor-discovery configure np-reload-timeout configure np-reset-wait-time configure ntp configure ntp server configure operating-mode configure packet-validation configure packet-validation validate-ip-packet configure packet-validation validate-tcp-packet configure packet-validation validate-tcp-xsum configure password configure privilege configure prompt configure radius-server configure radius-server host configure rate-limiter configure rate-limiter excess-burst configure rate-limiter rate configure rate-limiter show
configure redundancy-interface configure redundancy-interface master configure redundancy-interface master 10gigabitethernet configure redundancy-interface master 10gigabitethernet backup configure redundancy-interface master 10gigabitethernet backup 10gigabitethernet configure redundancy-interface master 10gigabitethernet backup 10gigabitethernet failovermode configure redundancy-interface master 10gigabitethernet backup gigabitethernet configure redundancy-interface master 10gigabitethernet backup gigabitethernet failovermode configure redundancy-interface master gigabitethernet configure redundancy-interface master gigabitethernet backup configure redundancy-interface master gigabitethernet backup 10gigabitethernet configure redundancy-interface master gigabitethernet backup 10gigabitethernet failovermode configure redundancy-interface master gigabitethernet backup gigabitethernet configure redundancy-interface master gigabitethernet backup gigabitethernet failovermode configure remote-box configure reset-password configure rmon configure rmon alarm configure rmon event configure routing-protocol configure routing-protocol-services configure snmp-server configure snmp-server community configure snmp-server contact configure snmp-server engine-id configure snmp-server host configure snmp-server location configure snmp-user configure snmp-user auth-type configure snmp-user no-passwords configure snmp-user priv-type configure system-identifier configure system-internal-network configure system-ip-flow-rule configure system-ip-flow-rule action configure system-ip-flow-rule action allow configure system-ip-flow-rule action broadcast configure system-ip-flow-rule action drop configure system-ip-flow-rule action none configure system-ip-flow-rule action pass-to-masters
configure system-ip-flow-rule activate configure system-ip-flow-rule core-assignment configure system-ip-flow-rule destination-addr configure system-ip-flow-rule destination-port configure system-ip-flow-rule direction configure system-ip-flow-rule domain configure system-ip-flow-rule generate-reversed-flow configure system-ip-flow-rule hide-slot-originator configure system-ip-flow-rule incoming-circuit-group configure system-ip-flow-rule priority configure system-ip-flow-rule protocol configure system-ip-flow-rule rate-limiter configure system-ip-flow-rule show configure system-ip-flow-rule skip-port configure system-ip-flow-rule skip-port-protocol configure system-ip-flow-rule skip-protocol configure system-ip-flow-rule source-addr configure system-ip-flow-rule source-port configure system-ip-flow-rule timeout configure system-ip-flow-rule trace configure system-non-ip-flow-rule configure system-non-ip-flow-rule action configure system-non-ip-flow-rule action broadcast configure system-non-ip-flow-rule action drop configure system-non-ip-flow-rule action pass-to-masters configure system-non-ip-flow-rule activate configure system-non-ip-flow-rule core-assignment configure system-non-ip-flow-rule encapsulation configure system-non-ip-flow-rule encapsulation ethernet configure system-non-ip-flow-rule encapsulation lsap configure system-non-ip-flow-rule encapsulation snap configure system-non-ip-flow-rule show configure terminal configure terminal history configure timeout configure timezone configure username configure vap-group configure vap-group ap-list configure vap-group application-monitor
configure vap-group backup-mode configure vap-group delay-flow configure vap-group dhcp-relay-server-list configure vap-group enable-ipv6 configure vap-group enable-ipv6 ip-forwarding-ipv6 configure vap-group fail-to-host configure vap-group flow-proxy configure vap-group ip-flow-rule configure vap-group ip-flow-rule action configure vap-group ip-flow-rule action allow configure vap-group ip-flow-rule action broadcast configure vap-group ip-flow-rule action dest-ip-based-load-balance configure vap-group ip-flow-rule action dest-ip-based-load-balance-no-failover configure vap-group ip-flow-rule action drop configure vap-group ip-flow-rule action load-balance configure vap-group ip-flow-rule action pass-to-master configure vap-group ip-flow-rule action pass-to-vap configure vap-group ip-flow-rule action pass-to-vap-no-failover configure vap-group ip-flow-rule activate configure vap-group ip-flow-rule bypass-tcp-flow-setup-validation configure vap-group ip-flow-rule core-assignment configure vap-group ip-flow-rule destination-addr configure vap-group ip-flow-rule destination-port configure vap-group ip-flow-rule direction configure vap-group ip-flow-rule domain configure vap-group ip-flow-rule generate-reversed-flow configure vap-group ip-flow-rule hide-slot-originator configure vap-group ip-flow-rule incoming-circuit-group configure vap-group ip-flow-rule priority configure vap-group ip-flow-rule protocol configure vap-group ip-flow-rule rate-limiter configure vap-group ip-flow-rule show configure vap-group ip-flow-rule skip-port configure vap-group ip-flow-rule skip-port-protocol configure vap-group ip-flow-rule skip-protocol configure vap-group ip-flow-rule source-addr configure vap-group ip-flow-rule source-port configure vap-group ip-flow-rule timeout configure vap-group ip-flow-rule trace configure vap-group ip-forwarding
configure vap-group jumbo-frame configure vap-group load-balance-vap-list configure vap-group load-priority configure vap-group log-martians configure vap-group master-failover-trigger configure vap-group master-holddown configure vap-group max-load-count configure vap-group max-reload-count configure vap-group non-ip-flow-rule configure vap-group non-ip-flow-rule action configure vap-group non-ip-flow-rule action broadcast configure vap-group non-ip-flow-rule action drop configure vap-group non-ip-flow-rule action pass-to-master configure vap-group non-ip-flow-rule activate configure vap-group non-ip-flow-rule core-assignment configure vap-group non-ip-flow-rule encapsulation configure vap-group non-ip-flow-rule encapsulation ethernet configure vap-group non-ip-flow-rule encapsulation lsap configure vap-group non-ip-flow-rule encapsulation snap configure vap-group non-ip-flow-rule show configure vap-group preemption-priority configure vap-group raid configure vap-group reload-timeout configure vap-group rp-filter configure vap-group scatter-gather configure vap-group show configure vap-group vap-count configure vap-group vg-reset-wait-time configure vrrp configure vrrp failover-group configure vrrp failover-group advertise-interval configure vrrp failover-group enable configure vrrp failover-group monitor-circuit configure vrrp failover-group monitor-circuit priority-delta configure vrrp failover-group monitor-group-interface configure vrrp failover-group monitor-group-interface dist-port-threshold configure vrrp failover-group monitor-group-interface priority-delta configure vrrp failover-group monitor-interface configure vrrp failover-group monitor-interface 10gigabitethernet configure vrrp failover-group monitor-interface 10gigabitethernet priority-delta
configure vrrp failover-group monitor-interface gigabitethernet configure vrrp failover-group monitor-interface gigabitethernet priority-delta configure vrrp failover-group ospf-cost-increment configure vrrp failover-group preemption configure vrrp failover-group priority configure vrrp failover-group virtual-router configure vrrp failover-group virtual-router backup-stay-up configure vrrp failover-group virtual-router dist-port-threshold configure vrrp failover-group virtual-router mac-usage configure vrrp failover-group virtual-router priority-delta configure vrrp failover-group virtual-router vap-group configure vrrp failover-group virtual-router vap-group ip configure vrrp failover-group virtual-router vap-group verify-next-hop-ip configure vrrp failover-group virtual-router vap-group verify-next-hop-ip priority-delta configure vrrp failover-group virtual-router vap-group virtual-ip configure vrrp failover-group virtual-router vap-group virtual-ip floating configure vrrp vap-group configure vrrp vap-group active-vap-threshold configure vrrp vap-group enable configure vrrp vap-group failover-group-list configure vrrp vap-group hold-down-timer configure vrrp vap-group priority-delta configure web-server configure web-timeout configure web-wizard copy copy running-config copy startup-config copy startup-config interface copy startup-config interface 10gigabitethernet copy startup-config interface gigabitethernet cp-disk-scheme cp-next-boot cp-unknown-state debug debug dump-database debug dump-psql debug tree-syntax dir disconnect
disconnect ssh echo enable enable level enable more end exec exit grep help lock-config logging logout logout save-config ping prompt pwd reload reload all reload all at reload all in reload module reload module at reload module in reload offline-cp reload vap-group reset-configuration routing-protocol routing-protocol configure routing-protocol install routing-protocol restore routing-protocol save routing-protocol status routing-protocol uninstall routing-protocol update routing-protocol-services routing-protocol-services configure routing-protocol-services install routing-protocol-services restore routing-protocol-services save
routing-protocol-services status routing-protocol-services uninstall routing-protocol-services update routing-protocol-services upgrade script search show show access-list show acl-interface show acl-interface-mapping show alarm-enabled show alarms show alarms active show alarms active date show alarms history show alarms history date show alarms model show alias show ap-vap-mapping show application show application vap-group show archive-vap-group show arp show audit-trail show audit-trail date show auto-promote show autocommand show automated-workflow-progress show bridge-mode show calendar show chassis show check-flow-rule show circuit show cp-disk-error show cp-disk-scheme show cp-next-boot show cp-redundancy show cp-unknown-state show cpu show current-release
show default-ip-flow-rule show default-non-ip-flow-rule show disk-usage show dns-search-name show dns-server show environment show facility-alarm show flow show flow active show flow distribution show flow-path show flow-path active show group-interface show group-interface stats show group-interface status show heartbeat show history show host show hostname show incoming-circuit-group-name show interface show interface 10gigabitethernet show interface gigabitethernet show interface high-availability show interface-internal show interface-status-group show internal-ip show ip show ip addresses show ip default-network show ip domainname show ip forwarding show ip ftp show ip route show ip ssh show ip telnet show ip-flow-rule show ip-mapping show kernel show ldap-parameters
show ldap-server show lock-config show logging show logging console show logging console date show logging server show logging setting show management show management gigabitethernet show management high-availability show management-ip-alias show management-ip-nat show management-vip show module show module admin-state show module status show neighbor-discovery show netstat show non-ip-flow show np-reload-timeout show np-reset-wait-time show npm-originated-flow-stats show npm-tech show ntp-server show operating-mode show privilege show radius-server show rate-limiter show redundancy-interface show related-running-config show related-startup-config show reload show remote-box show resource-statistics show resource-statistics flow-table-limit show resource-statistics flow-table-usage show rmon show routing-protocol show running-config show running-config interface
show running-config interface 10gigabitethernet show running-config interface gigabitethernet show snmp show snmp-user show ssh-session show startup-config show startup-config interface show startup-config interface 10gigabitethernet show startup-config interface gigabitethernet show status-grouping show switch-data-path show system show system-identifier show system-internal-network show system-ip-flow-rule show system-non-ip-flow-rule show tech-crash show tech-support show tech-support -bundle show tech-support -file show tech-support -paging show terminal show terminal history show timeout show timezone show traplog show tree show username show usernames show vap-group show vdf-status show vdf-status module show vdf-status vap-group show vdf-status vap-group-member show version show veth-stats show vlan show vrrp show vrrp circuit-ip show vrrp detail-status
show vrrp detail-status-help show vrrp failover-group show vrrp monitor-circuit show vrrp monitor-group-interfaces show vrrp monitor-interfaces show vrrp status show vrrp vap-group show vrrp verify-next-hop show vrrp virtual-router show vsx-configuration show web-server show web-session show web-timeout show web-wizard shutdown sleep ssh swatch terminal terminal history timeout unix upgrade upgrade in-service upgrade in-service batch-1 upgrade in-service batch-10 upgrade in-service batch-2 upgrade in-service batch-3 upgrade in-service batch-4 upgrade in-service batch-5 upgrade in-service batch-6 upgrade in-service batch-7 upgrade in-service batch-8 upgrade in-service batch-9 upgrade in-service batch-default upgrade in-service clear-batches upgrade in-service install upgrade in-service show upgrade in-service show batches upgrade in-service show default-batches
upgrade in-service show new-releases upgrade in-service show progress upgrade in-service show standby-modules upgrade install upgrade remove upgrade show upgrade show current-running-release upgrade show new-release upgrade show release upgrade verify-system validate-configuration vap-group-password vap-group-password-expiration vrrp-relinquish-master who
Appendix C: Configurable Command Privilege Levels
This appendix describes the default privilege level for all commands.
+-alias (0) +-application (15) +-application-remove (15) | +-version (15) | +-release (15) +-application-update (15) +-application-upgrade (15) +-archive-vap-group (15) | +-backup (15) | +-delete (15) | +-restore (15) | +-show (15) +-audit-trail (0) +-auto-promote (0) +-automated-workflow-menu (0) +-automated-workflows (15) | +-purge-log-files (15) +-broadcast (0) +-calendar (15) +-cd (0) +-clear (15) | +-alarms (15) | | +-all (15) | | +-id (15) | +-flow-active (15) | +-interface (15) | | +-10gigabitethernet (15) | | +-all (15) | | +-gigabitethernet (15) | | | +-default1 (0) | | +-high-availability (15) | +-netstat (15) | +-resource-statistics (15) | +-switch-data-path (15) | | +-all (15) | | +-module (15) | +-vdf-status (15) | +-module (15) | +-vap-group-member (15) +-clear-screen (0) +-configure (0) | +-access-list (15) | | +-icmp (15) | | | +-source-any (15) | | | | +-destination-any (15) | | | | | +-icmp-message (15) | | | | | +-icmp-type (15)
| | +-destination-ip (15) | | +-icmp-message (15) | | +-icmp-type (15) | +-source-ip (15) | +-destination-any (15) | | +-icmp-message (15) | | +-icmp-type (15) | +-destination-ip (15) | +-icmp-message (15) | +-icmp-type (15) +-ip (15) | +-source-any (15) | | +-destination-any (15) | | +-destination-ip (15) | +-source-ip (15) | +-destination-any (15) | +-destination-ip (15) +-protocol-number (15) | +-source-any (15) | | +-destination-any (15) | | +-destination-ip (15) | +-source-ip (15) | +-destination-any (15) | +-destination-ip (15) +-tcp (15) | +-source-any (15) | | +-source-port (15) | | | +-destination-any (15) | | | | +-destination-port (15) | | | | +-destination-port-any (15) | | | | +-destination-port-name (15) | | | +-destination-ip (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-source-port-any (15) | | | +-destination-any (15) | | | | +-destination-port (15) | | | | +-destination-port-any (15) | | | | +-destination-port-name (15) | | | +-destination-ip (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-source-port-name (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-ip (15) | +-source-port (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15)
| | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-any (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-name (15) | +-destination-any (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-destination-ip (15) | +-destination-port (15) | +-destination-port-any (15) | +-destination-port-name (15) +-udp (15) +-source-any (15) | +-source-port (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-any (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-name (15) | +-destination-any (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-destination-ip (15) | +-destination-port (15) | +-destination-port-any (15) | +-destination-port-name (15) +-source-ip (15) +-source-port (15) | +-destination-any (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15)
| | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-any (15) | | +-destination-any (15) | | | +-destination-port (15) | | | +-destination-port-any (15) | | | +-destination-port-name (15) | | +-destination-ip (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-source-port-name (15) | +-destination-any (15) | | +-destination-port (15) | | +-destination-port-any (15) | | +-destination-port-name (15) | +-destination-ip (15) | +-destination-port (15) | +-destination-port-any (15) | +-destination-port-name (15) +-acl-interface (15) | +-destination-mac (15) | +-direction (15) | +-ether-type (15) | +-source-mac (15) | +-vlan (15) +-acl-interface-mapping (15) | +-group-interface (15) | | +-acl-interface (15) | | +-capture (15) | | +-drop (15) | | +-mirror (15) | | | +-10gigabitethernet (15) | | | +-gigabitethernet (15) | | +-pass-through (15) | | +-10gigabitethernet (15) | | +-gigabitethernet (15) | +-interface (15) | +-10gigabitethernet (15) | | +-acl-interface (15) | | +-capture (15) | | +-drop (15) | | +-mirror (15) | | | +-10gigabitethernet (15) | | | +-gigabitethernet (15) | | +-pass-through (15) | | +-10gigabitethernet (15) | | +-gigabitethernet (15) | +-gigabitethernet (15) | +-acl-interface (15) | +-capture (15) | +-drop (15) | +-mirror (15) | | +-10gigabitethernet (15) | | +-gigabitethernet (15) | +-pass-through (15)
| +-10gigabitethernet (15) | +-gigabitethernet (15) +-alias (15) +-arp (15) +-bridge-mode (15) | +-circuit (15) | +-show (15) +-chassis-resource-protection (15) | +-enable (15) | +-flow-table-partition (15) | | +-flow-table-profile (15) | | +-backup-flow-info (15) | | +-table-limit (15) | +-fragment-handling-options (15) | | +-ip-id-validation (15) | | +-selective-drop (15) | | | +-allow-fragment-overlap (15) | | | +-limit-fragment-queue (15) | | +-tcp-overlap-protection (15) | +-tcp-flow-validation (15) | +-bypass-tcp-flow-setup-validation (15) +-check-flow-rule (15) +-circuit (15) | +-device-name (15) | +-incoming-circuit-group (15) | +-link-state-resistant (15) | +-new-flow-control (15) | +-proxy-arp (15) | +-show (15) | +-tcp-rst-injection (15) | +-vap-group (15) | | +-default-egress-vlan-tag (15) | | +-dhcp-relay (15) | | +-enable (15) | | +-icmp-redirect (15) | | +-ip (15) | | | +-alias (15) | | | +-floating (15) | | +-ip-flow-rule-no-failover (15) | | +-ip-flow-rule-priority (15) | | +-ip-forwarding (15) | | +-mac-addr (15) | | +-management-circuit (15) | | +-mtu (15) | | +-promiscuous-mode (15) | | +-reclassify-nat-flows (15) | | +-replace-vlan-tag (15) | | +-verify-next-hop-ip (15) +-cp-action (15) | +-disk-error (15) +-cp-redundancy (15) | +-set (15) +-dns (15) | +-search-name (15) | +-server (15) +-enable (15) | +-alarm (15) | +-password (15)
+-facility-alarm (15) | +-cpu (15) | +-cpu-core (15) | +-disk-usage-boot (15) | +-disk-usage-cbconfig (15) | +-disk-usage-mgmt (15) | +-disk-usage-root (15) | +-disk-usage-tftpboot (15) | +-disk-usage-var (15) | +-free-memory (15) +-group-interface (15) | +-flow-table-limit (15) | +-fragment-handling-options (15) | +-interface (15) | | +-enable (15) | +-interface-type (15) | | +-10gigabitethernet (15) | | | +-enable (15) | | | +-mac-addr (15) | | | +-pause-frame (15) | | +-gigabitethernet (15) | | +-auto-negotiate (15) | | +-duplex-mode (15) | | +-enable (15) | | +-mac-addr (15) | | +-media-speed (15) | | +-pause-frame (15) | +-logical (15) | | +-circuit (15) | | +-flow-table-limit (15) | | +-fragment-handling-options (15) | | +-packet-validation (15) | | +-validate-ip-packet (15) | | +-validate-tcp-packet (15) | | +-validate-tcp-xsum (15) | +-mode (15) | +-packet-validation (15) | | +-validate-ip-packet (15) | | +-validate-tcp-packet (15) | | +-validate-tcp-xsum (15) | +-show (15) +-host (15) +-hostname (15) +-incoming-circuit-group-name (15) +-interface (15) | +-10gigabitethernet (15) | | +-enable (15) | | +-logical (15) | | | +-circuit (15) | | | | +-flow-table-limit (15) | | | | +-fragment-handling-options (15) | | | | +-packet-validation (15) | | | | +-validate-ip-packet (15) | | | | +-validate-tcp-packet (15) | | | | +-validate-tcp-xsum (15) | | | +-show (15) | | +-logical-all (15) | | | +-circuit (15)
| | | +-flow-table-limit (15) | | | +-fragment-handling-options (15) | | | +-packet-validation (15) | | | +-validate-ip-packet (15) | | | +-validate-tcp-packet (15) | | | +-validate-tcp-xsum (15) | | +-pause-frame (15) | | +-show (15) | | +-standby-only (15) | +-gigabitethernet (15) | +-auto-negotiate (15) | +-duplex-mode (15) | +-enable (15) | +-logical (15) | | +-circuit (15) | | | +-flow-table-limit (15) | | | +-fragment-handling-options (15) | | | +-packet-validation (15) | | | +-validate-ip-packet (15) | | | +-validate-tcp-packet (15) | | | +-validate-tcp-xsum (15) | | +-show (15) | +-logical-all (15) | | +-circuit (15) | | +-flow-table-limit (15) | | +-fragment-handling-options (15) | | +-packet-validation (15) | | +-validate-ip-packet (15) | | +-validate-tcp-packet (15) | | +-validate-tcp-xsum (15) | +-mac-addr (15) | +-media-speed (15) | +-pause-frame (15) | +-show (15) | +-standby-only (15) +-interface-internal (15) | +-logical (15) | | +-circuit (15) | | +-flow-table-limit (15) | | +-fragment-handling-options (15) | | +-packet-validation (15) | | +-validate-ip-packet (15) | | +-validate-tcp-packet (15) | | +-validate-tcp-xsum (15) | +-logical-all (15) | +-circuit (15) | +-flow-table-limit (15) | +-fragment-handling-options (15) | +-packet-validation (15) | +-validate-ip-packet (15) | +-validate-tcp-packet (15) | +-validate-tcp-xsum (15) +-interface-status-group (15) | +-10gigabitethernet (15) | +-gigabitethernet (15) | +-group-interface (15) +-ip (15) | +-default-network (15)
| | +-metric (15) | | +-verify-next-hop (15) | +-domainname (15) | +-forwarding (15) | +-ftp (15) | +-route (15) | | +-metric (15) | | +-verify-next-hop (15) | +-ssh (15) | | +-authentication-retries (15) | | +-authentication-timeout (15) | +-telnet (15) +-ipv6-tunnel (15) | +-6to4 (15) | | +-path-mtu-discovery (15) | | +-source-address (15) | | +-time-to-live (15) | +-gre (15) | | +-path-mtu-discovery (15) | | +-source-address (15) | | +-time-to-live (15) | +-ipv6ip (15) | | +-path-mtu-discovery (15) | | +-source-address (15) | | +-time-to-live (15) | +-isatap (15) | +-path-mtu-discovery (15) | +-source-address (15) | +-time-to-live (15) +-ldap-parameter (15) +-ldap-server (15) +-logging (15) | +-console (15) | +-monitor (15) | +-server (15) +-management (15) | +-arp (15) | +-default-gateway (15) | +-gigabitethernet (15) | | +-access-list (15) | | +-enable (15) | | +-ip-addr (15) | | +-ip-alias (15) | | +-ip-nat (15) | | | +-inside (15) | | | +-outside (15) | | +-mac-addr (15) | | +-mtu (15) | | +-show (15) | | +-speed (15) | +-high-availability (15) | | +-auto-negotiate (15) | | +-duplex-mode (15) | | +-speed (15) | +-ip-route (15) | | +-metric (15) | +-vip-addr (15) +-module (15)
+-neighbor-discovery (15) +-np-reload-timeout (15) +-np-reset-wait-time (15) +-ntp (15) | +-server (15) +-operating-mode (15) +-packet-validation (15) | +-validate-ip-packet (15) | +-validate-tcp-packet (15) | +-validate-tcp-xsum (15) +-password (0) +-privilege (15) +-prompt (15) +-radius-server (15) | +-host (15) +-rate-limiter (15) | +-excess-burst (15) | +-rate (15) | +-show (15) +-redundancy-interface (15) | +-master (15) | +-10gigabitethernet (15) | | +-backup (15) | | +-10gigabitethernet (15) | | | +-failovermode (15) | | +-gigabitethernet (15) | | +-failovermode (15) | +-gigabitethernet (15) | +-backup (15) | +-10gigabitethernet (15) | | +-failovermode (15) | +-gigabitethernet (15) | +-failovermode (15) +-remote-box (15) +-reset-password (15) +-rmon (15) | +-alarm (15) | +-event (15) +-routing-protocol (15) +-routing-protocol-services (15) +-snmp-server (15) | +-community (15) | +-contact (15) | +-engine-id (15) | +-host (15) | +-location (15) +-snmp-user (15) | +-auth-type (15) | +-no-passwords (15) | +-priv-type (15) +-system-identifier (15) +-system-internal-network (15) +-system-ip-flow-rule (15) | +-action (15) | | +-allow (15) | | +-broadcast (15) | | +-drop (15) | | +-none (15)
| | +-pass-to-masters (15) | +-activate (15) | +-core-assignment (15) | +-destination-addr (15) | +-destination-port (15) | +-direction (15) | +-domain (15) | +-generate-reversed-flow (15) | +-hide-slot-originator (15) | +-incoming-circuit-group (15) | +-priority (15) | +-protocol (15) | +-rate-limiter (15) | +-show (15) | +-skip-port (15) | +-skip-port-protocol (15) | +-skip-protocol (15) | +-source-addr (15) | +-source-port (15) | +-timeout (15) | +-trace (15) +-system-non-ip-flow-rule (15) | +-action (15) | | +-broadcast (15) | | +-drop (15) | | +-pass-to-masters (15) | +-activate (15) | +-core-assignment (15) | +-encapsulation (15) | | +-ethernet (15) | | +-lsap (15) | | +-snap (15) | +-show (15) +-terminal (15) | +-history (15) +-timeout (15) +-timezone (15) +-username (15) +-vap-group (15) | +-ap-list (15) | +-application-monitor (15) | +-backup-mode (15) | +-delay-flow (15) | +-dhcp-relay-server-list (15) | +-enable-ipv6 (15) | | +-ip-forwarding-ipv6 (15) | +-fail-to-host (15) | +-flow-proxy (15) | +-ip-flow-rule (15) | | +-action (15) | | | +-allow (15) | | | +-broadcast (15) | | | +-dest-ip-based-load-balance (15) | | | +-dest-ip-based-load-balance-no-failover (15) | | | +-drop (15) | | | +-load-balance (15) | | | +-pass-to-master (15) | | | +-pass-to-vap (15)
| | | +-pass-to-vap-no-failover (15) | | +-activate (15) | | +-bypass-tcp-flow-setup-validation (15) | | +-core-assignment (15) | | +-destination-addr (15) | | +-destination-port (15) | | +-direction (15) | | +-domain (15) | | +-generate-reversed-flow (15) | | +-hide-slot-originator (15) | | +-incoming-circuit-group (15) | | +-priority (15) | | +-protocol (15) | | +-rate-limiter (15) | | +-show (15) | | +-skip-port (15) | | +-skip-port-protocol (15) | | +-skip-protocol (15) | | +-source-addr (15) | | +-source-port (15) | | +-timeout (15) | | +-trace (15) | +-ip-forwarding (15) | +-jumbo-frame (15) | +-load-balance-vap-list (15) | +-load-priority (15) | +-log-martians (15) | +-master-failover-trigger (15) | +-master-holddown (15) | +-max-load-count (15) | +-max-reload-count (15) | +-non-ip-flow-rule (15) | | +-action (15) | | | +-broadcast (15) | | | +-drop (15) | | | +-pass-to-master (15) | | +-activate (15) | | +-core-assignment (15) | | +-encapsulation (15) | | | +-ethernet (15) | | | +-lsap (15) | | | +-snap (15) | | +-show (15) | +-preemption-priority (15) | +-raid (15) | +-reload-timeout (15) | +-rp-filter (15) | +-scatter-gather (15) | +-show (15) | +-vap-count (15) | +-vg-reset-wait-time (15) +-vrrp (10) | +-failover-group (15) | | +-advertise-interval (15) | | +-enable (15) | | +-monitor-circuit (15) | | | +-priority-delta (15) | | +-monitor-group-interface (15)
| | | | +-dist-port-threshold (15)
| | | | +-priority-delta (15)
| | | +-monitor-interface (15)
| | | | +-10gigabitethernet (15)
| | | | | +-priority-delta (15)
| | | | +-gigabitethernet (15)
| | | | +-priority-delta (15)
| | | +-ospf-cost-increment (15)
| | | +-preemption (15)
| | | +-priority (15)
| | | +-virtual-router (15)
| | | +-backup-stay-up (15)
| | | +-dist-port-threshold (15)
| | | +-mac-usage (15)
| | | +-priority-delta (15)
| | | +-vap-group (15)
| | | +-ip (15)
| | | +-verify-next-hop-ip (15)
| | | | +-priority-delta (15)
| | | +-virtual-ip (15)
| | | +-floating (15)
| | +-vap-group (15)
| | +-active-vap-threshold (15)
| | +-enable (15)
| | +-failover-group-list (15)
| | +-hold-down-timer (15)
| | +-priority-delta (15)
| +-web-server (15)
| +-web-timeout (15)
| +-web-wizard (15)
+-copy (15)
| +-running-config (15)
| +-startup-config (15)
| +-interface (15)
| +-10gigabitethernet (15)
| +-gigabitethernet (15)
+-cp-disk-scheme (15)
+-cp-next-boot (15)
+-cp-unknown-state (15)
+-debug (15)
| +-dump-database (15)
| +-dump-psql (15)
| +-tree-syntax (15)
+-dir (0)
+-disconnect (15)
| +-ssh (15)
+-echo (0)
+-enable (0)
| +-level (0)
| +-more (0)
+-end (0)
+-exec (0)
+-exit (0)
+-grep (15)
+-help (0)
+-lock-config (15)
+-logging (0)
+-logout (0)
| +-save-config (15)
+-ping (0)
+-prompt (0)
+-pwd (0)
+-reload (15)
| +-all (15)
| | +-at (15)
| | +-in (15)
| +-module (15)
| | +-at (15)
| | +-in (15)
| +-offline-cp (15)
| +-vap-group (15)
+-reset-configuration (15)
+-routing-protocol (15)
| +-configure (15)
| +-install (15)
| +-restore (15)
| +-save (15)
| +-status (15)
| +-uninstall (15)
| +-update (15)
+-routing-protocol-services (15)
| +-configure (15)
| +-install (15)
| +-restore (15)
| +-save (15)
| +-status (15)
| +-uninstall (15)
| +-update (15)
| +-upgrade (15)
+-script (0)
+-search (0)
+-show (0)
| +-access-list (15)
| +-acl-interface (15)
| +-acl-interface-mapping (15)
| +-alarm-enabled (0)
| +-alarms (0)
| | +-active (0)
| | | +-date (0)
| | +-history (0)
| | | +-date (0)
| | +-model (0)
| +-alias (0)
| +-ap-vap-mapping (0)
| +-application (0)
| | +-vap-group (0)
| +-archive-vap-group (0)
| +-arp (0)
| +-audit-trail (0)
| | +-date (0)
| +-auto-promote (0)
| +-autocommand (0)
| +-automated-workflow-progress (15)
| +-bridge-mode (0)
| +-calendar (0)
| +-chassis (0)
| +-check-flow-rule (0)
| +-circuit (0)
| +-cp-disk-error (15)
| +-cp-disk-scheme (0)
| +-cp-next-boot (0)
| +-cp-redundancy (0)
| +-cp-unknown-state (15)
| +-cpu (0)
| +-current-release (0)
| +-default-ip-flow-rule (15)
| +-default-non-ip-flow-rule (15)
| +-disk-usage (15)
| +-dns-search-name (0)
| +-dns-server (0)
| +-environment (0)
| +-facility-alarm (0)
| +-flow (0)
| | +-active (15)
| | +-distribution (0)
| +-flow-path (15)
| | +-active (15)
| +-group-interface (15)
| | +-stats (15)
| | +-status (15)
| +-heartbeat (0)
| +-history (0)
| +-host (0)
| +-hostname (0)
| +-incoming-circuit-group-name (0)
| +-interface (0)
| | +-10gigabitethernet (0)
| | +-gigabitethernet (0)
| | +-high-availability (0)
| +-interface-internal (15)
| +-interface-status-group (0)
| +-internal-ip (0)
| +-ip (0)
| | +-addresses (0)
| | +-default-network (0)
| | +-domainname (0)
| | +-forwarding (0)
| | +-ftp (0)
| | +-route (0)
| | +-ssh (0)
| | +-telnet (0)
| +-ip-flow-rule (15)
| +-ip-mapping (0)
| +-kernel (0)
| +-ldap-parameters (15)
| +-ldap-server (15)
| +-lock-config (0)
| +-logging (0)
| | +-console (0)
| | | +-date (0)
| | +-server (0)
| | +-setting (0)
| +-management (0)
| | +-gigabitethernet (0)
| | +-high-availability (0)
| +-management-ip-alias (0)
| +-management-ip-nat (0)
| +-management-vip (15)
| +-module (0)
| | +-admin-state (0)
| | +-status (0)
| +-neighbor-discovery (0)
| +-netstat (0)
| +-non-ip-flow (15)
| +-np-reload-timeout (0)
| +-np-reset-wait-time (15)
| +-npm-originated-flow-stats (0)
| +-npm-tech (15)
| +-ntp-server (0)
| +-operating-mode (15)
| +-privilege (0)
| +-radius-server (15)
| +-rate-limiter (0)
| +-redundancy-interface (0)
| +-related-running-config (15)
| +-related-startup-config (15)
| +-reload (15)
| +-remote-box (15)
| +-resource-statistics (0)
| | +-flow-table-limit (15)
| | +-flow-table-usage (0)
| +-rmon (0)
| +-routing-protocol (0)
| +-running-config (0)
| | +-interface (15)
| | +-10gigabitethernet (15)
| | +-gigabitethernet (15)
| +-snmp (0)
| +-snmp-user (0)
| +-ssh-session (0)
| +-startup-config (15)
| | +-interface (15)
| | +-10gigabitethernet (15)
| | +-gigabitethernet (15)
| +-status-grouping (0)
| +-switch-data-path (0)
| +-system (0)
| +-system-identifier (15)
| +-system-internal-network (15)
| +-system-ip-flow-rule (15)
| +-system-non-ip-flow-rule (15)
| +-tech-crash (15)
| +-tech-support (15)
| | +--bundle (15)
| | +--file (15)
| | +--paging (15)
| +-terminal (0)
| | +-history (0)
| +-timeout (0)
| +-timezone (0)
| +-traplog (0)
| +-tree (0)
| +-username (0)
| +-usernames (0)
| +-vap-group (0)
| +-vdf-status (0)
| | +-module (0)
| | +-vap-group (0)
| | +-vap-group-member (0)
| +-version (0)
| +-veth-stats (0)
| +-vlan (0)
| +-vrrp (0)
| | +-circuit-ip (15)
| | +-detail-status (15)
| | +-detail-status-help (15)
| | +-failover-group (0)
| | +-monitor-circuit (15)
| | +-monitor-group-interfaces (15)
| | +-monitor-interfaces (15)
| | +-status (0)
| | +-vap-group (15)
| | +-verify-next-hop (15)
| | +-virtual-router (15)
| +-vsx-configuration (15)
| +-web-server (0)
| +-web-session (0)
| +-web-timeout (0)
| +-web-wizard (0)
+-shutdown (15)
+-sleep (0)
+-ssh (15)
+-swatch (15)
+-terminal (0)
| +-history (0)
+-timeout (0)
+-unix (15)
+-upgrade (15)
| +-in-service (15)
| | +-batch-1 (15)
| | +-batch-10 (15)
| | +-batch-2 (15)
| | +-batch-3 (15)
| | +-batch-4 (15)
| | +-batch-5 (15)
| | +-batch-6 (15)
| | +-batch-7 (15)
| | +-batch-8 (15)
| | +-batch-9 (15)
| | +-batch-default (15)
| | +-clear-batches (15)
| | +-install (15)
| | +-show (15)
| | +-batches (15)
| | +-default-batches (15)
| | +-new-releases (15)
| | +-progress (15)
| | +-standby-modules (15)
| +-install (15)
| +-remove (15)
| +-show (15)
| | +-current-running-release (15)
| | +-new-release (15)
| | +-release (15)
| +-verify-system (15)
+-validate-configuration (15)
+-vap-group-password (15)
+-vap-group-password-expiration (15)
+-vrrp-relinquish-master (15)
+-who (0)
configure bridge-mode
configure chassis-resource-protection
configure check-flow-rule
configure circuit
configure cp-action {cp1 | cp2} disk-error
configure cp-action disk-error (config context)
configure cp-redundancy
configure dns search-name
configure dns server
configure enable alarm
configure enable password
configure facility-alarm cpu
configure facility-alarm cpu-core
configure facility-alarm disk-usage-boot
configure facility-alarm disk-usage-cbconfig
configure facility-alarm disk-usage-mgmt
configure facility-alarm disk-usage-root
configure facility-alarm disk-usage-tftpboot
configure facility-alarm disk-usage-var
configure facility-alarm free-memory
configure group-interface
configure host
configure hostname
configure incoming-circuit-group-name
configure interface
configure interface-internal
configure interface-status-group
configure ip default-network (IPv6 and IPv4)
configure ip domainname
configure ip forwarding
configure ip ftp
configure ip route (IPv6 and IPv4)
configure ip ssh
configure ip telnet
configure ipv6-tunnel (IPv6)
configure ldap-parameter
configure ldap-server
configure logging console
configure logging monitor
configure logging server
configure management
configure management arp
configure management default-gateway
configure management high-availability
configure management ip-route
configure management vip-addr
configure module
configure neighbor-discovery (IPv6)
configure np-reload-timeout
configure np-reset-wait-time
configure ntp server
configure operating-mode
configure password
configure privilege level
configure prompt
configure radius-server host
configure redundancy-interface
configure remote-box
configure reset-password
configure rmon alarm
configure rmon event
configure routing-protocol
configure snmp-server community
configure snmp-server contact
configure snmp-server engine-id
configure snmp-server host
configure snmp-server location
configure snmp-user
configure system-identifier
configure system-internal-network
configure system-ip-flow-rule
configure system-non-ip-flow-rule
configure terminal history
configure timeout
configure timezone
configure username
configure vap-group
configure vrrp failover-group
configure vrrp vap-group
configure web-server
configure web-timeout
configure web-wizard
copy running-config
copy startup-config
Copying an Existing File to a VAP Group
core-assignment (ip-flow-rule context)
core-assignment (non-ip-flow-rule context)
cp-disk-scheme
cp-next-boot
CPU Activity for the APM and CPM (health_cpubsy.swc)
CPU and Board Temperature (health_temp.swc)
CPU Load, Utilization, and Memory Information (health_cpumem.swc)
cp-unknown-state
Crossbeam Daemon Status Script (cbsinitdstats.swc)
debug
default-egress-vlan-tag (conf-cct-vapgroup context)
delay-flow (config-vap-grp context)
destination-addr (conf-system-ip-flow context)
destination-addr (ip-flow-rule context)
destination-mac (conf-acl-intf context)
destination-port (conf-system-ip-flow context)
destination-port (ip-flow-rule context)
device-name (conf-cct context)
dhcp-relay (conf-cct-vapgroup context)
dhcp-relay-server-list (config-vap-grp context)
dir
direction (conf-acl-intf context)
direction (conf-system-ip-flow context)
direction (ip-flow-rule context)
disconnect ssh
dist-port-threshold (conf-vrrp-failover-vr context)
domain (conf-system-ip-flow context)
domain (ip-flow-rule context)
duplex-mode (conf-grp-intf-gig context)
duplex-mode (conf-intf-gig context)
duplex-mode (conf-mgmt-ha context)
echo
Editing the Command Line
enable (conf-cct-vapgroup)
enable (conf-grp-intf-gig or conf-grp-intf-10gig context)
enable (conf-grp-intf-intf context)
enable (conf-intf-gig or conf-intf-10gig context)
enable (conf-mgmt-gig context)
enable (conf-vrrp-group context)
enable (conf-vrrp-vap-group context)
enable level
enable more
enable-ipv6 (conf-vap-grp context) (IPv6)
encapsulation ethernet (conf-system-non-ip-flow context)
encapsulation ethernet (non-ip-flow context)
encapsulation lsap (conf-system-non-ip-flow context)
encapsulation lsap (non-ip-flow context)
encapsulation snap (conf-system-non-ip-flow context)
encapsulation snap (non-ip-flow context)
end
Entering User-defined Strings
ether-type (conf-acl-intf context)
exec
exit
failover-group-list (conf-vrrp-vap-group context)
failovermode (conf-intf-redun context)
fail-to-host (config-vap-grp context)
Flow Assignment and Scheduling Statistics (flowsched.swc)
flow-proxy (config-vap-grp context)
flow-table-partition (conf-resource-protection context)
flow-table-profile (conf-flow-table-partition context)
fragment-handling-options (conf-resource-protection context)
generate-reversed-flow (conf-system-ip-flow context)
generate-reversed-flow (ip-flow-rule context)
Getting Help
grep
Group Interface Statistics (groupintstats.swc)
help
hold-down-timer (conf-vrrp-vap-group context)
icmp-redirect (conf-cct-vapgroup)
incoming-circuit-group (conf-cct context)
incoming-circuit-group (conf-system-ip-flow context)
incoming-circuit-group (ip-flow-rule context)
in-service (upgrade context)
install (in-service-upgrade context)
install (upgrade context)
interface (conf-group-intf context)
interface-type (conf-group-intf context)
ip (conf-cct-vapgroup context) (IPv6 and IPv4)
ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
ip-addr (conf-mgmt-gig context)
ip-alias (conf-mgmt-gig context)
ip-flow-rule (config-vap-grp context)
ip-flow-rule-priority (conf-cct-vapgroup context)
ip-forwarding (conf-cct-vapgroup context)
ip-forwarding (config-vap-grp context)
ip-forwarding-ipv6 (enable-ipv6 context) (IPv6)
ip-id-validation (conf-rp-frag-handlings context)
ip-nat inside (conf-mgmt-gig context)
ip-nat outside (conf-mgmt-gig context)
IPv6 Address Notation
jumbo-frame (config-vap-grp context)
limit-fragment-queue (conf-rp-select-drop context)
link-state-resistant (conf-cct context)
load-balance-vap-list (config-vap-grp context)
load-priority (config-vap-grp context)
Local Network Interface Statistics (netifstats.swc)
lock-config
logging
Logging Out of the CLI Session
logical (conf-group-intf context)
logical (conf-intf-gig or conf-intf-10gig context)
logical (conf-intf-internal context)
logical-all (conf-intf-gig or conf-intf-10gig context)
logical-all (conf-intf-internal context)
log-martians (config-vap-grp context)
logout
mac-addr (conf-cct-vapgroup context)
mac-addr (conf-mgmt-gig context)
mac-usage (conf-vrrp-failover-vr context)
management-circuit (conf-cct-vapgroup context)
master-failover-trigger application (config-vap-grp context)
master-holddown (config-vap-grp context)
max-load-count (config-vap-grp context)
max-reload-count (config-vap-grp context)
media-speed (conf-grp-intf-gig context)
media-speed (conf-intf-gig context)
metric (config-ip-route context)
metric (conf-ip-default-network context)
mode (conf-group-intf context)
Module Uptime Statistics (moduleuptime.swc)
monitor-circuit (conf-vrrp-group context)
monitor-group-interface (conf-vrrp-group context)
monitor-interface (conf-vrrp-group context)
mtu (conf-cct-vapgroup context)
mtu (conf-mgmt-gig context)
non-ip-flow-rule (config-vap-grp context)
NPM Fabric Packet Statistics (fabricstats.swc)
NPM Flow Calculation Statistics (flowcalcstats.swc)
NPM Interface Statistics (npmdevstats.swc)
NPM VDF Status (npmfragstats.swc)
Alphabetical Index of Commands
ospf-cost-increment (conf-vrrp-group context)
packet-validation
path-mtu-discovery (conf-tunnel-<tunnel_type> context)
pause-frame (conf-grp-intf-gig or conf-grp-intf-10gig context)
pause-frame (conf-intf-gig or conf-intf-10gig context)
ping
preemption (conf-vrrp-group context)
preemption-priority (config-vap-grp context)
priority (conf-system-ip-flow context)
priority (conf-vrrp-group context)
priority (ip-flow-rule context)
priority-delta (conf-intf-gig or conf-intf-10gig context)
priority-delta (conf-vrrp-failover-cct context)
priority-delta (conf-vrrp-failover-grpintf)
priority-delta (conf-vrrp-failover-vr context)
priority-delta (conf-vrrp-vap-group context)
priority-delta (conf-vrrp-vr-verify-next-hop context)
promiscuous-mode (conf-cct-vapgroup context)
prompt
protocol (conf-system-ip-flow context)
protocol (ip-flow-rule context)
proxy-arp (conf-cct context)
pwd
Question Mark (?) Command
raid (config-vap-grp context)
reload all
reload module
reload offline-cp
reload vap-group
reload-timeout (config-vap-grp context)
remove (upgrade context)
replace-vlan-tag (conf-cct-vapgroup context)
reset-configuration
reset-cp-serial
routing-protocol vap-group configure
routing-protocol vap-group install
routing-protocol vap-group restore
routing-protocol vap-group save
routing-protocol vap-group status
routing-protocol vap-group uninstall
routing-protocol vap-group update
routing-protocol-services vap-group configure
routing-protocol-services vap-group restore
routing-protocol-services vap-group save
routing-protocol-services vap-group status
routing-protocol-services vap-group update
routing-protocol-services vap-group upgrade
rp-filter (config-vap-grp context)
scatter-gather (config-vap-grp context)
script
search
selective-drop (conf-rp-frag-handlings context)
set (config-cp-redundancy context)
show (conf-bridge-mode context)
show (conf-cct context)
show (conf-group-intf context)
show (config-vap-grp context)
show (conf-intf-gig or conf-intf-10gig context)
show (conf-mgmt-gig context)
show (conf-system-ip-flow context)
show (conf-system-non-ip-flow context)
show (in-service-upgrade context)
show (intf-gig-logical or intf-10gig-logical context)
show (ip-flow-rule context)
show (non-ip-flow context)
show access-list
show acl-interface
show acl-interface-mapping
show alarm-enabled
show alarms
show alias
show application
show application vap-group
show ap-vap-mapping
show archive-vap-group
show arp
show audit-trail
show autocommand
show automated-workflow-progress
show auto-promote
show bridge-mode
show calendar
show chassis
show check-flow-rule
show circuit
show cp-disk-error
show cp-disk-scheme
show cp-next-boot
show cp-redundancy
show cpu
show cp-unknown-state
show current-release
show current-running-release (upgrade context)
show default-ip-flow-rule
show default-non-ip-flow-rule
show disk-usage
show dns-search-name
show dns-server
show environment
show facility-alarm
show flow active
show flow distribution
show flow-path active
show group-interface
show heartbeat
show history
show host
show hostname
show incoming-circuit-group-name
show interface
show interface-status-group
show internal-ip
show ip addresses
show ip default-network
show ip domainname
show ip forwarding
show ip ftp
show ip route
show ip ssh
show ip telnet
show ip-flow-rule
show ip-mapping
show kernel
show ldap-parameters
show ldap-server
show lock-config
show logging console
show logging server
show logging setting
show management
show management-ip-alias
show management-ip-nat
show management-vip
show module admin-state
show module status
show neighbor-discovery (IPv6)
show netstat
show new-release (upgrade context)
show non-ip-flow
show npm-originated-flow-stats
show npm-tech
show np-reload-timeout
show np-reset-wait-time
show ntp-server
show operating-mode
show privilege
show radius-server
show redundancy-interface
show release (upgrade context)
show reload
show remote-box
show resource-statistics
show rmon
show routing-protocol
show running-config
show snmp
show snmp-user
show ssh-session
show startup-config
show status-grouping
show switch-data-path
show system
show system-identifier
show system-internal-network
show system-ip-flow-rule
show system-non-ip-flow-rule
show tech-crash
show tech-support
show terminal history
show timeout
show timezone
show traplog
show tree include-privilege
show username
show usernames
show vap-group
show vdf-status
show version
show veth-stats
show vlan
show vrrp
show vrrp circuit-ip
show vrrp detail-status
show vrrp detail-status-help
show vrrp failover-group
show vrrp monitor-circuit
show vrrp monitor-group-interfaces
show vrrp monitor-interfaces
show vrrp status
show vrrp vap-group
show vrrp verify-next-hop
show vrrp virtual-router
show vsx-configuration
show web-server
show web-session
show web-timeout
show web-wizard
skip-port-protocol (conf-system-ip-flow context)
skip-port-protocol (ip-flow-rule context)
sleep
source-addr (conf-system-ip-flow context)
source-addr (ip-flow-rule context)
source-address (conf-tunnel-<tunnel_type> context)
source-mac (conf-acl-intf context)
source-port (conf-system-ip-flow context)
source-port (ip-flow-rule context)
speed (conf-mgmt-gig context)
speed (conf-mgmt-ha context)
standby-only (conf-intf-gig or conf-intf-10gig context)
table-limit-action (conf-rp-table-profile context)
tcp-flow-validation (conf-resource-protection context)
tcp-overlap-protection (conf-rp-frag-handlings context)
tcp-rst-injection (conf-cct context)
terminal history
timeout (conf-system-ip-flow context)
timeout (ip-flow-rule context)
timeout
time-to-live (conf-tunnel-<tunnel_type> context)
trace (conf-system-ip-flow context)
trace (ip-flow-rule context)
Typographical Conventions
Understanding CLI Contexts
Understanding CLI Syntax Error Messages
Understanding Command Privilege Levels
Understanding Command Structure and Command Syntax
unix
Unix Commands: ftp, telnet, ssh, rsh
upgrade
Upgrading an Application on a VAP Group
Using a Serial Connection to Access the CLI
Using an Ethernet Connection to Access the CLI over a LAN
validate-configuration
validate-ip-packet (conf-pkt-validation context)
validate-tcp-packet (conf-pkt-validation context)
validate-tcp-xsum (conf-pkt-validation context)
vap-count (config-vap-grp context)
vap-group (conf-cct context)
vap-group (conf-vrrp-failover-vr context)
vap-group-password
vap-group-password-expiration
verify-next-hop (config-ip-route context)
verify-next-hop (conf-ip-default-network context)
verify-next-hop-ip (conf-cct-vapgroup context) (IPv6 and IPv4)
verify-next-hop-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
verify-system (upgrade context)
vg-reset-wait-time
virtual-ip (conf-vrrp-vr-vapgroup context) (IPv6 and IPv4)
virtual-router (conf-vrrp-group context)
vlan (conf-acl-intf context)
vrrp-relinquish-master
who
Glossary
The following terms are used throughout the X-Series Platform documentation set.
3DES
Triple Data Encryption Standard. Provides a stronger form of DES encryption where the algorithm is applied three times in order to encrypt data.
ACL
Access Control List. Provides packet filtering through the permission or denial of packets based on certain IP criteria, such as IP address, port, or protocol.
APM
Application Processor Module. The XOS Application Processor system module that provides application processing, status monitoring, and standard and application specific logging. The APM contains one or more CPUs to host applications and network services while processing packets belonging to individual flows.
ARP
Address Resolution Protocol. An Internet protocol used to map an IP address to a MAC address.
BOTW
Bump-on-the-Wire. A device with two or more interfaces that are transparent to the adjacent Layer 3 devices.
cbsflowagentd
Flow Agent daemon that collects statistics and runs on each VAP.
cbsflowcalcd
Flow Calculator daemon that runs the flow scheduling chow file and executes on the CPM.
circuit
An abstract object representing a logical network interface (network service access point). A circuit can be mapped to either single or multiple logical lines. Attributes of a circuit include: a set of physical line or channel pairs, a layer 2 encapsulation type, a layer 2 address, and an IP address (optional).
CLI
Command Line Interface.
CM
Configuration manager/monitor.
core-intf
An interface which is attached to the core-facing networks.
CPM
Control Processor Module. The XOS system module that coordinates the actions of all other modules, enables management access to the platform, and supports access to a local disk containing configuration files and databases necessary to execute the applications which reside on the platform.
DES
Data Encryption Standard. A popular algorithm for encrypting data. It is a product cipher that operates on 64-bit blocks of data, using a 56-bit key.
device
OS concept representing either a physical or logical I/O port connected to the APM.
domain
A set of interconnected IP networks belonging to a unique address space. A domain is uniquely identified within the X-Series Platform by an 8-bit domain ID. IP flows must be unique within a given domain.
DSA
Digital Signature Algorithm.
ECC
Error Checking and Correcting. A collection of methods to detect errors in transmitted or stored data and a means to correct them.
edge interface
An interface that is attached to edge-facing networks (typically where subscribers are located).
edge server
A server that is physically located close to its end users designed to deliver faster, higher quality transmissions, typically in a local commercial ISP facility. The number of edge servers in a region depends on the number of users in the locale.
FCAPS
Faults, Configuration, Accounting, Performance, and Security. The general requirements of a network management system as defined by the International Organization for Standardization.
FIB
Forwarding Information Base. A set of IP data structures replacing a route table in Linux.
firewall
A set of software tools that protects a company's internal network from unwanted entry by unauthorized external users. The firewall works in conjunction with a router program to filter incoming network packets and reject those of unknown origin.
flow
Specific stream of data traveling between two endpoints across a network. Specified by source IP, destination IP, source port, destination port and IP protocol type.
flow rule
A filter rule specifying how a packet is processed.
flow specific
A stream of data traveling between two endpoints across a network. Specified by source IP, destination IP, source port, destination port and IP protocol type.
flow table
A table maintained on the NPM that maps individual flows to their respective processors.
FPGA
Field Programmable Gate Array. A gate array where the logic network can be programmed into the device after its manufacture. An FPGA consists of an array of logic elements, either gates or lookup table RAMs, flip-flops, and programmable interconnect wiring.
FTP
File Transfer Protocol.
gateway
A Layer 3 device with at least two logical interfaces that uses a routing table to forward packets between interfaces. Note that a gateway may also act as a multi-homed host.
GBIC
Gigabit Interface Converter. A transceiver that converts electric currents (digital highs and lows) to optical signals, and optical signals to digital electric currents. The GBIC is typically employed in fiber optic and Ethernet systems as an interface for high-speed networking. The data transfer rate is one gigabit per second (1 Gbps) or more.
GEM
Greenlight Element Manager. A GUI that provides a view into the components and health of your X-Series Platform.
GLM
Gigabit Link Module.
GRUB
GRand Unified Bootloader.
hash
A cryptographic operation where an entire message is run through a mathematical operation that results in a fixed-length string that is unique.
HTTP
Hypertext Transfer Protocol.
IDEA
International Data Encryption Algorithm. A conventional encryption algorithm, using a block cipher, operating on 64-bit blocks with a 128-bit key.
IDS
Intrusion Detection System.
IOP
I/O Processor.
IP Address
Internet Protocol (IP). A numerical address that identifies senders and receivers of Internet data. The address accompanies packetized data and identifies it with a particular network on the Internet and the specific device (such as a server) from which it originated.
IPS
Intrusion Prevention System.
In-Service Upgrade
ISU is an alternate method of upgrading XOS software while minimizing downtime. This feature has several requirements for successful completion of an ISU, including redundant CPMs, APMs, and NPMs. During ISU, the chassis is virtually split in two halves during which time only one half of the chassis will be responsible for forwarding traffic.
LACP
Link Aggregation Control Protocol.
load balancing
Distributing flows in real time amongst multiple APMs.
load table
A table that maps flow profiles to weighted lists of virtual processors.
logical interface
A channelized interface on a physical interface. A subdivision of a physical interface. Currently supported logical interface types are default and VLAN.
logical line
A combination of a physical line and a sub-line (channel). A logical line is uniquely identified by a physical line ID or channel ID pair.
MD5
Message Digest 5. A one-way function that takes a variable-length message and produces a fixed-length hash.
MAC address
Media Access Control (MAC). A hardware address that uniquely identifies each node of a network. In IEEE 802 networks, the Data Link Control (DLC) layer of the OSI Reference Model is divided into two sub-layers: the Logical Link Control (LLC) layer and the Media Access Control (MAC) layer. The MAC layer interfaces directly with the network media. Consequently, each different type of network media requires a different MAC layer.
MIB
Management Information Base.
MS
Management Server.
multi-homed host
A Layer 3 device with at least two logical interfaces that generates packets but does not forward them.
NPM
Network Processor Module. The XOS module responsible for network interface access (up to 1 Gb/sec full-duplex), flow classification, distribution of flows to APMs, and load balancing of the APMs.
PGP
Pretty Good Privacy. A high-security RSA public-key encryption application that enables files or messages to be exchanged with privacy and authentication.
physical interface
The physical hardware connector on the NPM or CPM representing a network interface port.
POS
Packet Over Sonet.
POST
Power On Self-Test.
PPP
Point to Point Protocol.
RAID
Redundant Array of Inexpensive/Independent Drives. A data storage scheme used to allow multiple drives to work as a single drive. RAID level 0 and level 1 are supported by Crossbeam Systems in our newer modules. RAID 0 writes data to whichever drive is currently free. This method is used for greater data speed efficiency (however, all drives in the RAID are needed to fully access all the data). RAID 1 writes identical data to all the drives in the RAID grouping. This method is used for greater data integrity.
RDRAM
Rambus Direct Random Access Memory.
RMON
Remote Network Monitoring.
RPM
Red Hat Package Manager.
SCP
Secure copy.
SMP
Symmetric Multi Processor.
SNMP
Simple Network Management Protocol. The Internet standard protocol developed to manage and monitor nodes on an IP network.
SSH
Secure Shell. A powerful authentication and encryption program replacing older and less secure tools like Telnet. SSH provides both authentication and encryption and is therefore the preferred method of network access. SSH allows a secure connection to be established between a client computer and a server host. The X-Series Platform provides SSH server, SSH client, and scp capability.
SSL
Secure Socket Layer.
static route
A user-defined route that causes packets to move between a source and destination along a specific path.
sub-line
A multiplexed channel within a single line. Examples include a DS0 channel within a T1/T3 serial interface, an ATM PVC, and a tagged VLAN. A sub-line is uniquely identified by a 32-bit channel ID.
SYSLOGD
System Logger Daemon.
Telnet
An administrator can enable Telnet as part of the boot dialogue or by using a CLI command. Telnet is disabled by default because traffic between the client and the X-Series Platform is not encrypted.
VAP
Virtual Application Processor. An application operating environment which can be run on an APM. A VAP consists of the OS, system software, and a set of applications which run concurrently.
VAP group
A virtual set of Application Processor Modules identically configured for load balancing and redundancy to process the same set of applications.
VLAN
Virtual Local Area Network. A local area network with a definition that maps workstations on some other basis than geographic location (for example, by department, type of user, or primary application).
VND
Virtual Network Device. A Linux kernel object representing a logical network interface. A virtual network device is directly mapped to an NPM circuit.
VPN
Virtual Private Network. Consists of private lines, switching equipment and other networking equipment that are provided for the exclusive use of one customer. A VPN gives users a secure way to access resources over the Internet or other public or private networks using encryption, authentication, and tunneling.
VRRP
Virtual Router Redundancy Protocol. This protocol allows several routers on a multiaccess link to utilize the same virtual IP address. One router will be elected as a master with the other routers acting as backups in case of the failure of the master router. The protocol should also support the ability to load share traffic when both routers are up. A Virtual Router in XOS is an IP address or a set of IP addresses that can be instantiated on a circuit for a subset of the VAP groups on which the circuit is configured, and active only on one of the X-Series Platforms participating in multi-system High Availability configuration.
XML
Extensible Markup Language. The universal format for structured documents and data on the Web as defined by a set of specifications and recommendations from the W3C.